www-ssl secure?

I just discovered that I can run a batch file (Windows) to call a series of PowerShell scripts to remotely run ROS scripts – and am loving it!

This requires /ip/services/www-ssl to be enabled.

Is there any downside? Security risk?

FYI, this is the thread that helped me:

http://forum.mikrotik.com/t/rest-api-powershell-running-a-script-remotely-from-windows/156792/2

I took that and (being a total non-programmer), I made a batch file with this:

PowerShell -NoProfile -ExecutionPolicy Bypass -Command "& 'C:\users\<windows-user>\Downloads\Invoke-mikrotikrestapi.ps1' -routerip 192.168.0.11 -user admin -password <password> -executionmode script -data 'export-download'"

PowerShell -NoProfile -ExecutionPolicy Bypass -Command "& 'C:\users\<windows-user>\Downloads\Invoke-mikrotikrestapi.ps1' -routerip 192.168.0.13 -user admin -password <password> -executionmode script -data 'export-download'"

PowerShell -NoProfile -ExecutionPolicy Bypass -Command "& 'C:\users\<windows-user>\Downloads\Invoke-mikrotikrestapi.ps1' -routerip 192.168.0.31 -user admin -password <password> -executionmode script -data 'export-download'"

PowerShell -NoProfile -ExecutionPolicy Bypass -Command "& 'C:\users\<windows-user>\Downloads\Invoke-mikrotikrestapi.ps1' -routerip 192.168.0.32 -user admin -password <password> -executionmode script -data 'export-download'"

PowerShell -NoProfile -ExecutionPolicy Bypass -Command "& 'C:\users\<windows-user>\Downloads\Invoke-mikrotikrestapi.ps1' -routerip 192.168.0.80 -user admin -password <password> -executionmode script -data 'export-download'"

PowerShell -NoProfile -ExecutionPolicy Bypass -Command "& 'C:\users\<windows-user>\Downloads\Invoke-mikrotikrestapi.ps1' -routerip 192.168.1.2 -user admin -password <password> -executionmode script -data 'export-download'"

PowerShell -NoProfile -ExecutionPolicy Bypass -Command "& 'C:\users\<windows-user>\Downloads\Invoke-mikrotikrestapi.ps1' -routerip 192.168.2.2 -user admin -password <password> -executionmode script -data 'export-download'"

PowerShell -NoProfile -ExecutionPolicy Bypass -Command "& 'C:\users\<windows-user>\Downloads\Invoke-mikrotikrestapi.ps1' -routerip 192.168.2.5 -user admin -password <password> -executionmode script -data 'export-download'"

PowerShell -NoProfile -ExecutionPolicy Bypass -Command "& 'C:\users\<windows-user>\Downloads\Invoke-mikrotikrestapi.ps1' -routerip 192.168.2.7 -user admin -password <password> -executionmode script -data 'export-download'"

PowerShell -NoProfile -ExecutionPolicy Bypass -Command "& 'C:\users\<windows-user>\Downloads\Invoke-mikrotikrestapi.ps1' -routerip 192.168.20.1 -user admin -password <password> -executionmode script -data 'export-download'"

PowerShell -NoProfile -ExecutionPolicy Bypass -Command "& 'C:\users\<windows-user>\Downloads\Invoke-mikrotikrestapi.ps1' -routerip 192.168.20.5 -user admin -password <password> -executionmode script -data 'export-download'"

PowerShell -NoProfile -ExecutionPolicy Bypass -Command "& 'C:\users\<windows-user>\Downloads\Invoke-mikrotikrestapi.ps1' -routerip 192.168.20.21 -user admin -password <password> -executionmode script -data 'export-download'"

PowerShell -NoProfile -ExecutionPolicy Bypass -Command "& 'C:\users\<windows-user>\Downloads\Invoke-mikrotikrestapi.ps1' -routerip 192.168.20.22 -user admin -password <password> -executionmode script -data 'export-download'"

PowerShell -NoProfile -ExecutionPolicy Bypass -Command "& 'C:\users\<windows-user>\Downloads\Invoke-mikrotikrestapi.ps1' -routerip 192.168.30.2 -user admin -password <password> -executionmode script -data 'export-download'"

PowerShell -NoProfile -ExecutionPolicy Bypass -Command "& 'C:\users\<windows-user>\Downloads\Invoke-mikrotikrestapi.ps1' -routerip 192.168.40.1 -user admin -password <password> -executionmode script -data 'export-download'"

PowerShell -NoProfile -ExecutionPolicy Bypass -Command "& 'C:\users\<windows-user>\Downloads\Invoke-mikrotikrestapi.ps1' -routerip 192.168.70.1 -user admin -password <password> -executionmode script -data 'export-download'"

If I knew a little programming, I could keep a separate list of the router IPs and invoke the ps1 file for each.

But, for now, this is a major time saver over logging into each router and running the script. (Yes, the scripts are scheduled, but sometimes I want to make a manual backup.)

As with every ROS service, if enabled it’s important to protect it from being available too widely. And that’s achieved using the firewall.
The default firewall allows access to (all) router services from LAN. If the firewall is not at default (or your device is one of those coming without default config), then … yup, make sure the service is only accessible from where you absolutely need it.
Another thing is sending passwords across the network in plaintext. If your API service doesn’t use SSL for encryption of communications, then the password is visible to any device that might be sniffing the traffic … it seems you’re using www-ssl, so this shouldn’t be an issue.

@mkx – as always, thank you so much!

I ran an open port checker on a couple of sites and 443 remains closed to the outside world.

443 to the MT devices is wide open via Wireguard, as I believe it should be.

I could block 443 input from everywhere except the couple of machines I would want to use this batch file/script.

Agree that’s the best you can do. The password should be encrypted (at least to the key size of the certificate used for it).

But I’d add it’s important to consider that the calling script has the username/password stored in it… so the script file should be secured via an ACL to limit who can view the file.

Now, it would be nice if the REST API supported X.509 client certificates to avoid the need to store the username/password on the calling machine, but it does not today.

If the remote side requires any sort of authentication, then it’s necessary to store something on the local side. If authentication requires a username/password pair, then this pair has to be stored locally (inside a script). If authentication requires an X.509 certificate, then the client certificate has to be stored locally (in the home directory). In both cases it’s up to the local side user (or admin) to protect the authentication secrets as well as possible (e.g. by setting file permissions so that no other ordinary user can read the contents of the file, be it a script with username/password or an X.509 certificate file).

And I don’t see how using X.509 can improve security in this aspect. The only difference is that if using the password as a command line parameter, then other users can find it out. But this one is on the client binary … e.g. one can run curl using --netrc (or --netrc-file) and store username/password in a read-protected file instead. Similarly wget can use a netrc file (even more, it’s default for wget to use the .netrc file if found). The only thing remaining is to ensure that the username/password is not transmitted over the internet unencrypted … using an X.509 certificate does this automatically (certificates are useless without https being used).

@mkx my main point was the password storage is likely a better issue (assuming one is using “www-ssl” and not “www”). The example shows credentials stored inside the script, which I think is bad practice…

For Linux .netrc is good suggestion. But I think OP is using Windows PowerShell, and that does not support .netrc.

Certificates are typically not stored in the home directory, rather in some OS-specific “key store” with additional protections (i.e. even RouterOS protects certs from direct export).

Now, I think the same Windows key store for certs can also store username/password, and those should be readable via PowerShell’s Get-Credential. See https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/get-credential?view=powershell-7.4
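One way to do what the OP wished for (a separate list of router IPs, one invocation per router) while also taking the credential out of the script file as the last two replies suggest, written as an added example that is not the OP's batch file nor the forum's Invoke-mikrotikrestapi.ps1: the credential is entered once via Get-Credential and cached with Export-Clixml, which on Windows encrypts the password with DPAPI bound to the current user and machine, so the cached file is useless if copied elsewhere. The script path, the router list file and the cache file name are assumptions; the -routerip/-user/-password/-executionmode/-data parameters are the ones the OP's batch file uses.

```powershell
# Added example, not code from the thread. Assumes Invoke-mikrotikrestapi.ps1
# (from the linked forum thread) accepts the parameters seen in the OP's batch file.
param(
    [string]$ScriptPath = "$HOME\Downloads\Invoke-mikrotikrestapi.ps1", # assumed location
    [string]$RouterList = "$HOME\routers.txt",                          # assumed: one IP per line
    [string]$CredFile   = "$HOME\mikrotik-cred.xml",                    # assumed cache file
    [string]$Data       = 'export-download'
)

# Ask for the credential once and cache it. Export-Clixml writes the password
# as a DPAPI-protected SecureString tied to this Windows user on this machine,
# which replaces the plaintext -password <password> in the batch file.
if (Test-Path $CredFile) {
    $cred = Import-Clixml -Path $CredFile
} else {
    $cred = Get-Credential -Message 'RouterOS REST API user (www-ssl)'
    $cred | Export-Clixml -Path $CredFile
    # As the replies recommend for any file holding credentials: drop inherited
    # ACEs and leave only the current user with read/write on the cache file.
    icacls $CredFile /inheritance:r /grant:r "$($env:USERNAME):(R,W)" | Out-Null
}

# Router list: one address per line; blank lines and '#' comments are skipped.
$routers = Get-Content -Path $RouterList |
    ForEach-Object { $_.Trim() } |
    Where-Object { $_ -and -not $_.StartsWith('#') }

# The plaintext password exists only in this process's memory, never on disk.
$plain = $cred.GetNetworkCredential().Password

foreach ($ip in $routers) {
    Write-Host "[$ip] running '$Data' over https (www-ssl)"
    try {
        & $ScriptPath -routerip $ip -user $cred.UserName -password $plain `
            -executionmode script -data $Data
    } catch {
        # One unreachable router should not stop the backup run for the rest.
        Write-Warning "[$ip] failed: $($_.Exception.Message)"
    }
}
```

Because the DPAPI cache is bound to the user that created it, the script must run under that same Windows account (e.g. the same account in Task Scheduler), otherwise Import-Clixml cannot decrypt the password.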