sjoram
Member Candidate
Topic Author
Posts: 103
Joined: Sun Feb 10, 2013 8:47 pm
Location: Essex, UK

Best practice hardening/NAT rules

Fri Jan 18, 2019 2:03 pm

Hi all,

I currently have a RB750 and RB750GL at two different locations, which have been in place for a couple of years. These have a PPP client connection to the ISP on the WAN side.

I have found over the past year or so a number of issues as a result of my misconfiguration of the devices and had some security "holes" as a result.
I am working to improve my configuration to resolve some of these issues and may take the opportunity to upgrade to the extra RAM in the hEX unit, as some use of address lists etc. is starting to increase the RAM requirement for my configuration.

Other than the default drop rules, which I will need to adjust to include the PPP interface as well as eth1, are there any other rules I should be adding to 'harden' the WAN side of the router?

On a related note, I have a static /32 on the PPP interface, through which a /29 is routed to me. This only gets used on NAT rules and not assigned to any internal clients directly. Do I need the IPs assigned to a router interface for them to work in NAT, or can they just be added to filter/NAT rules? I think having applied the IPs to an interface in error may have created some of the issues I face today.
RouterBOARD RB750 - Xilo ADSL2+ (Annex M)
RouterBOARD RB750GL - Xilo FTTC (VDSL)
 
sebastia
Forum Guru
Posts: 1700
Joined: Tue Oct 12, 2010 3:23 am
Location: Antwerp, BE

Re: Best practice hardening/NAT rules

Fri Jan 18, 2019 2:30 pm

Hey

Wrt hardening: firewall-wise, the default config as provided by MikroTik is ok. You CAN secure the configuration further following these points https://wiki.mikrotik.com/wiki/Manual:S ... our_Router.

If you NAT all traffic (including the router itself) then I would think you don't need to have that IP actually assigned to an interface. Connection tracking & NATting will take care of the rest.
 
mkx
Forum Guru
Posts: 2604
Joined: Thu Mar 03, 2016 10:23 pm

Re: Best practice hardening/NAT rules

Fri Jan 18, 2019 2:32 pm

A good starting point for creating a firewall is the default setup in current ROS versions. I'm not sure if they are listed somewhere as a reference? Then add things you know you need, and be paranoid when deciding that you really need them.

If the extra addresses are simply routed over your PPPoE connection, then you probably don't need to set them anywhere. It's just a matter of using appropriate src-nat and dst-nat rules. If you had more than one WAN interface, you'd have to be careful about routing through the correct WAN interface though.
BR,
Metod
 
sjoram
Member Candidate
Topic Author
Posts: 103
Joined: Sun Feb 10, 2013 8:47 pm
Location: Essex, UK

Re: Best practice hardening/NAT rules

Fri Jan 18, 2019 3:23 pm

Thanks guys. I think my problems stem from having moved over to RouterOS several years ago when:

a) I still had a lot to learn about networking and firewalls/routing specifically. (Still do, but it's a lot better now!)

b) I think earlier versions of ROS on which my config was built didn't have as many default drop rules as the current factory build, and the ones I added weren't, and still aren't, quite right.

I plan to build the new units from scratch rather than importing the existing config, which will give me a good chance to fix some of my mistakes. Also, one of my units fell victim to the Winbox exploit recently, so I'm wary of doing a straight export from that in case any 'nasties' go along with it, even though I think I cleaned everything up.
 
anav
Forum Guru
Posts: 2904
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Best practice hardening/NAT rules

Fri Jan 18, 2019 3:50 pm

Be sure to do a netinstall of the latest firmware if any devices were hacked.
Feel free to post your config here for comments.
In general, NAT is well handled by the router, and setup depends on whether you have a static or near-static IP, or clearly dynamic IPs (I mean WAN IPs).
In terms of port forwarding, if you can use source address lists on incoming traffic, that is best; otherwise whatever server is running had best have good security.
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
 
sjoram
Member Candidate
Topic Author
Posts: 103
Joined: Sun Feb 10, 2013 8:47 pm
Location: Essex, UK

Re: Best practice hardening/NAT rules

Fri Jan 18, 2019 4:45 pm

I've started looking to use address lists, both to permit legitimate traffic and to block some rogues. The latter is proving a challenge on the 32MB RAM in the RB750 (I've had to reduce the timeout to reduce the list size), another reason for a hardware upgrade!

Edit: Port knocking - why didn't I do that before?! :lol:
 
anav
Forum Guru
Posts: 2904
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Best practice hardening/NAT rules

Fri Jan 18, 2019 5:33 pm

In terms of lists, I would point out that a member here understands the limitations of the routers and provides a service that will comb through most of the lists out there, and update and maintain them for peanuts. Check out MOAB on the forum and you will find it. Best value IMHO.
 
sjoram
Member Candidate
Topic Author
Posts: 103
Joined: Sun Feb 10, 2013 8:47 pm
Location: Essex, UK

Re: Best practice hardening/NAT rules

Fri Jan 18, 2019 6:24 pm

I have come across that one, thanks. I don't think the 3MB RAM I have left will cope with that right now, but I will look to try it once I've upgraded!
 
anav
Forum Guru
Posts: 2904
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Best practice hardening/NAT rules

Fri Jan 18, 2019 8:50 pm

It will cope (it is tailored to the products available), and it will replace the plethora of homegrown, probably incoherent, setups in place currently. :-)
 
sjoram
Member Candidate
Topic Author
Posts: 103
Joined: Sun Feb 10, 2013 8:47 pm
Location: Essex, UK

Re: Best practice hardening/NAT rules

Sun Jan 27, 2019 12:56 pm

Thanks all - I spent about 6 hours in Winbox yesterday re-crafting my config from the existing RB750 onto the RB750Gr3.
I have a newfound appreciation for the ability to backup/export a configuration, though as mentioned I was never going to do that here!

As an aside, in my professional life (ROS is only used on my home kit), I advocate knowledge of the CLI over web/app-based GUIs, even if you regularly use the latter. I've never spent too much time on the ROS CLI, but I had to apply some rules that way due to a screen resolution/lack of scroll bar issue in Winbox! It gets easier each time I do a bit more, in much the same way as it does for the products I use professionally. :D

I just posted in another thread about the useful new default rule to drop all not from LAN, for when you forget/don't realise you need to add the PPPoE interface you create to the WAN interface list, so at least this time I have a drop rule that is actually doing something!

Once I've got the new box swapped out, I'll look at adding the scripts for malicious hosts that I've seen elsewhere on the forum as well!
 
anav
Forum Guru
Posts: 2904
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Best practice hardening/NAT rules

Sun Jan 27, 2019 4:28 pm

As I noted before, check out MOAB before you waste too much time, so that you can protect yourself and get on with other things LOL.
Personally I use this at the moment ( https://axiomcyber.com/shield ), but if not I would be using MOAB.
One will get lost in the cloud of suggestions, methods etc. It's actually the black hole of wasted time IMHO.

For example, I am looking at forgetting about all lists and simply trapping and blocking ALL unwanted traffic, never mind from where.
Then leaving the freed-up time to actually looking at what happens when something is behind the router and trying to get out.
That's where the real security issue is from my viewpoint (no external access permitted, so not worried about that). So catching bitcoin mining outbound or the like is what now interests me.

To catch all the traffic and to forget about all those lists out there:
Use Raw Prerouting to capture a source address list for common ports I will never use on my LAN (139, 20-23 for example). This will capture the majority of probing bad guys.
Use Filter to capture a source address list for common ports I DO use on my LAN, and specify in-interface-list=WAN (53, 80, 443 for example). May capture more bad guys.
Use Raw to drop the source address list for 6 hrs (bye bye to all of them for six hours).

Done. Everything that is legitimate traffic, established and related (connection tracked) or dst-natted (see below) will work as per normal; all other traffic will be captured and dropped, mostly in RAW, which is less load for the CPU.
The only tricky part is if one has some destination NAT set up with authorized users.
Again, not a problem: ensure each NAT rule includes the authorized users specific to that rule (one rule for company A to server A, one rule for friends to server B etc.).
In the filter rule that covers all DST NAT connections, simply add the source address list that includes all users - a super source list associated with destination NAT (A+B+C etc.).

If you see any holes in my thinking feel free to chime in.
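A worked RouterOS configuration for the raw/filter capture scheme anav lays out above, which also answers the earlier question about NATting the routed /29 without assigning its addresses to an interface. This is an added example, not config posted by anyone in the thread or shipped by MikroTik; pppoe-out1, the 203.0.113.8/29 block, the 192.168.88.0/24 LAN, the server addresses and all address-list names and members are assumed sample values.

```routeros
# Added example (not from the thread). Assumed sample values: pppoe-out1 is the
# PPP client, 203.0.113.8/29 is the routed block (documentation prefix),
# 192.168.88.0/24 is the LAN; list names and member addresses are constructed.

/interface list member
add list=WAN interface=pppoe-out1

# Per-service authorised sources, plus one combined list for the filter rule.
/ip firewall address-list
add list=companyA-users address=198.51.100.0/24
add list=friends-users  address=192.0.2.50
add list=dstnat-users   address=198.51.100.0/24
add list=dstnat-users   address=192.0.2.50

# NAT: the /29 addresses are referenced only here and never put on an interface;
# connection tracking maps replies to 203.0.113.9 back to the LAN source.
/ip firewall nat
add chain=srcnat out-interface-list=WAN src-address=192.168.88.0/24 \
    action=src-nat to-addresses=203.0.113.9
add chain=dstnat in-interface-list=WAN dst-address=203.0.113.10 protocol=tcp \
    dst-port=443 src-address-list=companyA-users action=dst-nat to-addresses=192.168.88.10
add chain=dstnat in-interface-list=WAN dst-address=203.0.113.11 protocol=tcp \
    dst-port=22 src-address-list=friends-users action=dst-nat to-addresses=192.168.88.11

# Raw prerouting: drop already-listed probers before connection tracking, then
# list anyone hitting ports this LAN never uses (20-23, 139) for 6 hours.
/ip firewall raw
add chain=prerouting in-interface-list=WAN src-address-list=probers action=drop
add chain=prerouting in-interface-list=WAN protocol=tcp dst-port=20-23,139 \
    action=add-src-to-address-list address-list=probers address-list-timeout=6h

# Filter: accept tracked traffic and authorised dst-natted connections first,
# then list unsolicited WAN hits on ports the LAN does use (53, 80, 443),
# then drop everything else from WAN (add-src-to-address-list is pass-through).
/ip firewall filter
add chain=input   connection-state=established,related action=accept
add chain=forward connection-state=established,related action=accept
add chain=forward in-interface-list=WAN connection-nat-state=dstnat \
    src-address-list=dstnat-users action=accept
add chain=input   in-interface-list=WAN protocol=tcp dst-port=53,80,443 \
    action=add-src-to-address-list address-list=probers address-list-timeout=6h
add chain=forward in-interface-list=WAN protocol=tcp dst-port=53,80,443 \
    action=add-src-to-address-list address-list=probers address-list-timeout=6h
add chain=input   in-interface-list=WAN action=drop
add chain=forward in-interface-list=WAN action=drop
```

Rule order matters: the dst-nat accept must sit above the filter capture rules, otherwise an authorised user's first packet to a forwarded port 443 would land them in the probers list and they would be dropped in raw for the next six hours.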
