It has come to our attention, that somebody has created a script that logs into unprotected devices and sets a password, along with a new identity name. This affects devices that have public IP addresses.
Most MikroTik devices have a firewall on the public interface - please remember that disabling your public firewall is not a good idea. If you have a good reason to open your device to the outside world, make sure you create a new user with a strong password and then disable your default admin user.
Thanks for this post. It is true, we have been receiving many inquiries during this past week regarding articles talking about a MikroTik security break, when it seems all of them have been related to insecure router setup. The steps suggested may seem obvious, but the truth is there are many, many devices out there without the minimum attention to security. Let's secure our routers and avoid a bad reputation for MikroTik / RouterOS.
Set networks for ALL services even if they are disabled.
Set networks for ALL users, with strong passwords.
Disable MAC servers for interfaces that do not need it.
Disable IP Neighbour for interfaces that do not need it.
If deploying RoMON, consider segment key usage and have different hops for different stuff in your net.
Another improvement would be when devices are not shipped with an empty admin password, but initially would have
some password that cannot be so easily guessed from outside. Even using the ether1 MAC address as the initial password
would be better than nothing (as normally the MAC address is not visible to an attacker on the internet).
Of course it is not optimal (an attacker on WiFi can see the MAC address of the WiFi and quite easily guess the ether1 MAC)
but it would be a change that does not require manufacturing changes. The MAC is already on the label and available
to the software.
Other manufacturers are already a step ahead and have an initial password that is printed on the label, and apparently
stored in some flash memory at manufacturing.
It would also be advisable to have a default auto-upgrade or at least an initial upgrade when the device first gets internet
connectivity. That would also be the moment when changes like the above would get incorporated into already manufactured
devices.
I agree that Mikrotik should move toward unique default passwords, which many other manufacturers have done (usually some component of the MAC address). But at least so far, it seems like these defacements have been happening in instances where the router’s administrative services were available from the Internet and no password was set. Admins who open the firewall need to understand the ramifications of what they’re doing. To help keep your router secure from the Internet, here’s what I recommend from most to least important:
Ensure that your administrative services aren’t available on the WAN interface. By default the firewall will prevent this of course. But maybe people either disabled that to get something working and never turned it back on, or forgot to turn it back on, or didn’t realize that Mikrotik devices have an implicit allow at the end of the firewall ruleset. Doing something like the following and moving it to the top of the ruleset would help, assuming you run SSH, HTTP, and Winbox on the default ports with your WAN interface in the WAN interface list:
/ip firewall filter add action=drop chain=input comment="no admin access to router from WAN" dst-port=22,80,8291 in-interface-list=WAN protocol=tcp
Change the admin user name to something else, and set a strong password.
In IP > Services, disable unused services and minimally set custom ports for SSH and HTTP as in the following example:
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh port=22222
set api disabled=yes
set www port=8888
Of course, when setting custom ports ensure that they aren’t available from the Internet as in step 1.
Back to IP > Services: disable unencrypted services (telnet, HTTP, FTP, api) and use encrypted services like SSH and Winbox. If you need a web interface, set up a CA and issue yourself a cert that can be used for HTTPS (custom port for that too). For enabled admin services, I would also consider setting an appropriate network that is allowed as in the following example: /ip service set winbox address=192.168.88.0/24.
Disable the Btest server - it listens on the WAN interface: /tool bandwidth-server set enabled=no
In IP > Neighbors, ensure that discovery is not available on your WAN interface at a minimum.
/ip neighbor discovery-settings
set discover-interface-list=!WAN
In Tools > MAC Server, ensure that only your LAN interfaces are available. I’m less concerned about this from the Internet since it’s layer 2.
/tool mac-server set allowed-interface-list=LAN
/tool mac-server mac-winbox set allowed-interface-list=LAN
Enable strong ciphers on the SSH server, which is command line only: /ip ssh set strong-crypto=yes
This should be the default, and there should instead be a command-line option to disable weak ciphers.
There’s a lot more you can do (disable unused accounts, remove unused packages, etc.), but this list is basically the minimum I’d recommend to protect the router from the Internet. Right now, go to Shodan.io and search for your public IP (you don’t even need a login to do this). You might be surprised what you find there…
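The checklist above (services, the WAN input rule, neighbor discovery, MAC server, Btest server, SSH ciphers) can be checked offline against the text of a /export. The following is an added example, not code from the thread or from MikroTik: it parses the "section / set / add" layout of an export, treats the services that RouterOS 6.x ships enabled as enabled unless the export says disabled=yes (an assumption about defaults), and prints one line per deviation from the list. The two exports embedded in it are constructed samples, not real router output.

```python
"""Offline audit of a RouterOS /export against the hardening checklist in this thread."""
import shlex
from typing import Dict, List, Tuple

# Assumption: these services are enabled by default in RouterOS 6.x, so anything
# the export does not mark disabled=yes is treated as listening on its default port.
DEFAULT_ON = {"telnet": 23, "ftp": 21, "www": 80, "ssh": 22, "api": 8728, "winbox": 8291}
CLEARTEXT = {"telnet", "ftp", "www", "api"}

# Constructed sample: a router left close to a blank config.
WEAK_EXPORT = """\
# constructed sample, not a real export
/ip service
set www port=80
set ssh port=22
/ip firewall filter
add action=accept chain=input comment="allow established" connection-state=established,related
/ip neighbor discovery-settings
set discover-interface-list=all
/tool mac-server
set allowed-interface-list=all
"""

# Constructed sample: the settings recommended in this thread.
HARDENED_EXPORT = """\
# constructed sample, not a real export
/ip firewall filter
add action=drop chain=input comment="no admin access to router from WAN" dst-port=22222,8888,8291 in-interface-list=WAN protocol=tcp
/ip service
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes
set ssh address=192.168.88.0/24 port=22222
set www disabled=yes
set winbox address=192.168.88.0/24
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip ssh
set strong-crypto=yes
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
"""


def parse_export(text: str) -> List[Tuple[str, str, Dict[str, str]]]:
    """Yield (section, verb, params) records; 'set telnet disabled=yes' gives name=telnet."""
    records, section = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):          # a section header such as "/ip service"
            section = line
            continue
        tokens = shlex.split(line)        # handles comment="..." with spaces
        verb, params = tokens[0], {}
        if verb == "set" and len(tokens) > 1 and "=" not in tokens[1]:
            params["name"] = tokens[1]
            tokens = tokens[1:]
        for tok in tokens[1:]:
            key, _, val = tok.partition("=")
            params[key] = val
        records.append((section, verb, params))
    return records


def audit(export_text: str) -> List[str]:
    """Return one finding per checklist item that the export does not satisfy."""
    findings: List[str] = []
    services = {n: {"disabled": "no", "port": str(p)} for n, p in DEFAULT_ON.items()}
    wan_input_drop = False
    discovery = "all"                      # assumed blank-config default
    mac_lists = {"/tool mac-server": "all", "/tool mac-server mac-winbox": "all"}
    btest_enabled = True                   # assumed default
    strong_crypto = False                  # assumed default

    for section, verb, p in parse_export(export_text):
        if section == "/ip service" and verb == "set":
            services.setdefault(p["name"], {"disabled": "no"}).update(p)
        elif section == "/ip firewall filter" and verb == "add":
            if (p.get("chain"), p.get("action"), p.get("in-interface-list")) == ("input", "drop", "WAN"):
                wan_input_drop = True
        elif section == "/ip neighbor discovery-settings":
            discovery = p.get("discover-interface-list", discovery)
        elif section in mac_lists:
            mac_lists[section] = p.get("allowed-interface-list", mac_lists[section])
        elif section == "/tool bandwidth-server":
            btest_enabled = p.get("enabled", "yes") != "no"
        elif section == "/ip ssh":
            strong_crypto = p.get("strong-crypto", "no") == "yes"

    for name, cfg in sorted(services.items()):
        if cfg.get("disabled") == "yes":
            continue
        if name in CLEARTEXT:
            findings.append(f"service {name} is enabled and unencrypted (port {cfg.get('port')})")
        elif "address" not in cfg:
            findings.append(f"service {name} accepts connections from any address")
    if not wan_input_drop:
        findings.append("no input-chain drop rule for in-interface-list=WAN")
    if discovery in ("all", "WAN"):
        findings.append(f"neighbor discovery runs on interface list '{discovery}'")
    for section, lst in mac_lists.items():
        if lst in ("all", "WAN"):
            findings.append(f"{section} allows interface list '{lst}'")
    if btest_enabled:
        findings.append("bandwidth-test server is enabled")
    if not strong_crypto:
        findings.append("ssh strong-crypto is not enabled")
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_EXPORT), ("hardened", HARDENED_EXPORT)):
        print(f"{label}: {len(audit(text))} finding(s)")
        for f in audit(text):
            print("  -", f)
```

Run it against the output of /export saved to a file; the audit is conservative in one direction only, since a rule that drops WAN input via in-interface=ether1 rather than the WAN list is reported as missing and has to be checked by hand.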
mt99, do you really expect that every owner of every MikroTik device would follow such lengthy advice?
really, the only thing that can be done is using good default settings. then some people might improve or customize them,
and those that do not know or do not care are not left vulnerable.
I will assure you that not everyone who buys a MikroTik device will buy and read an O'Reilly book on securing Cisco routers with it!
That is why manufacturers, especially of devices that are also used by home customers, need to sell things that are secure by default.
The firewall is now better than it was before, but of course that only applies to devices that have 6.40 or later firmware and are reset to defaults.
This week I bought a hAP AC, also a device that is sold to home customers, and it came with 6.39.2, so after I upgraded it to 6.41 I still
needed to do a reset to defaults to get the new firewall config.
AND, it still comes with admin-with-no-password and WiFi-with-no-security. These all have to be setup by the customer and there
is NO warning in the user interface that this should be done (I think it is in the leaflet but it has very small grey print that is hard to read).
Other manufacturers are way ahead in this aspect, with unique default admin passwords and unique WPA2 passwords on WiFi for
every device as it comes out of the box. Or prompting to set a password the moment the first logon is done.
yes it is, but the problem is not the people who are familiar with RouterOS or security.
the problem is the users who buy a device, plug it in, look on youtube for a movie made by another beginner on how to setup PPPoE, and stop doing anything once they can surf the web.
THAT is the category of users who now got hacked. it is useless to write about how to secure a router for those people, they won’t read it and probably won’t understand it.
to keep those people safe, the only thing that works is security by default and mandatory security, like unique default password or mandatory password change on first logon.
Following the above steps is good, but having logging configurations in place that notify you when an event occurs (i.e. failed logon attempts/port scanning) AND sending your logs off site is invaluable; if someone gets in, they will probably delete the logs.
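Once the logs are leaving the router, the events worth alerting on are exactly the ones mentioned above. The following is an added example, not code from this thread: it reads RouterOS-style "login failure for user ... from ... via ..." and "user ... logged in from ... via ..." lines (the sample lines are constructed, and the message wording is assumed from RouterOS's account topic) and raises an alert on a burst of failures from one source, on a successful login that follows failures from the same source, on a login from outside an assumed management network, and on a login over a cleartext service.

```python
"""Alert on suspicious RouterOS login events in off-box logs (added example)."""
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import Dict, List

ADMIN_NET = ip_network("192.168.88.0/24")     # assumed management network
CLEARTEXT_SERVICES = {"telnet", "ftp", "www", "api"}
FAIL_THRESHOLD = 5                            # failures per source ...
WINDOW_SECONDS = 300                          # ... within this many seconds

# Constructed sample log, formatted like "/log print" output (message text assumed).
SAMPLE_LOG = """\
jan/02 10:00:01 system,info,account user admin logged in from 192.168.88.10 via winbox
jan/02 10:05:12 system,error,critical login failure for user admin from 203.0.113.5 via ssh
jan/02 10:05:14 system,error,critical login failure for user admin from 203.0.113.5 via ssh
jan/02 10:05:16 system,error,critical login failure for user root from 203.0.113.5 via ssh
jan/02 10:05:18 system,error,critical login failure for user admin from 203.0.113.5 via ssh
jan/02 10:05:20 system,error,critical login failure for user admin from 203.0.113.5 via ssh
jan/02 10:05:25 system,info,account user admin logged in from 203.0.113.5 via ssh
jan/02 11:30:00 system,info,account user myuser logged in from 192.168.88.20 via telnet
"""

FAIL_RE = re.compile(r"^(\S+ \S+) \S+ login failure for user (\S+) from (\S+) via (\S+)")
OK_RE = re.compile(r"^(\S+ \S+) \S+ user (\S+) logged in from (\S+) via (\S+)")


def parse_ts(stamp: str, year: int = 2018) -> datetime:
    """RouterOS prints 'mmm/dd hh:mm:ss' without a year; the year is supplied by the caller."""
    return datetime.strptime(f"{stamp} {year}", "%b/%d %H:%M:%S %Y")


def analyse(log_text: str) -> List[str]:
    """Return alert strings in the order the triggering lines appear."""
    alerts: List[str] = []
    failures: Dict[str, List[datetime]] = defaultdict(list)   # source -> recent failure times

    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if m:
            stamp, user, src, via = m.groups()
            t = parse_ts(stamp)
            # keep only failures from this source inside the sliding window
            recent = [x for x in failures[src] if (t - x).total_seconds() <= WINDOW_SECONDS]
            recent.append(t)
            failures[src] = recent
            if len(recent) == FAIL_THRESHOLD:      # alert once when the threshold is crossed
                alerts.append(f"{stamp}: {FAIL_THRESHOLD} failed logins from {src} via {via} "
                              f"within {WINDOW_SECONDS}s (last user tried: {user})")
            continue

        m = OK_RE.match(line)
        if m:
            stamp, user, src, via = m.groups()
            if via in CLEARTEXT_SERVICES:
                alerts.append(f"{stamp}: user {user} logged in over cleartext service {via} from {src}")
            if ip_address(src) not in ADMIN_NET:
                alerts.append(f"{stamp}: user {user} logged in from {src}, outside {ADMIN_NET}")
            if failures[src]:
                alerts.append(f"{stamp}: successful login by {user} from {src} "
                              f"after {len(failures[src])} recent failures")
    return alerts


if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG):
        print(alert)
```

The same logic can be fed by a syslog receiver; on the router side, the events reach it through a /system logging action of type remote together with a /system logging rule for the relevant topics, which is what "sending your logs off site" amounts to in RouterOS.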
One step to improve RouterOS’ security is to finally make IP > Services bind on specific IPs/Interfaces.
That way even if someone does not set up their firewall properly, those management services can be configured to not be available on the WAN.
It’s much simpler for a novice user to set those services to bind only on LAN interfaces/IPs than set up a proper firewall.
Also it’s helpful for core routers that do not (want to) use any firewall rules at all but still need to limit access to it.
Right now we can only limit the IP ranges that are allowed to connect to those services, but this doesn’t reduce the attack surface much, and they can potentially give out information about the router.
Also, what’s mikrotik’s position on the Spectre and Meltdown CPU bugs that were announced recently?
Can we expect a kernel update for RouterOS for x86?
No, that’s why you script it. I would never hand edit all that stuff, plus scripting eliminates the possibility of mistakes. I have a deployment script that I run on every router that has baseline security settings, plus other things like setting NTP and time zone, logging, and more. Here’s a short example.
# initial deployment script built off of RouterOS 6.41
# remove the hashtags below this line after you've set your values
# set your time zone below
/system clock
# set time-zone-autodetect=no time-zone-name=Country/City
/ip firewall filter
# ensure this is at the top of the rule list
add action=accept chain=input comment="allow admin access to router from authorized clients" dst-port=22222,8888,8291 in-interface-list=!WAN protocol=tcp
/ip service
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes
set api-ssl disabled=yes
set ssh port=22222
set www port=8888
# change the below to your admin network
# set winbox address=192.168.88.0/24
# set your preferred admin username below
# /user set 0 name=myuser
/ip cloud
set update-time=no
/ip neighbor discovery-settings
set discover-interface-list=!WAN
/ip ssh
set strong-crypto=yes
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
To my understanding, RouterOS x86 and CHR are definitely affected, but since you cannot run your own binaries there they cannot be exploited (unless there are other vulnerabilities that allow one to execute arbitrary code on a router). ARM devices may also be affected, but the same “exploitability” considerations apply.
And taking into account the inevitable performance degradation, the necessity to apply Meltdown and Spectre patches to RouterOS is rather arguable.
if you know the username, it is very easy to brute-force simple passwords. if you don’t know the username, brute-force is basically out of the question.
It merely squares the search space.
Anyway, the point is that users are hit that did not take basic security measures. It is useless to post advice, because those users do not read advice.
The only thing that helps is setting up a default configuration that is secure. As of now, the default firewall is much better than before
(because addition of a PPPoE interface does not open the device for world access anymore), but unfortunately the default is determined during
first powerup so routers that are now in the stores often still get the old firewall even when they are upgraded immediately.
What is also still missing is a reasonable default password or security behaviour. I.e. an initial password that is more difficult to guess and/or
the obligation to change the password on the first login.