I'm wondering if I have fundamentally misunderstood something. In fact
I am rather hoping I have.
An outside agency has reported seeing telnet connection attempts coming
from the outside IPv4 address of a client's router. They have provided
info that shows quite clearly that these are attacks coming from the
router.
To see where in the network they were originating, I added these lines
at the front of each of the input, output and forward "/ip firewall
filter" chains:
chain=xxx action=drop \
protocol=tcp dst-port=23 \
log=yes \
log-prefix="TEL_xxx"
My log output shows exclusively lines with "TEL_output". I wasn't
expecting any "TEL_input" lines, but I was definitely expecting some
"TEL_forward" lines, assuming the miscreant is inside the network.
Here is a sample (a.b.c.d is the outside address of the router, w.x.y.z
is the destination address):
18:44:35 firewall,info TEL_output output: in:(none) out:e1-uplink,
proto TCP (SYN), a.b.c.d:54315->w.x.y.z:23, len 40
I.e., the packets seem to be sourced at the router. Does this mean that
the router is the source of this nefariousness?!? Or am I missing
something?
There are quite a few of these; I'm seeing about 20 per minute.
The router version is old and should be upgraded: 6.36 (stable).
It appears that an earlier colleague added three mangle/passthrough
statements, but these as I understand it are effectively just counters.
There are no other mangle statements.
Regards, K.
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Karl Auer (kauer(a)nullarbor.com.au) work +61 2 64957435
http://www.nullarbor.com.au mobile +61 428 957160
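An added example, not part of the post above: a small Python script that parses RouterOS firewall log lines in the format shown in the message and tallies where each logged telnet SYN appears to originate, so output-chain hits with in:(none) from the router's own address can be told apart from forward-chain hits that name an inside host and interface. The sample log lines, the addresses and the function names are constructed for this example.

```python
import re
from collections import Counter

# Constructed sample lines in the RouterOS firewall log format quoted in the post.
# 203.0.113.10 stands in for the router's outside address (a.b.c.d in the post).
SAMPLE_LOG = """\
18:44:35 firewall,info TEL_output output: in:(none) out:e1-uplink, proto TCP (SYN), 203.0.113.10:54315->198.51.100.7:23, len 40
18:44:38 firewall,info TEL_output output: in:(none) out:e1-uplink, proto TCP (SYN), 203.0.113.10:54316->198.51.100.8:23, len 40
18:44:41 firewall,info TEL_forward forward: in:ether2-lan out:e1-uplink, proto TCP (SYN), 192.168.88.20:41000->198.51.100.9:23, len 40
"""

LINE_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d) firewall,info (?P<prefix>\S+) (?P<chain>\w+): "
    r"in:(?P<in_if>\S+) out:(?P<out_if>\S+), proto (?P<proto>\w+)(?: \((?P<flags>[^)]*)\))?, "
    r"(?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+), len (?P<len>\d+)$"
)


def parse_line(line: str):
    """Parse one firewall log line into its fields; return None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(entry: dict, router_addr: str) -> str:
    """Name the likely origin of a logged packet from its chain and interfaces.

    An output-chain entry with in:(none) and the router's own source address is a
    packet generated on the router itself; a forward-chain entry names the inside
    host and the interface it arrived on.
    """
    if entry["chain"] == "output" and entry["in_if"] == "(none)" and entry["src"] == router_addr:
        return "router-local (output chain)"
    if entry["chain"] == "forward":
        return f"LAN host {entry['src']} via {entry['in_if']}"
    return f"other ({entry['chain']} chain, in:{entry['in_if']})"


def summarize(log_text: str, router_addr: str) -> Counter:
    """Count origins for every logged packet aimed at TCP port 23."""
    origins = Counter()
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and entry["proto"] == "TCP" and entry["dport"] == "23":
            origins[classify(entry, router_addr)] += 1
    return origins


if __name__ == "__main__":
    for origin, count in summarize(SAMPLE_LOG, "203.0.113.10").most_common():
        print(f"{count:4d}  {origin}")
```

Feed it the real log export and the router's outside address; a tally dominated by "router-local" with no forward-chain entries matches what the post describes.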