CHR dhcp-client in defconf

What’s the point of dhcp-client in the default CHR configuration? If CHR is deployed on owned servers, it’s no problem to set up an address through the console or even log in through MAC. I got caught in a situation where I did a fresh CHR installation on a VPS using dd, and was literally too slow to log in through VNC and change the password before getting hacked - because the router received an IP and has no password by default, so I had to request an OS reinstall.

The DHCP client in the default CHR configuration is mainly for convenience, especially when deploying in cloud environments, where automatic IP assignment is available. However, as you experienced, this can create a security issue if the router receives an IP before you’ve had the chance to secure it with a password, leaving it exposed.

In most cases, cloud providers block all access by default using their firewalls, which is an important security measure. You can configure these firewalls to allow access only from your trusted IPs, ensuring that the CHR is protected before starting the instance and completing the initial setup.

IIRC, it’s pretty new that CHR has dhcp in defconf. And firewall stuff is usually an extra service for extra money, pretty unnecessary after you set up your own security.

I think a good thing is to have all stuff like dhcp, L2 discovery, IP services and MAC-access stuff disabled by default, and probably do a prompt at first boot if the user runs the instance in a secure environment to re-enable it. I’m pretty sure anyone who deploys CHR has some sort of console access anyway, and those who deploy bare-metal do it with either IPMI or a monitor attached.

This is literally what happens when you follow the official wiki guide to install CHR into an Ubuntu VPS (curl → unzip → dd) here. While you enter “admin” through VNC, kindly decline an offer to read the full license agreement, and type the new password twice, a bot that scanned the open port just secures your router within a second using the open API port. After that - the API port is changed, I can’t manage users anymore, can’t open a terminal anymore.

Yes, I can prepare the image on my own and so on, but then it should also be stated somehow in the guide. I propose to make the CHR image more secure initially and remove all that stuff, or else state in the guide that the image should be compiled locally with a secure user and extra services disabled. I doubt fixing defconf a bit will hurt convenience a lot.

Use an autorun script.
Example is here http://forum.mikrotik.com/t/simple-bash-script-for-most-kvms-to-install-chr/170559/1
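An added example, not taken from any post in this thread or from MikroTik: a shell function that generates the first-boot RouterOS script an autorun approach would apply, closing the exposure the thread describes (blank admin password, open API port, MAC access and discovery). The function name `make_autorun`, its two arguments and the sample values are assumptions; writing the output into the image is covered by the linked post and is not shown here.

```shell
#!/usr/bin/env bash
# Added example: emit a RouterOS first-boot hardening script for a CHR image.
# make_autorun and its arguments are hypothetical names, not MikroTik tooling.

make_autorun() {
    local password="$1" mgmt_cidr="$2"

    # Refuse short passwords and characters that would break RouterOS quoting.
    if [ "${#password}" -lt 12 ]; then
        echo "password must be at least 12 characters" >&2
        return 1
    fi
    case "$password" in
        *\"*|*\\*|*\$*|*[[:space:]]*)
            echo "password contains unsupported characters" >&2
            return 1 ;;
    esac
    # Management source must be an IPv4 address or CIDR, e.g. 203.0.113.10/32.
    if ! printf '%s' "$mgmt_cidr" |
        grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'; then
        echo "invalid management address: $mgmt_cidr" >&2
        return 1
    fi

    # Password first, then every service the thread names as exposed by default.
    cat <<EOF
# Generated first-boot hardening for CHR (constructed example)
/user set [find name=admin] password="$password"
/ip service disable telnet,ftp,www,www-ssl,api,api-ssl
/ip service set ssh address=$mgmt_cidr
/ip service set winbox address=$mgmt_cidr
/tool mac-server set allowed-interface-list=none
/tool mac-server mac-winbox set allowed-interface-list=none
/tool mac-server ping set enabled=no
/ip neighbor discovery-settings set discover-interface-list=none
/tool bandwidth-server set enabled=no
EOF
}

# Stand-alone use: ./make_autorun.sh '<password>' '<management CIDR>'
if [ "$#" -eq 2 ]; then
    make_autorun "$1" "$2"
fi
```

The DHCP client is left in place on purpose, since on many VPS hosts it is the only way the instance gets its address; the script removes the unauthenticated window instead.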