I have been testing MikroTik and found them good, but man, they have security holes. To be fair it's mostly the admins' fault for leaving management exposed, but I don't think I ever heard of routers being hacked this often. It makes me think again before using them…
Just like they said in that reddit post, it is important to keep your control plane off the internet, and that is true even if you are not using Mikrotik.
I agree Tom.
What confuses me a little is why MikroTik so many times? Don't other firewall admins also make mistakes and expose management? But we do not hear of all these hacks for other vendors. I think trying to reinvent everything that's already there and open source, like MikroTik does, will add more security holes. Please correct me anywhere I am mistaken.
I find that inexpensive hardware such as MikroTik is more often bought by people starting out and therefore they are the same people making mistakes. The MikroTik product has a lot of power and options and once a good network engineer learns their system, it can be deployed successfully. I have seen a lot of them in the WISP market. Running a rural ISP is not a high margin business so they need very affordable equipment that can be easily managed from the command line.
Thanks Tom for your informative reply, makes sense now.
Are they only vulnerable when the Winbox port is exposed to the public side of the firewall? If so, is that enabled by default?
Yes, Winbox, and now also SSH ports have to be exposed, and no, they are not exposed by default anymore. But as I keep reading, this is not brute-force attacks on your user or password but vulnerabilities in the software. Tom, sorry if I am wrong, but did you not make a video on tunneling to the pfSense admin remotely using SSH? That needs to have SSH ports open, right?
Yes, I have a video on that topic and yes, for that you would need to have SSH exposed.
My point exactly.
Exposing SSH in pfSense did not get you hacked, but if you do that in RouterOS you get hacked, because their implementation of SSH is insecure. It's not that hackers are guessing passwords; they are exploiting vulnerabilities in their implementations. So to quote you, Tom, in your post: "it is important to keep your control plane off the internet, and that is true even if you are not using Mikrotik." And I agree fully, btw. I only manage remotely using VPN, or UNMS with EdgeRouters and Command Center for Untangle.
So did your video make pfSense as insecure as RouterOS, since you exposed the SSH port? Maybe not, as pfSense did not reinvent the wheel and make SSH more insecure.
If you have to expose a port for management on pfsense we recommend you filter what IP address can access the port. For example, locking it down so only our office public IP is allowed.
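The advice in this thread comes down to two checks: keep management ports (SSH, Winbox) off the WAN entirely, and where one must be reachable, allow it only from a narrow source such as the office public IP. The following audit script is an added example, not code from the thread, pfSense or MikroTik; it assumes a simplified rule model (interface, protocol, source CIDR, destination port, action), uses 8291 as the Winbox port from general knowledge, and uses the documentation address 203.0.113.10 as a constructed "office IP".

```python
"""Audit a firewall ruleset for management ports exposed on the WAN.

A rule is flagged when it passes traffic on the WAN interface to a management
port from any source that is not fully contained in a trusted allowlist.
"""
import ipaddress
from dataclasses import dataclass

# Ports the thread discusses (SSH, Winbox) plus the usual web admin ports.
# 8291 for Winbox is an assumption from general knowledge, not from the thread.
MANAGEMENT_PORTS = {22: "ssh", 8291: "winbox", 80: "http-admin", 443: "https-admin"}


@dataclass(frozen=True)
class Rule:
    interface: str  # "wan" or "lan" (simplified model)
    proto: str      # "tcp" or "udp"
    source: str     # source CIDR, e.g. "0.0.0.0/0"
    dport: int      # destination port
    action: str     # "pass" or "block"


def exposed_management_rules(rules, trusted_sources):
    """Return [(service, source_cidr)] for WAN pass rules on management ports
    whose source is not a subnet of one of the trusted allowlist networks."""
    trusted = [ipaddress.ip_network(s) for s in trusted_sources]
    findings = []
    for r in rules:
        if r.action != "pass" or r.interface != "wan":
            continue
        if r.dport not in MANAGEMENT_PORTS:
            continue
        src = ipaddress.ip_network(r.source)
        # A source broader than the allowlist (e.g. a /24 around a /32 office IP)
        # is still exposure, so require the rule source to sit inside the allowlist.
        allowed = any(
            t.version == src.version and src.subnet_of(t) for t in trusted
        )
        if not allowed:
            findings.append((MANAGEMENT_PORTS[r.dport], r.source))
    return findings


# Constructed sample rulesets: a weak one and its hardened counterpart.
OFFICE_ALLOWLIST = ["203.0.113.10/32"]  # constructed office public IP (TEST-NET-3)

WEAK_RULES = [
    Rule("wan", "tcp", "0.0.0.0/0", 22, "pass"),            # SSH open to the world
    Rule("wan", "tcp", "0.0.0.0/0", 8291, "pass"),          # Winbox open to the world
    Rule("wan", "udp", "0.0.0.0/0", 1194, "pass"),          # VPN listener: not a management port
    Rule("lan", "tcp", "192.168.1.0/24", 22, "pass"),       # LAN-side management: not on WAN
]

HARDENED_RULES = [
    Rule("wan", "tcp", "203.0.113.10/32", 22, "pass"),      # SSH only from the office IP
    Rule("wan", "udp", "0.0.0.0/0", 1194, "pass"),          # manage over the VPN instead
    Rule("lan", "tcp", "192.168.1.0/24", 22, "pass"),
]


def report(rules, trusted_sources):
    """Human-readable summary for a CLI run."""
    findings = exposed_management_rules(rules, trusted_sources)
    if not findings:
        return "OK: no management ports exposed on WAN outside the allowlist"
    return "\n".join(f"EXPOSED: {svc} reachable from {src}" for svc, src in findings)


if __name__ == "__main__":
    print("weak ruleset:\n" + report(WEAK_RULES, OFFICE_ALLOWLIST))
    print("hardened ruleset:\n" + report(HARDENED_RULES, OFFICE_ALLOWLIST))
```

The check deliberately treats a rule whose source is wider than the allowlist (a /24 around the office /32, for instance) as exposure, since "roughly the office network" is not the same as "the office IP"; the VPN listener on 1194 is not flagged because the point of the VPN is to move management off the public interface entirely.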
Thanks for your reply Tom.
To be really clear on this, I am in no way, shape or form questioning your security or how you do things; I know you are one of the most security conscious guys out there. All I am debating is whether RouterOS is really more vulnerable than other known vendors like UBNT, pfSense and so on. Aside from that, their hardware is cheap and they have some fast hardware like the CCR1009, but really there are too many steps to do one simple thing; something as simple as dual WAN is a real pain compared to how we do it in pfSense or EdgeRouters. So aside from the hardware I really did not see any benefits.