From 3f3e918530e4fe7d7efc059b3e86e2025e0322de Mon Sep 17 00:00:00 2001 From: "Alexander \"Arav\" Andreev" Date: Fri, 20 May 2022 21:59:04 +0400 Subject: [PATCH] Hardening Mikrotik article is almost done. :) --- .../views/articles/hardening_mikrotik.pug | 67 ++++++++++--------- 1 file changed, 35 insertions(+), 32 deletions(-) diff --git a/homepage/views/articles/hardening_mikrotik.pug b/homepage/views/articles/hardening_mikrotik.pug index f168f76..e700e54 100644 --- a/homepage/views/articles/hardening_mikrotik.pug +++ b/homepage/views/articles/hardening_mikrotik.pug 
@@ -20,56 +20,59 @@ block article li #[a(href='#art-3-2') SSH] li #[a(href='#art-3-3') Allowed Address list] li #[a(href='#art-4') Configuring service list] - li #[a(href='#art-5') Firewall] + li #[a(href='#art-5') Basic firewall] ol - li #[a(href='#art-5-1') Basic filter rules / Input] - li #[a(href='#art-5-2') Basic filter rules / Forward] + li #[a(href='#art-5-1') Input chain] + li #[a(href='#art-5-2') Forward chain] h3#art-1 #[a(href='#art-1') 1. Introduction] - p I always wandered, since I #[s joined a cult] got mine, why almost no one can properly secure them. Looks like people just don't bother to do that, and leave it as it is barely configured. But, holy shit, even through #[code Quick Set] you get a proper secure firewall rules, yet there are thousands of routers sticking out with a #[s naked ass] acessible web config interface (I bet alongside with webui winbox comes as well). Every time (pretty rarely, if I have really nothing to do) I scan my ISPs network my IP belongs to and there's always a bunch of Mikrotik routers. Never tried to login with default password tho, so can't say if they are at least have a password. - p In this article I'll show you how to harden your router's security. - p If you are setting up a router for the first time I strongly recommend you use a default configuration as a base. First you need to completely reset a configuration. For that in Winbox go to #[code System->Reset Configuration] and check an option #[code No Default Configuration]. Or in SSH: #[code system/reset-configuration no-defaults=yes]. + p I always wandered, since I #[s joined a cult] got mine, why almost no one can properly secure them. Looks like people just don't bother to do that, and leave it as it is barely configured, and only whine when get hacked. 
But, holy shit, even through #[code Quick Set] you get a proper secure firewall, yet there are thousands of routers sticking out with a #[s naked ass] acessible WebFig (I bet alongside with it Winbox comes as well, didn't check). + p In this article I'll show you how to harden your router's security. There's nothing difficult and could be find just by learning available features. Considering the firewall, I will just copy-paste a default set of rules, yeah, that feels no good, but what can I do if many doesn't have even a basic one. + p If you are setting up a router for the first time I strongly recommend you use a default configuration as a base. First you need to reset a configuration to clear a router. For that in Winbox go to #[code System->Reset Configuration] and check an option #[code No Default Configuration]. In teminal #[code > system/reset-configuration no-defaults=yes]. And then using #[code Quick Set] configure basic access to the Internet and a LAN. We need #[code No Default Configuration] because these defaults doesn't include a firewall (if I recall correctly of course, I did that last time in 2019). h3#art-2 #[a(href='#art-2') Ways to harden your router] - p First and foremost thing is to keep your firmware up to date. That's the main reason why routers becomes a part of a botnet — vulnerabilities. - p Second thing is setting a password for your admin account. Many other articles recommend to rename it, but I never do that, because there's no access from outside anyway. Also we restrict access to a user with a list of allowed addresses. - p Third thing to do is to restrict access to router's config interfaces by IP, and disable not used ones. - p And here comes a firewall, I'll share some parts of mine, that is mostly a default one. - p Okay, as for keeping a firmware up to date, just don't forget to go to #[code System->Packages] and click a #[code Check For Updates] button in Winbox. 
Or using SSH: #[code > system/package/update/check-for-updates]. + p Vital thing to do is to keep a firmware up to date. That's another major reason why routers becomes a part of a botnet — vulnerabilities. + p To do it in Winbox go to #[code System->Packages] and click a #[code Check For Updates] button. Or using teminal: #[code > system/package/update/check-for-updates]. + p First thing is setting a password for your admin account. Many other articles recommend to rename it, but I never do that, because there's no access from outside anyway. Also we restrict from what addresses we can login. + p inb4 muh remote access. Use VPN for it, dude. + p Second, restrict access to router's configuration by IP, and disable not used services. + p And here comes a firewall. + p And before we start I want to give you a vital tip that will save your time, and, maybe, money — use Safe Mode! To toggle it in Winbox click button #[code Safe Mode] that you can find at the top left corner. In teminal press #[code Ctrl-X]. And when you're done, don't forget to disable this mode to save all applied changes or they will revert. Winbox will warn you about activated Safe Mode, but teminal not. :) h3#art-3 #[a(href='#art-3') Password protection, SSH and address-based access restriction] - + h4#art-3-1 #[a(href='#art-3-1') Password] - p To change a password in Winbox go to #[code System->Users], choose your admin account and in a dialogue click #[code Password...] button. - p To do it using SSH: #[code > user/set admin password=password]. + p To change a password in Winbox go to #[code System->Users], double-click on your admin account and in an edit dialogue click #[code Password...] button. In teminal type in #[code > user/set admin password=new_password]. h4#art-3-2 #[a(href='#art-3-2') SSH] - p Alas, built-in SSH doesn't support modern ciphers and we cannot use keybased authentification. Hope it will change in the future. - p To configure SSH go to #[code IP->SSH]. 
We need there parameters #[code Always Allow Password Login] and #[code Strong Crypto] enabled. You may change #[code Host Key Size] to something more secure and click #[code Regenerate Host Key] button. Using SSH write #[code ip/ssh/set] and tap Tab key twice and you will see available parameters names. Type in #[code ip/ssh/regenerate-host-key] and hit enter and then confirm. + p Alas, built-in SSH doesn't support modern ciphers and we cannot use keybased authentification. Hope it will change in the future. But now we have only passwords. + p To configure SSH go to #[code IP->SSH]. We need there options #[code Always Allow Password Login] and #[code Strong Crypto] to be enabled. You may change #[code Host Key Size] to something more secure and click #[code Regenerate Host Key] button. Using teminal type in #[code > ip/ssh/set always-allow-password-login=yes strong-crypto=yes]. In a terminal works autocompletion, just tap Tab key twice. To regenerate a key type in #[code > ip/ssh/regenerate-host-key] and confirm. h4#art-3-3 #[a(href='#art-3-3') Allowed Address list] - p User can be restricted with a list of addresses he allowed to login from. You may noticed it already when was setting a password. So, to do this in Winbox go to #[code System->Users], choose your user and in a popped up dialogue you will see a field #[code Allowed Address], there could be multiple entries that can be added/removed using arrow buttons at the end of fields. You can type individual IP-addresses and whole subnets in CIDR (e.g. 0.0.0.0/0) notation. + p Every user can be restricted by what addresses he allowed to login from. You may have already noticed a field #[code Allowed Address] when was setting a password. So, again, in Winbox go to #[code System->Users], double-click your user and you will see a field #[code Allowed Address], there could be multiple entries that can be added/removed using arrow buttons at the end of fields. 
You can type in individual IP-addresses and whole subnets in CIDR (e.g. 192.168.88.0/24) notation. + p In teminal type in #[code > user/set admin address=] and type all addresses separated by a comma, e.g. #[code address=192.168.88.3,192.168.89.0/24]. h3#art-4 #[a(href='#art-4') Configuring service list] - p There are a bunch of different ways to access and configure your router: Winbox, SSH, Telnet, WebFig and API. And you can access filesystem with FTP or SSH. - p Good thing to do first will be disabling all not needed services. Go to #[code IP->Services] and then using a button with a red cross disable them. Or by double-clicking click #[code Disable] button in a popped up dialogue. + p There are a bunch of different ways to configure your router: Winbox, SSH, Telnet, WebFig and API. And you can access its filesystem with FTP or SFTP. + p Good thing to do first will be disabling all not needed services. Go to #[code IP->Services] in Winbox and then using a button with a red cross disable them, or a blue check mark to enable it. Or in an edit dialogue click #[code Disable] button. In teminal type in #[code > ip/service/set service disabled=yes]. p As for me, I leave only SSH and Winbox services. - p Okay, now let's restrict access to our services. In an edit dialogue there is an #[code Available From] field that is configured the same way as previous #[code Allowed Address] field. - p To do it from SSH just type #[code ip/service/set service_name disabled=yes] for each service to disable. To set available from addresses: #[code ip/service/set service_name address=192.168.88.2,192.168.89/24]. + p Okay, now let's restrict access to our services by IP. It is the same as for a user, just a field called #[code Available From]. In teminal: #[code > ip/service/set service address=192.168.88.2,192.168.89.0/24]. - h3#art-5 #[a(href='#art-5') Firewall] - p As I previously stated, default firewall we get using #[code Quick Set] is pretty much sufficient for home use. 
Of course I made some changes, like turned off rules for allowing ipsec traffic. So, here I will give you a main part of my firewall. - p For IPv4 go in a Winbox to #[code IP->Firewall] or #[code ip/firewall/filter] in SSH. For IPv6 in Winbox #[code IPv6->Firewall] or in SSH #[code ipv6/firewall/filter]. + h3#art-5 #[a(href='#art-5') Basic firewall] + p As I previously stated, default firewall we get using #[code Quick Set] is pretty much sufficient. + p Go to #[code IP->Firewall] in Winbox or #[code > ip/firewall/filter] in teminal. For IPv6 sections called #[code IPv6] for Winbox, and #[code ipv6] for teminal. + p In terminal you can switch to a needed section instead of typing it every time. To add a rule there is a command called #[code add], and #[code remove] to remove a rule by its number. To see all rules and theirs numbers type #[code print] command. + p Next I will give you set of rules for input and forward chains for IPv4 and IPv6. - h4#art-5-1 #[a(href='#art-5-1') Basic filter rules / Input] - p Here I will give you an Input chain rules with theirs description. First for IPv4, and then for IPv6. And since I don't have an IPv6 rules are purely from default configuration, but I will list them anyway. + h4#art-5-1 #[a(href='#art-5-1') Input chain] + p A basic input chain for IPv4: pre | 1 chain=input action=accept connection-state=established,related,untracked | 2 chain=input action=drop connection-state=invalid | 3 chain=input action=accept protocol=icmp | 4 chain=input action=drop in-interface-list=!LAN p Here the first rule let already allowed traffic to go in a router. The second one drops packets with invalid state. The third one allows pinging our router. And the fourth one drop all the packets that doesn't originate from interfaces listed in a LAN list. - p Here comes Input chain for IPv6 firewall: + p And for IPv6: pre | 1 chain=input action=accept connection-state=established,related,untracked | 2 chain=input action=drop connection-state=invalid 
@@ -79,16 +82,16 @@ block article | ;;; defconf: accept DHCPv6-Client prefix delegation. | 5 chain=input action=accept protocol=udp src-address=fe80::/10 dst-port=546 | 6 chain=input action=drop in-interface-list=!LAN - p As you can see pretty much the same as for IPv4 except for rules 4 and 5 that are copied with their's comments to describe what are they allowing. + p As you can see pretty much the same as for IPv4 except for rules 4 and 5 that are described by their's comments above them. - h4#art-5-2 #[a(href='#art-5-2') Basic filter rules / Forward] - p Okay, here comes Forward chain. For IPv4: + h4#art-5-2 #[a(href='#art-5-2') Forward chain] + p Here comes a basic forward chain for IPv4: pre | 1 chain=forward action=fasttrack-connection hw-offload=yes connection-state=established,related,untracked | 2 chain=forward action=accept connection-state=established,related,untracked | 3 chain=forward action=drop connection-state=invalid | 4 chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN - p Exactly as for input chain, except for the first and last rules. Fasttrack sends all already allowed traffic via short path past the CPU. While it drastically reduce load on a CPU, we lose ability to work with such traffic, like mark packets, etc. But, since I don't do anything special with a traffic I offload everything. If you need to do something like mark packets then you can fasttrack only some traffic like the one going in and out the Internet. + p Exactly as for input chain, except for the first and last rules. This rule makes use of fasttrack mechanism that sends traffic via short path past the CPU. While it drastically reduce load on a CPU, we lose ability to work with traffic allowed in this rule, like mark packets, and other things in a mangle section. But, since I don't do anything special with traffic I offload everything. 
If you need to do something then you can fasttrack only some traffic like the one going in and out the Internet. p In the last rule we deny establishing connections from outside if there is no destination NAT rule specified. p So, here is a forward chain for IPv6: pre @@ -100,4 +103,4 @@ block article | ;;; defconf: rfc4890 drop hop-limit=1 | 6 chain=forward action=drop protocol=icmpv6 hop-limit=equal:1 | 7 chain=forward action=drop in-interface-list=!LAN - p As for rules 3 and 4 bad_ipv6 address list contains all reserved and special ranges that I won't provide here. \ No newline at end of file + p As for rules 3 and 4 bad_ipv6 address list contains all reserved and special ranges that I won't provide here, these rules are here just to show off. And as you can see there is no #[code fasttrack-connection] rule since it is not implemented yet for IPv6.
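Review bot: In the first hunk (@@ -20,56 +20,59), the SSH paragraph ("Alas, built-in SSH doesn't support modern ciphers and we cannot use keybased authentification") is incorrect, and the recommended `ip/ssh/set always-allow-password-login=yes strong-crypto=yes` points the wrong way for a hardening article. RouterOS does support public-key login (`/user ssh-keys import public-key-file=<file> user=admin`), and `always-allow-password-login` exists to keep password login open for a user who already has a key, so enabling it weakens SSH rather than hardening it. Suggest: import a key for the admin user, set `always-allow-password-login=no`, and keep `strong-crypto=yes` (which switches SSH to the stronger cipher/MAC set). Two smaller points in the same hunk: the intro now says `No Default Configuration` is needed because the defaults "doesn't include a firewall (if I recall correctly ...)", yet the IPv6 rules later in the patch carry `defconf:` comments, i.e. they were lifted from the default configuration script; resolve that hedge before publishing rather than shipping advice the article's own rule listing contradicts. And spelling: `teminal` (throughout) -> `terminal`, `wandered` -> `wondered`, `acessible` -> `accessible`, `authentification` -> `authentication`, `could be find` -> `can be found`, `these defaults doesn't` -> `don't`, `theirs numbers` -> `their numbers`.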
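Review bot: In the second hunk (@@ -79,16 +82,16), the rewritten fasttrack paragraph opens with "Exactly as for input chain, except for the first and last rules. This rule makes use of fasttrack mechanism", so "This rule" is ambiguous; it should say "The first rule". The caveat that follows is also too narrow: fasttracked packets skip not only mangle but the rest of the filter chain and queues, so a reader who has simple queues or a queue tree will see them stop applying the moment they paste rule 1 as-is. Since the text tells readers to "offload everything", state that explicitly, and note that `hw-offload=yes` only changes anything on hardware with L3 offload support. Typo in the IPv6 input paragraph on both the removed and added line: `their's comments` -> `their comments`.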
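Review bot: In the third hunk (@@ -100,4 +103,4), rules 3 and 4 of the IPv6 forward chain match against the `bad_ipv6` address list, but the list is never given and the new text admits "these rules are here just to show off". A reader who pastes the chain ends up with two rules that reference an empty address list and never match, which is worse than no rule because it looks like filtering is happening. For a section titled "Basic firewall", either include the list contents or drop rules 3 and 4 from the basic set and say that rule 7 (`drop in-interface-list=!LAN`) is what actually blocks inbound traffic. Also, "there is no fasttrack-connection rule since it is not implemented yet for IPv6" should be tied to the RouterOS version the article targets; an unqualified "not yet" will go stale without anyone noticing.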