airstream
Member Candidate
Topic Author
Posts: 188
Joined: Fri Feb 03, 2006 6:33 am
Location: New Zealand

block default page on MT

Sun Dec 03, 2006 12:43 pm

Hi all, how do we block access to the default page on the MT box without killing access to usermanager (at same address)? If customers drop off the "/userman" they get the default page and the ability to view other customers' PPPoE interfaces.

I really need to make this more secure.
Keep tryin' its bound to work!!
-----
-----
ROOT@COSMOS> Reality.sys corrupted -- Reboot Universe (Y/N)?
>_
 
balimore
Forum Veteran
Posts: 892
Joined: Mon Apr 10, 2006 3:38 am

Re: block default page on MT

Sun Dec 03, 2006 1:09 pm

Hi all, how do we block access to the default page on the MT box without killing access to usermanager (at same address)? If customers drop off the "/userman" they get the default page and the ability to view other customers' PPPoE interfaces.

I really need to make this more secure.
----
yup... :wink:
for temporary, we used userman for manage user and only our admins know and had access it. many arguments why our user can't access our '/userman' or '/user', that's our policy....!!!
again, this opinion for us...

regards
Hasbullah.com
----
 
airstream
Member Candidate
Topic Author
Posts: 188
Joined: Fri Feb 03, 2006 6:33 am
Location: New Zealand

Sun Dec 03, 2006 9:29 pm

Thanks Balimore, I just realised it's not the "/userman" but the "/user" that they need access to for changing their own password, looking at usage etc.

Can the developers put some kind of "switch" to disable the default page at the router's root URL?
Keep tryin' its bound to work!!
-----
-----
ROOT@COSMOS> Reality.sys corrupted -- Reboot Universe (Y/N)?
>_
 
balimore
Forum Veteran
Posts: 892
Joined: Mon Apr 10, 2006 3:38 am

Mon Dec 04, 2006 6:27 am

Thanks Balimore, I just realised it's not the "/userman" but the "/user" that they need access to for changing their own password, looking at usage etc.

Can the developers put some kind of "switch" to disable the default page at the router's root URL?
---
since userman can't customizing, we never try to user tought the '/useman' or '/user'.
i don't know, when 'userman' will have customize.... !!! :wink:

*) about default page: i used apache [local webserver]

regards
Hasbullah.com
---
 
Giepie
Member
Posts: 431
Joined: Mon Sep 13, 2004 12:33 pm
Location: Western Cape, South Africa

Sat Jan 06, 2007 12:32 am

I hope this is the right feed for this post.

At all the hotspots using UM I've set up, I add a static DNS entry (something like hotspot.clientname.com) which points to the MT. So I tell the client to log on to UM admin using http://hotspot.clientname.com/userman

Clients always forget about the /userman. Any ideas on how to fix this? Perhaps somehow "adding a switch" (as airstream mentioned) to enable Winbox/ROS Default Page only on certain interfaces and userman as default on other interfaces. Or perhaps do it IP based.

I think this is a relatively important thing for many/most clients.

Re, G
 
pjulian
Member Candidate
Posts: 267
Joined: Mon May 31, 2004 12:16 pm
Location: Sydney, Australia

Sun Jan 14, 2007 2:46 pm

You know how you could handle this is to perhaps set up a DNS record in the router of whatever, say, user.customer.com and point that to an IP address of a web server somewhere in your network. Set the default page on the webserver to do a redirect to the correct usermanager page and you're sorted.

Hope that helps.

Regards
Paul
 
airstream
Member Candidate
Topic Author
Posts: 188
Joined: Fri Feb 03, 2006 6:33 am
Location: New Zealand

Tue Jan 16, 2007 12:50 am

Hi all, are there any plans to take this security hole seriously? By saying "hole" I don't think it's anything that can be remotely compromised, but customers that hit the root page have the ability to look at other people's PPPoE interfaces. This is a privacy issue right there, especially as in my country we have specific laws that deal with this.

Essentially, viewing other people's records (albeit just interface values) needs to be blocked either by interface or IP, or better, turned off.

Can the developers shed any light?

Cheers
Keep tryin' its bound to work!!
-----
-----
ROOT@COSMOS> Reality.sys corrupted -- Reboot Universe (Y/N)?
>_
 
sergejs
MikroTik Support
Posts: 6621
Joined: Thu Mar 31, 2005 3:33 pm
Location: Riga, Latvia

Tue Jan 16, 2007 8:14 am

If you are talking about 'graphs' available at the RouterOS webpage: to restrict access per address, specify 'allow-address'. 'allow-address' is available at each graph.
 
balimore
Forum Veteran
Posts: 892
Joined: Mon Apr 10, 2006 3:38 am

Tue Jan 16, 2007 12:38 pm

If you are talking about 'graphs' available at the RouterOS webpage: to restrict access per address, specify 'allow-address'. 'allow-address' is available at each graph.
----
Hi, Best Friend
no, i think we are talking about default page.....[root page]
do you have solution about that..?
please, your suggestion...

regards
Hasbullah.com
---
 
airstream
Member Candidate
Topic Author
Posts: 188
Joined: Fri Feb 03, 2006 6:33 am
Location: New Zealand

Wed Jan 17, 2007 12:26 am

Yes indeed, as Balimore indicated, we want to "turn off" MikroTik's default root page.

Cheers
Keep tryin' its bound to work!!
-----
-----
ROOT@COSMOS> Reality.sys corrupted -- Reboot Universe (Y/N)?
>_
 
pjulian
Member Candidate
Posts: 267
Joined: Mon May 31, 2004 12:16 pm
Location: Sydney, Australia

Fri Jan 26, 2007 1:29 pm

Why not change the default www port on the router to something else, then tell the user to go to some webpage on your website or something with a link to the router http://routername:port_number_you_changed_www_to/user.
This is how we get around the problem, it also removes an open port 80 on your router which people always try once they know the address range they are on.

We never ever leave port 80 open !

Regards
Paul
 
balimore
Forum Veteran
Posts: 892
Joined: Mon Apr 10, 2006 3:38 am

Fri Jan 26, 2007 2:22 pm

Why not change the default www port on the router to something else, then tell the user to go to some webpage on your website or something with a link to the router http://routername:port_number_you_changed_www_to/user.
This is how we get around the problem, it also removes an open port 80 on your router which people always try once they know the address range they are on.

We never ever leave port 80 open !

Regards
Paul
---
yes, i know
last 4 months ago i did try like yours, but i think 10% point solution.
so, sorry we talking about [how to kill default page]

regards
Hasbullah.com
---
 
sergejs
MikroTik Support
Posts: 6621
Joined: Thu Mar 31, 2005 3:33 pm
Location: Riga, Latvia

Fri Jan 26, 2007 2:33 pm

I do not see any other opportunity to view information about PPPoE than as graphs; graph access is limited using the above-mentioned options.
Access for a simple HotSpot (User Manager) user, and even for a User Manager subscriber, is not possible to Winbox, Telnet, Webbox.

What is the problem with the default page displaying?
 
airstream
Member Candidate
Topic Author
Posts: 188
Joined: Fri Feb 03, 2006 6:33 am
Location: New Zealand

Fri Jan 26, 2007 9:37 pm

Hi all,

Let's make it simple. I and others want a feature to restrict the MikroTik default web page (change it, turn it off - MORE CONTROL OF THIS COMPONENT), for many reasons, some of which are listed in this thread.

Debating what can be accessed etc from the default page is irrelevant. Workarounds are not the solution we are seeking, and I have made clear the feature we desperately require.

Are the developers reading this?
Keep tryin' its bound to work!!
-----
-----
ROOT@COSMOS> Reality.sys corrupted -- Reboot Universe (Y/N)?
>_
 
airstream
Member Candidate
Topic Author
Posts: 188
Joined: Fri Feb 03, 2006 6:33 am
Location: New Zealand

Re: block default page on MT

Mon Jan 21, 2008 3:56 am

*BUMP*
Still seeking some solution to this, is there any way to disable the default page on MT?
Keep tryin' its bound to work!!
-----
-----
ROOT@COSMOS> Reality.sys corrupted -- Reboot Universe (Y/N)?
>_
 
tgrand
Long time Member
Posts: 671
Joined: Mon Aug 21, 2006 2:57 am
Location: Winnipeg, Manitoba, Canada

Re: block default page on MT

Fri Jan 25, 2008 1:10 am

goto ip services
disable www
 
airstream
Member Candidate
Topic Author
Posts: 188
Joined: Fri Feb 03, 2006 6:33 am
Location: New Zealand

Re: block default page on MT

Fri Jan 25, 2008 4:49 am

If I disable the WWW service, there is no access to usermanager.
Keep tryin' its bound to work!!
-----
-----
ROOT@COSMOS> Reality.sys corrupted -- Reboot Universe (Y/N)?
>_
 
tgrand
Long time Member
Posts: 671
Joined: Mon Aug 21, 2006 2:57 am
Location: Winnipeg, Manitoba, Canada

Re: block default page on MT

Sun Jan 27, 2008 6:23 am

Change the User manager port to 81.
Create a firewall rule to redirect http traffic destined for the router to port 81.
 
airstream
Member Candidate
Topic Author
Posts: 188
Joined: Fri Feb 03, 2006 6:33 am
Location: New Zealand

Re: block default page on MT

Sun Jan 27, 2008 10:58 am

Thanks for the tip, I can create the firewall rule to do that easily enough, but could you possibly direct me to the command to change the port the Usermanager web interface listens on?

Cheers
Keep tryin' its bound to work!!
-----
-----
ROOT@COSMOS> Reality.sys corrupted -- Reboot Universe (Y/N)?
>_
 
airstream
Member Candidate
Topic Author
Posts: 188
Joined: Fri Feb 03, 2006 6:33 am
Location: New Zealand

Re: block default page on MT

Sun May 25, 2008 11:25 pm

We have a 99% workaround. It requires web proxy package. Redirect all inward port 80 requests to proxy with firewall. Create access rules for deny all and one allow rule with IP of MT and "/um*" as the action.

After this, the root page is blocked by proxy and /um* works for the usermanager features.
Keep tryin' its bound to work!!
-----
-----
ROOT@COSMOS> Reality.sys corrupted -- Reboot Universe (Y/N)?
>_
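
A model of the proxy allow-list described in the last post, added here as an example; it is not part of the thread and is not RouterOS configuration. It assumes first-match rule order and shell-style globs, and the address 192.0.2.1 and the sample paths are constructed.

```python
import posixpath
from fnmatch import fnmatchcase
from urllib.parse import unquote

ROUTER_IP = "192.0.2.1"  # constructed; stands in for the "IP of MT"

# Ordered access list, first match wins: one allow rule for the router
# address with path "/um*", then the catch-all deny from the post.
RULES = [
    {"dst": ROUTER_IP, "path": "/um*", "action": "allow"},
    {"dst": "*", "path": "*", "action": "deny"},
]

def normalize(raw_path):
    """Reduce a request target to the path the web server would serve.

    Drops query and fragment, decodes percent-escapes once, and collapses
    repeated slashes and dot segments, so the allow rule is evaluated on
    the same path that is finally requested from the router.
    """
    path = raw_path.split("?", 1)[0].split("#", 1)[0]
    path = "/" + unquote(path).lstrip("/")
    return posixpath.normpath(path)

def decide(dst, raw_path):
    """Return "allow" or "deny" for a request to dst with the given path."""
    path = normalize(raw_path)
    for rule in RULES:
        if fnmatchcase(dst, rule["dst"]) and fnmatchcase(path, rule["path"]):
            return rule["action"]
    return "deny"  # default deny if the list has no catch-all

# Constructed sample requests: (destination address, request path)
SAMPLES = [
    (ROUTER_IP, "/um/"),             # User Manager resource
    (ROUTER_IP, "/"),                # router root (default) page
    (ROUTER_IP, "/graphs/"),         # anything else on the router
    (ROUTER_IP, "/um/../graphs/"),   # normalizes to /graphs
    ("198.51.100.7", "/um/"),        # same path, different destination
]

def audit():
    """Decision for each sample, in order."""
    return [(dst, path, decide(dst, path)) for dst, path in SAMPLES]

if __name__ == "__main__":
    for dst, path, action in audit():
        print(f"{action:5}  {dst:13} {path}")
```
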
