Wednesday, 13 May 2015

Top Mikrotik Tips


Running Mikrotiks in the field? Here are my top tips for making the most of your Mikrotik Experience:

1. Secure
1.1 - Users and Passwords
1.2 - Access Ports
1.3 - Protect against brute force hacks
1.4 - Anonymize your connection
2. Manual Backups (and why a backup is not a backup)
3. Blocking Sites
5. Remote wake your computer
6. Remote access to your network

1. Securing your router.


I once installed a new router at the edge of my network connecting to a new provider. After installing I took a ten minute drive home, from where I planned to do my configuration. By the time I got home, the router had already been compromised. I cannot overstate the importance of securing your router, it is absolutely crucial in terms of maintaining a stable network.

1.1 Users and Passwords

The default Mikrotik Username is admin, and it has no password. My first step when setting up a new router is to remove the admin user and replacing it with something more secure:

Log in using WinBox
On the left hand menu, select System->Users:

Here you will see the highly offensive admin user:

Before removing it, let us add a new user, and make sure that the new user can login, to do this, click on the blue "+" icon to add a new user:

Fill in the desired username, having a secure username adds a lot of complexity to any brute force type attack.
Fill in a good secure password, and click OK.
Now, log out of the router and log back in using the new user and password. I once made the mistake of deleting the admin user while logged in as the admin user, and then I was unable to log back in due to a typo in the new username.

You can now proceed to remove the admin user by going to System->Users, selecting the admin user, and clicking on the red "-" icon:

1.2 Access Ports

As with any internet connected device, running the services on their default ports is an invitation to be hacked. The first, and safest option is to disable any services that you won't be using. Do you use FTP to upload or download files to your routerboard? If not, then turn it off. Same goes for telnet, ssh and the winbox API.

Disabling Ports:
Log in to the router using Winbox, then click on IP->Services


This will bring up the Services window, here you can select the services that you do not intend to use, and click on the red "-" to disable them:

Personally I disable the following services, unless I have a specific need for one of them on this specific router:
  • ftp
  • www
  • telnet
  • api
  • api-ssl
Changing ports:
On the same "IP Service List" window, double click on the service you want to change:
In this example, I will be changing ssh from port 22 to port 9522.
Change the port to a new port, I just use the existing port with two digits prepended.
Click "OK"

Make a note of the port number, otherwise you will not be able to use that service.

The ports that I change are the following:
  • ssh
  • www (where I need web access to the device)
1.3 Brute Force Protection
This comes straight from the Mikrotik Wiki, and is one of the best ways to ensure that your router cannot be hacked on the off chance that someone finds your SSH port after you have changed it. The code below will block both FTP and SSH brute force attacks. If you have changed the ports that these services run on, remember to change the dst-port below accordingly

Open up a terminal on Winbox:

Paste the following code in the terminal window:

/ip firewall filter

##This Section blocks FTP Brute Force
add chain=input protocol=tcp dst-port=21 src-address-list=ftp_blacklist action=drop \
comment="drop ftp brute forcers"

add chain=output action=accept protocol=tcp content="530 Login incorrect" dst-limit=1/1m,9,dst-address/1m

add chain=output action=add-dst-to-address-list protocol=tcp content="530 Login incorrect" \
address-list=ftp_blacklist address-list-timeout=3h

##This Section blocks SSH Brute Force
add chain=input protocol=tcp dst-port=22 src-address-list=ssh_blacklist action=drop \
comment="drop ssh brute forcers" disabled=no

add chain=input protocol=tcp dst-port=22 connection-state=new \
src-address-list=ssh_stage3 action=add-src-to-address-list address-list=ssh_blacklist \
address-list-timeout=10d comment="" disabled=no

add chain=input protocol=tcp dst-port=22 connection-state=new \
src-address-list=ssh_stage2 action=add-src-to-address-list address-list=ssh_stage3 \
address-list-timeout=1m comment="" disabled=no

add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage1 \
action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m comment="" disabled=no

add chain=input protocol=tcp dst-port=22 connection-state=new action=add-src-to-address-list \
address-list=ssh_stage1 address-list-timeout=1m comment="" disabled=no

1.4 Anonymize your connection
These days it is impossible to know who is snooping in on your internet connection. An easy way to overcome this is to get a VPN provider. I cannot make any recommendations as to which service is the best for you, since it depends on your specific requirements. I would however recommend a provider that can supply a pptp or sstp connection.

Setting up a VPN tunnel on your Mikrotik:
Click on PPP in the Winbox left hand menu:

Click on the blue "+" and select "PPTP Client":

On the General screen, you only need to give the connection a name:

Click on the "Dial Out" tab, and enter the details provided by your VPN Service. I have selected "add default route" which means that all traffic should be routed out using this interface. (You may need to remove any other default routes and make just one specific route to your VPN provider that routes through your internet connection)

2. Manual Backups (and why a backup is not always a backup) 

Mikrotik provides a simple backup procedure, you simply open the Files window, and click backup. You now have a file that you can download, and when necessary, restore. Except not. The only time that the backup will restore 100% is when you restore the same config file on the same routerboard with the same exact wireless cards. Not similar cards, not exactly the same model cards, but the same exact wireless cards right down to the mac address level. Otherwise only some configuration will be restored, and it may be difficult to figure out what is working and what is not.

A better way to backup is by doing an export, this will give you a file that has the terminal commands necessary to duplicate the existing configuration. It also has the added flexibility of allowing you to only export a certain part of the configuration, for example, say the Firewall config.

To do an export, open up a terminal inside Winbox

In the terminal, type the following command, make sure to choose a sensible filename:

export file=binaryboard13052015

If you now open the Files window, you will find a .rsc file with the name you specified. Simply drag this file to your local computer for safekeeping:

3. Blocking Sites:

3.1. Open up Winbox and connect to your router.
3.1.1 On the left menu, select IP->Firewall


3.2. On the Firewall Windows, click on the "Layer 7 Protocols" tab


3.3. Click on the Add button
3.3.1 Under the "Name" field, type "Block"
3.3.2 Under the Regex field, put the text below. You can add more sites by typing in the Domain, and separating them with the pipe "|" symbol.
^.+(youtube.com|facebook.com).*$

3.4. Click on the "Filter Rules" tab in the "Firewall" window.
3.4.1 On the "General" tab, make sure that the "Forward" chain is selected.


3.5. On the "Advanced" tab, under "Layer 7 Protocol" select the "Block" item that we created earlier.

3.6. On the "Action" tab, select "Drop" as the action, and then click "OK" to finish.


An alternative way to set up the blocking, is by typing (or pasting) the following in a terminal window:
/ip firewall layer7-protocol
add name=Block regexp="^.+(youtube.com|facebook.com).*\$"
/ip firewall filter
add action=drop chain=forward layer7-protocol=Block

Make sure you test everything before putting it in production. Also note that there are ways to bypass this, if your users are clever or determined enough.

5. Remote wake your computer

If you, like me, don't like leaving your PC on all the time, you can use your Mikrotik router to send a WOL (Wake on Lan) magic packet to your computer.

To do this, you need to know the MAC address of your computer, depending on your setup, this can be found on your Mikrotik router by going to IP->DHCP->Leases and looking up your computer name.

Once you have your mac address, open System->Scripts
Click on the blue "+" icon:
On the "New Script" window, give the script a sensible name, and add the following code under source:
tool wol interface=ether1 mac=FF:FF:FF:FF:FF:FF

You can now log in to your Mikrotik router, and run the script to wake up your pc remotely, please refer to you PC documentation to enable WOL on the PC.

6. Remote Access

We have already looked at how we can use a VPN to hide out traffic, now we are going to look at how we can use a VPN to get remote access INTO our network. Again, we will be using PPTP as the VPN protocol, since it is already supported by most major operating systems. Please note that you will need to have a public ip on the router.

Open the PPP window on Winbox:
Click on the PPTP Server button:

Select the "Enabled" checkbox and click OK

On the PPP window, go to the Secrets tab, and click on the blue "+":

Configure your PPP user as follows:
  • Name: The username that you will use to connect
  • Password: The password that you will use to connect
  • Service: Select PPTP for security
  • Local Address: 10.10.0.1
  • Remote Address: 10.10.0.2
    (the addresses you use don't really matter, as long as they are not in use elsewhere on your network)

6.2 Connecting to the VPN

On Windows 7/8 you can connect directly to your network using the built in VPN tools:

Open up network and sharing center and click on "Set up a new connection"

Select "Connect to a workplace" and click "Next"

Select "No, create a new connection" and click "Next"
Select "Use my Internet Connection"


Enter your router Public IP and give to connection a name, finish by clicking "Create":
You will now find the VPN connection under your available connections:

When you connect to it, you will be asked for you username and password you created earlier:

7 comments:

  1. Basic, straight, simple help. Thanks.

    ReplyDelete
  2. shankyu very much....
    can you give aother article about mikrotik? (like whitelist website from mikrotik and drop everything, different user - different access, and any other)
    i like your writting style, i understand everything you write...
    like Abgar said, to the point...

    ReplyDelete
  3. Thank you so much
    I like your writting way.
    Please don't give up.

    ReplyDelete
  4. Mikrotik Router Hardening - http://www.manitonetworks.com/mikrotik/2016/5/24/mikrotik-router-hardening

    ReplyDelete