Change "factory-defaults"

SwissWISP · November 29, 2012, 2:07pm

Hi

is it possible to change the factory-defaults of a RB?
The goal is to prevent our customers from reseting the router so they can gain access via default user and pw.
Is this possible?

Many thanks for your help!

Mat

SwissWISP · November 30, 2012, 7:24am

anyone?

SwissWISP · December 3, 2012, 10:39am

Hm… does really no one know how to disable the reset button or how to install a default-config with a non-standard password?

Mat

jgellis · March 4, 2013, 3:38pm

Use NetInstall with custom configuration script. ANytime the reset button (or /system reset-configuration) is used, it will revert to the last configuration applied during NetInstall.

prawira · March 5, 2013, 2:12am

has you try :

flashfig at netinstall ??
and disable the jumper reset from winbox ?

P

Davis · March 5, 2013, 9:39pm

As jgellis stated, you can use netinstall to change default config, however:

Users can always use Netinstall to gain access to the router.
Users can buy their own routers and replace RouterBOARDs with them
Disabling reset jumper won’t disable reset button!
Sophisticated users can use special software to reverse engineer (to extract configuration, admin passwords etc.) almost every CPE (customer premises equipment)
In case user would reset RouterBOARD they would have no config there (the same as if they would buy a new routerboard)
Configuration backups would be left after resetting router with reset button, but not with Netinstall (users can extract config, including admin passwords from backups)

I would recommend:

Not using CPE for any restrictions (traffic shaping, firewall rules protecting ISP infrastructure etc.), use your equipment physicaly inaccessible by end users for this
Making CPE administration interfaces inaccessible from internet and other clients (so it’s possible to Winbox to CPEs from ISP internal network)
Using unique passwords for CPEs
Don’t leave backups on CPEs if you haven’t used Netinstall to set custom default password

jgellis · March 6, 2013, 1:14am

I like Davis’s comment:

use your equipment physicaly inaccessible by end users for this

and clarify that most of the custom configuration items could be controlled through the use of PPPoE and Radius, resulting in no useful secrets being stored on the boards.

SwissWISP · March 7, 2013, 10:32am

Thanks for the information.
Netinstall works!

Mat

TJude · May 17, 2013, 2:00am

What if I want to put my own MAC addresses on both ports, and have those load if the user does a hard reset? I guess I’m talking about re-branding.

Or can I use a metarouter to do that?