W1
Rule Title
The network element must not have any default manufacturer passwords.
W2
W7
W8
Vulnerability Discussion
Network elements not protected with strong password schemes provide the opportunity for anyone to crack the password, thus gaining access to the device and causing network outage or denial of service. Many default vendor passwords are well known; hence, not removing them prior to deploying

Call home services or features will routinely send data such as configuration and diagnostic information to the vendor for routine or emergency analysis and troubleshooting. The risk that transmission of sensitive data sent to unauthorized
The OOBM access switch will connect to the management interface of the managed network elements. The management interface of the managed network element will be directly connected to the OOBM network. An OOBM interface does not forward transit traffic, thereby providing complete separation of production and management traffic. Since all management traffic is immediately forwarded into the management network, it is not exposed to possible tampering. The separation also ensures that congestion or failures in the managed network do not affect the management of the device. If the OOBM interface does not have an IP address from the managed network address space, it will not have reachability from the NOC using scalable and normal control plane and forwarding mechanisms.
RouterOS command | REMARKS
Configuration sections reviewed (remarks column missing):
/interface wireless security-profiles
/interface wireless
/interface wireless manual-tx-power-table
/interface wireless nstreme
/ip hotspot profile
/queue type
/routing bgp instance
/routing ospf instance
/routing ospf area
/snmp community
/system logging action
/user group
/interface bridge port
/interface bridge settings
/interface ethernet switch port
/interface l2tp-server server
/interface ovpn-server server
/interface pptp-server server
/interface sstp-server server
/ip dns static
/ip firewall connection tracking
/ip firewall filter
/ip firewall nat
/ip firewall service-port
/ip hotspot service-port
/ip hotspot walled-garden
/ip hotspot walled-garden ip
/ppp aaa
/queue interface
/radius
/radius incoming
/routing bfd interface
/routing mme
/routing rip
/snmp
/system clock
/system clock manual
/system identity
/system leds
/system logging
/system note
/system ntp client
/system resource irq
/system routerboard settings
/system scheduler
/system script
/system upgrade mirror
/system watchdog
/tool bandwidth-server
/tool e-mail
/tool graphing
/tool mac-server
/tool mac-server mac-winbox
/tool mac-server ping
/tool sms
/tool sniffer
/tool traffic-generator
/user aaa
/interface bridge
add admin-mac=D4:CA:6D:9F:3D:25 ageing-time=5m arp=enabled auto-mac=no \
disabled=no forward-delay=15s l2mtu=1598 max-message-age=20s mtu=1504 \
name=bridge-local priority=0x8000 protocol-mode=rstp transmit-hold-count=\
6
/interface ethernet
set 0 arp=enabled auto-negotiation=yes disabled=no full-duplex=yes l2mtu=1600 \
mac-address=D4:CA:6D:9F:3D:24 mtu=1500 name=ether1-gateway speed=100Mbps
set 1 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited \
disabled=no full-duplex=yes l2mtu=1598 mac-address=D4:CA:6D:9F:3D:25 \
master-port=none mtu=1500 name=ether2-master-local speed=100Mbps
set 2 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited \
disabled=no full-duplex=yes l2mtu=1598 mac-address=D4:CA:6D:9F:3D:26 \
master-port=none mtu=1500 name=ether3-slave-local speed=100Mbps
set 3 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited \
disabled=no full-duplex=yes l2mtu=1598 mac-address=D4:CA:6D:9F:3D:27 \
master-port=none mtu=1500 name=ether4-slave-local speed=100Mbps
set 4 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited \
disabled=no full-duplex=yes l2mtu=1598 mac-address=D4:CA:6D:9F:3D:28 \
master-port=none mtu=1500 name=ether5-slave-local speed=100Mbps
/interface ethernet switch
set 0 mirror-source=none mirror-target=none name=switch1
/interface wireless security-profiles
set [ find default=yes ] authentication-types="" eap-methods=passthrough \
group-ciphers=aes-ccm group-key-update=5m interim-update=0s \
management-protection=disabled management-protection-key="" mode=none \
name=default radius-eap-accounting=no radius-mac-accounting=no \
radius-mac-authentication=no radius-mac-caching=disabled \
radius-mac-format=XX:XX:XX:XX:XX:XX radius-mac-mode=as-username \
static-algo-0=none static-algo-1=none static-algo-2=none static-algo-3=\
none static-key-0="" static-key-1="" static-key-2="" static-key-3="" \
static-sta-private-algo=none static-sta-private-key="" \
static-transmit-key=key-0 supplicant-identity=MikroTik tls-certificate=\
none tls-mode=no-certificates unicast-ciphers=aes-ccm wpa-pre-shared-key=\
"" wpa2-pre-shared-key=""
add authentication-types=wpa-psk,wpa2-psk eap-methods=passthrough \
group-ciphers=aes-ccm group-key-update=5m interim-update=0s \
management-protection=disabled management-protection-key="" mode=\
dynamic-keys name=password radius-eap-accounting=no \
radius-mac-accounting=no radius-mac-authentication=no radius-mac-caching=\
disabled radius-mac-format=XX:XX:XX:XX:XX:XX radius-mac-mode=as-username \
static-algo-0=none static-algo-1=none static-algo-2=none static-algo-3=\
none static-key-0="" static-key-1="" static-key-2="" static-key-3="" \
static-sta-private-algo=none static-sta-private-key="" \
static-transmit-key=key-0 supplicant-identity=MikroTik tls-certificate=\
none tls-mode=no-certificates unicast-ciphers=aes-ccm wpa-pre-shared-key=\
password wpa2-pre-shared-key=1e090e7e4e6807
/interface wireless
set 0 adaptive-noise-immunity=client-mode allow-sharedkey=no antenna-gain=0 \
antenna-mode=ant-a area="" arp=enabled band=2ghz-b/g/n basic-rates-a/g=\
36Mbps basic-rates-b=11Mbps bridge-mode=enabled channel-width=20mhz \
compression=no country=no_country_set default-ap-tx-limit=0 \
default-authentication=yes default-client-tx-limit=0 default-forwarding=\
yes dfs-mode=no-radar-detect disable-running-check=no disabled=no \
disconnect-timeout=3s distance=indoors frame-lifetime=0 frequency=2412 \
frequency-mode=manual-txpower frequency-offset=0 hide-ssid=no \
ht-ampdu-priorities=0 ht-amsdu-limit=8192 ht-amsdu-threshold=8192 \
ht-basic-mcs=mcs-5,mcs-7 ht-guard-interval=long ht-rxchains=0 \
ht-supported-mcs=mcs-5,mcs-7,mcs-12,mcs-15 ht-txchains=0 \
hw-fragmentation-threshold=disabled hw-protection-mode=rts-cts \
hw-protection-threshold=255 hw-retries=7 l2mtu=2290 mac-address=\
D4:CA:6D:9F:3D:29 max-station-count=2007 mode=ap-bridge mtu=1500 \
multicast-helper=default name=wlan1 noise-floor-threshold=-90 \
nv2-cell-radius=30 nv2-noise-floor-offset=default nv2-preshared-key="" \
nv2-qos=default nv2-queue-count=2 nv2-security=disabled \
on-fail-retry-time=100ms periodic-calibration=default \
periodic-calibration-interval=60 preamble-mode=both \
proprietary-extensions=post-2.9.25 radio-name=D4CA6D9F3D29 \
rate-selection=advanced rate-set=configured scan-list=default \
security-profile=default ssid="_WF SMART" station-bridge-clone-mac=\
00:00:00:00:00:00 supported-rates-a/g=36Mbps,54Mbps supported-rates-b=\
11Mbps tdma-period-size=2 tx-power=1 tx-power-mode=all-rates-fixed \
update-stats-interval=disabled wds-cost-range=50-150 wds-default-bridge=\
none wds-default-cost=100 wds-ignore-ssid=no wds-mode=disabled \
wireless-protocol=any wmm-support=enabled
/interface wireless manual-tx-power-table
set wlan1 manual-tx-powers="1Mbps:17,2Mbps:17,5.5Mbps:17,11Mbps:17,6Mbps:17,9M\
bps:17,12Mbps:17,18Mbps:17,24Mbps:17,36Mbps:17,48Mbps:17,54Mbps:17,HT20-0:\
17,HT20-1:17,HT20-2:17,HT20-3:17,HT20-4:17,HT20-5:17,HT20-6:17,HT20-7:17,H\
T40-0:17,HT40-1:17,HT40-2:17,HT40-3:17,HT40-4:17,HT40-5:17,HT40-6:17,HT40-\
7:17"
/interface wireless nstreme
set wlan1 disable-csma=no enable-nstreme=no enable-polling=yes framer-limit=\
3200 framer-policy=none
/ip hotspot profile
set [ find default=yes ] dns-name="" hotspot-address=0.0.0.0 html-directory=\
hotspot http-cookie-lifetime=3d http-proxy=0.0.0.0:0 login-by=\
cookie,http-chap name=default rate-limit="" smtp-server=0.0.0.0 \
split-user-domain=no use-radius=no
add dns-name=pow.portal.ph hotspot-address=192.168.88.1 html-directory=\
106.186.124.211
add action=accept comment=allow_source disabled=no src-address=65.181.120.40
add action=accept comment=allow_destination disabled=no dst-address=\
65.181.120.40
add action=accept disabled=no dst-address=192.168.88.1
/ip proxy
set always-from-cache=no cache-administrator=webmaster cache-hit-dscp=4 \
cache-on-disk=no enabled=no max-cache-size=unlimited \
max-client-connections=600 max-fresh-time=3d max-server-connections=600 \
parent-proxy=0.0.0.0 parent-proxy-port=0 port=8080 serialize-connections=\
no src-address=0.0.0.0
/ip route
add disabled=no distance=1 dst-address=192.168.0.0/16 gateway=pow_vpn scope=\
30 target-scope=10
/ip service
set telnet address="" disabled=no port=23
set ftp address="" disabled=no port=21
set www address="" disabled=no port=80
set ssh address="" disabled=no port=22
set www-ssl address="" certificate=none disabled=yes port=443
set api address="" disabled=yes port=8728
set winbox address="" disabled=no port=8291
/ip smb
set allow-guests=yes comment=MikrotikSMB domain=MSHOME enabled=no interfaces=\
all
/ip smb shares
set [ find default=yes ] comment="default share" directory=/pub disabled=no \
max-sessions=10 name=pub
/ip smb users
set [ find default=yes ] disabled=no name=guest password="" read-only=yes
/ip socks
set connection-idle-timeout=2m enabled=no max-connections=200 port=1080
/ip traffic-flow
set active-flow-timeout=30m cache-entries=4k enabled=no \
inactive-flow-timeout=15s interfaces=all
/ip upnp
set allow-disable-external-interface=yes enabled=no show-dummy-rule=yes
/mpls
set dynamic-label-range=16-1048575 propagate-ttl=yes
/mpls interface
set [ find default=yes ] disabled=no interface=all mpls-mtu=1508
/mpls ldp
set distribute-for-default-route=no enabled=no hop-limit=255 loop-detect=no \
lsr-id=0.0.0.0 path-vector-limit=255 transport-address=0.0.0.0 \
use-explicit-null=no
/port firmware
set directory=firmware ignore-directip-modem=no
/ppp aaa
set accounting=yes interim-update=0s use-radius=no
/queue interface
set ether1-gateway queue=only-hardware-queue
set ether2-master-local queue=only-hardware-queue
set ether3-slave-local queue=only-hardware-queue
set ether4-slave-local queue=only-hardware-queue
set ether5-slave-local queue=only-hardware-queue
set wlan1 queue=wireless-default
/radius
add accounting-backup=no accounting-port=1813 address=106.186.124.211 \
authentication-port=1812 called-id="" comment=pow_radius disabled=no \
domain=pow.wifun.ph realm="" secret=4332wurx service=hotspot timeout=5s
/radius incoming
set accept=no port=3799
/routing bfd interface
set [ find default=yes ] disabled=no interface=all interval=0.2s min-rx=0.2s \
multiplier=5
/routing mme
set bidirectional-timeout=2 gateway-class=none gateway-keepalive=1m \
gateway-selection=no-gateway origination-interval=5s preferred-gateway=\
0.0.0.0 timeout=1m ttl=50
/routing rip
set distribute-default=never garbage-timer=2m metric-bgp=1 metric-connected=1 \
metric-default=1 metric-ospf=1 metric-static=1 redistribute-bgp=no \
redistribute-connected=no redistribute-ospf=no redistribute-static=no \
routing-table=main timeout-timer=3m update-timer=30s
/snmp
set contact="" enabled=no engine-id="" location="" trap-generators="" \
trap-target="" trap-version=1
/system clock
set time-zone-name=Asia/Singapore
/system clock manual
set dst-delta=+00:00 dst-end="jan/01/1970 00:00:00" dst-start=\
"jan/01/1970 00:00:00" time-zone=+00:00
/system identity
set name=Wifun_d4ca6d9f3d24
/system leds
set 0 disabled=no interface=wlan1 leds=wlan-led type=wireless-status
/system logging
set 0 action=memory disabled=no prefix="" topics=info
set 1 action=memory disabled=no prefix="" topics=error
set 2 action=memory disabled=no prefix="" topics=warning
set 3 action=echo disabled=no prefix="" topics=critical
add action=WebProxy disabled=no prefix="" topics=web-proxy
/system note
\n:local bandwidth;\r\
\n:local txAll;\r\
\n:local rxAll;\r\
\n\r\
\n:local count [:tonum [/ip hotspot active print count-only]];\r\
\n\r\
\n:local txbps;\r\
\n:local rxbps;\r\
\n\r\
\n/interface monitor wlan1 once do={\r\
\n:set txbps \$(\"tx-bits-per-second\");\r\
\n:set rxbps \$(\"rx-bits-per-second\");\r\
\n}\r\
\n\r\
\n:set wlanID [/interface find name=wlan1];\r\
\n\r\
\n:set txAll \"\$txAll\$[/interface get \$wlanID tx-byte]\";\r\
\n:set rxAll \"\$rxAll\$[/interface get \$wlanID rx-byte]\";\r\
\n\r\
\n:set newlist \"\$actusrlist;\$count;\$txbps;\$rxbps;\$txAll;\$rxAll\";\r\
\n\r\
\n:log error \$newlist;\r\
\n\r\
\n:local localFilename;\r\
\n:set localFilename \"\$[/system identity get name].txt\";\r\
\n/file print file=\$localFilename;\r\
\n/file set \$localFilename contents=\"\$newlist\";\r\
\n\r\
\n:log info \"Uploading file\";\r\
\n/tool fetch address=cp1.wifun.org src-path=\$localFilename user=active m\
ode=ftp password=activewurx dst-path=\$localFilename upload=yes;\r\
\n\r\
\n:set oldlist \$newlist;\r\
\n:log error \"Active list sent\";"
add name=WiFunUpdate policy=\
ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive,api \
source=":log info \"WiFun Version Updater\";\r\
\n:local update;\r\
\n:local mac;\r\
\n:local password;\r\
\n:local list ;\r\
\n:local newList;\r\
\n\r\
\n:log info \"Checking Files\";\r\
\n:set update \"\$[/file find where name~\"updates/\"]\";\r\
\n\r\
\n:set mac \"\$[/system identity get name] \";\r\
/tool e-mail
set address=0.0.0.0 from=<> password="" port=25 starttls=no user=""
/tool graphing
set page-refresh=300 store-every=5min
/tool mac-server
set [ find default=yes ] disabled=yes interface=all
add disabled=no interface=ether2-master-local
add disabled=no interface=ether3-slave-local
add disabled=no interface=ether4-slave-local
add disabled=no interface=ether5-slave-local
add disabled=no interface=wlan1
add disabled=no interface=bridge-local
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes interface=all
add disabled=no interface=ether2-master-local
add disabled=no interface=ether3-slave-local
add disabled=no interface=ether4-slave-local
add disabled=no interface=ether5-slave-local
add disabled=no interface=wlan1
add disabled=no interface=bridge-local
/tool mac-server ping
set enabled=yes
/tool sms
set allowed-number="" channel=0 keep-max-sms=0 receive-enabled=no secret=""
/tool sniffer
set file-limit=1000KiB file-name="" filter-ip-address="" filter-ip-protocol=\
"" filter-mac-address="" filter-mac-protocol="" filter-port="" \
filter-stream=yes interface=all memory-limit=100KiB memory-scroll=yes \
only-headers=no streaming-enabled=no streaming-server=0.0.0.0
/tool traffic-generator
set latency-distribution-scale=10 test-id=0
/user aaa
set accounting=yes default-group=read exclude-groups="" interim-update=0s \
use-radius=no
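As an added example (not part of the audited export or this checklist), the following Python parses a RouterOS export in the format shown above and flags the findings the rule on default and weak passwords covers: a trivial WPA pre-shared key on a profile that actually uses WPA, plaintext management services left enabled under /ip service, and a short RADIUS shared secret. SAMPLE_EXPORT is a constructed sample modelled on the export; the trivial-key list and the length thresholds are assumptions of this example, not RouterOS limits.

```python
"""Added example: parse a RouterOS export and flag weak passwords and plaintext services."""
import shlex

# Constructed sample in RouterOS export format, modelled on the audited export.
SAMPLE_EXPORT = r"""/interface wireless security-profiles
set [ find default=yes ] authentication-types="" mode=none name=default wpa-pre-shared-key=""
add authentication-types=wpa-psk,wpa2-psk mode=\
dynamic-keys name=password wpa-pre-shared-key=\
password wpa2-pre-shared-key=1e090e7e4e6807
/ip service
set telnet address="" disabled=no port=23
set ftp address="" disabled=no port=21
set www address="" disabled=no port=80
set ssh address="" disabled=no port=22
/radius
add address=106.186.124.211 comment=pow_radius secret=4332wurx service=hotspot
"""

TRIVIAL_KEYS = {"", "password", "admin", "12345678"}  # assumed list of default/trivial keys
PLAINTEXT_SERVICES = {"telnet", "ftp", "www", "api"}  # management services with no transport protection
MIN_PSK_LEN, MIN_SECRET_LEN = 12, 16  # thresholds assumed for this example, not RouterOS limits


def join_continuations(text):
    # RouterOS exports break long commands with a trailing backslash, sometimes mid-token,
    # so the pieces are concatenated with no separator.
    lines, buf = [], ""
    for raw in text.splitlines():
        if raw.endswith("\\"):
            buf += raw[:-1]
        else:
            lines.append(buf + raw)
            buf = ""
    return [line for line in lines if line.strip()]


def parse_export(text):
    """Yield (section, verb, target, params) for every set/add command in the export."""
    section = None
    for line in join_continuations(text):
        if line.startswith("/"):
            section = line.strip()  # e.g. "/ip service"
            continue
        tokens = shlex.split(line)  # honours quoted values such as ssid="_WF SMART"
        verb, rest, target = tokens[0], tokens[1:], None
        if rest and rest[0] == "[":  # set [ find default=yes ] key=value ...
            end = rest.index("]")
            target, rest = " ".join(rest[: end + 1]), rest[end + 1:]
        elif rest and "=" not in rest[0]:  # set telnet key=value ... or set 0 key=value ...
            target, rest = rest[0], rest[1:]
        params = dict(tok.split("=", 1) for tok in rest if "=" in tok)
        yield section, verb, target, params


def audit(text):
    """Return (section, name, issue) findings for the 'no default or weak passwords' rule."""
    findings = []
    for section, _verb, target, p in parse_export(text):
        if section == "/interface wireless security-profiles":
            if p.get("mode") != "dynamic-keys":
                continue  # an empty key on a mode=none profile is not a finding: WPA is not in use
            for key in ("wpa-pre-shared-key", "wpa2-pre-shared-key"):
                psk = p.get(key, "")
                if psk.lower() in TRIVIAL_KEYS or len(psk) < MIN_PSK_LEN:
                    findings.append((section, p.get("name"), f"{key} is trivial or shorter than {MIN_PSK_LEN} characters"))
        elif section == "/ip service" and target in PLAINTEXT_SERVICES and p.get("disabled") == "no":
            findings.append((section, target, f"plaintext management service enabled on port {p.get('port')}"))
        elif section == "/radius" and len(p.get("secret", "")) < MIN_SECRET_LEN:
            findings.append((section, p.get("comment") or p.get("address"), f"shared secret shorter than {MIN_SECRET_LEN} characters"))
    return findings
```

Running `audit` over a full `/export` output applies the same checks to every profile, service and RADIUS entry in the file.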
REF. | Remarks
W5: WPA2-Pre-shared key
W25, W29: RADIUS server. Shared secret for authentication reply only of router, not authentication used by RADIUS