But Why?
Indeed. Well if you’re a tinkerer….because.
If you require more substance, anything you can do on your home MikroTik (and more) done in the cloud, it can solve CGNAT problems if you sit behind one at home and double in use as a remote gateway to set up for your own VPN server. Data collection through honeypot configurations, a secure gateway into a cloud infrastructure, a http(s) proxy and as a general learning tool if you don’t have the capabilities locally.
**NOTICE TO READER**
I had the want but not the immediate skillset to achieve this, I lean on the MikroTik community to fill the gaps in my knowledge – Massive thanks to the forum member wrkq for his work and spoon feeding this one. Forum link is at the end of the post.
The Setup
Here’s your pre-requisite, you need an OVH account and to have purchased/rented one of the VPS servers. At time of writing this I am using their most basic starter 1/2/20 server which as a new user, I am getting for just 83 pence pe rmonth for the first 12 months.
The OS doesn’t particularly matter but I went for the most up to date Debian.
Let’s do it!
Log into your OVH account and navigate your way to managing your shiny new VPS.
Click the three dots under “Boot” heading, “Reboot in rescue mode”. This will take a minute or two to reboot into rescue mode.
Click the three dots under “Name” heading, Choose”KVM” to pop an in browser console.
Use the IP/password displayed on the rescue console to connect in via SSH. The WAN IP can be found in your machine details.
I’m going to skip a middle explanation and checks here – OVH utilises /dev/sda for rescue and your VPS resides on /dev/sdb
Zero the partition by passing this command (note you don’t sudo as you’re already logged in as root)dd if=/dev/zero of=/dev/sdb bs=1M count=1024
Quickly add in the ability to unzip – This does not mean your CHR will be able to unzip, it means your rescue shell can unzip and this is a non-persistent addition as sda will be destroyed once finished with.apt install unzip
Let’s download a CHR imagewget https://download.mikrotik.com/routeros/7.16.1/chr-7.16.1.img.zip
And let’s unzip itunzip chr-7.16.1.img.zip
Now we want to write this across onto our persistent (VM) diskdd if=chr-7.16.1.img of=/dev/sdb bs=1M
Confirm this is done well, properly and correctlysync
And again for good lucksync
We are nearly done but from the SSH shell or KVM issue the below command (try not to get ahead of yourself here)reboot
Your VM will now reboot itself back into rescue mode, this is fine and we want this (for now).
Get your skates on – We’re bringing it up
We’re in the final stage now, CHR is copied over and you’re ready to leave rescue mode and go public but your problem now is that when OVH assigns it’s public IP via DHCP, your CHR is open to the world by default with a login of admin and no password. You need to move quickly now.
Let’s leave rescue mode and hammer the KVM so you can get in and get safe
On the VPS control panel, “Boot” header and “Reboot my VPS”and this action will leave rescue mode.
“Three dots next to the machine name -> KVM” Keep trying, click, no connect, close, retry until it works. When it does, username admin, no password and change the password to something you’re going to remember. Don’t go full blown mega complex instantly – this is a race to change it initially not to make it unbreakable (that comes once you’re safe).
Quick check to make sure you’re alone
One final command to issue once you are logged in with a non-standard password./user/active/print
This checks for any other users, there should only be an admin login via console. If there are ANY other users via shell, ssh, winbox, web or other means, sadly you’re compromised and need to start again.
For the successful – Well done – Get this baby locked down properly now, put a more complex admin password on, start hardening the setup, remove any ip services and access mechanisms you won’t use and put a couple of input rules into your Firewall filters.
We’re Done Here!
That’s it, we are all done. If you’re still at a loss of how to start hardening please read on into my other posts about firewalling, password changes and generally tightening up. My YouTube videos are still available (cheeky link) if you prefer visuals.
Forum Link
https://forum.mikrotik.com/viewtopic.php?t=120413
Again a huge thanks to the MT community and wrkq for steering me right on this one.
You must be logged in to post a comment.