sasho
just joined
Topic Author
Posts: 9
Joined: Wed Aug 17, 2022 12:21 pm

Script command format from telnet to enable winbox port

Wed Aug 17, 2022 12:35 pm

Hi,
By mistake I have disabled default web 80 port and winbox 8219 port. I cannot log in to the MikroTik hEX lite router via web interface or winbox. However, I can log in using Windows telnet.
Would you please help me enable winbox 8219 port again using a telnet command? What is the correct script for the telnet command?
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Script command format from telnet to enable winbox port

Wed Aug 17, 2022 2:53 pm

/ip service
set www address="" disabled=no port=80
set winbox address="" disabled=no port=8291
 
anav
Forum Guru
Posts: 19103
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Script command format from telnet to enable winbox port

Wed Aug 17, 2022 8:33 pm

Telnet access?
Are you sure some hacker didn't telnet it and disable your other access ;-PPP

I have just the thing for you!
viewtopic.php?t=181718

Final comment, you should set up WireGuard or some other VPN to provide remote access to the router as well!
 
sasho
just joined
Topic Author
Posts: 9
Joined: Wed Aug 17, 2022 12:21 pm

Re: Script command format from telnet to enable winbox port

Thu Aug 18, 2022 9:22 am

Thank you for the help.
I ran both /ip service set commands as per @rextended's post, but I still have an issue with web interface and winbox login.
winbox cannot log in and the reason is connection refused

here is what I get after the /ip service print command

 #    NAME     PORT  CERTIFICATE
 0    telnet   23
 1    ftp      21
 2 I  www      80
 3    ssh      22
 4 XI www-sl   443   none
 5    api      8728
 6    winbox   8291
 7    api-ssl  8729  none

there is a prefix Ignore for www service port 80 and prefix XI for www-sl
Is there a way to add another service input for the web interface with a port different than 80, for example port 81?
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Script command format from telnet to enable winbox port

Thu Aug 18, 2022 10:35 am

RouterOS version?

Provide an /export without publishing on forum serial number, email, username and password.
 
sasho
just joined
Topic Author
Posts: 9
Joined: Wed Aug 17, 2022 12:21 pm

Re: Script command format from telnet to enable winbox port

Thu Aug 18, 2022 12:13 pm

@rextended,
thank you for the support

RouterOS is 6.34.2

winbox disappeared after I changed settings in winbox 3.37 /ip firewall filter
current state is

add action=reject chain=input dst-port=8291 protocol=tcp reject-with=tcp-reset src-address-list=management

Would you please tell me the correct script to remove that rejection and set winbox dst-port 8291 back to normal function?
 
anav
Forum Guru
Posts: 19103
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Script command format from telnet to enable winbox port

Thu Aug 18, 2022 1:54 pm

Why are you using such an old version of ROS? At least upgrade to 6.48.6 long term
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Script command format from telnet to enable winbox port

Thu Aug 18, 2022 3:54 pm

After this

/ip firewall filter disable [find]

use winbox with the "safe mode" button and enable the firewall rules again, except the ones that block winbox, then upgrade to 6.48.6 and come back here with the export, and probably @anav can help you make the device secure.
 
sasho
just joined
Topic Author
Posts: 9
Joined: Wed Aug 17, 2022 12:21 pm

Re: Script command format from telnet to enable winbox port

Thu Aug 18, 2022 4:01 pm

I will update the firmware version

In order to get winbox back to normal function, whose current state is
add action=reject chain=input dst-port=8291 protocol=tcp reject-with=tcp-reset src-address-list=management
I have to execute the following command

/ip firewall filter disable [find]

Is that correct?
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Script command format from telnet to enable winbox port

Thu Aug 18, 2022 4:31 pm

yes, but read all the previous post
 
sasho
just joined
Topic Author
Posts: 9
Joined: Wed Aug 17, 2022 12:21 pm

Re: Script command format from telnet to enable winbox port

Thu Aug 18, 2022 4:39 pm

I am trying
/ip firewall filter disable [find] and that doesn't work

do I have to specify something in place of [find]

for example, is that correct

/ip firewall filter disable [add action=reject chain=input dst-port=8291 protocol=tcp reject-with=tcp-reset src-address-list=management]

here is what I have in /ip firewall filter
/ip firewall filter
add chain=input dst-port=22 protocol=tcp src-address-list=management
add chain=input dst-port=23 protocol=tcp src-address-list=management
add chain=input dst-port=2000 protocol=tcp src-address-list=management
add action=reject chain=input dst-port=8291 protocol=tcp reject-with=tcp-reset
add action=reject chain=input dst-port=21 protocol=tcp reject-with=tcp-reset
add action=reject chain=input dst-port=22 protocol=tcp reject-with=tcp-reset
add action=reject chain=input dst-port=23 protocol=tcp reject-with=tcp-reset
add action=reject chain=input dst-port=82 protocol=tcp reject-with=tcp-reset
add action=reject chain=input dst-port=443 protocol=tcp reject-with=tcp-reset
add action=reject chain=input dst-port=8291 protocol=tcp reject-with=tcp-reset
add action=reject chain=input dst-port=8728 protocol=tcp reject-with=tcp-reset
Last edited by sasho on Thu Aug 18, 2022 4:46 pm, edited 1 time in total.
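
An added example, not part of any post in this thread: a minimal first-match evaluator in Python, run over the filter rules from the export above. It shows why WinBox got a TCP reset even from a management address (no accept rule precedes the reject for 8291) and that ports with no rule at all, such as 80, are accepted. The matching model is simplified (TCP, input chain, exact ports, address-list membership supplied by the caller); `parse` and `verdict` are names made up for this sketch.

```python
import shlex

# Filter rules exactly as exported in the post above.
EXPORT = """\
add chain=input dst-port=22 protocol=tcp src-address-list=management
add chain=input dst-port=23 protocol=tcp src-address-list=management
add chain=input dst-port=2000 protocol=tcp src-address-list=management
add action=reject chain=input dst-port=8291 protocol=tcp reject-with=tcp-reset
add action=reject chain=input dst-port=21 protocol=tcp reject-with=tcp-reset
add action=reject chain=input dst-port=22 protocol=tcp reject-with=tcp-reset
add action=reject chain=input dst-port=23 protocol=tcp reject-with=tcp-reset
add action=reject chain=input dst-port=82 protocol=tcp reject-with=tcp-reset
add action=reject chain=input dst-port=443 protocol=tcp reject-with=tcp-reset
add action=reject chain=input dst-port=8291 protocol=tcp reject-with=tcp-reset
add action=reject chain=input dst-port=8728 protocol=tcp reject-with=tcp-reset
"""

def parse(export):
    """Turn 'add key=value ...' lines into dicts; a missing action means accept."""
    rules = []
    for line in export.splitlines():
        words = shlex.split(line)
        if words[:1] == ["add"]:
            rule = dict(w.split("=", 1) for w in words[1:])
            rule.setdefault("action", "accept")
            rules.append(rule)
    return rules

def verdict(rules, dst_port, src_lists=()):
    """Return (action, rule index) of the first enabled input rule that matches."""
    for i, r in enumerate(rules):
        if r.get("disabled") == "yes" or r.get("chain") != "input":
            continue
        if r.get("protocol", "tcp") != "tcp":
            continue
        if "dst-port" in r and str(dst_port) not in r["dst-port"].split(","):
            continue
        if "src-address-list" in r and r["src-address-list"] not in src_lists:
            continue
        return r["action"], i
    return "accept", None  # no rule matched: the packet is accepted

if __name__ == "__main__":
    rules = parse(EXPORT)
    for port, lists in [(8291, ("management",)), (23, ("management",)), (23, ()), (80, ())]:
        print(port, lists, verdict(rules, port, lists))
```

Rule indexes are zero-based positions in the export; marking every rule `disabled=yes`, as `disable [find]` does, makes every lookup fall through to the default accept.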
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Script command format from telnet to enable winbox port

Thu Aug 18, 2022 4:46 pm

no, it is just
/ip firewall filter disable [find]
but after the command, did you hit enter?
 
sasho
just joined
Topic Author
Posts: 9
Joined: Wed Aug 17, 2022 12:21 pm

Re: Script command format from telnet to enable winbox port

Thu Aug 18, 2022 4:48 pm

yes I hit enter
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Script command format from telnet to enable winbox port

Thu Aug 18, 2022 4:49 pm

What are the results of
/ip firewall filter export
?
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Script command format from telnet to enable winbox port

Thu Aug 18, 2022 4:51 pm

Paste this to be sure winbox is active on both IP and MAC modes:
/tool mac-server
set allowed-interface-list=all
/tool mac-server mac-winbox
set allowed-interface-list=all
/tool mac-server ping
set enabled=yes
/ip service
set winbox address="" disabled=no port=8291

I hope the syntax is not different on old 6.3x
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Script command format from telnet to enable winbox port

Thu Aug 18, 2022 4:54 pm

I have only 6 minutes, and I must go away.
 
sasho
just joined
Topic Author
Posts: 9
Joined: Wed Aug 17, 2022 12:21 pm

Re: Script command format from telnet to enable winbox port

Thu Aug 18, 2022 4:59 pm

What are the results of
/ip firewall filter export
?
now every line is disabled
/ip firewall filter
add chain=input disabled=yes dst-port=22 protocol=tcp src-address-list=management
add chain=input disabled=yes dst-port=23 protocol=tcp src-address-list=management
add chain=input disabled=yes dst-port=2000 protocol=tcp src-address-list=management
add action=reject chain=input disabled=yes dst-port=8291 protocol=tcp reject-with=tcp-reset
add action=reject chain=input disabled=yes dst-port=21 protocol=tcp reject-with=tcp-reset
add action=reject chain=input disabled=yes dst-port=22 protocol=tcp reject-with=tcp-reset
add action=reject chain=input disabled=yes dst-port=23 protocol=tcp reject-with=tcp-reset
add action=reject chain=input disabled=yes dst-port=82 protocol=tcp reject-with=tcp-reset
add action=reject chain=input disabled=yes dst-port=443 protocol=tcp reject-with=tcp-reset
add action=reject chain=input disabled=yes dst-port=8291 protocol=tcp reject-with=tcp-reset
add action=reject chain=input disabled=yes dst-port=8728 protocol=tcp reject-with=tcp-reset
that is a problem
Last edited by sasho on Thu Aug 18, 2022 5:04 pm, edited 1 time in total.
 
anav
Forum Guru
Posts: 19103
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Script command format from telnet to enable winbox port

Thu Aug 18, 2022 5:01 pm

Six minutes makes life easy when doing manual navigation and fixes.........
 
k6ccc
Forum Guru
Posts: 1490
Joined: Fri May 13, 2016 12:01 am
Location: Glendora, CA, USA (near Los Angeles)

Re: Script command format from telnet to enable winbox port

Thu Aug 18, 2022 5:04 pm

If the original poster was running such an old version of ROS, he is likely also running an ancient version of WinBox. I don't remember which version it was, but at least one of the ROS updates a while back required a WinBox update. Make sure to be running a current version of WinBox. 3.37 is the current WinBox version and can be downloaded near the top of this page:
https://mikrotik.com/download
 
sasho
just joined
Topic Author
Posts: 9
Joined: Wed Aug 17, 2022 12:21 pm

Re: Script command format from telnet to enable winbox port

Thu Aug 18, 2022 5:07 pm

looks like /ip firewall filter disable [find]
disabled everything in the firewall filter list
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Script command format from telnet to enable winbox port

Thu Aug 18, 2022 5:19 pm

now can you open winbox?
on winbox 3.37, have you enabled "legacy mode" on the Tool menu?

if you successfully log in, at that point you can re-enable what you want.
 
sasho
just joined
Topic Author
Posts: 9
Joined: Wed Aug 17, 2022 12:21 pm

Re: Script command format from telnet to enable winbox port

Fri Aug 19, 2022 9:02 am

Thank you for the support
yes, I did log in and re-enabled the settings

I enabled port 23 for telnet and 8291 for winbox, but I would like to ask how I can protect these ports from outside attackers
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Script command format from telnet to enable winbox port

Fri Aug 19, 2022 10:10 am

"reject with tcp reset" on WAN side = DDoS

I do not like your firewall settings at all.

If you can, export the config, reset the router to default (which has good default firewall rules) and configure only the items that you need.

If you «Provide an /export without publishing on forum serial number, email, username and password» probably @anav can help you, if you are collaborative.
 
anav
Forum Guru
Posts: 19103
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Script command format from telnet to enable winbox port

Fri Aug 19, 2022 1:21 pm

jajajajaja you did the brain surgery, now I have to clean the poopy diaper. ;-)
