MikroTik Security
Rofiq Fauzi
Apr 16, 2017

Transcript
Page 1: MikroTik Security

MikroTik Network Security By: Rofiq Fauzi

Jakarta, April 28, 2016

ID-NETWORKERS | WWW.IDN.ID

Page 2: MikroTik Security

ROFIQ FAUZI

CONSULTANT

CERTIFIED TRAINER

http://www.mikrotik.com/consultants/asia/indonesia

- 2005, Network Engineer at WISP.
- 2007, Network & Wireless Engineer at INDOSAT Central Java Area
- 2008, IT Network & Telco Procurement at INDOSAT HQ
- 2012-Now, MikroTik Consultant & Certified Trainer at ID-Networkers (PT Integrasi Data Nusantara).
- 2013-Now, Network Manager at WISP Indomedianet, Indonesia
- 2013-Now, Network Consulting Engineer at Connexin Limited, Hull, UK

http://www.mikrotik.com/training/partners/asia/indonesia

Page 3: MikroTik Security

ID NETWORKERS

In the Most Prestigious Networking Certifications

EXPERT LEVEL TRAINERS & CONSULTANTS

OVERVIEW

We are young entrepreneurs, and the only training partner and consultancy with expert-level trainers in the most prestigious networking certifications (CCIE Guru, JNCIE Guru and MTCINE Guru), a combination that is very rare in Indonesia and even in Asia. Hundreds of our students pass their certification exams every year; we are the biggest certification factory in Indonesia.

WEBSITE www.idn.id | www.trainingmikrotik.com

Page 4: MikroTik Security

SECURITY?

SECURITY GUARD
Source image: http://akarpadinews.com/

Page 5: MikroTik Security

INTERNET SECURITY THREATS

Network Threats
- Information gathering
- Sniffing and eavesdropping
- Spoofing
- Session hijacking and man-in-the-middle attacks
- SQL injection
- ARP poisoning
- Password-based attacks
- Denial of service attack
- Compromised-key attack

Host Threats
- Malware attacks
- Target footprinting
- Password attacks
- Denial of service attacks
- Arbitrary code execution
- Unauthorized access
- Privilege escalation
- Back door attacks
- Physical security threats

Application Threats
- Data/input validation
- Authentication and authorization attacks
- Configuration management
- Information disclosure
- Session management issues
- Cryptography attacks
- Parameter manipulation
- Improper error handling and exception management

Page 6: MikroTik Security

INTERNET CRIME

Cybercrime Gang Tied to 20 Million Stolen Cards

Page 7: MikroTik Security

INTERNET CRIME REPORT

(Chart: Internet crime complaints received by IC3 per year, 2010-2014)

Overall statistics

- Victims are encouraged by law enforcement to file a complaint online at www.ic3.gov
- Total complaints received in 2014: 269,422
- Complaints reporting a loss: 123,684
- Total losses reported: $800,492,073 ($800M loss)

The following is the crime report data from IC3; the Internet Crime Complaint Center (IC3) is a partnership among the Federal Bureau of Investigation (FBI)

Page 8: MikroTik Security

HACKING EFFECTS IN BUSINESS


Page 9: MikroTik Security

HACKING EFFECTS IN BUSINESS

Every business must provide strong security for its customers. Attackers use hacking techniques to steal, pilfer and redistribute the intellectual property of businesses, and in turn to make financial gain.

Reputation: theft of customers' personal information may damage the business's reputation and invite lawsuits.

Business loss: hacking can be used to steal, pilfer and redistribute intellectual property, leading to business loss.

Revenue loss: botnets can be used to launch various types of DoS and other web-based attacks, which may lead to business downtime and significant loss of revenue.

Compromised information: attackers may steal corporate secrets and sell them to competitors, compromise critical financial information, and leak information to rivals.

According to the Symantec 2012 State of Information survey, information costs businesses worldwide $1.1 trillion annually.

Page 10: MikroTik Security

KNOW THE ATTACK

If you know both yourself and your enemies, you will not lose in a hundred battles.

If you know neither yourself nor your enemies, you will lose every single battle. (The Art of War - Sun Tzu)

Page 11: MikroTik Security

WHO IS A HACKER?

A hacker is a person who illegally breaks into a system or network without authorization to destroy, steal sensitive data, or perform malicious attacks.

Multitude of reasons
- Intelligent individuals with excellent computer skills
- Hacking is a hobby: to see how many computers or networks they can compromise
- Their intention can be either to gain knowledge or to poke around doing illegal things
- Some hack with malicious intent, such as stealing business data, credit card information, social security numbers, email passwords, etc.

Page 12: MikroTik Security

HACKING PHASE

1. Reconnaissance
2. Scanning
3. Gaining Access
4. Maintaining Access
5. Clearing Tracks

Page 13: MikroTik Security

GATHER INFORMATION

The attacker gathers as much information as possible about the target before launching the attack.

SOCIAL ENGINEERING ATTACK
Because there is no patch for human stupidity.

Page 14: MikroTik Security

GOOGLE SCAM

How to bypass Google's two-factor authentication using fake SMS messages.

Page 15: MikroTik Security

PORT SCANNING

Port scanners detect listening ports to learn what services are running on the target machine.

Page 16: MikroTik Security

PORTS

- A port identifies a specific application or process on a host that is running a service.
- A host has 65,536 port numbers (0 to 65535), classified as follows:
  1. 0 to 1023: well-known ports
  2. 1024 to 49151: registered ports
  3. 49152 to 65535: dynamic, private or ephemeral ports (unregistered)

The primary defense is to shut down services that are not required. Appropriate filtering may also be adopted as a defense mechanism. However, attackers can still use tools to determine the rules implemented for filtering.

Page 17: MikroTik Security

SERVICE PORT

(Figure: service ports 2121, 2222, 5353, 8080)
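The two slides above (shut down unneeded services, filter the rest, move the survivors off their default ports) applied to a RouterOS box. This is an added example, not configuration from the deck; the management subnet 192.168.88.0/24, the user name ops and the SSH port 2222 are assumptions.

```routeros
# Added example: harden the services the router itself exposes (not from the slides).
# Assumed: 192.168.88.0/24 is the management LAN, SSH moves to 2222 as on slide 17.
/ip service
# Clear-text and unneeded management services: off.
disable telnet
disable ftp
disable www
disable api
disable api-ssl
disable www-ssl
# What stays listens only to the management LAN. A moved port does not hide the
# service from a full nmap scan (the banner still identifies it); it only sheds the
# bots that try default ports.
set ssh port=2222 address=192.168.88.0/24
set winbox address=192.168.88.0/24
# Check the result: everything except ssh and winbox should show as disabled.
print
# Modern ciphers only for SSH.
/ip ssh set strong-crypto=yes
# Admin accounts are also restricted to the management LAN; the default "admin"
# is disabled once a replacement full-rights account exists.
/user add name=ops group=full address=192.168.88.0/24 password=CHANGE-ME
/user set admin disabled=yes
```

Rerun nmap against the router after this (as in the demo later in the deck): only 2222 and 8291 should answer, and only from the management subnet.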

Page 18: MikroTik Security

GAINING ACCESS

OPERATING SYSTEM: attackers search for OS vulnerabilities and exploit them to gain access to a network system.

APPLICATION LEVEL: software applications come with a large number of functionalities and features.

MISCONFIGURATION: most administrators don't have the necessary skills to maintain or fix issues, which may lead to configuration errors.

SHRINK WRAP CODE: some scripts have various vulnerabilities, which can lead to shrink-wrap code attacks.

Page 19: MikroTik Security

INTRUSION DETECTION SYSTEM

- Intrusion: activity that can be detected as anomalous, incorrect or inappropriate, occurring on the network or host, usually done by a hacker.
- IDS (Intrusion Detection System): a system that can detect intrusions; it is like an alarm system.

Page 20: MikroTik Security

BACKGROUND

- An admin cannot always monitor the servers directly or always log in to check the servers for intruders.
- We need a firewall not just to block intruders, but also to log them and report them to the admin immediately.
- In a wide network with many MikroTik routers, we don't know which one is under attack.
- We can report the intruders to the owner of their IP range as abuse.

Page 21: MikroTik Security

HOW IDS WORK

- Passive system
  - a sensor detects a potential security breach
  - logs the information
  - alerts on the console
- Reactive system: like a passive system, plus:
  - auto-responds to intruders (resets the connection or drops the traffic)
  - sends the report to the admin

Page 22: MikroTik Security

ATTACK PROCESS

Page 23: MikroTik Security

DROP BY FIREWALL

Page 24: MikroTik Security

DROP BY FIREWALL

Page 25: MikroTik Security

IDS WORK FLOW IN MIKROTIK

Page 26: MikroTik Security

MALICIOUS CONNECTION

Kinds of malicious connection
- From outside: port scanning, brute force, DDoS attacks
- From inside: viruses, spam, illegal tunneling (Ultrasurf), anonymous proxies, Internet Download Manager, filtered URLs

Page 27: MikroTik Security

DEMO SECTION


Page 28: MikroTik Security

TOOLS

We will simulate with the following tools:
- MikroTik (I am using an RB751) as the IDS machine
- Attacker (my laptop): it will attack the MikroTik with different methods
- Email accounts (Gmail): one account for SMTP relay and some addresses as administrator mail

Page 29: MikroTik Security

MIKROTIK CONFIGURATION

Router identity
In the menu /system identity, set the router name, e.g. the customer identity.

Why must we set the router identity?
- If we have many routers, it tells us which one is being attacked.
- The router identity is used as the subject of the report e-mail.

Page 30: MikroTik Security

MIKROTIK CONFIGURATION

Configure MikroTik to send e-mail
Create a mail account for the SMTP relay; in this lab we use Gmail. In /tool e-mail, set the SMTP server and your Gmail username and password:

/tool e-mail set address=74.125.141.108 user=yourgmailuser password=yourpassword port=587

The address shown was one Gmail SMTP IP at the time of the talk; Gmail's addresses change over time, so check the current address of smtp.gmail.com before copying it. Then send a test e-mail to make sure it works.

Page 31: MikroTik Security

MIKROTIK FIREWALL

- To protect the router from unauthorized access, whether originating from the WAN (Internet) or from the LAN (local).
- To protect the network behind the router.
- In MikroTik, the firewall has many features, all of which are in the IP > Firewall menu.
- The basic firewall in MikroTik is configured at IP > Firewall > Filter Rules.

Page 32: MikroTik Security

MIKROTIK FIREWALL

- Firewall filter rules are organized in chains and read sequentially.
- Each chain is read by the router from top to bottom.
- In Firewall Filter Rules there are 3 default chains:
  - input: processes packets sent to the router
  - output: processes packets sent by the router
  - forward: processes packets sent through the router
- In addition to the 3 default chains, we can create our own chains as needed.
- Every user-defined chain must be reached (via a jump) from at least one of the default chains.

Page 33: MikroTik Security

MIKROTIK FIREWALL

Rules can be placed in three default chains:
- input (to the router), e.g. Winbox
- output (from the router), e.g. ping from the router
- forward (through the router), e.g. WWW, e-mail

Page 34: MikroTik Security

MIKROTIK FIREWALL

- A rule is IF ... THEN ...
- IF the packet matches our defined criteria,
- THEN what do we do with that packet?
- In IP Firewall the IF conditions are defined in the General, Advanced and Extra tabs, and the THEN part is defined in the Action tab.

Page 35: MikroTik Security

MIKROTIK FIREWALL

IP>Firewall>Filter Rules>General

Page 36: MikroTik Security

MIKROTIK FIREWALL

IP>Firewall>Filter Rules>Extra

Page 37: MikroTik Security

MIKROTIK FIREWALL

IP>Firewall>Filter Rules>Action

- accept: accept the packet. The packet is not passed to the next firewall rule.
- add-dst-to-address-list: add the destination address to the address list specified by the address-list parameter
- add-src-to-address-list: add the source address to the address list specified by the address-list parameter
- drop: silently drop the packet
- jump: jump to the user-defined chain specified by the jump-target parameter
- log: add a message to the system log containing the following data: in-interface, out-interface, src-mac, protocol, src-ip:port->dst-ip:port and length of the packet. After the packet is matched it is passed to the next rule in the list, similar to passthrough
- passthrough: ignore this rule and go to the next one (useful for statistics)
- reject: drop the packet and send an ICMP reject message
- return: pass control back to the chain from where the jump took place
- tarpit: capture and hold TCP connections (reply with SYN/ACK to the inbound TCP SYN packet)
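The chain, IF/THEN and action slides above in one working rule set: a user-defined chain that protects the router's management ports against the password guessing the demo section later calls brute force. It uses jump, return, add-src-to-address-list, log and tarpit from the action list. This is an added example, not the deck's configuration; SSH on 2222, Winbox on 8291, the management subnet 192.168.88.0/24 and the list names are assumptions.

```routeros
# Added example (not from the slides): staged brute-force protection for the
# management ports, built as a user-defined chain reached from input.
# Assumed: SSH on 2222, Winbox on 8291, trusted admins in 192.168.88.0/24.
/ip firewall filter
# Admins on the management LAN are never counted.
add chain=input src-address=192.168.88.0/24 protocol=tcp dst-port=2222,8291 action=accept comment="mgmt from LAN"
# Everything else aimed at the management ports goes to the mgmt chain (IF: tcp to 2222/8291, THEN: jump).
add chain=input protocol=tcp dst-port=2222,8291 action=jump jump-target=mgmt comment="mgmt from elsewhere"
# Every further attempt from a blacklisted source is logged (log is non-terminating)...
add chain=mgmt connection-state=new src-address-list=mgmt_blacklist action=log log-prefix="mgmt-blacklist"
# ...and then tarpitted: the router answers SYN/ACK and holds the connection, so the bot burns time.
add chain=mgmt src-address-list=mgmt_blacklist action=tarpit comment="hold known brute forcers"
# Counting stage. A 3rd new connection from one source inside a minute lands it in the blacklist for a day.
# Rules are read top to bottom, so the later stages must come first.
add chain=mgmt connection-state=new src-address-list=mgmt_stage2 action=add-src-to-address-list address-list=mgmt_blacklist address-list-timeout=1d
add chain=mgmt connection-state=new src-address-list=mgmt_stage1 action=add-src-to-address-list address-list=mgmt_stage2 address-list-timeout=1m
add chain=mgmt connection-state=new action=add-src-to-address-list address-list=mgmt_stage1 address-list-timeout=1m
# Nothing decided here: hand the packet back to input, where the normal accept/drop rules apply.
add chain=mgmt action=return
# Watch the lists fill up while running a guessing tool against 2222 from outside the LAN:
/ip firewall address-list print where list~"mgmt_"
```

Three new connections a minute is a tight budget; a human admin who mistypes a password twice is not affected because a failed login does not open a new TCP connection, but a client that reconnects on every attempt will be. Raise the stage timeouts or add a stage if that turns out too aggressive.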

Page 38: MikroTik Security

IP Firewall Filter Rule (Extra) - PSD

PSD (Port Scan Detection)
Detects and filters TCP port scans.
low ports: 0 - 1023
high ports: 1024 - 65535

Page 39: MikroTik Security

MIKROTIK CONFIGURATION

Configure the IP firewall to detect port scans:

/ip firewall filter
add action=add-src-to-address-list address-list=port_scaners address-list-timeout=5m10s chain=input comment="QUICK SCANNING" psd=21,3s,3,1
add chain=input protocol=icmp reject-with=icmp-host-unreachable src-address-list=port_scaners action=reject

psd=21,3s,3,1 means: weight threshold 21, delay threshold 3 s, low-port weight 3, high-port weight 1. Note that the second rule only rejects ICMP from listed addresses; to block all traffic from detected scanners, drop on src-address-list=port_scaners without a protocol match.

Page 40: MikroTik Security

MIKROTIK CONFIGURATION

Configure MikroTik to run the script
Scripts can be written directly in the console or stored in the script repository.
- Example of a script run directly in the console:
  [admin@MikroTik] > :put (45+23+1)
- Scripts in the repository (/system script) can be run by another script, by the scheduler or by netwatch.

Page 41: MikroTik Security

MIKROTIK CONFIGURATION

Configure in the script repository (/system script):

:foreach a in=[/ip firewall address-list find list=port_scaners] do={
  :local ip [/ip firewall address-list get $a address];
  :log warning ("Scan Attack from: " . $ip);
  :local sysname [/system identity get name];
  :local date [/system clock get date];
  :local time [/system clock get time];
  /tool e-mail send from="Router $sysname <[email protected]>" to="[email protected]" start-tls=yes server=74.125.127.108 port=587 user=mikrotik.ids password=t3ddyb3ar subject="Scan Attack!" body="Dear Admin,\n\nWe have noted that on $date at $time there was a scanning attack on $sysname from IP $ip, which has been blocked by the firewall.\nSee http://whois.sc/$ip for details on the attacker's IP.\n\nThanks & Regards\nIDS Machine";
  :log warning "Intruder IP has been blocked and the e-mail report has been sent."
}

Step by step: find the matching address-list entries; get the IP address; log it on the machine; get the router identity, date and time; send the report. The SMTP password sits in clear text in the script, so anyone with read access to /system script can recover it; use a dedicated relay account with no other privileges.

Page 42: MikroTik Security

MIKROTIK CONFIGURATION

Configure in the script repository (/system script)

Download the script from www.trainingmikrotik.com/ids

Page 43: MikroTik Security

MIKROTIK CONFIGURATION

Configure in System Scheduler
In /system scheduler, add a schedule so the script runs at a fixed interval.

The interval is set to 5m because the address-list timeout is 5m10s: a timeout slightly longer than the interval ensures every listed IP is still present for at least one scheduler run. An IP added in the last 10 s before a run can still be seen by two consecutive runs and reported twice, unless the script remembers which addresses it has already reported.

Page 44: MikroTik Security

MIKROTIK CONFIGURATION

In /system logging, add a logging rule for the e-mail topic; this makes it easy to see the log when troubleshooting mail sending.
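The procedure of slides 29 to 44 (identity, e-mail, PSD firewall rule, report script, scheduler, logging) as one configuration that can be pasted into a terminal. This is an added example, not the deck's own script: it drops all traffic from detected scanners rather than only rejecting ICMP, and it keeps a second address list so each IP is mailed exactly once regardless of how the 5m10s timeout overlaps the 5m schedule. Assumed: RouterOS v7 syntax for /tool e-mail (server= and tls=starttls; older v6 used address= with an IP and start-tls=yes), the identity branch-office-1, the addresses ids@example.com and admin@example.com, and the list names port_scanners and scan_reported.

```routeros
# Added example (not the slide deck's configuration): the complete detect-and-report chain.
# Identity goes into the mail subject so you know which router is under attack.
/system identity set name=branch-office-1

# Outbound mail. A hostname survives Gmail IP changes; the slides pin one IP.
# Assumed v7 property names (v6: address=<ip> and start-tls=yes on send).
/tool e-mail set server=smtp.gmail.com port=587 tls=starttls from=ids@example.com user=ids@example.com password=CHANGE-ME
# Prove the relay works before relying on it.
/tool e-mail send to=admin@example.com subject="IDS relay test" body="mail relay works"

# Firewall: first drop everything from hosts already caught, then detect new scanners.
# psd=WeightThreshold,DelayThreshold,LowPortWeight,HighPortWeight (same values as slide 39).
/ip firewall filter
add chain=input src-address-list=port_scanners action=drop comment="IDS: drop detected scanners"
add chain=input protocol=tcp psd=21,3s,3,1 action=add-src-to-address-list address-list=port_scanners address-list-timeout=5m10s comment="IDS: detect TCP port scan"

# Report script. Each IP is mailed once: after the report it is copied to scan_reported
# (1 day) and skipped while it is still there.
/system script add name=ids-report source={
  :local sysname [/system identity get name]
  :local date [/system clock get date]
  :local time [/system clock get time]
  :foreach a in=[/ip firewall address-list find list=port_scanners] do={
    :local ip [/ip firewall address-list get $a address]
    :if ([:len [/ip firewall address-list find list=scan_reported address=$ip]] = 0) do={
      :log warning ("IDS: port scan from " . $ip . ", sending report")
      /tool e-mail send to="admin@example.com" subject="Port scan on $sysname from $ip" body="On $date at $time router $sysname detected a TCP port scan from $ip.\nAll traffic from that address is dropped by the input chain for 5m10s.\nSee http://whois.sc/$ip for the owner of the address."
      /ip firewall address-list add list=scan_reported address=$ip timeout=1d
    }
  }
}

# Run every 5 minutes: the 5m10s list timeout guarantees every entry is seen by at least
# one run, and scan_reported removes the duplicate the 10 s overlap could produce.
/system scheduler add name=ids-report interval=5m start-time=startup on-event=ids-report

# Keep e-mail topic logs in memory so a failed SMTP session shows up in /log print.
/system logging add topics=e-mail action=memory
```

After pasting, run nmap from outside the LAN as in the demo, then check /ip firewall address-list print and /log print where topics~"e-mail" if no mail arrives. The SMTP password still lives in /tool e-mail in clear text; keep the relay account limited to sending.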

Page 45: MikroTik Security

ATACKER DEMO

- Today most attackers who attack continuously are machines or bots.
- In this demonstration we will use software for testing/simulation.
- For the demo we will use Nmap for scanning, and brute force, which means systematically checking every possible code, combination or password until the correct one is found.

Page 46: MikroTik Security

ATACKER DEMO

Download Nmap from https://nmap.org/ and run it against the router:

Page 47: MikroTik Security

ATACKER DEMO

Check your email inbox:

Page 48: MikroTik Security

CONCLUSIONS

- We can turn our MikroTik box into a smart machine that informs us when it is attacked by intruders.
- We can extend this method to any kind of malicious connection.

Page 49: MikroTik Security

"If you cannot endure the weariness of learning, you will suffer the pain of stupidity." (Imam Syafi'i)

THANK YOU FOR YOUR TIME

If you have any other questions or would like me to clarify anything else, please let me know. I am always glad to help in any way I can.

CONTACT
ADDRESS: Jakarta & Semarang
EMAIL: [email protected]
TELEPHONE: +62 [email protected]
WEBSITE: id.linkedin.com/in/ropix/rofiq.fauzi