Hi Karl,

I actually had a very similar issue back in 2021 with a brand new router that I installed; after a week or so it was attempting telnet connections all over the place. Duxtel sent the logs to MikroTik but didn't find anything abnormal. Wiped and netinstalled, reloaded a safe config and we were back in business. Still concerning that it was exploited in the first place, but no issues since.

-----Original Message-----
From: Public <public-bounces@talk.mikrotik.com.au> On Behalf Of Karl Auer
Sent: Monday, 7 November 2022 7:16 PM
To: MikroTik Public <public@talk.mikrotik.com.au>
Subject: [MT-AU Public] Blocking FTP

I'm wondering if I have fundamentally misunderstood something. In fact I am rather hoping I have.

An outside agency has reported seeing telnet connection attempts coming from the outside IPv4 address of a client's router. They have provided info that shows quite clearly that these are attacks coming from the router.

To see where in the network they were originating, I added these lines at the front of each of the input, output and forward "/ip firewall filter" chains:

    chain=xxx action=drop \
        protocol=tcp dst-port=23 \
        log=yes \
        log-prefix="TEL_xxx"

My log output shows exclusively lines with "TEL_output". I wasn't expecting any "TEL_input" lines, but I was definitely expecting some "TEL_forward" lines, assuming the miscreant is inside the network.

Here is a sample (a.b.c.d is the outside address of the router, w.x.y.z is the destination address):

    18:44:35 firewall,info TEL_output output: in:(none) out:e1-uplink, proto TCP (SYN), a.b.c.d:54315->w.x.y.z:23, len 40

I.e., the packets seem to be sourced at the router.

Does this mean that the router is the source of this nefariousness?!? Or am I missing something?

There are quite a few of these; I'm seeing about 20 per minute.

The router version is old and should be upgraded: 6.36 (stable).
It appears that an earlier colleague added three mangle/passthrough statements, but these as I understand it are effectively just counters. There are no other mangle statements.

Regards, K.

-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Karl Auer (kauer@nullarbor.com.au)
work +61 2 64957435
http://www.nullarbor.com.au
mobile +61 428 957160
_______________________________________________
Public mailing list
Public@talk.mikrotik.com.au
http://talk.mikrotik.com.au/mailman/listinfo/public_talk.mikrotik.com.au
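
Added example, not part of either message above: a small triage script for the "TEL_" log lines produced by the per-chain logging rules in the thread. It tallies hits per chain and attributes each one to the router itself (output chain, in:(none), meaning locally generated traffic) or to a forwarded LAN host. The sample lines are constructed, the forward-line layout with src-mac is an assumption about RouterOS 6 output, and `classify` is a hypothetical name.

```python
import re
from collections import Counter

# Constructed sample lines in the format quoted in the thread; addresses are
# documentation/private ranges, and the forward-line layout is an assumption.
SAMPLE_LOG = """\
18:44:35 firewall,info TEL_output output: in:(none) out:e1-uplink, proto TCP (SYN), 203.0.113.10:54315->198.51.100.7:23, len 40
18:44:38 firewall,info TEL_output output: in:(none) out:e1-uplink, proto TCP (SYN), 203.0.113.10:54316->198.51.100.99:23, len 40
18:44:41 firewall,info TEL_forward forward: in:bridge out:e1-uplink, src-mac 00:00:5e:00:53:01, proto TCP (SYN), 192.168.88.25:40112->198.51.100.20:23, len 60
18:45:02 firewall,info TEL_output output: in:(none) out:e1-uplink, proto TCP (SYN), 203.0.113.10:54317->192.0.2.44:23, len 40
18:45:09 system,info,account user admin logged in from 192.168.88.2 via winbox
"""

LINE_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d) firewall,info (?P<prefix>TEL_\w+) "
    r"(?P<chain>input|output|forward): in:(?P<in_if>\S+) out:(?P<out_if>[^,\s]+),"
    r".*?proto TCP \((?P<flags>[^)]*)\), "
    r"(?P<src>[^\s:]+):(?P<sport>\d+)->(?P<dst>[^\s:]+):(?P<dport>\d+), len \d+"
)

def classify(log_text):
    """Tally telnet hits per chain and attribute each to the router or a LAN host."""
    per_chain, sources, minutes = Counter(), Counter(), Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["dport"] != "23":
            continue  # not one of the TEL_ firewall lines
        per_chain[m["chain"]] += 1
        minutes[m["time"][:5]] += 1  # bucket by HH:MM to get a per-minute rate
        if m["chain"] == "output" and m["in_if"] == "(none)":
            sources[("router", m["src"])] += 1  # generated by the router itself
        elif m["chain"] == "forward":
            sources[("lan-host", m["src"])] += 1  # routed on behalf of a client
    return {
        "per_chain": dict(per_chain),
        "sources": dict(sources),
        "peak_per_minute": max(minutes.values(), default=0),
        "router_originated": per_chain["output"] > 0,
    }

if __name__ == "__main__":
    for key, value in classify(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

A result with only output-chain hits, as in the original report, points at processes on the router rather than at a host behind it.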