Disable unnecessary protocols and protect SSH on the MikroTik RouterOS v7

Поділитися
Вставка
  • Опубліковано 18 гру 2024

КОМЕНТАРІ • 15

  • @Anavllama
    @Anavllama 2 роки тому +2

    Excellent focused practical video. Besides the user list (not always in your face) I always use the input filter for security access. Every firewall input chain should migrate too:
    add chain=input action=accept in-interface-list=trusted dst-port=winboxport src-address-list=authorized
    [ where one has added a trusted interface list and have a firewall address list - an admin approved/authorized list of devices (the admin pC, laptop, ipad, smartphone from wireguard etc..) ]
    Note for mac address --> ensure TOOLS mac server mac winbox interface list = "trusted"
    In terms of the input chain, ensure other router services are available to LAN users (in-interface-list=LAN) as applicable dst-ports= (DNS, NTP etc...)
    Then Drop all else.
    (note - ensure change winbox port from default)
    (note - did you ever explain the open cisco port, i missed it if you did)

  • @muhammadimranbashir5212
    @muhammadimranbashir5212 2 роки тому

    The video you made is very good to understand for knowledge

  • @ali2672011
    @ali2672011 2 роки тому

    Thank you very much, good luck

  • @md.mijanurrahman8344
    @md.mijanurrahman8344 2 роки тому

    Mr. Maher
    I was commented on your vrrp configuration video. Be patient,
    Mr. Maher plz explain ...
    if R1 or R2 router uplink down what happens ???
    how redundant this issue ?

    • @MAICT
      @MAICT  2 роки тому

      For this you need a script. I explained it and did a LAB about it on this course: mynetworktraining.com/p/vrrp-on-mikrotik-with-load-balancing-failover

  • @zlotvorx
    @zlotvorx 2 роки тому +1

    Changing standard port to something else won't help you with security. It will only make it harder to yourself.
    Close all but necessary ports, use port knocking, use complex passwords...

  • @Martin-ot7xj
    @Martin-ot7xj 2 роки тому

    Hi there, please make a tutorial video about how to disable or block unnecessary port on Mikrotik firewall for more sequrity, ??!! how do we can have mikrotik with a minimum port on it, and in future if we need a special port we open it manually . thnx

    • @Anavllama
      @Anavllama 2 роки тому +2

      There is no need to block ports. None are open unless you enable them to be open, by the Services Menu which Maher showed how to limit and if you require some ports for VPN, not an issue normally and further any ports you open for dst-nat (port forwarding). The first two are not an issue but the latter one can be problematic, especially because any such ports are visible on scans, they appear CLOSED but VISIBLE! Your best bet is for users to VPN to your router to gain access to services/devices. Barring that, limit access to known public IPs or dyndns names that your users can get for free, and thus dst-nat is limited by source-address list. A key unknown fact is that with source address in the dst-nat rule, ports are NOT visible on scans. Any port forwarding access should only be done encrypted by some means (https ftps) to protect username and password and preferably a layer on top of that by some means of 2F authentication (could be radius server). Even better if the server software can handle successive incorrect logins, and if not I think this is one area where the MT may be able to assist but beyond my scope.

  • @عبدالرحمنصالحناصرباجراد

    سلام عليكم اخي انا عندي 12 خط اشتي ادمج نعو برديج

  • @jeytis72
    @jeytis72 2 роки тому

    What about port 53 for DNS? Thanks

    • @MAICT
      @MAICT  2 роки тому

      if your router needs to connect to the internet and provide DNS to internal users, you need to keep the DNS port open.

  • @adiljahangir
    @adiljahangir 2 роки тому

    Hello Sir, how can we disable dude access to mikrotik?

    • @nokipa
      @nokipa 2 роки тому +1

      You mean the dude accessing the router? Limit access to port 8291

  • @xQsM
    @xQsM 2 роки тому +1

    سلام عليكم
    اخوك من السعوديه ممكن رقمك
    عندي مشكله في سيرفر 1036 و topology

    • @MAICT
      @MAICT  2 роки тому

      info@mynetworktraining.com