Dear all:
We have problems…
Some guy has an application on their smartphone that can change IP & MAC.
They steal a user’s IP & MAC and use their account.
How can we stop this?
Best regards
Dhcp server-lease Host-Name !!!
It’s very difficult to change the Host-Name with your Android or other smartphone. Scripting using the Hostname resolves your problem in 98% !!!
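{
# Host-Name the offending device sends in its DHCP request
:local hack "Documentos-PC";
# Convert any dynamic lease with that Host-Name into a static one so it can be edited
/ip dhcp-server lease make-static [/ip dhcp-server lease find dynamic=yes host-name="$hack"];
# Block the static lease and tag it with a comment
/ip dhcp-server lease set use-src-mac=yes block-access=yes comment="hack" [/ip dhcp-server lease find dynamic=no host-name="$hack"];
}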
{
:local hack "android-25dfbf8d3d84f047";
/ip dhcp-server lease make-static [/ip dhcp-server lease find dynamic=yes host-name="$hack"];
/ip dhcp-server lease set use-src-mac=yes block-access=yes comment="hack" [/ip dhcp-server lease find dynamic=no host-name="$hack"];
}
{
:local hack "vitinhoo--_-";
/ip dhcp-server lease make-static [/ip dhcp-server lease find dynamic=yes host-name="$hack"];
/ip dhcp-server lease set use-src-mac=yes block-access=yes comment="hack" [/ip dhcp-server lease find dynamic=no host-name="$hack"];
}
In my case this works very well; the problem is when more than one user has the same Host Name or when the Host Name is blank !!!!!!!!! Study your system, observe, search and destroy the Shameless !!!!!!!!!!! Run the script on Scheduler every 1 or 2 minutes!
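An added example (not from any post in this thread): a Python check over DHCP observations that applies the hostname idea above, flagging MACs seen with more than one hostname and leaving out hostnames that are shared or blank, the two cases the post says break the script. The record layout and sample data are constructed, and treating the first-seen hostname as the legitimate one is an assumption.

```python
from collections import defaultdict

# Constructed sample: (time, MAC, hostname) as seen in DHCP requests.
OBSERVATIONS = [
    ("10:00:01", "AA:BB:CC:00:00:01", "alice-laptop"),
    ("10:00:05", "AA:BB:CC:00:00:02", "android-1111"),
    ("10:03:40", "aa:bb:cc:00:00:01", "android-9999"),  # same MAC, new hostname
    ("10:04:10", "AA:BB:CC:00:00:03", "android-1111"),  # hostname used by two MACs
    ("10:05:00", "AA:BB:CC:00:00:04", ""),              # blank hostname
    ("10:06:30", "AA:BB:CC:00:00:01", "alice-laptop"),
]


def analyse(observations):
    """Return (cloned, unsafe_to_block).

    cloned: {mac: [hostnames in first-seen order]} for MACs seen with more
            than one non-blank hostname, a sign that two devices share the MAC.
    unsafe_to_block: hostnames used by more than one MAC, where a
            hostname-based block would also hit another device.
    """
    names_by_mac = defaultdict(list)
    macs_by_name = defaultdict(set)
    for _time, mac, hostname in observations:
        mac = mac.upper()            # MAC case differs between tools
        hostname = hostname.strip()
        if not hostname:
            continue                 # blank hostnames carry no signal
        if hostname not in names_by_mac[mac]:
            names_by_mac[mac].append(hostname)
        macs_by_name[hostname].add(mac)
    cloned = {m: n for m, n in names_by_mac.items() if len(n) > 1}
    unsafe = {h for h, m in macs_by_name.items() if len(m) > 1}
    return cloned, unsafe


def blockable_hostnames(observations):
    """Later-seen hostnames on cloned MACs that no other MAC uses.

    Assumption: the first hostname seen on a MAC belongs to its real owner.
    """
    cloned, unsafe = analyse(observations)
    return sorted(h for names in cloned.values()
                  for h in names[1:] if h not in unsafe)


if __name__ == "__main__":
    print(analyse(OBSERVATIONS))
    print(blockable_hostnames(OBSERVATIONS))
```

Hostnames returned by `blockable_hostnames` are the candidates for the `:local hack` value in the script above; anything in the unsafe set needs a manual look first.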
/ip hotspot host remove [/ip hotspot host find dynamic=yes]
1: set your Hotspot Interface to arp-reply only (in my case the bridge-local)
2: set dhcp server to add-arp=yes
3: add the script to Scheduler and run it every 10 seconds
If I remember well, if you remove the IP pool from the hotspot config (not in DHCP!), the dynamic hotspot hosts are disabled, so you can avoid removing them via script. Worth a try.
That's what 802.1x 2008 and other port security features are for.
802.11ae, 802.11ar, etc. (macsec, portsec, etc.)
But most ISPs “forget to implement them”, sadly.
Relying on “broken by design” ARP or NDP for authentication and security is a naive and fail/fail decision anyway.
There are old Cisco tutorials that actually deal with this and many more hacks; however, there are no attempts to convert this into MikroTik-usable configs, even though MikroTik routerboards have the capability to implement the security.
In fact, some of the tutorials use MikroTik routers for certain things.
Fact is, MikroTik bridging/switching has filters that can be used and applied. Switches can be managed and so on. This sort of security needs to be applied to both the router and layer 2.
I haven't seen any good MikroTik tutorials for quite a few years now. A lot of good MikroTik tutorials are quite old.