MikroTik

It has come to our attention, that somebody has created a script that logs into unprotected devices and sets a password, along with a new identity name. This affects devices that have public IP addresses.

Most MikroTik devices have a firewall on the public interface - please remember that disabling your public firewall is not a good idea. If you have a good reason to open your device to the outside world, make sure you create a new user with a strong password and then disable your default admin user.

We have created a great article about the steps you need to take to protect a device that has a public IP address:
https://wiki.mikrotik.com/wiki/Manual:S ... our_Router

In short:
- don't use the default admin user
- use a strong password for your own user
- improve upon the default firewall rules, do not disable it
- turn off the services you don't use
- keep your device up to date

Thanks for this post. It is true, we have been receiving many inquiries during this past week regarding articles talking about a MikroTik security break, when it seems all of them have been related to insecure router setup. The steps suggested may seem obvious, but the truth is there are many, many devices out there without the minimum attention to security. Lets secure our routers and avoid bad reputation on MikroTik / RouterOS.

Set networks for ALL services even if they are disabled.
Set networks for ALL users, with strong passwords.
Disable Mac Servers for interfaces that do not need it.
Disable IP Neighbour for interfaces that do not need it.
IF Deploying Romon consider segment key usage and have different hops for different stuff in your net.

Disable Packages that you do not need.

This is basic security.

Another improvement would be when devices are not shipped with empty admin password, but initially would have
some password that cannot be so easily guessed from outside. Even using the ether1 MAC address as initial password
would be better than nothing (as normally the MAC address is not visible to an attacker on internet).
Of course it is not optimal (an attacker on WiFi can see the MAC address of the WiFi and quite easily guess the ether1 MAC)
but it would be a change that does not require manufacturing changes. The MAC is already on the label and available
to the software.
Other manufacturers are already a step ahead and have an initial password that is printed on the label, and apparently
stored in some flash memory at manufacturing.
It would also be advisable to have a default auto-upgrade or at least an initial upgrade when the device first gets internet
connectivity. That would also be the moment when changes like the above would get incorporated into already manufactured
devices.

I agree that Mikrotik should move toward unique default passwords, which many other manufacturers have done (usually some component of the MAC address). But at least so far, it seems like these defacements have been happening in instances where the router's administrative services were available from the Internet and no password was set. Admins who open the firewall need to understand the ramifications of what they're doing. To help keep your router secure from the Internet, here's what I recommend from most to least important:

1. Ensure that your administrative services aren't available on the WAN interface. By default the firewall will prevent this of course. But maybe people either disabled that to get something working and never turned it back on, or forgot to turn it back on, or didn't realize that Mikrotik devices have an implicit allow at the end of the firewall ruleset. Doing something like the following and moving it to the top of the ruleset would help, assuming you run SSH, HTTP, and Winbox on the default ports with your WAN interface in the WAN interface list:

/ip firewall filter add action=drop chain=input comment="no admin access to router from WAN" dst-port=22,80,8291 in-interface-list=!WAN protocol=tcp

2. Change the admin user name to something else, and set a strong password.

3. In IP > Services, disable unused services and minimally set custom ports for SSH and HTTP as in the following example:

/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh port=22222
set api disabled=yes
set www port=8888

Of course, when setting custom ports ensure that they aren't available from the Internet as in step 1.

4. Back to IP > Services: disable unencrypted services (telnet, HTTP, FTP, api) and use encrypted services like SSH and Winbox. If you need a web interface, set up a CA and issue yourself a cert that can be used for HTTPS (custom port for that too). For enabled admin services, I would also consider setting an appropriate network that is allowed as in the following example: /ip service set winbox address=192.168.88.0/24.

5. Disable the Btest server - it listens on the WAN interface: /tool bandwidth-server set enabled=no

6. In IP > Neighbors, ensure that discovery is not available on your WAN interface at a minimum.

/ip neighbor discovery-settings
set discover-interface-list=!WAN

7. In Tools > MAC Server, ensure that only your LAN interfaces are available. I'm less concerned about this from the Internet since it's layer 2.

/tool mac-server set allowed-interface-list=LAN
/tool mac-server mac-winbox set allowed-interface-list=LAN

8. Enable strong ciphers on the SSH server, which is command line only: /ip ssh set strong-crypto=yes
This should be the default, and there should instead be a command-line options to disable weak ciphers.

There's a lot more you can do (disable unused accounts, remove unused packages, etc.), but this list is basically the minimum I'd recommend to protect the router from the Internet. Right now, go to Shodan.io and search for your public IP (you don't even need a login to do this). You might be surprised what you find there...

mt99, do you really expect that every owner of every MikroTik device would follow such a lengthy advise?
really, the only thing that can be done is using good default settings. then some people might improve or customize them,
and those that do not know or do not care are not left vulnerable.

mt99, do you really expect that every owner of every MikroTik device would follow such a lengthy advise?
really, the only thing that can be done is using good default settings. then some people might improve or customize them,
and those that do not know or do not care are not left vulnerable.

What's wrong with it? Have you even read o'reilly's book on securing cisco routers? So why should we care less for MikroTik routers???

mt99 +1

Sent from Tapatalk

I will assure you that not everyone who buys a MikroTik device will buy and read an o'reilly book on securing cisco routers with it!

That is why manufacturers, especially of devices that are also used by home customers, need to sell things that are secure by default.
The firewall is now better than it was before, but of course that only applies to devices that have 6.40 or later firmware and are reset to defaults.
This week I bought a hAP AC, also a device that is sold to home customers, and it came with 6.39.2 so after I upgrade it to 6.41 I still
needed to do a reset to defaults to get the new firewall config.
AND, it still comes with admin-with-no-password and WiFi-with-no-security. These all have to be setup by the customer and there
is NO warning in the user interface that this should be done (I think it is in the leaflet but it has very small grey print that is hard to read).
Other manufacturers are way ahead in this aspect, with unique default admin passwords and unique WPA2 passwords on WiFi for
every device as it comes out of the box. Or prompting to set a password the moment the first logon is done.

If you are familiar with mikrotik ros its a matter of 5-10 mins to secure your router with the above recomendations. Nice guide thanx

If you are familiar with mikrotik ros its a matter of 5-10 mins to secure your router with the above recomendations.

yes it is, but the problem is not the people who are familiar with RouterOS or security.
the problem is the users who buy a device, plug it in, look on youtube for a movie made by another beginner on how to setup PPPoE, and stop doing anything once they can surf the web.
THAT is the category of users who now got hacked. it is useless to write about how to secure a router for those people, they won't read it and probably won't understand it.
to keep those people safe, the only thing that works is security by default and mandatory security, like unique default password or mandatory password change on first logon.

Then there is logging...

Following the above steps is good, but having logging configurations in place that notify you when an event occurs (ie. Failed logon attempts/port scanning) AND *sending your logs off site* is invaluable; of someone gets in, they will probably delete the logs.

Sent from my Pixel 2 using Tapatalk

One step to improve RouterOS' security is to finally make IP > Services bind on specific IPs/Interfaces.

That way even if someone does not set up their firewall properly, those management services can be configured to not be available on the WAN.
It's much simpler for a novice user to set those services to bind only on LAN interfaces/IPs than set up a proper firewall.

Also it's helpful for core routers that do not (want to) use any firewall rules at all but still need to limit access to it.
Right now we can only limit the IP ranges that are allowed to connect to those services, but this doesn't reduce the attack surface much, and they can potentially give out information about the router.

Also, what's mikrotik's position on the Spectre and Meltdown CPU bugs that were announced recently?
Can we expect a kernel update for RouterOS for x86?

mt99, do you really expect that every owner of every MikroTik device would follow such a lengthy advise?

No, that's why you script it. I would never hand edit all that stuff, plus scripting eliminates the possibility of mistakes. I have a deployment script that I run on every router that has baseline security settings, plus other things like setting NTP and time zone, logging, and more. Here's a short example.

Is mikrotik affected by Spectre and meltdown bugs?

Sent from my C6833 using Tapatalk

Is mikrotik affected by Spectre and meltdown bugs?

To my understanding, RouterOS x86 and CHR are definitely affected, but since you cannot run your own binaries there they cannot be exploited (unless there are other vulnerabilities that allow one to execute arbitrary code on a router). ARM devices may also be affected, but the same "exploitability" considerations apply.

And taking into account the inevitable performance degradation, the necessity to apply Meltdown and Spectre patches to RouterOS is rather arguable.

- don't use the default admin user

But... why?

- don't use the default admin user

But... why?

if you know the username, it is very easy to brute-force simple passwords. if you don't know the username, brute-force is basically out of the question.

if you know the username, it is very easy to brute-force simple passwords. if you don't know the username, brute-force is basically out of the question.

https://en.wikipedia.org/wiki/Security_ ... _obscurity

Is that advice actual when you

use a strong password

?

Anyway, why not just rename 'admin' user? That was actually the point...

Renaming admin is the same as not using admin.

if you know the username, it is very easy to brute-force simple passwords. if you don't know the username, brute-force is basically out of the question.

It merely squares the search space.
Anyway, the point is that users are hit that did not take basic security measures. It is useless to post advises, because those users do not read advises.
The only thing that helps is setting up a default configuration that is secure. As of now, the default firewall is much better than before
(because addition of a PPPoE interface does not open the device for world access anymore), but unfortunately the default is determined during
first powerup so routers that are now in the stores often still get the old firewall even when they are upgraded immediately.
What is also still missing is a reasonable default password or security behaviour. I.e. an initial password that is more difficult to guess and/or
the obligation to change the password on the first login.

This post was mostly meant to clarify what happened. I realise that this forum is mostly used by security conscious people.
As far as default passwords go ... we will have to think about it. There are pros and cons. It's up for debate. You see there is already a default firewall, it got removed anyway.

Or even better: Upload ssh public keys to the device
and keep always-allow-password-login set to no:
Password login is no longer possibly and brute force attack can never succeed.

BTW, the RouterOS ssh server supports port forwarding. So if you want to manage a remote device via web interface you can open ssh service for WAN, but close http/https. Then connected to ssh with port forwarding to port 80/443 enabled and use web interface through the tunnel.

You see there is already a default firewall, it got removed anyway.

I think the typical scenario is:
- device is bought with pre-6.40 firmware and powered up
- it may or may not be updated to 6.40 or later, that does not matter anymore (when no reset to defaults is done afterward)
- firewall only drops everything new from ether1
- a PPPoE interface is added manually following some youtube video directions, instead of by using Quick Set.
- now the internet-facing interface is ppoe-in1 and it allows all input

This will not happen so easily anymore once devices are shipped with 6.40 or later. Or maybe when the update
procedure detects an all-defaults firewall and updates it to the current one when RouterOS is updated.

Another thing that could be considered is to auto-update to some reliable version (maybe a separate release channel is
to be created for that, which would not include new "risky" developments like 6.41 but could be more current than "bugfix")
where all devices are regularly updated by default (until the admin disables this behavior, when he doesn't desire it).

That will at least keep devices uptodate in the hands of inexperienced people.

Code: Select all

/ip firewall filter
# ensure this is at the top of the rule list
add action=accept chain=input comment="allow admin access to router from authorized clients" dst-port=22222,8888,8291 in-interface-list=!WAN protocol=tcp

Will be very nice if mikrotik add to the dst-address-type an other option like "local-network" which will refers to all locally connected networks, like the local parameter but instead of using only the local address use the netmask. This rule can be changed and only who is connected to the local networks connected to the router will have access .

Will be very nice if mikrotik add to the dst-address-type an other option like "local-network" which will refers to all locally connected networks, like the local parameter but instead of using only the local address use the netmask.

That is just a different approach to what is already there. The current firewall uses interface lists to group interfaces in categories like WAN and LAN, and filters according to that.
Sometimes it uses "not" operators to make it more failsafe: e.g. using "!LAN" for cases where you would want to write "WAN" makes sure that a new WAN interface is properly handled even when it is not placed in the WAN interface list (because the admin does not know or does not care).
Filtering on address is just a different approach for that. You can do it when you like, but by default it filters on interface.

One of the first steps I take when deploying Mikrotik kit, is generating a local certificate, signing it locally and enabling HTTPS with it, disabling HTTP. This gives the same level of protection that SSH affords.

It would be a step forward if this was done at first boot. Clearly the chain of trust can't be validated (as with SSH), but it prevents a class of attacks.

One of the first steps I take when deploying Mikrotik kit, is generating a local certificate, signing it locally and enabling HTTPS with it, disabling HTTP. This gives the same level of protection that SSH affords.

True, but that protection is absolutely zero. It only protects you against people sniffing the password, which is unlikely to be
the scenario of the attacks. The problem is keeping the default (empty) password or using an obvious password that can be
found by trying a small list of common passwords. The https is going to do absolutely nothing about that.

A better protection would be to use a certificate for SSH login instead of a password, but I don't think that is possible with
https right now.

One of the first steps I take when deploying Mikrotik kit, is generating a local certificate, signing it locally and enabling HTTPS with it, disabling HTTP. This gives the same level of protection that SSH affords.

True, but that protection is absolutely zero. It only protects you against people sniffing the password, which is unlikely to be
the scenario of the attacks. The problem is keeping the default (empty) password or using an obvious password that can be
found by trying a small list of common passwords. The https is going to do absolutely nothing about that.

A better protection would be to use a certificate for SSH login instead of a password, but I don't think that is possible with
https right now.

HTTPS per default rather than HTTP would be on the same basis SSH is used rather than eg telnet.

This is in orthogonal and in addition to the obvious of having a unique default password as already suggested.

PeIchl, I completely disagree with your logic.
I am a perfect example. I don't have any IT degrees or training.
I have used the basic consumer router many moons ago the netgear RT311 (made by zyxel) and then switched to zyxel every since.
I have programmed their routers at a basic level and through work had to once deal with a CrISCO router as well, simply from good advice and reading tons and asking questions.

No one, I know and I mean no one, goes to their local store and buys Mikrotik. It is not a consumer brand. I dont know a single person other than on the forums that owns one.
It is a niche market that attracts those running WISPS, or are comfortable in LINUX, software, and are in the ubiquiti, pfsense, sophos on a PC search for something cheaper than Fortigate or Juniper etc.....

Then there are home owners like me that like to dabble, may have some knowledge, and are willing to take the plunge. I read everything I can get my hands on.
Mt99s post was bang on for someone like me, it makes sense, and is really a compilation of bits and pieces one can find on the net but in one spot.
Maybe it is different in your neck of the woods, so I will cut you some slack.
In summary, instead of dissing mt99s comments, you should have said, its not applicable where I live and leave it at that because your statement is complete BS, where I live (in North America).


ref: Daniel, nice suggestion. Right now i turned off everything except WINBOX on the LAN. Changed my SSH port everything else off. I have always resisted getting a cert for my router mainly due to the expense. However I recently came across some certs for a decent price and you have reminded me to revisit and perhaps take the plunge if nothing else to become familiar with the process. [edit, found the link https://cheapsslsecurity.com/}

Normis, please tell Mikrotik to raise their prices, like about 5-10$ should do it. We all want to see you move out of your car and into an apartment. Oh, and, where do I send a razor, that beard is out of control.

If you are familiar with mikrotik ros its a matter of 5-10 mins to secure your router with the above recomendations.

yes it is, but the problem is not the people who are familiar with RouterOS or security.
the problem is the users who buy a device, plug it in, look on youtube for a movie made by another beginner on how to setup PPPoE, and stop doing anything once they can surf the web.
THAT is the category of users who now got hacked. it is useless to write about how to secure a router for those people, they won't read it and probably won't understand it.
to keep those people safe, the only thing that works is security by default and mandatory security, like unique default password or mandatory password change on first logon.

Those won't buy a MT device in the first place...

and keep always-allow-password-login set to no:

Code: Select all

[admin@mikrotik] > /ip ssh set always-allow-password-login=no

Password login is no longer possibly and brute force attack can never succeed.

Regarding this, that is not actualy the case.

Even with this option set to no (which is by the way already set by default), the SSH password will always work, unless you put the SSH public key, only then it will not work.
The only way to use SSH key and the password, is to set this option to yes.

Is it safe, to have SSH key and always-allow-password-login=yes?

and keep always-allow-password-login set to no:

Code: Select all

[admin@mikrotik] > /ip ssh set always-allow-password-login=no

Password login is no longer possibly and brute force attack can never succeed.

Regarding this, that is not actualy the case.

Even with this option set to no (which is by the way already set by default), the SSH password will always work, unless you put the SSH public key, only then it will not work.

That's true, but I did not state anything else. If you look at my post this should be clear. Please do not cite just half of important information.

The only way to use SSH key and the password, is to set this option to yes.

Is it safe, to have SSH key and always-allow-password-login=yes?

Well, it allows password login even if an SSH key is uploaded. It's up to you whether or not that meets your security requirements.

There seems to be a mistake in ipv6 section (wrong prefix length):
Should probably be:

"to have SSH key and always-allow-password-login=yes?"

Well, it allows password login even if an SSH key is uploaded. It's up to you whether or not that meets your security requirements.

So i need to set some random password for those ssh users that i want ONLY ssh key login so that won't get in other services (winbox,telnet,..) without password ?

If you are familiar with mikrotik ros its a matter of 5-10 mins to secure your router with the above recommendations.

yes it is, but the problem is not the people who are familiar with RouterOS or security.
the problem is the users who buy a device, plug it in, look on youtube for a movie made by another beginner on how to setup PPPoE, and stop doing anything once they can surf the web.
THAT is the category of users who now got hacked. it is useless to write about how to secure a router for those people, they won't read it and probably won't understand it.
to keep those people safe, the only thing that works is security by default and mandatory security, like unique default password or mandatory password change on first logon.

Hi,
maybe is better to disable default setting and to remove quick set. RouterOS and MikroTik HW should be configured by technical specialist and not by consumer people who does not understand security. This end user people want something that is "click" and "click" ..for this they could buy other products, but not MikroTik.
In current world more people then before know that security is important.
I personally hate that in MikroTik is quick set to set some default setting and is possible by clicking to set "something" that end user does not understand.
I always reset default configuration to have "no configuration" when I am preparing device for my customers.
When there will be no quick set and no default config - simply nothing - it will not do anything unless you know how to setup.
For this reason usually is good for that people who do not know how to setup to find somebody who could setup it.
I understand that MikroTik wants to sell to everybody, but do you really want to be some horrible technology like very cheap units from TP-link, Ubiquity or others ?
Better is to have some option that everybody who buy MikroTik device have to contact some specialist to set it for him - it will make business good for all of us who are technical specialists and know about it.
I thing there could be some list of specialist(not only certified) and customer could get some advantage with new purchased device which will motivate him or really press him to contact somebody.
There could be some form of discount on first setup from specialist or other promo - I thing it is good theme for MikroTik marketing department.
From my point of view I still see MikroTik devices as something more than cheap router from online shop and something that should be set by some technical specialist.
What do you think of this?

If you are familiar with mikrotik ros its a matter of 5-10 mins to secure your router with the above recommendations.

yes it is, but the problem is not the people who are familiar with RouterOS or security.
the problem is the users who buy a device, plug it in, look on youtube for a movie made by another beginner on how to setup PPPoE, and stop doing anything once they can surf the web.
THAT is the category of users who now got hacked. it is useless to write about how to secure a router for those people, they won't read it and probably won't understand it.
to keep those people safe, the only thing that works is security by default and mandatory security, like unique default password or mandatory password change on first logon.

Hi,
maybe is better to disable default setting and to remove quick set. RouterOS and MikroTik HW should be configured by technical specialist and not by consumer people who does not understand security. This end user people want something that is "click" and "click" ..for this they could buy other products, but not MikroTik.
In current world more people then before know that security is important.
I personally hate that in MikroTik is quick set to set some default setting and is possible by clicking to set "something" that end user does not understand.
I always reset default configuration to have "no configuration" when I am preparing device for my customers.
When there will be no quick set and no default config - simply nothing - it will not do anything unless you know how to setup.
For this reason usually is good for that people who do not know how to setup to find somebody who could setup it.
I understand that MikroTik wants to sell to everybody, but do you really want to be some horrible technology like very cheap units from TP-link, Ubiquity or others ?
Better is to have some option that everybody who buy MikroTik device have to contact some specialist to set it for him - it will make business good for all of us who are technical specialists and know about it.
I thing there could be some list of specialist(not only certified) and customer could get some advantage with new purchased device which will motivate him or really press him to contact somebody.
There could be some form of discount on first setup from specialist or other promo - I thing it is good theme for MikroTik marketing department.
From my point of view I still see MikroTik devices as something more than cheap router from online shop and something that should be set by some technical specialist.
What do you think of this?

What I think is, automate what MikroTik has said for a million time: https://help.mikrotik.com/docs/display/ ... our+router

@DarkNate ... why you quote whole previous post just to add one line sentence? Why you do not "post reply"?
Please read this viewtopic.php?p=864613#p864613 and link in my signature.

Why do you keep spamming every post with your quote spam. People will quote how they want to quote and if you dont like it remove the quote feature.
I am now going to report every single time you fill a thread with your quote spam.

Just to teach users to use forum properly ... it's easy ... just press another button.

Ahh okay,
Recommend that when users first join, that becomes part of the instruction set !

@DarkNate ... why you quote whole previous post just to add one line sentence? Why you do not "post reply"?
Please read this viewtopic.php?p=864613#p864613 and link in my signature.

Remove the feature if you don't want it to be used.

Does it cost you so much to use the forum correctly,
instead of replying in this stupid way?

It seems that someone has become victim of a hacker that locked down their router and made it impossible for him to reset it.
I think that in addition to requiring users to secure a device, it can also be expected from MikroTik to secure their system against such events.
In this case the /system routerboard settings like "reformat hold button", "reformat hold button max" and "protected routerboard" were changed by the attacker.
These settings are only for niche applications, like for a ISP giving out routers to customers. Normal users do not use this, yet it can be dangerous.
I hope MikroTik can consider either removing these features (I see they are not present in my RB4011 running v7.1rc6, maybe they already are in the process of removing them), or at least put them behind some considerable physical protection, e.g. to enable such settings you need to briefly press the button within a minute of applying them, or else they will be reverted.
This should restrict these features from being enabled remotely by an attacker.

I concur with pe1chl and the less restrictive press button within a minute is easier to accept to users than the my proposal to to press that button after in the just set time.
I would also suggest to not be able to set the timespan between start and end-time less than three seconds.

And I will repeat what I wrote earlier, that is disappionting that Mikrotik did not implement a this confirmation from the start.

Now there are out there a lot of routers that can be held hostage....for years to come if not upgraded to a fixed RouterOS.

I concur with writers above.
once someone has physical access to a router, it should always be resetable ...
limiting these "times" is the least that could be done

It a feature that is usefull when it protected against missuse.

When you able to reset the router in any case then the feature has become useless.

Better if it is, for example, to enable this functionality only with serial port or on netinstall event...
Never from winbox / ssh / web.

As an ISP I use netinstall to prepare the devices before putting them in the users' house or roof.

to enable such settings you need to briefly press the button

Press what button?

I concur with writers above.
once someone has physical access to a router, it should always be resetable ...

Well, the "protected routerboot" with these times is there exactly to prevent that. It is for routers that are not owned by you but are placed in a location where you have physical access.
I can understand the usefulness of this feature but I think it should not be possible to enable it from a remote logon.

to enable such settings you need to briefly press the button

Press what button?

"the button". also known as the "reset button". some routers have 2 buttons, but all of them have at least 1 I think.

For me, 99% MT is behind FW
If I need access to it from outsite - VPN
SSH by the keys. Password - random generated
User Admin changed to another one, just in case
Another user to use for daily usage
All services not need to access from outsite - disabled/blocked at FW
FW rules to slow down scaning/brutal force

So, from public point of view - usually VPN(openvpn) only