What is the safest way to allow for management of my Mikrotik router (which is my WAN router and has a public IP on ether1) remotely? In other words, over the Internet? Thank you.
Use non-standard port + Strong Password and username != admin.
Throttle connection attempts. Mikrotik disconnects connection on invalid login, so only allow one connection per 15 seconds.
http://wiki.mikrotik.com/wiki/Bruteforce_login_prevention
I use this sneaky trick:
- Server listens on non-standard port.
- To connect, your IP must be on “TEMP_ALLOW” address list.
- To easily add yourself to the TEMP_ALLOW address list, I try and connect to a “trigger” port. This port doesn’t connect to anything, but there is a firewall input rule that adds src IP to TEMP_ALLOW for 1 hour.
- However, a port scan by a hacker may inadvertently cause him to be added to the TEMP_ALLOW list. So I create another firewall input rule for ports on either side of the trigger port that will put the src-address on a BANNED list. Only an IP that is NOT in the BANNED list will be added to the TEMP_ALLOW list.
- With this method, only 2 additional rules are required.
Thank you. What port does Winbox use to connect and how do I change the listening port on the Mikrotik?
update: I found the IP services list where it shows the ports used by the various services.
I would prefer using VPN over direct connection with port obfuscation.
The VPN part is understood. Can you go into a little more detail on what you mean by port obfuscation?
Port obfuscation just means changing to a different port than default.
Create a new admin and don’t use a common admin name for the username, i.e. don’t use admin.
Use a strong password. And set your firewall to allow only 1 TCP connection per x amount of seconds. This would slow down the brute force attack. I would think this would be secure enough.
If you use a firewall, don’t choose PPTP with MS-CHAPv2 or MS-CHAPv1 as those have known weaknesses. Use SSTP or L2TP.
Would you please provide the firewall rules for the TEMP_ALLOW list and BANNED list?
Thanks.
You need 2 rules in the filter firewall, in the order below.
In this example my RDP port would be 4000. But first a connection attempt must be made to 4001 before I can connect to 4000. A hacker looking for open ports with a port scan would hit 3399 or 4002 before 4000 and 4001. Once banned, hitting the 4001 port won’t add you to the temp_allow list.
- Chain=input, Protocol=6 (tcp), dst Port=3399,4002, In-Interface=ether1-gateway, Action=add src to address list, Address-List=BANNED
- Chain=input, Protocol=6 (tcp), dst Port=4001, In-Interface=ether1-gateway, src-address-list: ! BANNED, Action=add src to address list, Address-List=TEMP_ALLOW, Timeout=1h
Then for my actual port forwarding rule:
- Chain=dst-nat, Protocol=6 (tcp), dst Port=4000, src-address-list: TEMP_ALLOW, Action=dst-nat, to-address=....
About 10 IPs per week get added to my BANNED list. So I believe that’s 10 hackers per week doing a port scan.
For my clients, I try to take the stunnel route to secure RDP since users tend to forget they have to connect the VPN first.
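The trigger-port / BANNED-list scheme described in the two posts above, written out as RouterOS CLI as an added example (not the poster's own configuration). It goes one step beyond the post by also gating Winbox on the same TEMP_ALLOW list, since that is what the original question was about. Port numbers follow the post; the interface name `ether1-gateway`, the LAN host `192.168.88.10` and the Winbox port `58291` are assumptions.

```routeros
# 1. Move Winbox off its default port 8291 ("port obfuscation" as used in this thread).
/ip service set winbox port=58291

/ip firewall filter
# 2. Ban rule FIRST. A scanner sweeping ports hits 3399 or 4002 before the trigger
#    port and is remembered for a day. address-list-timeout keeps the list from
#    growing forever; the post's rule had no timeout on BANNED.
add chain=input in-interface=ether1-gateway protocol=tcp dst-port=3399,4002 \
    action=add-src-to-address-list address-list=BANNED address-list-timeout=1d \
    comment="scanner trap: ports on either side of the trigger port"

# 3. Trigger rule. One TCP SYN to 4001 from a source NOT on BANNED opens access for
#    an hour. Nothing listens on 4001; the rule only records the source IP and the
#    packet falls through to the drop rule below.
add chain=input in-interface=ether1-gateway protocol=tcp dst-port=4001 \
    src-address-list=!BANNED \
    action=add-src-to-address-list address-list=TEMP_ALLOW address-list-timeout=1h \
    comment="trigger port: add src to TEMP_ALLOW for 1h"

# 4. Winbox on the new port only from TEMP_ALLOW; everyone else on that port is
#    dropped. Both rules must sit above any final "drop all on input" rule.
add chain=input in-interface=ether1-gateway protocol=tcp dst-port=58291 \
    src-address-list=TEMP_ALLOW action=accept comment="Winbox from TEMP_ALLOW only"
add chain=input in-interface=ether1-gateway protocol=tcp dst-port=58291 \
    action=drop comment="Winbox from anyone else"

/ip firewall nat
# 5. The RDP forward from the post: only sources already on TEMP_ALLOW get NATed,
#    so a bare scan of 4000 sees nothing. 192.168.88.10 is an assumed LAN host.
add chain=dstnat in-interface=ether1-gateway protocol=tcp dst-port=4000 \
    src-address-list=TEMP_ALLOW action=dst-nat to-addresses=192.168.88.10 to-ports=3389 \
    comment="RDP forward gated by TEMP_ALLOW"

# Review who has been trapped and who is currently admitted.
/ip firewall address-list print where list=BANNED
/ip firewall address-list print where list=TEMP_ALLOW
```

Rule order matters: `add` appends, so run these on a firewall that does not yet have a catch-all drop, or use `place-before` to put them above it.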