Community discussions

MikroTik App
 
AndersNordh
just joined
Topic Author
Posts: 5
Joined: Wed Oct 30, 2024 5:42 pm

Not enough permissions?

Wed Oct 30, 2024 5:52 pm

Hi, completely new to Mikrotik ...

I have a RB4011 router that works fine and a Mikrotik CSS326 connected by a 10GB SFP+ connection, as I said, all fine.

When logged in as "admin" I tried to run the software upgrade from within WInbox, got a brief message saying I did not have the permission to do that. Hmm, uploaded the file manually and after reboot I had the latest software in place ...

Tried to login using Telnet and SSH, none of them are working, cannot even start a terminal within Winbox, same message within Inbox, lacking permission. Tried to add Telnet and SSH to the Admin group, guess what? Lacking permission to do it ...

Tried Winbox on Mac and Windows, tried logging in from different browsers but still the same.

What on earth am I doing wrong?

Have a nice day,
//Anders
 
User avatar
rextended
Forum Guru
Forum Guru
Posts: 12554
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: Not enough permissions?

Wed Oct 30, 2024 7:10 pm

Probably your device is compromised, the only solution, without lost time is to full netinstall it.
 
jaclaz
Forum Guru
Forum Guru
Posts: 1981
Joined: Tue Oct 03, 2023 4:21 pm

Re: Not enough permissions?  [SOLVED]

Wed Oct 30, 2024 7:25 pm

Check the users you have.
A normal Mikrotik (default) has only "admin" as user (and it is generally recommended to change the name to something else).

There are botnets that try to accesa Mikrotik devices and if they succeed, they remove permissions from "admin" and add a user "system" with all the perrmissions.

If you have a user "system" (and you didn't add it yourself) your router needs to be netinstalled.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 21893
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Not enough permissions?

Wed Oct 30, 2024 7:28 pm

Have a copy of your config prior to being locked out??
/export file=anynameyouwish ( minus router serial number, any public WANIP info, keys)
 
AndersNordh
just joined
Topic Author
Posts: 5
Joined: Wed Oct 30, 2024 5:42 pm

Re: Not enough permissions?

Wed Oct 30, 2024 10:53 pm

Thanks a lot for all the input!

Yes, the router was compromised, the Netinstall worked through a virtual Win11 (I am running Mac ...) using a USB connected dock ethernet connection ... ;-) ... A little bit against all odds.

The router is up and running, this time with the admin user disabled, another user with full access created and a set of firewall rules protecting it ...

Once again, thanks a lot guys.

Have a good one.

//Anders
 
User avatar
rextended
Forum Guru
Forum Guru
Posts: 12554
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: Not enough permissions?

Thu Oct 31, 2024 12:43 am

Do NOT "only" disable admin, set to the admin one random long password, create one empty group with no privileges (policies) and assign it to admin....
 
User avatar
k6ccc
Forum Guru
Forum Guru
Posts: 1579
Joined: Fri May 13, 2016 12:01 am
Location: Glendora, CA, USA (near Los Angeles)
Contact:

Re: Not enough permissions?

Thu Oct 31, 2024 4:37 pm

Do NOT "only" disable admin, set to the admin one random long password, create one empty group with no privileges (policies) and assign it to admin....
Any particular reason for that as opposed to what I have done and completely delete the admin user ID? I have a completely different User ID that has all the privileges and once I know that works, I deleted the original admin User ID.
 
User avatar
rextended
Forum Guru
Forum Guru
Posts: 12554
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: Not enough permissions?

Thu Oct 31, 2024 4:55 pm

If I wrote it here it would be public knowledge...
 
User avatar
infabo
Forum Guru
Forum Guru
Posts: 1465
Joined: Thu Nov 12, 2020 12:07 pm

Re: Not enough permissions?

Sat Nov 02, 2024 2:33 pm

wtf?
 
User avatar
Amm0
Forum Guru
Forum Guru
Posts: 4324
Joined: Sun May 01, 2016 7:12 pm
Location: California
Contact:

Re: Not enough permissions?

Sat Nov 02, 2024 3:59 pm

If I wrote it here it would be public knowledge...
Yeah I'm confused too. Totally get not using "admin", and deleting the account once a new "full" user had been added seems like a better plan. What am I missing?

@rextended, if you think there some security issue here (i.e. where deleting admin is less "safe" than a "secured disabled" one)... I hope you reported it to Mikrotik, as cryptic forum posts alluding to security do nothing.
 
jaclaz
Forum Guru
Forum Guru
Posts: 1981
Joined: Tue Oct 03, 2023 4:21 pm

Re: Not enough permissions?

Sat Nov 02, 2024 4:59 pm

What we don't know (or at least I don't know) is what changes the attackers make to the router configuration, it is possible that they do not make any besides changing the permissions to user "admin" and adding the "system" one (of which they set the password to a complex one).

If this is the case, then the plan could be to build a net of pwned routers to be used all together one day, for - say - DOS attack..

Let's try to make an hypothesis of what could happen:
1) there is user "admin" with blank password, the attackers proceed
2) there is user "admin" with a common (present in a specific cracking dictionary) password, the attackers will try them, and if it is found, they proceed
3) there is no user "admin", the attacker may decide that the router is not suitable and leave it alone
4) there is a user "admin" (which is a sort of dummy with no permissions) but with a long, complex, password. The attackers may spend quite a lot of time to attempt finding the password, and even if they succeed, they won't be able to create the user "system".

#4 would then be a clever way to slow down the attackers/having them use their resources in vain ? :?:
 
User avatar
Amm0
Forum Guru
Forum Guru
Posts: 4324
Joined: Sun May 01, 2016 7:12 pm
Location: California
Contact:

Re: Not enough permissions?

Sat Nov 02, 2024 6:14 pm

The main attack vectors been admin and no password & creating DoS. And using "admin" as username opens up common dictionary attack.
But so would using same username/password combo that been compromised in some other attack be equally, or likely even worse.

I just worry about the attack vector of "config mistakes" like accidentally re-enabling "admin" here.
i.e. a scripting bug perhaps in a more complex version of:
/user/enable [find comment~".*"]

But the idea to be some honeypot for bots seems like a bad one unless you're actively monitoring it.
 
User avatar
patrikg
Member
Member
Posts: 362
Joined: Thu Feb 07, 2013 6:38 pm
Location: Stockholm, Sweden

Re: Not enough permissions?

Sat Nov 02, 2024 9:29 pm

Please don't only use username and password as credentials, please also use PKI.
 
User avatar
Amm0
Forum Guru
Forum Guru
Posts: 4324
Joined: Sun May 01, 2016 7:12 pm
Location: California
Contact:

Re: Not enough permissions?

Sat Nov 02, 2024 9:33 pm

Please don't only use username and password as credentials, please also use PKI.
I wish that were possible. The problem is Winbox, Webfig, native API, and REST API all only support username/password. So unless you know how to make winbox use a cert, you're kinda screwed on RouterOS for PKI auth.
 
User avatar
rextended
Forum Guru
Forum Guru
Posts: 12554
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: Not enough permissions?

Mon Nov 04, 2024 10:21 am

4) there is a user "admin" (which is a sort of dummy with no permissions) but with a long, complex, password. The attackers may spend quite a lot of time to attempt finding the password, and even if they succeed, they won't be able to create the user "system".

#4 would then be a clever way to slow down the attackers/having them use their resources in vain ? :?:

Bravo...

I have dozens of "honeypot" virtual machines with scattered public IPs that help me collect BGP subnets to ban,
but not towards honeypots, which attract attention and divert resources towards other real machines...
(which in any case do not have winbox & Co. stupidly open to the internet...)


Please do not ask for details on the previous post.
MikroTik has already been informed about the problem by my distributor, some years ago, but it seems in vain.

It is simply better to disable it and make it useless rather than delete it...
 
jaclaz
Forum Guru
Forum Guru
Posts: 1981
Joined: Tue Oct 03, 2023 4:21 pm

Re: Not enough permissions?

Mon Nov 04, 2024 12:58 pm

Bravo...
Grazie. :)

Though I am not convinced that my hypothesis holds, I think that attackers won't spend much time on a "difficult" device (unless of course it is a targeted attack) it is far easer for them go looking for another one, I presume that they go for the low-hanging fruits (there are so many of them).

The more I try to understand the complexities of (internet facing) devices security, the more I believe that at the most we can try to avoid the most common errors and there is not a really "secure" way to do things :( .
 
Kanta
newbie
Posts: 36
Joined: Tue May 15, 2018 7:54 pm

Re: Not enough permissions?

Mon Nov 04, 2024 1:11 pm

Please do not ask for details on the previous post.
MikroTik has already been informed about the problem by my distributor, some years ago, but it seems in vain.

It is simply better to disable it and make it useless rather than delete it...
So not you, but your distributor...sure. Got it. Bravo... Are you going to make a ticket now for real or am I? Since you know the details you should report it to them so that it gets fixed, not your simple salesman who could care less.

You have also disappointed me I expected more from someone like you. Shame to your name for you have becometh that which you criticized the most.
 
User avatar
rextended
Forum Guru
Forum Guru
Posts: 12554
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: Not enough permissions?

Mon Nov 04, 2024 9:39 pm

You have also disappointed me I expected more from someone like you. Shame to your name for you have becometh that which you criticized the most.

Good thing I'm not as stupid as you thought...

Who is online

Users browsing this forum: akakua, ismets and 12 guests