ros44
Frequent Visitor
Topic Author
Posts: 74
Joined: Sun Feb 25, 2018 2:05 am
Location: Sofia, Bulgaria

Security audit of a router

Mon Mar 08, 2021 8:02 pm

I am aware that this question doesn't have a straight answer. But it is my paranoia that is going high lately.

I want to regularly check my routers for anything suspicious. All of them are running latest Long-term or Stable version of RouterOS.

What are those key areas that might eventually give me a clue that something fishy is going on?
1. Firewall
2. Scripts
3. Scheduler
4. Packages
5. Configuration
6. Logs
7. History

/please add more to this list/

Also, is there any way for a router to be compromised and RouterOS to be changed in a way that is absolutely hidden and that only netinstall can fix? Is there a way to check the integrity of the currently running RouterOS?

Thank you!
 
mkx
Forum Guru
Posts: 11597
Joined: Thu Mar 03, 2016 10:23 pm

Re: Security audit of a router

Mon Mar 08, 2021 8:29 pm

There have been reports that a compromised router could not be recovered in any other way than using netinstall, which means that it is possible to hide part of an exploit so that it becomes active again after attempted recovery. However, the action by which the router works differently (which is the point of exploiting it) has (so far) always been visible in the configuration.

If I were paranoid, I'd deploy a script which periodically creates a full text export (/export verbose) and e-mails the resulting file to some management server. There a procedure would take the mailed config export, (intelligently) compare it to a known good config and alert myself if there's a change. Or if the export failed to arrive ...
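The management-server half of that procedure, as an added example that is not from the post above nor from MikroTik: it normalizes two `/export verbose` texts (dropping the timestamp and software-id comment lines at the top, which change on every export), groups lines by menu path, reports per section which lines were added or removed (so a change in the firewall, scripts or scheduler areas from the first post shows up by name), and treats an export that has not arrived within a configured window as its own alert. The two exports embedded below are constructed samples, not real router configurations; the function names and the 25-hour window are assumptions of this example.

```python
"""Compare a received RouterOS text export against a known-good baseline.

Added example for the audit procedure described in the thread. Assumes the
exports are plain ``/export verbose`` text; the first comment lines (date and
software id) are volatile and are ignored so that an unchanged config
compares equal.
"""
import difflib
from datetime import datetime, timedelta

# Constructed sample: the known-good export kept on the management server.
BASELINE = """\
# mar/08/2021 20:29:00 by RouterOS 6.48.1
# software id = XXXX-XXXX
/ip firewall filter
add action=accept chain=input connection-state=established,related
add action=drop chain=input in-interface=ether1
/system scheduler
add interval=1d name=export-config on-event=export-config
/system script
add name=export-config source="/export verbose file=cfg"
"""

# Constructed sample: a later export in which a firewall rule, a scheduler
# entry and a script have appeared that were not in the baseline.
RECEIVED = """\
# mar/09/2021 20:29:00 by RouterOS 6.48.1
# software id = XXXX-XXXX
/ip firewall filter
add action=accept chain=input connection-state=established,related
add action=accept chain=input dst-port=8291 protocol=tcp
add action=drop chain=input in-interface=ether1
/system scheduler
add interval=1d name=export-config on-event=export-config
add interval=10m name=extra on-event=extra
/system script
add name=export-config source="/export verbose file=cfg"
add name=extra source=":log info hello"
"""


def normalize(export_text):
    """Drop comment lines (the volatile header) and blank lines."""
    return [ln.rstrip() for ln in export_text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]


def split_sections(lines):
    """Group export lines under the menu path they belong to, in order."""
    sections = {}
    current = "(top)"
    for ln in lines:
        if ln.startswith("/"):
            current = ln
            sections.setdefault(current, [])
        else:
            sections.setdefault(current, []).append(ln)
    return sections


def compare_exports(baseline, received):
    """Return {menu path: ['+added line', '-removed line', ...]} for every
    section that differs. The comparison is order-sensitive on purpose:
    firewall rules that merely moved are reported as well."""
    base = split_sections(normalize(baseline))
    new = split_sections(normalize(received))
    changed = {}
    for section in sorted(set(base) | set(new)):
        old_lines, new_lines = base.get(section, []), new.get(section, [])
        if old_lines != new_lines:
            diff = difflib.unified_diff(old_lines, new_lines, lineterm="", n=0)
            changed[section] = [d for d in diff
                                if not d.startswith(("---", "+++", "@@"))]
    return changed


def export_is_stale(last_received_iso, now_iso, max_age_hours=25):
    """True when no export has arrived within max_age_hours. The scheduler in
    the sample runs daily, so one hour of slack is allowed (assumed value)."""
    last = datetime.fromisoformat(last_received_iso)
    now = datetime.fromisoformat(now_iso)
    return now - last > timedelta(hours=max_age_hours)


def audit(baseline, received, last_received_iso, now_iso):
    """Produce the list of alert strings an operator would be mailed."""
    alerts = []
    if export_is_stale(last_received_iso, now_iso):
        alerts.append("no config export received since " + last_received_iso)
    for section, diff in compare_exports(baseline, received).items():
        alerts.append(section + " changed:\n  " + "\n  ".join(diff))
    return alerts


if __name__ == "__main__":
    for alert in audit(BASELINE, RECEIVED, "2021-03-09T20:29:00", "2021-03-09T20:35:00"):
        print(alert)
```

Running the block prints three alerts, one each for `/ip firewall filter`, `/system scheduler` and `/system script`, with the exact added lines; a re-export of an unchanged config produces none because only the header comments differ.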
 
Jotne
Forum Guru
Posts: 3297
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Security audit of a router

Mon Mar 08, 2021 8:46 pm

Not possible to give a simple answer, but here are some things I have done.

a. Log all changes to your router. (I do use Splunk, see my signature.)
b. Do not open your router for outside change access (Winbox/SSH/Telnet ++); if you need to do it, use a VPN, and if that cannot be done:
---1. Use another port than the default.
---2. Use port knocking. This prevents someone from seeing open ports.
---3. Use a long and good password.
---4. Use an access list to prevent any random internet host from accessing your router.
---5. Log everything. (See my signature for an example.)
---6. Upgrade firmware to the latest stable release.
---7. ++++
c. I have an access rule so that if someone tries any port on my router that is blocked, they will be blocked on all ports (even web etc.) for 24 hours. This way they get blocked from all access if they try something that they are not allowed to do.
d. Know what all your filter rules and NAT rules do.
e. Make sure the last filter rule does block all that is not allowed above.
f. Upgrade your router to the latest stable. Do not use beta software in production.
g. Have a backup of your config.
h. Ask for help :)
