JoseLuis1225 Posted October 19, 2023
Hello, I have an EA5 controller as a director in version 2.10.6. A couple of weeks ago it began to constantly consume all the network bandwidth; it always kept sending data outwards, consuming 300 to 700 mb constantly. I have already tested disconnecting third-party services such as cameras, alarms, etc., but the constant sending of data continues. The packets it sends have been tracked and it is found that they are almost always to addresses in China, and the IP address to which it sends the data changes constantly. It has been analyzed with network engineers and they tell me that it is likely that the equipment has been hacked and that I need to factory reset the equipment. I would like to know if something similar has happened to any of you and how you solved it. Do you know if there is any security patch for this equipment in this version of software?
NOTE: This project has not been updated to OS3 because there are many devices that are not compatible and there is not currently the money to replace them all. I appreciate your help.
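A first triage step for the symptom described in this post, added here as an example and not part of the thread: given per-flow byte counts of the kind a router's connection or accounting export provides (the records below are constructed), find the LAN host that accounts for nearly all outbound bytes and talks to many distinct, changing external addresses. The thresholds and the three RFC 1918 ranges are assumptions.

```python
# Added example (not from the thread): triage for a single LAN host pushing large,
# continuous traffic to external addresses that keep changing. Input is a constructed
# list of flow records (src, dst, bytes out) such as a router's accounting export gives.
from collections import defaultdict
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample flows: (source IP, destination IP, bytes sent outward).
SAMPLE_FLOWS = [
    ("192.168.1.20", "203.0.113.5", 52_000_000),
    ("192.168.1.20", "203.0.113.77", 61_000_000),
    ("192.168.1.20", "198.51.100.9", 58_000_000),
    ("192.168.1.20", "198.51.100.44", 49_000_000),
    ("192.168.1.31", "192.168.1.1", 2_000_000),    # LAN-to-LAN, not counted
    ("192.168.1.45", "203.0.113.5", 1_200_000),    # a camera doing a normal upload
]

def is_lan(ip: str) -> bool:
    """True for RFC 1918 addresses. Used instead of ipaddress.is_private because
    that also flags the documentation ranges used in the sample data."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)

def summarize_egress(flows):
    """Return {src: (total_bytes_out, number_of_distinct_external_destinations)}."""
    total = defaultdict(int)
    dsts = defaultdict(set)
    for src, dst, nbytes in flows:
        if is_lan(dst):
            continue                         # only traffic leaving the LAN counts
        total[src] += nbytes
        dsts[src].add(dst)
    return {s: (total[s], len(dsts[s])) for s in total}

def suspect_hosts(flows, share=0.8, min_dsts=3):
    """Hosts responsible for at least `share` of all outbound bytes that also talk
    to at least `min_dsts` distinct external addresses (thresholds are assumed)."""
    summary = summarize_egress(flows)
    all_bytes = sum(b for b, _ in summary.values()) or 1
    return sorted(s for s, (b, n) in summary.items()
                  if b / all_bytes >= share and n >= min_dsts)

if __name__ == "__main__":
    for host, (b, n) in summarize_egress(SAMPLE_FLOWS).items():
        print(f"{host}: {b / 1e6:.1f} MB out to {n} external address(es)")
    print("suspects:", suspect_hosts(SAMPLE_FLOWS))
```

On the constructed data the single host 192.168.1.20 is reported; on real exports, run it per hour so a burst from one backup job does not drown the steady sender.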
msgreenf Posted October 19, 2023
Do you have your controller or anything port forwarded to the internet? Is your controller not behind a router/firewall? Is your router firmware updated? Share more of your network topology.
JoseLuis1225 (Author) Posted October 19, 2023
3 hours ago, msgreenf said:
> Do you have your controller or anything port forwarded to the internet? Is your controller not behind a router/firewall? Is your router firmware updated? Share more of your network topology.
No, the only internet service that the controller uses is the connection with 4sight to use the application from outside; all other connections are local. The project has a main MikroTik router that is responsible for managing the entire network. After the router there are 3 HP brand switches that are responsible for distributing the network, and the final equipment is there, including this main controller. The router is updated.
lippavisual Posted October 19, 2023
Good choice in your router, I'm a MikroTik fan as well. Have you changed the username and password and also disabled the stock admin account? Make sure it's fully updated. Next, check for open ports on your router. If it's close to a stock install, there should be a good half dozen ways someone can get in from outside. Next, I'd check your firewall rules. You should have a "drop all from WAN not DST NAT'd" rule; if not, create one and that should be your last rule. MikroTik is extremely popular and is used worldwide by many, which also has its cons. There are bots that will brute force attack your router until they get in. It happens and it sucks, but use it as a learning lesson.
LollerAgent Posted October 19, 2023
22 minutes ago, JoseLuis1225 said:
> No, the only internet service that the controller uses is the connection with 4sight to use the application from outside; all other connections are local. The project has a main MikroTik router that is responsible for managing the entire network. After the router there are 3 HP brand switches that are responsible for distributing the network, and the final equipment is there, including this main controller. The router is updated.
Here is a decent set of default firewall rules to use on MikroTik:

/ip firewall filter
add action=accept chain=input comment="DEF: accept established, related, untracked" connection-state=established,related,untracked
add action=drop chain=input comment="DEF: drop invalid" connection-state=invalid
add action=accept chain=input comment="DEF: accept icmp" protocol=icmp
add action=accept chain=input comment="DEF: accept trusted ssh" port=22 protocol=tcp src-address-list=trusted
add action=accept chain=input comment="DEF: accept trusted api" port=8728-8729 protocol=tcp src-address-list=trusted
add action=accept chain=input comment="DEF: accept trusted winbox" port=8291 protocol=tcp src-address-list=trusted
add chain=forward comment="DEF: accept established, related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="Block WLAN-Guests from General" connection-state=established,new dst-address-list=vl10 src-address-list=vl31
add action=drop chain=forward comment="Block Security from General" connection-state=established,new dst-address-list=vl10 src-address-list=vl50
add action=drop chain=forward comment="Block WLAN-Public from Security" connection-state=established,new dst-address-list=vl50 src-address-list=vl31
add action=drop chain=forward comment="DEF: drop invalid" connection-state=invalid
add action=drop chain=input comment="DEF: drop everything else not from LAN" connection-nat-state=!dstnat connection-state=new in-interface-list=!LAN

There are some specific VLAN rules in there to give you an example of how to block traffic between VLANs if you need. These rules also require you to have two interface lists, "LAN" and "WAN", which you can create. As @lippavisual said, make sure you are running the latest STABLE firmware and have changed default passwords, etc. Check to make sure your router isn't acting as an open DNS resolver and that it doesn't have a proxy enabled.
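A way to check an exported rule set against the points the two replies above make (a final input-chain drop for new traffic that is neither from LAN nor dst-nat'd, management ports only reachable from a trusted source list, invalid connections dropped in the forward chain). This is an added example, not from the thread; the RULESET it parses is a constructed export in the same format as the one posted, with one deliberately weak rule, and the list of management ports is an assumption.

```python
# Added example, not from the thread: parse a RouterOS `/ip firewall filter` export and
# check the points raised above (input chain ends with a drop for new, !LAN, !dstnat
# traffic; management ports only from a source list; forward chain drops invalid).
# RULESET is a constructed export in the posted format with one deliberately weak rule.
import re
import shlex

RULESET = r'''/ip firewall filter
add action=accept chain=input comment="DEF: accept established, related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="DEF: drop invalid" connection-state=invalid
add action=accept chain=input comment="DEF: accept trusted winbox" port=8291 protocol=tcp src-address-list=trusted
add action=accept chain=input comment="telnet open to the world (weak)" port=23 protocol=tcp
add action=drop chain=input comment="DEF: drop everything else not from LAN" connection-nat-state=\
    !dstnat connection-state=new in-interface-list=!LAN
add chain=forward comment="DEF: accept established" connection-state=established,related,untracked
'''
MGMT_PORTS = {"21", "22", "23", "80", "443", "8291", "8728", "8729"}   # assumed list

def parse_rules(export: str):
    """Join backslash-continued lines, then map each `add ...` line to a dict."""
    joined = re.sub(r"\\\n\s*", "", export)
    rules = []
    for line in joined.splitlines():
        line = line.strip()
        if not line.startswith("add "):
            continue
        rule = {"action": "accept"}          # RouterOS default when action is omitted
        for tok in shlex.split(line[4:]):    # quoted comments stay one token
            key, _, val = tok.partition("=")
            rule[key] = val
        rules.append(rule)
    return rules

def audit(export: str):
    """Return a list of findings; an empty list means all three checks passed."""
    rules = parse_rules(export)
    findings = []
    inp = [r for r in rules if r.get("chain") == "input"]
    last = inp[-1] if inp else {}
    if not (last.get("action") == "drop" and last.get("in-interface-list") == "!LAN"
            and last.get("connection-nat-state") == "!dstnat"):
        findings.append("input chain does not end with a drop for !LAN, !dstnat traffic")
    for r in inp:
        if r["action"] == "accept" and r.get("port") in MGMT_PORTS and "src-address-list" not in r:
            findings.append(f"management port {r['port']} accepted from any source")
    if not any(r.get("chain") == "forward" and r["action"] == "drop"
               and r.get("connection-state") == "invalid" for r in rules):
        findings.append("forward chain never drops invalid connections")
    return findings
```

Feed it the output of `/ip firewall filter export` and it reports the telnet rule and the missing forward-chain drop in the constructed set; rule order matters, so a later accept after the final drop is also caught because the drop is no longer last.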
JoseLuis1225 (Author) Posted October 19, 2023
44 minutes ago, LollerAgent said:
> Here is a decent set of default firewall rules to use on MikroTik: [firewall rules and recommendations quoted in full above]
Thank you very much for your recommendations. In addition to this, do you recommend factory resetting the main controller, or do you consider that it is not necessary?
lippavisual Posted October 19, 2023
Only way to get your controller back would be a factory reset.
JoseLuis1225 (Author) Posted October 19, 2023
All of these are already applied and the main controller continues to consume all the bandwidth by sending information. It is the only device on the network that does this; if I remove this device from the network everything is normalized. Any other recommendations you can give me? Thank you.
JoseLuis1225 (Author) Posted October 19, 2023
1 minute ago, lippavisual said:
> Only way to get your controller back would be a factory reset.
OK, thanks.
Cyknight Posted October 19, 2023
5 minutes ago, JoseLuis1225 said:
> OK, thanks.
Actually... I would suggest doing a full image restore, as it can overwrite the restore file as well. Dealer will have access to the needed software. I would first try making a back-up and clearing the project though, just to see if the issue goes away, as it's not inconceivable that a system driver is doing this.