This morning I started experiencing problems with the https certificates of various websites such as google, msn etc. In the beginning I thought there was a temporary problem, maybe with google, but after surfing some more I realised it wasn't just google but other sites as well. After upgrading my routers to 6.42.3 from 6.40.4 (main ones are a 1036 and a 1100 used as a load balancer) I started looking into the devices and I found out that there were two entries in the DNS settings, 128.14.6.12 and 13, as DNS servers on the 1100 (load balancing). I removed the entries and all is back to normal. I obviously was hacked. I had all services disabled except www and winbox, on which I changed the default ports (www was changed from day one but I decided to change it again). My bad that I used the default admin account with an 8 digit password (although letters+symbols+numbers), so I've changed the username and the password as well and disabled the admin account. So my question is:
What else should I do to further secure my devices, and is there anything else I should look for in them?
Is there anything I can do about reporting these IPs to someone? From what I found the 128.14.0.0/17 subnet belongs to zenlayer.com (some chinese-usa ISP?)
It seems that one cannot be 100% sure about the extent of damage done by hackers.
It also seems that the cure is as follows:
take device off-line
create full configuration export and copy file off device
thoroughly examine the exported configuration script to find any signs of hacked configuration and remove or repair the compromised configuration part
do netinstall of device
load configuration from sanitized configuration file
make sure you rigorously filter any connectivity possibilities to your router from the internet. If you really need webfig/winbox/any_other_admin access, limit it to a few known remote IP addresses that you (kind of) have under control
Use L2TP/IPSec and do not expose administrative ports
Use aggressive firewall. Ban all IPs that try to connect to ports with no services listening.
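The review and lock-down steps above, written out as RouterOS commands. This is an added example, not configuration from the thread or from MikroTik documentation; the admin workstation address 203.0.113.10 and the user name netops are placeholders, and the port numbers are the RouterOS defaults.

```routeros
# Added example (not from the thread). Placeholders: admin workstation
# 203.0.113.10, replacement admin account "netops".

# Export the full configuration for offline review, then fetch the .rsc
# file from /file (e.g. over SFTP) before touching anything else
/export file=before-sanitize

# Places where an unwanted change typically shows up in an export: resolver
# settings, proxies and relays, scheduled tasks, scripts and accounts
/ip dns print
/ip socks print
/ip proxy print
/system scheduler print
/system script print
/user print

# Replace the default account: a new named admin, reachable only from the
# workstation address, then disable "admin" rather than deleting it
/user add name=netops group=full address=203.0.113.10/32 password="use-a-long-passphrase-here"
/user disable admin

# Turn off every management service not in use and bind the rest to the
# workstation only (address= accepts a list of addresses or subnets)
/ip service disable telnet,ftp,www,www-ssl,api,api-ssl
/ip service set ssh address=203.0.113.10/32
/ip service set winbox address=203.0.113.10/32

# Verify what is still listening and from where it is reachable
/ip service print
```

Binding the services with address= is the cheap half of "limit it to a few known remote IP addresses"; the firewall input chain should still drop the same ports from everywhere else, so that the restriction does not depend on a single setting.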
For the last one, it seems hackers are using distributed port scans. For my routers, about 1000 unique IPs are slowly checking my ports. I ban these IPs. My rule to block banned IPs says about 10,000 TCP/SYN packets are dropped daily. The rule is near the top, so the banned IPs don’t get to connect to ports that are actually open.
I use this as “first line barrier”.
Proper WAN ports should be added to WAN_LIST and port 65432 in the first rule should be set to port which Winbox access is set to
Rule 1 is straightforward: drop packets that are in the banned list. I put this under my L2TP/IPSec input rule so that if I ban myself, I can VPN in and remove myself.
Rule 2 applies to TCP connections with the SYN flag set and applies to all ports except my services.
Rule 3 is the same but for UDP, in my example above I’m expecting no inbound UDP packets.
I thought that since I was using the INPUT filter, inbound NAT forwarded packets would be excluded from this rule, but it seems they're not. So I explicitly define the ports that this rule applies to.
With default config, a rule to allow established and related already exists. I move this up between Rule 1 and 2. Not sure if this is required.
CPU doesn't get impacted much; my clients aren't load demanding. If you host a busy website you may want to do your own tests.
My banned address list sits at 15,000 entries on a HEX router. If you’re concerned about memory, set the entries to use dynamic timeouts. If your device becomes unstable, just reboot it and the address list is cleared.
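The three rules described above, reconstructed as an added example; the poster's actual rule set is not on the page, so this is not their configuration. It assumes the interface list WAN_LIST and the Winbox port 65432 mentioned above, L2TP/IPsec for administrative access, no inbound UDP services apart from the VPN, and an assumed administrator network 203.0.113.0/24 that must never be banned.

```routeros
# Added example reconstructing the described rules (not the poster's config).
# Assumptions: WAN interfaces are in interface list WAN_LIST, Winbox listens on
# 65432, admin access is over L2TP/IPsec, and 203.0.113.0/24 is the admin network.

# Addresses that must never end up in BANNED (e.g. an office behind one NAT)
/ip firewall address-list add list=ADMIN address=203.0.113.0/24 comment="admin network (assumed)"

/ip firewall filter
# VPN first, so the administrator can always get back in and clear the list
add chain=input action=accept protocol=udp dst-port=500,4500 in-interface-list=WAN_LIST comment="IKE / NAT-T"
add chain=input action=accept protocol=ipsec-esp in-interface-list=WAN_LIST comment="ESP"
add chain=input action=accept protocol=udp dst-port=1701 ipsec-policy=in,ipsec in-interface-list=WAN_LIST comment="L2TP only inside IPsec"

# Rule 1: anything from an already banned source is dropped here, before any
# service port is reachable
add chain=input action=drop src-address-list=BANNED in-interface-list=WAN_LIST comment="Rule 1: banned sources"

# The default established/related rule, moved between Rule 1 and Rule 2 so that
# replies to existing flows are never treated as probes
add chain=input action=accept connection-state=established,related comment="existing flows"
add chain=input action=drop connection-state=invalid comment="malformed"

# Rule 2: a TCP SYN to any port other than the offered service bans the source.
# address-list-timeout makes the entries dynamic, so the list cannot grow forever
# and a reboot or expiry clears it.
add chain=input action=add-src-to-address-list address-list=BANNED address-list-timeout=1d protocol=tcp tcp-flags=syn,!ack dst-port=!65432 src-address-list=!ADMIN in-interface-list=WAN_LIST comment="Rule 2: TCP probe to a closed port"

# Rule 3: the same for UDP. The VPN ports were accepted above, so any other UDP
# packet arriving on WAN is treated as a probe.
add chain=input action=add-src-to-address-list address-list=BANNED address-list-timeout=1d protocol=udp src-address-list=!ADMIN in-interface-list=WAN_LIST comment="Rule 3: UDP probe"

# The one exposed service, then default deny on WAN
add chain=input action=accept protocol=tcp dst-port=65432 in-interface-list=WAN_LIST comment="Winbox on non-default port"
add chain=input action=drop in-interface-list=WAN_LIST comment="everything else from WAN"

# Watching it work: the entries carry the timeout, and the counters on Rule 1
# show how much banned traffic never reaches a service port
/ip firewall address-list print where list=BANNED
/ip firewall filter print stats
```

Two design points differ from the description on purpose. The `src-address-list=!ADMIN` match on Rules 2 and 3 exists because a single scan from behind the same NAT as the administrator would otherwise ban the administrator; and `address-list-timeout=1d` is set from the start rather than only when memory becomes a concern, since a dynamic list bounds both memory use and the lifetime of any mistaken ban.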
To me these look like three static rules.
What I do not understand is where the IP and the BANNED list came from.
Or is there something I do not understand about this?
That is a nice exercise to see what is possible with the firewall, but for actual protection of the router it is of course completely useless.
As it also increases the risk (memory overflowing, or locking yourself out because you are behind the same NAT as some kiddie doing a portscan), I would advise against that. The other options mentioned are good.