Mikrotik RouterOS devices are extremely powerful routers, which means their configuration is not always point-and-click for a new user. This howto outlines some recommended steps to secure your Mikrotik RouterOS device, whether it is a RouterBoard, an x86 install on bare metal, or a CHR (Cloud Hosted Router).
This guide does not go into detail on configuring the firewall. That is more complex and depends heavily on your own scenario. As a general rule of thumb, block everything coming into your router and poke holes in the firewall only for the services you need.
Here are the steps to help secure your Mikrotik RouterOS router via the command line interface.
Change the admin password.
This first point should be the most obvious. The default admin account has a blank password, so the first thing you need to do is set one.
/user set [find name=admin] password=Password123
Replace ‘admin’ with the name of the account you want to change the password for, and replace Password123 with a long, unique password of your own; the value shown here is only a placeholder and should never be used on a real device.
Change the admin username to be something more unique
In this example the default ‘admin’ username will be renamed to ‘test’. This helps prevent people from guessing usernames and passwords and subsequently gaining access to your router. It is much harder to brute force a password when you don’t know which username to try.
/user set [find name=admin] name=test
Replace ‘test’ with the name of the account you want to change it to.
Disable unused interfaces
Leaving unused interfaces enabled when your router is in a publicly accessible location means someone can physically walk up to the router and plug a cable in. To prevent this, disable any unused interfaces.
Show the interfaces on your device
/interface print
This will vary greatly depending on your hardware.
Example output:
Flags: D - dynamic, X - disabled, R - running, S - slave
 #    NAME      TYPE        ACTUAL-MTU L2MTU
 0  R ether1    ether             1500
 1  R ether2    ether             1500
 2  R ether3    ether             1500
 3  R ether4    ether             1500
 4  R ether5    ether             1500
Disable one of the interfaces
In this example we will disable ether4.
/interface set [find name=ether4] disabled=yes
Replace ether4 with the name of the interface you want to disable.
Check to ensure it is disabled
[admin@MikroTik] > /interface print
Flags: D - dynamic, X - disabled, R - running, S - slave
 #    NAME      TYPE        ACTUAL-MTU L2MTU
 0  R ether1    ether             1500
 1  R ether2    ether             1500
 2  R ether3    ether             1500
 3  X ether4    ether             1500
 4  R ether5    ether             1500
The X in the flags column shows that ether4 has been disabled.
Disable unused services
Show the services that are available on the router.
/ip service print
Example output
Flags: X - disabled, I - invalid
 #    NAME     PORT  ADDRESS   CERTIFICATE
 0    telnet   23
 1    ftp      21
 2    www      80
 3    ssh      22
 4 XI www-ssl  443             none
 5    api      8728
 6    winbox   8291
 7    api-ssl  8729            none
Disable any unused services, especially the insecure, unencrypted ones such as telnet and ftp.
This example command will disable the telnet service.
/ip service set [find name=telnet] disabled=yes
Note: firewall rules should restrict who can reach the services you keep enabled. The address= field of each service (the ADDRESS column above) can additionally limit a service to specific source networks, but it is not a substitute for a firewall.
Verify the service has been disabled
[admin@MikroTik] > /ip service print
Flags: X - disabled, I - invalid
 #    NAME     PORT  ADDRESS   CERTIFICATE
 0 XI telnet   23
 1    ftp      21
 2    www      80
 3    ssh      22
 4 XI www-ssl  443             none
 5    api      8728
 6    winbox   8291
 7    api-ssl  8729            none
It is best to disable every unencrypted or unused service.
Here is an example that leaves only SSH enabled. Run it from an SSH session: if you are connected through WinBox or the web interface, this will disable the very service you are using and you will not be able to reconnect.
/ip service set [find name=telnet] disabled=yes
/ip service set [find name=ftp] disabled=yes
/ip service set [find name=www] disabled=yes
/ip service set [find name=ssh] disabled=no
/ip service set [find name=www-ssl] disabled=yes
/ip service set [find name=api] disabled=yes
/ip service set [find name=winbox] disabled=yes
/ip service set [find name=api-ssl] disabled=yes
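The following is an added example, not part of the original guide, showing the combination the note above recommends: disable every service except the ones you manage the router with, pin the survivors to a management subnet with the address= field, and back that with a minimal input-chain firewall. The management network 192.168.88.0/24, the address list name mgmt and ether1 as the public interface are assumptions; substitute your own. Run it from an SSH session so you do not cut off the session you are working in.

```routeros
# Added example (not from the original guide). Assumes: management hosts
# live in 192.168.88.0/24, the public interface is ether1, and SSH (22)
# plus WinBox (8291) are the only management services you want to keep.

# 1. Disable every /ip service that is not ssh or winbox.
:foreach s in=[/ip service find where name!="ssh" && name!="winbox"] do={
    /ip service set $s disabled=yes
}

# 2. Keep ssh and winbox enabled but only answer requests from the
#    management subnet. This is the ADDRESS column in /ip service print;
#    an empty value means "any source the firewall lets through".
/ip service set [find name="ssh"] disabled=no address=192.168.88.0/24
/ip service set [find name="winbox"] disabled=no address=192.168.88.0/24

# 3. Input-chain firewall. Rules are evaluated top down, so replies to
#    our own sessions and management traffic are accepted first and
#    everything else arriving on the public interface is dropped last.
/ip firewall address-list add list=mgmt address=192.168.88.0/24 comment="trusted management hosts (assumed)"
/ip firewall filter add chain=input connection-state=established,related action=accept comment="replies to connections the router opened"
/ip firewall filter add chain=input connection-state=invalid action=drop comment="drop packets that belong to no known connection"
/ip firewall filter add chain=input protocol=icmp action=accept comment="allow ping and path MTU discovery"
/ip firewall filter add chain=input protocol=tcp dst-port=22,8291 src-address-list=mgmt action=accept comment="ssh and winbox from management hosts only"
/ip firewall filter add chain=input in-interface=ether1 action=drop comment="everything else from the public side"

# 4. Verify what is still listening, and from where it can be reached.
/ip service print
/ip firewall filter print where chain=input
```

The address= restriction and the firewall rule overlap on purpose: if one of them is later loosened by mistake, the other still limits exposure of the management ports to the mgmt hosts.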
Disable MAC Telnet Access
The MAC server feature allows access to the Mikrotik/RouterOS device by MAC address alone, even when no IP address is configured on the router. While it can be extremely handy on the trusted private side of the network, there is no need to have it enabled on an untrusted interface.
View the state of the MAC server
/tool mac-server print
Example output
Flags: X - disabled, * - default
 #   INTERFACE
 0 * all
Disable the MAC server on all interfaces.
/tool mac-server set [find interface=all] disabled=yes
Ensure it is disabled:
[admin@MikroTik] > /tool mac-server print
Flags: X - disabled, * - default
 #   INTERFACE
 0 X* all
Note: if you need MAC Telnet access, please configure it to only be on your trusted private network interfaces.
Disable MAC WinBox Access
This is essentially the same process as above, but using the mac-winbox submenu.
Check MAC WinBox server status
/tool mac-server mac-winbox print
example output
Flags: X - disabled, * - default
 #   INTERFACE
 0 * all
Disable MAC WinBox on all interfaces
/tool mac-server mac-winbox set [find interface=all] disabled=yes
Example output after disabling
[admin@MikroTik] > /tool mac-server mac-winbox print
Flags: X - disabled, * - default
 #   INTERFACE
 0 X* all
Note: if you need MAC WinBox access, please configure it to only be on your trusted private network interfaces.
Disable MAC Server Ping
Again, very similar to the above two features.
Show the status
/tool mac-server ping print
Example output
enabled: yes
Disable MAC server ping
/tool mac-server ping set enabled=no
Verify it is disabled
[admin@MikroTik] > /tool mac-server ping print
  enabled: no
Disable neighbor discovery on public interfaces
Neighbor device discovery can be a handy tool, but it announces your router's identity, software version and addresses to whoever is listening on that segment, so there is no need for it to be enabled on a public interface.
View current state of neighbor discovery interfaces
/ip neighbor discovery print
example output
Flags: X - disabled
 #   NAME
 0   ether1
 1   ether2
 2   ether3
 3   ether4
 4   ether5
Disable neighbor discovery on public interfaces
In this example we will disable neighbor discovery on the ether5 interface.
/ip neighbor discovery set [find name=ether5] discover=no
Verify it is now disabled
[admin@MikroTik] > /ip neighbor discovery print
Flags: X - disabled
 #   NAME
 0   ether1
 1   ether2
 2   ether3
 3   ether4
 4 X ether5
Enable strong SSH Crypto
Check what SSH settings you are currently using
/ip ssh print
Example output
  forwarding-enabled: no
  always-allow-password-login: no
  strong-crypto: no
  host-key-size: 2048
Enable strong crypto. With strong-crypto=yes RouterOS prefers stronger ciphers, hashes and key exchange for SSH (for example 256-bit AES and SHA-2 based HMACs) and stops offering weak options such as MD5 HMACs and 3DES. Very old SSH clients may no longer be able to negotiate a connection, so test from a client before closing the session you are working in.
/ip ssh set strong-crypto=yes
Ensure it has been applied
[admin@MikroTik] > /ip ssh print
  forwarding-enabled: no
  always-allow-password-login: no
  strong-crypto: yes
  host-key-size: 2048
Enable reverse path filtering
Check the IP settings
/ip settings print
Example output
                 ip-forward: yes
             send-redirects: yes
        accept-source-route: no
           accept-redirects: no
           secure-redirects: yes
                  rp-filter: no
             tcp-syncookies: no
       max-neighbor-entries: 8192
                arp-timeout: 30s
            icmp-rate-limit: 10
             icmp-rate-mask: 0x1818
                route-cache: yes
            allow-fast-path: yes
      ipv4-fast-path-active: yes
     ipv4-fast-path-packets: 0
       ipv4-fast-path-bytes: 0
      ipv4-fasttrack-active: no
     ipv4-fasttrack-packets: 0
       ipv4-fasttrack-bytes: 0
Turn on reverse path filtering. With rp-filter=strict the router drops any packet whose source address it would not route back out through the interface the packet arrived on, which blocks traffic with spoofed source addresses. If you run asymmetric routing (for example more than one upstream), strict mode will also drop legitimate traffic; use rp-filter=loose in that case, which only requires that the source address be reachable via some interface.
/ip settings set rp-filter=strict
Verify it is now enabled
[admin@MikroTik] > /ip settings print
                 ip-forward: yes
             send-redirects: yes
        accept-source-route: no
           accept-redirects: no
           secure-redirects: yes
                  rp-filter: strict
             tcp-syncookies: no
       max-neighbor-entries: 8192
                arp-timeout: 30s
            icmp-rate-limit: 10
             icmp-rate-mask: 0x1818
                route-cache: yes
            allow-fast-path: yes
      ipv4-fast-path-active: yes
     ipv4-fast-path-packets: 0
       ipv4-fast-path-bytes: 0
      ipv4-fasttrack-active: no
     ipv4-fasttrack-packets: 0
       ipv4-fasttrack-bytes: 0
Disable SOCKS server
The SOCKS server should always be disabled nowadays, unless you have an unusual use case where something genuinely needs it. An exposed SOCKS proxy lets anyone who can reach it relay traffic through your router and network. If you must keep it, ensure it is not reachable from the public interfaces by adding a firewall filter rule.
Check the SOCKS server status
/ip socks print
Example output
                  enabled: no
                     port: 1080
  connection-idle-timeout: 2m
          max-connections: 200
In this example, it is already disabled (enabled=no)
Disable SOCKS server
/ip socks set enabled=no
Disable the bandwidth test server
Check the status of the bandwidth test server
/tool bandwidth-server print
Example output
                  enabled: yes
             authenticate: yes
  allocate-udp-ports-from: 2000
             max-sessions: 100
Disable the bandwidth server tool
/tool bandwidth-server set enabled=no
Confirm the service has now been disabled
[test@MikroTik] > /tool bandwidth-server print
                  enabled: no
             authenticate: yes
  allocate-udp-ports-from: 2000
             max-sessions: 100
Disable remote DNS queries
RouterOS has the ability to act as a caching DNS server. If you don't use this feature, it is best to disable it if it is not already disabled. A router that answers DNS queries from the public side is an open resolver, which can be abused for DNS amplification attacks against third parties and will generate unwanted load on your link. If you do need the resolver for your LAN, keep allow-remote-requests=yes but block UDP and TCP port 53 on the public interface in the firewall.
Check the status
/ip dns print
Example output
                      servers:
              dynamic-servers:
        allow-remote-requests: no
          max-udp-packet-size: 4096
         query-server-timeout: 2s
          query-total-timeout: 10s
       max-concurrent-queries: 100
  max-concurrent-tcp-sessions: 20
                   cache-size: 2048KiB
                cache-max-ttl: 1w
                   cache-used: 9KiB
Note: in this example, its already disabled (allow-remote-requests=no).
Disable remote DNS requests
/ip dns set allow-remote-requests=no
Other / General
Keep your router up to date. Bugs and exploits are found from time to time in all devices, and your router is no different. Ensure you are running a current version of RouterOS, and repeat the checks in this guide after each upgrade, since an upgrade or a configuration reset can re-enable services you previously turned off.
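To make re-checking practical, here is an added example of a read-only audit script that is not part of the original guide. It walks through every setting this guide changes and prints WARN for each one still at its weak value, then prints the installed and latest known RouterOS versions. It assumes ether1 is the public interface and that the menus match the RouterOS 6.x syntax used above (newer releases moved the MAC server to interface lists, so those two checks may need adjusting); the global variable name hardenWarn and the function name check are this example's own.

```routeros
# Added example (not from the original guide): read-only hardening audit.
# Assumptions: ether1 faces the public side; menu names as used in this
# guide (RouterOS 6.x). Nothing here changes configuration.

:global hardenWarn 0

# Print one line per check and count the findings.
# Called as: $check bad=(<condition that is true when insecure>) msg="..."
:local check do={
    :global hardenWarn
    :if ($bad) do={
        :put "WARN  $msg"
        :set hardenWarn ($hardenWarn + 1)
    } else={
        :put "ok    $msg"
    }
}

# Default account renamed?
$check bad=([:len [/user find name=admin]] > 0) msg="default 'admin' account renamed"

# Cleartext and unused services disabled?
:foreach n in={"telnet";"ftp";"www";"api";"api-ssl"} do={
    $check bad=([/ip service get [find name=$n] disabled] = false) msg="service $n disabled"
}

# Remaining management services pinned to a source network?
:foreach n in={"ssh";"winbox"} do={
    :if ([/ip service get [find name=$n] disabled] = false) do={
        $check bad=([:len [/ip service get [find name=$n] address]] = 0) msg="service $n restricted by address="
    }
}

# MAC telnet, MAC WinBox and MAC ping (old-style per-interface entries)
$check bad=([:len [/tool mac-server find where disabled=no]] > 0) msg="MAC telnet server disabled"
$check bad=([:len [/tool mac-server mac-winbox find where disabled=no]] > 0) msg="MAC WinBox server disabled"
$check bad=([/tool mac-server ping get enabled] = true) msg="MAC server ping disabled"

# Neighbor discovery on the public interface (ether1 is an assumption)
$check bad=([/ip neighbor discovery get [find name=ether1] discover] = true) msg="neighbor discovery off on ether1"

# SSH, reverse path filtering, SOCKS, bandwidth test server, DNS
$check bad=([/ip ssh get strong-crypto] = false) msg="ssh strong-crypto enabled"
$check bad=([/ip settings get rp-filter] = "no") msg="rp-filter enabled (strict or loose)"
$check bad=([/ip socks get enabled] = true) msg="SOCKS server disabled"
$check bad=([/tool bandwidth-server get enabled] = true) msg="bandwidth test server disabled"
$check bad=([/ip dns get allow-remote-requests] = true) msg="remote DNS requests disabled"

# Software currency: check-for-updates needs internet access from the router.
/system package update check-for-updates
:put ("installed RouterOS: " . [/system package update get installed-version] . ", latest known: " . [/system package update get latest-version])

:put ("Findings: " . $hardenWarn)
/system script environment remove [find name=hardenWarn]
```

The script deliberately reports rather than fixes, so it can be run from a scheduler entry or after an upgrade and compared against the last run. The DNS and rp-filter lines report only on the RouterOS setting; whether port 53 is actually blocked on the public side, or whether loose instead of strict is the right choice for your routing, is still something to verify in the firewall and routing tables.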