Lost permissions on router

Hi,

Just tried to update to 7.15.3 and I see that my account has no permissions to do anything.

There are no other accounts, only me and some System account.
Router is on 7.15.1, RB1100

It sounds like your device has been attacked/hacked; there are several reports that a user “system” is created with all privileges and admin is limited to only a few.
http://forum.mikrotik.com/t/router-possibly-hacked/172357/1

Only way out - I believe - is netinstall and start again from scratch.

You were thrown out of your own router. My condolences.

Make an export if possible, that will help you reconfigure after netinstall.

Unless there is some other trick, I don't think so. If it is the same attack as on the given link, the admin user is prevented from opening Terminal.

I still do not understand why ROS does not give any possibility to regain access and/or reset users to default (either admin=nopassword or admin=passwordsticker) by performing some actions that can only be performed if one has physical access to the device.

Or, like Synology has, 2FA. A simple app that generates an OTP that needs to be entered if extra security is needed.

Possibly because that would enable users to steal CPEs from ISPs if the method of regaining access would be too straight-forward (such as password printed on a sticker attached to device itself).

The basic problem in such cases is that firewall config on router is not good enough to defend it from remote attacks. IIRC RB1100 comes with empty default config so creating appropriate firewall rules is entirely on device’s admin.

One common error (present also in Mikrotik’s default config) is that LAN side of router is generally trusted. We all know about exploits which (often with help of a user) compromise some LAN-connected computer which then serves as entry point for further attacks.
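An added example, not part of any post in this thread: a minimal RouterOS input-chain sketch for a router that starts with an empty config, limiting management access to named admin hosts instead of trusting the whole LAN. The interface name, the `mgmt` list and the addresses are constructed placeholders.

```routeros
# Added illustration; ether2, the "mgmt" list and 192.168.88.10 are
# constructed placeholders, adjust them to the actual network.

# Define which interfaces count as LAN (an empty config has no lists).
/interface list
add name=LAN
/interface list member
add list=LAN interface=ether2

# Hosts that are allowed to manage the router.
/ip firewall address-list
add list=mgmt address=192.168.88.10 comment="admin workstation (constructed)"

# Input chain = traffic addressed to the router itself.
/ip firewall filter
add chain=input action=accept connection-state=established,related,untracked \
    comment="replies to connections the router already tracks"
add chain=input action=drop connection-state=invalid
add chain=input action=accept protocol=icmp
add chain=input action=accept protocol=tcp dst-port=22,8291 \
    src-address-list=mgmt comment="SSH/WinBox only from mgmt hosts"
add chain=input action=accept protocol=udp dst-port=53 in-interface-list=LAN \
    comment="DNS for LAN clients, only if the router is their resolver"
add chain=input action=accept protocol=tcp dst-port=53 in-interface-list=LAN
add chain=input action=drop comment="everything else, from WAN and from LAN"

# Turn off management services that are not used and pin the rest
# to the same admin host at the service level.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set www-ssl disabled=yes
set api disabled=yes
set api-ssl disabled=yes
set ssh address=192.168.88.10/32
set winbox address=192.168.88.10/32
```

The final drop rule applies to LAN sources as well, so a compromised LAN computer reaches only the services explicitly accepted above.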

Yeah, then give ISP a hardened bootloader mode which prevents reset. AFAIK this is already possible if I am not wrong by a feature called “protected routerboot”.

But on the other hand: I am not aware of other vendors having such a “reset users but keep config” feature. But I do not have any professional experience with other vendors at all. So I can't tell.

With all due respect, surely they exist, but what is the ratio from_LAN/from_WAN,
more like 1:100
or
more like 1:10000000000000000 zillion
occurring in real life?

@jaclaz: I’m not saying that default setup should block everything from LAN as well. I’m just saying that attacks from LAN are possible and one should not dismiss such possibility when doing a post-mortem (with intent to harden router’s config). Yes, I agree that attacks from WAN are a whole lot more frequent and if one blocks WAN attacks, 99% (if not more) of work is done.

Ah, ok, it should be clear that nothing is ever perfectly secure, but the probabilities of something happening (or not happening) should always be considered when attempting to implement settings or procedures intended as defense or countermeasures.
In a post-mortem it is of course different and until the case is solved all possibilities need to be explored; still, the probabilities should play a part in deciding the priorities of the directions in which the investigations should be carried out.