MikroTik RouterOS has several services that are enabled by default. Each service listens on an assigned port, and those ports can be a way for attackers to reach our router. For this reason, it is always recommended to disable the ones you do not need and to change the port numbers of the ones you want to keep using.
What are those services, where can we find them, and how do we manipulate them? All of those questions will be answered in the upcoming LAB.
We are still in the same LAB scenario. Let’s look directly at the services I was talking about:
Those are the services that I am referring to. You can see that all of them are enabled (except www-ssl) on their well-known ports. That way, if my MikroTik router is connected to the internet, it can be hacked easily, especially if it has a public IP address set on its WAN interface. It can also be hacked by internal users from my LAN.
For this reason, it is highly advisable to disable those that we never use and to change the ports of those that we want to keep.
I will proceed by disabling api, api-ssl and telnet:
Those have been successfully disabled.
At this moment, the port on www is the default one, which is port number 80. If you want to use Webfig, it is highly recommended to change the port number to something else. I will change the port to 1222 as follows:
Now, to open Webfig, I need to add the port 1222 after the IP of the router in the browser URL; otherwise Webfig doesn’t open:
Webfig works only when the port number 1222 is added after the router IP address in the browser URL.
Another thing you can do to make it even more secure is to specify which subnet or IP is allowed to access Webfig. This can be done here:
I have now specified that only IPs from the subnet 192.168.88.0/24 (which is my LAN) can access Webfig.
Now, the best is not to use www, because it is clear text, but www-ssl, which is encrypted. However, www-ssl does not work right away because it needs a certificate; that’s why MikroTik leaves it disabled by default.
Now I need to make www-ssl work so I can log in to Webfig via https, which is much more secure than http.
First, we need to create a certificate. It is possible to create a local certificate on MikroTik RouterOS in just a few steps. Let’s do that right away:
Now the certificate has been created. We need to sign it. We just go inside it and click Sign (be sure that tls server is checked in the Key Usage tab).
Once you click Start and the progress completes, you will see a checkbox labelled Trusted. That means your certificate is signed, as shown below:
Now we go back to the services, enable www-ssl and disable www.
Now I need to go inside www-ssl and attach the certificate that I have already created:
This is done now.
Let’s try to open Webfig using https now. Do you think it will work? Let’s try:
I got a warning when going to https on my router IP. That’s normal, because the certificate I am using was created locally by the MikroTik router and is not trusted by the browser. Click on Advanced for now and then click on Accept the Risk and Continue:
Here we go!!! Webfig now opens on https, as I wanted.
The last thing that I want to show you in this LAB is how important it is to disable FTP. If you keep FTP enabled and someone can log in to your router via FTP, then he can simply upload a small script and change or adjust the whole configuration of your router. For this reason, I left FTP open just to show you how this can happen.
I will write a script in Notepad to add an IP address on interface Ether4 of the router (at the moment, my router doesn’t have an IP on interface Ether4).
I will save the Notepad file as test.auto.rsc.
The file has been saved now inside my documents.
I will connect from my PC to the MikroTik router via FTP. You can use any FTP client software you want; in my case I am using FileZilla. Before I log in, let me show you that I do not have any IP address on Ether4 for now:
Now I will log in to the router via FTP and upload the .rsc file that I have created:
The file has been copied from my PC to the router via FTP. Let’s check whether the router now has an IP on its Ether4 interface:
Look at that. The IP has been shown on Ether4 ☹
That’s why it is always recommended to disable FTP, or at least change its port.
That’s all I wanted to show you in this LAB; I hope you enjoyed it.
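The same hardening steps walked through in this LAB (disable api, api-ssl and telnet, move www to 1222 and restrict it to the LAN, create and self-sign a certificate for www-ssl, switch from www to www-ssl) plus the FTP recommendation above, collected as one RouterOS CLI script. This is an added example, not part of the original LAB: the certificate name webfig-cert and common name router.lab are assumptions, and it also applies the LAN-only address restriction to www-ssl, which the LAB sets only on www.

```routeros
# Added example: the IP-service hardening from this LAB as a RouterOS CLI script.
# Assumptions: certificate name "webfig-cert" and common-name "router.lab" are
# placeholders; the LAN subnet 192.168.88.0/24 and port 1222 are the LAB's values.

# 1. Disable the services the LAB never uses: api, api-ssl and telnet.
/ip service disable [find name=api]
/ip service disable [find name=api-ssl]
/ip service disable [find name=telnet]

# 2. Move Webfig off port 80 and allow only the LAN subnet to reach it.
/ip service set www port=1222 address=192.168.88.0/24

# 3. Create a local certificate with the TLS Server key usage and self-sign it
#    (the CLI equivalent of clicking Sign in Webfig with "tls server" checked).
/certificate add name=webfig-cert common-name=router.lab key-usage=tls-server days-valid=365
/certificate sign webfig-cert

# 4. Attach the certificate to www-ssl, enable it and disable clear-text www.
#    The address restriction is repeated so the LAN-only rule survives the move.
/ip service set www-ssl certificate=webfig-cert address=192.168.88.0/24 disabled=no
/ip service disable [find name=www]

# 5. FTP: the LAB leaves it open only for the demonstration; disable it here.
#    If FTP is genuinely needed, change its port instead, e.g.
#    /ip service set ftp port=2121 address=192.168.88.0/24
/ip service disable [find name=ftp]

# 6. Verify: disabled services carry the X flag, www-ssl shows port 443,
#    certificate webfig-cert and address 192.168.88.0/24.
/ip service print
```

Run it from a Winbox or SSH session, not over Webfig on port 80, since step 4 disables the www service you would be connected through.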