silversword
Frequent Visitor
Topic Author
Posts: 58
Joined: Tue Jul 23, 2013 3:36 pm

RB1100AHx4 Dude Edition insecure by default

Thu Apr 25, 2019 11:26 pm

I plugged WAN into internet, and within 60 seconds of initializing the internet connection with DHCP the firewall was bot compromised. Disabled ID: admin rights, and new ID of router was created with full control.

Had to Factory reset with button, disconnect internet cable lookup and manually create the default block rules and THEN plug in internet to port 1.

Ridiculous that's the default config. NO default config should ever allow access from port 1/WAN when the default ID: admin has a blank password.

Quicksets only enter "Ethernet" is same config, no other Quicksets available

How many other Mikrotik devices are insecure by default? No wonder Mikrotik is getting a reputation as a worm router.
 
td32
Member Candidate
Posts: 112
Joined: Fri Nov 18, 2016 5:55 am

Re: RB1100AHx4 Dude Edition insecure by default

Thu Apr 25, 2019 11:29 pm

doubt this was on default config.
On default config wan port drops all input traffic
 
Paternot
Forum Guru
Posts: 1056
Joined: Thu Jun 02, 2016 4:01 am
Location: Niterói / Brazil

Re: RB1100AHx4 Dude Edition insecure by default

Thu Apr 25, 2019 11:42 pm

The bigger routers (the ones made to small business and up) don't have a "WAN port". Take a look: they are just numbered ports (eth1, eth2 and so on).

That's because they are routers made to be used in a professional environment. Where You can't say which one (which two, which five?) port(s) will get an internet link. They come without firewall by design. It would only get in the way, anyway.

The smaller ones, made to the SOHO market, (five or less ports, small format, usually white plastic) come with firewall, and a WAN designated port.
 
silversword
Frequent Visitor
Topic Author
Posts: 58
Joined: Tue Jul 23, 2013 3:36 pm

Re: RB1100AHx4 Dude Edition insecure by default

Fri Apr 26, 2019 12:00 am

> doubt this was on default config.

As I said, tested again after compromised and manual button reset the default config with ver 6.44.2 firmware does it.

> The bigger routers (the ones made to small business and up) don't have a "WAN port". Take a look: they are just numbered ports (eth1, eth2 and so on).

True, not labeled as WAN...but since the config does have Port 1 with DHCP client port it's acting as one.

Hey, I know what Mikrotik devices can do, but if I were Mikrotik I wouldn't want the number of results here to keep increasing:
https://www.google.com/search?source=hp ... ompromised
 
BRMateus2
Frequent Visitor
Posts: 73
Joined: Thu Oct 26, 2017 11:18 pm

Re: RB1100AHx4 Dude Edition insecure by default

Fri Apr 26, 2019 2:46 am

This is your fault, as no device should be placed into Internet before configuration.
It's the same as me uploading an example sketch to an Arduino and putting it to run 24hs in the WAN natted, it's bad.
 
Paternot
Forum Guru
Posts: 1056
Joined: Thu Jun 02, 2016 4:01 am
Location: Niterói / Brazil

Re: RB1100AHx4 Dude Edition insecure by default

Fri Apr 26, 2019 3:22 am

> > The bigger routers (the ones made to small business and up) don't have a "WAN port". Take a look: they are just numbered ports (eth1, eth2 and so on).
>
> True, not labeled as WAN...but since the config does have Port 1 with DHCP client port it's acting as one.
>
> Hey, I know what Mikrotik devices can do, but if I were Mikrotik I wouldn't want the number of results here to keep increasing:
> https://www.google.com/search?source=hp ... ompromised

They have a DHCP client just to make easier the first access. No router should be exposed to the internet without proper configuration.

These compromised units are victims of an attack that was patched almost a full year before. And even then: You'd have to allow winbox access from the internet. A bad idea on a good day.

So, sorry. You exposed an unprotected and unpatched router to the internet - without even knowing what kind of firewall/login it had. That one is on you.
 
silversword
Frequent Visitor
Topic Author
Posts: 58
Joined: Tue Jul 23, 2013 3:36 pm

Re: RB1100AHx4 Dude Edition insecure by default

Fri Apr 26, 2019 2:49 pm

> No router should be exposed to the internet without proper configuration.

No device calling itself a router should have this as its fully patched, default configuration out of the box be this:

# jan/02/1970 00:03:18 by RouterOS 6.44.2
# software id = 20C3-04CF
#
# model = RB1100Dx4
# serial number = 
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
set 12 default-vlan-id=0
set 13 default-vlan-id=0
set 14 default-vlan-id=0
set 15 default-vlan-id=0
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether1 network=\
    192.168.88.0

If you want to make excuses for having crappy default configurations that's fine. Mikrotik is the one that is making the reputation for making devices that are part of botnets by the hundreds of thousands...and a big reason there are so many Mikrotik worm infected devices is these kinds of stupid insecure default configurations.

#ImOut
 
Samot
Member Candidate
Posts: 113
Joined: Sat Nov 25, 2017 10:01 pm

Re: RB1100AHx4 Dude Edition insecure by default

Fri Apr 26, 2019 3:20 pm

> > No router should be exposed to the internet without proper configuration.
>
> No device calling itself a router should have this as its fully patched, default configuration out of the box be this:
>
> # jan/02/1970 00:03:18 by RouterOS 6.44.2
> # software id = 20C3-04CF
> #
> # model = RB1100Dx4
> # serial number =
> /interface ethernet switch port
> set 0 default-vlan-id=0
> set 1 default-vlan-id=0
> set 2 default-vlan-id=0
> set 3 default-vlan-id=0
> set 4 default-vlan-id=0
> set 5 default-vlan-id=0
> set 6 default-vlan-id=0
> set 7 default-vlan-id=0
> set 8 default-vlan-id=0
> set 9 default-vlan-id=0
> set 10 default-vlan-id=0
> set 11 default-vlan-id=0
> set 12 default-vlan-id=0
> set 13 default-vlan-id=0
> set 14 default-vlan-id=0
> set 15 default-vlan-id=0
> /interface wireless security-profiles
> set [ find default=yes ] supplicant-identity=MikroTik
> /ip address
> add address=192.168.88.1/24 comment=defconf interface=ether1 network=\
>     192.168.88.0
>
> If you want to make excuses for having crappy default configurations that's fine. Mikrotik is the one that is making the reputation for making devices that are part of botnets by the hundreds of thousands...and a big reason there are so many Mikrotik worm infected devices is these kinds of stupid insecure default configurations.
>
> #ImOut

Well honestly part of the reason there are so many worm infected devices out there is because of things like this. People buying an enterprise level router and then treating it like a Netgear Nighthawk Gaming Pro router and just assuming it's OK. Did you not update your ROS version? Did you not do anything to configure a router such as this?

Admins failing to update, protect or manage their routers properly is not the fault of the vendor. It's the fault of the user. You know during this past year when everyone was losing their crap about all these issues MT was having, I didn't. Many of us didn't, you know why? We manage and keep our routers updated and secured.
 
krisjanisj
Member Candidate
Posts: 101
Joined: Wed Feb 20, 2019 2:53 pm

Re: RB1100AHx4 Dude Edition insecure by default

Fri Apr 26, 2019 3:24 pm

As shown in our wiki (more specifically here, the IP Only part), neither the RB1100, nor the CCR, nor the CRS series of routers/switches are meant to be plug-and-play, and they have only an IP for first-time connectivity. They will need to be configured by the end-user before usage, unlike our home-use router lineup (as mentioned by @Paternot), which has firewall rules and other security measures applied beforehand.
We even have a wiki page dedicated to how to apply basic firewall rules and other security so this doesn't happen.
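
A pre-deployment check for the situation described in this post, as an added example that is not part of the thread and not MikroTik tooling: it reads a RouterOS `/export` and reports every interface that carries an IP address or DHCP client but is not covered by an unconditional input-chain drop rule. The function names and the `FILTERED` sample rule are constructed for illustration, and rule ordering (an accept placed before the drop) is not evaluated.

```python
import re
import shlex

# Parameters that do not narrow which packets a rule matches beyond the interface.
NEUTRAL = {"chain", "action", "comment", "log", "log-prefix",
           "in-interface", "in-interface-list"}

def parse_export(text):
    """Parse RouterOS /export text into (section, verb, params) tuples."""
    text = re.sub(r"\\\r?\n\s*", "", text)        # join '\' line continuations
    section, rows = None, []
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):                   # e.g. "/ip firewall filter"
            section = line
            continue
        verb, *args = shlex.split(line)
        rows.append((section, verb, dict(a.split("=", 1) for a in args if "=" in a)))
    return rows

def rule_hits(rule, iface, lists):
    """Does this catch-all input drop rule apply to packets arriving on iface?"""
    for key, value in rule.items():
        if key not in ("in-interface", "in-interface-list"):
            continue
        negated, name = value.startswith("!"), value.lstrip("!")
        member = iface == name if key == "in-interface" else iface in lists.get(name, set())
        if member == negated:                      # matcher excludes this interface
            return False
    return True

def exposed_interfaces(text):
    """Addressed interfaces that no unconditional input-chain drop rule covers."""
    rows = parse_export(text)
    addressed = {p["interface"] for s, v, p in rows
                 if s in ("/ip address", "/ip dhcp-client") and v == "add" and "interface" in p}
    lists = {}
    for s, v, p in rows:
        if s == "/interface list member" and v == "add":
            lists.setdefault(p["list"], set()).add(p["interface"])
    drops = [p for s, v, p in rows
             if s == "/ip firewall filter" and v == "add"
             and p.get("chain") == "input" and p.get("action") == "drop"
             and set(p) <= NEUTRAL]                # skip narrowed or disabled rules
    return {i for i in addressed if not any(rule_hits(d, i, lists) for d in drops)}

# Constructed input: the /ip address lines from the export posted in the thread.
POSTED = "/ip address\nadd address=192.168.88.1/24 comment=defconf interface=ether1 network=\\\n    192.168.88.0\n"
# Constructed input: the same address plus a hypothetical list-based input drop.
FILTERED = POSTED + ("/interface list member\nadd interface=ether2 list=LAN\n"
                     "/ip firewall filter\n"
                     'add action=drop chain=input comment="drop all not from LAN" in-interface-list=!LAN\n')
```

`exposed_interfaces(POSTED)` returns `{"ether1"}`, while the `FILTERED` variant returns an empty set; an addressed LAN-side interface would also be listed, since it is deliberately left outside the drop rule.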
 
Samot
Member Candidate
Posts: 113
Joined: Sat Nov 25, 2017 10:01 pm

Re: RB1100AHx4 Dude Edition insecure by default

Fri Apr 26, 2019 3:28 pm

> As shown in our wiki (more specifically here) RB1100, nor CCR, nor CRS series of Routers/switches are meant to be plug-and-play and has only IP for first-time connectivity. They will need to be configured by the end-user before usage, unlike our home-use router lineup (as mentioned by @Paternot), that has firewall rules and other security measures applied beforehand.
> We even have a wiki page dedicated on how to apply basic firewall rules and other security so this doesn't happen.

Reading manuals or documentation for how things work is for suckers. Your stuff should just know what I need and do it.
 
Paternot
Forum Guru
Posts: 1056
Joined: Thu Jun 02, 2016 4:01 am
Location: Niterói / Brazil

Re: RB1100AHx4 Dude Edition insecure by default

Fri Apr 26, 2019 3:52 pm

> > No router should be exposed to the internet without proper configuration.
>
> No device calling itself a router should have this as its fully patched, default configuration out of the box be this:
>
> # jan/02/1970 00:03:18 by RouterOS 6.44.2
> # software id = 20C3-04CF
> #
> # model = RB1100Dx4
> # serial number =
> /interface ethernet switch port
> set 0 default-vlan-id=0
> set 1 default-vlan-id=0
> set 2 default-vlan-id=0
> set 3 default-vlan-id=0
> set 4 default-vlan-id=0
> set 5 default-vlan-id=0
> set 6 default-vlan-id=0
> set 7 default-vlan-id=0
> set 8 default-vlan-id=0
> set 9 default-vlan-id=0
> set 10 default-vlan-id=0
> set 11 default-vlan-id=0
> set 12 default-vlan-id=0
> set 13 default-vlan-id=0
> set 14 default-vlan-id=0
> set 15 default-vlan-id=0
> /interface wireless security-profiles
> set [ find default=yes ] supplicant-identity=MikroTik
> /ip address
> add address=192.168.88.1/24 comment=defconf interface=ether1 network=\
>     192.168.88.0
>
> If you want to make excuses for having crappy default configurations that's fine. Mikrotik is the one that is making the reputation for making devices that are part of botnets by the hundreds of thousands...and a big reason there are so many Mikrotik worm infected devices is these kinds of stupid insecure default configurations.
>
> #ImOut

Well, I'm not the one saying the router should be protected from myself. I'm not the one that bought a professional product and treated it like consumer garbage. Own your mistake, learn from it and become a better professional. That's how it works.
 
BartoszP
Forum Guru
Posts: 2978
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: RB1100AHx4 Dude Edition insecure by default

Fri Apr 26, 2019 4:25 pm

> No device calling itself a router should have this as it's fully patched, default configuration out of the box be this:
> ......
> If you want to make excuses for having crappy default configurations that's fine. Mikrotik is the one that is making the reputation for making devices that are part of botnets by the hundreds of thousands...and a big reason there are so many Mikrotik worm infected devices is these kinds of stupid insecure default configurations.

Your statement is as valid as this:
Producers of Zonda, Ferrari and Lamborghini are car manufacturers making the "reputation" of low quality dangerous cars responsible for so many accidents all around the world as default tires allow to travel too fast.
