anav
Forum Guru
Topic Author
Posts: 19106
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

WHERE IS MAGIC BUTTON INSTRUCTIONS

Thu Dec 09, 2021 5:36 pm

Is there an MT wiki on how to make netinstall fully functional (avoid hackers accessing router to disable full effects of netinstall)?
 
deadkat
Frequent Visitor
Posts: 57
Joined: Sun Nov 15, 2020 11:14 pm
Location: Alabama, USA

Re: WHERE IS MAGIC BUTTON INSTRUCTIONS

Thu Dec 09, 2021 5:43 pm

I don't know if I understand completely...But it sounds like you're looking for Protected Routerboot to prevent others from netinstalling your devices and stealing them?
"Protected Bootloader" section here: https://help.mikrotik.com/docs/display/ROS/RouterBOARD
not noted in the docs is a recent change in 6.49.1 release:
*) routerboot - enabling "protected-routerboot" feature requires a press of a button;
 
anav
Forum Guru
Topic Author
Posts: 19106
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: WHERE IS MAGIC BUTTON INSTRUCTIONS

Thu Dec 09, 2021 5:49 pm

Thanks!!

Okay the instructions are not clear. Which is okay because I think the common approach for most will be to KEEP the default DISABLED mode.

From what I understand the default mode of this setting "protected routerboot" is DISABLED.
In other words, a hacker gaining control of the router will not be able to lock the router and prevent netinstall.

If I as the admin still want to lock the router so to speak to prevent local persons resetting the router etc, I can invoke protected routerboot,
by entering the ROS and .......
a. what software commands do this ?? enable protected mode
b. what hardware commands do this ?? enable protected mode
(assuming it's a combo of the two now).

(1) The advantage of the new system is that a remotely hacked router with protected boot mode DISABLED is safe in terms of the unit can be recovered netinstall.
(2) The issue can still occur if protected mode is ENABLED and the router is then hacked...... however it seems there is a method "dangerous" to get control back.

Am I close???
 
deadkat
Frequent Visitor
Posts: 57
Joined: Sun Nov 15, 2020 11:14 pm
Location: Alabama, USA

Re: WHERE IS MAGIC BUTTON INSTRUCTIONS

Thu Dec 09, 2021 6:35 pm

With Protected Routerboot enabled you do not enter etherboot (aka netinstall mode) as described here: https://help.mikrotik.com/docs/display/ ... -Etherboot
the above link only applies with protected routerboot disabled

the settings to configure are
/system routerboard settings 
	set protected-routerboot=enabled
	set reformat-hold-button=x
	set reformat-hold-button-max=y
starting with version 6.49.1 (this is only in the 6.49 line afaik, not in 6.48 and older, or v7 -yet!) you need to physically press the reset button (mode button might also work if your device has one, not sure) within 60s of issuing the 'set protected-routerboot=enabled' command

with this enabled all normal function of the reset button is disabled, no more access to caps mode, reset config, or backup bootloader (unsure on this one). You also cannot access etherboot normally. The LED behavior will be different, instead of normal blinking pattern it will come on 1s, off 1s to help you count time. you must hold the reset button somewhere between whatever you set 'reformat-hold-button' and 'reformat-hold-button-max'

i.e. if you set them to 15s and 20s respectively then you would have to hold it down for a min of 15 seconds and release before 20s has passed. at this point it will format the entire flash on the routerboard. and then it will go to etherboot for you to netinstall it

the min/max hold time is your protection against device theft. it's pretty hard to brute force as it must be done manually and has potential to make stealing devices a lot harder.

edit: this only really protects against physical theft and some ransom attempts. it does not make up for someone gaining unauthorized login to your router. you still need a strong password for login and a secure firewall config
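
An added example, not part of the thread or MikroTik's documentation: a small audit that reads the text of `/system routerboard settings print` collected from each device and checks the three settings named in the post above against the intended policy, so an unexpected `protected-routerboot=enabled` or a wide hold window stands out. The `key: value` layout, the duration format, the sample values and the `max_window` threshold are assumptions made for this example.

```python
import re

# Constructed sample of the settings text for one device (not taken from the thread).
SAMPLE = """\
        protected-routerboot: enabled
        reformat-hold-button: 15s
    reformat-hold-button-max: 20s
"""

_UNITS = {"s": 1, "m": 60, "h": 3600}

def parse_settings(text):
    """Return {key: value} from 'key: value' lines; other lines are ignored."""
    out = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip():
            out[key.strip()] = value.strip()
    return out

def to_seconds(value):
    """Convert durations written like '20s', '10m' or '1m30s' to seconds."""
    parts = re.findall(r"(\d+)([smh])", value)
    if not parts or "".join(n + u for n, u in parts) != value:
        raise ValueError(f"unrecognised duration: {value!r}")
    return sum(int(n) * _UNITS[u] for n, u in parts)

def audit(text, expect_protected, max_window=10):
    """Compare one device's settings with the intended policy; return findings."""
    s = parse_settings(text)
    findings = []
    protected = s.get("protected-routerboot") == "enabled"
    if protected and not expect_protected:
        findings.append("protected-routerboot enabled but not expected: check who set it")
    if expect_protected and not protected:
        findings.append("protected-routerboot not enabled on a device that should be locked")
    if protected:
        lo_raw = s.get("reformat-hold-button")
        hi_raw = s.get("reformat-hold-button-max")
        if lo_raw is None or hi_raw is None:
            findings.append("hold-button settings missing from output")
            return findings
        lo, hi = to_seconds(lo_raw), to_seconds(hi_raw)
        if hi <= lo:
            findings.append("hold window is empty: max must exceed min")
        elif hi - lo > max_window:
            findings.append(f"hold window {hi - lo}s wider than {max_window}s")
    return findings
```
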
 
mducharme
Trainer
Posts: 1777
Joined: Tue Jul 19, 2016 6:45 pm
Location: Vancouver, BC, Canada

Re: WHERE IS MAGIC BUTTON INSTRUCTIONS

Thu Dec 09, 2021 6:57 pm

(1) The advantage of the new system is that a remotely hacked router with protected boot mode DISABLED is safe in terms of the unit can be recovered netinstall.
(2) The issue can still occur if protected mode is ENABLED and the router is then hacked...... however it seems there is a method "dangerous" to get control back.
Yes, this is my understanding.
 
anav
Forum Guru
Topic Author
Posts: 19106
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: WHERE IS MAGIC BUTTON INSTRUCTIONS

Thu Dec 09, 2021 7:55 pm

Thanks well explained and understood.
The functionality ENABLED is designed for ISP providers equipment where it's at a customer site but belongs to the ISP is my understanding and they don't want customers frigging with the routerboot etc.....

In both cases, the router can be hacked remotely and thus username password etc are still important as well as only allowing access to the router in an encrypted manner when done externally (and controlled winbox access in all circumstances). (In other words new routerboot functionality does not prevent being hacked so all other good security practices must be followed).
 
deadkat
Frequent Visitor
Posts: 57
Joined: Sun Nov 15, 2020 11:14 pm
Location: Alabama, USA

Re: WHERE IS MAGIC BUTTON INSTRUCTIONS

Thu Dec 09, 2021 8:07 pm

This is correct
