Hey.
Is there any way to access SSH or WINBOX when my RB750G is configured like this?
It looks like your firewall rules explicitly allow winbox, and it looks like you were connecting with it to capture those images, so what’s the problem?
Are you trying to prevent other people from accessing it?
The problem is that I cannot access winbox or ssh remotely with those settings, only locally. When I disable firewall rule #3, then I can access winbox and ssh remotely.
For me firewall rule #3 is secure enough when I run it through https://www.grc.com/x/ne.dll?bh0bkyd2, but if I disable it and run it through GRC again, it shows me some more than 20 closed ports, and for me it ain't secure.
This is why I'm asking how to access ssh and winbox remotely when I have firewall rule #3 active.
You can add a rule or rules above that which accept traffic on the two relevant ports (22 and 8291). You should also do one or more of the following to make that a bit safer:
Frankly anybody who comes knocking on port 22 of my router from the WAN gets blacklisted.
OK, will try those.
Thanks.
Also consider configuring SSH on a nonstandard port. That cuts down on the number of probes like 100x.
While this won’t stop a determined attacker who has specifically targeted you, it will cut down on the number of attempts by scanners looking for easy targets. Sometimes you don’t have to run faster than the charging bear, just faster than the other guy.
OK, I think I have figured it out by doing some reading: firewall rules are processed in the order they appear in the list.
After moving one rule to the correct place, I got what I needed.
Firstly I didn't think rules were processed in order, so I just created them and then had fun fixing them.
So cheers everyone.
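The rule-ordering behaviour the thread ends on, as an added example that is not part of any post: a small first-match evaluator plus a check for rules that can never fire because an earlier rule already decides everything they match. The `Rule` model, the drop-all rule standing in for "rule #3", and the default verdict for unmatched traffic are assumptions made for illustration; only ports 22 and 8291 come from the thread.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

@dataclass(frozen=True)
class Rule:                                  # hypothetical model of one input-chain rule
    action: str                              # "accept" or "drop"
    ports: Optional[FrozenSet[int]] = None   # None = any TCP destination port
    comment: str = ""

    def matches(self, port: int) -> bool:
        return self.ports is None or port in self.ports

def verdict(rules: List[Rule], port: int, default: str = "accept") -> str:
    """First matching rule decides; rules below it are never consulted.
    The default for unmatched traffic is an assumption of this sketch."""
    for rule in rules:
        if rule.matches(port):
            return rule.action
    return default

def shadowed(rules: List[Rule]) -> List[int]:
    """Indexes of rules that can never fire: earlier rules already match
    every port they name."""
    dead = []
    for i, rule in enumerate(rules):
        earlier = rules[:i]
        if rule.ports is None:
            covered = any(r.ports is None for r in earlier)
        else:
            covered = all(any(r.matches(p) for r in earlier) for p in rule.ports)
        if covered:
            dead.append(i)
    return dead

# Constructed rule sets: the same two rules in the two possible orders.
DROP_ALL = Rule("drop", None, "constructed stand-in for rule #3")
ALLOW_MGMT = Rule("accept", frozenset({22, 8291}), "SSH and Winbox")
BROKEN = [DROP_ALL, ALLOW_MGMT]   # accept rule sits below the drop
FIXED = [ALLOW_MGMT, DROP_ALL]    # accept rule moved above the drop

if __name__ == "__main__":
    for name, rules in (("broken", BROKEN), ("fixed", FIXED)):
        reach = {p: verdict(rules, p) for p in (22, 8291, 23)}
        print(name, reach, "shadowed rule indexes:", shadowed(rules))
```

Running a shadow check like this over an exported rule list flags an accept rule that was appended below a broader drop before anyone has to find out by being locked out.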