webfig access via public ip

I think it is a security issue to have your router directly accessible via your public IP address. How do I change the way of accessing my router through Webfig? I am using v5.2.

Attached is a snapshot of how vulnerable the router is to anyone who knows my IP address.

Set in /ip services allowed address range
or set up firewall rules to block access from public interface.

Hi mrz,

I’m using ports 80 and 433 on the RB, but I don’t need Webfig.
The RB shows the username directly in Webfig… why? That is a big issue.
How can I block access to Webfig in general (not over local and public interface)?
Please help me! Thanks in advance.

Webfig automatically logs in, if you have an “admin” user with no password. Remove the admin user, and Webfig will not log in.

@paka

disable http and www and https command

ip service disable numbers=2,4


http://wiki.mikrotik.com/wiki/Manual:IP/Services

Thanks for answers!

@normis

  1. I’ve changed the username “admin” … but Webfig still shows “admin”. What is this?
    Where does this name come from?
    Note: temporary files have already been removed from the browser; I checked it on two PCs … and got the same result.
    (changed through Winbox → System → Users → system default user “admin”)

  2. Regardless, that’s not a nice solution. Please add a function in a future version with which we can disable the Webfig service.
    I think it will take no great effort, right?

@mixing

I cannot disable “www” and “www-ssl”, because I use “www” for the web server and “www-ssl” for the User Manager.

Paka, “admin” is predefined in that page. It has no information about your actual username. It just guesses.

If you completely want to disable that page, email support about a branding package, that lets you customize the HTML

Why is it predefined? It is not difficult to write it oneself :)
I upgrade constantly, whenever a new version comes out. So should I always send the email for each new version to receive the modified HTML, or is that not needed?

Paka, maybe it is confusing for you - but for a new customer, when he connects to the device, it is nice that he doesn’t need to look for default username in the manual. He is automatically logged in, where he sees Quickset.

Normis, ok
You have not answered the second question :(

Webfig is the main configuration option on RouterOS. I still don’t understand why you want to disable it?

/ip service set www address="" disabled=yes port=8080

For safety reasons we have blocked all connections for configuring the device over the public IP. But it is still reachable with Webfig.
If I leave the access to Webfig, what remains of my security concept?

Block access from public interface in firewall.

How can i do that? Thank you for your help!

mrz, please answer

/ip firewall filter
add chain=input in-interface= dst-address= protocol=tcp port=80 action=drop

@mrz
@linek1980

I need the ports 80, 443. See my posts above:
port 80 - for “www” (forwarding to web server), port 443 - for “www-ssl” (User Manager)

Yes, so with this firewall rule I can block these ports. But I need these for my services …
Any ideas?

For now, as a workaround, maybe a proxy with an access-list can be used to limit access to certain pages available on the router.

User Manager and Hotspot you don’t need on the public interface. The rule only blocks them on the public port.
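
The advice in this thread (password on admin, allowed address range in /ip service, input-chain drop on the public interface) combined into one RouterOS configuration, as an added example that is not part of the original posts. The interface name ether1-wan, the subnet 192.168.88.0/24, the server address 192.168.88.10 and the password are assumptions; it also assumes port 80 reaches the web server through a dst-nat rule and that the user is still named admin.

```routeros
# Added example. Assumed names and addresses:
#   ether1-wan      = public (WAN) interface
#   192.168.88.0/24 = LAN subnet allowed to manage the router
#   192.168.88.10   = internal web server published on port 80

# 1. Give the admin user a password so Webfig no longer logs in automatically.
#    (Use the new name here if the user has been renamed.)
/user set admin password="CHANGE-ME-long-random-passphrase"

# 2. Limit the router's own HTTP/HTTPS services (Webfig on www, User Manager
#    on www-ssl) to the LAN subnet.
/ip service set www address=192.168.88.0/24
/ip service set www-ssl address=192.168.88.0/24

# 3. Publish the internal web server. dst-nat rewrites the destination before
#    the routing decision, so this traffic passes through the forward chain
#    and is never seen by the input chain. If the forward chain is filtered,
#    it needs a matching accept rule.
/ip firewall nat add chain=dstnat in-interface=ether1-wan protocol=tcp \
    dst-port=80 action=dst-nat to-addresses=192.168.88.10 to-ports=80 \
    comment="publish internal web server"

# 4. Drop connections addressed to the router itself on 80/443 when they
#    arrive on the public interface. Forwarded web traffic is unaffected.
/ip firewall filter add chain=input in-interface=ether1-wan protocol=tcp \
    dst-port=80,443 action=drop comment="no Webfig or User Manager from WAN"

# 5. Review the result.
/ip service print
/ip firewall filter print where chain=input
```

After applying it, a request to the public IP on port 80 from outside should return the web server's page rather than the Webfig login, and port 443 should not answer from outside at all.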