
Remove internet-facing login

Posted: Fri Nov 17, 2023 2:21 am
by BiliOslavi
I'd like to remove the internet facing admin login on an RB5009, RouterOS 7.8.

Going into IP--> Services --> www and disabling port 80 unfortunately disables all web
traffic to the router, including internal. So it stops router management.

Is there a way to do this that will just block incoming login attempts from outside, but
leave the internal web connection on LAN intact?

Re: Remove internet-facing login

Posted: Fri Nov 17, 2023 3:40 am
by tangent
Doesn’t the default firewall do that?

Re: Remove internet-facing login

Posted: Sun Nov 19, 2023 12:12 am
by BiliOslavi
Not that I can see. RB5009 out of the box allows www connections on port
80 to the router on the WAN side.

I've blocked www in Services and that stops outside logins, and I use
WinBox to connect internally on the LAN side, but I'd rather have port
80 connections to the router rather than WinBox so that I can connect
from Linux - if there's a good way to do it.

Re: Remove internet-facing login

Posted: Sun Nov 19, 2023 12:58 am
by tangent
I wasn't asking; I was hinting. You've done something locally to break this. The default configuration contains a line like this:

/ip/firewall/filter
add chain=input action=drop in-interface-list=!LAN comment="defconf"

That comes from a "/system/default-configuration/print" command on my RB4011.

What you do about this is up to you, but I would at least consider starting over with the default configuration and then reapplying your local changes again, more carefully this time.

Re: Remove internet-facing login

Posted: Sun Nov 19, 2023 11:10 am
by jvanhambelgium
Going into IP--> Services --> www and disabling port 80 unfortunately disables all web
traffic to the router, including internal. So it stops router management.

No need to disable it completely, but add the "Available From" values? E.g. 192.168.x.y or multiple ranges that you want it to be "managed" from.
Not providing this value means: world wide open

In ADDITION, you should adapt your INPUT-chain to drop anything from the outside world hitting your Mikrotik that is not really needed.
So ALLOW inbound stuff like VPN/IPSEC/...
The last line would be a "drop" on the input chain in total, as others suggest too:

/ip firewall filter add chain=input action=drop in-interface-list=!LAN comment="defconf"
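
The two layers described in this reply (the "Available From" restriction on the www service plus a final drop on the input chain), written out as RouterOS commands. This is an added example, not part of the original thread; the subnet 192.168.88.0/24 and the interface names ether1 and bridge are assumptions to be replaced with your own.

```routeros
# Assumed (constructed) values: LAN subnet 192.168.88.0/24,
# LAN bridge "bridge", WAN port "ether1".
# Apply from a LAN-side session, ideally with Safe Mode enabled, so a
# mistake is rolled back instead of locking you out of the router.

# 1. Restrict the web service to the LAN ("Available From" in the GUI).
#    An empty address field means the service answers any source.
/ip service
set www address=192.168.88.0/24
# Check: the ADDRESS column for www should now show the LAN subnet.
print

# 2. Make sure the interface lists the firewall rule relies on exist and
#    have members. A drop on "!LAN" only works if LAN is populated.
#    Skip any line whose list or member already exists.
/interface list
add name=WAN
add name=LAN
/interface list member
add list=WAN interface=ether1
add list=LAN interface=bridge

# 3. Input chain: traffic addressed to the router itself.
#    Order matters; the drop has to be the last input rule.
/ip firewall filter
add chain=input action=accept connection-state=established,related,untracked comment="accept established,related,untracked"
add chain=input action=drop connection-state=invalid comment="drop invalid"
add chain=input action=accept protocol=icmp comment="accept ICMP"
# Accept rules for anything you really need from outside (e.g. VPN)
# go here, before the final drop.
add chain=input action=drop in-interface-list=!LAN comment="drop all not coming from LAN"

# 4. Review the resulting input rules and their order.
print where chain=input
```

With both layers in place, the web interface stays reachable from the LAN while a connection to port 80 arriving on the WAN side is dropped by the firewall and, independently, refused by the service itself.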

Re: Remove internet-facing login

Posted: Sun Dec 10, 2023 4:53 am
by BiliOslavi
Thanks jvanhambelgium. This did the trick. The RB5009 routers we have
didn't have this locked down by default firewall rules.