> It was running OS version v6.37.1 and current firmware was 3.29.

A number of vulnerabilities, including ones that allow breaking in without knowing the password, have been fixed since 6.37.1, so this is the most likely reason - along with firewall rules which did not block access to management services from the internet.
How did this happen?
However, keep in mind I had a strong password.
> And what can I do to prevent this from ever happening again?

Now export (not backup) the current configuration into a file, download the file to your PC, and then netinstall the router with the long-term version of RouterOS. Use the default configuration of that version and only modify it with what is really necessary; your saved export will help you with that. Do not import the file with the export as a whole, just use it as an information source.
> Are you sure I need to do a clean netinstall to save the device?

See the YouTube presentation mentioned here. (The whole Vault7 thread might also interest you.)
According to MikroTik I should
2. Change Password
3. Make sure winbox is only accessed from my network
I just want to make my information right, thanks for all replies and I've already learned a lot.
> However, keep in mind I had a strong password.

A strong password is not enough if this was used to administrate the box from outside (internet).
> Some days I think I need a hardware FW in front of my router... If MT can focus on security with every new release, I will stick with them... if not... it will be time to give up on MT after 8 years and move onto something else.

There is no such thing as "a hardware firewall". Sure, there are brands with specifically designed ASICs (chips) in them to obtain multi-gigabit full-feature performance, but that is a completely different league... but still there is software that is running on the hardware.
> I have an access rule that if anyone tries one port that is not open on the outside, he will be blocked for 24 hours on any port.

I do it slightly more relaxed: within a time-frame of several hours, I accept "a few" probes for TCP & UDP. Once exceeded they go on the blacklist.
This gives me an access list with between 2000 and 15000 IPs at any time.
If this for some reason is me that has been blocked from outside, I can use port knock to whitelist my own IP and get into the system.
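The two variants discussed above (block a source after a single probe on a closed port for 24 hours, or tolerate a few probes within some hours first, plus a port-knock sequence that whitelists your own IP when you lock yourself out), as an added RouterOS firewall example that is not from this thread or from MikroTik. The WAN interface (ether1), LAN subnet (192.168.88.0/24), knock ports (1111, 2222) and the published service port (443) are assumed placeholders.

```routeros
# Added example, not from the thread. Assumptions: WAN is ether1, LAN is
# 192.168.88.0/24, knock sequence is TCP 1111 then 2222, and the router
# publishes one service on TCP 443 to the internet.
/ip firewall address-list
add list=knock-ok address=192.168.88.0/24 comment="LAN may always manage the router"

/ip firewall filter
# 1. Existing flows first, then anything from an already blacklisted source.
add chain=input action=accept connection-state=established,related
add chain=input action=drop connection-state=invalid
add chain=input action=drop in-interface=ether1 src-address-list=blacklist \
    comment="blocked for 24h after probing closed ports"

# 2. Port knocking: knock 1111 then 2222 within 30s to land in knock-ok for 1h.
#    add-src-to-address-list does not terminate, so the knock packets are
#    dropped right after, otherwise they would count as probes in step 4.
add chain=input action=add-src-to-address-list in-interface=ether1 protocol=tcp \
    dst-port=1111 address-list=knock-stage1 address-list-timeout=30s
add chain=input action=add-src-to-address-list in-interface=ether1 protocol=tcp \
    dst-port=2222 src-address-list=knock-stage1 address-list=knock-ok \
    address-list-timeout=1h
add chain=input action=drop in-interface=ether1 protocol=tcp dst-port=1111,2222

# 3. Management (WinBox 8291, SSH 22) only from LAN or a knocked-in source;
#    the one published service is reachable from anywhere.
add chain=input action=accept protocol=tcp dst-port=8291,22 src-address-list=knock-ok
add chain=input action=accept in-interface=ether1 protocol=tcp dst-port=443
add chain=input action=accept in-interface=!ether1 comment="LAN side: accept the rest"

# 4. Anything else arriving on WAN is a probe of a closed port. The "relaxed"
#    variant below blacklists on the 3rd probe within 3h: stage lists are
#    checked from highest to lowest so one packet only advances one stage.
#    For the strict "one probe = 24h block" variant keep only the first
#    probe rule without the src-address-list match, plus the drop.
add chain=input action=jump jump-target=probe in-interface=ether1
add chain=probe action=add-src-to-address-list src-address-list=probe-stage2 \
    address-list=blacklist address-list-timeout=24h
add chain=probe action=add-src-to-address-list src-address-list=probe-stage1 \
    address-list=probe-stage2 address-list-timeout=3h
add chain=probe action=add-src-to-address-list address-list=probe-stage1 \
    address-list-timeout=3h
add chain=probe action=drop
```

Entries expire on their own, so the blacklist stays bounded; check its size with `/ip firewall address-list print count-only where list=blacklist`.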
> But I do it purely out of interest (just like yourself I guess)

Is there a different mitigation for a "metered" (e.g. 4G subscription) versus an "unmetered" connection (e.g. DSL line, cable modem, FTH, ...)?
> Is there a different mitigation for a "metered" (e.g. 4G subscription) versus an "unmetered" connection (e.g. DSL line, cable modem, FTH, ...)?

Exactly. If your WAN address is a public one, you likely asked for one on purpose, so you run some service which needs to be available from the internet, so the ISP (mobile or not) won't filter what comes from the world to that address. If your WAN address is a private one, nothing can get in from outside unless you've asked for it (possibly indirectly, see how Teredo works; the same technique is used by peer-to-peer networks, but that's unlikely to work on mobile ISPs' networks anyway).
The ISP is mostly filtering already quite a lot on mobile connections.
Nobody mentioned "tarpit" as protection: https://wiki.mikrotik.com/wiki/DoS_attack_protection. Recommended mitigation or not?
That attack traffic is on your ISP connection anyway, and I would like to have that rather minimal. One cannot hold off a DDoS that would eat all of your bandwidth.
> I saw this in the best practices wiki, don't use it, but do you see value in adding it to the default setup..........?

This rule just prevents your uplink bandwidth from being wasted by ill-configured software or malware running on devices in your LAN.
> > I saw this in the best practices wiki, don't use it, but do you see value in adding it to the default setup..........?
>
> This rule just prevents your uplink bandwidth from being wasted by ill-configured software or malware running on devices in your LAN.

Let me rephrase my question so it fits the answer...
> Others will say this approach makes no sense: why go through all the hassle of doing this? Just drop any packet that is not part of a session or targeted towards non-DNAT'ed ports and get on with your life, and don't even bother logging this "noise" that exists "by default".

99.999% of these attacks are machine scans, so if they test one port, the odds are high that they try more ports later, and since I do have some port open, it's better to block them so my open port will not be attacked.
> Now, let's get back to the question asked........ ;-P

OK, if you put it this way, then no, I don't see much value in using it. Most malware will attack public addresses anyway. Out of curiosity, you may add it and let it log, to see whether some stupid malware is running in your LAN.
So you are saying it is worth it, or a waste of time......??....