chryoung
just joined
Topic Author
Posts: 11
Joined: Sun Dec 18, 2016 8:31 pm

Remote management of the Mikrotik router.

Mon Dec 19, 2016 12:17 am

What is the safest way to allow for management of my Mikrotik router (which is my WAN router and has a public IP on ether1) remotely? In other words, over the Internet? Thank you.
 
Van9018
Long time Member
Posts: 515
Joined: Mon Jun 16, 2014 6:26 pm
Location: Canada - Abbotsford

Re: Remote management of the Mikrotik router.

Mon Dec 19, 2016 9:18 am

Use non-standard port + Strong Password and username != admin.

Throttle connection attempts. Mikrotik disconnects connection on invalid login, so only allow one connection per 15 seconds.
http://wiki.mikrotik.com/wiki/Bruteforc ... prevention

I use this sneaky trick:
- Server listens on non-standard port.
- To connect, your IP must be on "TEMP_ALLOW" address list.
- To easily add yourself to the TEMP_ALLOW address list, I try and connect to a "trigger" port. This port doesn't connect to anything, but there is a firewall input rule that adds src IP to TEMP_ALLOW for 1 hour.
- However, a port scan by a hacker may inadvertently cause him to be added to the TEMP_ALLOW list. So I create another firewall input rule for ports on either side of the trigger port that will put the src-address on a BANNED list. Only an IP that is NOT in the BANNED list can be added to the TEMP_ALLOW list.
- With this method, only 2 additional rules are required.
 
chryoung
just joined
Topic Author
Posts: 11
Joined: Sun Dec 18, 2016 8:31 pm

Re: Remote management of the Mikrotik router.

Mon Dec 19, 2016 3:39 pm

Thank you. What port does Winbox use to connect and how do I change the listening port on the Mikrotik?

update: I found the IP services list where it shows the ports used by the various services.
Last edited by chryoung on Mon Dec 19, 2016 3:48 pm, edited 1 time in total.
 
erlinden
Member Candidate
Posts: 174
Joined: Wed Jun 12, 2013 1:59 pm

Re: Remote management of the Mikrotik router.

Mon Dec 19, 2016 3:46 pm

I would prefer using VPN over direct connection with port obfuscation.
 
chryoung
just joined
Topic Author
Posts: 11
Joined: Sun Dec 18, 2016 8:31 pm

Re: Remote management of the Mikrotik router.

Mon Dec 19, 2016 3:49 pm

I would prefer using VPN over direct connection with port obfuscation.

The VPN part is understood. Can you go into a little more detail on what you mean by port obfuscation?
 
Van9018
Long time Member
Posts: 515
Joined: Mon Jun 16, 2014 6:26 pm
Location: Canada - Abbotsford

Re: Remote management of the Mikrotik router.

Wed Dec 21, 2016 4:43 am

Port obfuscation just means changing to a different port than default.

Create a new admin and don't use a common admin name for the username, i.e. don't use admin.

Use a strong password. And set your firewall to allow only 1 TCP connection per x amount of seconds. This would slow down the brute force attack. I would think this would be secure enough.

If you use a firewall, don't choose PPTP with MS-CHAPv2 or MS-CHAPv1 as those have known weaknesses. Use SSTP or L2TP.
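The advice in this post and in Van9018's first reply (non-default ports, a named account instead of admin, a strong password, at most one new connection per source every 15 seconds) translates into the RouterOS CLI below. This is an added example, not configuration posted in the thread. Assumptions: the WAN interface is ether1 (as in the original question), Winbox is moved to port 4000 and SSH to 4022, the account name ops-admin, the password placeholder and the address list name mgmt_recent are all made up for the example, and the rules are written for RouterOS 6 syntax.

```routeros
# Added example (not from the thread). RouterOS 6 CLI.
# Assumed: WAN=ether1, Winbox->4000, SSH->4022, account "ops-admin", list "mgmt_recent".

# 1. A full-rights account with a non-obvious name, then the built-in "admin" is disabled.
/user add name=ops-admin group=full password="replace-with-a-long-random-passphrase"
/user disable [find name=admin]

# 2. Services that are not needed on a WAN router are switched off;
#    the ones that stay are moved to non-default ports.
/ip service disable telnet
/ip service disable ftp
/ip service disable www
/ip service disable api
/ip service disable api-ssl
/ip service set winbox port=4000
/ip service set ssh port=4022
/ip ssh set strong-crypto=yes

# 3. Throttle: one new management connection per source address per 15 s.
#    Order matters. Place these after the usual "accept established,related"
#    rule and before the final "drop everything else" rule of the input chain.
/ip firewall filter
add chain=input in-interface=ether1 protocol=tcp dst-port=4000,4022 connection-state=new src-address-list=mgmt_recent action=drop comment="second new connection inside 15s: drop"
add chain=input in-interface=ether1 protocol=tcp dst-port=4000,4022 connection-state=new action=add-src-to-address-list address-list=mgmt_recent address-list-timeout=15s comment="remember the source for 15s (non-terminating)"
add chain=input in-interface=ether1 protocol=tcp dst-port=4000,4022 connection-state=new action=accept comment="first new connection in 15s: accept"
```

add-src-to-address-list does not terminate rule processing, so the first SYN from a fresh source is recorded and then reaches the accept rule; a second SYN from the same source within 15 s is dropped by the first rule. A login failure closes the TCP session, so each password guess costs a new connection and the attacker is held to four guesses a minute per source. The throttle is keyed on the source address, so a distributed guessing campaign is slowed per host, not in total; that is why the password strength and the non-admin username still carry the weight, and why the VPN suggested earlier in the thread is the better front door.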
 
td32
Frequent Visitor
Posts: 92
Joined: Fri Nov 18, 2016 5:55 am

Re: Remote management of the Mikrotik router.

Fri Dec 23, 2016 12:31 am

Use non-standard port + Strong Password and username != admin.

Throttle connection attempts. Mikrotik disconnects connection on invalid login, so only allow one connection per 15 seconds.
http://wiki.mikrotik.com/wiki/Bruteforc ... prevention

I use this sneaky trick:
- Server listens on non-standard port.
- To connect, your IP must be on "TEMP_ALLOW" address list.
- To easily add yourself to the TEMP_ALLOW address list, I try and connect to a "trigger" port. This port doesn't connect to anything, but there is a firewall input rule that adds src IP to TEMP_ALLOW for 1 hour.
- However, a port scan by a hacker may inadvertently cause him to be added to the TEMP_ALLOW list. So I create another firewall input rule for ports on either side of the trigger port that will put the src-address on a BANNED list. Only an IP that is NOT in the BANNED list can be added to the TEMP_ALLOW list.
- With this method, only 2 additional rules are required.

Would you please provide the firewall rules for the TEMP_ALLOW list and BANNED list
Thanks
 
Van9018
Long time Member
Posts: 515
Joined: Mon Jun 16, 2014 6:26 pm
Location: Canada - Abbotsford

Re: Remote management of the Mikrotik router.

Fri Dec 23, 2016 9:27 pm

You need 2 rules in the filter firewall, in the order below.

In this example my RDP port would be 4000. But first a connection attempt must be made to 4001 before I can connect to 4000. A hacker looking for open ports with a port scan would hit 3399 or 4002 before 4000 and 4001. Once banned, hitting the 4001 port won't add you to the temp_allow list.

1. Chain=Input, Protocol=6 (tcp), dst Port=3399,4002, In-Interface=ether1-gateway, Action=add src to address list, Address-List=BANNED
2. Chain=Input, Protocol=6 (tcp), dst Port=4001, In-Interface=ether1-gateway, src-address-list: ! BANNED, Action=add src to address list, Address-list=TEMP_ALLOW, Timeout=1h

Then for my actual port forwarding rule:
1. Chain=dst-nat, Protocol=6 (tcp), dst Port=4000, src-address-list:TEMP_ALLOW, Action=dst-nat, to-address=....

About 10 IPs per week get added to my BANNED list. So I believe that's 10 hackers per week doing a port scan.

For my clients, I try to take the stunnel route to secure RDP since users tend to forget they have to connect the VPN first.
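The three rules Van9018 describes above, written out as RouterOS CLI so they can be pasted and checked. This is an added example, not the configuration from his router: the interface name ether1 comes from the original question, and the internal RDP host 192.168.88.10, the 1-day BANNED timeout and the extra accept/drop rules at the end are assumptions added here so the set works on its own.

```routeros
# Added example (not the poster's own export). RouterOS 6 CLI.
# Assumed: WAN=ether1, trigger port 4001, decoy ports 3399 and 4002,
# forwarded service on 4000, internal RDP host 192.168.88.10 (hypothetical).
# Rule order is the whole point: the decoy rule must sit above the trigger rule.

/ip firewall filter
# Rule 1: a SYN to either decoy port puts the source on BANNED.
# (The original has no timeout on BANNED; 1d is an assumption so the list does not grow forever.)
add chain=input in-interface=ether1 protocol=tcp dst-port=3399,4002 action=add-src-to-address-list address-list=BANNED address-list-timeout=1d comment="decoy ports either side of the trigger"

# Rule 2: a SYN to the trigger port from a source NOT on BANNED opens the door for 1h.
add chain=input in-interface=ether1 protocol=tcp dst-port=4001 src-address-list=!BANNED action=add-src-to-address-list address-list=TEMP_ALLOW address-list-timeout=1h comment="trigger port: adds src to TEMP_ALLOW"

# Neither rule above accepts anything; the knock packets themselves are dropped.
add chain=input in-interface=ether1 protocol=tcp dst-port=3399,4001,4002 action=drop comment="knock/decoy ports never answer"

# Port forward for the real service, only for sources that knocked first.
/ip firewall nat
add chain=dstnat in-interface=ether1 protocol=tcp dst-port=4000 src-address-list=TEMP_ALLOW action=dst-nat to-addresses=192.168.88.10 to-ports=3389 comment="RDP reachable only from TEMP_ALLOW"
```

To knock, any TCP client will do, for example a telnet or nc attempt to port 4001 that simply times out; within the next hour a connection to port 4000 is translated to the RDP host. Two things worth checking on your own box: the dst-nat rule only does the translation, so the forward chain must still allow connections with connection-nat-state=dstnat (the default configuration does), and the decoy rule fires on any SYN with a given source address, handshake or not, so a spoofed packet can put an address on BANNED. Port scanners also do not necessarily walk ports in order (nmap randomizes the order unless told otherwise), so the decoys catch many scanners but not all, which is why the service behind port 4000 still needs its own strong authentication or, as suggested earlier in the thread, a VPN or stunnel in front of it.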
