Upload File

secure remote access to mikrotik routers... you knock router-ports in the correct order, e.g.: 1. 1...

  • Home
  • Documents
  • Secure remote access to MikroTik routers... You knock Router-ports in the correct order, e.g.: 1. 1 packet to UDP/10130 port 2. 2 packets to UDP/21516 port within 2 seconds 3. 1 packet
23
Secure remote access to MikroTik routers Gyenese László MikroTik Trainer, Academy Trainer MUM Budapest 2019.05.31. 1

Upload: others

Post on 09-Apr-2020

8 views

Category:

Documents


1 download

Report

TRANSCRIPT

Page 1: Secure remote access to MikroTik routers... You knock Router-ports in the correct order, e.g.: 1. 1 packet to UDP/10130 port 2. 2 packets to UDP/21516 port within 2 seconds 3. 1 packet

www.mikrotikgyor.hu

Secure remote access to MikroTik routers

Gyenese László

MikroTik Trainer, Academy Trainer

MUM Budapest

2019.05.31.

1

Page 2: Secure remote access to MikroTik routers... You knock Router-ports in the correct order, e.g.: 1. 1 packet to UDP/10130 port 2. 2 packets to UDP/21516 port within 2 seconds 3. 1 packet

www.mikrotikgyor.hu

Users

• Default password:

admin / <blank>

Change it!

• User groups with unique Policies

Protection against unauthorized access

2

Page 3: Secure remote access to MikroTik routers... You knock Router-ports in the correct order, e.g.: 1. 1 packet to UDP/10130 port 2. 2 packets to UDP/21516 port within 2 seconds 3. 1 packet

www.mikrotikgyor.hu

Login only from allowed addresses

Protection against unauthorized access

3

Page 4: Secure remote access to MikroTik routers... You knock Router-ports in the correct order, e.g.: 1. 1 packet to UDP/10130 port 2. 2 packets to UDP/21516 port within 2 seconds 3. 1 packet

www.mikrotikgyor.hu

Don’t publish your settings

Protection against unauthorized access

4

Page 5: Secure remote access to MikroTik routers... You knock Router-ports in the correct order, e.g.: 1. 1 packet to UDP/10130 port 2. 2 packets to UDP/21516 port within 2 seconds 3. 1 packet

www.mikrotikgyor.hu

Limiting services

Protection against unauthorized access

5

Page 6: Secure remote access to MikroTik routers... You knock Router-ports in the correct order, e.g.: 1. 1 packet to UDP/10130 port 2. 2 packets to UDP/21516 port within 2 seconds 3. 1 packet

www.mikrotikgyor.hu

Secure access via VPN tunnel

Protection against unauthorized access

6

Page 7: Secure remote access to MikroTik routers... You knock Router-ports in the correct order, e.g.: 1. 1 packet to UDP/10130 port 2. 2 packets to UDP/21516 port within 2 seconds 3. 1 packet

www.mikrotikgyor.hu

Access of services with „security code”:

1. You have to knock some ports on the router

2. In a short time you can access the router

Protection against unauthorized access

7

Port Knocking

Page 8: Secure remote access to MikroTik routers... You knock Router-ports in the correct order, e.g.: 1. 1 packet to UDP/10130 port 2. 2 packets to UDP/21516 port within 2 seconds 3. 1 packet

www.mikrotikgyor.hu

You knock Router-ports in the correct order, e.g.:

1. 1 packet to UDP/10130 port

2. 2 packets to UDP/21516 port within 2 seconds

3. 1 packet to UDP/ 51123 port within 2 seconds

You have to create proper filter rules on the router!

If you knock in the proper code:

4. Winbox login will enabled for 10 seconds

Port Knocking

8

Page 9: Secure remote access to MikroTik routers... You knock Router-ports in the correct order, e.g.: 1. 1 packet to UDP/10130 port 2. 2 packets to UDP/21516 port within 2 seconds 3. 1 packet

www.mikrotikgyor.hu

Functions:

• Winbox login with unique pre-saved parameters

• Centralized secure Router-database – even in the Cloud

You will see same router-list on your desktop PC, on your Laptop, etc. without manual

synchronization of Winbox managed lists

• Unique Port Knocking configuration for all routers (if needed)

Port Knocking – my own application

9

Page 10: Secure remote access to MikroTik routers... You knock Router-ports in the correct order, e.g.: 1. 1 packet to UDP/10130 port 2. 2 packets to UDP/21516 port within 2 seconds 3. 1 packet

www.mikrotikgyor.hu

MikroTik router filter rules for port knocking example: /ip firewall filter

add action=add-src-to-address-list address-list="Már tiltólistán vagy!" address-list-timeout=5s chain=input \

dst-port=10000-10002 protocol=udp src-address-list=WinboxDenied

add action=add-src-to-address-list address-list=Knock1 address-list-timeout=10s chain=input dst-port=10000 \

protocol=udp src-address-list=!WinboxDenied

add action=add-src-to-address-list address-list=Knock2 address-list-timeout=10s chain=input dst-port=10001 \

protocol=udp src-address-list=Knock1

add action=add-src-to-address-list address-list=WinboxDenied address-list-timeout=20s chain=input dst-port=10001 \

protocol=udp src-address-list=!Knock1

add action=add-src-to-address-list address-list=KnockOK address-list-timeout=10s chain=input dst-port=10002 \

protocol=udp src-address-list=Knock2

add action=add-src-to-address-list address-list=WinboxDenied address-list-timeout=20s chain=input dst-port=10002 \

protocol=udp src-address-list=!Knock2

add action=accept chain=input dst-port=8291 protocol=tcp src-address-list=KnockOK

Port Knocking – my own application

10

Page 11: Secure remote access to MikroTik routers... You knock Router-ports in the correct order, e.g.: 1. 1 packet to UDP/10130 port 2. 2 packets to UDP/21516 port within 2 seconds 3. 1 packet

www.mikrotikgyor.hu

Let’s see in practice...

Port Knocking – my own application

11

Page 12: Secure remote access to MikroTik routers... You knock Router-ports in the correct order, e.g.: 1. 1 packet to UDP/10130 port 2. 2 packets to UDP/21516 port within 2 seconds 3. 1 packet

www.mikrotikgyor.hu

Including but not limited to:

• MNDP (CDP) attack

• DHCP attacks – Discovery, Rogue, ...

• TCP SYN attack

• UDP Flood

• Password Brute Force

• Port Scanner

Most common router attacks

12

Page 13: Secure remote access to MikroTik routers... You knock Router-ports in the correct order, e.g.: 1. 1 packet to UDP/10130 port 2. 2 packets to UDP/21516 port within 2 seconds 3. 1 packet

www.mikrotikgyor.hu

MNDP (CDP) attack

13

Page 14: Secure remote access to MikroTik routers... You knock Router-ports in the correct order, e.g.: 1. 1 packet to UDP/10130 port 2. 2 packets to UDP/21516 port within 2 seconds 3. 1 packet

www.mikrotikgyor.hu

DHCP Starvation attacks

14

Page 15: Secure remote access to MikroTik routers... You knock Router-ports in the correct order, e.g.: 1. 1 packet to UDP/10130 port 2. 2 packets to UDP/21516 port within 2 seconds 3. 1 packet

www.mikrotikgyor.hu

TCP SYN attacks

15

Page 16: Secure remote access to MikroTik routers... You knock Router-ports in the correct order, e.g.: 1. 1 packet to UDP/10130 port 2. 2 packets to UDP/21516 port within 2 seconds 3. 1 packet

www.mikrotikgyor.hu

UDP Flood attacks

16

Page 17: Secure remote access to MikroTik routers... You knock Router-ports in the correct order, e.g.: 1. 1 packet to UDP/10130 port 2. 2 packets to UDP/21516 port within 2 seconds 3. 1 packet

www.mikrotikgyor.hu

Password Brute Force attacks

17

Page 18: Secure remote access to MikroTik routers... You knock Router-ports in the correct order, e.g.: 1. 1 packet to UDP/10130 port 2. 2 packets to UDP/21516 port within 2 seconds 3. 1 packet

www.mikrotikgyor.hu

Port Scanner

18

Page 19: Secure remote access to MikroTik routers... You knock Router-ports in the correct order, e.g.: 1. 1 packet to UDP/10130 port 2. 2 packets to UDP/21516 port within 2 seconds 3. 1 packet

www.mikrotikgyor.hu

• Sophisticated Firewall system of RouterOS

• Unique protection for all forms of attack

Preventing attacks

19

Page 20: Secure remote access to MikroTik routers... You knock Router-ports in the correct order, e.g.: 1. 1 packet to UDP/10130 port 2. 2 packets to UDP/21516 port within 2 seconds 3. 1 packet

www.mikrotikgyor.hu

• Rate-limiting for each new TCP connection

• Rate-limiting for each new UDP connection

• Disable DNS proxy on MikroTik if not reuired

• Limiting the number of times a user can unsuccessfully attemp to

log in

• Users have to create and periodically change complex passwords

• Disabling unused services

• Port scanner limitations

Preventing attacks

20

Page 21: Secure remote access to MikroTik routers... You knock Router-ports in the correct order, e.g.: 1. 1 packet to UDP/10130 port 2. 2 packets to UDP/21516 port within 2 seconds 3. 1 packet

www.mikrotikgyor.hu

How can you learn MikroTik security?

MikroTik Certified Security Engineer

a brand new MikroTik course since march 2019

Protect your routers!

21

Page 22: Secure remote access to MikroTik routers... You knock Router-ports in the correct order, e.g.: 1. 1 packet to UDP/10130 port 2. 2 packets to UDP/21516 port within 2 seconds 3. 1 packet

www.mikrotikgyor.hu

First MikroTik Certified Security Engineers in Hungary

Győr

Budapest

Protect your routers!

22

Page 23: Secure remote access to MikroTik routers... You knock Router-ports in the correct order, e.g.: 1. 1 packet to UDP/10130 port 2. 2 packets to UDP/21516 port within 2 seconds 3. 1 packet

www.mikrotikgyor.hu

Thank You!

23


Collection and Characterization of BCNET BGP Trafficljilja/papers/PACRIM_2011_submitted.pdf · analyzed using the Wireshark open-source packet ... User Datagram Protocol (UDP) connections

Transport Layer (TCP/UDP) · •TCP is full-featured, UDP is a glorified packet CSE 461 University of Washington 6 TCP (Streams) UDP (Datagrams) Connections Datagrams Bytes are delivered

CSC358 AW3 Solution - cs.toronto.eduahchinaei/teaching/2016jan/csc358/Assignment3... · CSC358 Wireshark Assignment 1 Solution Part I. UDP 1. Select one UDP packet from your trace

Introducingan almost reliable UDP protocol: TheKeyed UDP · Introducingan almost reliable UDP protocol: TheKeyed UDP Nuno M. Garcia, PhD Coordinator of Assisted Living Computing and

Lecture 4. Naming System in the Internet · cerbero.elet.polimi.it BROWSER Must know NUMERIC addresses!!! Primary: 131.175.15.8 Secondary: 131.175.15.15 DNS Query via UDP packet,

356961: Internet Protocols - ECSE Protocols Mobile & Wireless ... (TCP, UDP), IP, Routing, Addressing/Naming ... Advanced topics: Multicasting ... Packet forwarding is a control-plane

User datagram protocol (UDP) Packet checksums Reliability: … · 2010. 9. 28. · TCP LastByteAcked LastByteSent Receiving application LastByteRead TCP NextByteExpected LastByteRcvd

Network using socket programming OSI more on TCP UDP and ... · TCP/IP suite, their protocols, header formats and at the end we will try to construct our own packet using RAW packet

UDP Sockets

31. Performance Comparison of transport protocols, UDP and UDP

Si7013EVB-UDP/Si7013EVB-UDP-F960 User’s Guide · Si7013EVB-UDP Si7013EVB-UDP-F960 Rev. 0.2 3 2.1. Si7013EB—UDP Schematics and BOM Figure 3 shows the schematics of the Si7013EB-UDP

Wireshark UDP v7 - rkent.myweb.cs.uwindsor.carkent.myweb.cs.uwindsor.ca/cs367/Wireshark_UDP_v7.0.pdf · After stopping packet capture, set your packet filter so that Wireshark only

Chapter 12 End-to-End Networking. FIGURE 12.0.F01: UDP packet fields

Packet Analysis with Wireshark ARP, IP, TCP, UDP, ICMP Kyu Hyun Choi

User datagram protocol (UDP) Packet checksums Reliability

User Datagram Protocol (UDP) · 11/14/2005  · UDP (cont.) • UDP does ensure correctness of packet using checksum. – Optional in current UDP, required in IPv6 – Checksum computed

Network Security - Firewallsweb.cecs.pdx.edu/~jrb/netsec/lectures/pdfs/firewalls2.pdf · UDP packet to empty port gets ICMP unreachable

Touchscreen UDP

UDP Programme

UDP Packet Offload Example - Intel · Each of the four UDP hardware channels have a payload extraction component which will receive the Ethernet packet from the demultiplexor and

Arcserve UDP 8100 and UDP

FPGA UDP Memcached Server Design · 2014. 5. 15. · computers. Memcached System is primary in used for TCP packet and the information regarding to UDP Memcached System is very limited

Implementation of Efficient Architecture for Vulnarability ....pdf · and UDP traffic, the port number). ... Implementation of Efficient Architecture for Vulnarability Packet Detection

z/OS Communication Server IPSec and IP Packet Filtering · z/OS Communication Server IPSec and IP Packet Filtering August 4, 2010 z/OS Communications Server Page 1. ... TCP and UDP

Arcserve UDP 8100 and UDP · Arcserve UDP 8100 and UDP 8200 Appliance Hardware Installation Guide 4 3. Electrical and General Safety Guidelines CAUTION This appliance is intended

Iranian Journal of Electrical and Electronic …ijeee.iust.ac.ir/.../refan-A-10-222-4-725e34d.docx · Web viewThe NTP packet is a UDP datagram [25]. The NTP packet header shown in

User datagram protocol (UDP) Packet checksums Reliability: stop

Listifyed (UDP) GROvger.kernel.org/netconf2019_files/udp_gro.pdf · Listifyed (UDP) GRO Generic Receive O oad (GRO) Generic Receive O oad (GRO) I Software packet aggregation on Layer

User Datagram Protocol (UDP) UDP [RFC 768] UDP Socket

RDMA over Commodity Ethernet at Scale - … over Commodity Ethernet at Scale ... packet drops due to congestion, while rare, are not entirely absent ... packet within an Ethernet/IPv4/UDP

Arcserve UDP 8100 and UDP 8200documentation.arcserve.com/.../PDF/app_hw_ig_8100_8200.pdfArcserve UDP 8100 and UDP 8200 Appliance Hardware Installation Guide 2 1. Safety Notice and

UDP Server

The Transport Layer - Colin Perkins · • Role of the transport layer • Transport layer functions • Transport protocols in the Internet • TCP, UDP, DCCP, and SCTP ... UDP Packet

Registro Competencias Genericas 209 21516

User Datagram Protocol. Introduction UDP is a connectionless transport protocol, i.e. it doesn't guarantee either packet delivery or that packets arrive