KatsuroKurosaki
just joined
Topic Author
Posts: 18
Joined: Tue Jul 24, 2012 10:53 am

Use API over Internet. Is it secure?

Wed Aug 15, 2012 9:57 pm

Good afternoon everyone,

Currently running RouterOS 5.19, we are planning to do some API operations over the Internet, and our boss is worried about passwords: whether they are sent in plaintext and whether it is secure enough to do it.
We don't want people sniffing our passwords and doing unwanted operations on our devices :P

Thank you everyone for your help and time.
 
ayufan
Member
Posts: 334
Joined: Sun Jun 03, 2007 9:35 pm

Re: Use API over Internet. Is it secure?

Wed Aug 15, 2012 10:11 pm

Use SSH port forwarding to access the local (or even a remote) API interface. It should help with your security concerns.
 
KatsuroKurosaki
just joined
Topic Author
Posts: 18
Joined: Tue Jul 24, 2012 10:53 am

Re: Use API over Internet. Is it secure?

Wed Aug 15, 2012 10:17 pm

Thanks for your reply :)

Do you mean to use the API over an SSH tunnel?
Well, I forgot to say that the API commands are going to run on a PHP server.

Regards
 
ayufan
Member
Posts: 334
Joined: Sun Jun 03, 2007 9:35 pm

Re: Use API over Internet. Is it secure?

Thu Aug 16, 2012 12:31 am

Exactly. SSH allows forwarding connections both ways. You can always use the following scenario:

1. MikroTik API
   a. ip service enable api
   b. ip service set api address=127.0.0.1/32

2. PHP server
   a. ssh -L 28728:127.0.0.1:8728 <mt-address>
      - run it in the background or in a screen session
   b. connect to the API on 127.0.0.1:28728
      - 127.0.0.1:28728 is the local SSH forward port; it redirects all traffic to the remote host and connects to the remote's 127.0.0.1:8728 (the API service)

That way you are fully secure. No additional configuration required ;)

There's always the option to build a secure VPN (you have SSTP, L2TP, PPTP, OVPN) and connect everything to a central VPN server...
 
greencomputing
Frequent Visitor
Posts: 95
Joined: Wed Jun 23, 2010 1:12 pm
Location: Italy

Re: Use API over Internet. Is it secure?

Thu Aug 16, 2012 1:03 am

Hi sir,
that configuration was really helpful! Thanks a lot for sharing it with us.

have a nice day
 
boen_robot
Forum Guru
Posts: 2400
Joined: Thu Aug 31, 2006 4:43 pm
Location: europe://Bulgaria/Plovdiv

Re: Use API over Internet. Is it secure?

Thu Aug 16, 2012 12:06 pm

Note that even without an SSH tunnel, the RouterOS password is never sent in plain text. The whole procedure is a CHAP challenge, similar to the one in the hotspot. Without a tunnel, all other data is sent and received without any form of encryption, though.
 
ayufan
Member
Posts: 334
Joined: Sun Jun 03, 2007 9:35 pm

Re: Use API over Internet. Is it secure?

Thu Aug 16, 2012 12:17 pm

> Note that even without an SSH tunnel, the RouterOS password is never sent in plain text. The whole procedure is a CHAP challenge, similar to the one in the hotspot. Without a tunnel, all other data is sent and received without any form of encryption, though.

The whole process uses MD5, and someone may try to brute-force the password.
 
boen_robot
Forum Guru
Posts: 2400
Joined: Thu Aug 31, 2006 4:43 pm
Location: europe://Bulgaria/Plovdiv

Re: Use API over Internet. Is it secure?

Thu Aug 16, 2012 12:20 pm

True, but at least it's not clear text, and it still requires brute force, without rainbow tables and the like.

(Using an SSH tunnel is still better than no tunnel. I'm just saying that without a tunnel, the situation is one notch less dangerous than "everything is clear text".)
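The two technical points of this thread, ayufan's tunnel recipe (local port 28728 forwarded to the router's 127.0.0.1:8728) and boen_robot's description of the API login as an MD5 challenge-response, can be seen together in a small client. The following is an added example written for this page, not code posted by any participant or shipped by MikroTik. It assumes the tunnel endpoint values from ayufan's post (TUNNEL_HOST and TUNNEL_PORT are hypothetical constants), a username of "admin" in the usage line, and the RouterOS 5.x-era API wire format: length-prefixed words, sentences terminated by an empty word, and a login in which the router returns a hex challenge in a "=ret=" word and the client answers with "00" followed by MD5(0x00 || password || challenge). Because both the challenge and the response are ordinary API words, they are visible to anyone on the path when no tunnel is used, which is exactly the exposure the tunnel removes.

```python
"""Added example: RouterOS API login through the loopback end of an SSH tunnel.

Assumed setup (ayufan's recipe, not part of this code):
    ssh -N -L 127.0.0.1:28728:127.0.0.1:8728 <mt-address>
and on the router:  /ip service set api address=127.0.0.1/32
"""
import hashlib
import socket

# Hypothetical values for this example; match them to your own forward.
TUNNEL_HOST = "127.0.0.1"
TUNNEL_PORT = 28728


def encode_length(n: int) -> bytes:
    """RouterOS API word-length prefix (1 to 5 bytes, big-endian)."""
    if n < 0x80:
        return bytes([n])
    if n < 0x4000:
        return (n | 0x8000).to_bytes(2, "big")
    if n < 0x200000:
        return (n | 0xC00000).to_bytes(3, "big")
    if n < 0x10000000:
        return (n | 0xE0000000).to_bytes(4, "big")
    return b"\xf0" + n.to_bytes(4, "big")


def read_length(buf: bytes, pos: int):
    """Inverse of encode_length; returns (length, position after the prefix)."""
    b0 = buf[pos]
    if b0 < 0x80:
        return b0, pos + 1
    if b0 < 0xC0:
        return int.from_bytes(buf[pos:pos + 2], "big") & 0x3FFF, pos + 2
    if b0 < 0xE0:
        return int.from_bytes(buf[pos:pos + 3], "big") & 0x1FFFFF, pos + 3
    if b0 < 0xF0:
        return int.from_bytes(buf[pos:pos + 4], "big") & 0x0FFFFFFF, pos + 4
    return int.from_bytes(buf[pos + 1:pos + 5], "big"), pos + 5


def encode_sentence(words) -> bytes:
    """A sentence is a run of length-prefixed words ended by a zero-length word."""
    body = b"".join(encode_length(len(w.encode())) + w.encode() for w in words)
    return body + b"\x00"


def decode_sentence(buf: bytes, pos: int = 0):
    """Parse one sentence; returns (words, position after the terminator).
    Raises IndexError when the buffer does not yet hold a whole sentence."""
    words = []
    while True:
        n, pos = read_length(buf, pos)
        if n == 0:
            return words, pos
        if pos + n > len(buf):
            raise IndexError("incomplete sentence")
        words.append(buf[pos:pos + n].decode())
        pos += n


def parse_challenge(words) -> str:
    """Hex challenge from the '=ret=...' word of the first /login reply."""
    for w in words:
        if w.startswith("=ret="):
            return w[len("=ret="):]
    raise ValueError("login reply carries no =ret= challenge")


def compute_response(password: str, challenge_hex: str) -> str:
    """'00' + hex(MD5(0x00 || password || challenge)), as the API expects.
    Without a tunnel this value and the challenge both cross the network in clear."""
    digest = hashlib.md5(b"\x00" + password.encode() + bytes.fromhex(challenge_hex))
    return "00" + digest.hexdigest()


def recv_sentence(sock: socket.socket):
    """Read from the socket until one complete sentence has arrived."""
    buf = b""
    while True:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("router closed the connection")
        buf += chunk
        try:
            words, _ = decode_sentence(buf)
            return words
        except IndexError:
            continue


def login(user: str, password: str, host=TUNNEL_HOST, port=TUNNEL_PORT) -> bool:
    """Connect to the tunnel endpoint and run the two-step challenge-response login."""
    with socket.create_connection((host, port), timeout=10) as sock:
        sock.sendall(encode_sentence(["/login"]))
        challenge = parse_challenge(recv_sentence(sock))
        sock.sendall(encode_sentence(
            ["/login", "=name=" + user, "=response=" + compute_response(password, challenge)]))
        return "!done" in recv_sentence(sock)


if __name__ == "__main__":
    import getpass
    print("login ok" if login("admin", getpass.getpass("API password: ")) else "login failed")
```

The client connects only to 127.0.0.1, so the router's credentials and every later API sentence ride inside SSH; binding the forward to the loopback address on the PHP host (as in the docstring) keeps other machines from reaching the forwarded port.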
 
KatsuroKurosaki
just joined
Topic Author
Posts: 18
Joined: Tue Jul 24, 2012 10:53 am

Re: Use API over Internet. Is it secure?

Mon Aug 20, 2012 2:46 pm

Excuse me for taking this long to reply.
Actually we are doing tests and considering the best option to secure our MikroTik devices. I would gladly thank everyone for their replies and time. :D

Also, one of our options is to use an Ubuntu Server as a PPTP server, with all MikroTik devices connecting to it as PPTP clients, forcing all devices to use MS-CHAPv2 as the encryption protocol, to ensure secure communications.

Thank you everyone again. :D
 
Chupaka
Forum Guru
Posts: 8712
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: Use API over Internet. Is it secure?

Tue Aug 28, 2012 12:36 am

> Also, one of our options is to use an Ubuntu Server as a PPTP server, with all MikroTik devices connecting to it as PPTP clients, forcing all devices to use MS-CHAPv2 as the encryption protocol, to ensure secure communications.

MS-CHAP is not encryption, it's authentication. Encryption in PPTP is MPPE*, which is less secure than an SSH tunnel.
 
polymathic
just joined
Posts: 5
Joined: Wed Aug 29, 2012 4:16 am

Re: Use API over Internet. Is it secure?

Wed Aug 29, 2012 4:21 am

In light of recent work against MS-CHAPv2, and the fact that even Microsoft has deprecated PPTP (in favor of SSTP which is a little more sane from a protocol design standpoint), I'd be very wary of using PPTP in production for anything actually sensitive.

MS-CHAP was weak the day it was announced, which is why MS-CHAPv2 happened in the first place. PPTP is, well, PPTP. It's byzantine from the perspective of protocol design, and when one works through the actual entropy involved in the keyspace, it's ridiculously small.

If you want to read more about the current success against these, I'd suggest looking here.
https://www.cloudcracker.com/blog/2012/ ... s-chap-v2/

For the horse's mouth, you might look here:
http://blogs.technet.com/b/srd/archive/ ... ation.aspx
 
KatsuroKurosaki
just joined
Topic Author
Posts: 18
Joined: Tue Jul 24, 2012 10:53 am

Re: Use API over Internet. Is it secure?

Tue Nov 13, 2012 11:55 am

>> Also, one of our options is to use an Ubuntu Server as a PPTP server, with all MikroTik devices connecting to it as PPTP clients, forcing all devices to use MS-CHAPv2 as the encryption protocol, to ensure secure communications.
> MS-CHAP is not encryption, it's authentication. Encryption in PPTP is MPPE*, which is less secure than an SSH tunnel.

Sorry for the late reply; you're right, I confused terms here. Thanks for correcting me :)

> In light of recent work against MS-CHAPv2, and the fact that even Microsoft has deprecated PPTP (in favor of SSTP which is a little more sane from a protocol design standpoint), I'd be very wary of using PPTP in production for anything actually sensitive.
>
> MS-CHAP was weak the day it was announced, which is why MS-CHAPv2 happened in the first place. PPTP is, well, PPTP. It's byzantine from the perspective of protocol design, and when one works through the actual entropy involved in the keyspace, it's ridiculously small.
>
> If you want to read more about the current success against these, I'd suggest looking here.
> https://www.cloudcracker.com/blog/2012/ ... s-chap-v2/
>
> For the horse's mouth, you might look here:
> http://blogs.technet.com/b/srd/archive/ ... ation.aspx

Interesting, thank you very much; I'm going to look at this to improve the security of our communications. :)