webfig access via public ip
BETA Testing and Feature Suggestions for the next RouterOS release (ROS v7)

26 posts   •   Page 1 of 1
keter
just joined
 
Posts: 20
Joined: Thu May 26, 2011 9:18 pm

webfig access via public ip

by keter » Tue Jul 26, 2011 12:34 pm

I think it is a security issue to have your router directly accessible via your public IP address. How do I change the way of accessing my router through webfig? I am using v5.2

Attached is a snapshot of how vulnerable the router is to anyone who knows my IP address.
Attachments
public ip.PNG (60.38 KiB) Viewed 10957 times

mrz
MikroTik Support
 
Posts: 4090
Joined: Wed Feb 07, 2007 1:45 pm
Location: Latvia

Re: webfig access via public ip

by mrz » Tue Jul 26, 2011 1:14 pm

Set in /ip services allowed address range
or set up firewall rules to block access from public interface.

paka
Frequent Visitor
 
Posts: 62
Joined: Thu Jan 08, 2009 5:25 pm

Re: webfig access via public ip

by paka » Thu Oct 25, 2012 2:23 am

mrz wrote: Set in /ip services allowed address range
or set up firewall rules to block access from public interface.


Hi mrz,

I'm using ports 80 and 433 on RB, but I don't need webfig.
RB shows by webfig directly username... why? That is a big issue.
How can I block the access to webfig in general (not over local and public interface)?
Please help me! Thanks in advance
Attachments
webfig.JPG (37.49 KiB) Viewed 10582 times

normis
MikroTik Support
 
Posts: 19335
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: webfig access via public ip

by normis » Thu Oct 25, 2012 3:33 pm

Webfig automatically logs in, if you have an "admin" user with no password. Remove the admin user, and Webfig will not log in.
No answer to your question? How to write posts

mixig
Member Candidate
 
Posts: 245
Joined: Thu Oct 27, 2011 2:19 pm

Re: webfig access via public ip

by mixig » Thu Oct 25, 2012 11:21 pm

@paka

disable http and www and https command

ip service disable numbers=2,4


http://wiki.mikrotik.com/wiki/Manual:IP/Services

paka
Frequent Visitor
 
Posts: 62
Joined: Thu Jan 08, 2009 5:25 pm

Re: webfig access via public ip

by paka » Fri Oct 26, 2012 11:10 am

Thanks for answers!

@normis

1. I've changed the username "admin" ... but webfig still shows "admin". What is this?
Where does this name come from?
Note: temporary files are already removed by the browser, checked it on two PCs ... received the same result.
(changed through Winbox -> System -> Users -> system default user "admin")

2. Regardless, that's not a nice solution. Please make a function in a future version with which we can disable the webfig service.
I think it will take no great effort, or?


@mixig

I cannot disable "www" and "www-ssl", because I use "www" for web-server and "www-ssl" for the User Manager

normis
MikroTik Support
 
Posts: 19335
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: webfig access via public ip

by normis » Fri Oct 26, 2012 11:21 am

Paka, "admin" is predefined in that page. It has no information about your actual username. It just guesses.

If you completely want to disable that page, email support about a branding package, that lets you customize the HTML

paka
Frequent Visitor
 
Posts: 62
Joined: Thu Jan 08, 2009 5:25 pm

Re: webfig access via public ip

by paka » Fri Oct 26, 2012 11:34 am

Why is it predefined? It is not difficult to write itself :)
I constantly upgrade whenever a new version comes out. So should I always send the email for a new version to receive the modified HTML, or is that not needed?

normis
MikroTik Support
 
Posts: 19335
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: webfig access via public ip

by normis » Fri Oct 26, 2012 11:35 am

Paka, maybe it is confusing for you - but for a new customer, when he connects to the device, it is nice that he doesn't need to look for default username in the manual. He is automatically logged in, where he sees Quickset.

paka
Frequent Visitor
 
Posts: 62
Joined: Thu Jan 08, 2009 5:25 pm

Re: webfig access via public ip

by paka » Fri Oct 26, 2012 11:40 am

Normis, ok
On the second question you have not answered :(

normis
MikroTik Support
 
Posts: 19335
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: webfig access via public ip

by normis » Fri Oct 26, 2012 11:47 am

Webfig is the main configuration option on RouterOS. I still don't understand why you want to disable it?

linek1980
newbie
 
Posts: 30
Joined: Thu Feb 03, 2011 2:39 pm

Re: webfig access via public ip

by linek1980 » Fri Oct 26, 2012 11:53 am

/ip service set www address="" disabled=yes port=8080
Attachments
ScreenShot149.jpg (109.66 KiB) Viewed 10493 times

paka
Frequent Visitor
 
Posts: 62
Joined: Thu Jan 08, 2009 5:25 pm

Re: webfig access via public ip

by paka » Fri Oct 26, 2012 12:00 pm

normis wrote: Webfig is the main configuration option on RouterOS. I still don't understand why you want to disable it?


For safety reasons we have blocked all connections to configure settings of device over Public IP. But it is still reachable with webfig.
If I leave the access to webfig, where remains my security concept?

mrz
MikroTik Support
 
Posts: 4090
Joined: Wed Feb 07, 2007 1:45 pm
Location: Latvia

Re: webfig access via public ip

by mrz » Fri Oct 26, 2012 12:10 pm

Block access from public interface in firewall.

paka
Frequent Visitor
 
Posts: 62
Joined: Thu Jan 08, 2009 5:25 pm

Re: webfig access via public ip

by paka » Fri Oct 26, 2012 12:16 pm

How can I do that? Thank you for your help!

paka
Frequent Visitor
 
Posts: 62
Joined: Thu Jan 08, 2009 5:25 pm

Re: webfig access via public ip

by paka » Fri Oct 26, 2012 12:37 pm

mrz, please answer

mrz
MikroTik Support
 
Posts: 4090
Joined: Wed Feb 07, 2007 1:45 pm
Location: Latvia

Re: webfig access via public ip

by mrz » Fri Oct 26, 2012 12:50 pm

/ip firewall filter
add chain=input in-interface=<wan-port> dst-address=<your-public-ip> protocol=tcp port=80 action=drop

paka
Frequent Visitor
 
Posts: 62
Joined: Thu Jan 08, 2009 5:25 pm

Re: webfig access via public ip

by paka » Fri Oct 26, 2012 1:10 pm

@mrz
@linek1980

I need the ports 80, 443. See my posts above.
port 80 - for "www" (forwarding to web server), port 443 - for "www-ssl" (User Manager)

Yes, so with this firewall rule I can block these ports. But I need these for my services ...
Any ideas?

janisk
MikroTik Support
 
Posts: 5925
Joined: Tue Feb 14, 2006 10:46 am
Location: Riga, Latvia

Re: webfig access via public ip

by janisk » Fri Oct 26, 2012 1:48 pm

For now, as a workaround, maybe proxy with access-list can be used to limit access to certain pages available on the router.

normis
MikroTik Support
 
Posts: 19335
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: webfig access via public ip

by normis » Fri Oct 26, 2012 2:59 pm

User Manager and Hotspot you don't need on the public interface. The rule only blocks them on the public port.

paka
Frequent Visitor
 
Posts: 62
Joined: Thu Jan 08, 2009 5:25 pm

Re: webfig access via public ip

by paka » Fri Oct 26, 2012 3:11 pm

janisk wrote: for now as a workaround maybe proxy with access-list can be used to limit access to certain pages available on the router.


It is impossible with web proxy, because webfig has not absolute path

paka
Frequent Visitor
 
Posts: 62
Joined: Thu Jan 08, 2009 5:25 pm

Re: webfig access via public ip

by paka » Fri Oct 26, 2012 3:25 pm

normis wrote: User Manager and Hotspot you don't need on the public interface. The rule only blocks them on the public port.


APs are in a certain place, Radius is in other place. Customers of hotspots use the user manager over public interface.
Moreover PayPal server connects with the user manager over public interface.
I hope, you find any solution

normis
MikroTik Support
 
Posts: 19335
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: webfig access via public ip

by normis » Fri Oct 26, 2012 3:30 pm

This doesn't mean that the user manager needs access from public side. User Manager connects TO paypal, not paypal to user manager.

mrz
MikroTik Support
 
Posts: 4090
Joined: Wed Feb 07, 2007 1:45 pm
Location: Latvia

Re: webfig access via public ip

by mrz » Fri Oct 26, 2012 3:52 pm

You do not have web server on your router, so my mentioned rule will not block that traffic. It is "forward" traffic not "input".
The same for user manager, if it is set on other router behind gateway.
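
The input/forward distinction described in the post above, combined with the two options from the earlier reply (an allowed address range in /ip service, or a firewall drop on the public interface), as an added RouterOS example that is not part of any post in this thread. The interface name ether1, the LAN subnet 192.168.88.0/24 and the web server address 192.168.88.10 are assumptions.

```routeros
# Added example. Assumed values (not from the thread):
#   ether1            = public (WAN) interface
#   192.168.88.0/24   = management LAN
#   192.168.88.10     = internal web server published on port 80

# 1. Service-level restriction: the router's own web services
#    (WebFig on www / www-ssl) answer only clients in the management LAN.
/ip service set www address=192.168.88.0/24
/ip service set www-ssl address=192.168.88.0/24

# 2. Publish the internal web server. dst-nat rewrites the destination
#    before the routing decision, so these packets are routed through
#    the router and traverse chain=forward, never chain=input.
/ip firewall nat add chain=dstnat in-interface=ether1 protocol=tcp \
    dst-port=80 action=dst-nat to-addresses=192.168.88.10 to-ports=80 \
    comment="publish internal web server"

# 3. Firewall-level restriction: drop WAN connections whose final
#    destination is the router itself. Only traffic that was NOT
#    dst-nat'ed to another host reaches chain=input, so the published
#    web server in step 2 is unaffected by this rule.
/ip firewall filter add chain=input in-interface=ether1 protocol=tcp \
    dst-port=80,443 action=drop comment="no router web services from WAN"

# 4. Permit the forwarded web traffic explicitly, in case the forward
#    chain ends in a default drop.
/ip firewall filter add chain=forward in-interface=ether1 protocol=tcp \
    dst-address=192.168.88.10 dst-port=80 action=accept \
    comment="allow published web server"

# 5. Review the result.
/ip service print
/ip firewall nat print where chain=dstnat
/ip firewall filter print where chain=input
/ip firewall filter print where chain=forward
```

Steps 1 and 3 apply to everything the router's www and www-ssl services serve on those ports, not only WebFig.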

paka
Frequent Visitor
 
Posts: 62
Joined: Thu Jan 08, 2009 5:25 pm

Re: webfig access via public ip

by paka » Fri Oct 26, 2012 8:05 pm

@normis
my customer use the link http://myhost/user to manage own data
yes, correct is - user manager connects to paypal server

@mrz
You're right. Retrieving http://myhost is forwarded to my web server. The webfig page cannot be seen here, so I don't need it for port 80.
But by retrieving https://myhost I receive the webfig page. So I've forwarded any access over port 443 to web proxy.

So following configurations are made, but unsuccessful

1. block direct access to web proxy
ip firewall filter add chain=input protocol=tcp dst-port=8080 in-interface=ether1 action=drop

2. enable the web proxy
ip proxy set enabled=yes

3. forwarding to web proxy
ip firewall nat add chain=dstnat dst-address=publicip protocol=tcp dst-port=443 action=redirect to-ports=8080

4. add access rule by web proxy to block webfig
ip proxy access add dst-address=publicip path="/webfig/*" action=deny

5. add access rule by web proxy to allow user manager
ip proxy access add dst-address=publicip path="/user/*" action=allow
ip proxy access add dst-address=publicip path="/userman/*" action=allow


What did I do wrong?

paka
Frequent Visitor
 
Posts: 62
Joined: Thu Jan 08, 2009 5:25 pm

Re: webfig access via public ip

by paka » Tue Oct 30, 2012 11:57 pm

Hi Mikrotik-Team,

I need your answer. Thanks in advance :)


It is currently Sun Dec 21, 2014 3:23 am