Ports open and allowing "Internet" access to Webfig. Shodan.io report.

SecCon · Wed Feb 09, 2022 9:55 am

I see on shodan.io that the following ports are open externally
80, 2000, 8291, 8728.

More info states that

80 / TCP
HTTP/1.1 200 OK
Cache-Control: max-age=31536000
Connection: Keep-Alive
Content-Length: 7063
Content-Type: text/html
Date: Tue, 08 Feb 2022 16:38:33 GMT
Expires: Wed, 08 Feb 2023 16:38:33 GMT
X-Frame-Options: sameorigin

MikroTik RouterOS:
Version: 7.1.1
-1538260461 | 2022-01-11T20:50:45.045237
2000 / TCP
MikroTik bandwidth-test server
\x01\x00\x00\x00
528309196 | 2022-02-04T02:41:25.385111
8291 / TCP
\x13\x02index\x00\x00\x00\x00\x00\x00\x02\x00\x80\x00\x00\x00\x00\x02
2142810711 | 2022-02-05T23:36:31.700023
8728 / TCP
MikroTik RouterOS API Service
\x05!done%=ret=8d93364563e0cf666d18be64b508d168\x00

This is my export config

# feb/09/2022 08:58:18 by RouterOS 7.1.1
# software id = Y7E5-SEZ7
#
# model = RB1100x4
# serial number = D8580E4D7A72
/interface bridge
add name=bridge1
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.1.0/24
/ip dhcp-server
add address-pool=dhcp interface=bridge1 name=dhcp1
/port
set 0 name=serial0
set 1 name=serial1
/queue simple
add limit-at=5M/5M max-limit=100M/100M name=queuebw5 target=192.168.1.0/24
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=ether6
add bridge=bridge1 interface=ether7
add bridge=bridge1 interface=ether8
add bridge=bridge1 interface=ether9
add bridge=bridge1 interface=ether10
add bridge=bridge1 interface=ether11
add bridge=bridge1 interface=ether12
add bridge=bridge1 interface=ether13
/interface detect-internet
set detect-interface-list=all
/interface list member
add interface=ether1 list=WAN
add list=LAN
add interface=bridge1 list=LAN
/ip address
add address=192.168.1.1/24 interface=bridge1 network=192.168.1.0
/ip arp
add address=192.168.1.234 interface=bridge1 mac-address=2C:76:8A:AD:27:86
add address=192.168.1.10 interface=bridge1 mac-address=00:25:90:4B:6B:4B
add address=192.168.1.16 interface=bridge1 mac-address=00:15:5D:01:EA:01
add address=192.168.1.33 interface=bridge1 mac-address=00:15:5D:01:EA:08
add address=192.168.1.35 interface=bridge1 mac-address=00:15:5D:01:EA:09
/ip dhcp-client
add interface=ether1
/ip dhcp-server lease
add address=192.168.1.5 client-id=1:8:55:31:c1:67:57 mac-address=08:55:31:C1:67:57 server=dhcp1
add address=192.168.1.30 mac-address=58:9E:C6:19:81:1D server=dhcp1
add address=192.168.1.100 mac-address=10:BF:48:89:F3:3C server=dhcp1
add address=192.168.1.10 client-id=1:0:25:90:4b:6b:4b mac-address=00:25:90:4B:6B:4B server=dhcp1
add address=192.168.1.40 mac-address=18:16:C9:D0:8B:B2 server=dhcp1
/ip dhcp-server network
add address=0.0.0.0/24 gateway=0.0.0.0 netmask=24
add address=192.168.1.0/24 gateway=192.168.1.1 netmask=24
/ip firewall filter
add action=fasttrack-connection chain=forward comment="fast-track for established,related" connection-state=established,related hw-offload=yes log=yes log-prefix="fast-track for established,related"
add action=accept chain=forward comment="accept established,related" connection-state=established,related log=yes
add action=drop chain=forward comment=invalid connection-state=invalid log=yes log-prefix=invalid
add action=drop chain=forward comment="drop access to clients behind NAT form WAN" connection-nat-state=!dstnat connection-state=new in-interface=ether1 log=yes log-prefix="drop access to clients behind NAT form WAN"
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
add action=dst-nat chain=dstnat dst-port=22022 in-interface-list=WAN log=yes log-prefix=sftp-inleed protocol=tcp src-address=5.150.195.195 to-addresses=192.168.1.22
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
/system clock
set time-zone-name=Europe/Stockholm
/system identity
set name=mt-ro-homered
/tool graphing interface
add allow-address=192.168.1.0/24 interface=bridge1
add allow-address=192.168.1.0/24
/tool graphing resource
add allow-address=192.168.1.0/24

Also I see logon attempts in my logs, but I missed to copy them and not sure how to restore those log entries.

I am seriously concerned about this and do not want it. Never had it before using Mikrotik. It was blank.

Advice?

erlinden · Wed Feb 09, 2022 10:11 am

Your firewall is not complete, herewith the default firewall rules:

/ip firewall filter
add action=accept chain=input comment="accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input comment="accept ICMP" protocol=icmp
add action=drop chain=input comment="drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=accept chain=forward comment="accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="accept out ipsec policy" ipsec-policy=out,ipsec
add action=drop chain=forward comment="drop all from WAN not DSTNATed" connection-nat-state=!dstnat in-interface-list=WAN

This has to be your starting point!

Next step can be making improvements, make sure to read this guide carefully:
https://help.mikrotik.com/docs/display/ ... t+Firewall

SecCon · Wed Feb 09, 2022 10:24 am

OK, haven't done that. Did read it though.

I thought the default config had basic protection.

Jeez, so many manual things to do.

The reason I did not look in to this more is that I plan to set up a PFSense or something like that but the hardware for it is not ready.

erlinden · Wed Feb 09, 2022 10:25 am

OK, haven't done that. I thought the default config had basic protection.

Once again, your firewall rules are not complete (someone did this...). If you add the on mentioned above and remove the current, your config will be safe.
Unless your device is compromised, then netinstall and reconfigure is the only option.

infabo · Wed Feb 09, 2022 10:35 am

I thought the default config had basic protection.

The default config has a basic protection. Someone or you either removed default config or just messed it up

SecCon · Wed Feb 09, 2022 10:38 am

no the device is not compromised...

eh, well, it works, I see no other logged in sessions... nor any abnormal activity or bw hogs...

Should I expect a a message telling me the device is compromised? How do I know for sure?

THIS IS A FRIENDLY MESSAGE FROM YOUR ROUTER
I HAVE BEEN HACKED / TAKEN OVER / CRACKED / ABUSED

PLEASE RESET ME

Jotne · Wed Feb 09, 2022 11:20 am

When you get a Mikrotik Router, it has a default configuration that is an OK starting point.
I this case some has either removed default config and add own config, or reset the router with opt out default configuration to start to make the config from scratch.
It does not go away by it self. So if you have not done it, some else has done it.
I can not see any strange in the config, so it does not look like its hacked.

Edit:

It was blank.

Do you mean that you get it without any configuration?
If so, you can use Quick Set in winbox/web and set a default configuration that you can add custom stuff to it.

SecCon · Wed Feb 09, 2022 11:34 am

I have added

/ip firewall address-list
add address=192.168.1.2-192.168.1.254 list=allowed_to_router
/ip firewall filter
add action=accept chain=input comment="default configuration" connection-state=established,related
add action=accept chain=input src-address-list=allowed_to_router
add action=accept chain=input protocol=icmp
add action=drop chain=input

As a start to protect the router. Will review more as posted by @Erlinden

I do not know what I may have done to remove the basic protection some of you refer to, but I did reset the router and followed the startup instructions before implementing everything posted here and above.

@Jotne: The "blank" part was my shodan.io lookup before The Age of Mikrotik, when my Asus Router handled this.

bpwl · Wed Feb 09, 2022 11:34 am

How do I know for sure?

You actually never know for sure, if the device has been exposed unprotected to the internet or a malicious network.

Read about "rootkit". A well known malware kind that is able to stay hidden, even for the strongest debug tools. (And RouterOS tools give no access to the Linux layer). That's why NetInstall is the only safe option after suspicion of beeing compromised

SecCon · Wed Feb 09, 2022 11:37 am

How do I know for sure?
You actually never know for sure, if the device has been exposed unprotected to the internet or a malicious network.

I know, I may be a noob when it come to Mikrotik, but I have dealt with these kinda things before and at work.

sindy · Wed Feb 09, 2022 11:46 am

Should I expect a a message telling me the device is compromised? How do I know for sure?

THIS IS A FRIENDLY MESSAGE FROM YOUR ROUTER
I HAVE BEEN HACKED / TAKEN OVER / CRACKED / ABUSED

PLEASE RESET ME

If this was even possible, no malware would ever exist. Because if the router was able to detect that it has been compromised, it could also self-repair - it's the detection part that is complicated.

Default firewall rules of SoHo models of Mikrotik form up a pretty good firewall against malware attacking your network directly from outside. If you start tampering with it before understanding what that actually means, the only thing the Mikrotik folks could do about that is to make the router scream as soon as you change anything in the firewall configuration.

The default firewall rules are totally useless against threats coming from inside your LAN. Mikrotik does not do deep packet inspection and TLS man-in-the-middle sniffing, so it cannot prevent you from downloading malware from an infected web site or downloading en e-mail message with a malware attachment. And such malware running on one of your LAN hosts can then spread across your LAN, and/or try to log in to the Mikrotik itself and modify its configuration or even software.

SecCon · Wed Feb 09, 2022 12:03 pm

ok,

got rid of the external port 80 access, not sure exactly which rule did that, but I guess a combo of 2-3 diff.

then set up the rest, one at a time in the webfig interface

/ip firewall address-list
add address=192.168.1.2-192.168.1.245 list=allowed_to_router
/ip firewall filter
add action=fasttrack-connection chain=forward comment="fast-track for established,related" connection-state=established,related hw-offload=yes log=yes log-prefix="fast-track for established,related"
add action=accept chain=forward comment="accept forward established,related, untracked" connection-state=established,related,untracked log=yes
add action=drop chain=forward comment=invalid connection-state=invalid log=yes log-prefix=invalid
add action=drop chain=forward comment="drop access to clients behind NAT form WAN" connection-nat-state=!dstnat connection-state=new in-interface=ether1 log=yes log-prefix="drop access to clients behind NAT form WAN"
add action=accept chain=input comment="default configuration, input accept established,related,untracked" connection-state=established,related,untracked src-address-list=""
add action=accept chain=input comment="allowed to router" log=yes src-address-list=allowed_to_router
add action=accept chain=input comment="icmp allowed" log=yes protocol=icmp
add action=drop chain=input comment="drop access"
add action=drop chain=input comment="drop invalid" connection-state=invalid log=yes
add action=drop chain=input comment="drop all not coming from LAN" in-interface-list=!LAN log=yes
add action=accept chain=forward comment="accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="accept out ipsec policy" ipsec-policy=out,ipsec
add action=drop chain=forward comment="drop all from WAN not DSTNATed" connection-nat-state=!dstnat in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
add action=dst-nat chain=dstnat dst-port=22022 in-interface-list=WAN log=yes log-prefix=sftp-inleed protocol=tcp src-address=5.150.195.195 to-addresses=192.168.1.22

will test some more later

hum, seems I am missing something here

add action=accept chain=input comment="default configuration, input accept established,related,untracked" connection-state=established,related,untracked src-address-list=""

SecCon · Wed Feb 09, 2022 1:12 pm

Should I expect a a message telling me the device is compromised? How do I know for sure?

THIS IS A FRIENDLY MESSAGE FROM YOUR ROUTER
I HAVE BEEN HACKED / TAKEN OVER / CRACKED / ABUSED

PLEASE RESET ME
If this was even possible, no malware would ever exist. Because if the router was able to detect that it has been compromised, it could also self-repair - it's the detection part that is complicated.

I thought @Anav might have a bit of a laugh...

anav · Wed Feb 09, 2022 1:26 pm

Well I did laugh reading the firewall config

Check it out, specifically LINK B. - viewtopic.php?t=182373

SecCon · Wed Feb 09, 2022 3:48 pm

Something is blocking the webfig terminal.
Configuration as posted above. Any ideas?

Never mind, works

Wed Feb 09, 2022 4:53 pm

I do not know what I may have done to remove the basic protection some of you refer to, but I did reset the router and followed the startup instructions before implementing everything posted here and above.

@Jotne: The "blank" part was my shodan.io lookup before The Age of Mikrotik, when my Asus Router handled this.

From the export
# model = RB1100x4

Default firewall is added only to home routers. RB1100 is not considered a home router. You can see the list of config types and applied devices here:
https://help.mikrotik.com/docs/display/ ... igurations

Jotne · Wed Feb 09, 2022 10:04 pm

Interesting. Learned some new to day. So with this type of routers, you have to take even more care and maybe ask some professional to set it up.

SecCon · Wed Feb 09, 2022 11:48 pm

Interesting. Learned some new to day. So with this type of routers, you have to take even more care and maybe ask some professional to set it up.

I am happy to help, sort of. I prefer learning by doing, even if I will admit some of my posts may be confusing to the knowledgeable.

Those ports I mentioned up top are still marked as open as shodan.io reports, but the Router interface do no longer pop up. 80 is blocked. I would really like to close that a bit more, but seems less urgent for now.

SecCon · Wed Feb 09, 2022 11:52 pm

I do not know what I may have done to remove the basic protection some of you refer to, but I did reset the router and followed the startup instructions before implementing everything posted here and above.

@Jotne: The "blank" part was my shodan.io lookup before The Age of Mikrotik, when my Asus Router handled this.
From the export
# model = RB1100x4

Default firewall is added only to home routers. RB1100 is not considered a home router. You can see the list of config types and applied devices here:
https://help.mikrotik.com/docs/display/ ... igurations

Well I started here: https://help.mikrotik.com/docs/display/ROS/Firewall according to Anav's advice earlier... way earlier, weeks ago. So did not look a lot at those default configs for different models.

anav · Thu Feb 10, 2022 9:27 pm

The link I noted in this thread is this one.............
viewtopic.php?t=180838

It has reasonable starting points for firewall config.
Also curious as to what this shows on your device, entered into the command line via Terminal....
/system default-configuration print

SecCon · Fri Feb 11, 2022 9:39 am

/system default-configuration print

#| Welcome to RouterOS!
                    #|    1) Set a strong router password in the System > Users menu
                    #|    2) Upgrade the software in the System > Packages menu
                    #|    3) Enable firewall on untrusted networks
                    #| -----------------------------------------------------------------------------
                    #| LAN:
                    #|     IP on ether1:    192.168.88.1/24;
                    
                    :global defconfMode;
                    :log info "Starting defconf script";
                    #-------------------------------------------------------------------------------
                    # Apply configuration.
                    # these commands are executed after installation or configuration reset
                    #-------------------------------------------------------------------------------
                    :if ($action = "apply") do={
                      # wait for interfaces
                      :local count 0;
                      :while ([/interface ethernet find] = "") do={
                        :if ($count = 30) do={
                          :log warning "DefConf: Unable to find ethernet interfaces";
                          /quit;
                        }
                        :delay 1s; :set count ($count +1); 
                      };
                      :local count 0;
                      :while ([/interface wireless print count-only] < 0) do={ 
                        :set count ($count +1);
                        :if ($count = 40) do={
                          :log warning "DefConf: Unable to find wireless interface(s)"; 
                          /ip address add address=192.168.88.1/24 interface=ether1 comment="defconf";
                          /quit
                        }
                        :delay 1s;
                      };
                    /ip address add address=192.168.88.1/24 interface=ether1 comment="defconf";
                    }
                    #-------------------------------------------------------------------------------
                    # Revert configuration.
                    # these commands are executed if user requests to remove default configuration
                    #-------------------------------------------------------------------------------
                    :if ($action = "revert") do={
                    /user set admin password=""
                     /system routerboard mode-button set enabled=no
                     /system routerboard mode-button set on-event=""
                     /system script remove [find comment~"defconf"]
                     /ip firewall filter remove [find comment~"defconf"]
                     /ipv6 firewall filter remove [find comment~"defconf"]
                     /ipv6 firewall address-list remove [find comment~"defconf"]
                     /ip firewall nat remove [find comment~"defconf"]
                     /interface list member remove [find comment~"defconf"]
                     /interface detect-internet set detect-interface-list=none
                     /interface detect-internet set lan-interface-list=none
                     /interface detect-internet set wan-interface-list=none
                     /interface detect-internet set internet-interface-list=none
                     /interface list remove [find comment~"defconf"]
                     /tool mac-server set allowed-interface-list=all
                     /tool mac-server mac-winbox set allowed-interface-list=all
                     /ip neighbor discovery-settings set discover-interface-list=!dynamic
                       :local o [/ip dhcp-server network find comment="defconf"]
                       :if ([:len $o] != 0) do={ /ip dhcp-server network remove $o }
                       :local o [/ip dhcp-server find name="defconf" !disabled]
                       :if ([:len $o] != 0) do={ /ip dhcp-server remove $o }
                       /ip pool {
                         :local o [find name="default-dhcp" ranges=192.168.88.10-192.168.88.254]
                         :if ([:len $o] != 0) do={ remove $o }
                       }
                       :local o [/ip dhcp-client find comment="defconf"]
                       :if ([:len $o] != 0) do={ /ip dhcp-client remove $o }
                     /ip dns {
                       set allow-remote-requests=no
                       :local o [static find comment="defconf"]
                       :if ([:len $o] != 0) do={ static remove $o }
                     }
                     /ip address {
                       :local o [find comment="defconf"]
                       :if ([:len $o] != 0) do={ remove $o }
                     }
                     :foreach iface in=[/interface ethernet find] do={
                       /interface ethernet set $iface name=[get $iface default-name]
                     }
                     /interface bridge port remove [find comment="defconf"]
                     /interface bridge remove [find comment="defconf"]
                     /interface bonding remove [find comment="defconf"]
                     /interface wireless cap set enabled=no interfaces="" caps-man-addresses=""
                      /caps-man manager set enabled=no
                      /caps-man manager interface remove [find comment="defconf"]
                      /caps-man manager interface set [ find default=yes ] forbid=no
                      /caps-man provisioning remove [find comment="defconf"]
                      /caps-man configuration remove [find comment="defconf"]
                    }
                    :log info Defconf_script_finished;
                    :set defconfMode;
                    
  caps-mode-script: #-------------------------------------------------------------------------------
                    # Note: script will not execute at all (will throw a syntax error) if
                    #       dhcp or wireless-fp packages are not installed
                    #-------------------------------------------------------------------------------
                    
                    #| CAP configuration
                    #|
                    #|   Wireless interfaces are set to be managed by CAPsMAN.
                    #|   All ethernet interfaces and CAPsMAN managed interfaces are bridged.
                    #|   DHCP client is set on bridge interface.
                    
                    # bridge port name
                    :global brName  "bridgeLocal";
                    :global logPref "defconf:";
                    
                    
                    :global action;
                    
                    :log info $action
                    
                    :if ($action = "apply") do={
                    
                      # wait for ethernet interfaces
                      :local count 0;
                      :while ([/interface ethernet find] = "") do={
                        :if ($count = 30) do={
                          :log warning "DefConf: Unable to find ethernet interfaces";
                          /quit;
       }
                        :delay 1s; :set count ($count + 1);
                      }
                    
                      :local macSet 0;
                      :local tmpMac "";
                    
                      :foreach k in=[/interface ethernet find] do={
                        # first ethernet is found; add bridge and set mac address of the ethernet port
                        :if ($macSet = 0) do={
                          :set tmpMac [/interface ethernet get $k mac-address];
                          /interface bridge add name=$brName auto-mac=no admin-mac=$tmpMac comment="defconf";
                          :set macSet 1;
                        }
                        # add bridge ports
                        /interface bridge port add bridge=$brName interface=$k comment="defconf"
                      }
                    
                      # try to add dhcp client on bridge interface (may fail if already exist)
                      :do {
                        /ip dhcp-client add interface=$brName disabled=no comment="defconf"
                      } on-error={ :log warning "$logPref unable to add dhcp client";}
                    
                    
                      # try to configure caps (may fail if for example specified interfaces are missing)
                      :local interfacesList "";
                      :local bFirst 1;
                    
                      # wait for wireless interfaces
                      :while ([/interface wireless find] = "") do={
                        :if ($count = 30) do={
                          :log warning "DefConf: Unable to find wireless interfaces";
                          /quit;
                        }
                        :delay 1s; :set count ($count + 1);
                      }
                    
                      # delay just to make sure that all wireless interfaces are loaded
                      :delay 5s;
                      :foreach i in=[/interface wireless find] do={
                        if ($bFirst = 1) do={
                          :set interfacesList [/interface wireless get $i name];
                          :set bFirst 0;
                        } else={
                          :set interfacesList "$interfacesList,$[/interface wireless get $i name]";
                        }
                      }
                      :do {
                        /interface wireless cap
                          set enabled=yes interfaces=$interfacesList discovery-interfaces=$brName bridge=$brName
                      } on-error={ :log warning "$logPref unable to configure caps";}
                    
                    }
                    
                    :if ($action = "revert") do={
                      :do {
                        /interface wireless cap
                          set enabled=no interfaces="" discovery-interfaces="" bridge=none
                      } on-error={ :log warning "$logPref unable to unset caps";}
                    
                      :local o [/ip dhcp-client find comment="defconf"]
                      :if ([:len $o] != 0) do={ /ip dhcp-client remove $o }
                    
                      /interface bridge port remove [find comment="defconf"]
                      /interface bridge remove [find comment="defconf"]
                    
                    }

I think I got it all....

sindy · Fri Feb 11, 2022 11:34 am

I think I got it all....

In what sense? This confirms (not that it was necessary) what @mrz said - the default configuration of your device doesn't contain any firewall rules. So for an inspiration, on how it looks on the SOHO devices, you need the output of the same command on one of these. I'm running 6.47.10 everywhere so the defaults are not the most up to date ones, but maybe someone else can provide a 6.49.2 one?

SecCon · Fri Feb 11, 2022 11:48 am

I think I got it all....
In what sense?

Only referring to the print, nothing else.... was a bit tricky (for me) to copy-paste from terminal since it involve additional scrolling.

sindy · Fri Feb 11, 2022 11:55 am

was a bit tricky (for me) to copy-paste from terminal since it involve additional scrolling.

Luckily, you can avoid that:
/system default-configuration print file=somenicename
And then you just download somenicename.txt, open it in a text editor, and press Ctrl-A Ctrl-C.

SecCon · Fri Feb 11, 2022 12:02 pm

was a bit tricky (for me) to copy-paste from terminal since it involve additional scrolling.
Luckily, you can avoid that:
/system default-configuration print file=somenicename
And then you just download somenicename.txt, open it in a text editor, and press Ctrl-A Ctrl-C.

While I admittedly have shortcomings in regards to knowledge level of Mikrotik and its terminal, that last part about copy-pasting from txt editor was just rude.

sindy · Fri Feb 11, 2022 12:15 pm

Sorry for trying to be helpful. You wouldn't believe how long it took me to learn about Ctrl-A myself.

CZFan · Fri Feb 11, 2022 1:29 pm

...that last part about copy-pasting from txt editor was just rude.

Seriously?????

SecCon · Fri Feb 11, 2022 1:53 pm

anav · Fri Feb 11, 2022 4:12 pm

Control A, control C?? Never heard of it before and wrong order, one copies then pastes.... it would be control C and then Control A.
I use control C and then Control V, however. Not sure what control A does I will play......

Ahh control A highlights entire contents, the control C makes sense now, but ya still need that control V.

Seriously? Yes I just learned something new..........

SecCon · Fri Feb 11, 2022 4:21 pm

So I posted the default-configuration you asked for. What now?

infabo · Fri Feb 11, 2022 4:27 pm

Now you need to add some firewall filter rules.

I can help one with the default rules from v7

/ip firewall filter
add chain=input action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
add chain=input action=drop connection-state=invalid comment="defconf: drop invalid"
add chain=input action=accept protocol=icmp comment="defconf: accept ICMP"
add chain=input action=accept dst-address=127.0.0.1 comment="defconf: accept to local loopback (for CAPsMAN)"
add chain=input action=drop in-interface-list=!LAN comment="defconf: drop all not coming from LAN"
add chain=forward action=accept ipsec-policy=in,ipsec comment="defconf: accept in ipsec policy"
add chain=forward action=accept ipsec-policy=out,ipsec comment="defconf: accept out ipsec policy"
add chain=forward action=fasttrack-connection connection-state=established,related comment="defconf: fasttrack"
add chain=forward action=accept connection-state=established,related,untracked comment="defconf: accept established,related, untracked"
add chain=forward action=drop connection-state=invalid comment="defconf: drop invalid"
add chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN comment="defconf: drop all from WAN not DSTNATed"

bpwl · Fri Feb 11, 2022 4:32 pm

I think I got it all....
In what sense? This confirms (not that it was necessary) what @mrz said - the default configuration of your device doesn't contain any firewall rules. So for an inspiration, on how it looks on the SOHO devices, you need the output of the same command on one of these. I'm running 6.47.10 everywhere so the defaults are not the most up to date ones, but maybe someone else can provide a 6.49.2 one?

I believe this FW is untouched on an Omnitik ac with 6.49.2

fw6492_omnitik.rsc is the "/ip firewall export print file="
default_omnitik.rsc is the "/system default-configuration print file=" output. Firewall part is the default here, for extraction.

anav · Fri Feb 11, 2022 4:36 pm

Dunno, find someone that has the same version of firmware you have on a device that provides the default config.
All mine of such ilk are on 7.11 and my CCR1009 is still at long term 6.48 and it also has no default config....

Config from scratch is also a fun exercise, where one learns lots!!

SecCon · Fri Feb 11, 2022 4:56 pm

duplicate removed

SecCon · Fri Feb 11, 2022 4:57 pm

Now you need to add some firewall filter rules.

I can help one with the default rules from v7

/ip firewall filter
add chain=input action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
add chain=input action=drop connection-state=invalid comment="defconf: drop invalid"
add chain=input action=accept protocol=icmp comment="defconf: accept ICMP"
add chain=input action=accept dst-address=127.0.0.1 comment="defconf: accept to local loopback (for CAPsMAN)"
add chain=input action=drop in-interface-list=!LAN comment="defconf: drop all not coming from LAN"
add chain=forward action=accept ipsec-policy=in,ipsec comment="defconf: accept in ipsec policy"
add chain=forward action=accept ipsec-policy=out,ipsec comment="defconf: accept out ipsec policy"
add chain=forward action=fasttrack-connection connection-state=established,related comment="defconf: fasttrack"
add chain=forward action=accept connection-state=established,related,untracked comment="defconf: accept established,related, untracked"
add chain=forward action=drop connection-state=invalid comment="defconf: drop invalid"
add chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN comment="defconf: drop all from WAN not DSTNATed"

Thanks I will review this, but I need to compare them to what I already have implemented.

/ip firewall filter
add action=fasttrack-connection chain=forward comment="fast-track for established,related" connection-state=established,related hw-offload=yes log=yes log-prefix="fast-track for established,related"
add action=accept chain=forward comment="accept forward established,related, untracked" connection-state=established,related,untracked log=yes
add action=drop chain=forward comment=invalid connection-state=invalid log=yes log-prefix=invalid
add action=drop chain=forward comment="drop access to clients behind NAT form WAN" connection-nat-state=!dstnat connection-state=new in-interface=ether1 log=yes log-prefix="drop access to clients behind NAT form WAN"
add action=accept chain=input comment="default configuration, input accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input comment="allowed to router" log=yes src-address-list=allowed_to_router
add action=accept chain=input comment="icmp allowed" log=yes protocol=icmp
add action=drop chain=input comment="drop access"
add action=drop chain=input comment="drop invalid" connection-state=invalid log=yes
add action=drop chain=input comment="drop all not coming from LAN" in-interface-list=!LAN log=yes
add action=accept chain=forward comment="accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="accept out ipsec policy" ipsec-policy=out,ipsec
add action=drop chain=forward comment="drop all from WAN not DSTNATed" connection-nat-state=!dstnat in-interface-list=WAN

it seems that some type the rows like
add chain=input action=drop...

and others like
add action drop chain=input...

I guess it will end up doing the same but it is also VERY

confusing, especially when my system writes the export as "add action..."

sindy · Fri Feb 11, 2022 5:15 pm

The most logical order of items would be "chain, match conditions, action, action parameters, comment", but the export shows all that just in a plain alphabetical order. And the default script attempts to be logical but only halfway - first the chain, then the action, then match conditions mixed with action parameters in alphabetical order, and finally the comment.

faizanmazhar00 · Sun Feb 13, 2022 12:06 pm

I see on shodan.io that the following ports are open externally
80, 2000, 8291, 8728..

More info states that

80 / TCP
HTTP/1.1 200 OK
Cache-Control: max-age=31536000
Connection: Keep-Alive
Content-Length: 7063
Content-Type: text/html
Date: Tue, 08 Feb 2022 16:38:33 GMT
Expires: Wed, 08 Feb 2023 16:38:33 GMT
X-Frame-Options: sameorigin

MikroTik RouterOS:
Version: 7.1.1
-1538260461 | 2022-01-11T20:50:45.045237
2000 / TCP
MikroTik bandwidth-test server
\x01\x00\x00\x00
528309196 | 2022-02-04T02:41:25.385111
8291 / TCP
\x13\x02index\x00\x00\x00\x00\x00\x00\x02\x00\x80\x00\x00\x00\x00\x02
2142810711 | 2022-02-05T23:36:31.700023
8728 / TCP
MikroTik RouterOS API Service
\x05!done%=ret=8d93364563e0cf666d18be64b508d168\x00

This is my export config

# feb/09/2022 08:58:18 by RouterOS 7.1.1
# software id = Y7E5-SEZ7
#
# model = RB1100x4
# serial number = D8580E4D7A72
/interface bridge
add name=bridge1
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.1.0/24
/ip dhcp-server
add address-pool=dhcp interface=bridge1 name=dhcp1
/port
set 0 name=serial0
set 1 name=serial1
/queue simple
add limit-at=5M/5M max-limit=100M/100M name=queuebw5 target=192.168.1.0/24
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=ether6
add bridge=bridge1 interface=ether7
add bridge=bridge1 interface=ether8
add bridge=bridge1 interface=ether9
add bridge=bridge1 interface=ether10
add bridge=bridge1 interface=ether11
add bridge=bridge1 interface=ether12
add bridge=bridge1 interface=ether13
/interface detect-internet
set detect-interface-list=all
/interface list member
add interface=ether1 list=WAN
add list=LAN
add interface=bridge1 list=LAN
/ip address
add address=192.168.1.1/24 interface=bridge1 network=192.168.1.0
/ip arp
add address=192.168.1.234 interface=bridge1 mac-address=2C:76:8A:AD:27:86
add address=192.168.1.10 interface=bridge1 mac-address=00:25:90:4B:6B:4B
add address=192.168.1.16 interface=bridge1 mac-address=00:15:5D:01:EA:01
add address=192.168.1.33 interface=bridge1 mac-address=00:15:5D:01:EA:08
add address=192.168.1.35 interface=bridge1 mac-address=00:15:5D:01:EA:09
/ip dhcp-client
add interface=ether1
/ip dhcp-server lease
add address=192.168.1.5 client-id=1:8:55:31:c1:67:57 mac-address=08:55:31:C1:67:57 server=dhcp1
add address=192.168.1.30 mac-address=58:9E:C6:19:81:1D server=dhcp1
add address=192.168.1.100 mac-address=10:BF:48:89:F3:3C server=dhcp1
add address=192.168.1.10 client-id=1:0:25:90:4b:6b:4b mac-address=00:25:90:4B:6B:4B server=dhcp1
add address=192.168.1.40 mac-address=18:16:C9:D0:8B:B2 server=dhcp1
/ip dhcp-server network
add address=0.0.0.0/24 gateway=0.0.0.0 netmask=24
add address=192.168.1.0/24 gateway=192.168.1.1 netmask=24
/ip firewall filter
add action=fasttrack-connection chain=forward comment="fast-track for established,related" connection-state=established,related hw-offload=yes log=yes log-prefix="fast-track for established,related"
add action=accept chain=forward comment="accept established,related" connection-state=established,related log=yes
add action=drop chain=forward comment=invalid connection-state=invalid log=yes log-prefix=invalid
add action=drop chain=forward comment="drop access to clients behind NAT form WAN" connection-nat-state=!dstnat connection-state=new in-interface=ether1 log=yes log-prefix="drop access to clients behind NAT form WAN"
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
add action=dst-nat chain=dstnat dst-port=22022 in-interface-list=WAN log=yes log-prefix=sftp-inleed protocol=tcp src-address=5.150.195.195 to-addresses=192.168.1.22
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
/system clock
set time-zone-name=Europe/Stockholm
/system identity
set name=mt-ro-homered
/tool graphing interface
add allow-address=192.168.1.0/24 interface=bridge1
add allow-address=192.168.1.0/24
/tool graphing resource
add allow-address=192.168.1.0/24

Also I see logon attempts in my logs, but I missed to copy them and not sure how to restore those log entries.

I am seriously concerned about this and do not want it. Never had it before using Mikrotik. It was blank.

Advice?

sindy · Mon Feb 14, 2022 2:38 pm

...
Also I see logon attempts in my logs, but I missed to copy them and not sure how to restore those log entries.

I am seriously concerned about this and do not want it. Never had it before using Mikrotik. It was blank.

Advice?

There are no rules whatsoever in chain input of /ip firewall filter, so the router itself indeed accepts incoming connections from anywhere.

@bpwl has posted above the default configuration of a model whose default configuration does contain firewall rules, so copy the /ip firewall filter rules referring to chain=input verbatim from there, preserving the same mutual order. You will see that the router will not respond to incoming requests from the internet any more. It may take time until Shodan updates its data, though.

After that, the best thing would be to export the configuration into a file, download it to a PC, disconnect the router from the internet uplink, netinstall it, and restore the configuration manually from the export before connecting the router back to the internet. The thing is that since its management interfaces were exposed to the internet for a while, it may be infected by now, and there is no way to find out.

Regarding the log messages, by default only the newest 1000 log messages are stored, so you have to change that or send the log to an external storage using syslog if you want a deeper history.

SecCon · Mon Feb 14, 2022 4:27 pm

I just noticed that 1 on my posts above occurs twice. Not intended and I have edited it blank...

I still want more info on the Mikrotik services that are keeping theses ports open 2000, 8291, 8728..

2000 / TCP
MikroTik bandwidth-test server
\x01\x00\x00\x00
528309196 | 2022-02-04T02:41:25.385111
8291 / TCP
\x13\x02index\x00\x00\x00\x00\x00\x00\x02\x00\x80\x00\x00\x00\x00\x02
2142810711 | 2022-02-05T23:36:31.700023
8728 / TCP
MikroTik RouterOS API Service
\x05!done%=ret=8d93364563e0cf666d18be64b508d168\x00

Ah wait: https://help.mikrotik.com/docs/display/ROS/Services

And the 8291 is WinBox open externally? I have seen a filter blocking that somewhere.

sindy · Mon Feb 14, 2022 4:30 pm

8291 is Winbox, 8278 is API - see IP->Services. 2000 is bandwidth test server (not shown under IP->Services).

anav · Mon Feb 14, 2022 4:40 pm

Post your config please, otherwise this whackamole gane is unnecessarily tiring.

SecCon · Tue Feb 15, 2022 8:58 am

Post your config please, otherwise this whackamole gane is unnecessarily tiring.

I think I have posted it like three times in this thread already... have the damn llama raise its eyes and scroll a bit upwards.

Znevna · Tue Feb 15, 2022 9:08 am

Is this thread some shodan advertisement or?

SecCon · Tue Feb 15, 2022 11:04 am

Is this thread some shodan advertisement or?

No.
Shodan is an independent service than can be used to track IoT devices. In its most basic function it will report open ports and some info about them on any network IP specified in its search. It is one way to check what communication the "internet" has with your network and perhaps what you might or should do about it.

Doing this: https://www.shodan.io/search?query=www.microsoft.com shows you a lot of info on the different MS servers, admittedly I wouldn't know what to do with half of it, but just to show you an example.

sindy · Tue Feb 15, 2022 11:06 am

... or you could call it "cloud nmap", allowing you to audit your network from the outside.

Znevna · Tue Feb 15, 2022 11:40 am

@SecCon: you need to fix your firewall before you start looking at microsoft webservers.
So, do that, build your firewall.

anav · Tue Feb 15, 2022 1:50 pm

Post your config please, otherwise this whackamole gane is unnecessarily tiring.
I think I have posted it like three times in this thread already... have the damn llama raise its eyes and scroll a bit upwards.

Only valid if you have not made any changes since the last time and if you havent made any changes since the last time,,,,,,,,,,, then no point in looking at it since you seem to cling to old setups and avoiding advice to change.

SecCon · Tue Feb 15, 2022 2:40 pm

Don't see why I have to repeat myself. Latest post was this: viewtopic.php?t=183075#p912397 which also had some additional questions about command sequence lineup.

Znevna · Tue Feb 15, 2022 2:44 pm

You're not launching a space rocket.
You make a backup.
You try to fix your firewall.
If you done goofed you restore the backup and repeat.

Who is online