Locking access to routerboard

Does anyone have any idea how one might ‘lock’ a routerboard from being accessible to anyone unauthorised?

The reason we need this is we are migrating to a licensed band, and don’t want anyone poking around and re-using boards/cards purchased from us in our band in unauthorised applications.

You know how people are - someone will realise that it can do a broad range of frequencies once the upgrade license has been installed, and might use it on their own…

I need a permanent lock that will not allow a hard-reset/reprogram…

We intend using the RB112, and I thought removing the jumper and/or resistor in-line may be a bit of a deterrent to all but the most determined hackers.

Any other less hackable suggestions?

netinstalling it will always clear away your settings, unless you also solder off the serial port and deny admin access (so that he cannot turn on boot from network)

Good thing you mentioned that - hadn’t thought of netinstall/serial

complete locking of the board, even if it would be possible, would bring many issues - for example troubleshooting it.

no - I don’t mean complete lock - only lock to unauthorised access.

Obviously us as the suppliers would retain admin rights…

What’s the possibility of including a ‘disable hardware reset’ switch in future versions of MT?
(with a warning of “disable at your own risk!”)

Regarding the serial port - I guess one could just disable it in the OS rather than de-soldering it? Would this work?

GWISA, could you specify what you want to restrict (physical access or IP access)?

We’d like to restrict any kind of re-configuring possibilities by a client. Once a CPE has been set up, it must not be accessible at all by a client - only by ourselves for re-programming/whatever.

I do not want any possibility of the board being reset and reconfigured in unauthorised applications, especially as the license upgrade opens many more frequencies outside of the unlicensed bands…

first, disable admin user, make a user for yourself, and make a read-only user for client.

that will take care of reconfiguration, but will not take care of reinstall. maybe you can disable the serial ports.

And preventing hard reset? Remove resistor & jumper?

I guess you can use a script with netinstall, a script that will set the configuration in RouterOS.
The particular configuration will be restored when the router is reset.

oh yes! when you install RouterOS with netinstall, and use a script - that script will be loaded after reset. even the hard reset.

Aha! I’ll try that again… didn’t have success with that when I tried it some time back.

Does this mean that the router cannot be reset at all, unless the /sys reset command is used? And that would obviously only be accessible by the admin…

no, unless you reinstall it again with a different script.

Another AHA!

/sys routerboard settings set enable-jumper-reset=no

Bingo!
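
The steps suggested across the thread, collected into one RouterOS script of the kind that could be supplied to netinstall so it is re-applied after a reset. This is an added example, not posted by anyone in the thread; the account names, passwords and the `serial0` port name are assumptions.

```routeros
# Added example; account names and passwords are placeholders.

# 1. Create the supplier's own full-rights account before touching admin,
#    so there is always one working administrative login.
/user add name=supplier-noc group=full password="CHANGE-ME-1"

# 2. Give the customer a read-only login (built-in "read" group).
/user add name=customer group=read password="CHANGE-ME-2"

# 3. Disable the default admin account.
/user disable [find name=admin]

# 4. Stop RouterOS offering a login on the serial port.
#    Assumes the console entry is bound to serial0. This covers the
#    RouterOS login only; for the bootloader side the thread suggests
#    physically removing the serial port.
/system console disable [find port=serial0]

# 5. Ignore the hardware reset jumper (the command given in the thread).
/system routerboard settings set enable-jumper-reset=no
```

As noted in the thread, a reinstall with a different script still replaces this configuration.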