Page 1 of 1

Default password vulnerability

Posted: Mon Apr 03, 2017 11:37 am
by phaseform
Being a beginner with router os, I configured my mikrotik routers internet connection using ppoe, and set my DSL modem to bridge mode. After opening a terminal I noticed a flood of login attempts. Only because I'd changed the login credentials first, basically by chance, did these login attempts fail... Seems like a pretty big vulnerability in the security for a beginner using quickset!?!

Re: Default password vulnerability

Posted: Mon Apr 03, 2017 11:42 am
by pe1chl
Yes, but this is caused by bad instructions on internet or people "experimenting" without studying the matter.
When you would have used quickset to setup PPPoE it would not be such a problem because there would be
an incoming firewall on the PPPoE.
But when you just configure the router as plain router, then remember PPPoE, watch a naive Youtube movie
on how to add a PPPoE interface, and do not adjust the firewall, yes then you are in trouble!

I have often proposed that the firewall is changed to do a default drop and accept only what is explicitly allowed
(like traffic from the LAN), but MikroTik won't do that. So it is your own responsibility to drop incoming traffic
from any new interface that you add.

Re: Default password vulnerability

Posted: Mon Apr 03, 2017 12:28 pm
by phaseform
My point is why bother with a quickset if it fails to provide fundamental security? Just bugs me that people with specialised IT knowledge often say "lol amateur" rather than create solutions for beginners (specifically change login credentials on first login). -i used quickset and there were no such firewall rules for SSH/telnet etc as I remember

Re: Default password vulnerability

Posted: Mon Apr 03, 2017 1:06 pm
by Quared
Hello,

RouterOS is much more configurable/flexible and powerful, thus not comparable to any of these 'typical' end-user-friendly routers and their GUIs - whether Webfig nor Winbox.

Even those 'typical' end-user-friendly routers allow weak or even NO admin/access password to be set if per user-choice.

Check
https://wiki.mikrotik.com/wiki/Manual:I ... figuration

and

https://wiki.mikrotik.com/wiki/Manual:S ... our_Router

greets

Re: Default password vulnerability

Posted: Mon Apr 03, 2017 1:13 pm
by normis
If you use QuickSet to change internet mode to "PPPoE", the firewall is set on the PPPoE interface. I tested it, and this is what the QuickSet adds:
screen 113.jpg
So as a beginner, I suggest using QuickSet and then using "Firewall router" in QuickSet.

Re: Default password vulnerability

Posted: Mon Apr 03, 2017 2:31 pm
by pe1chl
My point is why bother with a quickset if it fails to provide fundamental security?
But with quickset it works OK!
It only fails when you manually add the PPPoE

Re: Default password vulnerability

Posted: Mon Apr 03, 2017 4:27 pm
by phaseform
Cool thanks for the replies, I'll check it out when I'm Infront of my computer