Community discussions

 
mikrotikuser123
just joined
Topic Author
Posts: 2
Joined: Thu Oct 11, 2018 11:36 am

Can my ISP access my Mikrotik Router and make changes?

Thu Oct 11, 2018 11:46 am

Hello,
We have this weird issue since some months and it happened three times now. I made some rules through Winbox like to block Facebook/Youtube in our office through Layer7, and allowed some MAC Addresses to keep the access to Facebook/Youtube.
1st time) The password of router was changed. Many people could access Facebook/Youtube and many can't, especially no one can access whom I have allowed the access to Layer7 rule I created. First time when it happened I thought it's just a one time issue so no worries and I re-setted router with my backup.
2nd time) Again the password of router was changed and same issue as above. Now I also blocked 8291 from remote access. Previously I allowed 8291 access but this time I blocked it, thinking that ISP might be accessing my router through remote connection. I verified that port is blocked through multiple checks.
3rd time) This time password is not changed and I'm sure that password is not with anyone else except me but issue is same as above. When I got to know that one of the person is using Facebook, I immediately accessed my router. Password is not changed, but I see many rules in Filter Rules page which I didn't created myself. As I said 8291 port is blocked. The interesting part is all the names/comment of Rules (those I didn't created) were with the suffix of name of my ISP. So I'm sure they are creating it.

Can anyone tell me if it's possible for ISP to access our router and make changes? Is there any way to stop it? Or according to your expertise what would be causing such issue?
 
erlinden
Member Candidate
Member Candidate
Posts: 174
Joined: Wed Jun 12, 2013 1:59 pm

Re: Can my ISP access my Mikrotik Router and make changes?

Thu Oct 11, 2018 2:29 pm

Was the MT supplied by your ISP? If Yes...sure they can. If Not...they won't touch it.
Sure the MT is not compromised by a hacker?
 
mikrotikuser123
just joined
Topic Author
Posts: 2
Joined: Thu Oct 11, 2018 11:36 am

Re: Can my ISP access my Mikrotik Router and make changes?

Thu Oct 11, 2018 3:39 pm

By MT you mean Mikrotik box? Yes they supplied it. So you mean they have some exploit in the device that they could gain access anytime?
 
usdmatt
Frequent Visitor
Frequent Visitor
Posts: 52
Joined: Tue Oct 29, 2013 6:18 pm

Re: Can my ISP access my Mikrotik Router and make changes?

Thu Oct 11, 2018 3:56 pm

If the Mikrotik was supplied by the ISP then it's entirely possible they will give themselves remote access by adding an allow rule in the input chain from their network. We often do this as if we provide a Mikrotik, we tend to also look after it - Most people struggle to open a port on a basic web managed router, they'd have no hope with a Mikrotik so we often do it for them. (But this would be because they'd contacted us to ask us to help them do it)

It's highly unlikely they would be messing with your firewall rules though, or making any changes without you being involved. Also, any remote access would simply be by allowing themselves in the firewall, they wouldn't add any sort of backdoor or exploit. (Unless this is a really dodgy ISP).

What do the rules that are being added look like (and what's currently in your firewall input chain)?
 
tippenring
Member Candidate
Member Candidate
Posts: 179
Joined: Thu Oct 02, 2014 8:54 pm
Location: St Louis MO
Contact:

Re: Can my ISP access my Mikrotik Router and make changes?

Thu Oct 11, 2018 4:39 pm

So you mean they have some exploit in the device that they could gain access anytime?
Depending on your software version, yes, that is correct. See https://blog.mikrotik.com/security/winb ... ility.html

Also, it's a good idea to monitor https://blog.mikrotik.com/security/
 
solar77
Member
Member
Posts: 437
Joined: Thu Feb 04, 2016 11:42 am
Location: Scotland

Re: Can my ISP access my Mikrotik Router and make changes?

Fri Oct 12, 2018 11:57 am

check if you have ssh enabled and mutiple user with Full Access.

ISP can block your access to facebook / youtube on their part of the network, without having to access your router. Plus, it does not make any sence for them to do this. Remeber ISP is a business, time is money, why spend the time and effort but not get paid ?

you can disalbe port 80, ssh and telnet. and add your own LAN IP to Winbox Service. This is more restrict then the firewall rule
/ip service set winbox address=Your_Lan_IP
make sure you lan IP is static and remember that it is...
MTCNA MTCTCE UEWA
 
sindy
Forum Guru
Forum Guru
Posts: 3974
Joined: Mon Dec 04, 2017 9:19 pm

Re: Can my ISP access my Mikrotik Router and make changes?

Fri Oct 12, 2018 6:16 pm

You say you restrict access to the machine on the WAN side, but the hacker can be inside your LAN, especially if the result of their activity is only that they permit access to facebook and youtube.

Or in a more sophisticated way, a malware on one of your LAN clients' PCs may connect to your Mikrotik if it had the Winbox service open in the past, without the user of that PC being aware.

So I would
  • export (not backup) the configuration into a file
  • download the file, analyze and understand the purpose of every single line of it, and remove everything dangerous from it
  • netinstall the mikrotik (upgrade is not enough) with 6.43.2 or at least 6.42.9
  • create the users and set to all of them different passwords than they had ever before
  • upload the sanitized configuration file to the netinstalled Mikrotik, named e.g. clean-cfg.rsc
  • use /system reset-configuration run-after-reset=clean-cfg.rsc to restore the previous configuration from the sanitized export
Netinstall will invalidate all your certificates if any, but that's the price to pay unfortunately.

To further increase security, you can disable http, telnet, api and Winbox completely (even for access from LAN) and permit only https access (which requires to create a certificate) and/or ssh access.

In any case, the ISP is the least likely source of the issue.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
 
User avatar
docmarius
Forum Guru
Forum Guru
Posts: 1219
Joined: Sat Nov 06, 2010 12:04 pm
Location: Timisoara, Romania
Contact:

Re: Can my ISP access my Mikrotik Router and make changes?

Fri Oct 12, 2018 6:39 pm

That's what happens when you put restrictions on people: Le Chatelier's principle. The system changes to escape the constrain.
I would look for the "hacker" on the inside. But if they are your employees, this could rather trigger personnel fluctuations instead of increased productivity.
Torturing CCR1009-7G-1C-1S+, RB450G, RB750GL, RB951G-2HnD, RB960PGS, RB260GSP, OmniTIK 5HnD and NetMetal 922UAGS-5HPacD + R11e-5HnD in my home network.

Who is online

Users browsing this forum: MSN [Bot] and 139 guests