Monday, June 23, 2014

Maintain Security Router First Step

After configuring the required features, network admins often neglect the security side of the router. An attack against the router is a real risk, especially when the router is connected directly to the Internet and has a public IP. But make no mistake: attacks on the router do not always come from the Internet, they can also originate from the local network. We will discuss the first steps needed to keep the router away from people who should not have access to it.
Services
A MikroTik router runs several services that give users ways to access the router or use other features. By default these services are run by the router continuously. We can check which services are running on MikroTik in the IP -> Services menu.
Several services run by default on a MikroTik router. The following describes each MikroTik router service and its purpose.
  • API: Application Programmable Interface, a service that allows users to create custom software or applications that communicate with the router, for example to retrieve information from the router or even to configure it. Uses port 8728.
  • API-SSL: Has the same functionality as the API, but API-SSL is more secure because it uses an SSL certificate. API-SSL uses port 8729.
  • FTP: MikroTik provides a standard FTP service using ports 20 and 21. FTP is commonly used to upload data to or download data from the router, e.g. backup files. Authentication uses the router's user accounts and passwords.
  • SSH: A secure way to reach the router console remotely. It is almost the same as Telnet, but more secure because the data transmitted over SSH is encrypted. MikroTik SSH uses port 22 by default.
  • Telnet: Has functions similar to SSH but with some limitations and a low level of security. Usually used for remote console access to the router. The MikroTik Telnet service uses port 23.
  • Winbox: Service that allows the Winbox application to connect to the router. We are of course familiar with Winbox, the application used to manage the router remotely through a graphical interface. Winbox connects on port 8291.
  • WWW: Besides the remote console and Winbox, MikroTik also provides web-based access to the router using a browser. It uses the standard HTTP port, port 80.
  • WWW-SSL: The same as the WWW service in that it allows web-based access to the router, but www-ssl is more secure because it uses an SSL certificate to establish the connection between the router and the remote client. By default it uses port 443.
The next question for the network administrator is whether all of these services will actually be used. Sometimes network admins do not really care, and a service keeps running even when it is not needed, so it can be abused by unauthorized people at any time. Have you ever opened a MikroTik router terminal and seen the notice "failure for user root from xx.xx.x.xxx via ssh"? This message shows that someone is trying to access the router by guessing its username and password.
Disable Service
To minimize attempts to access the router through a particular service, the network administrator can turn off the services that are not used. Suppose we only need to access the router via Winbox and the web interface; then we can turn off every service other than those two.
Available From
The network administrator can restrict from which networks the router may be accessed on a particular service by setting the "Available From" parameter in the service settings. Once "Available From" is set, the service can only be reached from the specified network. When someone tries to access the router from an address outside the allowed network, the router automatically rejects the connection. "Available From" can be filled with an IP address or a network address.
Change Port
In addition to restricting the allowed addresses, the network administrator can also change the port used by a particular service. Anyone working in networking can easily guess the default ports used by these services.
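Putting the three steps above (disable unused services, set Available From, change the port) together on the RouterOS terminal, as an added example that is not from the original post. It assumes the management LAN is 192.168.88.0/24 (the RouterOS default) and that, as in the text, only Winbox and the HTTPS web interface are needed; the new Winbox port 10291 is a chosen example.

```routeros
# Added example, not from the original post. Assumes the management LAN is
# 192.168.88.0/24 and that only Winbox and www-ssl are needed.

# Disable every service that is not needed (comma-separated list).
/ip service disable telnet,ftp,www,api,api-ssl,ssh

# Keep Winbox and www-ssl, but make them reachable only from the LAN
# ("Available From" in Winbox is the address= parameter here).
/ip service set winbox address=192.168.88.0/24
/ip service set www-ssl address=192.168.88.0/24

# Move Winbox off its well-known port 8291 (10291 is a chosen example).
/ip service set winbox port=10291

# Verify: disabled services are flagged X, the ADDRESS column shows the
# restriction, and the PORT column shows the new Winbox port.
/ip service print
```

After changing the Winbox port, reconnect with Winbox as 192.168.88.1:10291; an existing session stays open but new ones on 8291 will be refused.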
User Management
Some administrators think that setting a password alone is enough. They then share the username and password with several fellow technicians, and even technicians who only need to monitor the router are given admin permissions. This is very risky when the router being handled is an important one. Here are some tips for sensible user management.
Group Policies
Technicians whose only responsibility is monitoring the network do not need full access rights to the router. Full access rights are usually held only by the person who knows the condition and configuration of the router best. The network administrator can create a user for each job responsibility, each with its own group, and define the policies for that group in the user settings. In Winbox, go to System -> Users -> Groups tab.
Several policy options determine the privileges given to a user. The following details each policy option and the rights it grants:
  • local: policy that allows the user to log in via the local console (keyboard, monitor)
  • telnet: policy that allows the user to log in remotely via Telnet
  • ssh: policy that allows the user to log in remotely via the Secure Shell protocol
  • ftp: policy that allows full FTP login, including file transfer to and from the router. Users with this policy have the right to read, write and delete files.
  • reboot: policy that allows the user to restart the router.
  • read: policy that allows viewing the router configuration. All console commands that do not alter the configuration are accessible.
  • write: policy that allows configuring the router, except for user management. This policy does not allow the user to read the router configuration, so a user given the write policy should also be given the read policy.
  • policy: policy for managing user rights. Should be used together with the write policy. Also allows seeing global variables created by other users (requires the 'test' policy as well).
  • test: policy that gives the right to run ping, traceroute, bandwidth-test, wireless scan, sniffer, snooper and other test commands.
  • web: policy that gives the right to access the router remotely via WebBox
  • winbox: policy that gives the right to access the router remotely via Winbox
  • password: policy that gives the right to change passwords
  • sensitive: policy that gives the right to see sensitive information on the router, such as RADIUS secrets, authentication keys, etc.
  • api: policy that gives the right to access the router remotely via the API.
  • sniff: policy that gives the right to use the packet sniffer tool.
Allowed Address
"Allowed Address" determines from which network a user is allowed to access the router. Suppose the network admin has a policy that technicians may only access the router via the local network, not via the public network; in such cases we can use the "Allowed Address" option.
Allowed Address can be filled with an IP address or a network address. If we fill in an IP address, the user can only log in from that particular IP address; if we fill in a network address, the user can log in from any address in that segment.
MikroTik Neighbor Discovery Protocol (MNDP)
MNDP is a Layer 2 broadcast-domain protocol that allows devices supporting MNDP or CDP to "find" each other. The simplest example is when we use the Winbox neighbor scan to find routers. The scan shows the MAC address, identity and IP address of each router. So while MNDP is running, users on the network can easily find the router and learn some information about it. On a MikroTik router, the routers running MNDP can be seen in the IP -> Neighbors menu, which lists the connected routers that are running MNDP.
To stop the router from revealing information when a user scans with a discovery protocol, network administrators are advised to disable discovery on the interface. In Winbox, go to IP -> Neighbors -> Discovery Interfaces tab.
For example, if we disable discovery on ether2, the router can no longer be scanned or "found" from the network connected to ether2.
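The Group Policies, Allowed Address and MNDP advice above as RouterOS terminal commands, added here as an example that is not from the original post. It assumes a monitoring technician account "tech1" that only needs read-only Winbox and web access, a LAN of 192.168.88.0/24, and that ether1 faces the Internet (the text's own example disables discovery on ether2 instead).

```routeros
# Added example, not from the original post. Assumes the LAN is
# 192.168.88.0/24 and ether1 is the Internet-facing interface.

# A group with only the policies a monitoring role needs: read the
# configuration, run the test tools (ping, traceroute, bandwidth-test)
# and log in through Winbox and the web interface. No write, policy,
# ftp, reboot, password or sensitive rights.
/user group add name=monitoring policy=read,test,winbox,web

# The technician account, confined to the local network via Allowed
# Address (the address= parameter). Replace the placeholder password.
/user add name=tech1 group=monitoring address=192.168.88.0/24 password="REPLACE-WITH-STRONG-PASSWORD"

# Confine the full-access admin account to the LAN as well.
/user set admin address=192.168.88.0/24

# Do not answer MNDP/CDP discovery on the Internet-facing interface
# (syntax of RouterOS v5/v6 before 6.41, which matches the Winbox path
# IP -> Neighbors -> Discovery Interfaces used in the text).
/ip neighbor discovery set ether1 discover=no

# Verify the result.
/user group print
/user print
/ip neighbor discovery print
```

With this in place, a compromised tech1 password from outside the LAN is useless, and even from inside it cannot change configuration or read RADIUS secrets.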


Dissecting Details MikroTik Router Default Configuration

When we configure a brand-new MikroTik router for the first time, we sometimes have difficulty reaching it remotely on ether1, or, once we do manage to connect, we find configuration already present on the router that we do not recognize. This is not a malfunction of the MikroTik router; it is the default configuration. For some people it is easier to start configuring a router that has no configuration at all, but for those still learning MikroTik, the default configuration is very helpful. We will try to describe the default configuration in more detail.
A router that has a default configuration will usually show a notice about it after logging in on the console, or display a dialog box when connecting with Winbox. Example of the dialog box shown when connecting with Winbox:
This dialog box shows 3 options. "Remove Configuration" removes the default configuration so that the router is clean, with no configuration at all. "Show Script" displays the default configuration script. And "OK" installs the default configuration on the router.
Each router type has a different default configuration depending on its hardware. The default configuration script can be displayed with the command /system default-configuration print
Now we describe the default configuration in general.
Ethernet

The default configuration names the interfaces so that it is easier for the user to determine which interface each cable should be plugged into.
  • ether1 is named ether1-gateway, assuming the user will plug the cable that connects to the Internet into ether1.
  • ether2 is named ether2-master-local.
  • ether3 up to the last ether are named ether3-slave-local and so on. On these interfaces the master-port setting points to ether2, so they are in the same network segment as the ether2 interface.
Users can connect the local network to ether2, ether3 and so on, but not to ether1. The whole local network should be in the same segment.
IP Address
The default configuration assigns the IP address 192.168.88.1/24 to the interface connected to the local network, so the local network uses the 192.168.88.0/24 segment.
However, this does not apply to products with only 1 Ethernet interface, nor to the RB411, RB433, RB435, RB800, CCR and RB1000 series. On those, the IP address is installed on the ether1 interface.
DHCP
A DHCP server is run by default on the interface connected to the local network. A client only needs to connect to any Ethernet interface other than ether1 and it will automatically get an IP address.
The default configuration also runs a DHCP client on ether1, which is assumed to be connected to the Internet. ISPs usually provide IP addresses dynamically so that the client has no difficulty setting the IP address, gateway, DNS, etc. If the ISP or modem assigns IP addresses automatically, simply connect the cable from the Internet/ISP to ether1 of the MikroTik router and the router will obtain an IP address and be connected to the Internet.
Wireless
For devices with a built-in wireless interface, there are also several default settings depending on the router hardware.
  • Mode: devices with a level 4 license and above use "AP Bridge" mode by default, while routers with a level 3 license use station mode.
  • Band: if the router only supports 2GHz and supports MIMO, it uses the band "2GHz-b/g/n"; routers that only support 5GHz with MIMO use "5GHz-a/n".
  • Frequency: routers that support 2GHz use frequency 2412, and routers that support 5GHz use frequency 5300.
  • Chain: routers that support dual chain enable chains 0,1 by default; routers that are still single chain only use chain 0.
  • Security Profile: the default config creates a security profile with the router's serial number as the WPA and WPA2 key.
  • SSID: determined from the wireless interface's MAC address, usually set to "MikroTik-[last six digits of the MAC address]".
In addition to these settings, the wireless interface is bridged with the Ethernet interfaces so that the wireless network is in the same segment as the cable network.
For devices with an additional wireless card installed in a MiniPCI slot, that interface will be disabled.
Firewall
Some firewall rules are created by the default configuration to secure the router and to save router resources by dropping packets that are not needed. Here is the default firewall rule configuration:
/ip firewall
filter add chain=input action=accept protocol=icmp comment="default configuration"
filter add chain=input action=accept connection-state=established in-interface=ether1-gateway comment="default configuration"
filter add chain=input action=accept connection-state=related in-interface=ether1-gateway comment="default configuration"
filter add chain=input action=drop in-interface=ether1-gateway comment="default configuration"
nat add chain=srcnat out-interface=ether1-gateway action=masquerade comment="default configuration"
The first rule allows incoming ICMP connections to the router. The second rule allows connections with established status into the router. The third rule allows connections with related status into the router. The fourth rule drops every other incoming connection to the router through the ether1-gateway interface. And the last rule is a NAT rule that lets clients use the router's IP address to connect to the Internet. Note that the drop rule only matches in-interface=ether1-gateway, so connections reaching the router from the local interfaces are not filtered by these rules.
DNS
A static DNS entry is created by default with the name "router" and the IP address 192.168.88.1. This means the router also runs as a DNS server. If we open a browser and type http://router in the address bar, the browser resolves it to 192.168.88.1 and shows the MikroTik router's web interface.
Tips
The default configuration can be edited or removed as needed. If the default configuration gets in the way or even causes confusion when setting up the features we need, we can remove it in a number of ways.
First, when we connect to the router for the first time and the dialog box about the default configuration appears, as in the first picture in this article, select the option "Remove Configuration". Or, if you find the default configuration is already installed, it can be removed with a reset or Netinstall.
So from now on, do not be confused or even panic when the router cannot be reached remotely the first time.


Monitoring & Graphing Tool in Mikrotik

Once a router is configured and running, that does not mean we can abandon it, especially when it is a backbone router. Most ISPs even monitor their routers 24 hours nonstop to make sure each one is in good condition, so that if anything happens that stops the network from running properly, it can be dealt with promptly.
Likewise, network admins need to record bandwidth usage, whether as material for reports on whether the bandwidth received matches the service the ISP provides, or simply to keep statistics of client bandwidth usage. To keep such records in graph form on MikroTik, network admins can use "Graphing".
Tool Graphs
First we discuss the Graphing feature, which can be accessed via the menu Tools -> Graphing, or from the terminal with the command /tool graphing
With the graphing tool we can monitor several parameters on the router and present them in graph form. The graphs can be viewed by accessing the router via the web at the address http://[router ip]/graphs, for example 192.168.128.105/graphs
By default the graphing tool does not record any data, so when viewed in a web browser no data is found. Settings are needed to choose which parameters to record, plus additional policy if required. Let us try monitoring the amount of traffic on one interface, e.g. ether2. First, configure the general settings in Tools -> Graphing; these determine how often the data is recorded. Then add the interfaces to be monitored on the "Interface Rules" tab; here add the ether2 interface.
After that, wait a moment, then open Graphs from the web browser again. A link will appear for each interface recorded by graphing. Click the link to view the bandwidth graph.
Besides router interfaces, graphing can also record hardware resources such as CPU and memory, or record queues. If you are familiar with other network monitoring tools or applications, the graph display is almost the same.
The Dude
Speaking of network monitoring applications, MikroTik has a tool that can display the network as a map. The tool is The Dude, and as usual MikroTik provides it as a free application. It can be downloaded free of charge directly from http://MikroTik.com
The Dude can be installed on RouterOS (as an .npk file), or the Windows version of The Dude can be installed on a PC (as an .exe file). Once we run The Dude on a Windows PC, we can use it to scan the network and display its topology as a map, which makes monitoring and network management easier.
In a typical deployment The Dude is installed on the router, so the network map is stored there; to access that map from a PC we need to install the same version of The Dude on the PC. Besides monitoring the network, we can also manage or remote-control the router directly from The Dude; for example ping, traceroute and bandwidth test can be run against the router directly from The Dude.
The Dude warns you, usually by turning the device red, when a device goes down. An added value of The Dude is that it is not limited to monitoring MikroTik devices: as long as a device has SNMP enabled, The Dude can monitor and manage it.
SNMP
Now the reverse question: can a MikroTik router be monitored and managed with a tool other than The Dude? It turns out it can, as long as SNMP is active on the MikroTik.
Simple Network Management Protocol (SNMP) is the Internet standard protocol for managing devices on a network. SNMP can be used to graph a variety of data. For applications like The Dude to manage a MikroTik, SNMP must be enabled. This is quite easy: enable SNMP on MikroTik with the command /snmp set enabled=yes
After enabling SNMP on the MikroTik, the remaining setup is in the application that will monitor and manage the router. In The Dude, use "Add Device" and fill in the address with the router's IP address. Do not forget to tick the Secure Mode option.
Once it is added, double-click the device and make sure its status is up. If it is not up or shows no status information, go to the Services tab and click "Discover".
To monitor the traffic running on the router, connect the device to the network by adding a link, then double-click the link.
For Mastering Type select SNMP, then select the interface whose traffic is to be monitored. Bandwidth information will appear in real time. So there are many ways to perform network monitoring and management, and The Dude is a reliable and free solution.
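The graphing and SNMP setup from the Tool Graphs and SNMP sections above as RouterOS terminal commands, added as an example that is not from the original post. It assumes ether2 is the interface to graph and 192.168.88.0/24 is the management network that is allowed to view graphs and poll SNMP; the community name and contact/location values are chosen placeholders.

```routeros
# Added example, not from the original post. Assumes ether2 is the LAN
# interface to graph and 192.168.88.0/24 is the management network.

# Graphing: record a sample every 5 minutes (store-every accepts 5min,
# hour or 24hours) and keep the data on disk so it survives a reboot.
/tool graphing set store-every=5min

# Graph ether2 traffic; allow-address limits who may open /graphs.
/tool graphing interface add interface=ether2 allow-address=192.168.88.0/24 store-on-disk=yes

# Graph CPU/memory/disk and all simple queues as well.
/tool graphing resource add allow-address=192.168.88.0/24 store-on-disk=yes
/tool graphing queue add simple-queue=all allow-address=192.168.88.0/24 store-on-disk=yes

# SNMP for The Dude or any other NMS: enable it, then rename the
# default "public" community, keep it read-only and restrict the
# addresses that may poll it.
/snmp set enabled=yes contact="noc@example.invalid" location="rack 1"
/snmp community set [find name=public] name=monitoring-ro addresses=192.168.88.0/24 read-access=yes write-access=no

# Verify.
/tool graphing interface print
/snmp community print
```

In The Dude's "Add Device" dialog, enter the community name set here instead of "public" so that SNMP polling succeeds.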


Know the PoE function on RouterBoard

Before buying a RouterBOARD, it is advisable to look at the product's detailed specifications. Have you seen the PoE, PoE-In and PoE-Out features on a RouterBOARD, or noticed in RouterBOARD pictures that some models have a yellow marking on one or more interfaces? Such information indicates that the RouterBOARD supports PoE, a feature that is interesting enough to implement on our network.
PoE
PoE stands for Power over Ethernet, a method that uses twisted pair cable (UTP/STP) as the transmission medium for electrical power. The benefit of PoE is felt when installing outdoor wireless devices on a tower: with PoE we do not need to run a power cable from the power supply up to the router on the tower. Example installation topology using PoE devices:
PoE-In
Most MikroTik users are already quite familiar with the PoE-In feature on RouterBOARDs. If a RouterBOARD supports PoE-In, it can receive power on an Ethernet interface from a PoE source without power through the power jack. The RouterBOARDs that support this feature are mostly those used for wireless.
With PoE-In, technicians no longer need to run a separate power cable to supply the RouterBOARD; PoE passes the power over the UTP cable, so the same UTP cable carries data and also delivers power to the RouterBOARD. Outdoor wireless packages usually include a passive PoE injector. The shape of the passive PoE injector in each outdoor wireless package differs depending on the equipment specification. Example pictures of a passive PoE injector:
On the outside there is usually some text. The passive PoE port labeled LAN connects to the local network, either directly to a computer or to a switch; the LAN port of the passive PoE injector only passes data. The port labeled POE connects to the RouterBOARD's PoE-capable port (usually ether1); besides passing data, this port also sends power to be used by the RouterBOARD. The DC power jack connects to the adapter. The RouterBOARD powers on using the supply delivered over the UTP cable from the PoE injector, so it no longer needs power from the power jack.
PoE-Out
As we have seen above, some MikroTik products support the PoE-Out feature. This feature supplies power to the devices connected to the interfaces that support PoE-Out.
Examples of products that support PoE-Out are the RB750UP and the OmniTIK UPA. Routers with this feature usually come with a different adapter than the usual one, of course a power adapter with higher capacity. Each device has a different number of PoE-Out interfaces. It is recommended to check the detailed specifications of each device if you need this feature.
Suppose we will install several wireless routers on a single tower. With ordinary routers, each wireless router needs its own adapter and passive PoE injector, and the installation topology is as follows:
In contrast, when we use a RouterBOARD with PoE-Out, e.g. the OmniTIK UPA, the power for the other wireless routers can be supplied by the OmniTIK UPA without adding an adapter and PoE injector for each device. The installation topology is as follows:
PoE-Out can be configured via the command /interface ethernet poe. Each port can be configured independently. On Fast Ethernet cabling, by default the blue and brown pairs are used to carry power, with the blue pair carrying the positive voltage and the brown pair the negative voltage. In Winbox, the PoE settings are reached by double-clicking the interface and then clicking the PoE tab.
Several parameters can be set according to need; the following details the parameters that can be set:
  • auto-on: the router attempts to detect whether power can be supplied on that port. It checks using a low voltage, and if it detects a resistance between 3kΩ and 26.5kΩ, PoE is turned on.
  • forced-on: detection is turned off and the port supplies PoE continuously, as long as there is no overload or short circuit.
  • off: PoE and PoE detection are both turned off. The Ethernet port works as a regular Ethernet port.
In RouterOS v6.x, if a long cable is used to bring power to the router, add the following command: /interface ethernet set ether1 poe-in-long-cable=yes
PoE Priority
Used to set the PoE power priority per port. The highest priority is 0 and the lowest priority is 99. If two or more interfaces have the same priority, the Ethernet port with the lowest number automatically has the higher priority. For example, if ether2 and ether3 have the same priority and an overload occurs, PoE on ether3 is turned off. The router checks every 6 seconds whether an Ethernet port turned off because of priority can be given power again.
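The PoE-Out modes, long-cable setting and PoE priority described above as RouterOS terminal commands, added as an example that is not from the original post. It assumes an RB750UP-class board whose ether2 to ether5 support PoE-Out, with a critical wireless AP on ether2 and a less important device on ether5; the priority values are chosen examples.

```routeros
# Added example, not from the original post. Assumes ether2..ether5
# support PoE-Out, with a critical AP on ether2 and a secondary device
# on ether5.

# Critical AP: auto-on, so the port is powered only after the
# resistance check passes, with the highest priority (0).
/interface ethernet poe set ether2 poe-out=auto-on poe-priority=0

# Secondary device: auto-on but a lower priority, so on overload this
# port is switched off before ether2.
/interface ethernet poe set ether5 poe-out=auto-on poe-priority=50

# Ports with nothing to power stay plain Ethernet.
/interface ethernet poe set ether3,ether4 poe-out=off

# The board itself is fed over a long cable from a PoE-In source
# (RouterOS v6).
/interface ethernet set ether1 poe-in-long-cable=yes

# Check the configuration and what the controller is actually
# delivering (status, voltage, current and power on the port).
/interface ethernet poe print
/interface ethernet poe monitor ether2 once
```

If the monitor output shows the port powered off after an overload, lowering the priority number on that port or raising it on the others changes which device loses power first.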
Safety
To avoid hardware damage caused by power problems, the PoE feature comes with several safeguards.
  • Port detection: auto-on mode can be called a fairly safe mode, because the router checks whether the device connected to the port needs power and is capable of receiving it properly.
  • Overload protection: while PoE-Out is running, the router checks for overload. If an overload occurs, PoE-Out is turned off to avoid hardware damage from excessive power. PoE controller firmware version 2 allows a maximum of 1 ampere on one port and a maximum of 2.2 amps in total across all ports.
  • Short circuit detection: checked while PoE-Out is enabled. If the router detects a short, all PoE-Out ports are turned off.
Monitoring
For monitoring, simply double-click the interface running PoE-Out, and the PoE tab will show the power being delivered on that port.
RouterBOARD devices that support PoE-Out are usually marked with the code "P" or "i" in the product name, e.g. OmniTIK UPA, RB750UP, RB260GSP, RB2011UiAS, etc. The code "P" means every Ethernet port except ether1 on the RouterBOARD supports PoE-Out, while a product with the code "i" has one Ethernet port that supports PoE-Out.