If you never used my web site https://mikrotikconfig.com to build firewalls and QOS, you have been working too hard! I recently (today) updated the database of IP addresses by Country to generate MikroTik IP Address Lists by country. Check it out!
UPDATE: 12/31/18 With the help of Google, I wrote a bash script to automatically update the lists daily!
Several vulnerabilities and exploits have recently plagued MikroTik users. Specifically, these vulnerabilities affected the RouterOS webfig configuration interface if no firewall was put in place to protect it. Granted, you can be critical of MikroTik, but after all, running without a firewall is a user problem, not a MikroTik problem.
MikroTik fixed the vulnerability in the following RouterOS releases:
6.37.5 in the Bugfix channel
6.38.5 in the Current channel
The vulnerability in question was exploited by several malicious tools and affected users of RouterOS who had not upgraded RouterOS above the mentioned versions, and had opened the www service port (TCP port 80) to untrusted networks.
Many users may have unknowingly had their credentials compromised BEFORE their router was upgraded, but not yet actually hacked. This means many upgraded and thought they were completely safe until a few weeks ago when strange behaviors may have been observed. Specifically what we have seen is IP blacklisting by game sites like Playstation and XBox, slow speeds, inability to manage the router and so on. The telltale sign of this hack is viewing the system log and it is only one line long. If this has happened to you, the best solution is to clean up the config to remove the hack, export the config, check the config closely and then Netinstall the router and import the config. Again, this is the most drastic but the safest approach. Here are the things we have seen done by the hacker you will need to clean up:
The system log has been set to keep only one line; reset it to 1000 lines.
/ip firewall filter: remove the rule the hack added and enable your drop rule if it was disabled.
Delete any scheduled entries you didn’t add. Look for one that starts a script named “port 54321”.
Delete that script as well.
The hack adds a user “system”; delete that.
I saw one router that had a PPP user added. I can’t remember the user name, but check that as well.
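As an added example (not code from the original post), a small Python audit that parses a RouterOS /export and flags the indicators listed above. The export text below is constructed for illustration; the section and field names follow the standard export syntax.

```python
import re
from typing import Dict, List

# Constructed sample of a RouterOS "/export" showing every indicator from the post.
SAMPLE_EXPORT = """\
/system logging action
set [ find name=memory ] memory-lines=1
/ip firewall filter
add action=drop chain=input disabled=yes in-interface=ether1
/system scheduler
add interval=1d name=upd on-event="port 54321" start-time=startup
/system script
add name="port 54321" source=":delay 1"
/user
add group=full name=system
/ppp secret
add name=guest service=pppoe
"""

# key=value pairs; values may be double-quoted (e.g. name="port 54321")
KV = re.compile(r'([\w-]+)=("[^"]*"|\S+)')

def parse_export(text: str) -> List[Dict[str, str]]:
    """Flatten an export into dicts; the menu path is stored under '_path'."""
    entries, path = [], ""
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            path = line                      # section header such as /user
        elif line.split(" ", 1)[0] in ("add", "set"):
            e = {k: v.strip('"') for k, v in KV.findall(line)}
            e["_path"] = path
            entries.append(e)
    return entries

def audit(text: str) -> List[str]:
    """Return one finding per indicator described in the cleanup list."""
    findings = []
    for e in parse_export(text):
        p = e["_path"]
        if p == "/system logging action" and e.get("memory-lines") == "1":
            findings.append("log memory-lines=1: reset to 1000")
        elif p == "/ip firewall filter" and e.get("action") == "drop" and e.get("disabled") == "yes":
            findings.append("disabled drop rule in chain " + e.get("chain", "?"))
        elif p == "/system scheduler" and "54321" in e.get("on-event", ""):
            findings.append("scheduler " + e.get("name", "?") + " runs 'port 54321'")
        elif p == "/system script" and e.get("name") == "port 54321":
            findings.append("script 'port 54321' present")
        elif p == "/user" and e.get("name") == "system":
            findings.append("unexpected user 'system'")
        elif p == "/ppp secret":
            findings.append("review ppp secret " + e.get("name", "?"))
    return findings
```

Run audit() over the output of /export from a suspect router; an empty list means none of the listed indicators were found, not that the router is clean.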
Those are the things we have found in many routers, so get your routers cleaned up, change the passwords, add a real set of firewall rules (http://mikrotikconfig.com is a good place to start) and be safe.
With so many options (NAT, routed, bridged, etc.), it can be overwhelming to create the correct architecture for your first Baicells LTE deployment. To make this easier, I created a Baicells LTE HowTo Knowledge Base article that outlines the best-fit scenario for LTE deployments for WISPs. You can read the article HERE.
As someone who has organized and led technical training for more than ten years, I can say I have been asked this question many times. The commonality is that most people are self-taught, use certain products in the daily conduct of their jobs, and feel that formal training doesn’t have sufficient value to warrant the time off from work or the expense associated with it. I would like to take a few moments today to outline what I believe the benefits of formal training are. This post is timely because we have just such an opportunity coming up in July at ISP Supplies, but more on that later.
No one likes to admit they are weak in any area, yet just like muscles, not using a skill every day leads to weakness. A training program allows you to strengthen the skills that each employee needs to improve, and brings all employees to a higher level so they have similar skills and knowledge. You get sharper, the network runs better and everyone benefits.
Consistency and Performance
Training programs are structured to present the greatest amount of information in the least amount of time. This means you get the opportunity to see all the features of a product or system, rather than just the ones you regularly use. In the process, students almost always learn a new or more efficient way to perform a function. This leads to consistency and repeatability, which increases efficiency. Once again, things just work better.
Employees who are given training opportunities perform at a higher level than those who have to seek out training on their own. This fact speaks for itself.
The value of attending a training event is not just the material; it is the chance to network with other professionals in your area of expertise and thereby create relationships that benefit you today and in the future.
I began the post with the words “just such an opportunity” and now I want to invite you to gain the benefit that only formal training can provide by attending our fun and educational Summertime Cookout With Cambium Networks. There is more information and the opportunity to register HERE. I hope you can make it!
We are excited about the latest product from Baicells, the Nova 436. We received our first shipment late last week and this new LTE Base Station has some really cool features, never before seen from Baicells and not at this price point. The Nova 436 is the first Baicells LTE product to deliver carrier aggregation, even across discontiguous channels. Carrier aggregation is used in LTE-Advanced in order to increase the bandwidth, and thereby increase the bitrate or throughput. This is critical for the upcoming CBRS bands, where “PAL” and “GAA” channels allocated by the SAS may not be contiguous.
Quick Facts: Max peak rate of the aggregated carriers is 224 Mbps DL. Fully featured, these ship with everything you need (except antenna and power cabling) which lets you rack up more savings and simplify ordering and delivery
The Baicells dual carrier base station has some significant advantages over the competition:
One Gig-E copper AND one Gig-E SFP cage. In split sector mode, the Nova dual carrier base station has independent 20 MHz channels; this is twice the capacity of our main competition, which only splits with two 10 MHz carriers. Lower weight and less power draw than others, so it’s less expensive to build battery backup support. Better pricing and still no games. No feature restrictions, so you get what you pay for. And, of course, unlike our competition, our Novas come with GPS, modules, and everything needed, all for one low price.
The new Nova 436 may also be used in “split sector” mode for maximum footprint and capacity in one package. And, unlike competitive products, each carrier can have as much as 20 MHz of independent channel width. In split sector mode, you use two of the base station antenna connectors to serve one sector and the other two to serve a second sector. This is a great way to cover 360 degrees with one base station and without an omni. As your cell density increases, you can add a second base station and do carrier aggregation, increasing your total capacity tremendously. This allows operators to “grow into” LTE.
The Nova 436 is available now at ISP Supplies. We are a full service Baicells distributor, ready to serve your LTE needs.
NOTE: Although I was able to make this work, it does not work on all of Verizon’s US network outside large metro areas because the LTE card will not run Band 13. They are also not certified on Verizon, so use them at your own risk. Check with your cellular provider before using them on that carrier’s network. Email firstname.lastname@example.org and complain to them about this limitation.
I grabbed one of these RBwAPR-2nD&R11e-LTE-US off the shelf today at ISP Supplies and wanted to see how hard it would be to make it work with Verizon Wireless. I had an active SIM card from an old Verizon Jetpack to use with it. I inserted the SIM card, fired it up and attached to the onboard 2 GHz WiFi. As suspected, it did not work out of the box. I did a little Googling and figured out Verizon uses an APN, which is basically the way LTE carriers differentiate themselves from other carriers on the same technology. I created the APN profile, applied it to the LTE interface, disabled the DHCP client and I had internet. This is simple and here are the steps:
Start with the default configuration, no changes. Upgrade to the latest version of RouterOS. This is covered a million other places. Reboot.
Click Interfaces-LTE-LTE APNs and delete the APNs there. Make a new one named whatever you like. Fill in the APN value with “vzwinternet”.
Ok out of everything. Double-click the LTE interface and select the APN profile you just created.
Count to ten and your device will connect to Verizon. Modify as you wish.
The DHCP client is not needed (it will show red, so delete or disable it so it doesn’t bother you) as the LTE interface will get its IP from the authentication process.
It has come to our attention that a rogue botnet is currently scanning random public IP addresses to find open Winbox (8291) and WWW (80) ports, to exploit a vulnerability in the RouterOS www server that was patched more than a year ago (in RouterOS v6.38.5, March 2017).
Since all RouterOS devices offer free upgrades with just two clicks, we urge you to upgrade your devices with the “Check for updates” button, if you haven’t done so within the last year.
Chances are you have recently heard about Slingshot. A ZDNet article explains “Researchers at Kaspersky Lab have discovered espionage malware that appears to have been developed by a government to spy on targets across Africa and the Middle East for the past six years. The researchers haven’t named Slingshot’s country of origin, but note the presence of debug messages written in perfect English, while various component names such as Gollum and Smeagol suggest the authors are fans of The Hobbit. Slingshot reached targets using a compromised software update for routers made by Latvian firm MikroTik.”
So, do you need to be concerned? This email from Normunds at MikroTik explains the slingshot malware attack and why you should or should not worry about it.
All RouterOS versions are safe if you use Winbox 3. Only the old Winbox v2 downloads DLL files from the router. Winbox v3 has been available since the year 2014.
Kaspersky said they have found a malicious DLL file that was loaded to the end users Windows computer with Winbox from a MikroTik router. They said this is a targeted attack on specific organizations and this tool is not spreading itself.
1. Winbox no longer downloads any DLL files from the device, if you are using Winbox v3. Make sure to upgrade RouterOS and Winbox loader. It has been out for ~4 years.
2. As to how this DLL file got its way inside a MikroTik router in the first place, is unclear. Most likely this is related to a previously discovered vulnerability in the www service, which was patched in March 2017. Please note that devices affected were only those which did not have a firewall configured.
After the mentioned fixes, we have repeatedly increased RouterOS file system security and made additional internal mechanisms to prevent anything like this in the future. Please keep your devices up to date and configure a firewall (if you disabled the default one) to prevent any unauthorized IPs from accessing your router.
Best regards, Normunds R.
So, the bottom line is to use Winbox version 3, do a one-time upgrade to the current version of RouterOS and worry about something else, like “What’s for lunch?”.