Locking access to routerboard

GWISA · Tue Feb 20, 2007 12:55 pm

Does anyone have any idea how one might 'lock' a routerboard from being accessible to anyone unauthorised?

The reason we need this is we are migrating to a licensed band, and don't want anyone poking around and re-using boards/cards purchased from us in our band in unauthorised applications.

You know hoe people are - someone will realise that it can do a broad range of frequencies once the upgrade license has been installed, and might use it on their own...

I need a permanent lock that will not allow a hard-reset/reprogram...

We intend using the RB112, and I thought removing the jumper and/or resistor in-line may be a bit of a deterrent to all but the most determined hackers.

Any other less hackable suggestions?

Tue Feb 20, 2007 1:00 pm

netinstalling it will always clear away your settings, unless you also solder off the serial port and deny admin access (so that he can not turn on boot from network

GWISA · Tue Feb 20, 2007 1:42 pm

netinstalling it will always clear away your settings, unless you also solder off the serial port and deny admin access (so that he can not turn on boot from network

Good thing you mentioned that - hadn't thought of netinstall/serial

Tue Feb 20, 2007 1:50 pm

complete locking of the board, even if it would be possible, would bring many issues - for example troubleshooting it.

GWISA · Tue Feb 20, 2007 3:05 pm

no - I don't mean complete lock - only lock to unauthorised access.

Obviously us as the suppliers would retain admin rights...

GWISA · Tue Feb 20, 2007 3:18 pm

What's the possibilty of including a 'disable hardware reset' switch in future versions of MT?

(with a warning of "disable at your own risk!")

Regarding the serial port - I guess one could just disable it in the OS rather than de-soldering it? Would this work?

Tue Feb 20, 2007 3:20 pm

GWISA, could you specify, what do you want to restrict ?(Physical access or IP acccess) ?

GWISA · Tue Feb 20, 2007 3:34 pm

We'd like to restrict any kind of re-configuring possibilities by a client. Once a CPE has been set up, it must not be accessible at all by a client - only by ourselves for re-programming/whatever.

I do not want any possibility of the board being reset and reconfigured in unauthorised applications, especially as the license upgrade opens many more frequencies outside of the unlicensed bands...

Tue Feb 20, 2007 3:35 pm

first, disable admin user, make a user for yourself, and make a read-only user for client.

that will take care of reconfiguration, but will not take care of reinstall. maybe you can disable the serial ports.

GWISA · Tue Feb 20, 2007 3:36 pm

And preventing hard reset? Remove resistor & jumper?

Tue Feb 20, 2007 3:38 pm

I guess you can use script with netinstall, script that will set configuration to RouterOS.
The particular configuration will be restored, when router is reseted.

Tue Feb 20, 2007 3:39 pm

oh yes! when you install RouterOS with netinstall, and use a script - that script will be loaded after reset. even the hard reset.

GWISA · Tue Feb 20, 2007 3:46 pm

Aha! I'll try that again... didn't have success with that when i tried it some time back.

Does this mean that the router cannot be reset at all, unless the /sys reset command is used? And that would obviously only be accessible by the admin...

Tue Feb 20, 2007 3:49 pm

no, unless you reinstall it again with a different script.

GWISA · Tue Feb 20, 2007 4:09 pm

Another AHA!

/sys routerboard settings set enable-jumper-reset=no

Bingo!

Locking access to routerboard

Locking access to routerboard

Who is online