Techsystem
Member
Topic Author
Posts: 337
Joined: Tue Dec 21, 2021 5:12 am

logging in without actual login

Sat Mar 11, 2023 12:07 pm

Hello to all MT users and professionals...!
I am trying to access my MT router through its public IP, and sometimes I get this message (as in the picture below): just "logging in", and it stays like that without logging in.
I don't have a firewall rule to block login from a public address... also, as I mentioned, sometimes I log in normally without any problem.
So why does this happen? Has anyone encountered this problem before?
How can I know that my ISP is not part of this problem?
 
mkx
Forum Guru
Posts: 11433
Joined: Thu Mar 03, 2016 10:23 pm

Re: logging in without actual login

Sat Mar 11, 2023 12:23 pm

First off: it's a bad idea to allow winbox access from WAN. In the past there were a few exploits of winbox access.

Second: winbox saying "logging in" and nothing more very probably means some device is (silently) dropping packets and winbox is retrying to establish the connection. As you can log in sometimes, this either means that your firewall/winbox service config is slightly selective or that some entity (one of the ISPs) blocks winbox access. To verify whether it's your router blocking it, you could run the sniffer to see if winbox packets arrive at your WAN interface or not.

But, as I wrote in the first paragraph, allowing winbox access from WAN is a bad idea in the first place. You should set up some secure tunnel (WireGuard if you're running ROS v7, or IPsec otherwise) and run winbox through that tunnel.
 
mozerd
Forum Veteran
Posts: 872
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada

Re: logging in without actual login

Sat Mar 11, 2023 12:26 pm

You need to follow MikroTik's advice as stated in the following, otherwise you are asking for serious hacking trouble ... and it's got nothing to do with your ISP ...
Securing Your Router
 
holvoetn
Forum Guru
Posts: 5403
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: logging in without actual login

Sat Mar 11, 2023 12:44 pm

Follow mkx's advice.
No direct access.
Only via VPN.
 
Techsystem
Member
Topic Author
Posts: 337
Joined: Tue Dec 21, 2021 5:12 am

Re: logging in without actual login

Sat Mar 11, 2023 6:23 pm

> First off: it's a bad idea to allow winbox access from WAN. In the past there were a few exploits of winbox access.
>
> Second: winbox saying "logging in" and nothing more very probably means some device is (silently) dropping packets and winbox is retrying to establish the connection. As you can log in sometimes, this either means that your firewall/winbox service config is slightly selective or that some entity (one of the ISPs) blocks winbox access. To verify whether it's your router blocking it, you could run the sniffer to see if winbox packets arrive at your WAN interface or not.
>
> But, as I wrote in the first paragraph, allowing winbox access from WAN is a bad idea in the first place. You should set up some secure tunnel (WireGuard if you're running ROS v7, or IPsec otherwise) and run winbox through that tunnel.

So if I run a sniffer, which interface will be the target, and if I open it in Wireshark, what do I have to look for in the sniffer file to identify the problem?

I hear a lot of people out there say that you shouldn't log in to your MT router using your public IP, but actually until now no one has told me why..!!
So where is the risk in this case?
 
holvoetn
Forum Guru
Posts: 5403
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: logging in without actual login

Sat Mar 11, 2023 6:33 pm

Anyone getting hands on your password can get in.
Simple.
 
mkx
Forum Guru
Posts: 11433
Joined: Thu Mar 03, 2016 10:23 pm

Re: logging in without actual login

Sat Mar 11, 2023 6:38 pm

> So if I run a sniffer, which interface will be the target, and if I open it in Wireshark, what do I have to look for in the sniffer file to identify the problem?

Obviously it'll be the WAN interface (if your winbox access is open). And the sniffer contents? Let me google that for you ...
 
Amm0
Forum Guru
Posts: 3250
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: logging in without actual login

Sat Mar 11, 2023 7:31 pm

> I don't have a firewall rule to block login from a public address... also, as I mentioned, sometimes I log in normally without any problem.

You need a rule to allow 8291 on input before any drops. But given you're saying it works sometimes, do you have multiple WANs? Because input traffic to the router has to be specially treated.

But I note that MikroTik's defaults don't allow it, as an indicator of risk, and listen to the advice here. And if troubleshooting winbox access is hard, I'd stick to the default and set up a VPN like WireGuard or ZeroTier. ZeroTier works particularly well for winbox, since winbox will show any discovered routers in the login screen.

Now I'm not a fan of "the password leaks out" as the reason why winbox is a bad idea. That's always a problem; winbox isn't special there. E.g. if WG keys become known, you may actually be worse off, since WG gives a tunnel to a network – no need for malware to muck with/understand ROS, with a likely larger attack surface at the other end of the VPN....
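Putting mkx's advice (winbox only through a tunnel, sniff the WAN side to see whether packets arrive) and Amm0's point (the accept rule for 8291 must sit above the drops, and both WANs need covering) into one RouterOS v7 configuration. This is an added example, not from any poster in this thread; the interface names ether1/ether2, the tunnel subnet 10.99.0.0/24, the listen port 13231 and the peer key placeholder are assumptions.

```routeros
# Added example (not from the thread). Assumes RouterOS v7, two WAN uplinks on
# ether1 and ether2, and one management laptop as the only WireGuard peer.

# 1. Group both uplinks so a single rule covers them (Amm0's multi-WAN point).
/interface/list/add name=WAN
/interface/list/member/add list=WAN interface=ether1
/interface/list/member/add list=WAN interface=ether2

# 2. WireGuard management tunnel (mkx's "secure tunnel"). Leaving private-key
#    unset makes RouterOS generate a key pair; read the router's public key
#    with /interface/wireguard/print and paste it into the laptop's config.
/interface/wireguard/add name=wg-mgmt listen-port=13231
/interface/wireguard/peers/add interface=wg-mgmt allowed-address=10.99.0.2/32 \
    public-key="<LAPTOP_PUBLIC_KEY_PLACEHOLDER>"
/ip/address/add address=10.99.0.1/24 interface=wg-mgmt

# 3. Input chain. Order matters: the accepts must be above the final WAN drop,
#    otherwise winbox (or the tunnel handshake) is silently dropped.
/ip/firewall/filter/add chain=input action=accept \
    connection-state=established,related comment="replies to router traffic"
/ip/firewall/filter/add chain=input action=accept protocol=udp dst-port=13231 \
    in-interface-list=WAN comment="WireGuard handshake from either WAN"
/ip/firewall/filter/add chain=input action=accept protocol=tcp dst-port=8291 \
    in-interface=wg-mgmt comment="winbox only through the tunnel"
/ip/firewall/filter/add chain=input action=drop in-interface-list=WAN \
    comment="everything else from WAN, direct winbox included"

# 4. Second layer: the winbox service itself only answers the tunnel subnet,
#    so a mistake in the filter rules alone does not expose it.
/ip/service/set winbox address=10.99.0.0/24

# 5. mkx's check for the stuck "logging in": capture on the WAN side while
#    reproducing the problem. If no TCP/8291 SYNs appear in the capture, the
#    packets are being dropped before they reach the router (e.g. at the ISP);
#    if they appear but get no reply, compare rule hit counters with
#    /ip/firewall/filter/print stats. Open the .pcap in Wireshark and filter
#    on tcp.port == 8291.
/tool/sniffer/set filter-interface=ether1 filter-port=8291 \
    file-name=winbox-wan.pcap
/tool/sniffer/start
# ... reproduce the stuck login attempt, then:
/tool/sniffer/stop
/file/print where name=winbox-wan.pcap
```

Repeat step 5 with filter-interface=ether2 for the second uplink, since a connection that works "sometimes" may be arriving on whichever WAN the ISP routes it to.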
 
holvoetn
Forum Guru
Posts: 5403
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: logging in without actual login

Sat Mar 11, 2023 7:37 pm

My view:
I don't like a single line of defense.
If a real hacker wants to get in, they will.
Just make it a bit more difficult and they might lose interest.
So a second line of defense...
 
Amm0
Forum Guru
Posts: 3250
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: logging in without actual login

Sat Mar 11, 2023 7:43 pm

> I hear a lot of people out there say that you shouldn't log in to your MT router using your public IP, but actually until now no one has told me why..!!
> So where is the risk in this case?

MikroTik's "winbox encryption" algorithm isn't public, so it's not subject to any meaningful scrutiny. And since it supports a variety of older versions, its fixed/dated encryption is likely more and more decryptable as CPU power increases by the day. Which is how the password can become known, and then used in an attack, now or later.

> So a second line of defense...

No argument against layers. And since MikroTik only has "single factor" authentication, be another one...
 
Techsystem
Member
Topic Author
Posts: 337
Joined: Tue Dec 21, 2021 5:12 am

Re: logging in without actual login

Sat Mar 11, 2023 7:59 pm

> So if I run a sniffer, which interface will be the target, and if I open it in Wireshark, what do I have to look for in the sniffer file to identify the problem?
>
> Obviously it'll be the WAN interface (if your winbox access is open). And the sniffer contents? Let me google that for you ...

lol... very interesting..!! :lol:
 
Techsystem
Member
Topic Author
Posts: 337
Joined: Tue Dec 21, 2021 5:12 am

Re: logging in without actual login

Sat Mar 11, 2023 8:09 pm

> I don't have a firewall rule to block login from a public address... also, as I mentioned, sometimes I log in normally without any problem.
>
> You need a rule to allow 8291 on input before any drops. But given you're saying it works sometimes, do you have multiple WANs? Because input traffic to the router has to be specially treated.
>
> But I note that MikroTik's defaults don't allow it, as an indicator of risk, and listen to the advice here. And if troubleshooting winbox access is hard, I'd stick to the default and set up a VPN like WireGuard or ZeroTier. ZeroTier works particularly well for winbox, since winbox will show any discovered routers in the login screen.
>
> Now I'm not a fan of "the password leaks out" as the reason why winbox is a bad idea. That's always a problem; winbox isn't special there. E.g. if WG keys become known, you may actually be worse off, since WG gives a tunnel to a network – no need for malware to muck with/understand ROS, with a likely larger attack surface at the other end of the VPN....

Yes, I have two WAN interfaces..!
You are right..! I agree with that... What I always do in my network config is put a very hard password (sometimes a hashed password with salt), change the winbox port and close all the others. I think that makes some sense... well, at least for me.
