The original thread was locked. viewtopic.php?f=2&t=137278
I followed the instructions and yet my routers were compromised again. Running 6.42.6.
Not sure what's going on but I would appreciate it if you guys could fix this.
> I will echo these statements. Just had devices with 6.40 & 6.42 hacked. 8291 open to interwebz, but locked with secure password... I guess I need to use longer than 12. Sigh.

It is not safe to have winbox/ssh/telnet/https/http admin ports on the MikroTik open to the Internet. There's no reason to do so. If you need to allow remote administration, there are two avenues that are more secure:
1. Add an address list for trusted admin IPs; you can use dynamic DNS names in there (e.g. IP Cloud). Besides allowing winbox from the local network, allow it from those trusted IPs.
2. Set up some kind of VPN (e.g. L2TP/IPsec) so that when you are elsewhere you can connect via VPN and admin the router.

> I'm thinking about configuring a VM in the cloud as a "JUMP" box for winbox / ssh to customer MikroTiks. Set an obscure admin password and then a secondary login as worst case.
> Looking into GenieACS now as well...

Both are very reasonable ideas. You can VPN to your cloud VM and then connect via winbox from that IP. You can use GenieACS to push config changes to a device even if you can't log into it; for instance, adding entries to an address list to allow you to gain access is fairly easy.

> 1. Add an address list for trusted admin IPs; you can use dynamic DNS names in there (e.g. IP Cloud). Besides allowing winbox from the local network, allow it from those trusted IPs.
> 2. Set up some kind of VPN (e.g. L2TP/IPsec) so that when you are elsewhere you can connect via VPN and admin the router.

3. You could also use port knocking. Try the right combination of ports and the management port will be open for 5 min to connect.
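The three options discussed in this post, written out as RouterOS configuration. This is an added example, not configuration posted in the thread or shipped by MikroTik: the list name admin-allowed, the LAN subnet 192.168.88.0/24, the DDNS hostname, the VPN pool, the credentials and the two knock ports are all assumed placeholders to replace with your own. Option 3 only feeds the same address list for 5 minutes; the knocked ports travel in the clear, so it sits on top of options 1 and 2 rather than replacing them.

```routeros
# Added example (not from the thread): restrict RouterOS management to an
# address list, a VPN, and an optional knock sequence.
# Every name, subnet, port and password below is an assumed placeholder.

# --- 1. Trusted admin IPs --------------------------------------------------
/ip cloud set ddns-enabled=yes
/ip firewall address-list
add list=admin-allowed address=192.168.88.0/24 comment="LAN"
# A DNS name is resolved by the router and kept current, so a dynamic
# home/office address can be trusted (an IP Cloud name or your own DDNS host).
add list=admin-allowed address=office.example.com comment="DDNS hostname"

# --- 2. L2TP/IPsec VPN for remote administration --------------------------
/ip pool add name=vpn-pool ranges=10.99.0.2-10.99.0.50
/ppp profile set default-encryption local-address=10.99.0.1 remote-address=vpn-pool
/ppp secret add name=admin-vpn password=CHANGE-ME service=l2tp profile=default-encryption
/interface l2tp-server server set enabled=yes use-ipsec=required \
    ipsec-secret=CHANGE-ME-PSK default-profile=default-encryption
# VPN clients land in 10.99.0.0/24, so that range is trusted as well
/ip firewall address-list add list=admin-allowed address=10.99.0.0/24 comment="VPN clients"

# --- 3. Optional port knocking: two TCP ports in order, then 5 minutes ---
/ip firewall filter
add chain=input protocol=tcp dst-port=12345 \
    action=add-src-to-address-list address-list=knock-stage1 \
    address-list-timeout=15s comment="knock 1 (stage list expires in 15s)"
add chain=input protocol=tcp dst-port=54321 src-address-list=knock-stage1 \
    action=add-src-to-address-list address-list=admin-allowed \
    address-list-timeout=5m comment="knock 2 -> trusted for 5 min"

# --- Input chain: management only from admin-allowed ----------------------
# Rules are evaluated top to bottom; the knock rules above must stay
# ahead of the final drop.
add chain=input connection-state=established,related action=accept
add chain=input protocol=udp dst-port=500,4500 action=accept comment="IKE / NAT-T"
add chain=input protocol=ipsec-esp action=accept comment="ESP"
add chain=input protocol=tcp dst-port=8291,22,443 src-address-list=admin-allowed \
    action=accept comment="winbox/ssh/https from trusted sources only"
add chain=input protocol=tcp dst-port=21,22,23,80,443,8291,8728,8729 \
    action=drop comment="drop management attempts from everyone else"

# --- Turn off the services you do not use ---------------------------------
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
```

Paste the block into a terminal or import it as a script; check the rule order with /ip firewall filter print afterwards, because an accept rule placed above the src-address-list match would reopen the ports. Before logging out, test from a trusted source that winbox still connects, and from an untrusted one that it does not.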
> 3. You could also use port knocking. Try the right combination of ports and the management port will be open for 5 min to connect.

Yes, port knocking is a perfectly fine alternative. It's not a big deal, though, in modern RouterOS to set up L2TP over IPsec on all of your clients' devices, and then you can VPN to them from anywhere.
> Yes, port knocking is a perfectly fine alternative.

No, please! Port knocking is a dangerous "security-through-obscurity" practice. You should warn against that, not agree that it is a "fine alternative". It is not even "obscure", because every MITM can see the ports being knocked. It has exactly the same level of security as sending a password in plain text. And today, nobody would send his password in plain text.