block default page on MT

Hi all, how do we block access to the default page on the MT box without killing access to usermanager (at the same address)? If customers drop off the “/userman” they get the default page and the ability to view other customers' PPPoE interfaces.

I really need to make this more secure.


yup... :wink:
For now, we use userman to manage users, and only our admins know about it and have access to it. There are many arguments why our users can't access our '/userman' or '/user'; that's our policy....!!!
Again, this is our opinion...

regards
Hasbullah.com

Thanks Balimore, I just realised it's not the “/userman” but the “/user” that they need access to for changing their own password, looking at usage, etc.

Can the developers put some kind of “switch” to disable the default page at the routers root URL?


Since userman can't be customized, we never tried to send users through '/userman' or '/user'.
I don't know when 'userman' will be customizable.... !!! :wink:

*) About the default page: I used Apache [local webserver]

regards
Hasbullah.com

I hope this is the right feed for this post.

At all the hotspots using UM I’ve set up, I add a static DNS entry (something like hotspot.clientname.com) which points to the MT. So I tell the client to log on to UM admin using http://hotspot.clientname.com/userman

Clients always forget about the /userman. Any ideas on how to fix this? Perhaps somehow “adding a switch” (as airstream mentioned) to enable Winbox/ROS Default Page only on certain interfaces and userman as default on other interfaces. Or perhaps do it IP based.

I think this is a relatively important thing for many/most clients.

Re, G

You know how you could handle this is to perhaps set up a DNS record in the router of whatever, say, user.customer.com and point that to an IP address of a web server somewhere in your network. Set the default page on the webserver to do a redirect to the correct usermanager page and you’re sorted.

Hope that helps.

Regards
Paul

Hi all, are there any plans to take this security hole seriously? By saying “hole” I don't think it's anything that can be remotely compromised, but customers that hit the root page have the ability to look at other people's PPPoE interfaces. This is a privacy issue right there, especially since in my country we have specific laws that deal with this.

Essentially, viewing other people's records (albeit just interface values) needs to be blocked either by interface or IP, or better, turned off.

Can the developers shed any light?

Cheers

If you are talking about the ‘graphs’ available at the RouterOS webpage: to restrict access per address, specify ‘allow-address’. ‘allow-address’ is available at each graph.


Hi, Best Friend
No, I think we are talking about the default page.....[root page]
Do you have a solution for that..?
Please, your suggestion...

regards
Hasbullah.com

Yes indeed, as Balimore indicated, we want to “turn off” mikrotik’s default root page.

Cheers

Why not change the default www port on the router to something else, then tell the user to go to some webpage on your website or something with a link to the router http://routername:port_number_you_changed_www_to/user.
This is how we get around the problem, it also removes an open port 80 on your router which people always try once they know the address range they are on.

We never ever leave port 80 open !

Regards
Paul


Yes, I know.
Four months ago I tried something like yours, but I think it is a 10% point solution.
So, sorry, we are talking about [how to kill the default page]

regards
Hasbullah.com

I do not see any other opportunity to view information about PPPoE as graphs; graph access is limited using the above-mentioned options.
Access to Winbox, Telnet, or Webbox is not possible for a simple HotSpot (User Manager) user, or even for a User Manager subscriber.

What is the problem with the default page being displayed?

Hi all,

Let's make it simple. I and others want a feature to restrict the mikrotik default web page (change it, turn it off - MORE CONTROL OF THIS COMPONENT), for many reasons, some of which are listed in this thread.

Debating what can be accessed etc. from the default page is irrelevant. Workarounds are not the solution we are seeking, and I have made clear the feature we desperately require.

Are the developers reading this?

BUMP
Still seeking some solution to this, is there any way to disable the default page on MT?

goto ip services
disable www

If I disable the WWW service, there is no access to usermanager.

Change the User manager port to 81.
Create a firewall rule to redirect http traffic destined for the router to port 81.

Thanks for the tip, I can create the firewall rule to do that easily enough, but could you possibly direct me to the command to change the port the Usermanager web interface listens on?

Cheers

We have a 99% workaround. It requires web proxy package. Redirect all inward port 80 requests to proxy with firewall. Create access rules for deny all and one allow rule with IP of MT and “/um*” as the action.

After this, the root page is blocked by proxy and /um* works for the usermanager features.
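
The proxy workaround from the post above, written out as a RouterOS configuration. This is an added example, not something posted by a thread participant: it assumes the RouterOS v3+ `/ip proxy` menu, and the router address 192.0.2.1 and proxy port 8080 are constructed placeholders.

```routeros
# Added example; 192.0.2.1 (router address customers browse to) and
# 8080 (proxy port) are constructed placeholders, not values from the thread.

# 1. Enable the web proxy on a port other than the www service port.
/ip proxy
set enabled=yes port=8080

# 2. Proxy access rules are evaluated top-down and the first match wins,
#    so the single allow rule has to sit above the catch-all deny.
#    path="/um*" is the pattern given in the post; change it to the path
#    your User Manager version is served from (earlier posts in this
#    thread refer to /userman and /user).
/ip proxy access
add dst-address=192.0.2.1 dst-port=80 path="/um*" action=allow \
    comment="User Manager pages only"
add action=deny comment="root page and everything else"

# 3. Redirect inbound HTTP addressed to the router into the proxy.
#    Matching on dst-address keeps transit web traffic out of the proxy;
#    requests the proxy itself makes to the router's www service are
#    locally generated and never pass through the dstnat chain.
/ip firewall nat
add chain=dstnat protocol=tcp dst-port=80 dst-address=192.0.2.1 \
    action=redirect to-ports=8080 comment="router HTTP via proxy"
```

Because the last access rule denies everything that is not the User Manager path on the router itself, the proxy does not act as an open proxy for other destinations. `/ip proxy access print` shows per-rule hit counters, which lets you confirm that root-page requests land on the deny rule.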