Security on CTWUG

In the last week we had another security incident on the WUG. To this end the committee has decided to implement the following:

  1. Automatic blackhole for repeated login attempts on any router running radius. Most likely this will be something similar to 6 failed logins within 10 min from the same IP to any radius router. This is likely to lead to 24h blackhole and later a permanent blackhole with investigation if repeated → implemented here.
  2. Removing all accounts admin where no password exists from OSPF routers. Preferably all routers. To this end you are unlikely to see login attempts from @dizzle for this on your routers. Please ignore this.
  3. I will also make it easier to keep wug routers up to date in terms of firmware.
  4. Update minimum RouterOS versions → implemented here.

Please please please run proper firewalls on your internet routers. Keep them up to date.

6 Likes
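The blackhole rule from point 1 above, written out as detection logic over sample log lines. This is an added example, not code from the committee or the WMS: the RouterOS "login failure for user ... from ... via ..." message wording and the timestamp prefix are assumed, the log lines are constructed, and failures are counted per source IP regardless of which radius router logged them.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Policy as proposed in the thread: 6 failures within 10 min from one IP
# -> 24h blackhole; a second blackhole for the same IP -> permanent.
THRESHOLD, WINDOW, TEMP_BAN = 6, timedelta(minutes=10), timedelta(hours=24)
# RouterOS-style "login failure for user X from IP via Y" message; the exact
# wording and the timestamp prefix are assumed for this sample, not quoted.
LINE_RE = re.compile(r"^(\S+ \S+) login failure for user \S+ from (\S+) via")

def parse(line):
    """Return (timestamp, source_ip) for a login-failure line, else None."""
    m = LINE_RE.match(line)
    return (datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), m.group(2)) if m else None

def evaluate(lines):
    """Map each source IP that tripped the rule to 'temporary' or 'permanent'."""
    recent = defaultdict(deque)  # ip -> failure timestamps inside the window
    ban_until = {}               # ip -> expiry of the current blackhole
    strikes = defaultdict(int)   # ip -> number of blackholes issued so far
    verdict = {}
    for parsed in filter(None, map(parse, lines)):
        ts, ip = parsed
        if ip in ban_until and ts < ban_until[ip]:
            continue             # traffic already dropped; nothing to count
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > WINDOW:  # slide the 10-minute window forward
            q.popleft()
        if len(q) >= THRESHOLD:
            strikes[ip] += 1
            q.clear()
            if strikes[ip] >= 2:   # repeat offender: permanent, flag for review
                verdict[ip], ban_until[ip] = "permanent", datetime.max
            else:
                verdict[ip], ban_until[ip] = "temporary", ts + TEMP_BAN
    return verdict

def _lines(ip, start, n, step_min):
    """Constructed sample log: n failures from ip, step_min minutes apart."""
    return [f"{start + i * timedelta(minutes=step_min):%Y-%m-%d %H:%M:%S} "
            f"login failure for user admin from {ip} via winbox" for i in range(n)]

T0 = datetime(2018, 6, 1, 10, 0, 0)
SAMPLE_LOG = (_lines("203.0.113.5", T0, 6, 1)                          # burst -> 24h
              + _lines("203.0.113.5", T0 + timedelta(hours=25), 6, 1)  # again -> permanent
              + _lines("198.51.100.7", T0, 6, 3))                      # spread out -> no ban
```

Failures that arrive while an IP is already blackholed are not counted, so a router that keeps logging dropped attempts cannot escalate a 24h ban on its own; only a fresh burst after expiry does.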

Few things come to mind:

  1. Minimum RouterOS version should be upped to the latest current or stable releases, yes, lots of work, but some things are better to upgrade. Remember, there are known issues on older RouterOS versions like the Winbox issue where anyone can get the usernames and passwords for a router. Then there is the VPNFilter issue.
  2. Force the removal of the admin user, realistically the whole idea is that the admin user should be replaced once the router is being set up, so if the username of the main account is “admin” force people to change it, makes it more difficult to log in if the username is unknown.
  3. Block ports that aren’t needed like FTP and Telnet.
  4. https://wiki.mikrotik.com/wiki/Manual:Securing_Your_Router
2 Likes

Thanks @DHE

We don’t want people implementing their own firewalls on OSPF routers. But his comments apply to internet routers and non-OSPF non-WMS routers. Also moved your post to this topic which is more appropriate.

I would also like to propose upgrading minimum ROS version to 6.40.8 (bugfix). Enforced by WMS / Housekeeping in the usual way.

1 Like

Any idea as to where in CTWUG the breach originated?

Very good idea. We are investigating and following up. Will update everyone once we are done.

A suggestion: Wipe any .backup in the Files section, as unencrypted ones are easily exploited, not sure if they have gone as far as to exploit the encrypted ones yet…