MikroTik Training Center Blog

Your Dose of MikroTik Security: May 2021

Cybersecurity: Can't Ever Have Enough!

Online security is probably as old as the internet itself.

 

Given our never-ceasing online presence and the fact that all aspects life, from entertainment to social life to education to business, are virtually intertwined one way or another, we cannot stress enough the significance of up-to-date and robust security measures.

Botnet, that All-Too-Familiar Name...

While it would be a lot cooler to approach this topic in more of a James Bond-Jason Bourne-Jack Bauer style (three super spies with JB initials; coincidence?!), maintaining network security should be a much more patient and consistent process.

 

Botnets, named after their general structure of a Robot Network, have proven the continuous nature of online security. Since 2003 with MaXiTE as their pioneer, botnets have tested the security of millions of networks globally.

Hackers utilize botnets to cause a range of headaches, from direct malignant activities like data theft to using your computer's capacity in other destructive or even criminal activities. They may even sell their botnets to other hackers.

What can I do to secure a device or network?

With a few basic and simple preventative measures, you can remain on the safe side.

  • Ensure passwords are up-to-date, complex, and unique: You'd be surprised how predictable many passwords are. Use password generation utilities such as pwgen to help you with that.


  • Maintain all-around security: When setting up a network, you might deal with a number of users, devices, and subnetworks. Make sure nothing slips through the net and suitable passwords are set wherever needed.


  • Update your software: Software developers routinely check for threats and update the security of their products. Use the most recent and long-term version of RouterOS to enjoy better security. (Remember to read the changelogs of any update before installation.) Also, change your passwords after any upgrade.


  • Recheck configurations: Overlooked by many, periodically going over your configs to ensure everything is going smoothly is the habit of smart users and network managers. If you find a configuration that you don't recognize or one that seems unreasonably off, you might be looking at a compromised device.


  • Backup data and configurations: A no-brainer. Make sure you routinely backup your network data and configurations on a safe, isolated cloud or drive for successful restoration after a threat has been resolved.

Been There, Done That...

We did an article on a rogue botnet back in August 2018 that was exploiting a vulnerability in WinBox that was patched in RouterOS v6.42.1. Back then, all RouterOS versions 6.29 to 6.42 were threatened.

How to find if your router is compromised?

  • SOCKS Service:

Check your Router's SOCKS service first. If you have never used a SOCKS service on your router, make sure it is disabled. If not, this means your router has been compromised.

 

SOCKS is a proxy server that allows the relay of TCP-based application data across a firewall, even if the firewall is set to block packets. The SOCKS protocol is independent of application protocols and can be used for many services, e.g., WWW, FTP, TELNET, and others.

  • Scripts:

Remove all unwanted the scripts. Check all files and folders for mikrotik.php and delete it. The scripting host helps automate some router maintenance tasks through user-defined scripts bounded to event occurrences.

 

Scripts can be stored in the Script Repository or written directly to the console. Some events used to trigger script execution include, but are not limited to, the events generated by System Scheduler, Traffic Monitoring Tool, and Netwatch Tool.

  • Schedule:

Similar to scripts, scheduled events can also be a sign of possible breaches. Check to see if you have any schedules that you do not recognize, and remove them.

 

Hackers and malicious software can use the scheduler tools of RouterOS to relay unwanted traffic, accumulate data, or gather periodical information from your device in order to stay up to date concerning any changes in your configuration.

What to do if my device or network has been compromised?

In case you ever suspect a network breach, do as below:

  • Try to save your data on an isolated drive for future restoration. Make sure you disconnect the backup drive from the compromised network once its the backup is complete.


  • Assess the situation to the best of your ability. If the breach doesn't look serious and you have a backup data, you may perform a complete system reset or reinstall.




  • Once the threat has been neutralized, scan your backup data before restoration so that it contains no malware that can be carried back into your device or network.

For further information concerning the security of your device, you can refer to MikroTik's Wiki on how to secure your router.