Am I protected with this settings?

Posted: Sat Jul 04, 2020 12:27 pm
by Max2
I have a small Mikrotik router for home use and I am wondering if I need to do other settings in order to be protected from router hacking.

Are these settings enough to protect me from WAN attacks on the router?
[screenshot attachment: Capture999.PNG]
Before restarting the router, I had around 6000 login attempts (winbox/ssh/http/etc. ports) in just 2 weeks of uptime:
[screenshot attachment: Capture98.PNG]

Re: Am I protected with this settings?

Posted: Sat Jul 04, 2020 12:34 pm
by Pea
NO!
Show your firewall setup first.

And follow these instructions:
https://wiki.mikrotik.com/wiki/Manual:S ... our_Router

Re: Am I protected with this settings?

Posted: Sat Jul 04, 2020 12:37 pm
by Max2
NO!
Show your firewall setup first.

And follow these instructions:
https://wiki.mikrotik.com/wiki/Manual:S ... our_Router
Pea, how do I show my firewall setup?

Re: Am I protected with this settings?

Posted: Sat Jul 04, 2020 12:43 pm
by nichky
/ip firewall filter export

Re: Am I protected with this settings?

Posted: Sat Jul 04, 2020 1:09 pm
by jvanhambelgium
NO!
Show your firewall setup first.

And follow these instructions:
https://wiki.mikrotik.com/wiki/Manual:S ... our_Router
I do not agree with you.
All services are disabled, the Winbox is running but protected with ACL 10/8
To protect THE ROUTER, this is already pretty good. Even if you do not have any specific added firewall rules, the Mikrotik SHOULD NOT allow anyone to connect on the Winbox service port if not coming from 10.0.0.0/8 and all other services are simply not running.

Extra tips:
1) do not use default "login" like admin but create a complex username for this, and disable "admin"
2) Think about running Winbox on a different port and not the default.

Re: Am I protected with this settings?

Posted: Sat Jul 04, 2020 2:25 pm
by Pea
Sorry, but a router WAN port fully open to the internet without firewall filtering is naive and seriously wrong. Even MikroTik strongly suggests keeping at least the default firewall on. Disabled or limited services are fine until a new exploit comes...

Re: Am I protected with this settings?

Posted: Sat Jul 04, 2020 3:56 pm
by anav
The default settings that come with the firmware are safe to use out of the box.
DO NOT tinker with this until you know what you are doing - and avoid YouTube recommendations - the forum is safer.
This is the recommended starting point.
Nothing wrong with turning off all services not required and leaving winbox up and running.
I would change the winbox port to a different port however, and don't tell us what it is.
Make sure you add a new admin user name and then remove the old admin user name.
Make sure you have a decent strong password.

If you want to show us your config, you go to winbox and select terminal,
then type in
/export hide-sensitive file=anynameyouwish

This will cause the config to be shown in winbox under files.
Right click this file and download to your desktop.
Open the file in Notepad++.
Review and remove if by chance your WAN IP is displayed, or winbox port number etc.

Then copy and paste into the thread.
Best if you then select the text and apply the code tags above (to the right of Bold and Italic - black square with white square brackets).

Re: Am I protected with this settings?

Posted: Sat Jul 04, 2020 5:18 pm
by Max2
Guys, these are my firewall rules:
/ip firewall filter
add action=drop chain=forward disabled=yes dst-address=10.223.45.0/26 src-address=10.223.44.0/29
add action=drop chain=forward disabled=yes src-address=10.223.44.5
add action=drop chain=forward disabled=yes dst-address=10.223.44.0/29 src-address=10.223.45.0/26
add action=drop chain=forward disabled=yes dst-address=10.223.44.5
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="Port scanners to list " protocol=tcp psd=\
    21,3s,3,1
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="NMAP FIN Stealth scan" protocol=tcp tcp-flags=\
    fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="SYN/FIN scan" protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="SYN/RST scan" protocol=tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="FIN/PSH/URG scan" protocol=tcp tcp-flags=\
    fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="ALL/ALL scan" protocol=tcp tcp-flags=\
    fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="NMAP NULL scan" protocol=tcp tcp-flags=\
    !fin,!syn,!rst,!psh,!ack,!urg
add action=drop chain=input comment="dropping port scanners" src-address-list="port scanners"
add action=add-src-to-address-list address-list="ping checkers" address-list-timeout=2w chain=input comment="Ping checkers" icmp-options=8:0-255 protocol=\
    icmp
add action=drop chain=input comment="dropping Ping checkers" icmp-options=0:0-255 protocol=icmp src-address-list="ping checkers"
add action=add-src-to-address-list address-list=winbox_login_attempt address-list-timeout=none-dynamic chain=input dst-port=8291 in-interface=pppoe-out1 \
    protocol=tcp
add action=add-src-to-address-list address-list=ssh_attempt address-list-timeout=none-dynamic chain=input dst-port=60001 in-interface=pppoe-out1 protocol=tcp
add action=add-src-to-address-list address-list=http_attempt address-list-timeout=none-dynamic chain=input dst-port=80 in-interface=pppoe-out1 protocol=tcp
add action=add-src-to-address-list address-list=https_attempt address-list-timeout=none-dynamic chain=input dst-port=443 in-interface=pppoe-out1 protocol=tcp

Re: Am I protected with this settings?

Posted: Sat Jul 04, 2020 5:34 pm
by Max2
@anav, this would be my configuration, I've deleted every line that had disabled=yes, because there were some past queue prioritization attempts of mine that I disabled after some time.

Can you spot anything sketchy? Or things that I should have configured/enabled?
I am by no means advanced in networking, barely a beginner.
/export hide-sensitive
# jul/04/2020 17:20:08 by RouterOS 6.47
# software id = VWEW-Z7AR
#
# model = 450G
# serial number = 
/interface bridge
add fast-forward=no name=bridge1
/interface ethernet
set [ find default-name=ether4 ] speed=100Mbps
set [ find default-name=ether5 ] speed=100Mbps
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 max-mru=1492 max-mtu=1492 name=pppoe-out1 use-peer-dns=yes user=...
/interface list
add exclude=dynamic name=discover
/interface wireless security-profiles
set [ find default=yes ] group-ciphers="" supplicant-identity=MikroTik unicast-ciphers=""
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=3des
/ip pool
add name=dhcp_pool1 ranges=10.223.44.2-10.223.44.254
add name=dhcp_pool2 ranges=10.223.45.2-10.223.45.6
add name=openvpnpool1 ranges=172.25.10.1-172.25.10.2
/ip dhcp-server
add address-pool=dhcp_pool1 authoritative=after-2sec-delay disabled=no interface=ether2 lease-time=3d name=dhcp1
add address-pool=dhcp_pool2 authoritative=after-2sec-delay disabled=no interface=ether3 lease-time=3d name=dhcp2
/ppp profile
add local-address=dhcp_pool1 name=openvpnprofile remote-address=dhcp_pool1
/queue simple
/queue type
set 1 pfifo-limit=1000
/queue interface
set ether1 queue=ethernet-default
set ether2 queue=ethernet-default
set ether3 queue=ethernet-default
set ether4 queue=ethernet-default
set ether5 queue=ethernet-default
/queue simple
/queue tree
/routing bgp instance
/snmp community
set [ find default=yes ] addresses=0.0.0.0/0
/system logging action
set 0 memory-lines=100
set 1 disk-lines-per-file=500
/tool user-manager customer
set admin access=own-routers,own-users,own-profiles,own-limits,config-payment-gw
/ip firewall connection tracking
set tcp-syn-received-timeout=1m tcp-syn-sent-timeout=1m
/ip neighbor discovery-settings
set discover-interface-list=discover
/interface list member
add interface=ether1 list=discover
add interface=ether2 list=discover
add interface=ether3 list=discover
add interface=ether4 list=discover
add interface=ether5 list=discover
add interface=bridge1 list=discover
/interface ovpn-server server
set auth=sha1 certificate=server cipher=aes256 default-profile=openvpnprofile enabled=yes port=... require-client-certificate=yes
/interface sstp-server server
set authentication=mschap2 certificate=server default-profile=default-encryption
/ip address
add address=10.223.44.1/24 interface=ether2 network=10.223.44.0
add address=10.223.45.1/26 interface=ether3 network=10.223.45.0
/ip dhcp-server lease
add address=10.223.44.2 mac-address=...
add address=10.223.44.5 lease-time=4d3h mac-address=...
/ip dhcp-server network
add address=10.223.44.0/24 gateway=10.223.44.1
add address=10.223.45.0/26 gateway=10.223.45.1
/ip dns
set max-udp-packet-size=512 servers=1.1.1.1,1.0.0.1
/ip firewall address-list
/ip firewall filter
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="Port scanners to list " protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="NMAP FIN Stealth scan" protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="SYN/FIN scan" protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="SYN/RST scan" protocol=tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="FIN/PSH/URG scan" protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="ALL/ALL scan" protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="NMAP NULL scan" protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=drop chain=input comment="dropping port scanners" src-address-list="port scanners"
add action=add-src-to-address-list address-list="ping checkers" address-list-timeout=2w chain=input comment="Ping checkers" icmp-options=8:0-255 protocol=icmp
add action=drop chain=input comment="dropping Ping checkers" icmp-options=0:0-255 protocol=icmp src-address-list="ping checkers"
add action=add-src-to-address-list address-list=winbox_login_attempt address-list-timeout=none-dynamic chain=input dst-port=8291 in-interface=pppoe-out1 protocol=tcp
add action=add-src-to-address-list address-list=ssh_attempt address-list-timeout=none-dynamic chain=input dst-port=60001 in-interface=pppoe-out1 protocol=tcp
add action=add-src-to-address-list address-list=http_attempt address-list-timeout=none-dynamic chain=input dst-port=80 in-interface=pppoe-out1 protocol=tcp
add action=add-src-to-address-list address-list=https_attempt address-list-timeout=none-dynamic chain=input dst-port=443 in-interface=pppoe-out1 protocol=tcp
/ip firewall mangle
/ip firewall nat
add action=masquerade chain=srcnat src-address=10.223.44.0/24 to-addresses=0.0.0.0
add action=masquerade chain=srcnat src-address=10.223.45.0/26
/ip firewall service-port
/ip proxy
set cache-path=web-proxy1
/ip route
add distance=1 gateway=pppoe-out1
/ip service
set winbox address=10.0.0.0/8
/ip ssh
set allow-none-crypto=yes always-allow-password-login=yes forwarding-enabled=both
/ipv6 nd
set [ find default=yes ] advertise-dns=no
/ppp secret
/system clock
set time-zone-autodetect=no time-zone-name=Europe/...
/system identity
set name=Nord
/system lcd
set contrast=0 enabled=no port=parallel type=24x4
/system lcd page
/system logging
set 1 action=disk
set 3 action=disk
add topics=info
add topics=pppoe
/system ntp client
set enabled=yes primary-ntp=... secondary-ntp=...
/system scheduler
/system script
/tool bandwidth-server
set enabled=no
/tool sniffer
set file-limit=10KiB filter-interface=ether1 filter-ip-address=0.0.0.0/32 filter-stream=yes memory-limit=10KiB memory-scroll=no
/tool traffic-monitor
/tool user-manager database
set db-path=web-proxy1

Re: Am I protected with this settings?

Posted: Sat Jul 04, 2020 5:44 pm
by Max2
5.5 hours later. 55 attempts to check/try to do something:
[screenshot attachment: Capture1.PNG]

Re: Am I protected with this settings?

Posted: Sat Jul 04, 2020 5:45 pm
by Pea
Congratulations, you have no firewall :)
Who did this?
Seeing the rest, I recommend to start again with the default as proposed by anav. Then study documentation or ask here or follow the wiki advice (see second post).

Re: Am I protected with this settings?

Posted: Sat Jul 04, 2020 5:50 pm
by Max2
How do I enable the firewall? By adding the rules stated here? https://wiki.mikrotik.com/wiki/Manual:S ... r#Firewall

/ip firewall filter
add action=accept chain=input comment="default configuration" connection-state=established,related
add action=accept chain=input src-address-list=allowed_to_router
add action=accept chain=input protocol=icmp
add action=drop chain=input
/ip firewall address-list
add address=192.168.88.2-192.168.88.254 list=allowed_to_router

/ip firewall filter
add action=fasttrack-connection chain=forward comment=FastTrack connection-state=established,related
add action=accept chain=forward comment="Established, Related"  connection-state=established,related
add action=drop chain=forward comment="Drop invalid" connection-state=invalid log=yes log-prefix=invalid
add action=drop chain=forward comment="Drop tries to reach not public addresses from LAN" dst-address-list=not_in_internet in-interface=bridge1 log=yes log-prefix=!public_from_LAN out-interface=!bridge1
add action=drop chain=forward comment="Drop incoming packets that are not NATted" connection-nat-state=!dstnat connection-state=new in-interface=ether1 log=yes log-prefix=!NAT
add action=drop chain=forward comment="Drop incoming from internet which is not public IP" in-interface=ether1 log=yes log-prefix=!public src-address-list=not_in_internet
add action=drop chain=forward comment="Drop packets from LAN that do not have LAN IP" in-interface=bridge1 log=yes log-prefix=LAN_!LAN src-address=!192.168.88.0/24

/ip firewall address-list
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=not_in_internet

Re: Am I protected with this settings?

Posted: Sat Jul 04, 2020 6:50 pm
by anav
My advice was to reset to defaults and start from there.
Dare I repeat myself. :-)

I will go further: as was pointed out, you have very little protection on your router.
Therefore I would go on the premise that it's been compromised.
In fact you should pull the plug on the router ASAP, but first:

What you need to do is download NETINSTALL and choose 6.45.9 as it's a decent, stable, recent version.
Also download the corresponding version of 6.45.9 (the one for your router type: ARM, tile, MIPSBE etc.)

Then follow the instructions here... (copy a version to your desktop)
https://help.mikrotik.com/docs/display/ROS/Netinstall

Then you will have a clean router with default firewall rules.
Then you can change the user from admin, strong password, change winbox port etc.

Re: Am I protected with this settings?

Posted: Sat Jul 04, 2020 9:48 pm
by Max2
I want to add the rules without resetting it. Where can I find the rules?

How can I check if it was ever compromised? Is Mikrotik that lousy? The password is like 20-30 characters long.

How can you bet on it being compromised if you don't see anything suspicious in the config? There are no suspicious files stored on it, either.

Now I'm scared. It has been running for 10 years on this configuration.

I want to understand how my config made my router vulnerable. Can you give an example?

Re: Am I protected with this settings?

Posted: Sat Jul 04, 2020 10:01 pm
by anav
Instead of panicking, just follow the plain advice to ensure your router is set up properly with a clean config.
To get the default rules simply reset the router to defaults and they will magically appear.
Then add in your old config bits for setup, but not touching the firewall rules.

However, since it appears you have no input rules to protect the router itself, it is advisable to 'wipe' the router to a clean state,
hence the recommendation for netinstall.

Take the advice or leave it, peace out.

Re: Am I protected with this settings?

Posted: Sat Jul 04, 2020 10:03 pm
by Max2
Can you give some examples for input rules that protect the router itself?
I just want to understand the situation.

Re: Am I protected with this settings?

Posted: Sat Jul 04, 2020 10:14 pm
by sutrus
Take a look at the factory default configuration:
/system default-configuration print

Re: Am I protected with this settings?

Posted: Sat Jul 04, 2020 10:18 pm
by Max2
Can you explain to me with an example how I destroyed my security with my configuration?

Re: Am I protected with this settings?

Posted: Sat Jul 04, 2020 10:40 pm
by jvanhambelgium
I want to understand how my config made my router vulnerable. Can you give an example?
Certain RouterOS versions really had some flaws in them, in the sense that IF you ever exposed the management interfaces externally (e.g. http/https) your device could be hacked! No login needed ;-)
I was under the impression that you had a "default" config (with enabled/active firewall rules), hence my remark that what you did extra was pretty OK.

Re: Am I protected with this settings?

Posted: Sat Jul 04, 2020 10:41 pm
by Max2
anav, you scared me so much that I've just reset the router, reinstalled RouterOS 6.45 using netinstall and I've connected to its default IP/credentials.
I went straight to the Firewall window in Winbox, and I find it empty.
Why?

jvanhambelgium, they are talking about some default configuration for the firewall rules that I was somehow missing and that could have had some bad consequences. So I reset and reinstalled RouterOS, and I see no default firewall config to exist.

Where is the mistake?

Re: Am I protected with this settings?

Posted: Sat Jul 04, 2020 10:48 pm
by jvanhambelgium
How do I enable the firewall? By adding the rules stated here? https://wiki.mikrotik.com/wiki/Manual:S ... r#Firewall

/ip firewall filter
add action=accept chain=input comment="default configuration" connection-state=established,related
add action=accept chain=input src-address-list=allowed_to_router
add action=accept chain=input protocol=icmp
add action=drop chain=input
/ip firewall address-list
add address=192.168.88.2-192.168.88.254 list=allowed_to_router

/ip firewall filter
add action=fasttrack-connection chain=forward comment=FastTrack connection-state=established,related
add action=accept chain=forward comment="Established, Related"  connection-state=established,related
add action=drop chain=forward comment="Drop invalid" connection-state=invalid log=yes log-prefix=invalid
add action=drop chain=forward comment="Drop tries to reach not public addresses from LAN" dst-address-list=not_in_internet in-interface=bridge1 log=yes log-prefix=!public_from_LAN out-interface=!bridge1
add action=drop chain=forward comment="Drop incoming packets that are not NATted" connection-nat-state=!dstnat connection-state=new in-interface=ether1 log=yes log-prefix=!NAT
add action=drop chain=forward comment="Drop incoming from internet which is not public IP" in-interface=ether1 log=yes log-prefix=!public src-address-list=not_in_internet
add action=drop chain=forward comment="Drop packets from LAN that do not have LAN IP" in-interface=bridge1 log=yes log-prefix=LAN_!LAN src-address=!192.168.88.0/24

/ip firewall address-list
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=not_in_internet
These rules are indeed a good start. At least for the INPUT chain (= traffic targeted at the MikroTik itself) you clearly now have a DROP at the end of the chain, which your config did not have!
For the FORWARD chain (= traffic through the MikroTik to/from internal hosts) you can use these rules to start with, yes.
Of course you need to adapt slightly to match your internal IP range (e.g. "allowed-to-router" here in this example is 192.168.88.x space while you seem to use 10.0.0.0/8).

Re: Am I protected with this settings?

Posted: Sat Jul 04, 2020 10:53 pm
by Max2
What can happen if I don't have a DROP?

I have a feeling that I've formatted this router for no good reason, and everything that was missing could have been added manually over the existing config:
1) there are no predefined firewall rules with default configuration
2) I don't remember deleting any rule, even if it was 8-10 years ago.

Re: Am I protected with this settings?

Posted: Sat Jul 04, 2020 11:30 pm
by anav
Hi Max,
Congrats, you now have a new clean config to work from and don't have to worry.
However, having no default firewall files means one of two things:
the install didn't go as it should or, more likely,
you do not have a home router, you have one of MT's higher end business class models that expects the admin to configure them totally.

Since you didn't communicate which model of router you have, now might be the time LOL.

The list that our Belgium friend posted is not exactly the default set that now comes with the home routers.
This is what it should look like:
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
You will note there is no drop all rule at the end of either the forward chain or the input chain, and that is because employing such a rule takes some knowledge to apply properly.
For instance, if you put that on your input chain as it's currently configured, you would lock yourself out of the router too.
For instance, if you put that on your forward chain, you would lose access to the internet.

The drop all concept demands that you identify all needed traffic flow, because the drop all rule will then drop all other traffic you have not specifically allowed.
Most of us prefer that approach.

So, in the input chain you should put something like this:
add action=accept chain=input comment="Allow ADMIN to Router" \
src-address-list=adminaccess
(This allows any IP in the admin access firewall address list to config the router, be it your desktop, laptop, tablet or iPhone, for example.)

add action=accept chain=input comment="Allow LAN DNS queries - TCP" \
connection-state=new dst-port=53 in-interface-list=LAN protocol=tcp
add action=accept chain=input comment="Allow LAN DNS queries-UDP" \
connection-state=new dst-port=53 in-interface-list=LAN protocol=udp
(These rules demonstrate that we want to allow some access to the router services to those on the LAN, which you probably didn't know was happening automatically; the default rules allow this, which is fine, but from a security standpoint most prefer to allow those on the LAN access to the router ONLY for the services required.)

You see, this default rule on the input chain does two things. It stops those from the WAN accessing the router and at the same time allows everyone on the LAN to access the router.
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN

We replace this with specific rules for what we actually want to allow:
(1) the admin access to the router
(2) LAN user access to the DNS services of the router.

Finally, once those are in place, we can put in the drop all else rule as the LAST rule in the input chain, which effectively blocks not only WAN traffic to the router but any other LAN traffic we didn't specifically authorize.

Similarly we can look at the forward chain.
What traffic do we want to forward? Well, the most obvious is LAN to WAN traffic.
So we need to tell the router to allow such traffic. In its simplest form:
add action=accept chain=forward comment="Lan 2 Wan traffic " \
in-interface-list=LAN out-interface-list=WAN
Then after this we can put the last rule of dropping all other traffic and lan to wan traffic will not be affected.

You will note that there is a default rule in the forward chain, as in the input chain, that is affected by the drop rule and needs some modification.
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN

You can see that with a drop rule at the end, WAN to LAN traffic is going to be dropped anyway, and the rule above states: drop all coming from the WAN except if it is heading for a port number on the LAN that we have identified is going to a server (has a dst-nat rule already in place). We now know that if we put a drop all else rule at the end of the forward chain, all that WAN to LAN traffic will be blocked anyway, and thus maybe we don't need the port forwarding aspect of that rule.

If we did, we can modify/replace this complex-looking rule with a clearer, simpler version: specifically allow dst-nat traffic (port forwarding).
add action=accept chain=forward comment=\
"Allow Port Forwarding" connection-nat-state=dstnat \
connection-state=new in-interface-list=WAN

The nice thing here, as stated, is that if you have no intention of doing any port forwarding then you can simply remove the default rule, not put in this new rule (not needed), and you have blocking WAN to LAN covered by the last rule, DROP ALL.
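A first-match chain simulator, added here to illustrate the ordering logic in anav's post above; it is not RouterOS code and not part of the original thread. It replays the stock defconf input chain and anav's admin/DNS/drop-all variant over constructed packets, including the lockout and the lost-internet cases he warns about. The address list name adminaccess, the sample addresses and the Packet/Rule mini-language are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Packet:
    chain: str                  # "input" = to the router, "forward" = through it
    in_list: str                # interface list it arrived on: "LAN" or "WAN"
    out_list: str = ""          # forward only: interface list it leaves on
    src: str = ""
    protocol: str = ""
    dst_port: int = 0
    connection_state: str = "new"   # new/established/related/untracked/invalid
    connection_nat_state: str = ""  # "dstnat" once a dst-nat rule has matched

@dataclass
class Rule:
    chain: str
    action: str                 # "accept" or "drop"
    comment: str
    match: dict = field(default_factory=dict)   # RouterOS matcher -> value

# Constructed address list: the single workstation allowed to manage the router.
ADDRESS_LISTS = {"adminaccess": {"10.223.44.2"}}

def _matches(rule, pkt):
    # Every matcher must hold; a leading "!" negates it, as in RouterOS.
    for key, want in rule.match.items():
        negate = want.startswith("!")
        want = want.lstrip("!")
        if key == "src-address-list":
            hit = pkt.src in ADDRESS_LISTS.get(want, set())
        elif key in ("connection-state", "connection-nat-state"):
            hit = getattr(pkt, key.replace("-", "_")) in want.split(",")
        elif key == "in-interface-list":
            hit = pkt.in_list == want
        elif key == "out-interface-list":
            hit = pkt.out_list == want
        else:                                   # protocol, dst-port
            hit = str(getattr(pkt, key.replace("-", "_"))) == want
        if hit == negate:
            return False
    return True

def evaluate(rules, pkt):
    # First matching rule in the packet's chain decides; with no match RouterOS accepts.
    for rule in rules:
        if rule.chain == pkt.chain and _matches(rule, pkt):
            return rule.action, rule.comment
    return "accept", "implicit accept: no rule matched"

# The stock "defconf" input chain quoted in the thread.
DEFCONF_INPUT = [
    Rule("input", "accept", "defconf: accept established,related,untracked",
         {"connection-state": "established,related,untracked"}),
    Rule("input", "drop", "defconf: drop invalid", {"connection-state": "invalid"}),
    Rule("input", "accept", "defconf: accept ICMP", {"protocol": "icmp"}),
    Rule("input", "drop", "defconf: drop all not coming from LAN", {"in-interface-list": "!LAN"}),
]
DROP_ALL_INPUT = Rule("input", "drop", "drop all else", {})
# anav's variant: the "!LAN" rule replaced by explicit allows plus a final drop.
STRICT_INPUT = DEFCONF_INPUT[:3] + [
    Rule("input", "accept", "Allow ADMIN to Router", {"src-address-list": "adminaccess"}),
    Rule("input", "accept", "Allow LAN DNS queries - TCP", {"connection-state": "new",
         "dst-port": "53", "in-interface-list": "LAN", "protocol": "tcp"}),
    Rule("input", "accept", "Allow LAN DNS queries-UDP", {"connection-state": "new",
         "dst-port": "53", "in-interface-list": "LAN", "protocol": "udp"}),
    DROP_ALL_INPUT,
]
FORWARD_BASE = [
    Rule("forward", "accept", "defconf: accept established,related, untracked",
         {"connection-state": "established,related,untracked"}),
    Rule("forward", "drop", "defconf: drop invalid", {"connection-state": "invalid"}),
    Rule("forward", "accept", "Allow Port Forwarding", {"connection-nat-state": "dstnat",
         "connection-state": "new", "in-interface-list": "WAN"}),
]
LAN2WAN = Rule("forward", "accept", "Lan 2 Wan traffic", {"in-interface-list": "LAN", "out-interface-list": "WAN"})
DROP_ALL_FORWARD = Rule("forward", "drop", "drop all else", {})

# Constructed sample traffic (203.0.113.9 is a documentation address).
WAN_WINBOX = Packet("input", "WAN", src="203.0.113.9", protocol="tcp", dst_port=8291)
ADMIN_WINBOX = Packet("input", "LAN", src="10.223.44.2", protocol="tcp", dst_port=8291)
LAN_WINBOX = Packet("input", "LAN", src="10.223.44.7", protocol="tcp", dst_port=8291)
LAN_DNS = Packet("input", "LAN", src="10.223.44.7", protocol="udp", dst_port=53)
LAN_BROWSING = Packet("forward", "LAN", out_list="WAN", src="10.223.44.7", protocol="tcp", dst_port=443)

def decisions():
    return {
        "wan_winbox_defconf": evaluate(DEFCONF_INPUT, WAN_WINBOX)[0],
        # defconf lets every LAN host reach Winbox; the strict chain only the admin.
        "lan_winbox_defconf": evaluate(DEFCONF_INPUT, LAN_WINBOX)[0],
        "lan_winbox_strict": evaluate(STRICT_INPUT, LAN_WINBOX)[0],
        "admin_winbox_strict": evaluate(STRICT_INPUT, ADMIN_WINBOX)[0],
        "lan_dns_strict": evaluate(STRICT_INPUT, LAN_DNS)[0],
        # The lockout anav warns about: drop-all appended with no admin allow rule.
        "admin_locked_out": evaluate(DEFCONF_INPUT[:3] + [DROP_ALL_INPUT], ADMIN_WINBOX)[0],
        # Forward chain: drop-all without the LAN->WAN accept cuts off the internet.
        "browsing_no_lan2wan": evaluate(FORWARD_BASE + [DROP_ALL_FORWARD], LAN_BROWSING)[0],
        "browsing_with_lan2wan": evaluate(FORWARD_BASE + [LAN2WAN, DROP_ALL_FORWARD], LAN_BROWSING)[0],
    }
```

Call decisions() to see each scenario's verdict; the order of the lists is the order the router would walk them, so moving a rule changes the result exactly as it would on the box.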

Re: Am I protected with this settings?

Posted: Sat Jul 04, 2020 11:31 pm
by Max2
RB450G

Re: Am I protected with this settings?

Posted: Sat Jul 04, 2020 11:44 pm
by anav
Interesting, that is old. I have the RB450Gx4 and the hEX, and they are both home routers, and all the others I am aware of come with the default configuration including the firewall stated above? Strange.
My CCR1009 came as a blank slate but that's a higher end model.

Well the best thing to do is add the default rules as shown in my previous post and then post here your complete config for viewing and possible tweaks.

/export hide-sensitive file=anynameyouwish

Re: Am I protected with this settings?

Posted: Sun Jul 05, 2020 1:24 am
by Max2
Is it bad if I put them like this?
/ip firewall filter
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="Port scanners to list " protocol=tcp psd=\
    21,3s,3,1
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="NMAP FIN Stealth scan" protocol=tcp tcp-flags=\
    fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="SYN/FIN scan" protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="SYN/RST scan" protocol=tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="FIN/PSH/URG scan" protocol=tcp tcp-flags=\
    fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="ALL/ALL scan" protocol=tcp tcp-flags=\
    fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="NMAP NULL scan" protocol=tcp tcp-flags=\
    !fin,!syn,!rst,!psh,!ack,!urg
add action=drop chain=input comment="dropping port scanners" src-address-list="port scanners"
add action=add-src-to-address-list address-list="ping checkers" address-list-timeout=2w chain=input comment="Ping checkers" icmp-options=8:0-255 protocol=\
    icmp
add action=drop chain=input comment="dropping Ping checkers" icmp-options=0:0-255 protocol=icmp src-address-list="ping checkers"
add action=add-src-to-address-list address-list=winbox_login_attempt address-list-timeout=none-dynamic chain=input dst-port=8291 in-interface=pppoe-out1 \
    protocol=tcp
add action=add-src-to-address-list address-list=ssh_attempt address-list-timeout=none-dynamic chain=input dst-port=60001 in-interface=pppoe-out1 protocol=tcp
add action=add-src-to-address-list address-list=http_attempt address-list-timeout=none-dynamic chain=input dst-port=80 in-interface=pppoe-out1 protocol=tcp
add action=add-src-to-address-list address-list=https_attempt address-list-timeout=none-dynamic chain=input dst-port=443 in-interface=pppoe-out1 protocol=tcp
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid log-prefix=drop_invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN log-prefix=not_lan
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid log-prefix=drop_invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN

Re: Am I protected with this settings?

Posted: Sun Jul 05, 2020 8:53 am
by Max2
Also, I see many packets for the Bittorrent port 6881 in the log file that are dropped, both UDP and TCP. Could the firewall be too restrictive?
I have no port forwarding set up for the Bittorrent port.

Re: Am I protected with this settings?

Posted: Sun Jul 05, 2020 9:00 am
by jvanhambelgium
Also, I see many packets for the Bittorrent port 6881 in the log file that are dropped, both UDP and TCP. Could the firewall be too restrictive?
I have no port forwarding set up for the Bittorrent port.
Do you have UPnP enabled? (you should NOT, btw)
Because then your application might punch holes in the firewall itself, but without UPnP you indeed need to forward ports manually. E.g. in your application you can set a range of ports (e.g. 6800-6900) and then make sure your firewall follows that same principle.

Re: Am I protected with this settings?

Posted: Sun Jul 05, 2020 9:23 am
by Max2
Yes, I see now: UPnP is enabled in the application settings. But I also see that it is not enabled on the router.

Re: Am I protected with this settings?

Posted: Sun Jul 05, 2020 9:52 am
by jvanhambelgium
Yes, I see now: UPnP is enabled in the application settings. But I also see that it is not enabled on the router.
Then disable UPnP in the application, set a range of ports and configure a DNAT (port forwarding) that matches this range.

E.g. in my case, on the INPUT chain:
add action=dst-nat chain=dstnat comment="Torrent DNAT TCP" dst-address-list=WAN_IP dst-port=6800-6900 in-interface="My_ISP" protocol=tcp to-addresses=X.X.X.X (internal IP Torrent)
add action=dst-nat chain=dstnat comment="Torrent DNAT UDP" dst-address-list=WAN_IP dst-port=6800-6900 in-interface="My_ISP" protocol=udp to-addresses=X.X.X.X (internal IP Torrent)


Then also in the FORWARD chain (on its way to the Torrent host):
add action=accept chain=forward comment="INTERNET : Accept any packet with valid DNAT entry" connection-nat-state=dstnat connection-state=established,related,new in-interface="My_ISP"

Seems to work for me.

Re: Am I protected with this settings?

Posted: Tue Jul 07, 2020 3:00 pm
by francolini
To get the default rules simply reset the router to defaults and they will magically appear.
[...]
Having no default firewall files means one of two things.
[...]
you do not have a home router, you have one of the MTs' higher-end business-class models that expects the admin to configure them totally.
Is there a place where the models without default firewall rules are listed? I can imagine the confusion for users if some models come with firewall rules and others don't.
Especially since the wiki also states that the default firewall rules should be kept, and optionally supplemented with some additional hardening.

For models without any default rules, that could leave the system wide open, only protected by the admin password.

Re: Am I protected with this settings?

Posted: Tue Jul 07, 2020 3:55 pm
by anav
Hi francolini, that was what really confused me.
All the home models I am aware of come with default rules enabled. I recently got the CCR1009 which was blank, but I was fully expecting this more business-class device to be fully configured by the admin. The RB450 line-up should have defaults................
Unfortunately I don't have one to test and no one else has piped up in the thread to state how it behaves one way or another, so I am left with uncertainty on the OP's situation: is it a bad upload or just the way it is......... :-(

Re: Am I protected with this settings?

Posted: Sun Aug 02, 2020 3:59 pm
by Tubeorange667
System: hAP ac, RouterOS 6.47.1. I have only added a few rules to the default firewall rules. Do I need to add anything else to make my hAP ac secure?
My configuration is as given below.
# RouterOS 6.47.1
# model = RouterBOARD 962UiGS-5HacT2HnT

/interface bridge
add admin-mac=xxxxxxxx auto-mac=no comment=defconf mtu=1492 name=\
    bridge
/interface ethernet
set [ find default-name=ether1 ] mtu=1492
set [ find default-name=ether2 ] mtu=1492
set [ find default-name=ether3 ] disabled=yes
set [ find default-name=ether4 ] disabled=yes
set [ find default-name=ether5 ] disabled=yes
set [ find default-name=sfp1 ] disabled=yes
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-onlyn channel-width=20/40mhz-eC \
    country=india disabled=no frequency=auto mode=ap-bridge mtu=1492 ssid=\
    Skynet2 wireless-protocol=802.11 wmm-support=enabled wps-mode=disabled
set [ find default-name=wlan2 ] band=5ghz-n/ac channel-width=20/40/80mhz-eeCe \
    country=india disabled=no frequency=auto mode=ap-bridge mtu=1492 ssid=\
    Skynet5 wireless-protocol=802.11 wmm-support=enabled wps-mode=disabled
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk eap-methods="" mode=\
    dynamic-keys supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=dhcp ranges=.............
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=sfp1
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=......... comment=defconf interface=ether2 network=\
    ..................
/ip dhcp-client
add comment=defconf disabled=no interface=ether1 use-peer-dns=no

/ip dns
set allow-remote-requests=yes use-doh-server=\
    https://dns.nextdns.io/xxxxxxx/Mikrotik verify-doh-cert=yes
/ip dns static
add address=45.90.28.0 name=dns.nextdns.io type=A
add address=45.90.30.0 name=dns.nextdns.io type=A
/ip firewall address-list
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=\
    not_in_internet
/ip firewall filter
add action=drop chain=input comment="Drop Dns from Wan" dst-port=53 \
    in-interface=ether1 log=yes protocol=udp
add action=drop chain=input dst-port=53 in-interface=ether1 log=yes protocol=\
    tcp
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=drop chain=input comment="Drop winbox from net" dst-port=xxxx \
    in-interface=ether1 protocol=tcp
add action=drop chain=input dst-port=xxxx in-interface=ether1 protocol=udp
/ip firewall mangle
add action=change-mss chain=forward new-mss=clamp-to-pmtu passthrough=yes \
    protocol=tcp tcp-flags=syn
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat dst-port=53 protocol=tcp to-addresses=\
    192.xxx.xx.xx to-ports=53
add action=dst-nat chain=dstnat dst-port=53 protocol=udp to-addresses=\
    192.xxx.xx.xx to-ports=53
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes port=xxxx
set api disabled=yes
set winbox port=xxxx
set api-ssl disabled=yes
/ip smb
set allow-guests=no
/ip socks
set auth-method=password
/ip ssh
set strong-crypto=yes
/system clock
set time-zone-name=Asia/Kolkata

/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool mac-server ping
set enabled=no

Re: Am I protected with this settings?

Posted: Mon Aug 03, 2020 2:17 pm
by creatin
Disable services you don't need, disable the guest user account (if it exists), rename the default admin account to something else.
Restrict access to your router to the local LAN only; you can narrow it down to a specific address.
Deny access to the UDP and TCP protocols on ports 53, 2000, 80, 443 and 161.

My router is available from outside through a specific service only (random port).
The password is shorter and easier to remember than the username :)
Access is granted from specific IP addresses.
I haven't found any attempt at remote access to the router so far.

Re: Am I protected with this settings?

Posted: Mon Aug 03, 2020 3:49 pm
by karlisi
System: hAP ac, RouterOS 6.47.1. I have only added a few rules to the default firewall rules. Do I need to add anything else to make my hAP ac secure?
My configuration is as given below.
 /ip firewall filter

add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN

add action=drop chain=input comment="Drop winbox from net" dst-port=xxxx \
    in-interface=ether1 protocol=tcp
add action=drop chain=input dst-port=xxxx in-interface=ether1 protocol=udp

The default ruleset is reasonably secure; luckily you haven't destroyed it. The last 2 rules you added in the input chain are not needed, because you already have the default "drop all not coming from LAN" rule before them. For a better understanding of how it works I recommend reading the Mikrotik documentation.
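As an added example (not MikroTik's code and not from any poster here), the Python below replays the first-match evaluation of a RouterOS filter chain over an exported ruleset and reports rules that an earlier terminating rule already covers, which is why the two "Drop winbox from net" rules above can never match. It assumes the interface lists from the export (ether1 in WAN, bridge in LAN), fills the masked winbox port with 8291, and handles only exact-value matchers (no port ranges or address lists).

```python
"""Added example (not MikroTik's code): replay RouterOS first-match filter
evaluation over an `export` and flag rules an earlier terminating rule covers."""
import shlex
# Constructed sample: the posted input chain (masked winbox port assumed 8291).
IFACE_LISTS = {"WAN": {"ether1"}, "LAN": {"bridge"}}
EXPORT = r'''
add action=accept chain=input comment="defconf: accept established,related,untracked" \
    connection-state=established,related,untracked
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=drop chain=input comment="Drop winbox from net" dst-port=8291 in-interface=ether1 protocol=tcp
'''
TERMINAL = {"accept", "drop", "reject", "tarpit"}  # actions that end the chain
NON_MATCHERS = {"action", "comment", "log", "log-prefix"}

def parse_export(text):
    """Join backslash-continued lines, then read each `add` line as key=value."""
    joined = "".join(part.lstrip() for part in text.split("\\\n"))
    return [dict(tok.split("=", 1) for tok in shlex.split(line[4:]))
            for line in joined.splitlines() if line.startswith("add ")]

def in_list(iface, spec):  # spec is a list name, optionally negated: "!LAN"
    return (iface in IFACE_LISTS.get(spec.lstrip("!"), set())) != spec.startswith("!")

def matches(rule, pkt):
    """Every matcher in the rule must hold for the packet."""
    def holds(key, want):
        if key == "in-interface-list":
            return in_list(pkt["in-interface"], want)
        if key == "connection-state":
            return pkt[key] in want.split(",")
        return key in NON_MATCHERS or str(pkt.get(key)) == want
    return all(holds(k, v) for k, v in rule.items())

def first_match(rules, pkt):
    """(index, action) of the first rule that matches; RouterOS accepts if none."""
    return next(((i, r["action"]) for i, r in enumerate(rules) if matches(r, pkt)),
                (None, "accept"))

def implies(earlier, later):
    """True if every packet matching `later` necessarily matches `earlier`."""
    return all(key in NON_MATCHERS or later.get(key) == val
               or (key == "in-interface-list" and "in-interface" in later
                   and in_list(later["in-interface"], val))
               for key, val in earlier.items())

def shadowed_rules(rules):
    """(later, earlier) index pairs where a terminal `earlier` covers `later`."""
    return [(j, i) for j, later in enumerate(rules) for i in range(j)
            if rules[i]["action"] in TERMINAL and implies(rules[i], later)]
```

Run it over your own `/ip firewall filter export` output and any pair it reports is a rule that can be deleted without changing what the router accepts or drops.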