
Aug 2, 2013

How to Secure your MikroTik Router / Firewall



The first step in securing your network is to secure any appliance (managed switch, router, firewall, VPN concentrator) that is directly attached to it. There are many approaches to securing devices, some better than others. The basic concepts of securing your MikroTik router, or any router for that matter, can be summarised as follows:
  1. Stop all unnecessary services on the MikroTik router.
  2. Create firewall rules to deny all unwanted inbound traffic and only allow the inbound traffic you actually need.
  3. If services on the router must be remotely accessible, limit the addresses that can connect to them.
  4. If there are services on the router that cannot practically be limited to a small number of addresses, protect the router by strictly firewalling those services so that they can only be used within their normal parameters, as defined by standards such as the relevant RFCs.
 Each of the above approaches and their implementations will be outlined in detail in this article:

Stop all Unnecessary Services on the MikroTik Router.
This reduces the attack surface of your router: the fewer services there are to attack, the less likely it is that your router can be compromised or overloaded.

Deny all Unwanted Inbound Traffic
By restricting inbound traffic to the router, you prevent services on the router from being exposed by accident. By blocking every type of service except the ones you know about and want, any service you may not be aware of cannot be reached remotely on the MikroTik router.

Remotely Accessible Router Services should be limited to a few addresses
This is a simple and very effective way of controlling who can attempt to access the MikroTik router. Work out from which addresses or networks the MikroTik router will be administered, then create firewall rules that only allow access to the router services from those management networks.


Publicly Accessible Router Services should be filtered to operate strictly to RFC standards
If a service is open to the world, create firewall rules that limit access to it within strict parameters. Monitor the behaviour of the service in normal operation, then create firewall rules that prevent the service from being used outside its normal working parameters.

A typical example of this type of firewalling is someone who wants to be able to ssh into a router from anywhere. However, if you leave TCP port 22 (SSH) open to the world you will find that there are a lot of morons out there who are only too happy to run a brute-force dictionary attack on your server. Fortunately SSH servers normally disconnect a user after a number of failed attempts, so every retry shows up as a new TCP session. We can use this fact to create firewall rules that stop someone brute-forcing our ssh server, using the following algorithm (the rules are evaluated top to bottom, and add-src-to-address-list does not stop rule processing, so one new session can be matched by several of them):
  1. Drop all traffic, on any protocol, from any address that is on the sshblacklist.
  2. If an address on the sshdarkgreylist opens a new session on port 22, let it through and add the address to the sshblacklist with a timeout of 1 hour.
  3. If an address on the sshgreylist opens a new session on port 22, let it through and add the address to the sshdarkgreylist with a timeout of 1 minute.
  4. If an address on the sshlightgreylist opens a new session on port 22, let it through and add the address to the sshgreylist with a timeout of 1 minute.
  5. Let every new session on port 22 through and add its source address to the sshlightgreylist with a timeout of 1 minute.

/ip firewall filter

add chain=input src-address-list=sshblacklist action=drop \
comment="drop all traffic brute force attack sources" disabled=no

add chain=input protocol=tcp dst-port=22 connection-state=new \
src-address-list=sshdarkgreylist action=add-src-to-address-list \
address-list=sshblacklist address-list-timeout=1h \
comment="add new failed sshdarkgreylist to sshblacklist" \
disabled=no

add chain=input protocol=tcp dst-port=22 connection-state=new \
src-address-list=sshgreylist action=add-src-to-address-list \
address-list=sshdarkgreylist address-list-timeout=1m \
comment="add new failed sshgreylist to sshdarkgreylist" \
disabled=no

add chain=input protocol=tcp dst-port=22 connection-state=new \
src-address-list=sshlightgreylist action=add-src-to-address-list \
address-list=sshgreylist address-list-timeout=1m \
comment="add new failed sshlightgreylist to sshgreylist" \
disabled=no

add chain=input protocol=tcp dst-port=22 connection-state=new \
action=add-src-to-address-list \
address-list=sshlightgreylist address-list-timeout=1m \
comment="new connections to sshlightgreylist" \
disabled=no
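To see how the five rules above interact over time, here is an added Python model of the chain (example code written for this page, not RouterOS code and not the original author's script). It assumes the RouterOS behaviour that add-src-to-address-list is a non-terminating action, and it uses a constructed sample address.

```python
# Added model of the post's five rules (not RouterOS code, not from the post):
# replays new TCP/22 sessions from one constructed address through the rules
# in the order listed above, using the same address-list timeouts. Assumes
# add-src-to-address-list does not stop processing, so one session can be
# matched by several rules in a single pass (RouterOS behaviour).

# (list the source must already be on, list it is added to, timeout seconds)
# None as the source list is the catch-all rule for every new SSH session.
RULES = [
    ("sshdarkgreylist", "sshblacklist", 3600),   # 1h
    ("sshgreylist", "sshdarkgreylist", 60),      # 1m
    ("sshlightgreylist", "sshgreylist", 60),     # 1m
    (None, "sshlightgreylist", 60),              # 1m
]


class AddressLists:
    """Dynamic address lists with per-entry expiry, like address-list-timeout."""

    def __init__(self):
        self.expiry = {}  # (list name, address) -> time the entry expires

    def contains(self, name, addr, now):
        exp = self.expiry.get((name, addr))
        return exp is not None and now < exp

    def add(self, name, addr, now, timeout):
        # Re-adding an address refreshes its timeout, as RouterOS does.
        self.expiry[(name, addr)] = now + timeout


def new_ssh_session(lists, addr, now):
    """Verdict for the first packet of a new TCP/22 session from addr at time now.
    Returns 'drop' or 'accept' after updating the lists as the rule chain would."""
    # Rule 1: drop everything from blacklisted sources.
    if lists.contains("sshblacklist", addr, now):
        return "drop"
    # Rules 2-5 in order; each promotes to a list that was already checked
    # above it, so a single session climbs exactly one stage per pass.
    for src_list, dst_list, timeout in RULES:
        if src_list is None or lists.contains(src_list, addr, now):
            lists.add(dst_list, addr, now, timeout)
    return "accept"


def simulate(times, addr="198.51.100.7"):
    """Replay new SSH sessions at the given second offsets from one address
    (constructed TEST-NET-2 sample) and return the verdict for each."""
    lists = AddressLists()
    return [new_ssh_session(lists, addr, t) for t in times]


if __name__ == "__main__":
    print(simulate([0, 10, 20, 30, 40]))        # fifth session is dropped
    print(simulate([0, 90, 180, 270, 360]))     # never climbs past light grey
```

Sessions spaced wider than the 1-minute timeouts never escalate, so those timeouts are the knob that decides how aggressive the filter is. An admin who opens four sessions within a minute is blacklisted for an hour too, which is why an accept rule for your management addresses belongs in front of the drop rule.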



References
The SSH brute-force mitigation script is based on some legend's script at the following location:

Setting up a MikroTik Router as a HotSpot

This document outlines how to configure a MikroTik RouterBoard to be used as a HIB with SIMPLer.

General information on the RouterBoard may be found in the MikroTik Wiki: http://wiki.mikrotik.com/wiki/Category:Manual

Basic Setup

Once an IP address is assigned, use Winbox (download from the first time setup page) to do the remainder of the setup.
  • Setup the hotspot as follows (this info is based on http://www.hotspotsystem.com/en/hotspot/install_guide_mikrotik.html):
    • Verify that the routerboard DNS settings are correct - click on IP -> DNS and then Settings - if the default values are not correct, update them to reflect the current network.
    • Add the hotspot service to ether2 (or any other ether port - just replace references to ether2 with whatever ethernet port you are using below) by going to IP -> Hotspot and then clicking Hotspot Setup:
    • Select ether2 from the drop down and click Next.
    • Pick a suitable IP range to use (192.168.182.1/24 is the default used on HIBs, so use that).
    • Click Next for the "Address Pool of Network".
    • Click Next for the "Certificate" - leave at "none".
    • Ignore the SMTP server setting, accept the default for the DNS server setting, and leave the DNS name blank.
    • On the next dialog, create a password for the "admin" user - this will allow you to log in to the hotspot with this username/password without having to use the RADIUS server, which is useful to verify basic operation before going any further.
  • At this point the basic hotspot should be up and running. Connect a laptop to the ether2 port, and verify that you get an IP address from the range 192.168.182.2 - 192.168.182.254. Try to access the internet using a web browser, and you should get the default MikroTik splash page. You can enter the admin username / password you created above in order to get access to the internet. (If the status / logout dialog does not pop up, you can log out using http://192.168.182.1/logout)

Adding RADIUS support to authenticate against SIMPLer

  • Again using winbox, configure RADIUS support as follows:
    • In the hotspot profiles (IP -> HotSpot -> Server Profiles), double click the hotspot you created (should probably be hsprof1)
    • In the Login tab, deselect Cookie and select CHAP and PAP:
    • In the RADIUS tab, select "Use RADIUS", and click OK:
    • On the left column, click Radius, and then the red + to add a new RADIUS server. On the dialog, click hotspot, and enter the IP address of the RADIUS server and the secret (the default, which you can get from the hotspot setup in SIMPLer, is az0s3cr3t):
  • If you want to allow access to certain sites without authentication (e.g. payment gateways, etc), you can add them to IP -> HotSpot -> Walled Garden. For basic setup this should not be necessary.
  • Set the clock on the routerboard by going to System -> NTP Client, click "Enabled", set the Mode to unicast and the server to "pool.ntp.org":
  • Set the system identity to be the hotspot name as follows: Go to System -> Identity and enter the full hotspot name (for example demowisp_demowisp_hs5 is the one I am using):
  • At this point you should be able to log in using a token from the selected hotspot. You can verify which users are logged in using IP -> Hotspot -> Active in winbox.

Updating the login splash page


The login (and logout) splash pages can be updated as wished. However in order to allow customers to purchase a token using the operator's payment gateway, a link to the SIMPLer captive portal purchase form must be added. The format of the link is as follows:

https://xyz.azotel.com/hotspot/register.pl?hs_name=hotspot_name

Where xyz and hotspot_name are replaced with the relevant equivalents for the operator.

To get the html code for the current login page, click on Files in winbox, and go to hotspot/login.html:


You can just drag'n'drop this file to your desktop, update it, and then drag it back into the Files dialog. Or, if you wish, you can copy the file to your PC using ssh/ftp. The ssh command to copy it is as follows:

    scp admin@<ip of mikrotik>:/hotspot/login.html login.html

To copy it back, use
   
    scp login.html admin@<ip of mikrotik>:/hotspot/login.html

You can also drag'n'drop graphics to the hotspot/img directory to be used on the login page.

Jun 7, 2013

How to Setup Your Own Hotspot with MIKROTIK routers

Before starting, reset your router. If you see a message about "Default configuration", press Remove Configuration.
You need to set up your MikroTik router using Winbox. Winbox is the graphical user interface for configuring MikroTik RouterOS. You can get Winbox from MikroTik's website.
1. First we need to define the first port for the WAN connection so the router will connect to the internet via another router using DHCP.
In Winbox click IP > DHCP Client and add a DHCP Client on port ether1


 2. Now add the hotspot service to the wireless interface. Click IP > HotSpot and then Hotspot Setup, and choose wlan1 as the hotspot interface. You can accept the default values, but choose none for the certificate. Leave the IP as it is (10.5.50.x). If you change this IP, the LOGIN and LOGOUT links on your splash page will not work.


3. The router should be placed in ap bridge mode.
Click Interfaces, double click wlan1, click Mode: and select ap bridge.
Also make sure the band is set to 2.4 GHz b/g.

4. You need to add our RADIUS server as the authentication and accounting server.
In the hotspot profiles (IP > HotSpot > Profiles) choose your hotspot profile, click the RADIUS tab and check allow radius. Then click the Login tab, deselect Cookie, and allow HTTP PAP and CHAP.



5. You need to define our radius server. Click Radius and the + sign to add our radius server.
Click Services > Hotspot, enter radius address: Radius.hotspotsystem.com, Secret: hotsys123
Check the box next to hotspot


6. You need to add the secondary radius server. Click Radius and the + sign.
Click Services > Hotspot, enter radius Address: radius2.hotspotsystem.com, Secret: hotsys123
Check the box next to hotspot 


7. We have to allow certain sites and servers for non authenticated users otherwise they can't buy access.
In the section IP > HotSpot > Walled Garden, click on + sign and add the following domains to Dst. Host one by one:
*.hotspotsystem.com
*.worldpay.com
*.paypal.com
*.paypalobjects.com
*.paypal-metrics.com
*.altfarm.mediaplex.com
*.akamaiedge.net
paypal.112.2O7.net
*.moneybookers.com
*.adyen.com
*.directebanking.com
*.paysafecard.com
betalen.rabobank.nl
ideal.ing.nl
internetbankieren.frieslandbank.nl
ideal.abnamro.nl
ideal.snsreaal.nl
ideal.triodos-onlinebanking.nl

For Hotspot FREE SOCIAL locations: you must add 'www.apple.com' too!
Then in the section IP > HotSpot > Walled Garden > IP List add the following IPs to Dst. Address one by one (if your Mikrotik doesn't allow netmask values (.0/24) you can skip the netmask value):
194.149.46.0/24
198.241.128.0/17
66.211.128.0/17
216.113.128.0/17
70.42.128.0/17
128.242.125.0/24
216.52.17.0/24
62.249.232.74
155.136.68.77
66.4.128.0/17
66.211.128.0/17
66.235.128.0/17
88.221.136.146
195.228.254.149
195.228.254.152
203.211.140.157
203.211.150.204
82.199.90.136/29
82.199.90.160/27
91.212.42.0/24


8. You need to synchronize the router's time with our server.
Click on System > NTP Client. Enter primary and secondary NTP servers. To find NTP servers, go to http://www.pool.ntp.org/ and select the location's continent on the right side of the page. You'll find NTP servers there.
Be sure to leave TimeZoneName: manual, and TimeZone: 00:00 in System > Clock. (Don't set your own timezone, because the router has to show the GMT time!)

9. You need to change the router's NASID. The NASID setting in the Mikrotik is located under System > Identity. Default is 'MikroTik'.
Change this the following way: OPERATORUSERNAME_LOCATIONNUMBER
Example: Operator Username is 'globalhotspot', Location ID: '2', then NASID should be: 'globalhotspot_2'
NOTE: In case you are installing multiple routers in the same location, you should use different NAS IDs. For the second routers you need to add '_wds_1' to the NAS Id, for the third router '_wds_2', etc. So for example if you want to install the second router in location 3, the NASID should be set to 'globalhotspot_3_wds_1'.

10. You have to customize Mikrotik's built-in login page. On the side menu go to Files, and find the login.html file under the 'hotspot' directory. Double click on the file and choose Backup.
Open a simple text editor like notepad and copy and paste the following to the editor:

<html><head>
<title>HotSpot System Login</title>
</head>
<body>
<form name="redirect" action="https://customer.hotspotsystem.com/customer/hotspotlogin.php" method="GET">

<input type="hidden" name="res" value="notyet" />
<input type="hidden" name="mac" value="$(mac)" />
<input type="hidden" name="user" value="$(username)" />
<input type="hidden" name="uamport" value="mikrotik" />
<input type="hidden" name="userurl" value="$(link-orig)" />
<input type="hidden" name="nasid" value="$(identity)" />
<input type="hidden" name="uamip" value="$(server-address)" />
<input type="hidden" name="error" value="$(error)" />
<input type="hidden" name="chap-id" value="$(chap-id)" />
<input type="hidden" name="chap-challenge" value="$(chap-challenge)" />

</form>

<script language="JavaScript">

<!--

 document.redirect.submit();

 //-->

</script>
</body>
</html>
Save it as login.html to your Desktop.
Drag and drop this login.html to your "hotspot" directory in the Winbox program.
If you wish to use FTP you can FTP to your mikrotik router with the admin userid and password and replace the file there under the 'hotspot' directory.
If you don't wish to redirect users to our nice splash page you can continue to use the router's built-in login page but in this case it is important to add a link to the internal page where your users can buy access or activate their prepaid cards. Click here for more information.

10/b. In case you are using Hotspot FREE SOCIAL service, you also need to edit logout.html template. You need to use the same content as for the login.html (code above).

11. You have to set the Login/Logout URL IP addresses in the Control Center. Log in to the Control Center with your Operator Username and password and go to Manage > Locations. Click on the location, then click on Modify Hotspot Data & Settings. In Splash Page Settings modify the Internal Login/Logout URL Set to Mikrotik. Make sure that 'Display Login Box on Main Splash Page' option is CHECKED.

12. Extend the shared-users limit in your hotspot profile.
Sub-menu: /ip hotspot user profile
or go to IP > Hotspot > User Profiles > default > Shared-Users
Change shared-users to 5.

13. As the last step you have to add hourly checking for up status for the Router Alert feature.
Go to System > Scheduler and add a new task by pressing the plus sign.
Name: up
Interval: 01:00:00
On Event:

/tool fetch keep-result=no mode=http address=tech.hotspotsystem.com src-path=("up.php?mac=".[/interface ethernet get 0 mac-address]."&nasid=".[/system identity get name]."&os_date=Mikrotik&uptime=".[/system clock get time]."%20up%20".[/system resource get uptime].",%20load%20average:%20".[/system resource get cpu-load]."%")


Policy: enable all
Press Apply and OK.




That's all. You can set up the hotspot service on a wired connection as well. In that case choose an ethernet port instead of wlan, or set up the hotspot on both ports.
If you have successfully set up your MikroTik router you should see a login window when connecting via wireless. You can log in with username admin and a blank password.



Jun 1, 2013

How to Change DNS to google public DNS

In this tutorial I will show you how to change the DNS servers on MikroTik RouterOS to Google Public DNS. If you have a special DNS configuration from your ISP, make sure the internet still works after you change to another DNS service. Sometimes we need to change from our ISP's DNS servers to another DNS provider: if the ISP's DNS service is down, we have to do something to resolve the problem and keep the internet service running.

I wrote this tutorial because some friends asked me how to change their DNS service to Google Public DNS or another DNS provider. Ok, follow these instructions.

Make sure you have backed up the MikroTik RouterOS configuration. To do this, see the picture below and follow the instructions:

1. Open your Winbox
2. Go to "File" and click Backup

Ok, when you have finished the first step, change your DNS service with these steps:

1. Go to IP > DNS > Settings and change the DNS servers to the public DNS. Google Public DNS is 8.8.8.8 as the primary server and 8.8.4.4 as the secondary server. See the pic below:


 
Design by Computer Tricks and Tips