Manual:Securing Your Router

From MikroTik Wiki
Revision as of 14:44, 23 March 2017 by SergejsB (talk | contribs) (Created page with "The following steps are recommendation how to protect your router. We strongly suggest to keep default firewall, it can be patched by other rules that fullfils your setup requ...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search

The following steps are recommendation how to protect your router. We strongly suggest to keep default firewall, it can be patched by other rules that fullfils your setup requirements. Other tweaks and configuration options to harden your router's security are described later.


Access to a router

Access username

Change default username admin to different name, custom name helps to protect access to your rotuer, if anybody got direct access to your router. 

/user print
/user set 0 name=myname

Access password

MikroTik routers requires password configuration, we suggest to use pwgen or other password generator tool to create secure and non-repeating passwords, 

/user set 0 password="!={Ba3N!"40TуX+GvKBz?jTLIUcx/,"

Another option to set a password, 

/password

We strongly suggest to use second method or Winbox interface to apply new password for your router, just to keep it safe from other unauthorised access.

Access by IP address

Besides the fact that default firewall protects your router from unauthorized access from outer networks, it is possible to restrict username access for the specific IP address 

/user set 0 allowed-address=x.x.x.x/yy

x.x.x.x/yy - your IP or network subnet that is allowed to access your router.

2) router's services

All your production routers have to be administred by SSH, secured Winbox or HTTPs services. [screenshot of secure winbox to 192.168.88.1] [screenshot of ssh to 192.168.88.1]

  • Most of RouterOS administrative tools are configured at

/ip service print

Make sure to leave only secure ones,

/ip service disable

/ip service disable telnet,ftp,www,api,api-ssl /ip service print

Additionaly each /ip service entity might be secured by allowed address (the address service will reply to) /ip service set winbox allowed-address=192.168.88.0/24

  • RouterOS MAC-access and discovery services

RouterOS has built-in options for easy management access to network devices. The particular services should be shutdown on production networks.

Disable mac-telnet services, /tool mac-server set [find] disabled=yes /tool mac-server print

Disable mac-winbox services, /tool mac-server mac-winbox set [find] disabled=yes /tool mac-server mac-winbox print


Disable mac-ping service, /tool mac-server ping set enabled=no /tool mac-server ping print


After disabling verify that services are disabled actually.

  • Disable MNDP

MikroTik Neighbor discovery protocol is used to show and recognize other MikroTik routers in the network, disable neighbor discovery on all interfaces, /ip neighbor discovery> set [find] discover=no

  • IPv6 ND

/ipv6 nd set [find] disabled=yes


  • Bandwidth server

Bandwidth server is used to test throughput between two MikroTik routers. Disable it in productions enironment. /tool bandwidth-server set enabled=no

  • DNS cache

Router might have DNS cache enabled, that decreases resolving time for DNS requests from clients to remote server. In case DNS cache is not required on your router or another router is use for such purposes, disable it or configure firewall to protect your router.

/ip dns set allow-remote-requests=no

  • Other clients services

RouterOS might have other services enabled, make sure to have disabled them all (if they are not used).

MikroTik caching proxy /ip proxy set set enabled=no

MikroTik socks proxy /ip socks set enabled=no

MikroTik UPNP service /ip upnp set enabled=no

MikroTik dynamic name service ip cloud set ddns-enabled=no update-time=no



3) Router interfaces

Disable all unused interfaces on your router. /interface print /interface set x disabled=yes

x - number of unused interfaces.


Strong Crypto

Some RouterBOARDs have LCD module for informational purpose, set pin or disable it. /lcd set enabled=no


Strong Crypto

Stronger crypto for SSH is available as of RouterOS 6.30, so we'll enable that. SSH clients like Putty that can utilize the stronger crypto will default to that, and leave the weaker algorithms unused. As of November 2016 there is no way to explicitly disable the weaker crypto algorithms in the Mikrotik for purposes of SSH. Turn on the SSH strong crypto:

/ip ssh set strong-crypto=yes




4) Firewall

Retrieved from "https://wiki.mikrotik.com/index.php?title=Manual:Securing_Your_Router&oldid=29156"