MikroTik routerboard config
A few notes on the MikroTik RB2011UiAS-2HnD: 5x 1 Gbit LAN, 5x 100 Mbit LAN, USB, SFP
what's good to know
- never use the web interface for configuration. It is useless.
- at the start of configuration connect by MAC address (MAC-Winbox or MAC-Telnet), not by IP. IP addresses change as you configure and an IP session will drop. Once it is configured, save the configuration and from then on connecting over IP is fine. The factory default is 192.168.88.1/24.
- Security first. Disable all services except ssh and winbox (if you use it). The web interface is debatable, but better disable it; you can enable it quickly over ssh. Log externally (syslog, UDP 514 by default) and at first log everything so you can diagnose problems, then cut it down.
- switches. It is a router-switch :), more precisely it has 2 switch chips matching the port grouping. Ether1 is the outward port (aka WAN) and is left standalone; ether2-5 form one switch and ether6-10 the other. There is NO passthrough between the two unless a bridge is configured. Each switch has one master port (ether2 and ether6 by default).
- Settle the order of work first: a) LAN config (switches, port IPs, DHCP); b) firewall (iptables-style); c) WAN; d) wireless; e) VLANs (optional); f) extras (monitoring, logging and so on).
quick info
system routerboard print – basic info, serial number, firmware version and the like
system routerboard settings print – bootloader (RouterBOOT) settings: boot device, baud rate, protected-routerboot and so on
ntp
MikroTik has no battery-backed clock, so after power-on it showed the start of UNIX time, 1970. Worth pointing it at some public NTP servers; I leaned on Cesnet's servers {tik,tak}.cesnet.cz.
/system ntp client set enabled=yes mode=unicast primary-ntp=195.113.144.201 secondary-ntp=195.113.144.238
(RouterOS 6 syntax. RouterOS 7 has no mode/primary-ntp/secondary-ntp; there the servers are added as entries under /system ntp client servers.) Check with /system clock print that the date has really moved off 1970; until it has, certificate checks and log timestamps are worthless.
MikroTik can also act as a local NTP server for the LAN (in RouterOS 6 the NTP server and the full client live in the separate ntp package; the base system only has an SNTP client).
security
changing the default user
/user print
/user set 0 name=myname
(0 is the number of the admin user as shown by /user print.)
changing the password
/user set 0 password="new password"
list network services
/ip service print
disable network services
/ip service disable telnet,ftp,www,api,api-ssl
/tool mac-server set allowed-interface-list=none
/ip neighbor discovery-settings set discover-interface-list=none
/tool bandwidth-server set enabled=no
/ip upnp set enabled=no
Caveats: the two interface-list commands are RouterOS 6.41+ syntax (older versions have per-interface entries under /tool mac-server and /ip neighbor discovery instead). /tool mac-server mac-winbox is a separate setting and needs the same treatment. And allowed-interface-list=none also kills the MAC-based connection recommended at the start, so run it last, or allow the LAN interface list instead of none.
change the ports of the services you keep; ssh is enough
/ip service set ssh port=22222
/ip ssh set strong-crypto=yes
A non-standard port only cuts down on scanner noise; it is no access control. The real restriction is the address= parameter of /ip service (limit ssh and winbox to the management subnet) and the input chain of the firewall.
The rest of the security settings belong to the firewall, see the firewall section below.
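Putting the steps of this section together, as an added example and not the page's own commands: the same hardening, but with the surviving services pinned to the LAN subnet and MAC access left open on the LAN only, so the MAC connection recommended at the start keeps working. It assumes RouterOS 6.41+ (interface lists), the LAN on ether2 as 192.168.1.0/24 exactly as the switch section below sets it up, the ssh port 22222 from above, and a syslog host at 192.168.1.10, which is an assumed address; the user name myname and the password are placeholders.

```routeros
# Added example, not the page's own config. Assumes RouterOS 6.41+ (interface lists),
# LAN = 192.168.1.0/24 on ether2 (as in the switch section), syslog host 192.168.1.10 (assumed).

# 1. Rename the default user and give it a password; never leave "admin" with an empty one.
/user set [find name=admin] name=myname password="new password"

# 2. An interface list for the LAN side, reused by mac-server, discovery and the firewall.
/interface list add name=LAN
/interface list member add list=LAN interface=ether2

# 3. Drop everything you do not administer through. Keep ssh (and winbox if used),
#    and pin both to the management subnet; the port change alone is no access control.
/ip service disable telnet,ftp,www,api,api-ssl
/ip service set ssh port=22222 address=192.168.1.0/24
/ip service set winbox address=192.168.1.0/24
/ip ssh set strong-crypto=yes

# 4. MAC access and discovery only on the LAN, not "none": MAC-Winbox/MAC-Telnet from the
#    LAN keep working when an IP change locks you out, but nothing answers on ether1.
/tool mac-server set allowed-interface-list=LAN
/tool mac-server mac-winbox set allowed-interface-list=LAN
/ip neighbor discovery-settings set discover-interface-list=LAN
/tool bandwidth-server set enabled=no
/ip upnp set enabled=no

# 5. Ship logs off-box (syslog, UDP 514 by default). Start broad, narrow the topics later.
/system logging action set remote remote=192.168.1.10 remote-port=514
/system logging add topics=info action=remote
/system logging add topics=warning action=remote
/system logging add topics=error action=remote
/system logging add topics=critical action=remote

# 6. Verify: only ssh (and winbox) enabled, both with an address restriction,
#    and the MAC server listing LAN, not "all".
/ip service print
/tool mac-server print
/tool mac-server mac-winbox print
```

If ssh must be reachable from the WAN as well, add the admin source range to the address= list of the ssh service rather than clearing it, and keep the brute-force rules from the firewall section in front of the accept for that port.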
switch or bridge?
As noted in the general remarks on switches, there are 2 of them. They are hardware switch chips, so joining ports on them is always the better option than bridging, which is a software construct: bridged frames cross the CPU, switched ones do not. Switch 1 thus has 4 usable ports (ether1 is for WAN) and switch 2 has 5 ports. Each switch has a master port, which carries the IP addressing for the whole switch; the slave ports have no IP of their own. So the switch config (RouterOS before 6.41; from 6.41 on master-port no longer exists and the same is done with a bridge whose ports have hardware offload enabled):
/interface ethernet
set ether3 master-port=ether2
set ether4 master-port=ether2
set ether5 master-port=ether2
set ether7 master-port=ether6
set ether8 master-port=ether6
set ether9 master-port=ether6
set ether10 master-port=ether6
/ip address add address=192.168.1.11/24 interface=ether2 network=192.168.1.0
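The same port layout on RouterOS 6.41 and later, where master-port was removed, as an added example (not the page's config): one bridge per switch chip with hardware offload on every port, which keeps forwarding inside the chip just as master-port did, and two separate bridges so there is still no passthrough between the groups. The bridge names bridge-sw1 and bridge-sw2 are my own choice; the address is the one from the master-port config above.

```routeros
# Added example, not the page's own config: the two isolated switch groups on RouterOS 6.41+.
# One bridge per switch chip; hw=yes keeps forwarding in the chip, so the CPU is not involved
# inside a group. Two separate bridges = no passthrough between the groups, as with master-port.
/interface bridge
add name=bridge-sw1 protocol-mode=none comment="gigabit switch chip, ether2-5"
add name=bridge-sw2 protocol-mode=none comment="100 Mbit switch chip, ether6-10"
/interface bridge port
add bridge=bridge-sw1 interface=ether2 hw=yes
add bridge=bridge-sw1 interface=ether3 hw=yes
add bridge=bridge-sw1 interface=ether4 hw=yes
add bridge=bridge-sw1 interface=ether5 hw=yes
add bridge=bridge-sw2 interface=ether6 hw=yes
add bridge=bridge-sw2 interface=ether7 hw=yes
add bridge=bridge-sw2 interface=ether8 hw=yes
add bridge=bridge-sw2 interface=ether9 hw=yes
add bridge=bridge-sw2 interface=ether10 hw=yes
# The IP now lives on the bridge, not on a member port (there is no master port any more).
/ip address add address=192.168.1.11/24 interface=bridge-sw1 network=192.168.1.0
# Verify: every port must carry the H (hw-offload) flag. A port without it is being
# switched in software by the CPU, which is exactly what the master-port setup avoided.
/interface bridge port print
```

protocol-mode=none matches the master-port setup, which ran no spanning tree; if you want loop protection, switch the bridge back to rstp and confirm the H flag is still shown afterwards. DHCP, firewall interface matches and everything else that referred to ether2 now refers to bridge-sw1.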
firewall
The firewall is Linux-style: it has the filter, nat and mangle tables (plus some advanced layer-7 stuff, which is useless). Chains are processed in order as on Linux, top down: the first terminating match (accept, drop, reject, fasttrack) ends the walk, so a drop placed above an accept wins. Watch out for that. Official docs are on the MikroTik site (firewall/filter).
The MikroTik firewall has an address-list feature: named sets of addresses and ranges that a rule can match on (src-address-list/dst-address-list) and that rules can add entries to with a timeout; the brute-force protection below is built on that.
/ip firewall connection print – list the current connections
/ip firewall export – list the configured rules
/ip firewall filter add/edit/remove – edit the rules of the filter table
Simplest config
The simplest config is based on the idea: I want to go out, but I want no attempts from outside (except ping), i.e. only "related, established" comes back in, using the fasttrack function. Fasttrack marks established/related connections so that their later packets skip the rest of the filter, mangle and queues; rules below the fasttrack rule therefore never see that traffic, and the fasttrack rule needs an ordinary accept for established/related right after it for the packets that are not fasttracked.
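The rule set that policy corresponds to, written out as an added example rather than the page's own rules. It assumes ether1 as WAN and 192.168.1.0/24 on ether2 as configured in the switch section (on 6.41+ the LAN bridge takes ether2's place); the comments are mine.

```routeros
# Added example, not the page's own rules: "out yes, in nothing but ping", with fasttrack.
# Assumes ether1 = WAN, LAN 192.168.1.0/24 behind ether2. Rules run top-down; the first
# terminating match wins, so the order below is part of the policy.
/ip firewall filter
# --- input: traffic addressed to the router itself ---
add chain=input action=accept connection-state=established,related comment="replies to what the router started"
add chain=input action=drop connection-state=invalid comment="no state, no entry"
add chain=input action=accept protocol=icmp comment="ping from anywhere, as the policy allows"
add chain=input action=accept in-interface=!ether1 comment="management (ssh 22222, winbox, dns, ntp) only from the LAN side"
add chain=input action=drop comment="everything else arriving on the WAN: ssh, winbox, dns, all of it"
# --- forward: traffic passing through the router ---
# fasttrack first: established/related flows skip the rest of filter, mangle and queues
# from here on, so nothing placed below this rule will see or count that traffic.
add chain=forward action=fasttrack-connection connection-state=established,related comment="fasttrack"
add chain=forward action=accept connection-state=established,related comment="non-fasttracked rest of those flows"
add chain=forward action=drop connection-state=invalid
add chain=forward action=drop connection-state=new in-interface=ether1 connection-nat-state=!dstnat comment="no unsolicited WAN->LAN; only an explicit dst-nat gets through"
# LAN->WAN new connections match nothing above and are accepted by the default policy.
# --- nat: the LAN leaves behind the WAN address ---
/ip firewall nat
add chain=srcnat action=masquerade out-interface=ether1
# Verify: from outside only ping answers; from the LAN ssh on 22222 still works.
# The stats column shows which rule each probe actually hit.
/ip firewall filter print stats
```

If ssh has to stay reachable from the WAN, put the brute-force rules from the next section in front of the final input drop, followed by an explicit accept for tcp/22222; otherwise the blacklists never get a chance to fill and the drop at the bottom is what really protects the port.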
protection against brute force on FTP, SSH and TELNET. For FTP it is the router's own reply "530 Login incorrect" that is counted; for SSH and telnet it is new TCP connections from one source, escalated through stage lists with 1-minute timeouts. A source that opens a 4th new connection while it is still on stage3 lands on the blacklist, and the drop rule at the top then discards every further packet from it to that port. Note that connections are counted, not failed logins: an admin who opens sessions in quick succession locks himself out as well. Rule order matters: the drop rule must come first in each set, and each set has to sit above any accept for the port and above a catch-all drop in the input chain.
FTP
/ip firewall filter
add action=drop chain=input comment="drop ftp brute forcers" dst-port=21 protocol=tcp src-address-list=ftp_blacklist
add action=accept chain=output content="530 Login incorrect" dst-limit=1/1m,9,dst-address/1m protocol=tcp
add action=add-dst-to-address-list address-list=ftp_blacklist address-list-timeout=3h chain=output content="530 Login incorrect" protocol=tcp
SSH (decoy on port 22, since I actually listen on another port; anything hitting 22 is a scanner)
add action=drop chain=input comment="drop ssh brute forcers" dst-port=22 protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=1d chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp
SSH on the real port. A 4th new connection within the 1-minute stage windows (the rules count connections, not failed logins) locks the source out for 1 day.
add action=drop chain=input comment="drop ssh brute forcers" dst-port=22222 protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=1d chain=input connection-state=new dst-port=22222 protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m chain=input connection-state=new dst-port=22222 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m chain=input connection-state=new dst-port=22222 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m chain=input connection-state=new dst-port=22222 protocol=tcp
TELNET, the same as SSH
add action=drop chain=input comment="drop telnet brute forcers" dst-port=23 protocol=tcp src-address-list=telnet_list
add action=add-src-to-address-list address-list=telnet_list address-list-timeout=1d chain=input connection-state=new dst-port=23 protocol=tcp src-address-list=telnet_stage3
add action=add-src-to-address-list address-list=telnet_stage3 address-list-timeout=1m chain=input connection-state=new dst-port=23 protocol=tcp src-address-list=telnet_stage2
add action=add-src-to-address-list address-list=telnet_stage2 address-list-timeout=1m chain=input connection-state=new dst-port=23 protocol=tcp src-address-list=telnet_stage1
add action=add-src-to-address-list address-list=telnet_stage1 address-list-timeout=1m chain=input connection-state=new dst-port=23 protocol=tcp
dhcp
DHCP can be bound to a specific Ethernet interface, which is good: the LAN behind it sits on the switch and nothing else ever gets an offer. Bind it to the master port (or to the bridge on 6.41+), never to a slave port or to ether1.
first define the DHCP pool
to bring up the dhcp server there is a nice setup wizard that walks you through dialogs to the desired result
/ip dhcp-server setup
list the dhcp config
/ip dhcp-server print
/ip dhcp-server network print
/ip pool print
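What the setup wizard produces, written out as an added example (not the page's commands) so it can be scripted and reviewed instead of clicked through. It assumes the LAN from the switch section, ether2 with the router at 192.168.1.11/24; the pool range, the names pool-lan and dhcp-lan, the printer's address and its MAC are assumed values.

```routeros
# Added example, not the page's own config: the wizard's result as explicit commands.
# Assumes LAN on ether2 (bridge-sw1 on 6.41+), router 192.168.1.11/24. Names and ranges assumed.

# 1. The pool first: what the server may hand out. .1-.99 stay free for static hosts.
/ip pool add name=pool-lan ranges=192.168.1.100-192.168.1.200

# 2. The server, bound to the LAN interface only; never to a slave port or to ether1.
#    add-arp=yes inserts an ARP entry for every lease it hands out (used in step 5).
/ip dhcp-server add name=dhcp-lan interface=ether2 address-pool=pool-lan lease-time=1d add-arp=yes disabled=no

# 3. What clients are told: network, gateway and resolver (here the router itself).
/ip dhcp-server network add address=192.168.1.0/24 gateway=192.168.1.11 dns-server=192.168.1.11

# 4. Known hosts get a fixed address outside the pool, tied to their MAC (assumed values).
/ip dhcp-server lease add address=192.168.1.20 mac-address=00:11:22:33:44:55 server=dhcp-lan comment="printer"

# 5. Optional: with reply-only ARP on the LAN port, only addresses the server handed out
#    (or static leases) get answered; a host that sets its own IP does not talk to the router.
/interface ethernet set ether2 arp=reply-only

# Verify: the pool, the server bound to ether2, and the leases as they appear.
/ip pool print
/ip dhcp-server print
/ip dhcp-server lease print
```

If clients are pointed at the router for DNS, /ip dns needs allow-remote-requests=yes, and then the input chain must drop DNS arriving on ether1, otherwise the box becomes an open resolver on the WAN.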