Fleishmachine
newbie
Topic Author
Posts: 25
Joined: Tue Jul 13, 2021 5:31 pm

RB1100AH - Blocked ports

Tue Jul 13, 2021 5:42 pm

Hi there,

I have blocked the ports on my RB1100AH and... I cannot access my router now. I know, it does sound stupid. I was sure that it would stop access to the router from the WAN (I had many attacks),
but now I cannot access it locally myself either... what can I say, I'm stuck with it.

I have closed those ports:

Ftp (21),
ssh (22),
telnet (23),
(25),
http (80),
snmp (161),
https (8729),
winbox (8291)

with this command

ip firewall filter
add chain=input protocol=tcp dst-port=25 action=drop

Is there a chance to access the router without needing to reset it and restore from backup in this situation?

I will be glad for any help.

Regards,
Fleishmachine
 
andriys
Forum Guru
Posts: 1526
Joined: Thu Nov 24, 2011 1:59 pm
Location: Kharkiv, Ukraine

Re: RB1100AH - Blocked ports

Tue Jul 13, 2021 7:35 pm

Try connecting with WinBox using MAC-address instead of IP. And if that does not work then the only option is serial console, I guess.
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: RB1100AH - Blocked ports  [SOLVED]

Tue Jul 13, 2021 8:03 pm

MAC WinBox and MAC telnet work on UDP 20561; if you have not locked that port, use WinBox or another MikroTik device.
If the RouterBOARD does not appear in the WinBox neighbours list, try opening the 1st MAC address printed on the product label, with the PC's cable plugged into ether1.

What model of RB1100AH?

If it really is that version,
use the serial console on the front panel.

 
Fleishmachine
newbie
Topic Author
Posts: 25
Joined: Tue Jul 13, 2021 5:31 pm

Re: RB1100AH - Blocked ports

Thu Jul 15, 2021 6:35 pm

Hi guys,

You are correct - logging in via MAC instead of IP helped. Thanks a lot for your suggestion!

I will need to find another solution to protect Mikrotik from WAN.

BTW, it is this version - I have never used the serial port as it was not necessary, but I can see that I should get a cable just in case.

Take care,
Fleishmachine
 
anav
Forum Guru
Posts: 19101
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: RB1100AH - Blocked ports

Thu Jul 15, 2021 8:34 pm

Better security can be afforded by a better understanding.

(1) Therefore, via WinBox, go to the IP menu item and select IP SERVICES.
Here you can disable all the services that give users access to the router:
api, api-ssl, ftp, ssh, telnet, www, www-ssl. THE ONLY ONE YOU SHOULD KEEP ACTIVE is winbox.

Its default port is usually 8291, I believe, and that should be changed once you have a stable setup.

(2) Then go to the IP Firewall section and choose SERVICE PORTS on the top bar of the firewall popup.
Here one should disable all services that are not required (from dccp to udplite).
With that you have closed most if not all of the services and ports that do not need to be accessible.


(3) Go to Firewall Rules and make sure that

a. the only access to the INPUT CHAIN is from the trusted network/interface the admin uses, and even better, add a firewall address list to that rule identifying which IPs are allowed to access the router (admin laptop, desktop, ipad, smartphone etc.);
b. other access required by LAN users is allowed, i.e. DNS port 53, NTP etc.;
c. then add a drop rule at the end of the input chain.

d. Access through the Forward chain is adequately handled by the default rules, but that becomes incomplete once one starts making changes to the config: it only blocks WAN-to-LAN traffic.
Conceptually, one should block all unwanted LAN-to-LAN, LAN-to-WAN and WAN-to-LAN traffic.
This is accomplished by a simple drop-all rule at the end of the forward chain.
This means that you will need the following before that last drop-all rule:
- a LAN users to WAN rule for those permitted internet traffic,
- a single generic port-forwarding rule if you plan on having accessible servers (the actual server rules are done in the IP NAT subsection),
- one may need to add rules for shared devices between different subnets etc.

4a. Ensure the trusted interface list that you identified in the input chain for access to the router is the one set in the TOOLS > MAC WINBOX SERVER entry for allowed interfaces!
b. Disable the more generic TOOLS > MAC SERVER: set the allowed interface list to NONE.

5. On System Users, change the default admin ID and password to something unique.

6. In both the user's password settings and the IP Service entry for winbox one can specify the trusted network (as per the input chain rule).

So now you have a layered defense:
unique user password and access limited based upon login ---> User settings
limited access based upon WinBox settings -----> Tools MAC settings and IP Service settings
limited access based upon input chain rules -----> Firewall Rules

All other access avenues (ports, services) are cut off.
WAN to ROUTER and LAN to ROUTER traffic is controlled by the admin.
WAN to LAN, LAN to WAN and LAN to LAN traffic is limited to what is allowed by the OP.
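The steps above, written out as a RouterOS script (an added example, not from anav or the thread; RouterOS 6.41+ syntax). It also shows why the OP's single input drop rule locked him out: the accept rules for trusted admin hosts and LAN services must sit above the drop. The "LAN"/"WAN" interface lists, the "mgmt_hosts" address list, port 18291, the 192.168.88.x addresses and the "netadmin" user are assumed placeholders; adapt them to your own network.

```routeros
# Added example: steps 1-5 of the post above as a RouterOS script.
# All names, addresses and the port below are assumed placeholders.

# (1) IP Services: keep only winbox, move it off 8291 and restrict it to the LAN subnet.
/ip service
disable api,api-ssl,ftp,ssh,telnet,www,www-ssl
set winbox port=18291 address=192.168.88.0/24 disabled=no

# (2) NAT helper service ports this router does not need.
/ip firewall service-port
disable ftp,tftp,irc,h323,sip,pptp,udplite,dccp,sctp

# (3a) Hosts the admin manages from (constructed sample addresses).
/ip firewall address-list
add list=mgmt_hosts address=192.168.88.10 comment="admin laptop"
add list=mgmt_hosts address=192.168.88.11 comment="admin desktop"

# Input chain: accept what is needed first, drop everything else last.
# A bare "chain=input action=drop" with no accept above it is what locked the OP out.
/ip firewall filter
add chain=input action=accept connection-state=established,related
add chain=input action=accept in-interface-list=LAN src-address-list=mgmt_hosts \
    comment="admin access to the router from trusted interface AND trusted hosts"
add chain=input action=accept in-interface-list=LAN protocol=udp dst-port=53,123 \
    comment="DNS and NTP for LAN users"
add chain=input action=accept in-interface-list=LAN protocol=tcp dst-port=53
add chain=input action=drop comment="drop all other traffic to the router"

# (3d) Forward chain: LAN to internet and port-forwarded servers, then drop the rest.
add chain=forward action=accept connection-state=established,related
add chain=forward action=accept in-interface-list=LAN out-interface-list=WAN \
    comment="LAN users to internet"
add chain=forward action=accept in-interface-list=WAN connection-nat-state=dstnat \
    comment="generic rule for port-forwarded servers (dst-nat entries live under /ip firewall nat)"
add chain=forward action=drop comment="drop all other forwarded traffic"

# (4) MAC WinBox only on the trusted interface list; generic MAC telnet server off.
/tool mac-server mac-winbox set allowed-interface-list=LAN
/tool mac-server set allowed-interface-list=none

# (5) Replace the default admin account with a uniquely named one.
/user add name=netadmin group=full password="CHANGE-ME-placeholder"
/user remove admin
```

Apply this from a LAN host that is in mgmt_hosts, and check access with the new user and port before closing the old session; if a rule still locks you out, the MAC WinBox path on the LAN interface list remains as the recovery route described earlier in the thread.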
 
Fleishmachine
newbie
Topic Author
Posts: 25
Joined: Tue Jul 13, 2021 5:31 pm

Re: RB1100AH - Blocked ports

Fri Jul 16, 2021 6:33 pm

Better security can be afforded by a better understanding.

(1) Therefore, via WinBox, go to the IP menu item and select IP SERVICES.
Here you can disable all the services that give users access to the router:
api, api-ssl, ftp, ssh, telnet, www, www-ssl. THE ONLY ONE YOU SHOULD KEEP ACTIVE is winbox.

That's correct - I had done it before, with winbox available from my local networks only. However, it was still annoying to see the warnings in the logs.

Its default port is usually 8291, I believe, and that should be changed once you have a stable setup.

I got this one done now - so far I have no more warnings in the logs - I will see how it looks after the next few hours.

(2) Then go to the IP Firewall section and choose SERVICE PORTS on the top bar of the firewall popup.
Here one should disable all services that are not required (from dccp to udplite).
With that you have closed most if not all of the services and ports that do not need to be accessible.

OK.
I will need to look carefully at points 3-6 very soon; some bits I have already done. I'm really glad for your detailed advice.

All the best!
Fleishmachine
