Username and Password
First of all you should change the password of the admin user. Do it even if you just want to test something. It is also recommended to change the username of the default admin user.
/user add name=new-user password=secure-password group=full
/user remove admin
You can use the /password command or WinBox to change the password without leaving a log entry in the command history of the shell.
Use the firewall to limit access to the router. In addition, you can restrict a user so that they can only log in from a specified network.
/user set 0 allowed-address=aa.bb.cc.dd/xx
Sometimes it is a good idea to add a rescue or emergency user and limit its access to the console only. To do this, set the allowed-address of that user to the loopback address:
/user set 0 allowed-address=127.0.0.1/32
To reduce the attack surface, all unused services should be deactivated.
First of all, deactivate all services without encryption. So if you use SSH and/or WinBox, you can deactivate telnet and ftp.
/ip service disable [find name="telnet"]
/ip service disable [find name="ftp"]
If you are not planning to use the REST API of your MikroTik, you can also deactivate it. The WinBox tool connects to the winbox service, not the API service.
/ip service disable [find name="api"]
/ip service disable [find name="api-ssl"]
If you don't use the web interface to manage your router, deactivate it. If you do use it, add a valid SSL certificate and deactivate the service without SSL encryption.
/ip service disable [find name="www"]
/ip service disable [find name="www-ssl"]
Check if everything is as expected.
/ip service print
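As an added example that is not part of the original page, the following Python script parses the output of /ip service print and flags the services the text above says to disable (cleartext services) or fix (TLS services without a certificate). The embedded sample output is constructed, not captured from a real router.

```python
import re

# Constructed sample of "/ip service print" output (not from a real router).
SAMPLE_SERVICE_PRINT = """\
Flags: X - disabled, I - invalid
 #   NAME      PORT ADDRESS         CERTIFICATE
 0   telnet    23
 1 X ftp       21
 2   www       80
 3   ssh       22
 4   www-ssl   443                  none
 5   api       8728
 6   winbox    8291
 7 X api-ssl   8729                 none
"""

# Services that carry credentials in cleartext and should be disabled.
CLEARTEXT = {"telnet", "ftp", "www", "api"}
# TLS-protected services that need a real certificate if they stay enabled.
TLS = {"www-ssl", "api-ssl"}

# number, optional flag column (X/I), name, port, remainder (address, certificate)
ROW = re.compile(r"^\s*(\d+)\s+(?:([XI]+)\s+)?([\w-]+)\s+(\d+)(.*)$")


def parse_services(text):
    """Return one dict per service row: name, port, disabled, certificate."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # "Flags:" line, column header or blank line
        flags = m.group(2) or ""
        rest = m.group(5).split()
        # The ADDRESS column holds CIDR networks; anything else is the certificate.
        cert = rest[-1] if rest and "/" not in rest[-1] else None
        rows.append({"name": m.group(3), "port": int(m.group(4)),
                     "disabled": "X" in flags, "certificate": cert})
    return rows


def audit_services(rows):
    """Return (service, reason) findings for enabled services that need attention."""
    findings = []
    for r in rows:
        if r["disabled"]:
            continue
        if r["name"] in CLEARTEXT:
            findings.append((r["name"], "enabled without encryption"))
        elif r["name"] in TLS and r["certificate"] in (None, "none"):
            findings.append((r["name"], "enabled but no certificate assigned"))
    return findings


def remediation(findings):
    """Build the disable commands from the page for the cleartext findings."""
    return ['/ip service disable [find name="%s"]' % name
            for name, reason in findings if reason == "enabled without encryption"]
```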
By default you can manage a MikroTik without configuring any IP address, just by accessing it on Layer 2. This is a great feature when you are learning how to configure your router, or in a test lab, because you can still reach the device even if you have screwed up the configuration. But in production, Layer 2 access is a bad idea because it opens new entry points.
Disable the MAC-Telnet service.
/tool mac-server set allowed-interface-list=none
/tool mac-server print
Disable WinBox over MAC. If you have a device without a serial port, like the hEX, you might instead want to allow it on one dedicated port so that you still have a chance to access your device even if you have screwed up the configuration. But be aware that this might not always be possible.
/tool mac-server mac-winbox set allowed-interface-list=none
/tool mac-server mac-winbox print
The next command uses an interface list to enable WinBox over MAC on defined interfaces.
/tool mac-server mac-winbox set allowed-interface-list=mac-winbox
Most people might not even know how to use the MAC-Ping service, so you can deactivate it without any drawbacks.
/tool mac-server ping set enabled=no
/tool mac-server ping print
If you don't use the RoMON feature you should deactivate it.
/tool romon set enabled=no
/tool romon print
If you use the RoMON feature you should set a secret.
/tool romon set secrets="my-super-secret" enabled=yes
/tool romon print
It is possible to detect other MikroTik routers in the network. But this opens a new attack vector. You should deactivate neighbor discovery on all ports not connected to another MikroTik router, or even better, deactivate it on all interfaces.
/ip neighbor discovery-settings set discover-interface-list=none
/ip neighbor discovery-settings print
You should not use the bandwidth server in production environments. So you can deactivate it and reactivate if you have to perform some troubleshooting.
/tool bandwidth-server set enabled=no
/tool bandwidth-server print
If you don't use your MikroTik as DNS resolver you should deactivate the service.
/ip dns set allow-remote-requests=no
/ip dns print
Deactivate the HTTP proxy.
/ip proxy set enabled=no
/ip proxy print
Deactivate the socks proxy.
/ip socks set enabled=no
/ip socks print
Don't use UPNP.
/ip upnp set enabled=no
/ip upnp print
If you don't use the MikroTik DDNS feature and have configured one or more NTP servers, you should deactivate the MikroTik cloud features.
/ip cloud set ddns-enabled=no update-time=no
/ip cloud print
Only use the ciphers RouterOS defines as strong.
/ip ssh set strong-crypto=yes
/ip ssh print
Once an SSH key has been set for a user, that user should no longer be allowed to log in with a password.
/ip ssh set always-allow-password-login=no
/ip ssh print
Deactivate unused interfaces
Do it manually.
/interface print
/interface disable numbers=1
Or deactivate all Ethernet interfaces not running at the moment. I highly recommend running this command in SAFE-mode.
/interface disable [find type=ether && running=no]
The LCD looks interesting and provides some information. But if you have installed your router in a data center in a 19" rack, you might not even see it. So you can deactivate it.
/lcd set enabled=no