Just so people don’t get too worried. I’ve had hundreds of MT routers in the wild for almost 20 years and never had an issue. So it IS possible to secure a router.
It's the kind of "vulnerability" that is not really an issue. Like, when there is a Windows/Microsoft shaming post on a new "ultimate crazy windows vulnerability hack" that requires an administrator and physical access to the server to begin with. At that point, do you really need to be a hacker to do damage? Pure clickbait.
I disagree, if there are people that still use admin/blank as the default login credentials with old firmware then this "Vulnerability" isn't a null issue, the points in the video are aimed at helping people implement some pretty basic yet recommended configurations on their routers to prevent bad actors not only from abusing this CVE but many others.
@user-zm7qz5fq2d pretty much, which is why there is this video and similar ones like it to tell people to stop using default creds and to help them follow some basic but useful configs to help secure their network, so that when security researchers check the scope of a vulnerability it shouldn't be a staggering number like "nearly a million vulnerable devices".
It really should be standard practice to create another admin account with unique weird username and disable (don't delete) the original account. I do this on all devices and Linux servers. The reason I disable the original admin account is sometimes patches / updates may freak out if it can't find it or it may automatically re-create it. Better to disable it.
Never had an issue you knew about? :) Would you mind sharing some of the security config that you use please?
I've had a national ISP categorically tell me the Mikrotik they configured is secure, yet in the logs there was evidence that a 3rd party was logging into the router and the ISP didn't know who the 3rd party was. Yes it's a sample of 1, but my rule of thumb is "don't assume it's secure, ever".
I’ve been waiting for you to upload a new Video!! Glad to see you’re back in action🥳
Just one small remark on vulnerabilities and patches. Yes, I agree the typical CVEs usually are addressed in the patches and most of the time you could forget about it with applied patch. Nevertheless, there are security patches, which are more like a small feature upgrade and to properly address a vulnerability sometimes additional tasks have to be applied. Of course, usually such things are communicated by the vendor, but as most of us don't have too much time to waste on security, this could sometimes get easily forgotten.
Great video as usual
Pinned comment with some reference material and additional tips:
Protect your MikroTik from Hackers:
th-cam.com/video/d39IvN70Eb4/w-d-xo.html
MikroTik Firewall Rules:
th-cam.com/video/NXvHdZbAuTI/w-d-xo.html
MikroTik's guide to stop Brute Force attacks:
th-cam.com/video/UXGVQmFUfL4/w-d-xo.html
MikroTik Securing your Router Docs:
help.mikrotik.com/docs/display/ROS/Securing+your+router
Vulncheck Article:
vulncheck.com/blog/mikrotik-foisted-revisited
Noted sir, thanks, your video is good, secure firewall more
Good video in terms of basic good practices: change default winbox port and limit subnet access, only allow access to the router on the input chain from trusted users, and finally tools --> mac-server, winbox-mac server, and ensure all three different control elements are in sync!
Most vendors have many CVEs, not unique to MT. Most hacks can only occur if your firewall is not set up properly using basic security practices.
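The practices listed in this comment (and the earlier one about adding a replacement admin account and disabling, not deleting, the built-in one) written out as RouterOS CLI commands, as an added example that is not from the video, the pinned references or MikroTik's own documentation; the management subnet, WinBox port, username and password are assumed placeholders:

```routeros
# Added example, not from the video or MikroTik docs. Assumed values:
# management subnet 192.168.88.0/24, WinBox port 58291, replacement admin
# account "ops-r7kq3" with a placeholder password.

# 1. Replacement admin account first, then disable (do not delete) the
#    built-in "admin" so updates that expect it to exist do not misbehave
/user add name=ops-r7kq3 group=full password=CHANGE-ME-LONG-RANDOM
/user disable admin

# 2. Services: turn off what is unused, move WinBox off its default port
#    and pin the remaining services to the management subnet. The port
#    change only cuts down opportunistic scanning; the address restriction
#    and the firewall below are the actual control.
/ip service disable telnet,ftp,www,api,api-ssl
/ip service set winbox port=58291 address=192.168.88.0/24
/ip service set ssh address=192.168.88.0/24
/ip ssh set strong-crypto=yes

# 3. Input chain: the same subnet, expressed once as a named address list
/ip firewall address-list add list=mgmt address=192.168.88.0/24 comment="trusted admins"
/ip firewall filter add chain=input connection-state=established,related action=accept comment="existing sessions"
/ip firewall filter add chain=input connection-state=invalid action=drop comment="drop invalid"
/ip firewall filter add chain=input protocol=icmp action=accept comment="keep ping for diagnostics"
/ip firewall filter add chain=input src-address-list=mgmt action=accept comment="management from trusted subnet only"
/ip firewall filter add chain=input action=drop comment="everything else to the router"

# 4. Layer-2 management paths (MAC telnet, MAC WinBox, neighbor discovery)
#    bypass the IP restrictions above, so they are closed here to keep all
#    three control points in sync
/tool mac-server set allowed-interface-list=none
/tool mac-server mac-winbox set allowed-interface-list=none
/tool mac-server ping set enabled=no
/ip neighbor discovery-settings set discover-interface-list=none
```

Apply these from a host inside the assumed management subnet, since the service address restriction and the input drop rule both lock out every other source.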
Definitely, as basic administration and patch management goes a long way in keeping your network secure.
I looked at FortiNet's CVE list and that was something I was actually surprised at, a massive list for a vendor whose business model is mostly security.
@TheNetworkBerg Yep. I use pfSense for firewall and MikroTik switches for home lab. We use Fortinet firewalls at work and branches which I am admin of. I've also deployed a few pfSense appliances at the branches without issues. I too am very annoyed and surprised to see so many CVEs lately on the Fortigates that I am tempted to stop buying them and get the pfSense appliances instead.
Seems lately I have to run the firmware updates several times in a short period of time on so many of our Fortigates. It's crazy. I even shut down the ssl-vpn back in Dec due to Fortinet's infinite wisdom in exposing the ssl-vpn web to the internet for hackers to pick at. Crazy.
Hey Berg
I just bought an hAP ax Lite and I can't get my wireless working, so can you explain how to configure the wifi Wave 2, step by step
Nice work btw
I often find mikrotiks in the wild running pre-RoS 7, with FTP server enabled etc etc... grab nmap and do some CVE scans ;)
So, I can see you are testing the new BTH option? Are you planning to do a video about it?
Maybe :D, (Definitely)
Nice presentation. Thanks
WOW! A great video that helped me immensely. Thank You!
Duplicate MAC address "phones" for MikroTik active. What is the solution, please?
I usually tend to bind my own routers to be only winbox/ssh accessible from within zerotier network, with the restricted NAT as failover
Yeah that sounds like a pretty solid way to manage your devices.
@TheNetworkBerg those newer hAPs rock a lot when you know what to do with them
If you already have a malicious user with admin access this CVE is the least of your problems right now. The thumbnail is a bit sensationalist.
I was expecting something like an RCE.
I do talk a bit regarding the subject; I suggest watching the video. If you want to see an RCE you are welcome to check out Vulncheck's channel. They have a video of it there showcasing how the exploit works; my video is aimed more at stopping exploits like this from occurring by just some basic but best practice rules when bringing a router online.
The big problem is that there are just many routers in the wild that still use the default admin/blank credentials running old firmware, making them extremely easy to exploit even without things like Brute Force tools. And yes, the thumbnail is supposed to be sensationalist, I want to get people's attention; if it can make at least a few people aware of the risks and get them to just implement a few configuration changes and apply patch management to their system, then I am very happy if a thumbnail like this got their attention.
The problem is that a lot of Mikrotik devices are running with "admin" without any password in the wild, because of this weird design choice they made early on.
People are buying these because they are cheap, connecting to the internet and using them like that.
Thanks
Hi. I rerouted access to a subnet to another router (due to PoE and DAC). Local subnet has one node to hop (gateway), remote subnet has 2 nodes to hop (gateway). When the firewall rule [chain forward drop invalid] is on the local router, responses come only selectively. The router seems to favor only my laptop to access the other subnet (validating its connection states?). Neither wired nor cellphone can access the other subnet. When I turn off that firewall rule, all clients can access the other subnet as intended. Question is how important is the rule? How much of a security concern is not dropping [forward] [invalid]? How can I compensate for disabling this rule?
Great advice!
One question, that you probably get quite frequently, but I haven't seen answered so far: Can you use names for IP addresses, ranges and also for ports, instead of always remembering the specific numbers? Thanks.
Appreciate your videos man. How do you suggest I go about getting out of my NOC role and moving up? I have my CCNA, but no promotion opportunities at work. I just want to get my hands on some configurations, I feel myself losing my skills. Is a net engineer too much of a jump? Would a CCNP help? Sorry for the question overload lol
I think these are good questions. I think the first thing that you can do is have an honest conversation with your current employer and make them aware that you no longer feel challenged in your current role and that you are looking at moving into something else, such as configurations. This will let them know that you will either need a different role that will challenge and grow you, which they can help with, or that you will potentially move on to new opportunities with another company.
I think many people are afraid to be direct with their employers because it feels like you are potentially impacting your job security, but in reality employers value this honesty and it is many times the reason why someone "moves up".
As for getting a CCNP, it can definitely help getting an interview with some companies, but from personal experience I think most companies are looking for people with experience already and having the cert itself won't be the biggest reason why you get into an engineering role. You could also check different departments; the ISP I first worked for had various divisions and there was an installations team that would primarily drive to a site and install equipment, but they were a part of the config process with core engineers giving them valuable insight and experience until they could move into those roles themselves as they got that hands-on experience.
Thank you
Pro tips:
Disable services you don't use or need.
Change default ports (for example, SSH, or HTTPS)
Changing ports does nothing for a targeted attack.
@WanderTrekker PSD and FTB do something though
It's been a while. Hope you are fine
I am very much fine ^^, busy moving to a new country and it is taking all my focus so TH-cam has taken a slowdown for a bit. Thank you for your concern :)
@TheNetworkBerg happy to hear from you, you are fine.
+1
Manufactured a few miles from Russia..
The US is also a few miles away from Russia :P