TOP 10 RouterOS Configuration Mistakes

Captions
Once again, so today my presentation is on the top 10 RouterOS misconfigurations, and before we begin I'd like to give two notes. The first note: don't get this wrong, I have nothing against ladies configuring routers, and actually just in the last three days I was running a MikroTik internetworking class; we had a lady in the class and she scored higher than all the men in the class, so it was the most advanced MikroTik training class. Do we have Mark in here? Yes, she is. I think she deserves a big applause from us; can you stand up so everyone can see who Mark is? Thank you. The second note: here in the slide, this is my wife helping me with configuration, so there's no need to ask her for a date; we are married, we have children, and she's somewhere here. Well, okay, let's go to the presentation. My name is Casper Sadies, I come from Latvia, as you can hear, I speak with a Latvian accent also. Here in America I am a MikroTik consultant for a California-based company, With Dragon, which trains and supports wireless Internet service providers, and also my major work is in Riga, Latvia; I'm working for Rotary LV, also as a MikroTik consultant. I'm also a MikroTik and Microsoft certified trainer, a member of the board of the Latvian Internet Association, and I'm with one of my legs in commercial networking and with the second leg in academic networking: I'm doing my PhD in future networking and also working for the European Union as a review expert for a few networking research projects, there for future networking. So if you'd like to reach me, here is my email and a LinkedIn shortcut for connection. Well, that's about me; let's jump now to the presentation.

As I said, today we speak about the top 10 misconfigurations I've noticed and seen during the last, actually, more than 10 years, and I've ordered them in growing severity for your networks. All of these things are of such a nature that they could be in your networks and, to some border, you can still work with your network, but these things are there, and it's very good to think of them and, if you have them, to solve them.

So top 10 in my list is a problem where you have the same IP on different subnets, different interfaces. Where's the problem? Unless you have just one interface active: if you have configured it on two, you can survive till the moment when the second interface becomes active; then you start kind of a load balancing, as you can see also in the routing table you have two gateway interfaces for the same connected network, so you try to balance between two interfaces. How do you think, can TCP survive in such a situation? Unfortunately, no. So the survival strategy in such a situation, if you have configured it or if you have it in your network, is either to work with MAC telnet or to try to connect from a different subnet. Once again, these IPs here could even be different IP values, but still from the same subnet; if they are on two different interfaces, then the problem is still actual. Usually I think the people who do it actually wanted to have these two interfaces in a bridge; this is one case which makes such a problem. The second thing is they just forgot about one IP on the interface and later added the second one. If you have just two of them in the address list, that's fine, it's quite easy to notice, but if you have a large list of addresses then such a problem can be there, and it activates with high severity when both interfaces are active. So this one goes for top 10 in my list.

Let's go to the next one. For top 9 I have listed the lack of monitoring for your routers, and here we have three questions to answer for each router in our networks: first of all about the health of your router, second about its reachability. In the previous presentation you heard about CHR, Cloud Hosted Router, possibilities in different clouds, also Microsoft Azure, so actually that's a very good idea, especially if you have maybe even some free or demo accounts there, to run a Dude server (about that I'll show you in a few slides), to run such a monitoring server, maybe even from different locations, which is looking at the health and reachability of your router. So actually that's a nice solution to have. If you do monitoring just from your internal networks, this is already a good step if you compare it with doing nothing, but if you have some additional measurements from outside of your local network, then you have many more metrics and also the information is with higher accuracy. The third question to answer is about the load of your router: maybe it's overloaded or close to being overloaded and soon it might crash just because of insufficient resources. In the internetworking class we tried how's that to allow the full BGP table into a router which has only 128 or fewer megabytes, so at some moment that's too much for the router because of the memory resources. Once again, if you have good monitoring you can see it before the bottleneck is full.

So first of all, for health, there is even a System > Health menu in the MikroTik router. This one is a screenshot from a CCR1072 router; depending on the hardware you can have here more or fewer sensors and informational fields. As you see, for the CCR we can see CPU temperatures, fan speeds, voltage for both power supply units; a bit below you can see that the first one, the currently active one, is using 12 volts, 4.5 amps, which makes around 54 watts of load. So this is the most powerful router, that's why it also consumes slightly more power; if you compare it with competitors, it's much, much less than the others do. Here you are interested actually in all the fields the hardware can give you, starting from the temperature, also the fan statuses; otherwise if the fan fails you don't know it, the temperature grows, the router overheats, and so on. So that's about the physical environment. If you look on the right side, there is also a console print with the same values, and below is a bit more interesting part: how to get these values out of the router. It's not that easy to convince your router just to call your mobile and tell you "I'm running out of resources soon", but what you can do with scripting is you actually could have some thresholds and send text messages to your cell phone if you want to have high-level triggering and also actions. Otherwise, if you have a centralized monitoring system, then SNMP, about which I speak in just a few slides, so Simple Network Monitoring Protocol based solutions, can read a lot of measurement fields here in the MikroTik router. It is based on so-called OID values, and wherever in the console you type print with the additional keyword oid, you will see the exact numbers which are necessary to read exactly these values. Unfortunately not for all status measurements in every RouterOS configuration menu or submenu will you have them, but at the moment there are a few workarounds if you just look from the RouterOS perspective. The first thing is to create dummy bridges; each bridge has its own set of OIDs, then you can rename that bridge and read the readings from the bridge. Also, if you create dummy scripts which do nothing but just hold values for external monitoring: I think these OID values are not even included in the MikroTik MIB file which is available publicly, but if you scan it with a MIB scanner you will see that each script also has an OID value which you can read out. And I heard that in the near future, at least it was one source from MikroTik telling, possibly there will be an option to define your own custom OID values, so you can put in that OID any system command and the OID will return that value. On the other hand, while waiting for that, from the Dude server you can do it already: you can configure any system command for the device which returns some values, and you can read it over SNMP from the Dude server. So that's about the environment.

To enable SNMP you just need to go to the SNMP settings; if you click the checkbox for enabling it, be careful: it starts listening on all the IP addresses of your router, so you need to think of the firewall; otherwise now anyone who can reach your router can also read your SNMP settings, and I doubt that's what you wanted. SNMP has two major information distribution methods. The first one is that there is an external server, like the Dude server, which is connecting to your router and asking for specific IDs, like we saw in the previous slide; here on the right side, at the bottom, you see these OID values, like for the active fan they start with 1.3.6 and so on, so just providing the value, the router returns back the last measurements for these values. The second approach is the trap thing, where your router can actually proactively send out to monitoring servers some notifications in case something triggered or happened in your router, so there is a command send-trap which you can use; of course you need to have a monitoring server on the other side. For example, here in the configuration you can see that a trap will be sent out on each triggering of the interface, but anyway from scripts you can also do it, combining with the scheduler. Then, I already mentioned the Dude server; for those who don't use it, there is good news: since RouterOS 6 sub-version 34 we can say that the Dude actually is alive once again; it was on standby for some time, now it has resumed and already new features are arriving. What you can do here is not only monitor but also do centralized management of your devices and also provide SNMP data for external systems. The good news is you can now install it also on CHR routers, just as an additional software package, and it's free, so if you have not used it, I suggest you try one.

Then there are also some quite simple tools which you can use for monitoring; for example, under Tools there is Netwatch, where you can just specify the remote host address, give the interval of how often you want to ping it (so it's based on ICMP messages), and provide a timeout, how long you are about to wait for the answer to come back. Then you can have triggers for situations when it comes up and goes back down; even if you don't do any rules there, anyway you have a status for the exact host, like here from my lab, 8.8.8.8 was down since April 28th, so since then, after 8 minutes, possibly it's down. So once again, here you can have multiple hosts for measurement; you can react with your routing, like if your primary ISP is down you go to the second one, or if your web server is down you send a trap or email or SMS to the administrators, so that they find it out first from your monitoring and not from your customers. If the Netwatch tool is quite well known, then the traffic monitoring tool actually is used less. If you have some important links which shouldn't be overloaded, here is a possibility to measure and put some triggers and thresholds if your traffic flow either exceeds or is below some threshold, like we configure here; so you specify it per interface, and if the threshold is reached, once again you can provide some action on the event; here for example the router just beeps if the threshold on ether4 is above 100 megabits per second. The documentation doesn't say how quickly it reacts, but from my experimentation I can say within one to two seconds it already triggers, and I think it's pretty good. So once again, if you have important links it's good to have such traffic monitoring in place. If you would like to go more advanced and look also into the content of the traffic, at least at the header level, then you can enable IP Traffic Flow and have some NetFlow-compatible analyzers; at the European MUM my colleague Lorenzo had a nice presentation, so you can search online for how to do it. Here you could also see in the analytics some deeper analysis about who is consuming your traffic and where they go, so not only whether it's above some threshold and possibly the pipe will be exhausted soon, but also what actually is responsible for that.

Now if we move a bit ahead and look at some designs from architecture for high-availability solutions: if you want to build a network with three or more nines, it's something like 99.9% uptime and more, or four, you need to avoid a single point of failure. I've seen several situations where actually you have made such a design, everything is okay, but you have no monitoring: so you had a master router, you had a slave router (or the same can apply to switches), and after some years, say, the first router, either because of the PSU or some other reason, is not in service anymore; no one noticed, the network continues to serve, and after some time there is also some trouble with the second router, so then what about our high-availability solution? So once again, with three nines, as you see here, for one year it's almost nine hours of downtime per year; if you cannot afford that or need a higher service level availability, then for sure you go with a VRRP solution like that here, but also do monitoring on your systems to avoid such problems. Sometimes it's a good question when you buy your router how long actually you should use it in operation and when it's time to exchange it, even if it's still serving after eight years. If you look at the warranty term, of course it's usually not that long. Here once again, if you have high-availability solutions and you do monitoring, then you can afford to use the equipment longer; otherwise, if you do it for more than five years, I can warn you there is a risk that it's not new equipment anymore, and the risk rises each year in usage. So once again it leads back to thinking about monitoring, or, if you have a high budget, when the warranty is over you can place a new board, upgrade, and all the time use the latest technologies. So I think you got my top 9; it was the lack of monitoring.

Let's go to top 8, DNS issues. If you look now on the left side, this is how we enable the DNS service in the MikroTik router, just this one checkbox, and the router starts listening on the DNS port, so if you have no firewall, anyone can use your DNS service. Maybe you have no problem with that; if they do it properly, it's light traffic. But there's a problem if you look on the right side: there might be situations, I've recently also seen several, where at one moment you receive a lot of DNS requests coming in, and this is something like the thunderstorm we had here with a lot of lightning in Dallas just recently, and these are not real users but actually hackers playing games. What's happening there: two main scenarios of what they try to accomplish. The first thing is they send a request in the name of some victim; let's assume American Airlines is the victim, so it's arriving from AA's IP address, and the idea is that your router will respond back, now already with the router's source address, and it's exhausting American Airlines servers' downstream and also their DNS servers' CPUs and memory, and what they see is that the reply is arriving not from the attacker's address but from your router, so you are kind of responsible here also for this action. So be careful, this is one misuse. And here's an interesting nature also for the traffic: the requests are smaller from the traffic perspective than the answers which arrive back, so actually the hackers are also having some kind of snowball effect: they are growing the packets, and you receive them back larger if they request them in the proper way. The second thing is that those requests can also arrive from spoofed, but now multiple, sources, and they ask DNS questions for one specific domain, so your router then goes to the DNS server who is responsible for that domain, and once again it makes a DDoS, distributed denial of service attack, as it's done not only via your router but via a lot of routers. So now what you can do is provide filters; below are two examples, one for UDP, the second for the TCP protocol, which won't allow such requests from external interfaces. Once again, for your local LAN that's fine, but now external hackers cannot do it anymore.

The second thing I wanted to note is a bit different but also stands for DNS issues: DNS provisioning in networks where you have Microsoft Active Directory and you use the MikroTik router as a DNS server. It's a quite typical mistake when you send out two DNS servers where one of them is actually part of the Active Directory, so belonging to it, and the second one, like here the Google 8s, is an external DNS server; so you provide them like for redundancy, but the problem is that the clients choose DNS servers by a round-robin algorithm: sometimes they hit the local one, sometimes the external one, and if they hit the external one, then the external one doesn't know anything about the local SRV and other records, so it's not providing an answer and those users experience delays; and once again they hit the right one and everything just works quickly. So because of the external DNS here it's a problem; if you do Active Directory, be careful; if you don't have it, you're good.

Next we go to firewall inefficiencies. There are a lot of scenarios here, but I have picked out the most popular one. Let's assume you have a web server in your network, and if you look below at rules from 1 to 8, you can have multiple rules which actually try to protect your web server, like there are seven rules for a whitelist, and also everyone can go to ports 80 and 443. If you don't have the first one, which says that your web server can also go everywhere, then the packets which now come back from the web server and go to the Internet (these are all upload, and these are actually more packets than the requests) now travel through the whole rule set: they check "do I have a match here? here?" and so on, till rule nine, oh no, okay, and now after that, as it's an implicit allow at the end, it means okay, we are free to go. So each of your packets from the web server to the Internet runs through all those rules; here I have only eight such rules; if you have 100, each rule takes time and your web server responds slower. There are analytical tools also provided by Google and other vendors where you can check what the response time of your web server is, and you can even, with a script, generate a thousand rules and just view and compare what the difference is, how quickly the web server can then react back. So here the solution is: first of all, if you want to allow your web server to go anywhere, actually this is the same as if you didn't have this rule, but only after it checks all those rules from 1 to 9; then you provide here just a simple rule but place it above all the others; this has a match for all upload traffic coming from the web server going to the Internet, and these packets are not checked anymore by the following rules. So this is how you can have higher efficiency. Good.

Next we go to NAT issues; it's top 5 in my list. First of all, why do we need NAT at all? If you look now on the left side, I have drawn just a small typical LAN network, and there on the right side, approximately 160 milliseconds from here, we have the MikroTik web server from which you download your software updates. When we send now a packet from our LAN to mikrotik.com, here on our router, if it's a private address we need to do NAT. What NAT is actually doing is replacing here your source address, the original source address, with the external address which you have on the output interface of your router, so it swaps the original, puts this one inside, and then sends it over the cloud to Latvia. If you didn't, then even if the packet reached Latvia (possibly it would be killed already on the path), if it reached, it's an unsolvable problem now for the MikroTik router to figure out where to reply: to network 10.0.0.0, but it's a private network, so now no idea where to send it. If you change it, then it arrives with your external address, which is reachable over global routing, so this is what NAT is doing. The problem here is that quite often people don't pay so much attention to the NAT details and they have just such a rule which says "I don't care about the matches, just masquerade". So actually it also masquerades your packets from the LAN to the MikroTik server, but where is the problem? If you have, first of all, multiple subnets in your network, then you also masquerade your local traffic from one network to another one, and the packet now arrives in a different network not anymore with the real source address but with the address which was on the router's interface via which the packet left the router. So in the log files now in network 10.1.1.0/24 you don't see the real senders anymore, but we see our router as the client sending packets. Okay, this one is just some limitations for applications and log files; then here is also a bit more severe problem. Now let's look from the external interface perspective: let's assume this one, ether3, is your external, and here is the external subnet as a connected route. So now anyone who is in this external subnet can send into your router a packet where the destination IP address is one of your networks and the destination MAC is the router's, and your router, after receiving such a packet, with the default settings will send it to the local networks, and as you have a masquerade, it will delete the external IP, replace it with the IP which is on the router, and your LAN users and servers will receive it from the local network, and by default firewalls accept packets from local networks. So you are now happy to talk with external hackers because of such NAT. Possible solutions: first of all, to be more specific in the NATting; this one still doesn't prevent an external packet from arriving into your LAN; be careful, NAT is not providing any protection, so if the external packet still arrives, the routing will deliver it unless the firewall drops it. So the additional thing you can consider is to have a firewall rule in the forward chain which matches packets where they come in from the output interface, in my slide it would be ether3, and where the destination is either anything or your local networks, and you are interested in new-state packets; so if you have them, I strongly advise you to drop them, unless you have some real web servers which have to be publicly available, and also have some monitoring: if you have counters here, someone is attacking you, so be careful, this one is the red threshold, which means someone is trying to attack your LAN from the just connected route of the external connection. The second NAT issue which is quite usually observed is related to IPsec tunnels: in the MikroTik router IPsec is processed after NAT, so if you do nothing, these packets don't match the IPsec policies anymore. So if you have an IPsec policy, before the NAT rule you actually need a source NAT accept rule, like here; in the console you don't see any action, it means it's accept, which prevents those IPsec packets from being masqueraded. If you don't have it, IPsec phase two won't come up; phase one can still connect, phase two no. If you have something like that, think of the NAT issue. All right, that's for NAT.

In top 5 we go now to allowing IP spoofing through your networks. I saw that also at this MUM we have another, more detailed presentation about this topic, so I'll just briefly emphasize it, as it's also in my top ten list. So you can ask yourself a question: if you had such a network and someone is sending a packet from a spoofed IP address, like all 13s, going to mikrotik.com, will your router allow such a packet to get through your network and actually go to mikrotik.com? There are two things which are influencing this. First of all, the routing decision: by default, if you have no additional settings, the router will look only at the destination IP address and compare it with the routing table; if it's a small network, possibly you have a default route, which looks like all four zeros slash zero and is the default gateway, and we send it out without caring what the source address of the packet was. Otherwise, if you didn't do anything at the routing level but had a firewall rule which says that from the local network it's allowed to go out via the output interface but from any other network which does not originate from my local one it's disallowed, then you would solve this problem at the firewall level. I would say, from all the configurations I've seen, there are less than 5% who do it here at the firewall level, less than 1% who do it at the routing level, so more than 90% are those who just don't care about these packets which go through the router. If you wanted to do some experiments, MikroTik has a very powerful tool; maybe it's good that it's not that much advertised, otherwise you could start misusing it; it's called Tools > Traffic Generator, and here you can construct your own packets, like here with your own source addresses; for a well-known reason I didn't put here the IP address of mikrotik.com, in case someone is just doing copy-paste. You can fill in protocols, ports, and even inject pcap files which you captured with the sniffer, so if you want just to record some VoIP telephone call and later inject it here, if the SIP invites and other packets are properly configured, you can actually teach your router to call someone over SIP and also tell something. So there is a possibility, but here the emphasis at the moment is on constructing fake packets, for sure for experimentation, not for bad purposes, and sending them via your router. I have also one publication where I do experimentation in Latvian networks about spoofing; if you are also in research and are interested, it's listed under IEEE and it will be here in the presentation, and if you also do papers, I'm very happy if you like it and cite my publication; it helps me at the university. But otherwise there's also a well-known tool, maybe there exist others, like here spoofer.caida.org, where you can download their application, and what they say it does is it's sending now via your router (this is like your PC) to a lot of their sensors in different geographical locations packets with fake source IP addresses; then after that you can have a report of to what destinations actually and to what extent you were able to spoof: either you can put any address and it will arrive somewhere, or you are limited just to some scope of spoofing. On major Latvian Internet providers it was a /8, so 2 to the power of 24, something like 16 million addresses on each of them, in between which you can actually do spoofing. You can test your networks also if you like. So this is the top one of the top issues; if you want to close it, the easiest way is in IP > Settings, the reverse path filter. By default it's in "no" mode, and if you want to go really strict, there is strict mode, which when the packets arrive compares the source address of the packet with the routing table of your router and looks if there is a backwards route: for example, the packet arrived on port 1; if there is a backwards route to that destination, which is the source IP of your packet, to the same interface where it arrived; if not, it drops it at the routing decision level; if it is, then it passes it to the firewall, and if you have something in the firewall you can check additionally. The routing checks work much faster than firewall lookups, so this would be your first choice for spoofing prevention. That's fine.

Now we go to bridge issues, top 4. First of all, for those who are new to RouterOS, I'll try to draw a simple picture of what a bridge is and where you use it. So you can think, when you create a bridge (here are the command lines to do that), you have created a switch without any ports; it's powered, it's running, even the LCD display here can show some messages, but no ports in the switch, so actually not a big value in that. Then when you start adding ports to the bridge like this, the second step starts: you now take a port, for example ether2, and add it to the bridge; at this moment we have a one-port switch. MikroTik actually now has the mAP lite, the latest unit, which comes with just one Ethernet port, so something like that. Next, if you add a second interface to the bridge, now you have two ports. For switches the decisions are quite easily reachable: what they do is look in the switching table, and if they don't know where to send a packet, they send it out all ports except the one they received it on, so it's just a simple approach. The major problem now with bridging, what I see as an issue, is when you start bridging together broadcast domains which shouldn't be together, for example external lines with the LAN lines. If you take just a new MikroTik router from the box, there is a default configuration which says that ports ether2 to ether5, or however many you have, are in one bridge, so in the LAN they also do chip switching or bridging, which happens at the hardware level and is not consuming CPU resources, but anyway you can consider from the logical perspective that they are in the bridge. So now when someone bridges ether1 together here also in the same bridge, we have created this red line, and now anyone who is on the external network within this broadcast domain can also communicate at layer 2 with your internal LAN, so basically use IP addresses of your network, provide DHCP services for your network, maybe receive DHCP addresses from your servers, and so on. So this is the first bridge problem, and actually very popular; I've seen it in different implementations where you have bridged together external and internal interfaces. The second problem here, I've seen also quite similar, is that you plug a WAN cable not into the WAN port but just into any of the slave ports; so here we have PC1, PC2 and so on, but also the external connection is plugged into your local network; once again you have in the bridge external and internal networks, so if the provider is providing a public IP, your local PC can receive it. By the way, did you know there is a small delay by default on MikroTik DHCP servers? If you don't change it, other DHCP servers without delays can serve more quickly, so be careful; you can change it under IP > DHCP Server; there is a delay. And also a small note related to bridge issues is with the DHCP server and similar processes like hotspot and so on: when you have a bridge, you should put that service also on the bridge, not on ether3 like here, and here in Winbox you can see some help: if you notice some outputs in red color, it leads you to think that something is not okay; so here with the DHCP server the most popular problem is with bridging; once again, it should be on the bridge. All right, that's about bridging.

Next we go to, and this is already a top 3 problem, more frequently observed and also with higher severity in what it can do to you: that's the PoE connection. Maybe you have seen such PoE adapters; MikroTik has two of them, one for gigabit networks and one for 100-megabit networks. Here on the left side you see just a regular RJ45 connector; it has eight wires, and the MikroTik PoE standard says that on wires 4 and 5 we do DC plus and on 7 and 8 DC minus. If it's a gigabit network, then both data and power are served over the same wires. This adapter is supposed to provide data and power to the router, but not to the user stations; like here, if we now connect a laptop to the data-and-power output of the adapter, then actually this is something like "hello" from direct current to your laptop, and if you can burn router ports with such a wrong approach, I believe you can damage laptops also. What I've seen: two damaged in my life; I believe there are many more. But be careful also with the voltage: MikroTik supports a wide range of input voltage, starting from 8 and going to, depending on the model, either 30 or 50 or even more volts, so for higher DC voltage there is a higher probability of burning your card; there is a correlation here. On the other hand, now there was a tornado and lightning in Dallas; if you need some reason for the big boss of your company to upgrade your routers, with such an option you can also burn down existing parts of your device; the warranty is not covering it for sure (there is actually a quite easy way to measure if there was an over-voltage or not), but at least you have some evidence for your company and can upgrade to higher technologies. Please take it as a joke, but maybe it helps. So the proper usage of PoE would be to connect just the PoE jack to the laptop; here we provide DC, and actually there are not a lot of people who know that, but you can simultaneously feed your router from two power sources, so using the jack and simultaneously over PoE; the router will use the source where you have the higher voltage, so you actually have redundant power supplies here. If you have something like solar panels, they can also go here, as the voltage is not strictly limited, so if it's like the hAP ac, the latest version, from I think 8 or 10 to 50-plus volts, you can go a wide range, and using such a reserve power supply system I believe it can raise the service level of your router significantly. So that's in my top 3; you can consider it, maybe you've tried it also and the laptop part is still working.

Okay, now in top 2, I call it "waiting for hackers"; it looks something like that if you look in your log file; remember, the red color in Winbox is not the best thing to experience. So by default this list of services is available for the management purposes of your router: as you see, API, FTP, SSH, Telnet, Winbox and also the web ones. If you install the Dude, the Dude is also there on port 2211 by default, and so now it's a question of a firewall for you to protect your networks; even if you do some protection here in the IP Services list, it helps, but I leave here also one best-practice firewall which you can use. The idea is first of all to drop invalid; actually even if you didn't drop invalid connections, they would be dropped in the end, but you have some counters to see if someone is playing games with you; then you would allow established, then whitelist services from exact addresses, and then drop anything else. So with such an approach you are done with these, but there is a more hidden black hole, or backdoor, as you like it better: it's called MAC telnet and MAC Winbox. I've seen a lot of cases, even in major networks where they use MikroTik, where MAC access is still available. I recently was in New York, and also in the Empire State Building I saw some MikroTik routers; they were well protected, but MAC access was open. So it allows an attacker to do brute force against the usernames and passwords in your router; these routers will have those red entries in the log files and will show the attacker's MAC address, but if the attacker succeeds before someone notices, then the attacker is inside. In the latest RouterOS versions, if you look at the default configuration, now MAC access is allowed, and be careful, there are two services, MAC telnet and MAC Winbox; if you do it from the Winbox application, it goes via MAC Winbox, but if you download from mikrotik.com, there is a MikroTik Neighbor Viewer application for Microsoft Windows where you can see nearby routers, and from there you can also do MAC telnet; so actually two backdoors here. So the best practice is to disable them on external interfaces; otherwise, even if you have a very strict
firewall which blocks anything new from outside still you have two back doors here available all right that's it try to guess what is in my top one username admin no password here on the left side this is a Rooter which wasn't available just 30 minutes ago in the AAA Wi-Fi network this is the serial number of the router and so it looks username admin no password so anyone who is willing can't can come in and leave a greetings so the best practice is here in system users is I would recommend to rename admin to a different so a different username and for sure here's a password button to set a password so it it's in my top one if you have also noticed regarding the the same thing and if you go via web browser to a router which has ADD been no password then the web browser actually is doing an auto log on to the web interface without asking a hacker to try admin no password because anyway it would be the hackers first drive so the hint to help hacker save some time here and once again if you if you are responsible for security in your networks what you can do even if you have a large network you can scan your network first of all for routers where 8 to 9 1 which is a win box port is open and then you can have a small script which tries to also connect their to the web port so if the port 80 is open and you properly provide HTTP request the remote system will respond you with the exact code which actually is loading here you to the very vague access then even without breaking in in a router so you are not like approaching the thresholds of wall here you are just opening a website but the website says there is admin now password because you are loaded somewhere else well alright these were my top 10 miss configuration issues have observed in a long time experience I hope maybe you found something interesting and valuable what you can improve that's it from my side I still have few minutes if you have questions to ask thank you on this here is what first question yeah can 
I go back to the DNS slide this one or DNS DNS the body tour for the one where you specify the IP firewall where you see new connection I just wanted to ask a question you mean somewhere in the middle of presentation here in the presentation the DNS way you spoke about DNS for DNS issue you may need let's go yeah yeah there now why don't you just imply specify why do you have to specify the new connection that connection state new I'm specifying here a new connection as it's coming from outside of the internet and in some specific cases you can also ask a question from your router if you do masquerading to outside of the world from ports 53 and if the replay comes back from external DNS server also to the same port of 53 it's not very common but might happen then you can actually now distinguish which is the reply packet coming braaap back on the question your ruler ask and which is a new request coming in no this is the reason thank you any more questions okay now if now if they're not everyone yeah cubbies oh sorry sorry yeah you're talking about in the scan fluent Box logins is there a way to also do another script to change them all on the network if you if you know what the username password is and you want to take it to the update about the passwords right yeah well no change to take to change the admin login well well technically it is I won't show you how but in Europe now we are working on new law actually here is also interesting threshold in which moment you are guilty for a hacking of router in Europe now we are going to the state where if you have just guessed the password and can login into a system and you don't spoil anything then you are about you are supposed to inform the owner or administrator of this system and give them a warning and if they within 30 days are not solving that then you can publish your results wherever you want but you are not allowed you are not allowed actually to spoil anything there but you are allowed to come in so 
updating the password would be considered already as of a spoiling of configuration thank you any more questions yes I in DNS example where you had a Active Directory you you had a case where exactly so if it's a round robin so what if you have only one Active Directory server and that fails there is no there's no really solution for router to use the different DNS server provide redundancy you can provide several DNS service it's a good question but only such which belongs to Active Directory and can answer Active Directory related DNS questions for sure it's good practice to have several that's right thank you any more yes yeah I have several CPE that I have the admin as the username but I have it I thought a pretty secure password it's a bunch of letters and uppercase and lowercase don't mean it's not a word but they've been hacked and password change so the only thing is go out there at the customer site replace the CPE or if it happens to be a board that's got an Ethernet connection on it I can go back and reset it there but I mean I need to add a serial connection so if I've been on the website and ask questions on them and there doesn't seem to be anybody saying yeah there is a vulnerability or not it must be since I've had several CP that's been changed okay and thank you thank you for the question I understand the problem the admin password was changed and it was kind of secure one what I would say and where I would search the problem first of all it's much easier to sniff the password then to brute force it so if you are not using a secure connection this is this means wind box and also in wind box on the right corner you can see a yellow key if it's locked you do secure if it's not you to unsecure if you go over Mac there might be some problems if you do telnet or web without HTTPS there for sure our problems on the transport level peel your router so it's much easier first of all to catch it in either the wire or Wireless this is one thing the second 
thing you can check your PC if you don't have Troy and horses and key loggers another approach how hackers do it and much easier than to brute-force it and the last thing is you can check out that they have maybe some physical access and they can play games with the router directly otherwise if none of those three are here you can come up also here in this auditorium with the proposal with some honorarium to to someone who will find also a way how to hack your router and will show you so there is another approach like honeypot approach here which you can which you can use but still if you have admin and a strong password then for the hacker is just to guess or search for the password otherwise if it's username and password it multiplies the complexity here thank you any more questions thank you on this enjoy the mum thank you
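The firewall order, the MAC Telnet/MAC Winbox restriction and the admin-rename advice from the talk, gathered into one RouterOS CLI example. This is an added illustration, not configuration shown in the talk; it assumes RouterOS 6.41 or later syntax (interface lists), a bridge named bridge1, a constructed management subnet 192.0.2.0/24 and a placeholder user name and password.

```routeros
# Added example (not from the talk). RouterOS 6.41+ syntax; bridge1,
# the subnet 192.0.2.0/24 and the user "netadmin" are constructed placeholders.

# Interface list that marks the LAN side; used to scope MAC access and discovery
/interface list add name=LAN
/interface list member add list=LAN interface=bridge1

# Input chain in the order the talk gives: drop invalid (its counters reveal
# scanning), accept established/related, accept whitelisted management
# services from exact addresses only, then drop and log everything else
/ip firewall address-list add list=mgmt address=192.0.2.0/24 comment="constructed admin subnet"
/ip firewall filter
add chain=input connection-state=invalid action=drop comment="drop invalid"
add chain=input connection-state=established,related action=accept comment="accept established"
add chain=input src-address-list=mgmt protocol=tcp dst-port=22,8291 action=accept comment="ssh+winbox from mgmt only"
add chain=input action=drop log=yes log-prefix="input-drop" comment="drop everything else"

# The two "back doors": MAC Telnet and MAC Winbox answer on LAN interfaces only
/tool mac-server set allowed-interface-list=LAN
/tool mac-server mac-winbox set allowed-interface-list=LAN
# Neighbor discovery (what Neighbor Viewer and the Winbox scan rely on) on LAN only
/ip neighbor discovery-settings set discover-interface-list=LAN

# Unused management services off; the remaining ones bound to the mgmt subnet
/ip service disable telnet,ftp,www,api
/ip service set ssh address=192.0.2.0/24
/ip service set winbox address=192.0.2.0/24

# Top-one fix: a named full-rights account with a password, default admin disabled
/user add name=netadmin group=full password="CHANGE-ME-placeholder"
/user disable admin
```

Apply it from a session on the management subnet, since the final input-chain drop and the service address limits cut off any session that does not match the whitelist.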
Info
Channel: MikroTik
Views: 115,786
Rating: 4.8802395 out of 5
Keywords: mikrotik, routerboard, routeros, latvia
Id: BkZHRD6svQU
Length: 63min 45sec (3825 seconds)
Published: Thu May 05 2016