Ports open and allowing "Internet" access to Webfig. Shodan.io report.

I see on shodan.io that the following ports are open externally
80, 2000, 8291, 8728.


More info states that

80 / TCP
HTTP/1.1 200 OK
Cache-Control: max-age=31536000
Connection: Keep-Alive
Content-Length: 7063
Content-Type: text/html
Date: Tue, 08 Feb 2022 16:38:33 GMT
Expires: Wed, 08 Feb 2023 16:38:33 GMT
X-Frame-Options: sameorigin


MikroTik RouterOS:
Version: 7.1.1
-1538260461 | 2022-01-11T20:50:45.045237
2000 / TCP
MikroTik bandwidth-test server
\x01\x00\x00\x00
528309196 | 2022-02-04T02:41:25.385111
8291 / TCP
\x13\x02index\x00\x00\x00\x00\x00\x00\x02\x00\x80\x00\x00\x00\x00\x02
2142810711 | 2022-02-05T23:36:31.700023
8728 / TCP
MikroTik RouterOS API Service
\x05!done%=ret=8d93364563e0cf666d18be64b508d168\x00

This is my export config

# feb/09/2022 08:58:18 by RouterOS 7.1.1
# software id = Y7E5-SEZ7
#
# model = RB1100x4
# serial number = D8580E4D7A72
/interface bridge
add name=bridge1
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.1.0/24
/ip dhcp-server
add address-pool=dhcp interface=bridge1 name=dhcp1
/port
set 0 name=serial0
set 1 name=serial1
/queue simple
add limit-at=5M/5M max-limit=100M/100M name=queuebw5 target=192.168.1.0/24
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=ether6
add bridge=bridge1 interface=ether7
add bridge=bridge1 interface=ether8
add bridge=bridge1 interface=ether9
add bridge=bridge1 interface=ether10
add bridge=bridge1 interface=ether11
add bridge=bridge1 interface=ether12
add bridge=bridge1 interface=ether13
/interface detect-internet
set detect-interface-list=all
/interface list member
add interface=ether1 list=WAN
add list=LAN
add interface=bridge1 list=LAN
/ip address
add address=192.168.1.1/24 interface=bridge1 network=192.168.1.0
/ip arp
add address=192.168.1.234 interface=bridge1 mac-address=2C:76:8A:AD:27:86
add address=192.168.1.10 interface=bridge1 mac-address=00:25:90:4B:6B:4B
add address=192.168.1.16 interface=bridge1 mac-address=00:15:5D:01:EA:01
add address=192.168.1.33 interface=bridge1 mac-address=00:15:5D:01:EA:08
add address=192.168.1.35 interface=bridge1 mac-address=00:15:5D:01:EA:09
/ip dhcp-client
add interface=ether1
/ip dhcp-server lease
add address=192.168.1.5 client-id=1:8:55:31:c1:67:57 mac-address=08:55:31:C1:67:57 server=dhcp1
add address=192.168.1.30 mac-address=58:9E:C6:19:81:1D server=dhcp1
add address=192.168.1.100 mac-address=10:BF:48:89:F3:3C server=dhcp1
add address=192.168.1.10 client-id=1:0:25:90:4b:6b:4b mac-address=00:25:90:4B:6B:4B server=dhcp1
add address=192.168.1.40 mac-address=18:16:C9:D0:8B:B2 server=dhcp1
/ip dhcp-server network
add address=0.0.0.0/24 gateway=0.0.0.0 netmask=24
add address=192.168.1.0/24 gateway=192.168.1.1 netmask=24
/ip firewall filter
add action=fasttrack-connection chain=forward comment="fast-track for established,related" connection-state=established,related hw-offload=yes log=yes log-prefix="fast-track for established,related"
add action=accept chain=forward comment="accept established,related" connection-state=established,related log=yes
add action=drop chain=forward comment=invalid connection-state=invalid log=yes log-prefix=invalid
add action=drop chain=forward comment="drop access to clients behind NAT from WAN" connection-nat-state=!dstnat connection-state=new in-interface=ether1 log=yes log-prefix="drop access to clients behind NAT from WAN"
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
add action=dst-nat chain=dstnat dst-port=22022 in-interface-list=WAN log=yes log-prefix=sftp-inleed protocol=tcp src-address=5.150.195.195 to-addresses=192.168.1.22
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
/system clock
set time-zone-name=Europe/Stockholm
/system identity
set name=mt-ro-homered
/tool graphing interface
add allow-address=192.168.1.0/24 interface=bridge1
add allow-address=192.168.1.0/24
/tool graphing resource
add allow-address=192.168.1.0/24

Also I see logon attempts in my logs, but I forgot to copy them and am not sure how to restore those log entries.


I am seriously concerned about this and do not want it. Never had it before using Mikrotik. It was blank.

Advice?
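As an added illustration (my own code, not part of the original post), here is a decoder for the port 8728 banner Shodan recorded. The RouterOS API speaks length-prefixed words grouped into sentences that end with an empty word, so `\x05!done%=ret=…\x00` is one sentence: `!done` followed by `=ret=<32 hex chars>`. That is the reply the API service gives to a `/login` sent without credentials; the `ret` value is the MD5 challenge of the legacy (pre-6.43) login, and the helper at the end computes the matching response. The point for this thread: anyone on the Internet can connect to 8728 and get that far without a password, which both fingerprints the router and gives password-guessing a target. The Shodan bytes are copied from the post above; the password in the usage line is made up.

```python
"""Codec for RouterOS API (TCP 8728) sentences, plus the legacy login response."""
import binascii
import hashlib

# Banner as recorded by Shodan for port 8728 (copied from the post above).
SHODAN_8728 = b"\x05!done%=ret=8d93364563e0cf666d18be64b508d168\x00"


def decode_length(buf, pos):
    """Return (word_length, next_pos) for the variable-length prefix at buf[pos]."""
    b = buf[pos]
    if b & 0x80 == 0:                       # 1 byte:  0xxxxxxx
        return b, pos + 1
    if b & 0xC0 == 0x80:                    # 2 bytes: 10xxxxxx + 1
        return ((b & 0x3F) << 8) | buf[pos + 1], pos + 2
    if b & 0xE0 == 0xC0:                    # 3 bytes: 110xxxxx + 2
        return ((b & 0x1F) << 16) | int.from_bytes(buf[pos + 1:pos + 3], "big"), pos + 3
    if b & 0xF0 == 0xE0:                    # 4 bytes: 1110xxxx + 3
        return ((b & 0x0F) << 24) | int.from_bytes(buf[pos + 1:pos + 4], "big"), pos + 4
    if b == 0xF0:                           # 5 bytes: 11110000 + 4
        return int.from_bytes(buf[pos + 1:pos + 5], "big"), pos + 5
    raise ValueError("invalid length prefix 0x%02x" % b)


def encode_length(n):
    """Inverse of decode_length."""
    if n < 0x80:
        return bytes([n])
    if n < 0x4000:
        return (n | 0x8000).to_bytes(2, "big")
    if n < 0x200000:
        return (n | 0xC00000).to_bytes(3, "big")
    if n < 0x10000000:
        return (n | 0xE0000000).to_bytes(4, "big")
    return b"\xF0" + n.to_bytes(4, "big")


def decode_sentences(buf):
    """Split a byte stream into sentences (lists of words); an empty word ends a sentence."""
    sentences, words, pos = [], [], 0
    while pos < len(buf):
        n, pos = decode_length(buf, pos)
        if n == 0:
            sentences.append(words)
            words = []
        else:
            words.append(buf[pos:pos + n].decode("latin-1"))
            pos += n
    return sentences


def encode_sentence(words):
    """Serialise a list of words as one sentence, e.g. the bare '/login' probe."""
    return b"".join(encode_length(len(w)) + w.encode("latin-1") for w in words) + b"\x00"


def legacy_login_response(password, challenge_hex):
    """Pre-6.43 challenge-response: '00' + md5(0x00 || password || challenge_bytes)."""
    digest = hashlib.md5(b"\x00" + password.encode() + binascii.unhexlify(challenge_hex))
    return "00" + digest.hexdigest()


if __name__ == "__main__":
    (reply,) = decode_sentences(SHODAN_8728)
    challenge = next(w for w in reply if w.startswith("=ret="))[5:]
    print("probe sent:", encode_sentence(["/login"]))
    print("challenge:", challenge)
    print("response for a made-up password:", legacy_login_response("hunter2", challenge))
```

The decoder is the part worth keeping around: pointing it at any captured 8728 stream tells you whether the service answered with a challenge (reachable, unauthenticated) or nothing at all (filtered), which is the test to repeat from outside after the input chain is fixed.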

Your firewall is not complete, herewith the default firewall rules:

/ip firewall filter
add action=accept chain=input comment="accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input comment="accept ICMP" protocol=icmp
add action=drop chain=input comment="drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=accept chain=forward comment="accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="accept out ipsec policy" ipsec-policy=out,ipsec
add action=drop chain=forward comment="drop all from WAN not DSTNATed" connection-nat-state=!dstnat in-interface-list=WAN

This has to be your starting point!

Next step can be making improvements, make sure to read this guide carefully:
https://help.mikrotik.com/docs/display/ROS/Building+Your+First+Firewall

OK, haven’t done that. Did read it though.

I thought the default config had basic protection.

Jeez, so many manual things to do.

The reason I did not look in to this more is that I plan to set up a PFSense or something like that but the hardware for it is not ready.

Once again, your firewall rules are not complete (someone did this…). If you add the ones mentioned above and remove the current ones, your config will be safe.
Unless your device is compromised, then netinstall and reconfigure is the only option.

The default config has basic protection. Someone, or you, either removed the default config or just messed it up.

no the device is not compromised…

eh, well, it works, I see no other logged in sessions… nor any abnormal activity or bw hogs…

Should I expect a message telling me the device is compromised? How do I know for sure?

THIS IS A FRIENDLY MESSAGE FROM YOUR ROUTER
I HAVE BEEN HACKED / TAKEN OVER / CRACKED / ABUSED

PLEASE RESET ME

When you get a Mikrotik Router, it has a default configuration that is an OK starting point.
In this case someone has either removed the default config and added their own, or reset the router with the default configuration opted out in order to build the config from scratch.
It does not go away by itself. So if you have not done it, someone else has done it.
I cannot see anything strange in the config, so it does not look like it's hacked.

Edit:

It was blank.

Do you mean that you get it without any configuration?
If so, you can use Quick Set in winbox/web and set a default configuration that you can add custom stuff to.

I have added

/ip firewall address-list
add address=192.168.1.2-192.168.1.254 list=allowed_to_router
/ip firewall filter
add action=accept chain=input comment="default configuration" connection-state=established,related
add action=accept chain=input src-address-list=allowed_to_router
add action=accept chain=input protocol=icmp
add action=drop chain=input

As a start to protect the router. Will review more as posted by @Erlinden

I do not know what I may have done to remove the basic protection some of you refer to, but I did reset the router and followed the startup instructions before implementing everything posted here and above.


@Jotne: The “blank” part was my shodan.io lookup before The Age of Mikrotik, when my Asus Router handled this.

How do I know for sure?

You actually never know for sure, if the device has been exposed unprotected to the internet or a malicious network.

Read about “rootkit”. A well-known kind of malware that is able to stay hidden, even from the strongest debug tools. (And RouterOS tools give no access to the Linux layer.) That’s why NetInstall is the only safe option after suspicion of being compromised.

I know, I may be a noob when it comes to Mikrotik, but I have dealt with these kinda things before and at work.

If this was even possible, no malware would ever exist. Because if the router was able to detect that it has been compromised, it could also self-repair - it’s the detection part that is complicated.

Default firewall rules of SoHo models of Mikrotik form a pretty good firewall against malware attacking your network directly from outside. If you start tampering with it before understanding what that actually means, the only thing the Mikrotik folks could do about that is to make the router scream as soon as you change anything in the firewall configuration.

The default firewall rules are totally useless against threats coming from inside your LAN. Mikrotik does not do deep packet inspection and TLS man-in-the-middle sniffing, so it cannot prevent you from downloading malware from an infected web site or downloading an e-mail message with a malware attachment. And such malware running on one of your LAN hosts can then spread across your LAN, and/or try to log in to the Mikrotik itself and modify its configuration or even software.

ok,

got rid of the external port 80 access, not sure exactly which rule did that, but I guess a combo of 2-3 different ones.

then set up the rest, one at a time in the webfig interface

/ip firewall address-list
add address=192.168.1.2-192.168.1.245 list=allowed_to_router
/ip firewall filter
add action=fasttrack-connection chain=forward comment="fast-track for established,related" connection-state=established,related hw-offload=yes log=yes log-prefix="fast-track for established,related"
add action=accept chain=forward comment="accept forward established,related, untracked" connection-state=established,related,untracked log=yes
add action=drop chain=forward comment=invalid connection-state=invalid log=yes log-prefix=invalid
add action=drop chain=forward comment="drop access to clients behind NAT from WAN" connection-nat-state=!dstnat connection-state=new in-interface=ether1 log=yes log-prefix="drop access to clients behind NAT from WAN"
add action=accept chain=input comment="default configuration, input accept established,related,untracked" connection-state=established,related,untracked src-address-list=""
add action=accept chain=input comment="allowed to router" log=yes src-address-list=allowed_to_router
add action=accept chain=input comment="icmp allowed" log=yes protocol=icmp
add action=drop chain=input comment="drop access"
add action=drop chain=input comment="drop invalid" connection-state=invalid log=yes
add action=drop chain=input comment="drop all not coming from LAN" in-interface-list=!LAN log=yes
add action=accept chain=forward comment="accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="accept out ipsec policy" ipsec-policy=out,ipsec
add action=drop chain=forward comment="drop all from WAN not DSTNATed" connection-nat-state=!dstnat in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
add action=dst-nat chain=dstnat dst-port=22022 in-interface-list=WAN log=yes log-prefix=sftp-inleed protocol=tcp src-address=5.150.195.195 to-addresses=192.168.1.22

will test some more later


hum, seems I am missing something here

add action=accept chain=input comment="default configuration, input accept established,related,untracked" connection-state=established,related,untracked src-address-list=""

I thought @Anav might have a bit of a laugh…

Well I did laugh reading the firewall config :wink:

Check it out, specifically LINK B. - https://forum.mikrotik.com/viewtopic.php?t=182373
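An added check, my own code rather than anything posted in this thread: it parses the `/ip firewall filter` section of an `/export` and reports the three things that went wrong above. First, an input chain with no rules at all (the original export, which is why Webfig on port 80 answered from the Internet: nothing in `/ip firewall filter` touched traffic to the router itself). Second, rules placed after a catch-all `drop` in the same chain, which can never match; in the revised config the "drop access" rule sits before "drop invalid" and "drop all not coming from LAN", so those two are dead. Third, matchers with an empty value such as `src-address-list=""`. The three sample configs are copied from the posts above and abbreviated (ipsec and log-prefix details dropped); `hw-offload` and `log` are treated as non-matcher keys, which is an assumption of this script.

```python
"""Audit the '/ip firewall filter' section of a RouterOS /export for
an empty input chain, rules shadowed by a catch-all, and empty matchers.
Sample configs are constructed from the thread above, abbreviated."""
import shlex

# Keys that do not restrict which packets a rule matches (assumed list).
NON_MATCHER_KEYS = {"action", "chain", "comment", "log", "log-prefix",
                    "disabled", "place-before", "hw-offload"}
TERMINAL_ACTIONS = {"accept", "drop", "reject", "tarpit"}

OP_ORIGINAL = """\
/ip firewall filter
add action=fasttrack-connection chain=forward connection-state=established,related hw-offload=yes
add action=accept chain=forward connection-state=established,related
add action=drop chain=forward comment=invalid connection-state=invalid
add action=drop chain=forward connection-nat-state=!dstnat connection-state=new in-interface=ether1
"""

DEFAULT_RULES = """\
/ip firewall filter
add action=accept chain=input comment="accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input comment="accept ICMP" protocol=icmp
add action=drop chain=input comment="drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=drop chain=forward comment="drop all from WAN not DSTNATed" connection-nat-state=!dstnat in-interface-list=WAN
"""

OP_REVISED = """\
/ip firewall filter
add action=fasttrack-connection chain=forward connection-state=established,related hw-offload=yes log=yes
add action=accept chain=forward connection-state=established,related,untracked log=yes
add action=drop chain=forward comment=invalid connection-state=invalid log=yes
add action=drop chain=forward connection-nat-state=!dstnat connection-state=new in-interface=ether1 log=yes
add action=accept chain=input comment="input accept established" connection-state=established,related,untracked src-address-list=""
add action=accept chain=input comment="allowed to router" log=yes src-address-list=allowed_to_router
add action=accept chain=input comment="icmp allowed" log=yes protocol=icmp
add action=drop chain=input comment="drop access"
add action=drop chain=input comment="drop invalid" connection-state=invalid log=yes
add action=drop chain=input comment="drop all not coming from LAN" in-interface-list=!LAN log=yes
add action=drop chain=forward comment="drop all from WAN not DSTNATed" connection-nat-state=!dstnat in-interface-list=WAN
"""


def parse_filter_rules(export_text):
    """Return the enabled '/ip firewall filter' rules, in order, as key=value dicts."""
    rules, section = [], None
    for raw in export_text.splitlines():
        line = raw.strip()
        if line.startswith("/"):
            section = line
        elif section == "/ip firewall filter" and line.startswith("add "):
            rule = dict(tok.partition("=")[::2] for tok in shlex.split(line)[1:])
            if rule.get("disabled") != "yes":
                rules.append(rule)
    return rules


def audit(export_text):
    """Findings: input rule count, whether input ends in a drop/reject,
    rules shadowed by an earlier catch-all, and matchers with empty values."""
    rules = parse_filter_rules(export_text)
    chains = {}
    for idx, rule in enumerate(rules):
        chains.setdefault(rule.get("chain"), []).append((idx, rule))
    unreachable, empty_matchers = [], []
    for chain, entries in chains.items():
        catch_all = None  # index of the first terminal rule with no matchers
        for idx, rule in entries:
            matchers = {k: v for k, v in rule.items() if k not in NON_MATCHER_KEYS}
            empty_matchers += [(chain, idx, k) for k, v in matchers.items() if v == ""]
            if catch_all is not None:
                unreachable.append((chain, idx, rule.get("comment", ""), catch_all))
            elif not matchers and rule.get("action") in TERMINAL_ACTIONS:
                catch_all = idx
    inp = chains.get("input", [])
    return {
        "input_rule_count": len(inp),
        "input_ends_with_drop": bool(inp) and inp[-1][1].get("action") in ("drop", "reject"),
        "unreachable": unreachable,
        "empty_matchers": empty_matchers,
    }


if __name__ == "__main__":
    for name, cfg in (("OP original", OP_ORIGINAL), ("default", DEFAULT_RULES), ("OP revised", OP_REVISED)):
        print(name, audit(cfg))
```

Run it against your own `/export` output (paste the file into `audit`) before and after reordering: the fix for the revised config is simply to move "drop access" to the end of the input chain, after which `unreachable` is empty and the chain still ends in a drop.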

Something is blocking the webfig terminal.
Configuration as posted above. Any ideas?

Never mind, works

From the export

model = RB1100x4

The default firewall is added only to home routers. RB1100 is not considered a home router. You can see the list of config types and applied devices here:

Interesting. Learned something new today. So with this type of router, you have to take even more care and maybe ask a professional to set it up.

I am happy to help, sort of. I prefer learning by doing, even if I will admit some of my posts may be confusing to the knowledgeable. :slight_smile:

Those ports I mentioned up top are still marked as open in the shodan.io report, but the router interface no longer pops up. 80 is blocked. I would really like to close that a bit more, but it seems less urgent for now.

Well I started here: https://help.mikrotik.com/docs/display/ROS/Firewall according to Anav’s advice earlier… way earlier, weeks ago. So did not look a lot at those default configs for different models.

The link I noted in this thread is this one…
https://forum.mikrotik.com/viewtopic.php?t=180838

It has reasonable starting points for firewall config.
Also curious as to what this shows on your device, entered into the command line via Terminal…
/system default-configuration print