I have a small network behind a NAT-ed internet connection, ALL ports closed from the internet; however my NVR (Network Video Recorder) was hacked last weekend and it was used for the DynDNS attack: http://thehackernews.com/2016/10/iot-camera-mirai-ddos.html
My network is not reachable from the outside, unless they made a VPN tunnel from inside, but how?
I have only a MikroTik router there and that is it.
Has anyone had anything similar last weekend?
My Hikvision NVR is dead since then; I hope reflashing it will get it back…
I guess you should rather say ‘your NVR was hacked’ and NOT ‘MikroTik hacked’ in the subject of the post. However, the MikroTik could have saved your NVR if you had the right firewall rules configured on it.
Or it connects to a DNS name that was hijacked and the exploit was downloaded.
Lots of those DVR systems create connections automatically. The little webcam I use to watch my kiddo sleep tunnels out to the net and you can connect to it by knowing a serial # or something.
That’s why you need to log incoming and outgoing connections through your firewall. For some reason people only ever log denies, thinking they are fixing a problem by dropping traffic, when the reality is, they ARE the problem.
You are right. In this circumstance, I think it is most probably the DNS name that was hijacked, and the hijacker would be controlling all the DVRs from that point.
Okay guys, the fact is the NVR was hacked, still not sure how, but all coming via MikroTik.
Please someone post the really hacker-proof MikroTik setup, as currently MikroTik is not helping me at all. OK, I am just a regular user.
But I use a Sophos firewall at work, and there we can block outgoing traffic too, even by application signature; e.g. if it is OpenVPN traffic we can catch it.
Please post and share best practices for MikroTik. It is a super stable device, but it looks like a wide open door as well.
I am not blaming anything, but this is not good at all.
Here is a firm question then.
How can I set up in MikroTik that one particular host (e.g. the NVR) can only reach an IP or a DNS name (IP range)?
This is very easy to set up in a Sophos firewall, but I am not very familiar with MikroTik.
So, if I could do this with MikroTik, then the NVR could only reach the camera vendor’s cloud and they could not use it for DDoS stuff.
Is there an instruction or wiki on this? Again, I just want to secure this great little toy, so at least the MikroTik users won’t be affected next time.
There is no hacker-proof. And you can’t even get close with MikroTik. A couple of lacking features off the top of my head that prohibit their use as a firewall in an enterprise/SMB environment:
SSL decryption and inspection.
Application identification/policy.
IDS/IPS signatures.
Vulnerability signatures.
In simple terms, what you need is to set up the firewall to accept all you want to pass through and drop all others. You can modify this and use it as follows. Note that the accept rules must come before the drop rule, in that sequence:
/ip firewall filter
add action=accept chain=forward dst-address=y.y.y.y src-address=x.x.x.x
add action=drop chain=forward src-address=x.x.x.x
Where y.y.y.y is the IP corresponding to the DNS name. x.x.x.x is the IP of your NVR.
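A fuller RouterOS version of the same idea, added here as an illustration and not part of the reply above or of any MikroTik documentation: it pins the NVR to an address list instead of a single IP (so the vendor cloud can be given as a DNS name that the router resolves itself), keeps reply traffic working, and logs every other outbound attempt from the NVR so you actually see what it tries to reach. The NVR address 192.168.88.50, the list name and the vendor endpoints are placeholders; replace them with your own.

```routeros
# Added example, not from the original thread. Placeholders: NVR at 192.168.88.50,
# vendor cloud at 203.0.113.10 / cloud.vendor.example (replace with the real ones).

/ip firewall address-list
add list=nvr-allowed address=203.0.113.10 comment="vendor cloud (placeholder IP)"
# Assumption: RouterOS resolves FQDN entries in an address list on its own and
# refreshes them as the name's records change, so a DNS name can be used here.
add list=nvr-allowed address=cloud.vendor.example comment="vendor cloud (placeholder FQDN)"

/ip firewall filter
# Replies to connections the NVR already opened stay allowed
add chain=forward src-address=192.168.88.50 connection-state=established,related action=accept
# The NVR may open new connections only to destinations on the list
add chain=forward src-address=192.168.88.50 dst-address-list=nvr-allowed action=accept
# Everything else the NVR tries to reach is logged and dropped; the log line is
# the detection signal for a compromised device (see the point about logging above).
# If the NVR resolves names via the router itself, that traffic is in the input
# chain and is not affected; if it uses an external resolver, add that resolver
# to the nvr-allowed list or it will stop resolving.
add chain=forward src-address=192.168.88.50 action=drop log=yes log-prefix="NVR-EGRESS-DROP"

# Check what the NVR has been trying to reach:
/log print where message~"NVR-EGRESS-DROP"
```

Rule order matters in RouterOS: if your filter chain already has other forward rules, these must sit above any general accept rule, or they will never be evaluated.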