MikroTik

smytht

I think you best buy only equipment from that other vendor and leave us alone here...

No Need to be like that

cant we all just get along ...

smytht

Another Vendor of Networking Hardware recently published a security advisory, via email I was wondering if any thing could be learned from their approach, The ideas implemented below make sense to me! I was wondering what do you think ? Dedicated Security Director focused 100% on Vendors software vu...

smytht

Just a note - this topic is officially successfully drowned by you two... I hope that fact alone smytht indicate that your "method of delivery" seriously lacks something.. yeah you may have a Point... Lets return it to a technical discussion ... Ill work on my delivery, thanks, re V7 I th...

smytht

I think it would be good if MikroTik share with the community some of the mitigations they do implement in Router OS... It would help the discussion, and certainly put our minds at ease, (well Mine at least ) :) what do people think of compiler based mitigations ? http://oss-security.openwall.org/wi...

smytht

I know it's illegal, but i've reverse enigineered Mikrotik :D And I can confirm, all this Nova stuff - they do care about security, most of intermediate libs/sw is writted by them in C++, and finding exploits surely is possible, but TAKES TIME AND MONEY, unlikely open-sourced UBNT products, as we s...

smytht

... free market of Ideas... and I want to see if other users agree with some of my ideas.. A. Free market ? So why do you rate people not opinions ? They could be different than yours. It is forum, not your discourse. B. If you want to see opinions about your ideas then you should do not be offened...

smytht

Dont Take it Personally Im Not :) ... your tone says other wise I think you can conduct yourself better... You sitll continue to attack my opinion rather than engage in proper discussion -3 A . Please make up your mind: "You sitll continue to attack my opinion" vs "Play the Ball not ...

smytht

Hi, It would be nice if Mikrotik can take some proactive steps. For example IOS/Junos devices has proper shell in devices, and as sysadmin i can inspect system integrity easily, including taking storage/filesystem dumps over dd, checksums for all filesystem files and etc, and i can run also scripts...

smytht

You are using big word, big ideas which we all have to agree with as they are true. No one or almost no one, including me, do not say "It is totally wrong idea" to you but you expect all to say "YES, YES it is great idea, let implement it. Now". If anyone is not fully with you, ...

smytht

Instead wasting time for pompous writing just prepare script which closes all volunerable settings. Help save the World from CIA and NSA :-) Cant we all just get along... :) I have no issue with the NSA or CIA ... they are spies :) and they do spy stuff... :) my efforts here are to improve MT secur...

smytht

You guys should carefully rethink the definition of an exploit. RouterOS already has these checks! It does check also on upgrade. The definition of an exploit is that somebody has found a bug how to overcome or fool these checks. So MikroTik makes new checks and more security wizards. This does not...

smytht

5 posts in a row is some kind of record in this forum smytht . what can I say I care.. and I hate forums... the fact im posting on it tells you how seriously I view the issue My bottom line is I do not see this issue as cause to start global revolution and i don't remember any other issues to do so...

smytht

2) I would like to see a bug bounty program from MikroTik and crowd source expertise and reward responsible security issue disclosure to MikroTik, How much are you willing to pay for that? Did you notice Mikrotik is really cheap compared to competitors? You can't ask a company to be low-priced and ...

smytht

You have not answered my questions. You are saying that security is important. Yes, it is. You are trying to persuade us that construction company, lock makers, window and glass makers shoud harden their products as you want to be safe in your home. They ought to list all security problems which th...

smytht

2) I would like to see a bug bounty program from MikroTik and crowd source expertise and reward responsible security issue disclosure to MikroTik, How much are you willing to pay for that? Did you notice Mikrotik is really cheap compared to competitors? You can't ask a company to be low-priced and ...

smytht

The best solution is to always keep your device up to date, always do the maximum possible in securing your devices and keep following announcements and news. Still it is nice, also, if manufacturer(Mikrotik) provide some inspection tools, that makes job of implant authors much harder, and customer...

smytht

The best solution is to always keep your device up to date, always do the maximum possible in securing your devices and keep following announcements and news. Still it is nice, also, if manufacturer(Mikrotik) provide some inspection tools, that makes job of implant authors much harder, and customer...

smytht

Well of course, but as you can see in this situation, many of the big router manufacturers are facing the same issues or even much bigger ones. I guess this type of risk has always existed and in theory - always will. The best solution is to always keep your device up to date, always do the maximum...

smytht

Too many words to describe situation when the admin simply does not care about firewall rules. Im not sure what you mean by that ....[ciach-ciach] ....in other words it is not good enough to say Oh firewall the vulnerable services and everything will be ok ... Easy questions: Do you left access to ...

smytht

in other words it is not good enough to say Oh firewall the vulnerable services and everything will be ok ... Who said that? MikroTik has found the vulnerability and released a patch. This was done by carefully parsing all the discussions in the leaked documents. There are enough hints as to how it...

smytht

Too many words to describe situation when the admin simply does not care about firewall rules. Im not sure what you mean by that I Certainly care about Firewall rules and Im saying there are times you cant firewall a service off from the outside world, VPN services are just an example of that that ...

smytht

Yes, this is because all these documents are describing how these "hackers" are configuring their own systems for testing. This explains why they remove firewall and talk about "devel" login. This is because the documents do not describe penetration of remote systems. It describ...

smytht

Yes, this is because all these documents are describing how these "hackers" are configuring their own systems for testing. This explains why they remove firewall and talk about "devel" login. This is because the documents do not describe penetration of remote systems. It describ...

smytht

OpenBSD did implement work around on i386 to get around the lack of NX .. and they actually use multiple architectures to help show up bugs in software that runs across multiple platforms... so a bug that would appear in one platform easily would not appear in another platform that easily, but the b...

smytht

One of my concerns, and what I certainly don't want to continue, is that we all treat this as a single vulnerability and and that 6.37.5 / 6.38.5 solves it... cause it doesn't.....of particular concern is the devel login and its purpose and the process around its design and implementation and the d...

smytht

There has never been any backdoor. "devel" user is created by installing a special debug package by mikrotik staff, which would appear in the packages menu, and allow a new user "devel" to access the device. The user "devel" uses the admin password, so there is no way ...

smytht

One of my concerns, and what I certainly don't want to continue, is that we all treat this as a single vulnerability and and that 6.37.5 / 6.38.5 solves it... cause it doesn't, one of the docs refers to "the many ways" in which to get in to a MikroTik Box, that is of particular concern, I ...

smytht

Mikrotiks Rapid Reaction to the exploits discussed on this thread are to be very much welcomed, however, I have a strong belief that more could be done and should be done to ensure the protection of our routers and firewalls, after all our customers trust us to provide a service and to protect their...

smytht

... Check your Route Filters... Ensure that your AS Prepend is not set to 0

AS prepend should be Greater than or equal to 1

...your AS needs to be prepended at least once on any adverisements to your neighbour in most ISP e-BGP Configurations

smytht

Lads... Im Going.... I think it will be a good one....

Rock On

smytht

DNS Changer Malware Detection Script for MikroTik Router OS Routers. This Script is designed to identify users that are infected by DNS Changer Malware, and will redirect their DNS Requests to Legitimate DNS Servers. The FBi have been operating temporary Good DNS Servers on the IP addresses that wer...

smytht

simply place a specific route for each address and Set the gateway to be the PPPTP Interface if they are all in the same lan eg 10.1.1.0/24 you can just add a route for that network with the gateway being the PPPTP Interface, Remember both Routers (each of the VPN ) must be configured with Routes, (...

smytht

Hello Check the Rx Sensitivity of the Boards you want to compare, the lower the number the better for Rx Sensitivity -97dB would see twice as far as -91dB Card, 6 db ---> 2x Distance 4x Power 3db---> 2x Power also if you need higher data rates you need to look at Rx Sensitivity for that particular d...

smytht

HI mobinz... Looks like you probably dodged the bullet.. .and got hit with an automated worm rather than a determined attacker, simply Net install the router to be absolutely certain, and you should be fine... socks / web proxy would be an ideal start point...for an attacker if they didnt use it hap...

smytht

... 2.4 GHz.... not so good... I would Suggest 5GHz Stuff... for higher Client Density... High Density... use 4xxAH boards /or 7xxGs for maximum performance Use R52Hn for best performance and Range, Turn off Default Forward and use Nv2 for best performance if using 2Ghz you are going to have to use ...

smytht

I think this is a great Idea and MikroTik Should implement it as soon as possible...

Netfilter String Matcher / Firewall string matcher would be more stable than L7 Filters

Legend

smytht

Absolutely ... IT would be a big help for Firwall Engineers Im 100% behind this Idea... Have been begging for it since 2008

smytht

You should be able to to do it by simply dst nat based on Dst address and port,

ie add a dst nat rule for each WAN connection,

ie, Publicip 1:80 dst nat to proxy server 8080
Publickip 2:80 dst nat to proxy server 8080
Contrack Should do the rest for you,

I hope this helps

smytht

To Be honest , I found the Switch Interface on ROS to be a bit clunky... Ithink you would be far better of using the Software mode, ie use 1 bridge for each vlan and add vlan interfaces on trunk ports, and add physical interfaces to the bridge (these would be access ports)... if you want to forward ...

smytht

export compact will reveal any configs they may have added, being honest the one they probably added was web proxy ... that would allow for relaying spam/ attacks etc (TCP based Services)

smytht

oh yeah ,

going forward you should filter all admin services entering a router or disable them,

disable telnet http, api and ftp ( un-encrypted services) ...

Avoid Upnp like the plague, it is inherently insecure

Thanks,

smytht

Hi Mobiunz It Depends on the sensitive nature of the site, Ideally 1) Isolate the Compromised router, 2) try to check logs and configuration for clues to the perpetrator 3) if router is running > 5.12 then try export compact to see exactly what happened, 4) audit all systems behind the router... (an...

smytht

Im not sure what the Signature Is for ... however, I would suggest the following, 1) Remove the URL from the webpage (this causes false positives ) in relation to Web Scanner Software for XSS 2) Remove the Time / Date fro the Webpage as this gives an attacker the Time on the Proxy (gives them feedba...

smytht

Hi Omega -00 :) Sorry to hear about your installation issues with the PE 1950 Server ... I have good experience in operating these great servers, ... however the SAS / SATA Controller is custom and MT ROS does not in Seeing custom hardware such as the SAS5i / SAS6ir / PERC 5/6, I do know how you fee...

smytht

Hi Jan, How is it going ? I have setup a Radius server in a similar manner... Make sure you set up the user with the correct pool name (which im sure you have) http://wirelessconnect.eu/images/stories/support/mikrotik_forum/usermanager.jpg http://wirelessconnect.eu/images/stories/support/mikrotik_fo...

Search found 45 matches