Hello friends
Yesterday I saw something very disturbing.
My two MTs are hacked.
I know netinstall but …
/ip firewall filter
# NOTE(review): chain=output with src-port=23 only drops the router's own replies
# from its telnet server; it does not block inbound connections to telnet (that
# would be chain=input dst-port=23) and protects no other service on the router.
add action=drop chain=output protocol=tcp src-port=23
is good enough
Is there another solution?

Hello friends
Yesterday I saw something very disturbing.
My two MTs are hacked.
I know netinstall but …
/ip firewall filter
# NOTE(review): chain=output with src-port=23 only drops the router's own replies
# from its telnet server; it does not block inbound connections to telnet (that
# would be chain=input dst-port=23) and protects no other service on the router.
add action=drop chain=output protocol=tcp src-port=23
is good enough
Is there another solution?

Post your config. Anything else unusual — scripts entered that you didn't know about?
If you were not secure with your config before what makes you think you know how to deal with it now?
The config is very simple by the way
# model = 2011UAS-2HnD
# serial number =
/interface bridge
add admin-mac=D4:CA:6D:31:F8:59 arp=proxy-arp auto-mac=no comment=LAN mtu=1500 name=bridge1
/interface ethernet
set [ find default-name=ether1 ] speed=100Mbps
set [ find default-name=ether2 ] speed=100Mbps
set [ find default-name=ether3 ] speed=100Mbps
set [ find default-name=ether4 ] speed=100Mbps
set [ find default-name=ether5 ] speed=100Mbps
set [ find default-name=ether6 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether7 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full comment="PHILIPS HMP 5000"
set [ find default-name=ether8 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full comment="Sony Bravia TV"
set [ find default-name=ether9 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full comment="Brother printer"
set [ find default-name=ether10 ] advertise=100M-full,1000M-full comment=WAN
set [ find default-name=sfp1 ] disabled=yes
# NOTE(review): this pptp-in1 binding is disabled, but the PPTP server itself is
# switched on further down (/interface pptp-server server ... enabled=yes).
/interface pptp-server
add comment=VPN disabled=yes name=pptp-in1 user=
# NOTE(review): profile1 accepts wpa-psk in addition to wpa2-psk; the pre-shared
# key is not shown in this export. wlan1 below keeps the SSID "MikroTik".
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa-psk,wpa2-psk eap-methods="" management-protection=allowed mode=dynamic-keys name=profile1 supplicant-identity=""
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce country=bulgaria disabled=no distance=indoors frequency=auto installation=indoor keepalive-frames=disabled \
mode=ap-bridge multicast-buffering=disabled multicast-helper=disabled security-profile=profile1 ssid=MikroTik station-roaming=enabled wireless-protocol=802.11 wps-mode=disabled
/interface wireless nstreme
set wlan1 enable-polling=no
/ip dhcp-server option
add code=43 name=microsoft-disable-netbios-option value=0x010400000002
/ip firewall layer7-protocol
add name=facebook regexp="^.+(facebook.com).*\$"
# NOTE(review): the default IPsec proposal offers 3des only; no stronger cipher is
# listed.
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=3des
/ip pool
add name=pool1 ranges=172.16.0.4-172.16.0.254
/ip dhcp-server
add add-arp=yes address-pool=pool1 authoritative=after-2sec-delay disabled=no interface=bridge1 lease-time=3d name=server1
/ppp profile
add change-tcp-mss=yes name=profile1 only-one=no
/interface pppoe-client
add add-default-route=yes allow=pap,chap comment="ADSL pppoe" disabled=no interface=ether10 keepalive-timeout=60 name=pppoe-out1 profile=profile1 user=
# NOTE(review): the default SNMP community is allowed from 0.0.0.0/0 (any source
# address); whether the SNMP service itself is enabled is not visible in this
# export.
/snmp community
set [ find default=yes ] addresses=0.0.0.0/0
/system logging action
set 0 memory-lines=100
set 1 disk-lines-per-file=100
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=wlan1
add bridge=bridge1 interface=ether6
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=ether7
add bridge=bridge1 interface=ether8
add bridge=bridge1 interface=ether9
# NOTE(review): neighbor discovery stays on for every non-dynamic interface;
# pppoe-out1 is a configured (not dynamic) interface, so it appears to be
# included -- confirm on the running router.
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
# NOTE(review): PPTP server enabled here; with no input-chain drop rule (see
# /ip firewall filter below) its listener appears reachable from pppoe-out1.
/interface pptp-server server
set default-profile=default enabled=yes max-mru=1460 max-mtu=1460
/interface wireless access-list
add
/ip address
add address=172.16.0.1/24 interface=bridge1 network=172.16.0.0
add address=192.168.1.2/24 disabled=yes interface=ether10 network=192.168.1.0
# NOTE(review): MikroTik cloud DDNS is enabled for this router.
/ip cloud
set ddns-enabled=yes
/ip dhcp-server network
add address=172.16.0.0/24 dns-server=172.16.0.1 gateway=172.16.0.1 netmask=24
# NOTE(review): allow-remote-requests=yes makes the router answer DNS queries on
# every interface. The raw and filter rules below drop only UDP/53 arriving on
# pppoe-out1; TCP/53 is not covered by either rule.
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,8.8.8.8,8.8.4.4
# Static entries below sinkhole a handful of ad-serving hostnames to 127.0.0.1.
/ip dns static
add address=127.0.0.1 name=ad-emea.doubleclick.net
add address=127.0.0.1 name=ads2.msads.net
add address=127.0.0.1 name=msntest.serving-sys.com
add address=127.0.0.1 name=sO.2mdn.net
add address=127.0.0.1 name=aka-cdn-ns.adtech.de
add address=127.0.0.1 name=secure.flashtalking.com
add address=127.0.0.1 name=cdn.atdmt.com
add address=127.0.0.1 name=cdn.adnxs.com
add address=127.0.0.1 name=secure.img-cdn.mediaplex.com
# NOTE(review): the input chain holds only the UDP/53 log+drop pair (plus one
# disabled L7 rule). There is no accept for established/related and no final
# drop, so every listener under /ip service below is reachable from pppoe-out1
# unless the service's own address= restriction stops it.
/ip firewall filter
# NOTE(review): chain=output src-port=23 only silences replies from the router's
# telnet server; it does not block inbound connections (chain=input dst-port=23).
add action=drop chain=output protocol=tcp src-port=23
add action=fasttrack-connection chain=forward comment="fasttrack established+related" connection-state=established,related
add action=accept chain=forward comment="Established connections" connection-state=established
add action=accept chain=forward comment="Related connections" connection-state=related
add action=log chain=input comment="DNS flood log" dst-port=53 in-interface=pppoe-out1 log-prefix="DNS flood" protocol=udp
add action=drop chain=input comment="DNS flood drop" dst-port=53 in-interface=pppoe-out1 protocol=udp
add action=log chain=forward comment="Log invalid connections" connection-state=invalid log-prefix=INVALID
add action=drop chain=forward comment="Drop invalid connections" connection-state=invalid
# Forward chain: new WAN connections that were not dst-natted are logged and dropped.
add action=drop chain=forward comment="Drop new connections from internet which are not dst-natted" connection-nat-state=!dstnat connection-state=new in-interface=pppoe-out1 log=yes \
log-prefix="Drop new connections not dst-natted"
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here"
add action=drop chain=input comment="block facebook via L7" disabled=yes layer7-protocol=facebook
/ip firewall nat
add action=masquerade chain=srcnat out-interface=pppoe-out1 to-addresses=0.0.0.0
# NOTE(review): raw drop matches UDP/53 only; see the /ip dns note above.
/ip firewall raw
add action=drop chain=prerouting dst-port=53 in-interface=pppoe-out1 protocol=udp
/ip ipsec policy
add dst-address=0.0.0.0/0 src-address=0.0.0.0/0 template=yes
/ip proxy
set cache-path=web-proxy1 parent-proxy=0.0.0.0
/ip route
add distance=1 gateway=pppoe-out1
# NOTE(review): winbox is allowed from 0.0.0.0/0 and, given the input chain above,
# is reachable from the Internet. telnet and ftp (plaintext protocols) remain
# enabled but limited to 172.16.0.0/24; www and api are disabled; ssh and api-ssl
# are limited to the LAN.
/ip service
set telnet address=172.16.0.0/24
set ftp address=172.16.0.0/24
set www address=172.16.0.0/24 disabled=yes
set ssh address=172.16.0.0/24
set api disabled=yes
set winbox address=0.0.0.0/0
set api-ssl address=172.16.0.0/24
/ip smb
set allow-guests=no comment="" domain=Workgroup
/ip smb shares
set [ find default=yes ] disabled=yes
add directory=/disk1 name=share1
# NOTE(review): user "User" has read-only=no (write access to share1 on /disk1);
# its password and whether SMB is enabled are not visible in this export.
/ip smb users
add name=User read-only=no
# NOTE(review): allow-none-crypto=yes permits SSH sessions negotiated without
# encryption; forwarding-enabled=remote allows remote port forwarding through the
# router's SSH server.
/ip ssh
set allow-none-crypto=yes forwarding-enabled=remote
# NOTE(review): UPnP is enabled with pppoe-out1 as the external side, so LAN hosts
# can request WAN port mappings without an administrator change.
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=bridge1 type=internal
add interface=pppoe-out1 type=external
/lcd
set backlight-timeout=5m read-only-mode=yes
/lcd interface pages
set 0 interfaces=sfp1,ether1,ether2,ether3,ether4,ether5,ether6,ether7,ether8,ether9,ether10
# NOTE(review): PPTP account "netmaster"; its password is not shown in this export.
/ppp secret
add local-address=172.16.0.1 name=netmaster profile=profile1 remote-address=172.16.0.11 routes=172.16.0.1 service=pptp
/system clock
set time-zone-name=Europe/Sofia
/system ntp client
set enabled=yes primary-ntp=129.6.15.28 secondary-ntp=129.6.15.29
/system routerboard settings
set boot-delay=9s
# NOTE(review): all three schedules run with
# policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive, far more than
# a DDNS update or an interface bounce needs. schedule1 (disabled) sends the DynDNS
# username and password over plain http (/tool fetch mode=http ... user= password=).
# schedule2 is enabled and passes $ddnspass as the dns-update key. Both credential
# fields are empty in this export.
/system scheduler
add comment="DynDNS updater" disabled=yes interval=1h name=schedule1 on-event="# Set needed variables\r\
\n:local username \"\"\r\
\n:local password \"\"\r\
\n:global hostname \".dyndns.org\"\r\
\n\r\
\n:global dyndnsForce\r\
\n:global previousIP\r\
\n:local resolvedIP [:resolve \$hostname]\r\
\n\r\
\n# print some debug info WHEN YOU F___ THIS UP... THIS WILL HELP YOU FIND WHERE.\r\
\n#:log info (\"UpdateDynDNS: username = \$username\")\r\
\n#:log info (\"UpdateDynDNS: password = \$password\")\r\
\n#:log info (\"UpdateDynDNS: hostname = \$hostname\")\r\
\n#:log info (\"UpdateDynDNS: previousIP = \$previousIP\")\r\
\n#:log info (\"UpdateDynDNS: resolvedIP = \$resolvedIP\")\r\
\n\r\
\n# get the current IP address from the internet (in case of double-nat)\r\
\n/tool fetch mode=http address=\"checkip.dyndns.org\" src-path=\"/\" dst-path=\"/dyndns.checkip.html\"\r\
\n:local result [/file get dyndns.checkip.html contents]\r\
\n\r\
\n# parse the current IP result\r\
\n:local resultLen [:len \$result]\r\
\n:local startLoc [:find \$result \": \" -1]\r\
\n:set startLoc (\$startLoc + 2)\r\
\n:local endLoc [:find \$result \"</body>\" -1]\r\
\n:local currentIP [:pick \$result \$startLoc \$endLoc]\r\
\n#:log info \"UpdateDynDNS: currentIP = \$currentIP\"\r\
\n\r\
\n# Remove the # on next line to force an update every single time - useful for debugging,\r\
\n# but you could end up getting blacklisted by DynDNS!\r\
\n# Edit: Not really needed anymore... the result is not equal... Update will happen.\r\
\n\r\
\n#:set dyndnsForce true\r\
\n\r\
\n# Determine if dyndns update is needed\r\
\n# more dyndns updater request details http://www.dyndns.com/developers/specs/syntax.html\r\
\n#This is where we check the DNS record against actual result. Thanks to jimstolz76\r\
\n:if ((\$currentIP != \$resolvedIP) || (\$dyndnsForce = true)) do={\r\
\n :set dyndnsForce false\r\
\n :set previousIP \$currentIP\r\
\n /tool fetch user=\$username password=\$password mode=http address=\"members.dyndns.org\" \\\r\
\n src-path=\"/nic/update\?hostname=\$hostname&myip=\$currentIP\" dst-path=\"/dyndns.txt\"\r\
\n :local result [/file get dyndns.txt contents]\r\
\n :log info (\"UpdateDynDNS: Dyndns update needed\")\r\
\n :log info (\"Thanks Springs! Update Result: \" . \$result)\r\
\n :put (\"Dyndns Update Result: \" . \$result)\r\
\n} else= {\r\
\n :log info (\"UpdateDynDNS: No dyndns update needed\")\r\
\n}" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive start-date=dec/06/2012 start-time=00:00:00
add comment="ChangeIP.org updater" interval=1h name=schedule2 on-event="# Dynamic DNS Update / Simple Edition\r\
\n# Written by Sam Norris, ChangeIP.com\r\
\n# Copyright ChangeIP.com 2009-2010\r\
\n# For support send mail to Support@ChangeIP.com\r\
\n#\r\
\n# 2009-06-22 RouterOS 3.25 Tested\r\
\n# 2009-10-05 RouterOS 4.01rc1 Tested\r\
\n#\r\
\n# OVERVIEW: %\r\
\n# This script will update a ChangeIP.com dynamic dns hostname\r\
\n# with an ip address located directly on an interface.\r\
\n# %\r\
\n# NOTES: %\r\
\n# IF THIS SCRIPT DOES NOT PRODUCE ANY OUTPUT PLEASE COPY AND PASTE IT\r\
\n# AGAIN. THERE PROBABLY IS A LINE BREAK IN THE WRONG PLACE! Once you\r\
\n# have created this script and tested that it works by running it\r\
\n# manually you can schedule it to run every few minutes.\r\
\n# %\r\
\n# CONFIGURATION FIELD DEFINITIONS:\r\
\n# ddnsuser: Enter your ChangeIP.com user id.\r\
\n# ddnspass: Enter your ChangeIP.com password.\r\
\n# ddnshost: Enter the hostname (www.example.com) to update.\r\
\n# ddnsinterface: Enter an interface name - case sensative.\r\
\n# %\r\
\n# %\r\
\n# %\r\
\n# %\r\
\n# % % %\r\
\n# % % %\r\
\n# % % %\r\
\n# %\r\
\n# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\
\n# EDIT YOUR DETAILS / CONFIGURATION HERE\r\
\n# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\
\n:global ddnsuser \"\"\r\
\n:global ddnspass \"\"\r\
\n:global ddnshost \".changeip.org\"\r\
\n:global ddnsinterface \"pppoe-out1\"\r\
\n# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\
\n# END OF USER DEFINED CONFIGURATION\r\
\n# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\
\n\r\
\n:global ddnssystem (\"mt-\" . [/system package get [/system package find name=system] version] )\r\
\n:global ddnsip [ /ip address get [/ip address find interface=\$ddnsinterface] address ]\r\
\n:global ddnslastip\r\
\n\r\
\n:if ([:len [/interface find name=\$ddnsinterface]] = 0 ) do={ :log info \"DDNS: No interface named \$ddnsinterface, please check configuration.\" }\r\
\n\r\
\n:if ([ :typeof \$ddnslastip ] = \"nothing\" ) do={ :global ddnslastip 0.0.0.0/0 }\r\
\n\r\
\n:if ([ :typeof \$ddnsip ] = \"nothing\" ) do={\r\
\n\r\
\n:log info (\"DDNS: No ip address present on \" . \$ddnsinterface . \", please check.\")\r\
\n\r\
\n} else={\r\
\n\r\
\n :if (\$ddnsip != \$ddnslastip) do={\r\
\n\r\
\n :log info \"DDNS: Sending UPDATE!\"\r\
\n :log info [ :put [/tool dns-update name=\$ddnshost address=[:pick \$ddnsip 0 [:find \$ddnsip \"/\"] ] key-name=\$ddnsuser key=\$ddnspass ] ]\r\
\n :global ddnslastip \$ddnsip\r\
\n\r\
\n } else={ \r\
\n\r\
\n :log info \"DDNS: No changes necessary.\"\r\
\n\r\
\n }\r\
\n\r\
\n}\r\
\n\r\
\n# END OF SCRIPT" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive start-date=dec/06/2012 start-time=00:00:00
add comment="disable/enable pppoe ADSL" disabled=yes interval=1d name=schedule3 on-event="/interface disable pppoe-out1\r\
\ndelay 15s\r\
\n/interface enable pppoe-out1" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive start-date=jul/03/2014 start-time=23:58:00
# NOTE(review): script1 is a second copy of the ChangeIP updater used by
# schedule2 (ddnshost is empty here). It is owned by admin, carries the full
# policy set including password, policy and sensitive, and has
# dont-require-permissions=no; the ddnsuser/ddnspass fields are empty in this
# export.
/system script
add dont-require-permissions=no name=script1 owner=admin policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive source="# Dynamic DNS Update / Simple Edition\r\
\n# Written by Sam Norris, ChangeIP.com\r\
\n# Copyright ChangeIP.com 2009-2010\r\
\n# For support send mail to Support@ChangeIP.com\r\
\n#\r\
\n# 2009-06-22 RouterOS 3.25 Tested\r\
\n# 2009-10-05 RouterOS 4.01rc1 Tested\r\
\n#\r\
\n# OVERVIEW: %\r\
\n# This script will update a ChangeIP.com dynamic dns hostname\r\
\n# with an ip address located directly on an interface.\r\
\n# %\r\
\n# NOTES: %\r\
\n# IF THIS SCRIPT DOES NOT PRODUCE ANY OUTPUT PLEASE COPY AND PASTE IT\r\
\n# AGAIN. THERE PROBABLY IS A LINE BREAK IN THE WRONG PLACE! Once you\r\
\n# have created this script and tested that it works by running it\r\
\n# manually you can schedule it to run every few minutes.\r\
\n# %\r\
\n# CONFIGURATION FIELD DEFINITIONS:\r\
\n# ddnsuser: Enter your ChangeIP.com user id.\r\
\n# ddnspass: Enter your ChangeIP.com password.\r\
\n# ddnshost: Enter the hostname (www.example.com) to update.\r\
\n# ddnsinterface: Enter an interface name - case sensative.\r\
\n# %\r\
\n# %\r\
\n# %\r\
\n# %\r\
\n# % % %\r\
\n# % % %\r\
\n# % % %\r\
\n# %\r\
\n# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\
\n# EDIT YOUR DETAILS / CONFIGURATION HERE\r\
\n# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\
\n:global ddnsuser \"\"\r\
\n:global ddnspass \"\"\r\
\n:global ddnshost \"\"\r\
\n:global ddnsinterface \"pppoe-out1\"\r\
\n# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\
\n# END OF USER DEFINED CONFIGURATION\r\
\n# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\
\n\r\
\n:global ddnssystem (\"mt-\" . [/system package get [/system package find name=system] version] )\r\
\n:global ddnsip [ /ip address get [/ip address find interface=\$ddnsinterface] address ]\r\
\n:global ddnslastip\r\
\n\r\
\n:if ([:len [/interface find name=\$ddnsinterface]] = 0 ) do={ :log info \"DDNS: No interface named \$ddnsinterface, please check configuration.\" }\r\
\n\r\
\n:if ([ :typeof \$ddnslastip ] = \"nothing\" ) do={ :global ddnslastip 0.0.0.0/0 }\r\
\n\r\
\n:if ([ :typeof \$ddnsip ] = \"nothing\" ) do={\r\
\n\r\
\n:log info (\"DDNS: No ip address present on \" . \$ddnsinterface . \", please check.\")\r\
\n\r\
\n} else={\r\
\n\r\
\n :if (\$ddnsip != \$ddnslastip) do={\r\
\n\r\
\n :log info \"DDNS: Sending UPDATE!\"\r\
\n :log info [ :put [/tool dns-update name=\$ddnshost address=[:pick \$ddnsip 0 [:find \$ddnsip \"/\"] ] key-name=\$ddnsuser key=\$ddnspass ] ]\r\
\n :global ddnslastip \$ddnsip\r\
\n\r\
\n } else={ \r\
\n\r\
\n :log info \"DDNS: No changes necessary.\"\r\
\n\r\
\n }\r\
\n\r\
\n}\r\
\n\r\
\n# END OF SCRIPT"
# Bandwidth-test server is off; graphing pages are limited to the LAN subnet.
/tool bandwidth-server
set authenticate=no enabled=no
/tool graphing
set store-every=24hours
/tool graphing interface
add allow-address=172.16.0.0/24
/tool graphing queue
add allow-address=172.16.0.0/24
/tool graphing resource
add allow-address=172.16.0.0/24
[admin@MikroTik] >
The default rule at the ends of the forward and input chains accepts all traffic unless you drop it.
Apart from incoming DNS, you have NO effective filter on the input chain. This is a bad thing ™.
Not quite sure what your use of that output rule is for.
Concur with Sid. Simple, yes — simple to hack, as there is no protection in the input chain firewall rules for the router itself.
Netinstall 7.6 then use this basic novice firewall for starters. - https://forum.mikrotik.com/viewtopic.php?t=180838
Also the scripts at the end: if you do not understand them and what they do, then don't put them back in; they seem way overblown as is.
State instead the requirements for user traffic and router connectivity, and I am sure there are better ways to accomplish the same now.