[admin@MikroTik] /user> set admin name=comunicaciones
failure: user name can't be changed
Thanks! Have a good day!
Make a new user, then re-login. There are big security changes in last versions, rename is no longer possible.
I think it's safe to assume that changing the admin password to something "uncrackable" like a 20-character long string with special characters, and then creating a new admin user with your desired password, will achieve the same effective level of security as changing the admin username to your desired new username and then setting that to your desired password. I mean there's not a remote chance in hell that anyone is going to crack a 20-character long password string with special characters via brute force over telnet/ssh - they can forget it. So yeah, technically changing the username IS "theoretically" stronger, but in a case like this that advantage is almost totally negligible/non-existent.
Also a bit strange for me.
So in order to secure an access to the admin panel we may only change the password?
Am I wrong in thinking that changing the user name and password is much stronger protection than just a password?
+1@man: You can always create completely new user and disable/delete original "admin".
I like your choice of word, "resistant". You look like someone who understands that nothing is ever "proof".
Thanks guys!
I want to create a HotSpot and need to be sure that the system will be "Hacker resistant" (sure, I know that if someone really wants to hack a system it will be done...)
I have already blocked all pings from Hotspot network at firewall filter and so on ...
And for those of us who have already been doing that for years with an initialization script, MikroTik has just made that even more difficult.
I agree. Deleting "admin", even if it has a pwd from hell is that much more secure.
Not really. I implemented my init script this way before it was enforced:
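# Make sure the "full" group really carries every policy
/user group
set full name=full policy=local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitive,api,romon,dude,tikapp skin=default
/user
# Create the new admin user; ignore the error if it already exists
:do {
    add address="" disabled=no group=full name=myadmin
} on-error={};
# (Re)apply the intended settings and password
set myadmin address="" disabled=no group=full password=NobodyWillGuessThis
# Remove every user except myadmin
remove [find (name="myadmin" = false)]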
Which means you have to be careful to chase every new permission that MikroTik adds to the system. As I said, more work.
It does not depend on what user(s) exist. It just makes sure that the "full" group is really full, creates a new "full" user and deletes every single user except this one. I would say pretty failproof...
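# A new group starts with every policy negated ("!name"), so it lists all policy names
/user group add name=temppolicy
:local defpolicy [:tostr [/user group get temppolicy value-name=policy]]
:local fullpolicy
# Copy the list character by character, dropping "!" and turning ";" into ","
:for i from=0 to=([:len $defpolicy] - 1) do={
    :local char [:pick $defpolicy $i]
    :if ($char = "!") do={:set char ""}
    :if ($char = ";") do={:set char ","}
    :set fullpolicy ($fullpolicy . $char)
}
/user group remove temppolicy
# Give the "full" group every policy found
/user group set full policy=$fullpolicy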
Any time you use :local outside a set of curly brackets, the results will be indeterminate depending on under what environment you execute the script.
Figured out that, for whatever reason, on RouterOS 6.43.7 on an RB4011, it will fail that way if run in verbose mode. If I don't run in verbose mode it works fine.
If anyone has an explanation that would be great. I've seen weird things happen in verbose mode that didn't happen when not in verbose mode before, but I'd forgotten about that until tonight.
Ohh! Now it makes way more sense! Thanks heaps for this clarification! You really deserve cookies (or internetz or kudos or whatever currency you like)!
I think maybe I didn't state this entirely clearly.
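The two scripts posted in this thread, combined and wrapped in one set of curly brackets so the :local variables stay in scope however the script is run. This is an added example, not code from any poster or from MikroTik; the user name myadmin comes from the thread, and the newpass variable and its placeholder value are assumptions.

```routeros
# Added example: everything sits inside one { } block so :local is well defined.
{
    # Placeholder (assumption): replace with a long random password before use.
    :local newpass "REPLACE-WITH-LONG-RANDOM-PASSWORD"

    # Derive the list of all policies from a throwaway group. As the script
    # in the thread assumes, a new group lists every policy negated ("!name").
    /user group add name=temppolicy
    :local defpolicy [:tostr [/user group get temppolicy value-name=policy]]
    /user group remove temppolicy

    # Strip "!" and turn ";" into "," to get a usable policy= value.
    :local fullpolicy ""
    :for i from=0 to=([:len $defpolicy] - 1) do={
        :local char [:pick $defpolicy $i]
        :if ($char = "!") do={ :set char "" }
        :if ($char = ";") do={ :set char "," }
        :set fullpolicy ($fullpolicy . $char)
    }
    /user group set full policy=$fullpolicy

    # Create the replacement account with its password set from the start;
    # ignore the error if it already exists, then (re)apply the settings.
    :do {
        /user add name=myadmin group=full password=$newpass
    } on-error={}
    /user set myadmin group=full disabled=no password=$newpass

    # Remove every other account, including the default "admin".
    /user remove [find name!="myadmin"]
}
```

Run it from a session you can afford to lose, since the account you are logged in with is removed once the last line executes.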