This post was mostly meant to clarify what happened. I realise that this forum is mostly used by security conscious people.
As far as default passwords go … we will have to think about it. There are pros and cons. It’s up for debate. You see there is already a default firewall, it got removed anyway.
Or even better: Upload ssh public keys to the device
[admin@mikrotik] > /user ssh-keys print
Flags: R - RSA, D - DSA
# USER BITS KEY-OWNER
0 R admin 2048 user@host
and keep always-allow-password-login set to no:
[admin@mikrotik] > /ip ssh set always-allow-password-login=no
Password login is no longer possibly and brute force attack can never succeed.
BTW, the RouterOS ssh server supports port forwarding. So if you want to manage a remote device via web interface you can open ssh service for WAN, but close http/https. Then connected to ssh with port forwarding to port 80/443 enabled and use web interface through the tunnel.
I think the typical scenario is:
- device is bought with pre-6.40 firmware and powered up
- it may or may not be updated to 6.40 or later, that does not matter anymore (when no reset to defaults is done afterward)
- firewall only drops everything new from ether1
- a PPPoE interface is added manually following some youtube video directions, instead of by using Quick Set.
- now the internet-facing interface is ppoe-in1 and it allows all input
This will not happen so easily anymore once devices are shipped with 6.40 or later. Or maybe when the update
procedure detects an all-defaults firewall and updates it to the current one when RouterOS is updated.
Another thing that could be considered is to auto-update to some reliable version (maybe a separate release channel is
to be created for that, which would not include new “risky” developments like 6.41 but could be more current than “bugfix”)
where all devices are regularly updated by default (until the admin disables this behavior, when he doesn’t desire it).
That will at least keep devices uptodate in the hands of inexperienced people.
/ip firewall filter
ensure this is at the top of the rule list
add action=accept chain=input comment=“allow admin access to router from authorized clients” dst-port=22222,8888,8291 in-interface-list=!WAN protocol=tcp
Will be very nice if mikrotik add to the dst-address-type an other option like “local-network” which will refers to all locally connected networks, like the local parameter but instead of using only the local address use the netmask. This rule can be changed and only who is connected to the local networks connected to the router will have access .
That is just a different approach to what is already there. The current firewall uses interface lists to group interfaces in categories like WAN and LAN, and filters according to that.
Sometimes it uses “not” operators to make it more failsafe: e.g. using “!LAN” for cases where you would want to write “WAN” makes sure that a new WAN interface is properly handled even when it is not placed in the WAN interface list (because the admin does not know or does not care).
Filtering on address is just a different approach for that. You can do it when you like, but by default it filters on interface.
One of the first steps I take when deploying Mikrotik kit, is generating a local certificate, signing it locally and enabling HTTPS with it, disabling HTTP. This gives the same level of protection that SSH affords.
It would be a step forward if this was done at first boot. Clearly the chain of trust can’t be validated (as with SSH), but it prevents a class of attacks.
True, but that protection is absolutely zero. It only protects you against people sniffing the password, which is unlikely to be
the scenario of the attacks. The problem is keeping the default (empty) password or using an obvious password that can be
found by trying a small list of common passwords. The https is going to do absolutely nothing about that.
A better protection would be to use a certificate for SSH login instead of a password, but I don’t think that is possible with
https right now.
HTTPS per default rather than HTTP would be on the same basis SSH is used rather than eg telnet.
This is in orthogonal and in addition to the obvious of having a unique default password as already suggested.
PeIchl, I completely disagree with your logic.
I am a perfect example. I don’t have any IT degrees or training.
I have used the basic consumer router many moons ago the netgear RT311 (made by zyxel) and then switched to zyxel every since.
I have programmed their routers at a basic level and through work had to once deal with a CrISCO router as well, simply from good advice and reading tons and asking questions.
No one, I know and I mean no one, goes to their local store and buys Mikrotik. It is not a consumer brand. I dont know a single person other than on the forums that owns one.
It is a niche market that attracts those running WISPS, or are comfortable in LINUX, software, and are in the ubiquiti, pfsense, sophos on a PC search for something cheaper than Fortigate or Juniper etc…
Then there are home owners like me that like to dabble, may have some knowledge, and are willing to take the plunge. I read everything I can get my hands on.
Mt99s post was bang on for someone like me, it makes sense, and is really a compilation of bits and pieces one can find on the net but in one spot.
Maybe it is different in your neck of the woods, so I will cut you some slack.
In summary, instead of dissing mt99s comments, you should have said, its not applicable where I live and leave it at that because your statement is complete BS, where I live (in North America).
ref: Daniel, nice suggestion. Right now i turned off everything except WINBOX on the LAN. Changed my SSH port everything else off. I have always resisted getting a cert for my router mainly due to the expense. However I recently came across some certs for a decent price and you have reminded me to revisit and perhaps take the plunge if nothing else to become familiar with the process. [edit, found the link https://cheapsslsecurity.com/}
Normis, please tell Mikrotik to raise their prices, like about 5-10$ should do it. We all want to see you move out of your car and into an apartment. Oh, and, where do I send a razor, that beard is out of control. 
Those won’t buy a MT device in the first place…
Regarding this, that is not actualy the case.
Even with this option set to no (which is by the way already set by default), the SSH password will always work, unless you put the SSH public key, only then it will not work.
The only way to use SSH key and the password, is to set this option to yes.
Is it safe, to have SSH key and always-allow-password-login=yes?
That’s true, but I did not state anything else. If you look at my post this should be clear. Please do not cite just half of important information.
The only way to use SSH key and the password, is to set this option to yes.
Is it safe, to have SSH key and always-allow-password-login=yes?
Well, it allows password login even if an SSH key is uploaded. It’s up to you whether or not that meets your security requirements.
There seems to be a mistake in ipv6 section (wrong prefix length):
add chain=input action=accept protocol=udp dst-port=546 src-address=fe80::/16 comment="accept DHCPv6-Client prefix delegation.
Should probably be:
add chain=input action=accept protocol=udp dst-port=546 src-address=fe80::/10 comment="accept DHCPv6-Client prefix delegation.
So i need to set some random password for those ssh users that i want ONLY ssh key login so that won’t get in other services (winbox,telnet,..) without password ?
Hi,
maybe is better to disable default setting and to remove quick set. RouterOS and MikroTik HW should be configured by technical specialist and not by consumer people who does not understand security. This end user people want something that is “click” and “click” ..for this they could buy other products, but not MikroTik.
In current world more people then before know that security is important.
I personally hate that in MikroTik is quick set to set some default setting and is possible by clicking to set “something” that end user does not understand.
I always reset default configuration to have “no configuration” when I am preparing device for my customers.
When there will be no quick set and no default config - simply nothing - it will not do anything unless you know how to setup.
For this reason usually is good for that people who do not know how to setup to find somebody who could setup it.
I understand that MikroTik wants to sell to everybody, but do you really want to be some horrible technology like very cheap units from TP-link, Ubiquity or others ?
Better is to have some option that everybody who buy MikroTik device have to contact some specialist to set it for him - it will make business good for all of us who are technical specialists and know about it.
I thing there could be some list of specialist(not only certified) and customer could get some advantage with new purchased device which will motivate him or really press him to contact somebody.
There could be some form of discount on first setup from specialist or other promo - I thing it is good theme for MikroTik marketing department.
From my point of view I still see MikroTik devices as something more than cheap router from online shop and something that should be set by some technical specialist.
What do you think of this?
What I think is, automate what MikroTik has said for a million time: Securing your router - RouterOS - MikroTik Documentation
@DarkNate … why you quote whole previous post just to add one line sentence? Why you do not “post reply”?
Please read this http://forum.mikrotik.com/t/does-quouting-quotes-of-quotes-in-consecutive-post-make-any-sense/144357/46 and link in my signature.
Why do you keep spamming every post with your quote spam. People will quote how they want to quote and if you dont like it remove the quote feature.
I am now going to report every single time you fill a thread with your quote spam.
Just to teach users to use forum properly … it’s easy … just press another button.
Ahh okay,
Recommend that when users first join, that becomes part of the instruction set !