keter
just joined
Topic Author
Posts: 20
Joined: Thu May 26, 2011 9:18 pm

webfig access via public ip

Tue Jul 26, 2011 12:34 pm

I think it is a security issue to have your router directly accessible via your public IP address. How do I change the way of accessing my router through webfig? I am using v5.2

Attached is a snapshot of how vulnerable the router is to anyone who knows my IP address.
 
mrz
MikroTik Support
Posts: 7041
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: webfig access via public ip

Tue Jul 26, 2011 1:14 pm

Set in /ip services allowed address range
or set up firewall rules to block access from public interface.
 
paka
Frequent Visitor
Posts: 81
Joined: Thu Jan 08, 2009 4:25 pm
Location: Bonn, Germany

Re: webfig access via public ip

Thu Oct 25, 2012 2:23 am

> Set in /ip services allowed address range
> or set up firewall rules to block access from public interface.

Hi mrz,

I'm using ports 80 and 433 on RB, but I don't need webfig.
RB shows by webfig directly username... why? That is a big issue.
How can I block the access to webfig in general (not over local and public interface)?
Please help me! Thanks in advance
 
normis
MikroTik Support
Posts: 26322
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: webfig access via public ip

Thu Oct 25, 2012 3:33 pm

Webfig automatically logs in, if you have an "admin" user with no password. Remove the admin user, and Webfig will not log in.
 
mixig
Member
Posts: 315
Joined: Thu Oct 27, 2011 2:19 pm

Re: webfig access via public ip

Thu Oct 25, 2012 11:21 pm

@paka

disable http and www and https command

ip service disable numbers=2,4


http://wiki.mikrotik.com/wiki/Manual:IP/Services
 
paka
Frequent Visitor
Posts: 81
Joined: Thu Jan 08, 2009 4:25 pm
Location: Bonn, Germany

Re: webfig access via public ip

Fri Oct 26, 2012 11:10 am

Thanks for answers!

@normis

1. I've changed the username "admin" ... but webfig still shows "admin". What is this?
Where does this name come from?
Note: temporary files are already removed by the browser, checked it on two PCs ... received the same result.
(changed through Winbox -> System -> Users -> system default user "admin")

2. Regardless, that's not a nice solution. Please make a function in a future version with which we can disable the webfig service.
I think it will take no great effort, or?


@mixig

I cannot disable "www" and "www-ssl", because I use "www" for the web server and "www-ssl" for the User Manager
 
normis
MikroTik Support
Posts: 26322
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: webfig access via public ip

Fri Oct 26, 2012 11:21 am

Paka, "admin" is predefined in that page. It has no information about your actual username. It just guesses.

If you completely want to disable that page, email support about a branding package that lets you customize the HTML.
 
paka
Frequent Visitor
Posts: 81
Joined: Thu Jan 08, 2009 4:25 pm
Location: Bonn, Germany

Re: webfig access via public ip

Fri Oct 26, 2012 11:34 am

Why is it predefined? It is not difficult to write it oneself :)
I constantly upgrade whenever a new version comes out. So should I always send the email for each new version to receive the modified HTML, or is that not needed?
 
normis
MikroTik Support
Posts: 26322
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: webfig access via public ip

Fri Oct 26, 2012 11:35 am

Paka, maybe it is confusing for you - but for a new customer, when he connects to the device, it is nice that he doesn't need to look for default username in the manual. He is automatically logged in, where he sees Quickset.
 
paka
Frequent Visitor
Posts: 81
Joined: Thu Jan 08, 2009 4:25 pm
Location: Bonn, Germany

Re: webfig access via public ip

Fri Oct 26, 2012 11:40 am

Normis, ok
You have not answered the second question :(
 
normis
MikroTik Support
Posts: 26322
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: webfig access via public ip

Fri Oct 26, 2012 11:47 am

Webfig is the main configuration option on RouterOS. I still don't understand why you want to disable it?
 
linek1980
newbie
Posts: 34
Joined: Thu Feb 03, 2011 1:39 pm

Re: webfig access via public ip

Fri Oct 26, 2012 11:53 am

/ip service set www address="" disabled=yes port=8080
 
paka
Frequent Visitor
Posts: 81
Joined: Thu Jan 08, 2009 4:25 pm
Location: Bonn, Germany

Re: webfig access via public ip

Fri Oct 26, 2012 12:00 pm

> Webfig is the main configuration option on RouterOS. I still don't understand why you want to disable it ?

For safety reasons we have blocked all connections for configuring the device's settings over the public IP. But it is still reachable with webfig.
If I leave the access to webfig, where does that leave my security concept?
 
mrz
MikroTik Support
Posts: 7041
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: webfig access via public ip

Fri Oct 26, 2012 12:10 pm

Block access from public interface in firewall.
 
paka
Frequent Visitor
Posts: 81
Joined: Thu Jan 08, 2009 4:25 pm
Location: Bonn, Germany

Re: webfig access via public ip

Fri Oct 26, 2012 12:16 pm

How can I do that? Thank you for your help!
 
paka
Frequent Visitor
Posts: 81
Joined: Thu Jan 08, 2009 4:25 pm
Location: Bonn, Germany

Re: webfig access via public ip

Fri Oct 26, 2012 12:37 pm

mrz, please answer
 
mrz
MikroTik Support
Posts: 7041
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: webfig access via public ip

Fri Oct 26, 2012 12:50 pm

/ip firewall filter
add chain=input in-interface=<wan-port> dst-address=<your-public-ip> protocol=tcp port=80 action=drop
 
paka
Frequent Visitor
Posts: 81
Joined: Thu Jan 08, 2009 4:25 pm
Location: Bonn, Germany

Re: webfig access via public ip

Fri Oct 26, 2012 1:10 pm

@mrz
@linek1980

I need the ports 80, 443. See my posts above.
port 80 - for "www" (forwarding to web server), port 443 - for "www-ssl" (User Manager)

Yes, so with this firewall rule I can block these ports. But I need these for my services ...
Any ideas?
 
janisk
MikroTik Support
Posts: 6263
Joined: Tue Feb 14, 2006 9:46 am
Location: Riga, Latvia

Re: webfig access via public ip

Fri Oct 26, 2012 1:48 pm

for now as a workaround maybe proxy with access-list can be used to limit access to certain pages available on the router.
 
normis
MikroTik Support
Posts: 26322
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: webfig access via public ip

Fri Oct 26, 2012 2:59 pm

User Manager and Hotspot you don't need on the public interface. The rule only blocks them on the public port.
 
paka
Frequent Visitor
Posts: 81
Joined: Thu Jan 08, 2009 4:25 pm
Location: Bonn, Germany

Re: webfig access via public ip

Fri Oct 26, 2012 3:11 pm

> for now as a workaround maybe proxy with access-list can be used to limit access to certain pages available on the router.

It is impossible with web proxy, because webfig does not have an absolute path
 
paka
Frequent Visitor
Posts: 81
Joined: Thu Jan 08, 2009 4:25 pm
Location: Bonn, Germany

Re: webfig access via public ip

Fri Oct 26, 2012 3:25 pm

> User Manager and Hotspot you don't need on the public interface. The rule only blocks them on the public port.

APs are in one place, Radius is in another place. Customers of hotspots use the user manager over the public interface.
Moreover, the PayPal server connects with the user manager over the public interface.
I hope you find a solution
 
normis
MikroTik Support
Posts: 26322
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: webfig access via public ip

Fri Oct 26, 2012 3:30 pm

This doesn't mean that the user manager needs access from public side. User Manager connects TO paypal, not paypal to user manager.
 
mrz
MikroTik Support
Posts: 7041
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: webfig access via public ip

Fri Oct 26, 2012 3:52 pm

You do not have web server on your router, so my mentioned rule will not block that traffic. It is "forward" traffic not "input".
The same for user manager, if it is set on other router behind gateway.
 
paka
Frequent Visitor
Posts: 81
Joined: Thu Jan 08, 2009 4:25 pm
Location: Bonn, Germany

Re: webfig access via public ip

Fri Oct 26, 2012 8:05 pm

@normis
My customers use the link http://myhost/user to manage their own data.
Yes, correct is - user manager connects to paypal server

@mrz
You're right. Retrieving http://myhost is forwarded to my web server. The webfig page cannot be seen there, so I don't need it for port 80.
But by retrieving https://myhost I receive the webfig page. So I've forwarded any access over port 443 to web proxy.

So the following configurations were made, but unsuccessfully

1. block direct access to web proxy
ip firewall filter add chain=input protocol=tcp dst-port=8080 in-interface=ether1 action=drop

2. enable the web proxy
ip proxy set enabled=yes

3. forwarding to web proxy
ip firewall nat add chain=dstnat dst-address=publicip protocol=tcp dst-port=443 action=redirect to-ports=8080

4. add access rule by web proxy to block webfig
ip proxy access add dst-address=publicip path="/webfig/*" action=deny

5. add access rule by web proxy to allow user manager
ip proxy access add dst-address=publicip path="/user/*" action=allow
ip proxy access add dst-address=publicip path="/userman/*" action=allow


What did I do wrong?
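
Added example (not part of any post in this thread, and not RouterOS code): a simplified Python model of the packet flow behind mrz's "forward" versus "input" remark, in which destination NAT is applied before the router chooses between the input and forward chains. It replays rules 1 and 3 from the post above and mrz's input rule; the addresses 203.0.113.10, 192.168.88.1 and 192.168.88.10, the dst-nat rule for the web server, and all Python names are assumptions made for illustration.

```python
# Simplified model, not RouterOS code: dstnat runs first, then the routing
# decision sends the packet to the input chain (router itself) or forward chain.
from dataclasses import dataclass, replace

PUBLIC_IP = "203.0.113.10"                  # constructed; stands in for "publicip"
ROUTER_IPS = {PUBLIC_IP, "192.168.88.1"}    # constructed router addresses

@dataclass(frozen=True)
class Packet:
    in_interface: str
    dst_address: str
    dst_port: int
    protocol: str = "tcp"

def matches(rule, pkt):
    """A rule matches when every matcher it sets equals the packet's field."""
    fields = ("in_interface", "dst_address", "dst_port", "protocol")
    return all(getattr(pkt, f) == rule[f] for f in fields if f in rule)

def dstnat(pkt, nat_rules):
    """Apply the first matching NAT rule and return the rewritten packet."""
    for rule in nat_rules:
        if not matches(rule, pkt):
            continue
        if rule["action"] == "redirect":    # new destination is the router itself
            return replace(pkt, dst_address=PUBLIC_IP, dst_port=rule["to_port"])
        return replace(pkt, dst_address=rule["to_address"])   # dst-nat
    return pkt

def process(pkt, nat_rules, filter_rules):
    """Return (chain, verdict, dst_port seen by the filter)."""
    pkt = dstnat(pkt, nat_rules)
    chain = "input" if pkt.dst_address in ROUTER_IPS else "forward"
    for rule in filter_rules:
        if rule["chain"] == chain and matches(rule, pkt):
            return chain, rule["action"], pkt.dst_port
    return chain, "accept", pkt.dst_port

# Rules 1 and 3 from the post above.
PAKA_FILTER = [{"chain": "input", "protocol": "tcp", "dst_port": 8080,
                "in_interface": "ether1", "action": "drop"}]
PAKA_NAT = [{"dst_address": PUBLIC_IP, "protocol": "tcp", "dst_port": 443,
             "action": "redirect", "to_port": 8080}]
# mrz's input rule (its port=80 modelled as dst_port) and a constructed
# dst-nat of port 80 to an internal web server.
MRZ_FILTER = [{"chain": "input", "in_interface": "ether1", "dst_address": PUBLIC_IP,
               "protocol": "tcp", "dst_port": 80, "action": "drop"}]
WEB_NAT = [{"dst_address": PUBLIC_IP, "protocol": "tcp", "dst_port": 443 - 363,
            "action": "dst-nat", "to_address": "192.168.88.10"}]
```

In this model a connection to port 443 reaches the input chain with dst-port 8080 after the redirect, so rule 1 drops it together with direct access to the proxy, while port-80 traffic that is dst-nat'ed to the web server lands in the forward chain and never meets mrz's input rule.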
 
paka
Frequent Visitor
Posts: 81
Joined: Thu Jan 08, 2009 4:25 pm
Location: Bonn, Germany

Re: webfig access via public ip

Tue Oct 30, 2012 10:57 pm

Hi Mikrotik-Team,

I need your answer. Thanks in advance :)
