normis
MikroTik Support
Topic Author
Posts: 26289
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Securing your device is important

Fri Jan 12, 2018 4:19 pm

It has come to our attention, that somebody has created a script that logs into unprotected devices and sets a password, along with a new identity name. This affects devices that have public IP addresses.

Most MikroTik devices have a firewall on the public interface - please remember that disabling your public firewall is not a good idea. If you have a good reason to open your device to the outside world, make sure you create a new user with a strong password and then disable your default admin user.

We have created a great article about the steps you need to take to protect a device that has a public IP address:
https://wiki.mikrotik.com/wiki/Manual:S ... our_Router

In short:
- don't use the default admin user
- use a strong password for your own user
- improve upon the default firewall rules, do not disable it
- turn off the services you don't use
- keep your device up to date
 
jaqsoo
Trainer
Posts: 1
Joined: Wed Jul 29, 2015 6:17 pm
Location: Costa Rica

Re: Securing your device is important

Fri Jan 12, 2018 5:06 pm

Thanks for this post. It is true, we have been receiving many inquiries during this past week regarding articles talking about a MikroTik security break, when it seems all of them have been related to insecure router setup. The steps suggested may seem obvious, but the truth is there are many, many devices out there without the minimum attention to security. Lets secure our routers and avoid bad reputation on MikroTik / RouterOS.
 
JimmyNyholm
Member Candidate
Posts: 248
Joined: Mon Apr 25, 2016 2:16 am
Location: Sweden

Re: Securing your device is important

Fri Jan 12, 2018 5:33 pm

Set networks for ALL services even if they are disabled.
Set networks for ALL users, with strong passwords.
Disable Mac Servers for interfaces that do not need it.
Disable IP Neighbour for interfaces that do not need it.
IF Deploying Romon consider segment key usage and have different hops for different stuff in your net.

Disable Packages that you do not need.

This is basic security.
 
pe1chl
Forum Guru
Posts: 10183
Joined: Mon Jun 08, 2015 12:09 pm

Re: Securing your device is important

Fri Jan 12, 2018 6:17 pm

Another improvement would be when devices are not shipped with empty admin password, but initially would have
some password that cannot be so easily guessed from outside. Even using the ether1 MAC address as initial password
would be better than nothing (as normally the MAC address is not visible to an attacker on internet).
Of course it is not optimal (an attacker on WiFi can see the MAC address of the WiFi and quite easily guess the ether1 MAC)
but it would be a change that does not require manufacturing changes. The MAC is already on the label and available
to the software.
Other manufacturers are already a step ahead and have an initial password that is printed on the label, and apparently
stored in some flash memory at manufacturing.
It would also be advisable to have a default auto-upgrade or at least an initial upgrade when the device first gets internet
connectivity. That would also be the moment when changes like the above would get incorporated into already manufactured
devices.
 
mt99
newbie
Posts: 43
Joined: Wed Jan 03, 2018 6:07 pm

Re: Securing your device is important

Sat Jan 13, 2018 7:38 am

I agree that Mikrotik should move toward unique default passwords, which many other manufacturers have done (usually some component of the MAC address). But at least so far, it seems like these defacements have been happening in instances where the router's administrative services were available from the Internet and no password was set. Admins who open the firewall need to understand the ramifications of what they're doing. To help keep your router secure from the Internet, here's what I recommend from most to least important:

1. Ensure that your administrative services aren't available on the WAN interface. By default the firewall will prevent this of course. But maybe people either disabled that to get something working and never turned it back on, or forgot to turn it back on, or didn't realize that Mikrotik devices have an implicit allow at the end of the firewall ruleset. Doing something like the following and moving it to the top of the ruleset would help, assuming you run SSH, HTTP, and Winbox on the default ports with your WAN interface in the WAN interface list:

/ip firewall filter add action=drop chain=input comment="no admin access to router from WAN" dst-port=22,80,8291 in-interface-list=WAN protocol=tcp

2. Change the admin user name to something else, and set a strong password.

3. In IP > Services, disable unused services and minimally set custom ports for SSH and HTTP as in the following example:

/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh port=22222
set api disabled=yes
set www port=8888

Of course, when setting custom ports ensure that they aren't available from the Internet as in step 1.

4. Back to IP > Services: disable unencrypted services (telnet, HTTP, FTP, api) and use encrypted services like SSH and Winbox. If you need a web interface, set up a CA and issue yourself a cert that can be used for HTTPS (custom port for that too). For enabled admin services, I would also consider setting an appropriate network that is allowed as in the following example: /ip service set winbox address=192.168.88.0/24.

5. Disable the Btest server - it listens on the WAN interface: /tool bandwidth-server set enabled=no

6. In IP > Neighbors, ensure that discovery is not available on your WAN interface at a minimum.

/ip neighbor discovery-settings
set discover-interface-list=!WAN

7. In Tools > MAC Server, ensure that only your LAN interfaces are available. I'm less concerned about this from the Internet since it's layer 2.

/tool mac-server set allowed-interface-list=LAN
/tool mac-server mac-winbox set allowed-interface-list=LAN

8. Enable strong ciphers on the SSH server, which is command line only: /ip ssh set strong-crypto=yes
This should be the default, and there should instead be a command-line option to disable weak ciphers.

There's a lot more you can do (disable unused accounts, remove unused packages, etc.), but this list is basically the minimum I'd recommend to protect the router from the Internet. Right now, go to Shodan.io and search for your public IP (you don't even need a login to do this). You might be surprised what you find there...
Last edited by mt99 on Sat Jan 13, 2018 8:50 pm, edited 1 time in total.
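mt99's list can be checked mechanically against a device's /export output rather than by eye. The script below is an added example written for this page, not mt99's deployment script and not a MikroTik tool: it parses the plain add/set key=value lines of a RouterOS 6.x export (the sample export it ships with is constructed) and reports which of steps 1 and 3 to 8 the export does not reflect. Step 2 (the admin user name) is not checked, since the script only inspects export lines. The WAN drop rule is accepted with either in-interface-list=WAN or !LAN, and it has to list the ports the services actually run on, which is exactly the step 3 caveat.

```python
"""Audit the text of a RouterOS '/export' against the checklist above.
Added example, not MikroTik's or mt99's code. SAMPLE_EXPORT is constructed;
pass the output of a real '/export' to audit_export() to check a device.
"""
import re
from typing import Dict, List

KV_RE = re.compile(r'(\S+?)=("[^"]*"|\S+)')

# Constructed sample: most of the list applied, but the WAN drop rule still
# names the default ports (the step 3 caveat) and strong-crypto was never set.
SAMPLE_EXPORT = """\
/ip firewall filter
add action=drop chain=input comment="no admin access to router from WAN" dst-port=22,80,8291 in-interface-list=WAN protocol=tcp
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh port=22222
set api disabled=yes
set www port=8888
set winbox address=192.168.88.0/24
/ip neighbor discovery-settings
set discover-interface-list=!WAN
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
"""


def parse_export(text: str) -> Dict[str, List[dict]]:
    """Map each '/section' path to its add/set lines as key=value dicts
    ('_cmd' always set, '_item' for 'set <item> ...'); plain 6.x form only."""
    sections: Dict[str, List[dict]] = {}
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            section = line
            continue
        cmd, _, rest = line.partition(" ")
        entry = {"_cmd": cmd}
        if cmd == "set":
            first, _, tail = rest.partition(" ")
            if "=" not in first:          # 'set telnet disabled=yes' names an item,
                entry["_item"] = first    # 'set enabled=no' does not
                rest = tail
        for key, value in KV_RE.findall(rest):
            entry[key] = value.strip('"')
        sections.setdefault(section, []).append(entry)
    return sections


def _service(s: Dict[str, List[dict]], name: str) -> dict:
    return next((e for e in s.get("/ip service", []) if e.get("_item") == name), {})


def _has(s: Dict[str, List[dict]], path: str, key: str, *accepted: str) -> bool:
    return any(e.get(key) in accepted for e in s.get(path, []))


def audit_export(text: str) -> List[str]:
    """Return the checklist items the export does not satisfy (empty = clean)."""
    s = parse_export(text)
    findings: List[str] = []
    # Step 1 plus the step 3 caveat: the WAN drop must cover the ports in use.
    ssh_port = _service(s, "ssh").get("port", "22")
    www_port = _service(s, "www").get("port", "80")
    admin_ports = {ssh_port, www_port, "8291"}
    covered = any(
        e.get("chain") == "input" and e.get("action") == "drop"
        and e.get("protocol") == "tcp"
        and e.get("in-interface-list") in ("WAN", "!LAN")
        and admin_ports <= set(e.get("dst-port", "").split(","))
        for e in s.get("/ip firewall filter", []))
    if not covered:
        findings.append("no input drop rule from WAN covering admin ports "
                        + ",".join(sorted(admin_ports)))
    # Steps 3 and 4: plaintext services off, the rest moved and scoped.
    for name in ("telnet", "ftp", "api"):
        if _service(s, name).get("disabled") != "yes":
            findings.append(f"/ip service {name} is not disabled")
    for name, port, default in (("ssh", ssh_port, "22"), ("www", www_port, "80")):
        if port == default:
            findings.append(f"{name} still on default port {default}")
    if "address" not in _service(s, "winbox"):
        findings.append("winbox is not restricted to an admin network")
    # Steps 5 to 8.
    if not _has(s, "/tool bandwidth-server", "enabled", "no"):
        findings.append("bandwidth-server is not disabled")
    if not _has(s, "/ip neighbor discovery-settings", "discover-interface-list", "!WAN", "LAN"):
        findings.append("neighbor discovery is not limited to non-WAN interfaces")
    for path in ("/tool mac-server", "/tool mac-server mac-winbox"):
        if not _has(s, path, "allowed-interface-list", "LAN"):
            findings.append(f"{path} is not limited to LAN")
    if not _has(s, "/ip ssh", "strong-crypto", "yes"):
        findings.append("/ip ssh strong-crypto is not enabled")
    return findings
```

Run against the constructed export it reports two findings: the drop rule still names 22 and 80 although SSH and HTTP were moved to 22222 and 8888, and strong-crypto is unset. An untouched device (an empty export) fails every check.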
 
pe1chl
Forum Guru
Posts: 10183
Joined: Mon Jun 08, 2015 12:09 pm

Re: Securing your device is important

Sat Jan 13, 2018 12:23 pm

mt99, do you really expect that every owner of every MikroTik device would follow such lengthy advice?
Really, the only thing that can be done is using good default settings. Then some people might improve or customize them,
and those that do not know or do not care are not left vulnerable.
 
AlainCasault
Trainer
Posts: 632
Joined: Fri Apr 30, 2010 3:25 pm
Location: Prévost, QC, Canada

Re: Securing your device is important

Sat Jan 13, 2018 12:29 pm

mt99, do you really expect that every owner of every MikroTik device would follow such lengthy advice?
Really, the only thing that can be done is using good default settings. Then some people might improve or customize them,
and those that do not know or do not care are not left vulnerable.
What's wrong with it? Have you even read O'Reilly's book on securing Cisco routers? So why should we care less for MikroTik routers???

mt99 +1 :)

Sent from Tapatalk

 
pe1chl
Forum Guru
Posts: 10183
Joined: Mon Jun 08, 2015 12:09 pm

Re: Securing your device is important

Sat Jan 13, 2018 1:11 pm

I will assure you that not everyone who buys a MikroTik device will buy and read an O'Reilly book on securing Cisco routers with it!

That is why manufacturers, especially of devices that are also used by home customers, need to sell things that are secure by default.
The firewall is now better than it was before, but of course that only applies to devices that have 6.40 or later firmware and are reset to defaults.
This week I bought a hAP AC, also a device that is sold to home customers, and it came with 6.39.2 so after I upgrade it to 6.41 I still
needed to do a reset to defaults to get the new firewall config.
AND, it still comes with admin-with-no-password and WiFi-with-no-security. These all have to be setup by the customer and there
is NO warning in the user interface that this should be done (I think it is in the leaflet but it has very small grey print that is hard to read).
Other manufacturers are way ahead in this aspect, with unique default admin passwords and unique WPA2 passwords on WiFi for
every device as it comes out of the box. Or prompting to set a password the moment the first logon is done.
 
freemannnn
Forum Veteran
Posts: 700
Joined: Sun Oct 13, 2013 7:29 pm

Re: Securing your device is important

Sat Jan 13, 2018 1:38 pm

If you are familiar with MikroTik RouterOS it's a matter of 5-10 mins to secure your router with the above recommendations. Nice guide, thanx
 
pe1chl
Forum Guru
Posts: 10183
Joined: Mon Jun 08, 2015 12:09 pm

Re: Securing your device is important

Sat Jan 13, 2018 2:04 pm

If you are familiar with MikroTik RouterOS it's a matter of 5-10 mins to secure your router with the above recommendations.
yes it is, but the problem is not the people who are familiar with RouterOS or security.
the problem is the users who buy a device, plug it in, look on youtube for a movie made by another beginner on how to setup PPPoE, and stop doing anything once they can surf the web.
THAT is the category of users who now got hacked. it is useless to write about how to secure a router for those people, they won't read it and probably won't understand it.
to keep those people safe, the only thing that works is security by default and mandatory security, like unique default password or mandatory password change on first logon.
 
Arcee
Member Candidate
Posts: 272
Joined: Fri Jun 27, 2014 2:33 pm

Re: Securing your device is important

Sat Jan 13, 2018 2:07 pm

Then there is logging...

Following the above steps is good, but having logging configurations in place that notify you when an event occurs (i.e. failed logon attempts/port scanning) AND *sending your logs off site* is invaluable; if someone gets in, they will probably delete the logs.

Sent from my Pixel 2 using Tapatalk
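One way to act on the failed-logon events Arcee mentions once the logs have been shipped off the router: the detector below is an added example, not MikroTik's code and not a RouterOS feature. RouterOS logs a failed login as "login failure for user <name> from <ip> via <service>"; the ISO timestamp and host name in front of that message are a constructed collector format, and the sample lines are constructed as well. It keeps a sliding ten-minute window per source address and reports sources that exceed a threshold of failures, together with the user names and services they tried.

```python
"""Flag brute-force login attempts in RouterOS log lines shipped to a syslog host.

Added example, not MikroTik's code. RouterOS logs a failed login as
'login failure for user <name> from <ip> via <service>'; the ISO timestamp and
host name in front of it here are the constructed format of a log collector.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

LOGIN_FAILURE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<topics>\S+) "
    r"login failure for user (?P<user>\S+) from (?P<src>\S+) via (?P<svc>\S+)$")

# Constructed sample: one source hammering ssh and winbox with guessed user
# names, and an operator who mistyped a password twice half an hour apart.
SAMPLE_LOG = """\
2018-01-13T12:00:01 router1 system,error,critical login failure for user admin from 203.0.113.5 via ssh
2018-01-13T12:00:03 router1 system,error,critical login failure for user admin from 203.0.113.5 via ssh
2018-01-13T12:00:04 router1 system,error,critical login failure for user root from 203.0.113.5 via ssh
2018-01-13T12:00:06 router1 system,error,critical login failure for user admin from 203.0.113.5 via winbox
2018-01-13T12:00:09 router1 system,error,critical login failure for user admin from 203.0.113.5 via winbox
2018-01-13T12:01:30 router1 system,error,critical login failure for user admin from 203.0.113.5 via ssh
2018-01-13T12:02:00 router1 system,error,critical login failure for user netops from 198.51.100.7 via winbox
2018-01-13T12:02:10 router1 system,info,account user netops logged in from 198.51.100.7 via winbox
2018-01-13T12:30:00 router1 system,error,critical login failure for user netops from 198.51.100.7 via winbox
""".splitlines()


def parse_failures(lines) -> List[Tuple[datetime, str, str, str]]:
    """Extract (time, source ip, user, service) from failure lines, oldest first."""
    events = []
    for line in lines:
        m = LOGIN_FAILURE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["src"], m["user"], m["svc"]))
    return sorted(events)


def detect_bruteforce(lines, threshold: int = 5,
                      window: timedelta = timedelta(minutes=10)) -> Dict[str, dict]:
    """Per-source alert details for sources with >= threshold failures inside window.

    A sliding window per source IP keeps only the recent failures, so a slow
    trickle of typos does not alert while a burst does.
    """
    recent: Dict[str, deque] = defaultdict(deque)
    users: Dict[str, set] = defaultdict(set)
    services: Dict[str, set] = defaultdict(set)
    alerts: Dict[str, dict] = {}
    for ts, src, user, svc in parse_failures(lines):
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window:      # drop failures older than the window
            q.popleft()
        users[src].add(user)
        services[src].add(svc)
        if len(q) >= threshold:
            alerts[src] = {"count": len(q), "first": q[0], "last": ts,
                           "users": sorted(users[src]), "services": sorted(services[src])}
    return alerts


if __name__ == "__main__":
    for src, a in detect_bruteforce(SAMPLE_LOG).items():
        print(f"ALERT {src}: {a['count']} failures {a['first']}..{a['last']} "
              f"users={a['users']} via {a['services']}")
```

On the sample the burst from 203.0.113.5 is reported with both user names and both services, while the two mistakes from 198.51.100.7 thirty minutes apart never reach the threshold. The threshold and window are the knobs to tune against the real login rate of the operators who are allowed in.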

 
Cha0s
Forum Guru
Posts: 1135
Joined: Tue Oct 11, 2005 4:53 pm

Re: Securing your device is important

Sat Jan 13, 2018 5:21 pm

One step to improve RouterOS' security is to finally make IP > Services bind on specific IPs/Interfaces.

That way even if someone does not set up their firewall properly, those management services can be configured to not be available on the WAN.
It's much simpler for a novice user to set those services to bind only on LAN interfaces/IPs than set up a proper firewall.

Also it's helpful for core routers that do not (want to) use any firewall rules at all but still need to limit access to it.
Right now we can only limit the IP ranges that are allowed to connect to those services, but this doesn't reduce the attack surface much, and they can potentially give out information about the router.

Also, what's mikrotik's position on the Spectre and Meltdown CPU bugs that were announced recently?
Can we expect a kernel update for RouterOS for x86?
 
mt99
newbie
Posts: 43
Joined: Wed Jan 03, 2018 6:07 pm

Re: Securing your device is important

Sat Jan 13, 2018 8:59 pm

mt99, do you really expect that every owner of every MikroTik device would follow such a lengthy advise?

No, that's why you script it. I would never hand edit all that stuff, plus scripting eliminates the possibility of mistakes. I have a deployment script that I run on every router that has baseline security settings, plus other things like setting NTP and time zone, logging, and more. Here's a short example.

# initial deployment script built off of RouterOS 6.41
#
# remove the hashtags below this line after you've set your values

# set your time zone below
# /system clock
# set time-zone-autodetect=no time-zone-name=Country/City
/ip firewall filter
# ensure this is at the top of the rule list
add action=accept chain=input comment="allow admin access to router from authorized clients" dst-port=22222,8888,8291 in-interface-list=!WAN protocol=tcp
/ip service
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes
set api-ssl disabled=yes
set ssh port=22222
set www port=8888
# change the below to your admin network
# set winbox address=192.168.88.0/24
# set your preferred admin username below
# /user set 0 name=myuser
/ip cloud
set update-time=no
/ip neighbor discovery-settings
set discover-interface-list=!WAN
/ip ssh
set strong-crypto=yes
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
ErfanDL
Member
Posts: 366
Joined: Thu Sep 29, 2016 9:13 am

Re: Securing your device is important

Sat Jan 13, 2018 9:51 pm

Is mikrotik affected by Spectre and meltdown bugs?

Sent from my C6833 using Tapatalk

 
andriys
Forum Guru
Posts: 1526
Joined: Thu Nov 24, 2011 1:59 pm
Location: Kharkiv, Ukraine

Re: Securing your device is important

Sun Jan 14, 2018 12:27 pm

Is mikrotik affected by Spectre and meltdown bugs?
To my understanding, RouterOS x86 and CHR are definitely affected, but since you cannot run your own binaries there they cannot be exploited (unless there are other vulnerabilities that allow one to execute arbitrary code on a router). ARM devices may also be affected, but the same "exploitability" considerations apply.

And taking into account the inevitable performance degradation, the necessity to apply Meltdown and Spectre patches to RouterOS is rather arguable.
 
Chupaka
Forum Guru
Posts: 8709
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: Securing your device is important

Mon Jan 15, 2018 10:03 am

- don't use the default admin user
But... why? :)
 
normis
MikroTik Support
Topic Author
Posts: 26289
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Securing your device is important

Mon Jan 15, 2018 10:30 am

- don't use the default admin user
But... why? :)
if you know the username, it is very easy to brute-force simple passwords. if you don't know the username, brute-force is basically out of the question.
 
Chupaka
Forum Guru
Posts: 8709
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: Securing your device is important

Mon Jan 15, 2018 10:39 am

if you know the username, it is very easy to brute-force simple passwords. if you don't know the username, brute-force is basically out of the question.
https://en.wikipedia.org/wiki/Security_ ... _obscurity :)

Is that advice actual when you "use a strong password"?

Anyway, why not just rename 'admin' user? That was actually the point...
 
normis
MikroTik Support
Topic Author
Posts: 26289
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Securing your device is important

Mon Jan 15, 2018 10:47 am

Renaming admin is the same as not using admin.
 
pe1chl
Forum Guru
Posts: 10183
Joined: Mon Jun 08, 2015 12:09 pm

Re: Securing your device is important

Mon Jan 15, 2018 11:38 am

if you know the username, it is very easy to brute-force simple passwords. if you don't know the username, brute-force is basically out of the question.
It merely squares the search space.
Anyway, the point is that users are hit that did not take basic security measures. It is useless to post advice, because those users do not read advice.
The only thing that helps is setting up a default configuration that is secure. As of now, the default firewall is much better than before
(because addition of a PPPoE interface does not open the device for world access anymore), but unfortunately the default is determined during
first powerup so routers that are now in the stores often still get the old firewall even when they are upgraded immediately.
What is also still missing is a reasonable default password or security behaviour. I.e. an initial password that is more difficult to guess and/or
the obligation to change the password on the first login.
 
normis
MikroTik Support
Topic Author
Posts: 26289
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Securing your device is important

Mon Jan 15, 2018 12:11 pm

This post was mostly meant to clarify what happened. I realise that this forum is mostly used by security conscious people.
As far as default passwords go ... we will have to think about it. There are pros and cons. It's up for debate. You see there is already a default firewall, it got removed anyway.
 
eworm
Forum Guru
Posts: 1070
Joined: Wed Oct 22, 2014 9:23 am
Location: Oberhausen, Germany

Re: Securing your device is important

Mon Jan 15, 2018 12:14 pm

Or even better: Upload ssh public keys to the device
[admin@mikrotik] > /user ssh-keys print
Flags: R - RSA, D - DSA
 #   USER    BITS KEY-OWNER
 0 R admin   2048 user@host
and keep always-allow-password-login set to no:
[admin@mikrotik] > /ip ssh set always-allow-password-login=no
Password login is no longer possible and a brute force attack can never succeed.

BTW, the RouterOS ssh server supports port forwarding. So if you want to manage a remote device via the web interface you can open the ssh service for WAN, but close http/https. Then connect to ssh with port forwarding to port 80/443 enabled and use the web interface through the tunnel.
 
pe1chl
Forum Guru
Posts: 10183
Joined: Mon Jun 08, 2015 12:09 pm

Re: Securing your device is important

Mon Jan 15, 2018 12:27 pm

You see there is already a default firewall, it got removed anyway.
I think the typical scenario is:
- device is bought with pre-6.40 firmware and powered up
- it may or may not be updated to 6.40 or later, that does not matter anymore (when no reset to defaults is done afterward)
- firewall only drops everything new from ether1
- a PPPoE interface is added manually following some youtube video directions, instead of by using Quick Set.
- now the internet-facing interface is pppoe-in1 and it allows all input

This will not happen so easily anymore once devices are shipped with 6.40 or later. Or maybe when the update
procedure detects an all-defaults firewall and updates it to the current one when RouterOS is updated.

Another thing that could be considered is to auto-update to some reliable version (maybe a separate release channel is
to be created for that, which would not include new "risky" developments like 6.41 but could be more current than "bugfix")
where all devices are regularly updated by default (until the admin disables this behavior, when he doesn't desire it).

That will at least keep devices up to date in the hands of inexperienced people.
 
ivanfm
newbie
Posts: 48
Joined: Sun May 20, 2012 5:07 pm

Re: Securing your device is important

Sat Jan 20, 2018 11:54 am

/ip firewall filter
# ensure this is at the top of the rule list
add action=accept chain=input comment="allow admin access to router from authorized clients" dst-port=22222,8888,8291 in-interface-list=!WAN protocol=tcp
It would be very nice if MikroTik added another option to dst-address-type, like "local-network", which would refer to all locally connected networks: like the "local" parameter, but using the netmask instead of only the local address. This rule could then be changed so that only who is connected to the local networks attached to the router will have access.
 
pe1chl
Forum Guru
Posts: 10183
Joined: Mon Jun 08, 2015 12:09 pm

Re: Securing your device is important

Sat Jan 20, 2018 12:15 pm

It would be very nice if MikroTik added another option to dst-address-type, like "local-network", which would refer to all locally connected networks: like the "local" parameter, but using the netmask instead of only the local address.
That is just a different approach to what is already there. The current firewall uses interface lists to group interfaces in categories like WAN and LAN, and filters according to that.
Sometimes it uses "not" operators to make it more failsafe: e.g. using "!LAN" for cases where you would want to write "WAN" makes sure that a new WAN interface is properly handled even when it is not placed in the WAN interface list (because the admin does not know or does not care).
Filtering on address is just a different approach for that. You can do it when you like, but by default it filters on interface.
 
DanielJB
Frequent Visitor
Posts: 82
Joined: Mon May 27, 2013 3:05 pm

Re: Securing your device is important

Fri Mar 16, 2018 11:22 am

One of the first steps I take when deploying Mikrotik kit, is generating a local certificate, signing it locally and enabling HTTPS with it, disabling HTTP. This gives the same level of protection that SSH affords.

It would be a step forward if this was done at first boot. Clearly the chain of trust can't be validated (as with SSH), but it prevents a class of attacks.
 
pe1chl
Forum Guru
Posts: 10183
Joined: Mon Jun 08, 2015 12:09 pm

Re: Securing your device is important

Fri Mar 16, 2018 11:29 am

One of the first steps I take when deploying Mikrotik kit, is generating a local certificate, signing it locally and enabling HTTPS with it, disabling HTTP. This gives the same level of protection that SSH affords.
True, but that protection is absolutely zero. It only protects you against people sniffing the password, which is unlikely to be
the scenario of the attacks. The problem is keeping the default (empty) password or using an obvious password that can be
found by trying a small list of common passwords. The https is going to do absolutely nothing about that.

A better protection would be to use a certificate for SSH login instead of a password, but I don't think that is possible with
https right now.
 
DanielJB
Frequent Visitor
Posts: 82
Joined: Mon May 27, 2013 3:05 pm

Re: Securing your device is important

Fri Mar 16, 2018 11:45 am

One of the first steps I take when deploying Mikrotik kit, is generating a local certificate, signing it locally and enabling HTTPS with it, disabling HTTP. This gives the same level of protection that SSH affords.
True, but that protection is absolutely zero. It only protects you against people sniffing the password, which is unlikely to be
the scenario of the attacks. The problem is keeping the default (empty) password or using an obvious password that can be
found by trying a small list of common passwords. The https is going to do absolutely nothing about that.

A better protection would be to use a certificate for SSH login instead of a password, but I don't think that is possible with
https right now.
HTTPS per default rather than HTTP would be on the same basis SSH is used rather than eg telnet.

This is in orthogonal and in addition to the obvious of having a unique default password as already suggested.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Securing your device is important

Fri Mar 16, 2018 3:41 pm

pe1chl, I completely disagree with your logic.
I am a perfect example. I don't have any IT degrees or training.
I have used the basic consumer router many moons ago, the Netgear RT311 (made by Zyxel), and then switched to Zyxel ever since.
I have programmed their routers at a basic level and through work had to once deal with a CrISCO router as well, simply from good advice and reading tons and asking questions.

No one I know, and I mean no one, goes to their local store and buys MikroTik. It is not a consumer brand. I don't know a single person other than on the forums that owns one.
It is a niche market that attracts those running WISPs, or are comfortable in Linux, software, and are in the Ubiquiti, pfSense, Sophos-on-a-PC search for something cheaper than Fortigate or Juniper etc.....

Then there are home owners like me that like to dabble, may have some knowledge, and are willing to take the plunge. I read everything I can get my hands on.
mt99's post was bang on for someone like me, it makes sense, and is really a compilation of bits and pieces one can find on the net but in one spot.
Maybe it is different in your neck of the woods, so I will cut you some slack.
In summary, instead of dissing mt99's comments, you should have said "it's not applicable where I live" and left it at that, because your statement is complete BS where I live (in North America).


ref: Daniel, nice suggestion. Right now I turned off everything except WinBox on the LAN. Changed my SSH port, everything else off. I have always resisted getting a cert for my router mainly due to the expense. However I recently came across some certs for a decent price and you have reminded me to revisit and perhaps take the plunge, if nothing else to become familiar with the process. [edit, found the link https://cheapsslsecurity.com/]

Normis, please tell Mikrotik to raise their prices, like about 5-10$ should do it. We all want to see you move out of your car and into an apartment. Oh, and, where do I send a razor, that beard is out of control. ;-)
 
netflow
Frequent Visitor
Posts: 94
Joined: Sat Oct 01, 2016 3:53 pm

Re: Securing your device is important

Fri Mar 23, 2018 9:16 pm

If you are familiar with MikroTik RouterOS it's a matter of 5-10 mins to secure your router with the above recommendations.
yes it is, but the problem is not the people who are familiar with RouterOS or security.
the problem is the users who buy a device, plug it in, look on youtube for a movie made by another beginner on how to setup PPPoE, and stop doing anything once they can surf the web.
THAT is the category of users who now got hacked. it is useless to write about how to secure a router for those people, they won't read it and probably won't understand it.
to keep those people safe, the only thing that works is security by default and mandatory security, like unique default password or mandatory password change on first logon.
Those won't buy a MT device in the first place...
 
Nexon
newbie
Posts: 27
Joined: Tue Jan 31, 2006 9:38 am
Location: Serbia

Re: Securing your device is important

Thu Nov 22, 2018 12:37 pm

and keep always-allow-password-login set to no:
[admin@mikrotik] > /ip ssh set always-allow-password-login=no
Password login is no longer possible and a brute force attack can never succeed.

Regarding this, that is not actually the case.

Even with this option set to no (which is by the way already set by default), the SSH password will always work unless you put the SSH public key there; only then will it not work.
The only way to use SSH key and the password, is to set this option to yes.

Is it safe, to have SSH key and always-allow-password-login=yes?
 
eworm
Forum Guru
Posts: 1070
Joined: Wed Oct 22, 2014 9:23 am
Location: Oberhausen, Germany

Re: Securing your device is important

Mon Dec 10, 2018 12:14 pm

and keep always-allow-password-login set to no:
[admin@mikrotik] > /ip ssh set always-allow-password-login=no
Password login is no longer possible and a brute force attack can never succeed.
Regarding this, that is not actually the case.

Even with this option set to no (which is by the way already set by default), the SSH password will always work unless you put the SSH public key there; only then will it not work.
That's true, but I did not state anything else. If you look at my post this should be clear. Please do not cite just half of important information.
The only way to use SSH key and the password, is to set this option to yes.

Is it safe, to have SSH key and always-allow-password-login=yes?
Well, it allows password login even if an SSH key is uploaded. It's up to you whether or not that meets your security requirements.
 
Etz
Member Candidate
Posts: 178
Joined: Thu Mar 27, 2014 10:09 am
Location: Estonia

Re: Securing your device is important

Sat Oct 05, 2019 2:33 pm

There seems to be a mistake in the IPv6 section (wrong prefix length):
add chain=input action=accept protocol=udp dst-port=546 src-address=fe80::/16 comment="accept DHCPv6-Client prefix delegation."
Should probably be:
add chain=input action=accept protocol=udp dst-port=546 src-address=fe80::/10 comment="accept DHCPv6-Client prefix delegation."
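Why the prefix length matters, as an added example in Python (not from the page and not from MikroTik): RFC 4291 defines link-local unicast as fe80::/10, so every address from fe80:: up to febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff is link-local, and a rule written with src-address=fe80::/16 covers only one sixty-fourth of that range. It usually goes unnoticed because auto-configured link-local addresses (RFC 4862) sit in fe80::/64, but nothing stops a peer from using the rest. The helper uses the standard ipaddress module; missed_by lists the link-local sub-ranges a given prefix fails to cover.

```python
"""Check an IPv6 firewall src-address prefix against the link-local range.

Added example, not from the page or MikroTik. RFC 4291 assigns link-local
unicast the prefix fe80::/10; RFC 4862 auto-configured addresses use the
narrower fe80::/64, which is why a /16 in a rule usually goes unnoticed.
"""
from ipaddress import IPv6Address, IPv6Network
from typing import List

LINK_LOCAL = IPv6Network("fe80::/10")


def matches(prefix: str, src: str) -> bool:
    """Would a rule with src-address=<prefix> match a packet from src?"""
    return IPv6Address(src) in IPv6Network(prefix)


def is_link_local(src: str) -> bool:
    """Is src inside fe80::/10 (the stdlib applies the RFC 4291 definition)?"""
    return IPv6Address(src).is_link_local


def missed_by(prefix: str) -> List[IPv6Network]:
    """Link-local sub-ranges that src-address=<prefix> does not cover."""
    rule = IPv6Network(prefix)
    if LINK_LOCAL.subnet_of(rule):        # rule is at least as wide as fe80::/10
        return []
    if not rule.subnet_of(LINK_LOCAL):    # CIDR blocks nest or are disjoint
        return [LINK_LOCAL]
    return list(LINK_LOCAL.address_exclude(rule))


if __name__ == "__main__":
    for prefix in ("fe80::/16", "fe80::/10"):
        gaps = missed_by(prefix)
        print(f"src-address={prefix}: {len(gaps)} uncovered link-local range(s)",
              ", ".join(map(str, gaps)))
```

With fe80::/16 the uncovered part splits into six CIDR blocks (fe81::/16 up to fea0::/11); with fe80::/10 nothing is left out.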
 
greebo
just joined
Posts: 10
Joined: Wed Jul 24, 2013 4:01 pm

Re: Securing your device is important

Tue Jun 01, 2021 1:29 pm

"to have SSH key and always-allow-password-login=yes?"

Well, it allows password login even if an SSH key is uploaded. It's up to you whether or not that meets your security requirements.
So I need to set some random password for those SSH users that I want ONLY SSH key login for, so that they won't get into other services (winbox, telnet, ..) without a password?
 
PavelRadvan
just joined
Posts: 10
Joined: Sat Nov 13, 2010 2:49 am
Location: Prague, Czech Republic

Re: Securing your device is important

Sat Jun 26, 2021 9:41 am

If you are familiar with mikrotik ros its a matter of 5-10 mins to secure your router with the above recommendations.
yes it is, but the problem is not the people who are familiar with RouterOS or security.
the problem is the users who buy a device, plug it in, look on youtube for a movie made by another beginner on how to setup PPPoE, and stop doing anything once they can surf the web.
THAT is the category of users who now got hacked. it is useless to write about how to secure a router for those people, they won't read it and probably won't understand it.
to keep those people safe, the only thing that works is security by default and mandatory security, like unique default password or mandatory password change on first logon.
Hi,
maybe it is better to disable the default settings and remove Quick Set. RouterOS and MikroTik HW should be configured by a technical specialist and not by consumers who do not understand security. These end users want something that is "click" and "click"... for this they could buy other products, but not MikroTik.
In the current world more people than before know that security is important.
I personally hate that in MikroTik there is Quick Set to set some default settings, and it is possible by clicking to set "something" that the end user does not understand.
I always reset the default configuration to have "no configuration" when I am preparing a device for my customers.
When there is no Quick Set and no default config - simply nothing - it will not do anything unless you know how to set it up.
For this reason it is usually good for people who do not know how to set it up to find somebody who can set it up.
I understand that MikroTik wants to sell to everybody, but do you really want to be some horrible technology like very cheap units from TP-Link, Ubiquiti or others?
Better is to have some option that everybody who buys a MikroTik device has to contact some specialist to set it up for him - it will make business good for all of us who are technical specialists and know about it.
I think there could be some list of specialists (not only certified) and the customer could get some advantage with a newly purchased device which will motivate him or really press him to contact somebody.
There could be some form of discount on the first setup from a specialist or other promo - I think it is a good theme for the MikroTik marketing department.
From my point of view I still see MikroTik devices as something more than a cheap router from an online shop and something that should be set up by a technical specialist.
What do you think of this?
 
DarkNate
Forum Veteran
Posts: 997
Joined: Fri Jun 26, 2020 4:37 pm

Re: Securing your device is important

Sat Jun 26, 2021 10:12 am

If you are familiar with MikroTik RouterOS it's a matter of 5-10 minutes to secure your router with the above recommendations.
Yes it is, but the problem is not the people who are familiar with RouterOS or security.
The problem is the users who buy a device, plug it in, look on YouTube for a movie made by another beginner on how to set up PPPoE, and stop doing anything once they can surf the web.
THAT is the category of users who now got hacked. It is useless to write about how to secure a router for those people; they won't read it and probably won't understand it.
To keep those people safe, the only thing that works is security by default and mandatory security, like a unique default password or a mandatory password change on first logon.
Hi,
Maybe it is better to disable the default settings and to remove Quick Set. RouterOS and MikroTik hardware should be configured by technical specialists and not by consumers who do not understand security. These end users want something that is "click" and "click"... for this they could buy other products, but not MikroTik.
In the current world more people than before know that security is important.
I personally hate that MikroTik has Quick Set to apply some default settings and that it is possible by clicking to set "something" that the end user does not understand.
I always reset the default configuration to have "no configuration" when I am preparing a device for my customers.
When there is no Quick Set and no default config - simply nothing - it will not do anything unless you know how to set it up.
For this reason it is usually good for people who do not know how to set it up to find somebody who can set it up.
I understand that MikroTik wants to sell to everybody, but do you really want to be some horrible technology like the very cheap units from TP-Link, Ubiquiti or others?
Better is to have some option that everybody who buys a MikroTik device has to contact some specialist to set it up for him - it will make business good for all of us who are technical specialists and know about it.
I think there could be some list of specialists (not only certified) and the customer could get some advantage with a newly purchased device which will motivate him or really press him to contact somebody.
There could be some form of discount on the first setup from a specialist or another promo - I think it is a good theme for the MikroTik marketing department.
From my point of view I still see MikroTik devices as something more than a cheap router from an online shop and something that should be set up by a technical specialist.
What do you think of this?
What I think is: automate what MikroTik has said a million times: https://help.mikrotik.com/docs/display/ ... our+router
 
BartoszP
Forum Guru
Posts: 2855
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: Securing your device is important

Sun Jun 27, 2021 6:40 pm

@DarkNate ... why do you quote the whole previous post just to add a one-line sentence? Why do you not "post reply"?
Please read this viewtopic.php?p=864613#p864613 and the link in my signature.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Securing your device is important

Sun Jun 27, 2021 7:24 pm

Why do you keep spamming every post with your quote spam? People will quote how they want to quote, and if you don't like it, remove the quote feature.
I am now going to report you every single time you fill a thread with your quote spam.
 
BartoszP
Forum Guru
Posts: 2855
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: Securing your device is important

Sun Jun 27, 2021 7:26 pm

Just to teach users to use the forum properly ... it's easy ... just press another button.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Securing your device is important

Sun Jun 27, 2021 7:53 pm

Ahh okay,
I recommend that when users first join, that becomes part of the instruction set!
 
DarkNate
Forum Veteran
Posts: 997
Joined: Fri Jun 26, 2020 4:37 pm

Re: Securing your device is important

Mon Jun 28, 2021 4:12 pm

@DarkNate ... why do you quote the whole previous post just to add a one-line sentence? Why do you not "post reply"?
Please read this viewtopic.php?p=864613#p864613 and the link in my signature.
Remove the feature if you don't want it to be used.
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Securing your device is important

Mon Jun 28, 2021 5:26 pm

Does it cost you so much to use the forum correctly,
instead of replying in this stupid way?
 
pe1chl
Forum Guru
Posts: 10183
Joined: Mon Jun 08, 2015 12:09 pm

Re: Securing your device is important

Thu Nov 11, 2021 12:04 pm

It seems that someone has become the victim of a hacker who locked down their router and made it impossible for them to reset it.
I think that in addition to requiring users to secure a device, it can also be expected from MikroTik to secure their system against such events.
In this case the /system routerboard settings like "reformat hold button", "reformat hold button max" and "protected routerboard" were changed by the attacker.
These settings are only for niche applications, like for an ISP giving out routers to customers. Normal users do not use this, yet it can be dangerous.
I hope MikroTik can consider either removing these features (I see they are not present in my RB4011 running v7.1rc6; maybe they are already in the process of removing them), or at least putting them behind some considerable physical protection, e.g. to enable such settings you need to briefly press the button within a minute of applying them, or else they will be reverted.
This should restrict these features from being enabled remotely by an attacker.
 
msatter
Forum Guru
Posts: 2897
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Securing your device is important

Thu Nov 11, 2021 12:27 pm

I concur with pe1chl, and the less restrictive "press the button within a minute" is easier for users to accept than my proposal to press that button after the just-set time.
I would also suggest not being able to set the timespan between start and end time to less than three seconds.

And I will repeat what I wrote earlier: it is disappointing that MikroTik did not implement this confirmation from the start.

Now there are a lot of routers out there that can be held hostage... for years to come if not upgraded to a fixed RouterOS.
 
eddieb
Member
Posts: 305
Joined: Thu Aug 28, 2014 10:53 am
Location: Netherlands

Re: Securing your device is important

Thu Nov 11, 2021 12:36 pm

I concur with the writers above.
Once someone has physical access to a router, it should always be resettable ...
Limiting these "times" is the least that could be done.
 
msatter
Forum Guru
Posts: 2897
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Securing your device is important

Thu Nov 11, 2021 12:49 pm

It is a feature that is useful when it is protected against misuse.

When you are able to reset the router in any case, then the feature has become useless.
Addition when locking:

Lock but able to reset (new), for those who do not want to show/edit the config. Hardware theft/reuse is still available.

Lock and no reset (current), only access/reuse when the correct timeframe is known.
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Securing your device is important

Thu Nov 11, 2021 12:52 pm

Better if it is possible, for example, to enable this functionality only with the serial port or on a netinstall event...
Never from WinBox / SSH / web.

As an ISP I use netinstall to prepare the devices before putting them in the users' houses or on their roofs.
 
sid5632
Long time Member
Posts: 552
Joined: Fri Feb 17, 2017 6:05 pm

Re: Securing your device is important

Thu Nov 11, 2021 1:20 pm

to enable such settings you need to briefly press the button
Press what button?
 
pe1chl
Forum Guru
Posts: 10183
Joined: Mon Jun 08, 2015 12:09 pm

Re: Securing your device is important

Thu Nov 11, 2021 2:10 pm

I concur with the writers above.
Once someone has physical access to a router, it should always be resettable ...
Well, the "protected routerboot" with these times is there exactly to prevent that. It is for routers that are not owned by you but are placed in a location where you have physical access.
I can understand the usefulness of this feature but I think it should not be possible to enable it from a remote logon.
 
pe1chl
Forum Guru
Posts: 10183
Joined: Mon Jun 08, 2015 12:09 pm

Re: Securing your device is important

Thu Nov 11, 2021 2:11 pm

to enable such settings you need to briefly press the button
Press what button?
"The button", also known as the "reset button". Some routers have 2 buttons, but all of them have at least 1, I think.
 
slvnet
newbie
Posts: 28
Joined: Wed Feb 12, 2014 4:23 pm

Re: Securing your device is important

Thu Nov 25, 2021 3:04 pm

For me, 99% of MT devices are behind a FW.
If I need access to them from outside - VPN.
SSH by keys. Password - randomly generated.
User admin changed to another one, just in case.
Another user for daily usage.
All services not needed for access from outside - disabled/blocked at the FW.
FW rules to slow down scanning/brute force.

So, from the public point of view - usually VPN (OpenVPN) only.
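The checklist in the post above, written out as a RouterOS CLI script. This is an added example, not slvnet's configuration or MikroTik's own code; the user name netadmin, the password, the key file name netadmin.pub, the LAN prefix 192.168.88.0/24 (the RouterOS default) and the OpenVPN port are placeholders to adjust.

```routeros
# Added example (not from the post). Placeholders: netadmin, the password,
# netadmin.pub, 192.168.88.0/24 and the OpenVPN port 1194/tcp.

# 1. Own user with a strong password; disable the default admin only after
#    a test login as the new user has succeeded.
/user add name=netadmin group=full password="CHANGE-ME-long-random-secret"
/user disable [find name=admin]

# 2. SSH by keys: upload netadmin.pub to the router first, then import it.
/user ssh-keys import public-key-file=netadmin.pub user=netadmin
/ip ssh set strong-crypto=yes

# 3. Services: switch off what is not used, bind the rest to the LAN only.
/ip service disable telnet,ftp,www,api,api-ssl
/ip service set ssh address=192.168.88.0/24
/ip service set winbox address=192.168.88.0/24

# 4. Input chain. Replies and LAN traffic are accepted; a source that opens
#    four new SSH connections within a minute is blacklisted for 10 days,
#    which slows scanning and brute force; OpenVPN is the only public entry.
/ip firewall filter
add chain=input connection-state=established,related action=accept
add chain=input src-address=192.168.88.0/24 action=accept
add chain=input protocol=tcp dst-port=22 src-address-list=ssh_blacklist \
    action=drop comment="drop ssh brute forcers"
add chain=input protocol=tcp dst-port=22 connection-state=new \
    src-address-list=ssh_stage3 action=add-src-to-address-list \
    address-list=ssh_blacklist address-list-timeout=10d
add chain=input protocol=tcp dst-port=22 connection-state=new \
    src-address-list=ssh_stage2 action=add-src-to-address-list \
    address-list=ssh_stage3 address-list-timeout=1m
add chain=input protocol=tcp dst-port=22 connection-state=new \
    src-address-list=ssh_stage1 action=add-src-to-address-list \
    address-list=ssh_stage2 address-list-timeout=1m
add chain=input protocol=tcp dst-port=22 connection-state=new \
    action=add-src-to-address-list address-list=ssh_stage1 \
    address-list-timeout=1m
add chain=input protocol=tcp dst-port=1194 action=accept \
    comment="OpenVPN server (placeholder port)"
add chain=input action=drop comment="everything else from outside"
```

Check the result with /ip service print, /user print and /ip firewall filter print before closing the session that applied it.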
