Thu Jul 15, 2021 8:34 pm
Better security can be afforded by a better understanding.
(1) Therefore, via winbox, go to the IP menu item and select IP SERVICES.
Here you can disable all the services the router provides users or access to the router for
api, api-ssl, ftp, ssh, telnet, www, www-ssl. THE ONLY ONE YOU SHOULD KEEP ACTIVE is winbox.
Its default port is usually 8291 I believe, and that should be changed once you have a stable setup.
(2) Then go to the IP Firewall selection and choose SERVICE PORTS on the top bar of the firewall popup.
Here one should disable all services not required (from dccp to udplite).
Therefore you have closed most if not all the services and ports that do not need to be accessible.
(3) Go to Firewall Rules and make sure that
a. the only access to the INPUT CHAIN is the trusted network/interface the admin uses and, even better, an additional firewall address list on that rule identifying which IPs are allowed to access the router (admin laptop, desktop, iPad, smartphone etc.)
b. Ensure other access required by LAN users is allowed, aka DNS port 53, NTP etc.
c. Then add a drop rule at the end of the input chain.
d. Access to the Forward chain is adequately handled by default rules, but it is incomplete when one starts making changes to the config. It only blocks WAN to LAN traffic.
One should do the following: conceptually, block all unwanted LAN to LAN, LAN to WAN, and WAN to LAN traffic.
This is accomplished by a simple drop-all rule at the end of the forward chain.
This means that you will need to do the following before the last drop-all rule:
- add a LAN users to WAN rule for those permitted internet traffic,
- add a single generic port forwarding rule if you plan on having accessible servers (actual server rules are done in the IP NAT subsection),
- one may need to add shared devices between different subnets etc.
(4) a. Ensure the trusted interface list that you identify in the input chain for access to the router is noted in the TOOLS MAC WINMAC SERVER entry for allowed interface!
b. Disable the more generic TOOLS MAC MAC SERVER: set interface allowed to NONE.
(5) On System Users, change the default admin ID and password to something unique.
(6) On both the password settings and the IP Service list for winbox, one can identify the trusted network (as per the input chain rule).
So now you have layered defense:
unique user password and access limited based upon login ---> User settings
limited access based upon winbox settings -----> Tools MAC settings and IP Service settings
limited access based upon input chain rules -----> Firewall Rules
All other access avenues (ports, services) are cut off.
WAN to ROUTER and LAN to ROUTER traffic is controlled by the admin.
WAN to LAN, LAN to WAN, and LAN to LAN traffic is limited to what is allowed by the OP.
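The same six steps as RouterOS terminal commands, added here as an example and not the poster's own configuration. It assumes the interface lists are named "LAN" and "WAN" (the names the default config uses), an address list named "admin", an admin subnet of 192.168.88.0/24 with two admin hosts, a new winbox port of 58291 and a user name "netadmin"; all of these are my assumptions and should be replaced to match the actual network. The steps are run in the order of the post, with the input-chain accept rules placed before the final drop so the admin session is never cut off.

```routeros
# Added example (not from the original post). Assumed values: interface lists
# LAN/WAN, address list "admin", admin subnet 192.168.88.0/24, winbox port
# 58291, user "netadmin". Apply from a winbox/terminal session with Safe Mode
# enabled (Ctrl-X in the terminal) so a mistaken rule is rolled back on disconnect.

# Step 1: IP > Services. Keep only winbox, move it off 8291 and bind it to the
# trusted admin network.
/ip service disable api,api-ssl,ftp,ssh,telnet,www,www-ssl
/ip service set winbox port=58291 address=192.168.88.0/24

# Step 2: IP > Firewall > Service Ports. Disable every NAT helper
# (dccp ... udplite); re-enable individual ones only if an application needs them.
/ip firewall service-port disable [find]

# Interface lists the rules below refer to. The default config already creates
# LAN and WAN; these lines are only needed on a router configured from scratch.
/interface list add name=LAN comment="trusted side"
/interface list add name=WAN comment="internet side"
/interface list member add list=LAN interface=bridge
/interface list member add list=WAN interface=ether1

# Step 3a: address list of the hosts allowed to manage the router (constructed sample IPs).
/ip firewall address-list add list=admin address=192.168.88.10 comment="admin laptop"
/ip firewall address-list add list=admin address=192.168.88.11 comment="admin phone"

# Step 3a-3c: INPUT chain (traffic to the router itself). Order matters:
# accept rules first, the catch-all drop last.
/ip firewall filter add chain=input connection-state=established,related action=accept \
    comment="keep replies to sessions the router opened"
/ip firewall filter add chain=input connection-state=invalid action=drop
/ip firewall filter add chain=input in-interface-list=LAN src-address-list=admin action=accept \
    comment="3a: router management only from trusted interface AND admin list"
/ip firewall filter add chain=input in-interface-list=LAN protocol=udp dst-port=53 action=accept \
    comment="3b: DNS for LAN users"
/ip firewall filter add chain=input in-interface-list=LAN protocol=tcp dst-port=53 action=accept \
    comment="3b: DNS over TCP for LAN users"
/ip firewall filter add chain=input in-interface-list=LAN protocol=udp dst-port=123 action=accept \
    comment="3b: NTP for LAN users"
/ip firewall filter add chain=input action=drop comment="3c: drop everything else aimed at the router"

# Step 3d: FORWARD chain (traffic through the router). Explicit allows, then drop-all.
/ip firewall filter add chain=forward connection-state=established,related action=accept
/ip firewall filter add chain=forward connection-state=invalid action=drop
/ip firewall filter add chain=forward in-interface-list=LAN out-interface-list=WAN action=accept \
    comment="3d: LAN users allowed to the internet"
/ip firewall filter add chain=forward in-interface-list=WAN connection-nat-state=dstnat action=accept \
    comment="3d: generic port-forward rule; the actual dst-nat entries live in /ip firewall nat"
/ip firewall filter add chain=forward action=drop \
    comment="3d: drop all other LAN-LAN, LAN-WAN and WAN-LAN traffic"

# Step 4a/4b: Tools > MAC Server. Winbox-over-MAC only from the trusted list,
# the generic MAC telnet server disabled entirely.
/tool mac-server mac-winbox set allowed-interface-list=LAN
/tool mac-server set allowed-interface-list=none

# Step 5/6: System > Users. Rename the default admin, set a unique password and
# restrict where that login may come from (same network as the input-chain rule).
/user set admin name=netadmin password="REPLACE-WITH-A-STRONG-PASSPHRASE" address=192.168.88.0/24

# Verify the result before leaving Safe Mode: only winbox should be enabled,
# and the input/forward chains should each end in a drop rule.
/ip service print
/ip firewall service-port print
/ip firewall filter print
/tool mac-server print
/tool mac-server mac-winbox print
```

After pasting, open a second winbox session from one of the listed admin hosts on the new port before closing the first; if the second session connects and `/ip firewall filter print` shows the accept rules above the drop rules, the lockout risk is past and Safe Mode can be released. Any service re-enabled later (for example ssh for scripted backups) should get its own `address=` restriction in `/ip service` just as winbox has here.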