Manual:Security

From MikroTik Wiki
Revision as of 09:00, 20 August 2021 by Guntis (talk | contribs)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search

This article describes security measures in RouterOS user authentication. The article applies to RouterOS v6.45 and newer.

  • All passwords on the router are hashed (SHA256) and encrypted (ECC);
  • all RADIUS authentications (ssh,local,winbox,webfig,btest,telnet) will use MS-CHAPv2;
  • WinBox uses EC-SRP5 for key exchange and authentication (requires latest WinBox version), both sides verify that other side knows password (no man in the middle attack is possible);
  • WinBox in ROMON mode requires that agent is the latest version to be able to connect to latest version routers;
  • WinBox uses AES128-CBC-SHA as encryption algorithm (requires new WinBox version);
  • Bandwidth-test uses EC-SRP5 for authentication, older version bandwidth-test clients can connect to newer version server only in no-authentication mode;
  • MAC telnet uses EC-SRP5 for authentication, to connect to newer server, client needs to be upgraded;
  • WebFig uses ECDH for encryption key exchange;
  • Backup by default does not encrypt backup file, password now needs to be provided explicitly to encrypt it;
Retrieved from "https://wiki.mikrotik.com/index.php?title=Manual:Security&oldid=34467"