Shulou(Shulou.com)06/01 Report--

The purpose of this chapter is to protect the router. To prevent malicious login, we need to secure the router. So what needs to be reinforced in Router OS?

It is divided into four directions:

1. Change your login account and password.

two。 Modify your login port.

3. Shut down unwanted ports.

4. Limit the login method and login IP.

1. Change your login account and password

a. Create a new account

The default login account for ROS is admin, so there are many scripts on the network that are based on admin for brute force cracking. So, our first thing is to modify our account.

Click System > Users:

Click the + sign, add a new account, enter your favorite account name and password, and then click OK. (ROS can no longer directly modify the default admin, only add it, and then delete or disable admin. In this case, I will delete admin directly)

b. Delete admin account

Click admin, then click the-sign to delete admin

Final result:

At this point, close winbox and log in with your new account and password.

two。 Modify login port

There are many ports we can log in, which also cause security problems in certain ways. Click IP > Services to see the ports that can be used to log in:

In this example, we modify the ports of winbox and SSH.

Click a name and double-click to modify the port.

The effect is as follows:

3. Disable unnecessary ports

In the picture above, we can disable these categories such as API and API-SSL,FTP,Telnet,WWW if we don't use them.

Click, and then click the red X in the upper left corner, which will turn gray.

The effect is as follows:

Attached:

API: log in to the service using the API interface.

API-SSL: log in to the service using the API interface that requires SSL encryption.

FTP:FTP service for uploading files to ROS or downloading files from ROS.

SSH: use SSH login configuration or SCP to transfer files.

Telnet: use telnet for login configuration.

Winbox:winbox login service.

Www: login configuration using the web version.

Www-ssl: webpage login configuration based on ssl encryption.

4. Restrict login method and login IP

Login restrictions are divided into service restrictions and account restrictions.

a. Service restriction

As we said above, we can use Available From to limit the login ip scope of the service. This can effectively block the login of illegal addresses. The restricted address can be a single IP or a network segment.

The result of configuration completion is as follows:

b. Restrict account login to IP

To restrict your account to log in to IP, go to IP > Users, double-click the account you want to restrict, and then enter your IP or network segment in Available From, just like the service limit.

Click System > Users

Finally, because we have modified the port of the Winbox service, the next time we log in with winbox, we should use the IP: Port form.

If you log in using the MAC address, you do not need to enter a port.

Remember to take good care of ports, accounts and passwords.

PS: if you are using an original router, then the factory default settings have been restricted in the firewall that we can only log in through the private network, but not on the public network. However, it is recommended to modify the router according to the above operation to ensure the security of routing to the maximum extent.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.