Secure a MikroTik Router

The default configuration of a MikroTik router helps you to get it up and running very quickly. But you should do some additional steps to protect your device and your infrastructure before you connect the router to your network.

Username and Password

First of all you should change the password of the admin user. Do it even if you just want to test something. It is also recommended to change the username of the default admin user.

/user add name=new-user password=secure-password group=full
/user remove admin

You can use the /password command or WinBox to change the password without a log entry in the command history of the shell.

IP Access

Use the firewall to limit the access to the router. But you can also limit the access for a user to a specified network.

/user set 0 allowed-address=aa.bb.cc.dd/xx

Sometimes it is a good idea to add an rescue or emergency user and limit the access to console only. To do this change the allowed-address to 127.0.0.1/32

/user set 0 allowed-address=127.0.0.1/32

Unused Services

To reduce the attack surface all unused service should be deactivated.

First off all deactivate all services without encryption. So if you use SSH and/or WinBox you can deactivate telnet and ftp.

/ip service disable [find name="telnet"]
/ip service disable [find name="ftp"]      

If you are not planing to use the REST API of your MikroTik you can also deactivate it. The WinBox tool connects to the winbox service not the API service.

/ip service disable [find name="api"]     
/ip service disable [find name="api-ssl"]

If you don't use the web interface to manage your router you should deactivate it. Or if you use it, add a valid SSL Certificate and deactivate the service without SSL encryption.

/ip service disable [find name="www"]     
/ip service disable [find name="www-ssl"]

Check if everything is as expected.

/ip service print

MAC-Access

By default you can manage a MikroTik without configuring any IP address just by accessing it on Layer 2. This is a great feature if you start learning how to configure your router or in a test lab to get access to the device even if you have screwed up the configuration. But in production the layer 2 access is a bad idea because it opens new entry points.

Disable the MAC-Telnet service.

/tool mac-server set allowed-interface-list=none
/tool mac-server print

Disable WinBox over MAC or if you have a device without serial port like the hex you might want to add a dedicated port to get a chance to access your device even if you screwed up the configuration. But be aware that this might not always be possible.

/tool mac-server mac-winbox set allowed-interface-list=none
/tool mac-server mac-winbox print

The next command uses an interface list to enable WinBox over MAC on defined interfaces.

/tool mac-server mac-winbox set allowed-interface-list=mac-winbox

Most people might not even know how to use the MAC-Ping service. So you can deactivate it without any drawbacks.

/tool mac-server ping set enabled=no
/tool mac-server ping print

If you don't use the RoMON feature you should deactivate it.

/tool romon set enabled=no
/tool romon print 

If you use the RoMON feature you should set a secret.

/tool romon set secrets="my-super-secret" enable=yes
/tool romon print

Neighbor Discovery

It is possible to detect other MikroTik routers in the network. But this opens a new attack vector. You should deactivate the neighbor discovery on all ports not connected to an other MikroTik router or even better deactivate it on all interfaces

/ip neighbor discovery-settings set discover-interface-list=none
/ip neighbor discovery-settings print

Bandwidth Server

You should not use the bandwidth server in production environments. So you can deactivate it and reactivate if you have to perform some troubleshooting.

/tool bandwidth-server set enabled=no 
/tool bandwidth-server print 

DNS Cache

If you don't use your MikroTik as DNS resolver you should deactivate the service.

/ip dns set allow-remote-requests=no
/ip dns print

Other services

Deactivate the HTTP proxy.

/ip proxy set enabled=no
/ip proxy print

Deactivate the socks proxy.

/ip socks set enabled=no
/ip socks print

Don't use UPNP.

/ip upnp set enabled=no
/ip upnp print

If you don't use the MikroTik DDNS feature and have configured one ore more NTP servers you should deactivate the MikroTik features.

/ip cloud set ddns-enabled=no update-time=no
/ip cloud print

SSH

Only use the ciphers defined as strong.

/ip ssh set strong-crypto=yes
/ip ssh print

After setting a SSH-Key for an user he/she should not be allowed to login via password anymore.

/ip ssh set always-allow-password-login=no
/ip ssh print

Deactivate unused interfaces

Do it manually.

/interface print
/interface disable numbers=1 

Or deactivate all Ethernet interfaces not running at the moment. I highly recommend running this command in SAFE-mode.

/interface disable [find type=ether && running=no ]

LCD

The LCD looks interesting and provides some information. But if you have installed your router in a data center in a 19" rack you might not even see it. So you can reactive it.

/lcd set enabled=no

Links

Related articles