mikrotik

Overview

Configure

Install on nanoPi

virt-install -n chr \
--autostart \
--noautoconsole \
--network=bridge:br0 \
--network=bridge:br1 \
--ram 512 --arch=x86_64 \
--vcpus=4 \
--disk path=/kvm/mikrotik.qcow2 \
--graphics vnc,listen=0.0.0.0,password=vncvncvnc \
--os-type linux --os-variant=debian2.0 --boot hd

Print information

# packages
/system package print
/system routerboard print
/system default-configuration print

/ip dhcp-client print detail
/ip ssh print
/system clock print
/system ntp client print
/disk print

/system default-configuration print

/interface print stats where running
/interface print stats follow where running
/interface ethernet print
/interface ethernet poe print detail

/ip arp print
/ip arp print detail file=arp_inventory.txt

Packages

Update package

/system package update download
/system reboot

/system routerboard print
/system routerboard upgrade

enable/disable packages

/system package disable ipv6
/system package print

Interfaces

/interface print
/interface print stats where running
/interface print stats follow where running
/interface ethernet print
/interface ethernet poe print detail


/interface ethernet poe power-cycle ether5 duration=10s
/interface print where running
/interface print where !running
/interface ethernet monitor ether1
/interface ethernet cable-test ether5

dhcp client

/ip dhcp-client add disabled=no interface=ether1
/ip dhcp-client print

Static IP and default route

/ip address add address=1.2.3.100/24 interface=ether1
/ip route add gateway=1.2.3.1
/ip dns set servers=8.8.8.8

/ip address print

Routing

# disable source routing
/ip settings set accept-source-route=no

Static routes

/ip route add dst-address=192.168.10.0/24 gateway=10.1.20.1
/ip route print where static
# default address
/ip route add dst-address=0.0.0.0/0 gateway=17.25.36.1

/ip route nexthop print

OSPF

/routing ospf
network add area=backbone network=172.16.1.0/30 comment=Tunnel
network add area=backbone network=192.168.1.0/24 comment=LAN

Add user and change Password

/user set 0 password="!={Ba3N!40TуX+GvKBzjTLIUcx/,"
# можно по-другому
/password

/user add name=myname password=mypassword group=full
/user remove admin

Directory and file

/file print

Reset

/system reset-configuration no-defaults=yes skip-backup=yes

SSH

MikroTik Tutorial: RouterOS SSH Public Key Auth using RSA keys

/ip ssh set strong-crypto=yes
/ip ssh print

/ip ssh regenerate-host-key

# auth with ssh-key
user ssh-keys import user=admin public-key-file=ssh-pubkey.txt
/user ssh-keys print

Users

/user set admin name=tikadmin
/user set admin password=abc123!
/user add name=tyler group=full comment="Tyler Hart" password=abc123!

/user disable tyler
/user active print
/user remove tyler

# auth with keys
scp .ssh/id_rsa.pub [email protected]:mykey.pub
/user ssh-keys import public-key-file=mykey.pub user=admin

New Heading

Firewall

Honeypot

Итак, что такое honeypot в двух словах — это приманка, в нашем случае какой-либо популярный порт на внешнем IP, любой запрос на этот порт от внешнего клиента отправляет src адрес в черный список

/ip firewall filter
add action=add-src-to-address-list address-list="Honeypot Hacker" \
address-list-timeout=30d0h0m chain=input comment="block honeypot ssh rdp winbox" \
connection-state=new dst-port=22,3389,8291 in-interface=\
ether2 protocol=tcp log=yes

add action=add-src-to-address-list address-list="Honeypot Hacker" \
address-list-timeout=30d0h0m chain=input comment=\
"block honeypot asterisk" connection-state=new dst-port=5060 \
in-interface=ether2 protocol=udp log=yes

/ip firewall raw
add action=drop chain=prerouting in-interface=ether2 src-address-list=\
"Honeypot Hacker"

Первое правило на популярных TCP портах 22, 3389, 8291 внешнего интерфейса ether4-wan отправляет IP «гостя» в список «Honeypot Hacker» (порты для ssh, rdp и winbox заблаговременно отключены или изменены на другие). Второе делает то-же самое на популярном UDP 5060.

Третье правило на стадии прероутинга дропает пакеты «гостей» чей srs-address попал в «Honeypot Hacker».

PreviousRouters NextPython