db.dobo.sk

MikroTik routerboard config


a few notes on the MikroTik RB2011UiAS-2HnD: 5x 1 Gbit LAN, 5x 100 Mbit LAN, USB, SFP

what is good to know

  1. Never use the web interface for configuration. It is total crap.
  2. At the start of configuration it is best to connect by MAC address. The IP addresses will change as you configure, so a connection over IP will keep dropping. Once everything is configured, save the configuration and from then on connecting over IP is fine. The factory default is 192.168.88.1/24.
  3. Security first. Disable all services except ssh and winbox (if you use it). The web interface is debatable, but better disable it; you can enable it quickly over ssh when needed. Log externally (614) and at first log everything so you can diagnose problems, then reduce it.
  4. Switches. It is a routerswitch :), or rather it contains 2 switches that correspond to the port grouping. Eth1 is the outward-facing port (aka WAN); eth2-5 is one switch and eth6-10 is the other. There is NO path between them unless a bridge is configured. Each switch has one master port (eth2 and eth6 by default).
  5. Settle on the order of work: a) LAN config (switches, port IPs, DHCP); firewall (iptables-style); WAN; wireless; VLANs (optional); extras (monitoring, logging and so on).

quick info

system routerboard print – basic info, serial number etc.

system routerboard settings print – basic hardware info

ntp

MikroTik has no battery-backed clock, so after power-up it shows the start of UNIX time, 1970. It is worth pointing it at some public NTP servers; I went with Cesnet's servers {tik,tak}.cesnet.cz.

/system ntp client set enabled=yes mode=unicast primary-ntp=195.113.144.201 secondary-ntp=195.113.144.238

MikroTik can at the same time act as a local NTP server for the LAN.

security

change the default user

/user print
/user set 0 name=myname

change the password

/user set 0 password="new password"

list network services

/ip service print

disable network services

/ip service disable telnet,ftp,www,api,api-ssl
/tool mac-server set allowed-interface-list=none
/ip neighbor discovery-settings set discover-interface-list=none
/tool bandwidth-server set enabled=no
/ip upnp set enabled=no

change the ports of the services I keep; ssh is enough

/ip service set ssh port=22222
/ip ssh set strong-crypto=yes

The rest of the security setup is about the firewall, see the firewall section below.

switch or bridge?

As I wrote in the general notes about the switches, there are 2 of them. They are hardware switches, i.e. always the better way of joining ports than bridging, which is a software construct. Switch 1 therefore has 4 ports (ether1 is for WAN) and switch 2 has 5 ports. Each switch has a master port which defines the IP addressing on that switch. So the switch config is:

/interface ethernet
set ether3 master-port=ether2
set ether4 master-port=ether2
set ether5 master-port=ether2
set ether7 master-port=ether6
set ether8 master-port=ether6
set ether9 master-port=ether6
set ether10 master-port=ether6

Setting the IPs. In general, IPs are assigned per port. Where master ports are set, it is enough to assign the address to the master port and the other ports on the same switch come along with it.

/ip address
add address=192.168.1.11/24 interface=ether2 network=192.168.1.0

firewall

The firewall is Linux-style: there are the tables filter, nat and mangle (plus some advanced layer7 ones, but those are of no use here). Chains are processed in order as on Linux, top to bottom, so watch out for rule order. Official MikroTik docs (firewall/filter).

The MikroTik firewall has an address-list feature: you can add addresses and ranges to a named list and then apply a rule to that list.

/ip firewall connection print – list current connections

/ip firewall export – list the configured rules

/ip firewall filter add/edit/remove – edit the configured rules of the filter table


Simplest config

The simplest config is based on the idea: I want to get out, but I do not want any attempts from outside (except ping), i.e. only "related, established", using the fasttrack feature.

/ip firewall filter
add chain=input action=accept protocol=icmp
add chain=input action=accept connection-state=established,related
add chain=input action=drop in-interface=ether1
/ip firewall filter
add chain=forward action=fasttrack-connection connection-state=established,related comment="fasttrack established/related"
add chain=forward action=accept connection-state=established,related
add chain=forward action=drop connection-state=invalid
add chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface=ether1


Protection against brute force on FTP, SSH and TELNET. It works by moving the source address through staging address lists onto a blacklist as it keeps attempting to connect; further attempts from a blacklisted address are then dropped.

FTP

/ip firewall filter
add action=drop chain=input comment="drop ftp brute forcers" dst-port=21 protocol=tcp src-address-list=ftp_blacklist
add action=accept chain=output content="530 Login incorrect" dst-limit=1/1m,9,dst-address/1m protocol=tcp
add action=add-dst-to-address-list address-list=ftp_blacklist address-list-timeout=3h chain=output content="530 Login incorrect" protocol=tcp

SSH (decoy, because I listen on another port anyway)

/ip firewall filter
add action=drop chain=input comment="drop ssh brute forcers" dst-port=22 protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=1d chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp

SSH on the real port. If I fail to log in 3 times within a minute, lock out for 1 day (note that the rules count new TCP connections to the port, not failed logins: the 4th connection within a minute puts the source on ssh_blacklist whether or not the logins succeeded).

/ip firewall filter
add action=drop chain=input comment="drop ssh brute forcers" dst-port=22222 protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=1d chain=input connection-state=new dst-port=22222 protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m chain=input connection-state=new dst-port=22222 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m chain=input connection-state=new dst-port=22222 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m chain=input connection-state=new dst-port=22222 protocol=tcp

TELNET, the same as SSH

/ip firewall filter
add action=drop chain=input comment="drop telnet brute forcers" dst-port=23 protocol=tcp src-address-list=telnet_list
add action=add-src-to-address-list address-list=telnet_list address-list-timeout=1d chain=input connection-state=new dst-port=23 protocol=tcp src-address-list=telnet_stage3
add action=add-src-to-address-list address-list=telnet_stage3 address-list-timeout=1m chain=input connection-state=new dst-port=23 protocol=tcp src-address-list=telnet_stage2
add action=add-src-to-address-list address-list=telnet_stage2 address-list-timeout=1m chain=input connection-state=new dst-port=23 protocol=tcp src-address-list=telnet_stage1
add action=add-src-to-address-list address-list=telnet_stage1 address-list-timeout=1m chain=input connection-state=new dst-port=23 protocol=tcp
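To see exactly when the staged ladder used in the SSH and TELNET rules above locks a source out, here is a small Python model of it (added here, not part of the original notes). It uses the page's list names and timeouts; the source address 198.51.100.7 and the attempt timings are constructed sample values.

```python
STAGE_TIMEOUT = 60          # address-list-timeout=1m on ssh_stage1..3
BLACKLIST_TIMEOUT = 86400   # address-list-timeout=1d on ssh_blacklist

# The input-chain rules in the page's order: (list the source must be in,
# action, target list, timeout). None = match any source, like the last rule.
SSH_LADDER = [
    ("ssh_blacklist", "drop", None, 0),
    ("ssh_stage3", "add", "ssh_blacklist", BLACKLIST_TIMEOUT),
    ("ssh_stage2", "add", "ssh_stage3", STAGE_TIMEOUT),
    ("ssh_stage1", "add", "ssh_stage2", STAGE_TIMEOUT),
    (None, "add", "ssh_stage1", STAGE_TIMEOUT),
]

class AddressLists:
    """Dynamic address lists: name -> {address: expiry time in seconds}."""

    def __init__(self):
        self.lists = {}

    def contains(self, name, addr, now):
        expiry = self.lists.get(name, {}).get(addr)
        return expiry is not None and expiry > now  # expired entries no longer match

    def add(self, name, addr, now, timeout):
        self.lists.setdefault(name, {})[addr] = now + timeout

def new_connection(lists, src, now, rules=SSH_LADDER):
    """Run one new TCP connection to the guarded port through the rules top to
    bottom; drop terminates, add-src-to-address-list continues to the next rule."""
    for required_list, action, target, timeout in rules:
        if required_list is not None and not lists.contains(required_list, src, now):
            continue
        if action == "drop":
            return "drop"
        lists.add(target, src, now, timeout)
    return "pass"  # fell through the ladder; the rules after it decide

def simulate(times, src="198.51.100.7"):
    """Verdict for each connection attempt at the given times (seconds); constructed source."""
    lists = AddressLists()
    return [new_connection(lists, src, t) for t in times]

if __name__ == "__main__":
    # attempt 4 within a minute lands the source on ssh_blacklist; attempt 5 is dropped
    print(simulate([0, 10, 20, 30, 40]))
    # a pause longer than 1m lets the stage entries expire and the ladder restarts
    print(simulate([0, 10, 20, 100, 110]))
```

The same model applies to the telnet_* lists, which differ only in name and port.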


dhcp

DHCP can be bound to a specific ethernet port, which is good: the LAN behind it sits on the switch and everything is quiet.

first define the DHCP pool


To bring up the DHCP server there is a nice setup wizard that leads through a dialogue to the desired result:

/ip dhcp-server setup

list the DHCP config

/ip dhcp-server print

/ip dhcp-server network print

/ip pool print

written by: ďobo

May 13th, 2018 at 1:30 am

category: networking