# Mikrotik Port Service

## API Port Enable

The Application Programming Interface (API) is a service that lets custom software talk to the router, to read its state or to change its configuration. It listens on TCP port 8728 by default, authenticates with the router's user accounts, and the session is not encrypted, which makes it a frequent brute-force target. Change the port, or better, disable it when it is not in use and restrict it to management addresses when it is.

## API-SSL Port Enable

API-SSL has the same function as the API, but the session is protected by TLS, so credentials and configuration data are not sent in the clear. It runs on TCP port 8729 by default. Assign a certificate to it in /ip service so that clients can verify which router they are talking to. Change the port or disable it when it is not in use.

## FTP Port Enable

RouterOS also runs a standard FTP service on TCP ports 20 and 21, commonly used to upload or download files on the router, such as backup and export files. It authenticates with the router's user accounts, and both the credentials and the file contents cross the wire in cleartext. It is a frequent brute-force target: change the port, or disable it when not in use and transfer backups over SFTP (which runs over SSH) instead.

## SSH Port Enable

SSH is the secure way to reach the router console remotely. It serves the same purpose as telnet, but the session is encrypted, so credentials and commands cannot be read off the wire. RouterOS listens on TCP port 22 by default. SSH is a constant brute-force target: change the port, or disable it when not in use, and restrict it to management addresses.

## TELNET Port Enable

Telnet offers almost the same console access as SSH, but with limitations and a low level of security: everything, including the login, is sent in cleartext. RouterOS telnet uses TCP port 23. It is a frequent brute-force target; change the port or, preferably, disable it and use SSH.

## WINBOX Port Enable

The service that the Winbox application connects to; Winbox is the familiar graphical tool for managing a RouterOS device remotely. It listens on TCP port 8291. Several older RouterOS versions have known Winbox vulnerabilities that are exploited in bulk (see "Anti Hack from EXPLOIT" below). Changing the port keeps the router out of mass scans for 8291, but it is not a fix: update RouterOS and keep the port unreachable from the Internet.

## WWW (webfig) Port Enable

Besides the console and Winbox, RouterOS can be managed from a browser through WebFig. It uses the standard HTTP port, TCP 80, and plain HTTP sends the login in cleartext. Change the port or disable it when it is not in use, and prefer WWW-SSL.

## WWW-SSL (webfig) Port Enable

The same browser-based access as the WWW service, but over HTTPS: the router presents a TLS certificate and the session between the router and the remote client is encrypted. The default port is TCP 443. The service needs a certificate assigned before it will start. Change the port or disable it when not in use.

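As an added example (not the page's generator output), the following RouterOS commands apply the advice from the eight entries above in one place. Assumed values: the management LAN is 192.168.88.0/24 (RouterOS's default), the new Winbox port is 58291 and the certificate is called mgmt-cert; adjust all three to your network.

```routeros
# Added hardening example; 192.168.88.0/24, port 58291 and the certificate
# name are assumptions, not values from the page.

# 1. Plaintext services: credentials cross the wire unencrypted and all four
#    are hammered by brute-force bots, so switch them off.
/ip service disable telnet
/ip service disable ftp
/ip service disable api
/ip service disable www

# 2. Encrypted services: keep them, but only for the management subnet,
#    and move Winbox off 8291 to drop out of mass scans.
/ip service set ssh address=192.168.88.0/24 port=22 disabled=no
/ip service set winbox address=192.168.88.0/24 port=58291 disabled=no
/ip service set api-ssl address=192.168.88.0/24 port=8729
/ip service set www-ssl address=192.168.88.0/24 port=443

# 3. api-ssl and www-ssl present a certificate; a self-signed one that the
#    admin pins is fine for a management interface.
/certificate add name=mgmt-cert common-name=router.lan days-valid=3650 key-usage=digital-signature,key-encipherment,tls-server
/certificate sign mgmt-cert
/ip service set api-ssl certificate=mgmt-cert
/ip service set www-ssl certificate=mgmt-cert disabled=no

# 4. SSH: reject weak ciphers and MACs.
/ip ssh set strong-crypto=yes

# 5. Check: every row should now be either disabled or bound to the
#    management subnet.
/ip service print
```

Paste the block into a terminal session or save it under System > Scripts. After `/ip service print`, any service that still shows an empty "address" column and is not disabled is reachable from everywhere the router is.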
# Advanced Router Security

## Hide Discover Interface Broadcast

RouterOS announces itself on layer 2 through the MikroTik Neighbor Discovery Protocol (MNDP), so that MikroTik devices on the same broadcast domain can find each other. Devices that understand MNDP or CDP learn the router's identity, MAC address, IP address and other details from these announcements; the most familiar example is the Neighbors tab in Winbox, which lists every router reachable on layer 2 from our network. Anything that can see these announcements gets a ready-made inventory of your routers, so limit discovery to the interfaces where it is actually needed.

## Protect login from Mac Address

Disabling discovery does not stop logins by MAC address. Anyone who already knows or has saved the router's MAC address can still reach it from the same layer-2 segment over MAC-telnet or the MAC connection in Winbox. To prevent MAC-based access through Winbox or telnet, turn off the MAC-Server feature on the router, or restrict it to trusted interfaces.

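Added example for the two entries above (Hide Discover Interface Broadcast and Protect login from Mac Address); it is not the page's script. It assumes a RouterOS version with interface lists (6.41 or newer) and the LAN/WAN lists that the default configuration creates.

```routeros
# Added example, not the page's script. Assumes interface list LAN exists.

# Stop announcing the router (identity, MAC, IP, version) via MNDP/CDP.
# 'none' silences every interface; use discover-interface-list=LAN to keep
# announcements on the inside only. Pre-6.41 releases use
#   /ip neighbor discovery set [find] discover=no
/ip neighbor discovery-settings set discover-interface-list=none

# Disabling discovery does not stop MAC-telnet, MAC-winbox or MAC-ping:
# anyone on the same L2 who already knows the MAC can still log in.
# Restrict them to the LAN list, or set 'none' to switch them off entirely.
/tool mac-server set allowed-interface-list=none
/tool mac-server mac-winbox set allowed-interface-list=none
/tool mac-server ping set enabled=no

# Check: both lists should read 'none' (or LAN) and ping 'no'.
/ip neighbor discovery-settings print
/tool mac-server print
/tool mac-server mac-winbox print
```

If you rely on MAC-winbox to recover a router whose IP configuration you broke, keep `mac-winbox` on the LAN list rather than `none`; the WAN side must never be in it.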
## Enable Bootloader Protector

RouterOS has a feature that protects the device against physical tampering, specifically against use of the reset button: "Protected RouterBOOT". When it is enabled, the reset button and the pin-hole reset no longer work as they normally do, and access over the serial console is disabled too, so someone holding the device cannot reset the password or the configuration. If you ever lose the login yourself, the only way back in is the reformat-hold-button procedure, which wipes the device completely, so keep that in mind before enabling it.

Note: on newer RouterOS versions the setting does not take effect until you confirm it by pressing the reset button within 60 seconds of applying the script.

## Btest Server Enable

RouterOS includes a bandwidth-test (Btest) server for measuring the throughput of a link that has been set up. If an outsider can reach it, they can make the router generate or absorb test traffic at will, exhausting the uplink or driving the CPU to 100%. No network administrator wants that, so keep this feature off and enable it only for the duration of a test.

## Enable RoMON

RoMON (Router Management Overlay Network) is a MikroTik-proprietary protocol, supported only by MikroTik devices. Each participant is identified by a RoMON ID derived from the router's MAC address; RoMON-enabled devices discover peer MAC addresses and forward management traffic to each other independently of IP routing. If you do not want your router's MAC address advertised across the whole network, disable RoMON.

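Added example covering the three entries above (Enable Bootloader Protector, Btest Server Enable, Enable RoMON); these lines are not the page's scripts. The reformat-hold-button values are RouterOS's own defaults, repeated here so that they are set deliberately rather than inherited.

```routeros
# Added example, not the page's script.

# Protected RouterBOOT: the reset button, pin-hole reset and serial console
# stop working, so a thief with physical access cannot reset the password.
# reformat-hold-button keeps one escape hatch for the owner: holding the
# button for between 20 s and 10 min performs a full wipe (defaults).
/system routerboard settings set protected-routerboot=enabled reformat-hold-button=20s reformat-hold-button-max=10m
# On recent RouterOS the change only takes effect after the reset button is
# pressed within 60 s of the command; confirm it stuck:
/system routerboard settings print

# Bandwidth-test server: anyone who can reach it can make the router
# generate or absorb traffic and burn CPU. Off unless actively testing.
/tool bandwidth-server set enabled=no

# RoMON: L2 management overlay that advertises the MAC-derived RoMON ID.
/tool romon set enabled=no
```

Test the wipe procedure once on a device you can afford to reinstall before relying on it, and record the hold times with the device's documentation; without them a locked-out router is a brick.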
# Optional Router Security

## Protect Port Service from Internet

Keep the default service ports used by RouterOS (telnet, ssh, ftp, winbox, www and api) unreachable from the Internet, and disable any service you do not use. If you moved a service to a custom port, add that port to the rules yourself.

## Anti Hack from EXPLOIT

This vulnerability (CVE-2018-14847) let a special tool connect to the Winbox port and request the system user database file, that is, the router's credentials, without logging in. Affected versions: all bugfix releases from 6.30.1 to 6.40.7, current releases from 6.29 to 6.42, and release candidates from 6.29rc1 to 6.43rc3. Upgrade to a fixed release (6.40.8, 6.42.1 or later) and keep the Winbox port unreachable from the Internet.

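Added example serving both entries above (Protect Port Service from Internet and Anti Hack from EXPLOIT); it is not the page's generator output. It assumes the WAN and LAN interface lists from RouterOS's default configuration and an admin LAN of 192.168.88.0/24. The port list contains the defaults from the first table; replace them with your custom ports.

```routeros
# Added example, not the page's script. Interface list WAN and the subnet
# 192.168.88.0/24 are assumptions.
/ip firewall address-list add list=mgmt-allowed address=192.168.88.0/24 comment="admins on the LAN (assumed)"

/ip firewall filter
add chain=input connection-state=established,related action=accept comment="accept established/related"
add chain=input connection-state=invalid action=drop comment="drop invalid"
# Management ports arriving from the Internet side are dropped first, so a
# spoofed 192.168.88.x source on the WAN cannot slip past the allow-list.
add chain=input protocol=tcp dst-port=21,22,23,80,443,8291,8728,8729 in-interface-list=WAN action=drop comment="mgmt ports from WAN"
# Then allow management only from the trusted list.
add chain=input protocol=tcp dst-port=21,22,23,80,443,8291,8728,8729 src-address-list=mgmt-allowed action=accept comment="mgmt from trusted addresses"

# CVE-2018-14847 is reached through the Winbox port, so the WAN drop above
# closes that path; the real fix is a patched RouterOS plus RouterBOOT.
/system package update check-for-updates
/system package update install
/system routerboard upgrade
```

New filter rules are appended at the bottom, below any existing catch-all drop; move them above it with `/ip firewall filter move` before testing. `install` reboots the router, and the RouterBOOT upgrade is applied on that reboot.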
## Memcrashed - Amplification Attacks UDP 11211

Memcrashed is a DDoS amplification attack that abuses Memcached servers listening on UDP port 11211. Memcached is an in-memory key-value cache that web servers use to avoid reading from the database on every request; the more dynamic the application and the site, the more the constant reads and writes to storage slow it down, and the more the cache helps. A Memcached instance reachable from the Internet over UDP, however, answers a small request with a spoofed source address by sending a response many thousands of times larger to the victim, which is what attackers use it for. Filter UDP 11211 at the edge so that no Memcached behind the router can be queried from outside, and drop traffic from source port 11211 if you are the one being flooded.

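Added example for the entry above, not the page's script. It uses the raw table, which runs before connection tracking, so the packets are discarded cheaply even under a flood; it assumes the WAN interface list from the default configuration.

```routeros
# Added example, not the page's script. Interface list WAN is assumed.
/ip firewall raw
# Reflector side: nobody on the Internet may query a Memcached behind us
# (or the router itself; prerouting covers both input and forward).
add chain=prerouting in-interface-list=WAN protocol=udp dst-port=11211 action=drop comment="memcrashed: no memcached queries from WAN"
# Victim side: an amplified flood arrives from source port 11211.
add chain=prerouting in-interface-list=WAN protocol=udp src-port=11211 action=drop log=yes log-prefix="memcrashed" comment="memcrashed: amplified replies aimed at us"
# Belt and braces: do not let a compromised internal host act as a
# reflector either, i.e. no Memcached replies leaving via the WAN.
add chain=prerouting in-interface-list=!WAN protocol=udp src-port=11211 dst-address-list=!local action=drop comment="memcrashed: no reflection outbound"

# Verify the counters climb during a test and look at the logs:
/ip firewall raw print stats
/log print where message~"memcrashed"
```

The last rule assumes an address list named `local` that contains your own subnets; without it, drop that rule rather than leaving `dst-address-list=!local` pointing at an empty list, which would drop all outbound Memcached replies including legitimate internal ones. Since the flood is dropped in the router, it still consumes the uplink; real relief for a large attack has to come from the ISP.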
## Block ACCESS MODEM

Modems and ISP routers ship with a default configuration: a well-known management IP address and a default username and password. Anyone who knows these defaults is a danger to your network, especially if you run a public network such as a hotspot, because they can log in to the modem and change its configuration, the Wi-Fi name or the Wi-Fi password. Change the default password and, on the MikroTik, block client traffic to the modem's address, leaving only the administrator's address allowed.

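Added example for the entry above, not the page's script. Assumed values: the modem or ISP router answers on 192.168.100.1 and the administrator's workstation is 192.168.88.10; both are placed in address lists so that more devices can be added without touching the rules.

```routeros
# Added example, not the page's script. Addresses are assumptions.
/ip firewall address-list add list=modem-mgmt address=192.168.100.1 comment="ISP modem web UI (assumed)"
/ip firewall address-list add list=admin-pc address=192.168.88.10 comment="administrator (assumed)"

/ip firewall filter
# The administrator may still manage the modem ...
add chain=forward dst-address-list=modem-mgmt src-address-list=admin-pc action=accept comment="admin may manage the modem"
# ... everyone else (LAN and hotspot users) is cut off from it.
add chain=forward dst-address-list=modem-mgmt action=drop comment="clients may not reach the modem"

# Check from a client: the modem's web UI must time out, while the admin
# PC still reaches it. The drop counter should rise on each attempt.
/ip firewall filter print stats where comment~"modem"
```

Both rules belong above any general `chain=forward action=accept`; move them up with `/ip firewall filter move` after adding them. The match works because forward sees the packet's original destination before source NAT is applied.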
## Drop TRACEROUTE

To keep clients from mapping our network path, that is, which routers they pass through and via which ISP, we can drop the ICMP time-exceeded replies that traceroute relies on, while still letting the final destination answer. The rules for this drop the replies for intermediate hops only, so a traceroute from a client shows our hops as stars but still completes.

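Added example for the entry above, not the page's script. It assumes the LAN interface list from the default configuration and an address list `trace-allowed` for the one workstation that should still be able to troubleshoot (192.168.88.10 is a placeholder).

```routeros
# Added example, not the page's script. 192.168.88.10 and the LAN list are
# assumptions.
/ip firewall address-list add list=trace-allowed address=192.168.88.10 comment="admin may still traceroute (assumed)"

/ip firewall filter
# traceroute/tracert learn each hop from ICMP type 11 code 0 (TTL exceeded).
# The destination answers with an echo reply or ICMP 3/3, so dropping only
# 11:0 hides the hops while the trace still reaches its target.

# Hide this router itself from traces coming from the LAN side.
add chain=output protocol=icmp icmp-options=11:0 out-interface-list=LAN dst-address-list=!trace-allowed action=drop comment="hide self from traceroute"
# Hide the routers beyond us (ISP/upstream hops) from LAN clients.
add chain=forward protocol=icmp icmp-options=11:0 out-interface-list=LAN dst-address-list=!trace-allowed action=drop comment="hide upstream hops"

# Verify from a client: intermediate lines show '* * *', the last line
# (the target) still resolves.
```

This hides topology from clients only; hosts on the Internet tracing toward you are unaffected unless you add matching rules on the WAN side, which would also hide your own path from upstream engineers helping you debug an outage.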
## ANTI NETCUT

Netcut attacks at layer 2: it broadcasts forged ARP replies so that victims' traffic is redirected to the attacker instead of the gateway. The script below does not stop those frames by itself, but it lets us answer the question of who is misbehaving and cutting our network.

Open System Scheduler and enter this script as "AutoBlockNetcut". It reads the address of the host recorded in the NetcutUser address list into a variable:

```routeros
# AutoBlockNetcut: read the offender recorded in the NetcutUser list
:local a [/ip firewall address-list get [find list="NetcutUser"] address]
```

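As an added example (not the page's AutoBlockNetcut script), the following configuration covers the prevention side: it stops the router from learning ARP mappings from unsolicited replies, which is what Netcut forges. Assumed names: the LAN bridge is `bridge`, the DHCP server is `dhcp-lan`, and the addresses and MACs are constructed placeholders.

```routeros
# Added example, not the page's script. Interface, server and host values
# are assumptions.

# 1. Let the DHCP server write a static ARP entry for every lease it grants.
/ip dhcp-server set dhcp-lan add-arp=yes
# 2. The LAN interface now answers ARP only for static entries and never
#    learns a mapping from an unsolicited reply, so a forged "gateway is at
#    <attacker MAC>" frame cannot poison the router's table. Hosts that are
#    not in the table get no service at all, so do this after step 1.
/interface bridge set bridge arp=reply-only
# 3. Hosts with fixed addresses need an explicit entry.
/ip arp add address=192.168.88.10 mac-address=00:11:22:33:44:55 interface=bridge comment="admin pc (assumed)"

# Naming the offender: on a poisoned client, 'arp -a' shows the gateway IP
# with a MAC that is not the router's. Look that MAC up in the leases:
/ip dhcp-server lease print where mac-address=AA:BB:CC:DD:EE:FF
# and keep an eye on the table the router is actually using:
/ip arp print where interface=bridge
```

This protects the router's ARP table and therefore the gateway-to-client direction. A client whose own cache has been poisoned still sends its traffic to the attacker; that side needs static ARP on the client or switch-level protection.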
## Block Open Recursive DNS

Has your Internet access ever suddenly felt slow? It may be that someone is using your router's public IP as a DNS server: when the router's resolver answers queries from anyone on the Internet (an open recursive resolver), outsiders use it for DNS amplification attacks. The tell-tale sign is unexplained high upload traffic toward the Internet. The fix is to keep answering DNS for the LAN but drop DNS requests that arrive on the WAN interface.

## Block Open PROXY

Prevent the router's web proxy from being misused by outsiders as an open proxy. If it runs on a custom port, add that port to the rule yourself.

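Added example for the two entries above (Block Open Recursive DNS and Block Open PROXY), not the page's scripts. It assumes the WAN interface list from the default configuration, a LAN of 192.168.88.0/24, public resolvers 1.1.1.1 and 9.9.9.9 as upstreams, and the RouterOS default proxy port 8080.

```routeros
# Added example, not the page's script. Subnet, upstream resolvers and the
# WAN list are assumptions.

# The router resolves for LAN clients, which requires
# allow-remote-requests=yes. The same flag answers the whole Internet
# unless port 53 is closed on the WAN side (firewall below).
/ip dns set allow-remote-requests=yes servers=1.1.1.1,9.9.9.9
/ip dns print

# Web proxy: off unless needed. When it is on, its own access list is the
# first line of defence; rules are evaluated top-down and an unmatched
# request is allowed, hence the final deny.
/ip proxy set enabled=no port=8080
/ip proxy access add src-address=192.168.88.0/24 action=allow comment="LAN may use the proxy"
/ip proxy access add action=deny comment="nobody else"

# Second line of defence: drop resolver and proxy requests from the WAN.
/ip firewall filter
add chain=input in-interface-list=WAN protocol=udp dst-port=53 action=drop comment="no open resolver (udp)"
add chain=input in-interface-list=WAN protocol=tcp dst-port=53 action=drop comment="no open resolver (tcp)"
add chain=input in-interface-list=WAN protocol=tcp dst-port=8080 action=drop comment="no open proxy"
```

Verify from outside your network: `dig @<your public IP> example.com` must time out rather than answer, and a browser configured to use `<your public IP>:8080` as a proxy must fail to connect. Move the three rules above any catch-all accept in the input chain.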
## Anti DDoS Attacks

Mitigate DDoS attacks by limiting the number of connections in the firewall rules. When an attack hits, the rules detect a source whose number of connection requests exceeds the configured limit, add it to a blacklist and drop its further traffic.

## Anti PORT SCAN

To reduce the risk and the damage caused by irresponsible parties, we as network administrators and network support engineers are also required to actively maintain and defend the network side. One of the measures available there is to drop traffic from port-scanner tools: a scanner probing many ports in a short time is easy to recognise and can be blacklisted before it finds anything.

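Added example for the two entries above (Anti DDoS Attacks and Anti PORT SCAN); it is not the page's script. The thresholds (100 connections per /32, 400 SYN/s, the psd weights) are assumptions taken from common practice, not from the page; tune them to your traffic.

```routeros
# Added example, not the page's script. All thresholds are assumptions.

# Kernel-side SYN flood defence, independent of the rules below.
/ip settings set tcp-syncookies=yes

/ip firewall filter
# The drop rule sits first, so a listed source is rejected on every
# later packet with a single address-list lookup.
add chain=input src-address-list=blacklist action=drop comment="blacklisted sources"

# --- Anti DDoS ---
# connection-limit=100,32: more than 100 concurrent connections from a
# single /32 puts that address on the blacklist for an hour.
add chain=input protocol=tcp connection-state=new connection-limit=100,32 action=add-src-to-address-list address-list=blacklist address-list-timeout=1h comment="ddos: >100 conns from one /32"
# SYN rate: allow 400 new SYN/s with a burst of 5, drop the excess.
add chain=input protocol=tcp tcp-flags=syn connection-state=new action=jump jump-target=syn-protect comment="ddos: syn rate check"
add chain=syn-protect protocol=tcp tcp-flags=syn connection-state=new limit=400,5:packet action=return comment="ddos: within limit"
add chain=syn-protect protocol=tcp tcp-flags=syn connection-state=new action=drop comment="ddos: syn flood"

# --- Anti PORT SCAN ---
# psd=21,3s,3,1: a weight of 21 within 3 s triggers; ports below 1024
# weigh 3, higher ports 1. Two weeks on the blacklist.
add chain=input protocol=tcp psd=21,3s,3,1 action=add-src-to-address-list address-list=blacklist address-list-timeout=2w comment="portscan: psd"
# Flag combinations that only scanners send (nmap FIN/NULL/XMAS, SYN+FIN).
add chain=input protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list=blacklist address-list-timeout=2w comment="portscan: FIN"
add chain=input protocol=tcp tcp-flags=fin,syn action=add-src-to-address-list address-list=blacklist address-list-timeout=2w comment="portscan: SYN/FIN"
add chain=input protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list=blacklist address-list-timeout=2w comment="portscan: NULL"
add chain=input protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack action=add-src-to-address-list address-list=blacklist address-list-timeout=2w comment="portscan: XMAS"

# Watch who lands on the list during a test scan (e.g. nmap -sS from outside):
/ip firewall address-list print where list=blacklist
```

The connection-limit rule counts per source address, so a large office behind one NAT address can trip it with legitimate traffic; raise the limit or exempt known addresses with an accept rule placed above it. Since the blacklist drop is first, a scanner's first probe packet still reaches the rules below, but every packet after it is dropped.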
## Anti Hack from BruteForce FTP + SSH

A BRUTE FORCE attack tries to break a password by attempting candidate passwords one after another, combinations of letters, digits and symbols or entries from a wordlist, until the right one is found. Brute forcing is almost always automated, because a program can generate and try such combinations far faster than a person. Against FTP and SSH on RouterOS the counter-measure is to count repeated or failed login attempts per source address and blacklist the source once it crosses a threshold.

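Added example for the entry above, following the staged address-list pattern commonly used on RouterOS; it is not the page's script. It assumes SSH on port 22 and FTP on port 21 (change `dst-port` if you moved them) and exempts an admin LAN of 192.168.88.0/24 so that an administrator's own repeated logins never trip the counters.

```routeros
# Added example, not the page's script. Ports and the exempt subnet are
# assumptions.
/ip firewall address-list add list=mgmt-allowed address=192.168.88.0/24 comment="exempt from brute-force counting (assumed)"

/ip firewall filter
# Admins are accepted before any counting happens.
add chain=input protocol=tcp dst-port=21,22 src-address-list=mgmt-allowed action=accept comment="admins: never counted"

# --- SSH: a 4th new connection from one source within a minute earns a
#     10-day ban. Drop first, then escalate stage1 -> stage2 -> stage3.
add chain=input protocol=tcp dst-port=22 src-address-list=ssh_blacklist action=drop comment="ssh: drop blacklisted"
add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage3 action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=10d comment="ssh: stage3 -> blacklist"
add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage2 action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m comment="ssh: stage2 -> stage3"
add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage1 action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m comment="ssh: stage1 -> stage2"
add chain=input protocol=tcp dst-port=22 connection-state=new action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m comment="ssh: first connection"

# --- FTP: count the server's own "530 Login incorrect" replies rather than
#     connections, so only real failures count; 10 per minute are tolerated.
add chain=input protocol=tcp dst-port=21 src-address-list=ftp_blacklist action=drop comment="ftp: drop blacklisted"
add chain=output protocol=tcp content="530 Login incorrect" dst-limit=1/1m,9,dst-address/1m action=accept comment="ftp: tolerate 10 failures per minute"
add chain=output protocol=tcp content="530 Login incorrect" action=add-dst-to-address-list address-list=ftp_blacklist address-list-timeout=3h comment="ftp: blacklist after that"

# Who is knocking on the door right now:
/ip firewall address-list print where list~"ssh_|ftp_"
```

The SSH stages count new connections, not failed logins, so any automation that opens several SSH sessions a minute from outside the exempt subnet will be banned too; either add its address to `mgmt-allowed` or switch it to a single long-lived session. The rules only decide who is dropped; they still need the usual accept for ports 21 and 22 further down (or the service restricted to management addresses as in the first table).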
## Port Knocking Use Icmp + Packet Size

In computer networking, port knocking is a method of opening ports on a firewall from the outside by sending connection attempts to a pre-defined set of closed ports. Once the correct sequence of attempts is received, the firewall rules are modified dynamically to let the host that sent the sequence connect to specific ports. It prevents an attacker from discovering potentially exploitable services with a port scan, because unless the attacker sends the correct knock sequence, the protected ports appear closed.

This variant knocks with ICMP instead of TCP ports: the key is the size of two ping packets, 72 and 172 bytes of payload, sent in that order.

Sending the key manually from a Windows command prompt:

First knock: `ping -l 72 <IP address>`
Second knock: `ping -l 172 <IP address>`

From a Linux or macOS terminal:

First knock: `ping -s 72 <IP address>`
Second knock: `ping -s 172 <IP address>`

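Added example for the entry above, not the page's script. It protects SSH (22) and Winbox (8291) behind the two-ping knock; the list names and timeouts are assumptions. Note the size arithmetic: `packet-size` matches the whole IP packet, and a ping payload of 72 or 172 bytes becomes 100 or 200 bytes once the 8-byte ICMP header and 20-byte IP header are added.

```routeros
# Added example, not the page's script. List names, timeouts and the
# protected ports are assumptions.
/ip firewall filter
# Knock 1: ping -l 72 (Windows) / ping -s 72 (Linux, macOS) -> IP length 100.
add chain=input protocol=icmp packet-size=100 action=add-src-to-address-list address-list=knock-stage1 address-list-timeout=15s comment="knock 1 (payload 72)"
# Knock 2: payload 172 -> IP length 200, only counted if knock 1 happened
# within the last 15 s. The source is then trusted for 30 minutes.
add chain=input protocol=icmp packet-size=200 src-address-list=knock-stage1 action=add-src-to-address-list address-list=knock-ok address-list-timeout=30m comment="knock 2 (payload 172)"

# Management ports open only for hosts that completed the sequence ...
add chain=input protocol=tcp dst-port=22,8291 src-address-list=knock-ok action=accept comment="management after knock"
# ... and look closed to everyone else (no RST, just silence).
add chain=input protocol=tcp dst-port=22,8291 action=drop comment="management without knock"

# See who has knocked and who is currently allowed:
/ip firewall address-list print where list~"knock"
```

Both knock packets are ordinary pings, so the router must still accept ICMP on the input chain for the sequence to work. Anyone on the path can observe the two packet sizes, so treat the knock as a way to hide the ports from scanners, not as authentication; the password and the firewall rules above still do that job.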