
webfig access via public ip

Posted: Tue Jul 26, 2011 12:34 pm
by keter
I think it is a security issue to have your router directly accessible via your public IP address. How do I change the way of accessing my router through webfig? I am using v5.2.

Attached is a snapshot of how vulnerable the router is to anyone who knows my IP address.

Re: webfig access via public ip

Posted: Tue Jul 26, 2011 1:14 pm
by mrz
Set in /ip services allowed address range
or set up firewall rules to block access from public interface.

Re: webfig access via public ip

Posted: Thu Oct 25, 2012 2:23 am
by paka
> Set in /ip services allowed address range
> or set up firewall rules to block access from public interface.

Hi mrz,

I'm using ports 80 and 433 on RB, but I don't need webfig.
RB shows by webfig directly username...why? That is big issue.
How can I block the access to webfig in general (not over local and public interface)?
Please help me! Thanks in advance.

Re: webfig access via public ip

Posted: Thu Oct 25, 2012 3:33 pm
by normis
Webfig automatically logs in, if you have an "admin" user with no password. Remove the admin user, and Webfig will not log in.

Re: webfig access via public ip

Posted: Thu Oct 25, 2012 11:21 pm
by mixig
@paka

disable http and www and https command

ip service disable numbers=2,4


http://wiki.mikrotik.com/wiki/Manual:IP/Services

Re: webfig access via public ip

Posted: Fri Oct 26, 2012 11:10 am
by paka
Thanks for answers!

@normis

1. I've changed the username "admin" ... but webfig still shows "admin". What is this?
Where from does this name come?
Note: temporary files are removed already by browser, checked it by two pc ... receive the same result.
(changed through Winbox -> System -> Users -> system default user "admin")

2. Regardless, that's not a nice solution. Please make a function in a future version with which we can disable the service webfig.
I think, it will take no great effort or?


@mixig

I cannot disable "www" and "www-ssl", because I use "www" for web-server and "www-ssl" for the User Manager.

Re: webfig access via public ip

Posted: Fri Oct 26, 2012 11:21 am
by normis
Paka, "admin" is predefined in that page. It has no information about your actual username. It just guesses.

If you completely want to disable that page, email support about a branding package, that lets you customize the HTML.

Re: webfig access via public ip

Posted: Fri Oct 26, 2012 11:34 am
by paka
Why is it predefined? It is not difficult to write itself :)
I do constantly upgrade operation, whenever a new version comes out. So should I always send the email for a new version to receive the modified HTML, or need not be?

Re: webfig access via public ip

Posted: Fri Oct 26, 2012 11:35 am
by normis
Paka, maybe it is confusing for you - but for a new customer, when he connects to the device, it is nice that he doesn't need to look for default username in the manual. He is automatically logged in, where he sees Quickset.

Re: webfig access via public ip

Posted: Fri Oct 26, 2012 11:40 am
by paka
Normis, ok
On the second question you have not answered :(

Re: webfig access via public ip

Posted: Fri Oct 26, 2012 11:47 am
by normis
Webfig is the main configuration option on RouterOS. I still don't understand why you want to disable it?

Re: webfig access via public ip

Posted: Fri Oct 26, 2012 11:53 am
by linek1980
/ip service set www address="" disabled=yes port=8080

Re: webfig access via public ip

Posted: Fri Oct 26, 2012 12:00 pm
by paka
> Webfig is the main configuration option on RouterOS. I still don't understand why you want to disable it?

For safety reasons we have blocked all connections to configure settings of device over Public IP. But it is reachable still with webfig.
If I leave the access to webfig, where remains my security concept?

Re: webfig access via public ip

Posted: Fri Oct 26, 2012 12:10 pm
by mrz
Block access from public interface in firewall.

Re: webfig access via public ip

Posted: Fri Oct 26, 2012 12:16 pm
by paka
How can I do that? Thank you for your help!

Re: webfig access via public ip

Posted: Fri Oct 26, 2012 12:37 pm
by paka
mrz, please answer

Re: webfig access via public ip

Posted: Fri Oct 26, 2012 12:50 pm
by mrz
/ip firewall filter
add chain=input in-interface=<wan-port> dst-address=<your-public-ip> protocol=tcp port=80 action=drop

Re: webfig access via public ip

Posted: Fri Oct 26, 2012 1:10 pm
by paka
@mrz
@linek1980

I need the ports 80, 443. See my posts above.
port 80 - for "www" (forwarding to web server), port 443 - for "www-ssl" (User Manager)

Yes, so with this firewall rule I can block these ports. But I need these for my services ...
Any ideas?

Re: webfig access via public ip

Posted: Fri Oct 26, 2012 1:48 pm
by janisk
For now, as a workaround, maybe proxy with access-list can be used to limit access to certain pages available on the router.

Re: webfig access via public ip

Posted: Fri Oct 26, 2012 2:59 pm
by normis
User Manager and Hotspot you don't need on the public interface. The rule only blocks them on the public port.

Re: webfig access via public ip

Posted: Fri Oct 26, 2012 3:11 pm
by paka
> for now as a workaround maybe proxy with access-list can be used to limit access to certain pages available on the router.

It is impossible with web proxy, because webfig has not absolute path.

Re: webfig access via public ip

Posted: Fri Oct 26, 2012 3:25 pm
by paka
> User Manager and Hotspot you don't need on the public interface. The rule only blocks them on the public port.

APs are in a certain place, Radius is in other place. Customers of hotspots use the user manager over public interface.
Moreover PayPal server connects with the user manager over public interface.
I hope, you find any solution.

Re: webfig access via public ip

Posted: Fri Oct 26, 2012 3:30 pm
by normis
This doesn't mean that the user manager needs access from public side. User Manager connects TO paypal, not paypal to user manager.

Re: webfig access via public ip

Posted: Fri Oct 26, 2012 3:52 pm
by mrz
You do not have web server on your router, so my mentioned rule will not block that traffic. It is "forward" traffic not "input".
The same for user manager, if it is set on other router behind gateway.
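
An added illustration, not part of any post, of the two points mrz makes in this thread: the allowed address range under /ip services and the difference between "input" and "forward" traffic. The interface name, addresses and web server below are assumed placeholders.

```routeros
# Added example, not from the thread. Assumed placeholders:
#   ether1          WAN interface
#   203.0.113.10    public IP of the router
#   192.168.88.0/24 management LAN
#   192.168.88.10   web server behind the router

# 1. Allowed address range: the router's own web services (www / www-ssl,
#    which serve WebFig) answer only clients from the management LAN.
/ip service
set www address=192.168.88.0/24
set www-ssl address=192.168.88.0/24

# 2. Public port 80 is rewritten by dst-nat before the routing decision,
#    so these packets travel through the "forward" chain to the web server.
/ip firewall nat
add chain=dstnat in-interface=ether1 dst-address=203.0.113.10 \
    protocol=tcp dst-port=80 action=dst-nat \
    to-addresses=192.168.88.10 to-ports=80

# 3. "input" only sees packets still addressed to the router itself,
#    i.e. WebFig on 80/443. Dropping them here does not touch rule 2.
/ip firewall filter
add chain=input in-interface=ether1 protocol=tcp dst-port=80,443 \
    action=drop comment="WebFig not reachable from WAN"

# 4. Accept the forwarded web traffic explicitly (only needed when the
#    forward chain otherwise ends in a drop rule).
add chain=forward in-interface=ether1 dst-address=192.168.88.10 \
    protocol=tcp dst-port=80 action=accept comment="public web server"
```

Both the address restriction and the input rule also cut off anything else served by the router's own www-ssl service, which in paka's setup includes User Manager on port 443.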

Re: webfig access via public ip

Posted: Fri Oct 26, 2012 8:05 pm
by paka
@normis
my customer use the link http://myhost/user to manage own data
yes, correct is - user manager connects to paypal server

@mrz
You're right. Retrieving http://myhost is forwarded to my web server. Here the webfig page cannot be seen, so I don't need it for port 80.
But by retrieving https://myhost I receive the webfig page. So I've forwarded any access over port 443 to web proxy.

So following configurations are made, but unsuccessful

1. block direct access to web proxy
ip firewall filter add chain=input protocol=tcp dst-port=8080 in-interface=ether1 action=drop

2. enable the web proxy
ip proxy set enabled=yes

3. forwarding to web proxy
ip firewall nat add chain=dstnat dst-address=publicip protocol=tcp dst-port=443 action=redirect to-ports=8080

4. add access rule by web proxy to block webfig
ip proxy access add dst-address=publicip path="/webfig/*" action=deny

5. add access rule by web proxy to allow user manager
ip proxy access add dst-address=publicip path="/user/*" action=allow
ip proxy access add dst-address=publicip path="/userman/*" action=allow


What did I do wrong?

Re: webfig access via public ip

Posted: Tue Oct 30, 2012 10:57 pm
by paka
Hi Mikrotik-Team,

I need your answer. Thanks in advance :)