normis
MikroTik Support
Topic Author
Posts: 24127
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Securing your device is important

Fri Jan 12, 2018 4:19 pm

It has come to our attention that somebody has created a script that logs into unprotected devices and sets a password, along with a new identity name. This affects devices that have public IP addresses.

Most MikroTik devices have a firewall on the public interface - please remember that disabling your public firewall is not a good idea. If you have a good reason to open your device to the outside world, make sure you create a new user with a strong password and then disable your default admin user.

We have created a great article about the steps you need to take to protect a device that has a public IP address:
https://wiki.mikrotik.com/wiki/Manual:S ... our_Router

In short:
- don't use the default admin user
- use a strong password for your own user
- improve upon the default firewall rules, do not disable it
- turn off the services you don't use
- keep your device up to date
 
jaqsoo
Trainer
Posts: 1
Joined: Wed Jul 29, 2015 6:17 pm
Location: Costa Rica

Re: Securing your device is important

Fri Jan 12, 2018 5:06 pm

Thanks for this post. It is true, we have been receiving many inquiries during this past week regarding articles talking about a MikroTik security break, when it seems all of them have been related to insecure router setup. The steps suggested may seem obvious, but the truth is there are many, many devices out there without the minimum attention to security. Let's secure our routers and avoid a bad reputation for MikroTik / RouterOS.
 
JimmyNyholm
Member Candidate
Posts: 249
Joined: Mon Apr 25, 2016 2:16 am
Location: Sweden

Re: Securing your device is important

Fri Jan 12, 2018 5:33 pm

Set networks for ALL services, even if they are disabled.
Set networks for ALL users, with strong passwords.
Disable MAC servers for interfaces that do not need them.
Disable IP Neighbour for interfaces that do not need it.
If deploying RoMON, consider segment key usage and have different hops for different stuff in your net.

Disable packages that you do not need.

This is basic security.
 
pe1chl
Forum Guru
Posts: 5694
Joined: Mon Jun 08, 2015 12:09 pm

Re: Securing your device is important

Fri Jan 12, 2018 6:17 pm

Another improvement would be when devices are not shipped with an empty admin password, but initially would have
some password that cannot be so easily guessed from outside. Even using the ether1 MAC address as the initial password
would be better than nothing (as normally the MAC address is not visible to an attacker on the internet).
Of course it is not optimal (an attacker on WiFi can see the MAC address of the WiFi and quite easily guess the ether1 MAC),
but it would be a change that does not require manufacturing changes. The MAC is already on the label and available
to the software.
Other manufacturers are already a step ahead and have an initial password that is printed on the label, and apparently
stored in some flash memory at manufacturing.
It would also be advisable to have a default auto-upgrade, or at least an initial upgrade when the device first gets internet
connectivity. That would also be the moment when changes like the above would get incorporated into already manufactured
devices.
 
mt99
just joined
Posts: 24
Joined: Wed Jan 03, 2018 6:07 pm

Re: Securing your device is important

Sat Jan 13, 2018 7:38 am

I agree that Mikrotik should move toward unique default passwords, which many other manufacturers have done (usually some component of the MAC address). But at least so far, it seems like these defacements have been happening in instances where the router's administrative services were available from the Internet and no password was set. Admins who open the firewall need to understand the ramifications of what they're doing. To help keep your router secure from the Internet, here's what I recommend from most to least important:

1. Ensure that your administrative services aren't available on the WAN interface. By default the firewall will prevent this of course. But maybe people either disabled that to get something working and never turned it back on, or forgot to turn it back on, or didn't realize that Mikrotik devices have an implicit allow at the end of the firewall ruleset. Doing something like the following and moving it to the top of the ruleset would help, assuming you run SSH, HTTP, and Winbox on the default ports with your WAN interface in the WAN interface list:

/ip firewall filter add action=drop chain=input comment="no admin access to router from WAN" dst-port=22,80,8291 in-interface-list=WAN protocol=tcp

2. Change the admin user name to something else, and set a strong password.

3. In IP > Services, disable unused services and minimally set custom ports for SSH and HTTP as in the following example:

/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh port=22222
set api disabled=yes
set www port=8888

Of course, when setting custom ports ensure that they aren't available from the Internet as in step 1.

4. Back to IP > Services: disable unencrypted services (telnet, HTTP, FTP, api) and use encrypted services like SSH and Winbox. If you need a web interface, set up a CA and issue yourself a cert that can be used for HTTPS (custom port for that too). For enabled admin services, I would also consider setting an appropriate network that is allowed as in the following example: /ip service set winbox address=192.168.88.0/24.

5. Disable the Btest server - it listens on the WAN interface: /tool bandwidth-server set enabled=no

6. In IP > Neighbors, ensure that discovery is not available on your WAN interface at a minimum.

/ip neighbor discovery-settings
set discover-interface-list=!WAN

7. In Tools > MAC Server, ensure that only your LAN interfaces are available. I'm less concerned about this from the Internet since it's layer 2.

/tool mac-server set allowed-interface-list=LAN
/tool mac-server mac-winbox set allowed-interface-list=LAN

8. Enable strong ciphers on the SSH server, which is command line only: /ip ssh set strong-crypto=yes
This should be the default, and there should instead be a command-line option to disable weak ciphers.

There's a lot more you can do (disable unused accounts, remove unused packages, etc.), but this list is basically the minimum I'd recommend to protect the router from the Internet. Right now, go to Shodan.io and search for your public IP (you don't even need a login to do this). You might be surprised what you find there...
Last edited by mt99 on Sat Jan 13, 2018 8:50 pm, edited 1 time in total.
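The list above, together with normis's summary in the first post, can be checked mechanically against a router's `/export` output instead of by eye. The following Python script is an added example, not code from mt99, this thread or MikroTik: it parses the plain-text export format, overlays it on the RouterOS 6.x factory defaults for `/ip service` (an export lists only settings that differ from the defaults, so a service the export never mentions is still enabled on its default port), and reports which items of the list are still at a weak value. It also treats an input drop rule keyed to a single physical interface (the pre-6.40 style) as a finding, because a PPPoE interface added later is not covered by it. The two sample exports are constructed for the example and are not from a real device; the interface-list names WAN and LAN and the port 22222 follow mt99's post, and the table of factory defaults is an assumption to verify against your own RouterOS version.

```python
"""Audit a RouterOS 6.x '/export' dump against the hardening list above.  Added
example, not MikroTik's or mt99's code; assumes the usual WAN/LAN interface-list
names and the factory /ip service defaults listed below."""
import shlex

# (port, enabled) factory defaults.  An /export lists only values that differ
# from the defaults, so a service it never mentions is still at its default.
SERVICE_DEFAULTS = {"telnet": (23, True), "ftp": (21, True), "www": (80, True),
                    "ssh": (22, True), "api": (8728, True), "winbox": (8291, True),
                    "www-ssl": (443, False), "api-ssl": (8729, True)}

# Constructed samples, not real devices: an old-style default config whose input
# drop is keyed to ether1 only, and the same router after the checklist.
WEAK_EXPORT = """\
/ip firewall filter
add action=drop chain=input comment="defconf: drop all from WAN" in-interface=ether1
/ip neighbor discovery-settings
set discover-interface-list=all
/ip ssh
set strong-crypto=no
"""
HARDENED_EXPORT = """\
/ip firewall filter
add action=accept chain=input dst-port=22222,8291 in-interface-list=!WAN protocol=tcp
add action=drop chain=input comment="drop everything else from WAN" in-interface-list=WAN
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh port=22222
set api disabled=yes
/ip ssh
set strong-crypto=yes
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=LAN
"""


def parse_export(text):
    """Map each '/section' header to a list of (item, {key: value}) set/add lines."""
    sections, section = {}, ""
    for line in (raw.strip() for raw in text.splitlines()):
        tokens = shlex.split(line) if line and not line.startswith("#") else []
        if line.startswith("/"):
            section = line  # e.g. "/ip service"
        elif tokens and tokens[0] in ("set", "add"):
            item, params = "", {}
            for tok in tokens[1:]:  # shlex keeps comment="quoted text" as one token
                if "=" in tok:
                    key, value = tok.split("=", 1)
                    params[key] = value
                else:
                    item = tok  # e.g. "telnet" in 'set telnet disabled=yes'
            sections.setdefault(section, []).append((item, params))
    return sections


def audit(text):
    """Return finding tags for the checklist items; an empty list means all pass."""
    cfg, findings = parse_export(text), []

    def setting(section, key, default):
        for _, params in cfg.get(section, []):
            if key in params:
                return params[key]
        return default  # absent from the export, so still the factory value

    # Services: overlay the export on the factory defaults before judging.
    services = {n: {"port": str(p), "disabled": "no" if e else "yes"}
                for n, (p, e) in SERVICE_DEFAULTS.items()}
    for item, params in cfg.get("/ip service", []):
        services.get(item, {}).update(params)
    for name, st in services.items():
        if st["disabled"] != "yes" and name in ("telnet", "ftp", "www", "api"):
            findings.append(f"service:{name}:plaintext-enabled")
        if st["disabled"] != "yes" and name in ("ssh", "www") \
                and st["port"] == str(SERVICE_DEFAULTS[name][0]):
            findings.append(f"service:{name}:default-port")
    # Input chain: a drop keyed to one physical interface misses a PPPoE interface
    # added later (the scenario in this thread); key it on the WAN list or !LAN.
    if not any(p.get("chain") == "input" and p.get("action") == "drop"
               and p.get("in-interface-list") in ("WAN", "!LAN")
               for _, p in cfg.get("/ip firewall filter", [])):
        findings.append("firewall:input:no-drop-keyed-to-WAN-list")
    if setting("/ip ssh", "strong-crypto", "no") != "yes":
        findings.append("ssh:strong-crypto-off")
    if setting("/tool bandwidth-server", "enabled", "yes") == "yes":
        findings.append("bandwidth-server:enabled")
    if setting("/ip neighbor discovery-settings", "discover-interface-list", "all") == "all":
        findings.append("neighbor-discovery:all-interfaces")
    if setting("/tool mac-server", "allowed-interface-list", "all") == "all":
        findings.append("mac-server:all-interfaces")
    return findings


if __name__ == "__main__":
    for label, dump in (("weak", WEAK_EXPORT), ("hardened", HARDENED_EXPORT)):
        print(label, audit(dump) or "no findings")
```

Run against a real device by pasting the output of `/export` into a file and calling `audit(open(path).read())`; the weak sample yields eleven findings, the hardened one none. The defaults table is the part to keep current, since a check that assumes the wrong factory value silently passes.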
 
pe1chl
Forum Guru
Posts: 5694
Joined: Mon Jun 08, 2015 12:09 pm

Re: Securing your device is important

Sat Jan 13, 2018 12:23 pm

mt99, do you really expect that every owner of every MikroTik device would follow such lengthy advice?
Really, the only thing that can be done is using good default settings. Then some people might improve or customize them,
and those that do not know or do not care are not left vulnerable.
 
AlainCasault
Trainer
Posts: 601
Joined: Fri Apr 30, 2010 3:25 pm
Location: Laval, QC, Canada

Re: Securing your device is important

Sat Jan 13, 2018 12:29 pm

mt99, do you really expect that every owner of every MikroTik device would follow such lengthy advice?
Really, the only thing that can be done is using good default settings. Then some people might improve or customize them,
and those that do not know or do not care are not left vulnerable.

What's wrong with it? Have you even read O'Reilly's book on securing Cisco routers? So why should we care less for MikroTik routers???

mt99 +1 :)


___________________________
Alain Casault, Eng.
If I helped you, let me know!
 
pe1chl
Forum Guru
Posts: 5694
Joined: Mon Jun 08, 2015 12:09 pm

Re: Securing your device is important

Sat Jan 13, 2018 1:11 pm

I will assure you that not everyone who buys a MikroTik device will buy and read an O'Reilly book on securing Cisco routers with it!

That is why manufacturers, especially of devices that are also used by home customers, need to sell things that are secure by default.
The firewall is now better than it was before, but of course that only applies to devices that have 6.40 or later firmware and are reset to defaults.
This week I bought a hAP ac, also a device that is sold to home customers, and it came with 6.39.2, so after upgrading it to 6.41 I still
needed to do a reset to defaults to get the new firewall config.
AND, it still comes with admin-with-no-password and WiFi-with-no-security. These all have to be set up by the customer and there
is NO warning in the user interface that this should be done (I think it is in the leaflet, but it has very small grey print that is hard to read).
Other manufacturers are way ahead in this aspect, with unique default admin passwords and unique WPA2 passwords on WiFi for
every device as it comes out of the box. Or prompting to set a password the moment the first logon is done.
 
freemannnn
Long time Member
Posts: 656
Joined: Sun Oct 13, 2013 7:29 pm

Re: Securing your device is important

Sat Jan 13, 2018 1:38 pm

If you are familiar with MikroTik RouterOS, it's a matter of 5-10 minutes to secure your router with the above recommendations. Nice guide, thanks.
 
pe1chl
Forum Guru
Posts: 5694
Joined: Mon Jun 08, 2015 12:09 pm

Re: Securing your device is important

Sat Jan 13, 2018 2:04 pm

If you are familiar with MikroTik RouterOS, it's a matter of 5-10 minutes to secure your router with the above recommendations.

Yes it is, but the problem is not the people who are familiar with RouterOS or security.
The problem is the users who buy a device, plug it in, look on YouTube for a movie made by another beginner on how to set up PPPoE, and stop doing anything once they can surf the web.
THAT is the category of users who now got hacked. It is useless to write about how to secure a router for those people; they won't read it and probably won't understand it.
To keep those people safe, the only thing that works is security by default and mandatory security, like a unique default password or a mandatory password change on first logon.
 
Arcee
Member Candidate
Posts: 267
Joined: Fri Jun 27, 2014 2:33 pm

Re: Securing your device is important

Sat Jan 13, 2018 2:07 pm

Then there is logging...

Following the above steps is good, but having logging configurations in place that notify you when an event occurs (i.e. failed logon attempts/port scanning) AND *sending your logs off site* is invaluable; if someone gets in, they will probably delete the logs.

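The off-site logging and alerting Arcee describes, as an added example that is not code from this thread or from MikroTik: once the router forwards its log to a syslog host (on RouterOS that is a `/system logging action` with `target=remote` plus a `/system logging add ... action=remote` entry for the wanted topics), the lines can be parsed on that host, where an intruder who wipes the router's own log cannot reach them. The script below is constructed for this thread; its sample lines imitate the RouterOS `login failure for user ... from ... via ...` and `user ... logged in from ... via ...` messages using documentation addresses, and the year, failure threshold and time window are assumptions. It flags a burst of failures from one source, and separately flags a successful login from a source that still has failures in the window or that was flagged earlier, which is the case worth a page at 3 a.m.

```python
"""Flag brute-force and success-after-failure patterns in RouterOS login log
lines.  Added example, not MikroTik's code; the lines below are constructed in
the format RouterOS writes ('login failure for user X from A via S' and
'user X logged in from A via S') using documentation addresses, not real hosts."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = """\
jan/13 08:00:01 system,error,critical login failure for user admin from 203.0.113.5 via ssh
jan/13 08:00:02 system,error,critical login failure for user admin from 203.0.113.5 via ssh
jan/13 08:00:03 system,error,critical login failure for user root from 203.0.113.5 via ssh
jan/13 08:00:04 system,error,critical login failure for user admin from 203.0.113.5 via ssh
jan/13 08:00:05 system,error,critical login failure for user admin from 203.0.113.5 via ssh
jan/13 08:00:06 system,error,critical login failure for user admin from 203.0.113.5 via ssh
jan/13 08:05:00 system,info,account user netadmin logged in from 192.168.88.10 via winbox
jan/13 08:06:30 system,error,critical login failure for user netadmin from 192.168.88.10 via winbox
jan/13 08:06:40 system,info,account user netadmin logged in from 192.168.88.10 via winbox
jan/13 09:30:00 system,info,account user admin logged in from 203.0.113.5 via ssh
"""

LOGIN_RE = re.compile(
    r"^(?P<mon>[a-z]{3})/(?P<day>\d\d) (?P<time>\d\d:\d\d:\d\d) \S+ "
    r"(?:login failure for user (?P<failed>\S+)|user (?P<ok>\S+) logged in) "
    r"from (?P<src>[\d.]+) via (?P<svc>\w+)$")
MONTHS = {m: i for i, m in enumerate("jan feb mar apr may jun jul aug sep oct nov dec".split(), 1)}


def parse_ts(mon, day, time, year=2018):
    """RouterOS log lines carry no year; the caller supplies it (assumed 2018 here)."""
    h, m, s = (int(x) for x in time.split(":"))
    return datetime(year, MONTHS[mon], int(day), h, m, s)


def detect(log, threshold=5, window=timedelta(minutes=1)):
    """Return alert strings: a burst of `threshold` failures from one source inside
    `window`, and any successful login from a source with recent failures or one
    that was flagged as a brute-force source earlier in the log."""
    alerts, recent, flagged = [], defaultdict(list), set()
    for line in log.splitlines():
        m = LOGIN_RE.match(line)
        if not m:
            continue  # other log topics (dhcp, firewall, ...) are ignored here
        ts, src = parse_ts(m["mon"], m["day"], m["time"]), m["src"]
        recent[src] = [t for t in recent[src] if ts - t <= window]  # slide the window
        if m["failed"]:
            recent[src].append(ts)
            if len(recent[src]) == threshold:  # fire once per burst, not per extra failure
                flagged.add(src)
                alerts.append(f"brute-force: {threshold} failures from {src} via {m['svc']} "
                              f"within {int(window.total_seconds())}s (last user {m['failed']})")
        elif src in flagged or recent[src]:
            alerts.append(f"success-after-failures: {m['ok']} from {src} via {m['svc']} "
                          f"({len(recent[src])} failure(s) in window, brute-force source: {src in flagged})")
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The sample produces three alerts: the burst from 203.0.113.5, the operator typo on the LAN (one failure then a login, low severity but worth seeing), and the later login from the burst source, which the window alone would have missed if the source were not remembered. Feed it the syslog file instead of `SAMPLE_LOG` and tune `threshold` and `window` to the traffic you actually see.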

 
Cha0s
Forum Veteran
Posts: 890
Joined: Tue Oct 11, 2005 4:53 pm

Re: Securing your device is important

Sat Jan 13, 2018 5:21 pm

One step to improve RouterOS' security is to finally make IP > Services bind on specific IPs/Interfaces.

That way even if someone does not set up their firewall properly, those management services can be configured to not be available on the WAN.
It's much simpler for a novice user to set those services to bind only on LAN interfaces/IPs than set up a proper firewall.

Also it's helpful for core routers that do not (want to) use any firewall rules at all but still need to limit access to it.
Right now we can only limit the IP ranges that are allowed to connect to those services, but this doesn't reduce the attack surface much, and they can potentially give out information about the router.

Also, what's mikrotik's position on the Spectre and Meltdown CPU bugs that were announced recently?
Can we expect a kernel update for RouterOS for x86?
 
mt99
just joined
Posts: 24
Joined: Wed Jan 03, 2018 6:07 pm

Re: Securing your device is important

Sat Jan 13, 2018 8:59 pm

mt99, do you really expect that every owner of every MikroTik device would follow such a lengthy advise?

No, that's why you script it. I would never hand edit all that stuff, plus scripting eliminates the possibility of mistakes. I have a deployment script that I run on every router that has baseline security settings, plus other things like setting NTP and time zone, logging, and more. Here's a short example.

# initial deployment script built off of RouterOS 6.41
#
# remove the hashtags below this line after you've set your values

# set your time zone below
# /system clock
# set time-zone-autodetect=no time-zone-name=Country/City
/ip firewall filter
# ensure this is at the top of the rule list
add action=accept chain=input comment="allow admin access to router from authorized clients" dst-port=22222,8888,8291 in-interface-list=!WAN protocol=tcp
/ip service
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes
set api-ssl disabled=yes
set ssh port=22222
set www port=8888
# change the below to your admin network
# set winbox address=192.168.88.0/24
# set your preferred admin username below
# /user set 0 name=myuser
/ip cloud
set update-time=no
/ip neighbor discovery-settings
set discover-interface-list=!WAN
/ip ssh
set strong-crypto=yes
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
ErfanDL
Member Candidate
Posts: 274
Joined: Thu Sep 29, 2016 9:13 am
Location: IRAN

Re: Securing your device is important

Sat Jan 13, 2018 9:51 pm

Is mikrotik affected by Spectre and meltdown bugs?


 
andriys
Forum Guru
Posts: 1130
Joined: Thu Nov 24, 2011 1:59 pm
Location: Kharkiv, Ukraine

Re: Securing your device is important

Sun Jan 14, 2018 12:27 pm

Is mikrotik affected by Spectre and meltdown bugs?
To my understanding, RouterOS x86 and CHR are definitely affected, but since you cannot run your own binaries there they cannot be exploited (unless there are other vulnerabilities that allow one to execute arbitrary code on a router). ARM devices may also be affected, but the same "exploitability" considerations apply.

And taking into account the inevitable performance degradation, the necessity to apply Meltdown and Spectre patches to RouterOS is rather arguable.
 
Chupaka
Forum Guru
Posts: 8305
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: Securing your device is important

Mon Jan 15, 2018 10:03 am

- don't use the default admin user
But... why? :)
Russian-speaking forum: https://forum.mikrotik.by/. Welcome!

For every complex problem, there is a solution that is simple, neat, and wrong.

MikroTik. Your life. Your routing.
 
normis
MikroTik Support
Topic Author
Posts: 24127
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Securing your device is important

Mon Jan 15, 2018 10:30 am

- don't use the default admin user
But... why? :)

If you know the username, it is very easy to brute-force simple passwords. If you don't know the username, brute-force is basically out of the question.
 
Chupaka
Forum Guru
Posts: 8305
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: Securing your device is important

Mon Jan 15, 2018 10:39 am

If you know the username, it is very easy to brute-force simple passwords. If you don't know the username, brute-force is basically out of the question.

https://en.wikipedia.org/wiki/Security_ ... _obscurity :)

Is that advice still valid when you "use a strong password"?

Anyway, why not just rename the 'admin' user? That was actually the point...
Russian-speaking forum: https://forum.mikrotik.by/. Welcome!

For every complex problem, there is a solution that is simple, neat, and wrong.

MikroTik. Your life. Your routing.
 
normis
MikroTik Support
Topic Author
Posts: 24127
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Securing your device is important

Mon Jan 15, 2018 10:47 am

Renaming admin is the same as not using admin.
 
pe1chl
Forum Guru
Posts: 5694
Joined: Mon Jun 08, 2015 12:09 pm

Re: Securing your device is important

Mon Jan 15, 2018 11:38 am

If you know the username, it is very easy to brute-force simple passwords. If you don't know the username, brute-force is basically out of the question.

It merely squares the search space.
Anyway, the point is that users are hit that did not take basic security measures. It is useless to post advice, because those users do not read advice.
The only thing that helps is setting up a default configuration that is secure. As of now, the default firewall is much better than before
(because addition of a PPPoE interface does not open the device for world access anymore), but unfortunately the default is determined during
first powerup, so routers that are now in the stores often still get the old firewall even when they are upgraded immediately.
What is also still missing is a reasonable default password or security behaviour, i.e. an initial password that is more difficult to guess and/or
the obligation to change the password on the first login.
 
normis
MikroTik Support
Topic Author
Posts: 24127
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Securing your device is important

Mon Jan 15, 2018 12:11 pm

This post was mostly meant to clarify what happened. I realise that this forum is mostly used by security conscious people.
As far as default passwords go ... we will have to think about it. There are pros and cons. It's up for debate. You see there is already a default firewall, it got removed anyway.
 
eworm
Member
Posts: 376
Joined: Wed Oct 22, 2014 9:23 am
Location: Oberhausen, Germany

Re: Securing your device is important

Mon Jan 15, 2018 12:14 pm

Or even better: upload SSH public keys to the device:
[admin@mikrotik] > /user ssh-keys print
Flags: R - RSA, D - DSA
 #   USER   BITS KEY-OWNER
 0 R admin  2048 user@host
and keep always-allow-password-login set to no:
[admin@mikrotik] > /ip ssh set always-allow-password-login=no
Password login is no longer possible and a brute force attack can never succeed.

BTW, the RouterOS SSH server supports port forwarding. So if you want to manage a remote device via the web interface you can open the SSH service for WAN, but close HTTP/HTTPS. Then connect to SSH with port forwarding to port 80/443 enabled and use the web interface through the tunnel.
Manage RouterOS scripts and extend your devices' functionality: RouterOS Scripts
 
pe1chl
Forum Guru
Posts: 5694
Joined: Mon Jun 08, 2015 12:09 pm

Re: Securing your device is important

Mon Jan 15, 2018 12:27 pm

You see there is already a default firewall, it got removed anyway.

I think the typical scenario is:
- device is bought with pre-6.40 firmware and powered up
- it may or may not be updated to 6.40 or later, that does not matter anymore (when no reset to defaults is done afterward)
- firewall only drops everything new from ether1
- a PPPoE interface is added manually following some YouTube video directions, instead of by using Quick Set
- now the internet-facing interface is pppoe-in1 and it allows all input

This will not happen so easily anymore once devices are shipped with 6.40 or later. Or maybe when the update
procedure detects an all-defaults firewall and updates it to the current one when RouterOS is updated.

Another thing that could be considered is to auto-update to some reliable version (maybe a separate release channel is
to be created for that, which would not include new "risky" developments like 6.41 but could be more current than "bugfix")
where all devices are regularly updated by default (until the admin disables this behavior, when he doesn't desire it).

That will at least keep devices up to date in the hands of inexperienced people.
 
ivanfm
newbie
Posts: 46
Joined: Sun May 20, 2012 5:07 pm

Re: Securing your device is important

Sat Jan 20, 2018 11:54 am

/ip firewall filter
# ensure this is at the top of the rule list
add action=accept chain=input comment="allow admin access to router from authorized clients" dst-port=22222,8888,8291 in-interface-list=!WAN protocol=tcp

It would be very nice if MikroTik added to dst-address-type another option like "local-network" which would refer to all locally connected networks, like the "local" parameter but instead of using only the local address use the netmask. This rule can be changed and only whoever is connected to the local networks connected to the router will have access.
 
pe1chl
Forum Guru
Posts: 5694
Joined: Mon Jun 08, 2015 12:09 pm

Re: Securing your device is important

Sat Jan 20, 2018 12:15 pm

It would be very nice if MikroTik added to dst-address-type another option like "local-network" which would refer to all locally connected networks, like the "local" parameter but instead of using only the local address use the netmask.

That is just a different approach to what is already there. The current firewall uses interface lists to group interfaces in categories like WAN and LAN, and filters according to that.
Sometimes it uses "not" operators to make it more failsafe: e.g. using "!LAN" for cases where you would want to write "WAN" makes sure that a new WAN interface is properly handled even when it is not placed in the WAN interface list (because the admin does not know or does not care).
Filtering on address is just a different approach to that. You can do it when you like, but by default it filters on interface.
 
DanielJB
Frequent Visitor
Posts: 53
Joined: Mon May 27, 2013 3:05 pm

Re: Securing your device is important

Fri Mar 16, 2018 11:22 am

One of the first steps I take when deploying Mikrotik kit, is generating a local certificate, signing it locally and enabling HTTPS with it, disabling HTTP. This gives the same level of protection that SSH affords.

It would be a step forward if this was done at first boot. Clearly the chain of trust can't be validated (as with SSH), but it prevents a class of attacks.
 
pe1chl
Forum Guru
Posts: 5694
Joined: Mon Jun 08, 2015 12:09 pm

Re: Securing your device is important

Fri Mar 16, 2018 11:29 am

One of the first steps I take when deploying Mikrotik kit, is generating a local certificate, signing it locally and enabling HTTPS with it, disabling HTTP. This gives the same level of protection that SSH affords.
True, but that protection is absolutely zero. It only protects you against people sniffing the password, which is unlikely to be
the scenario of the attacks. The problem is keeping the default (empty) password or using an obvious password that can be
found by trying a small list of common passwords. The https is going to do absolutely nothing about that.

A better protection would be to use a certificate for SSH login instead of a password, but I don't think that is possible with
https right now.
 
DanielJB
Frequent Visitor
Posts: 53
Joined: Mon May 27, 2013 3:05 pm

Re: Securing your device is important

Fri Mar 16, 2018 11:45 am

One of the first steps I take when deploying Mikrotik kit, is generating a local certificate, signing it locally and enabling HTTPS with it, disabling HTTP. This gives the same level of protection that SSH affords.
True, but that protection is absolutely zero. It only protects you against people sniffing the password, which is unlikely to be
the scenario of the attacks. The problem is keeping the default (empty) password or using an obvious password that can be
found by trying a small list of common passwords. The https is going to do absolutely nothing about that.

A better protection would be to use a certificate for SSH login instead of a password, but I don't think that is possible with
https right now.

HTTPS by default rather than HTTP would be on the same basis as SSH being used rather than e.g. telnet.

This is orthogonal to, and in addition to, the obvious measure of having a unique default password as already suggested.
 
anav
Forum Guru
Posts: 2936
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Securing your device is important

Fri Mar 16, 2018 3:41 pm

pe1chl, I completely disagree with your logic.
I am a perfect example. I don't have any IT degrees or training.
I have used the basic consumer router many moons ago, the Netgear RT311 (made by ZyXEL), and then switched to ZyXEL ever since.
I have programmed their routers at a basic level and through work had to once deal with a CrISCO router as well, simply from good advice and reading tons and asking questions.

No one I know, and I mean no one, goes to their local store and buys MikroTik. It is not a consumer brand. I don't know a single person other than on the forums that owns one.
It is a niche market that attracts those running WISPs, or are comfortable in Linux, software, and are in the Ubiquiti, pfSense, Sophos-on-a-PC search for something cheaper than Fortigate or Juniper etc.....

Then there are home owners like me that like to dabble, may have some knowledge, and are willing to take the plunge. I read everything I can get my hands on.
mt99's post was bang on for someone like me, it makes sense, and is really a compilation of bits and pieces one can find on the net but in one spot.
Maybe it is different in your neck of the woods, so I will cut you some slack.
In summary, instead of dissing mt99's comments, you should have said it's not applicable where I live and leave it at that, because your statement is complete BS where I live (in North America).


ref: Daniel, nice suggestion. Right now I turned off everything except Winbox on the LAN. Changed my SSH port, everything else off. I have always resisted getting a cert for my router mainly due to the expense. However I recently came across some certs for a decent price and you have reminded me to revisit and perhaps take the plunge, if nothing else to become familiar with the process. [edit, found the link https://cheapsslsecurity.com/]

Normis, please tell MikroTik to raise their prices, like about 5-10$ should do it. We all want to see you move out of your car and into an apartment. Oh, and, where do I send a razor, that beard is out of control. ;-)
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
 
netflow
Frequent Visitor
Posts: 60
Joined: Sat Oct 01, 2016 3:53 pm

Re: Securing your device is important

Fri Mar 23, 2018 9:16 pm

If you are familiar with MikroTik RouterOS, it's a matter of 5-10 minutes to secure your router with the above recommendations.
Yes it is, but the problem is not the people who are familiar with RouterOS or security.
The problem is the users who buy a device, plug it in, look on YouTube for a movie made by another beginner on how to set up PPPoE, and stop doing anything once they can surf the web.
THAT is the category of users who now got hacked. It is useless to write about how to secure a router for those people; they won't read it and probably won't understand it.
To keep those people safe, the only thing that works is security by default and mandatory security, like a unique default password or a mandatory password change on first logon.

Those won't buy a MT device in the first place...
 
Nexon
just joined
Posts: 14
Joined: Tue Jan 31, 2006 9:38 am
Location: Serbia

Re: Securing your device is important

Thu Nov 22, 2018 12:37 pm

and keep always-allow-password-login set to no:
[admin@mikrotik] > /ip ssh set always-allow-password-login=no
Password login is no longer possible and a brute force attack can never succeed.

Regarding this, that is not actually the case.

Even with this option set to no (which is by the way already set by default), the SSH password will always work unless you upload an SSH public key; only then will it not work.
The only way to use an SSH key and the password is to set this option to yes.

Is it safe to have an SSH key and always-allow-password-login=yes?
 
eworm
Member
Posts: 376
Joined: Wed Oct 22, 2014 9:23 am
Location: Oberhausen, Germany

Re: Securing your device is important

Mon Dec 10, 2018 12:14 pm

and keep always-allow-password-login set to no:
[admin@mikrotik] > /ip ssh set always-allow-password-login=no
Password login is no longer possible and a brute force attack can never succeed.

Regarding this, that is not actually the case.

Even with this option set to no (which is by the way already set by default), the SSH password will always work unless you upload an SSH public key; only then will it not work.

That's true, but I did not state anything else. If you look at my post this should be clear. Please do not cite just half of important information.

The only way to use an SSH key and the password is to set this option to yes.

Is it safe to have an SSH key and always-allow-password-login=yes?

Well, it allows password login even if an SSH key is uploaded. It's up to you whether or not that meets your security requirements.
Manage RouterOS scripts and extend your devices' functionality: RouterOS Scripts
