RB750GL and basic settings - security

Hi all,
I'm new to Mikrotik and I have configured it now. It works fine, but now I'm afraid about security (whether there is something open to hackers). I'm using a mail server and web server on my network (both with IP 192.168.1.200) and a VPN through PPTP.

My configuration is following:

From DSL router to Mikrotik:

Service            External ports   Protocol   Internal ports   Forward to
PPTP               1723-1723        TCP        1723-1723        192.168.100.2
Mail (SMTP)        25-25            TCP        25-25            192.168.100.2
Web Server (HTTP)  80-80            TCP        80-80            192.168.100.2

Mikrotik:
/ip firewall filter print

0 ;;; default configuration
chain=input action=accept protocol=icmp

1 ;;; default configuration
chain=input action=accept connection-state=established
in-interface=ether1-gateway

2 ;;; default configuration
chain=input action=accept connection-state=related
in-interface=ether1-gateway

3 ;;; MAIL
chain=forward action=accept dst-address=192.168.1.200

4 ;;; VPN
chain=input action=accept protocol=tcp dst-port=1723

5 ;;; default configuration
chain=input action=drop in-interface=ether1-gateway

/ip firewall nat print

0 ;;; default configuration
chain=srcnat action=masquerade

1 ;;; MAIL
chain=dstnat action=dst-nat to-addresses=192.168.1.200 protocol=tcp
in-interface=ether1-gateway dst-port=25

2 ;;; PPTP
chain=dstnat action=dst-nat to-ports=1723 protocol=tcp
in-interface=ether1-gateway src-port=1723

3 ;;; WEB SERVER
chain=dstnat action=dst-nat to-addresses=192.168.1.200 to-ports=80
protocol=tcp in-interface=ether1-gateway dst-port=80

So I want to know whether there is something unnecessarily open that can cause harm to my network.

Thanks for all answers and tips.

I’d narrow these rules to just pass the specific ports needed to the specific hosts needed. If possible I’d isolate any servers which will be exposed to the WAN in a “DMZ”. See this thread http://forum.mikrotik.com/t/problem-setting-up-a-dmz-and-other-minor-questions/49516/1 where DJLucas did something very similar.

Are you actually running mail and vpn servers? Or are you just trying to reach servers outside of your LAN?

I’d also go through all the services on the router and make them only accessible to machines on the private part of the LAN. See these areas of the menus:

  • /snmp community
  • /ip service
  • /tool graphing interface
  • /tool graphing resource

BTW - If your forward chain doesn’t include accepts for established and related connections, machines behind the firewall can’t get responses from outside.

Oh, one more thing. Disable any modules and services on the router that you don't need. Less stuff running means fewer open ports, which means fewer places that can be attacked.

I'm running my own mail server and the VPN (PPTP) on the Mikrotik.

You mean I should add dst-port=25 to the MAIL rule?

Thanks.

I would narrow the mail rule to a specific port and the vpn rule to a specific host or hosts. I would also put the mail server and anything else which can be accessed from the outside world on a separate local sub-net on a separate port, and look into some firewall rules to keep spammers from using it as a relay. Limit the number of connections and connection rates, for example. See the wiki article for some ideas: http://wiki.mikrotik.com/wiki/Dmitry_on_firewalling

Securing a LAN is all about limiting access (start by preventing all the incoming connections that you can) and making sure that any systems which are accessible are isolated from the rest of the LAN.

  • If possible none of your router services should be accessible from outside the LAN being protected by the firewall. If you need to expose router services for remote access you should keep them to a minimum, only use encrypted connections like ssh and https, put firewall protections in place against brute force attacks, and not use default ports. (Ssh on port 22 will get attacked about 100x more often than on some nonstandard port like 4422.)

  • Put the mail server and other semi-public servers on port ether2 or ether5, remove it from the default switch group, and make it its own subnet. Make sure that you don't let those machines forward to the other LAN machines unless the private machines initiate the session. Severely limit the services those machines can access on the router (say only DNS and maybe NTP).

There are whole books on this topic so that’s just for starters. The basic rule is disallow everything, and only allow stuff that you absolutely need to.

Ok, so I have set the src-port and dst-port to 25.

And how can I narrow the VPN (PPTP) that is running on the Mikrotik? I'm using it for directly accessing the email and shared folders on the mail server, and also for accessing workstations on the local network with radmin.

Thanks for the tip! I have it now on the same subnet as other workstations.

I have already added the "Protocol classifier", now I'm trying to add the rest. I think that I'm already on some blacklist. :(

And what about the "Service ports" on Mikrotik, like ftp, h323, irc, sip and tftp. May I disable them?

Thanks.

Those are NAT helpers. It's not possible to correctly NAT some protocols, so NAT helpers are needed.

Generally you do not know the src-port of the host connecting.

Just limit it so that from outside, your NAT only dst-nats connections directly to the SMTP port (#25) on the server address, and for VPN, the same thing with the port you use. Also, AFAIR, accept the GRE protocol for tunnels (PPTP needs that).

And do what the other guys have told you; these are good points.

Also, about accessing the router: if you are completely obsessed with security, I would make the router accessible only through an encrypted tunnel. So, create a tunnel, connect to the router. From the outside world, implement port knocking.
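Putting the thread's advice into one RouterOS fragment, added here as an example and not posted by anyone in the thread. It uses the poster's own names (ether1-gateway, 192.168.1.200, LAN 192.168.1.0/24); the vpn-peers address list and its 203.0.113.10 entry are placeholders, and it assumes the original filter and dst-nat rules are removed first, since add appends at the end and rule order matters.

```routeros
# Added example, not from the thread. Assumes the poster's existing filter and
# dst-nat rules were removed first; "add" appends, and order matters.
# WAN = ether1-gateway, server = 192.168.1.200, LAN = 192.168.1.0/24.
# The "vpn-peers" list and its 203.0.113.10 entry are placeholders.

/ip firewall filter
# Forward chain: replies to LAN-initiated sessions must get back in (the point
# raised above), and invalid packets are dropped before anything else.
add chain=forward action=accept connection-state=established comment="replies"
add chain=forward action=accept connection-state=related comment="related"
add chain=forward action=drop connection-state=invalid comment="invalid"
# From the WAN, accept only NEW connections to the published ports on the server,
# instead of the original rule that accepted anything to 192.168.1.200.
add chain=forward action=accept in-interface=ether1-gateway connection-state=new protocol=tcp dst-address=192.168.1.200 dst-port=25,80 comment="MAIL+WEB from WAN"
add chain=forward action=drop in-interface=ether1-gateway comment="drop other WAN forwards"

# Input chain: PPTP terminates on the router itself, so it needs no dst-nat rule.
# It needs TCP/1723 plus GRE; TCP/1723 is limited to known peers.
add chain=input action=accept protocol=icmp comment="icmp"
add chain=input action=accept connection-state=established in-interface=ether1-gateway comment="replies"
add chain=input action=accept connection-state=related in-interface=ether1-gateway comment="related"
add chain=input action=accept protocol=gre in-interface=ether1-gateway comment="PPTP GRE"
add chain=input action=accept protocol=tcp dst-port=1723 in-interface=ether1-gateway src-address-list=vpn-peers comment="PPTP control from known peers"
add chain=input action=drop in-interface=ether1-gateway comment="drop other WAN input"

/ip firewall address-list
add list=vpn-peers address=203.0.113.10 comment="placeholder remote site"

/ip firewall nat
add chain=srcnat action=masquerade out-interface=ether1-gateway comment="LAN to WAN"
# Match dst-port only: the connecting client's source port is ephemeral and unknown,
# so a src-port=25 or src-port=1723 match would silently break the forward.
add chain=dstnat action=dst-nat in-interface=ether1-gateway protocol=tcp dst-port=25 to-addresses=192.168.1.200 to-ports=25 comment="MAIL"
add chain=dstnat action=dst-nat in-interface=ether1-gateway protocol=tcp dst-port=80 to-addresses=192.168.1.200 to-ports=80 comment="WEB SERVER"

/ip service
# Router management only from the LAN, and only over encrypted services.
set ssh address=192.168.1.0/24
set winbox address=192.168.1.0/24
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
```

After applying it, "/ip firewall filter print" and "/ip firewall nat print" should show the rules in exactly this order; a later "add" without place-before lands after the final drop and never matches.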