Usage graphs publicly accessible...

Hi all!

Is there a way to block off public access to the graphs in 2.9? A Google search like http://www.google.com/search?q="configuration+interface+for+RouterOS"&hl=en&filter=0 makes it easy to locate 2.9 Mikrotik units, and the whole world has access to any defined graphs…


Just mentioning it so that 2.9 users are aware of this… :sunglasses:

I agree… however there are some security precautions that should be taken anyhow, like changing from port 80 to something else. If anything is on port 80 at all it's asking for a hack.

Sam

You can configure an allow address for graphs, if you do not want to allow public access to them.

Just one IP address is not enough - an address LIST would be much better.
BTW: This is a problem in many other areas of ROS - maybe a good (and very easy) improvement for the next release!?!?!

Thundercat

I set up my firewall to drop all requests going to my routers/APs and only allow specific IP addresses (i.e. my home, office, etc.).

easy solution huh!? :slight_smile:

You really need to think about what unsolicited traffic you’re allowing into your router from untrusted networks. Work on the principle of Deny everything, then let in what you absolutely need. This is done with the INPUT chain.

In this example, the router operates as a DNS cache and VPN server. So, the required rules in the input chain are as follows:

8   ;;; Drop TCP invalid
     chain=input protocol=tcp connection-state=invalid action=drop

9   ;;; Permit local LAN traffic
     chain=input in-interface=Internal action=accept

12   ;;; Accept Internet Established
     chain=input in-interface=Internet connection-state=established
     action=accept

14   ;;; PPTP Tunnel
     chain=input protocol=gre action=accept

15   ;;; PPTP control
     chain=input protocol=tcp dst-port=1723 action=accept

57   chain=input in-interface=Internet action=drop

Rule 9 is pretty permissive in my example. You may wish to tighten this to restrict access from the local LAN if required. As DNS queries to the ISP are initiated from the router, returned answers will be allowed in by rule 12.

Remote management is handled by using a VPN connection.

Regards

Andrew
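The input chain described in the post above, written out as RouterOS `add` commands, with one extra rule that limits the web interface (and so the graphs) to an address list as suggested earlier in the thread. This is an added example, not Andrew's own configuration; the interface names Internal/Internet follow the post, and the addresses in the list are placeholders.

```routeros
# Trusted management hosts; addresses are placeholders, replace with your own.
/ip firewall address-list
add list=mgmt address=192.0.2.10 comment="office, placeholder"
add list=mgmt address=198.51.100.0/24 comment="home range, placeholder"

# Deny-by-default input chain: rule order matters, the final drop must stay last.
/ip firewall filter
add chain=input protocol=tcp connection-state=invalid action=drop comment="Drop TCP invalid"
add chain=input in-interface=Internal action=accept comment="Permit local LAN traffic"
add chain=input in-interface=Internet connection-state=established action=accept comment="Accept Internet Established"
add chain=input protocol=gre action=accept comment="PPTP Tunnel"
add chain=input protocol=tcp dst-port=1723 action=accept comment="PPTP control"
# Web interface/graphs reachable from the Internet only for the mgmt list (added here, not in the post).
add chain=input in-interface=Internet protocol=tcp dst-port=80 src-address-list=mgmt action=accept comment="Web/graphs from mgmt list only"
add chain=input in-interface=Internet action=drop comment="Drop everything else from Internet"
```

If the web service is moved off port 80 as suggested above, change dst-port in the mgmt rule to match; anything not matched by an accept rule is dropped by the last rule.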