This. It really should be a no-brainer to protect your devices by only allowing management from specific management networks. If you don’t, you are asking for trouble.
> On Aug 5, 2018, at 1:06 PM, Jesse DuPont <jesse.dup...@celeritycorp.net> wrote:
>
> Exactly what Lewis said. We take an "allow specific things, block everything
> else" approach. We only allow a small list of IP addresses to access Winbox
> or SSH on a router. And aside from a small list of other services the router
> needs to respond on (rate-limited ICMP, established/related, DHCP on some
> interfaces, OSPF or LDP on some interfaces, BGP from IP ranges of internal
> routers), everything else in the INPUT chain is explicitly dropped.
>
>> On 8/5/18 1:32 PM, Lewis Bergman wrote:
>> It can be inconvenient, but we only allow connections from our IP at work.
>> If you want in, you have to VPN there first.
>>
>>> On Sun, Aug 5, 2018, 1:12 PM CBB - Jay Fuller <par...@cyberbroadband.net> wrote:
>>>
>>> Looking through all of our routers, most running the latest firmware, most
>>> running non-standard winbox ports, I still see the following today:
>>>
>>> * accept rule in firewall (for port 10438 I think, same port enabled on ip
>>> -> socks)
>>> * account added called "service"
>>> * socks config changed ; enabled
>>> * log entries changed to only show one line
>>>
>>> anyone else seeing this? What are they doing?
-- AF mailing list AF@af.afmug.com http://af.afmug.com/mailman/listinfo/af_af.afmug.com
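To make the two halves of this thread concrete, here is an added example (written for this page, not code from the list or from any of the posters). It parses a RouterOS `/export` dump and reports the indicators Jay lists (an unrestricted accept rule in the INPUT chain, an enabled SOCKS proxy on the same port, an unexpected user account), and it also checks that the INPUT chain has the shape Jesse describes: every accept rule is restricted by source address, source list, interface or connection state (ICMP excepted), and the chain ends in an explicit drop. The sample export is constructed; apart from port 10438 from Jay's post, every address list name, user name and port in it is invented, and the `expected_users` allow-list and the helper names are assumptions of this example. The "log entries changed" indicator is not modelled here, since the thread does not say which logging setting was altered.

```python
"""Audit a RouterOS `/export` dump for the INPUT-chain allow-list shape
described in the thread and for the indicators Jay reports.
Added example; not code from the mailing list or from MikroTik."""
import shlex
from dataclasses import dataclass, field

# Constructed sample of a RouterOS `/export`: a management allow-list like the
# one Jesse describes, with three of Jay's reported changes grafted on top
# (an accept rule for port 10438, SOCKS enabled on that port, a "service" user).
SAMPLE_EXPORT = """\
/ip firewall filter
add action=accept chain=input comment="mgmt: winbox+ssh" dst-port=8291,22 protocol=tcp src-address-list=mgmt
add action=accept chain=input connection-state=established,related
add action=accept chain=input limit=50,5:packet protocol=icmp
add action=accept chain=input dst-port=179 protocol=tcp src-address-list=internal-routers
add action=accept chain=input dst-port=10438 protocol=tcp
add action=drop chain=input
/ip socks
set enabled=yes port=10438
/user
add group=full name=admin
add group=full name=service
"""

# Any of these keys on an accept rule means the rule is scoped to a source,
# an interface or an existing flow rather than open to the whole Internet.
SRC_RESTRICTIONS = ("src-address", "src-address-list", "in-interface",
                    "in-interface-list", "connection-state")


@dataclass
class Entry:
    section: str                          # e.g. "/ip firewall filter"
    verb: str                             # "add" or "set"
    args: dict = field(default_factory=dict)


def parse_export(text):
    """Turn `/export` text into one Entry per add/set line, in file order."""
    entries, section = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):          # section header such as "/ip socks"
            section = line
            continue
        tokens = shlex.split(line)        # shlex keeps quoted comments intact
        verb, args = tokens[0], {}
        for tok in tokens[1:]:
            if "=" in tok:
                key, val = tok.split("=", 1)
                args[key] = val
            else:                         # positional item, e.g. "set 0 ..."
                args.setdefault("_positional", []).append(tok)
        entries.append(Entry(section, verb, args))
    return entries


def audit(text, expected_users=("admin",)):
    """Return a list of human-readable findings; an empty list means clean."""
    entries = parse_export(text)
    findings = []

    # Indicator: SOCKS proxy enabled (1080 is the RouterOS default port).
    socks_ports = {e.args.get("port", "1080") for e in entries
                   if e.section == "/ip socks" and e.args.get("enabled") == "yes"}
    for port in sorted(socks_ports):
        findings.append(f"SOCKS proxy enabled on port {port}")

    # Allow-list shape: every INPUT accept must be scoped; chain ends in drop.
    input_rules = [e for e in entries
                   if e.section == "/ip firewall filter"
                   and e.args.get("chain") == "input"]
    for rule in input_rules:
        if rule.args.get("action") != "accept":
            continue
        scoped = (any(k in rule.args for k in SRC_RESTRICTIONS)
                  or rule.args.get("protocol") == "icmp")
        if scoped:
            continue
        port = rule.args.get("dst-port", "any")
        note = " (matches enabled SOCKS port)" if port in socks_ports else ""
        findings.append("unrestricted input accept: "
                        f"protocol={rule.args.get('protocol', 'any')} "
                        f"dst-port={port}{note}")
    if not input_rules or input_rules[-1].args.get("action") != "drop":
        findings.append("input chain does not end with an explicit drop")

    # Indicator: user accounts not on the expected list (e.g. "service").
    for e in entries:
        if e.section == "/user" and e.verb == "add" \
                and e.args.get("name") not in expected_users:
            findings.append(f"unexpected user account: {e.args.get('name')}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_EXPORT):
        print(finding)
```

Run it against a real `/export` (with `expected_users` set to the accounts you actually created) and every line it prints is something to explain or remove; on the sample it reports the SOCKS proxy, the matching unrestricted accept rule on 10438 and the "service" account, and nothing else, because the remaining rules are all scoped the way Jesse's policy requires.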