Networking HowTos
Networking HowTos

Secure MikroTik RouterOS Router via CLI

June 14, 2017 MikroTik / RouterOS

Mikrotik RouterOS devices are extremely powerful router devices. This can sometimes mean that the configuration of them isnt as simple as point and click for a new user. This howto will outline some recommended steps you can take to secure your Mikrotik RouterOS device, be it RouterBoard, a x86 install on bare metal, or a CHR (Cloud Hosted Router).
This guide will not go into detail on configuring the firewall. That is more complex and is going to be heavily dependent on your own scenario. As a general rule of thumb, block everything coming into your router, and poke holes in the firewall for the services you need.
Here are the steps to help secure your Mikrotik RouterOS router via the command line interface.
Change the admin password.
This first point should be the most obvious. The default admin account is blank, so the first thing you need to do is change the admin password.

/user set [find name=admin] password=Password123

Replace ‘admin’ with the name of the account you want to change the password for.
Change the admin username to be something more unique
In this example the default ‘admin’ username will be renamed to ‘test’. This can help prevent people guessing usernames and passwords and subsequently gaining access to your router. Its much harder to try and guess a password via brute force when you don’t know what the username is.

/user set [find name=admin] name=test

Replace ‘test’ with the name of the account you want to change it to.
Disable unused interfaces
Having interfaces enabled when your router is in a publicly accessable location can mean someone can physically go up to the router, and plug a cable in. To prevent this, disable any unused interfaces.
Show the interfaces on your device

/interface print

This will vary greatly depending on your hardware.
Example output:

Flags: D - dynamic, X - disabled, R - running, S - slave
 #     NAME                                TYPE       ACTUAL-MTU L2MTU
 0  R  ether1                              ether            1500
 1  R  ether2                              ether            1500
 2  R  ether3                              ether            1500
 3  R  ether4                              ether            1500
 4  R  ether5                              ether            1500

Disable one of the interfaces
In this example we will disable ether4.

/interface set [find name=ether4] disabled=yes

Replace ether4 with the name of the interface you want to disable.
Check to ensure its disabled

[admin@MikroTik] > /interface print
Flags: D - dynamic, X - disabled, R - running, S - slave
 #     NAME                                TYPE       ACTUAL-MTU L2MTU
 0  R  ether1                              ether            1500
 1  R  ether2                              ether            1500
 2  R  ether3                              ether            1500
 3  X  ether4                              ether            1500
 4  R  ether5                              ether            1500

The X in the 2nd column shows that it has been disabled.
Disable unused services
Show the services that are available on the router.

/ip service print

Example output

Flags: X - disabled, I - invalid
 #   NAME      PORT ADDRESS                                       CERTIFICATE
 0   telnet      23
 1   ftp         21
 2   www         80
 3   ssh         22
 4 XI www-ssl    443                                               none
 5   api       8728
 6   winbox    8291
 7   api-ssl   8729                                               none

Disable any unused services, especially the unsecure ones such as telnet.
This example command will disable the telnet service.

/ip service set [find name=telnet] disabled=yes

Note: Firewall rules should be set up to limit access to the services that you don’t want to disable.
Verify the service has been disabled

[admin@MikroTik] > /ip service print
Flags: X - disabled, I - invalid
 #   NAME      PORT ADDRESS                                       CERTIFICATE
 0 XI telnet      23
 1   ftp         21
 2   www         80
 3   ssh         22
 4 XI www-ssl    443                                               none
 5   api       8728
 6   winbox    8291
 7   api-ssl   8729                                               none

It would be best to disable all unsecured/unencrypted/unused services
Here is an example to only allow ssh:

/ip service set [find name=telnet] disabled=yes
/ip service set [find name=ftp] disabled=yes
/ip service set [find name=www] disabled=yes
/ip service set [find name=ssh] disabled=no
/ip service set [find name=www-ssl] disabled=yes
/ip service set [find name=api] disabled=yes
/ip service set [find name=winbox] disabled=yes
/ip service set [find name=api-ssl] disabled=yes

Disable MAC Telnet Access
The MAC server feature can be used to access the Mikrotik/RouterOS device by MAC address only, even if not IP address is set on the router. While it can be extremely handy on the trusted private side of the network, you shouldn’t have a need to have this enabled on a un-trusted interface.
View the state of the MAC server

/tool mac-server print

Example output

Flags: X - disabled, * - default
 #    INTERFACE
 0  * all

Disable the MAC server on all interfaces.

/tool mac-server set [find interface=all] disabled=yes

Ensure its disabled:

[admin@MikroTik] > /tool mac-server print
Flags: X - disabled, * - default
 #    INTERFACE
 0 X* all

Note: if you need MAC Telnet access, please configure it to only be on your trusted private network interfaces.
Disable MAC WinBox Access
This is essentially the process as above, but adding the mac-winbox option.
Check MAC WinBox server status

/tool mac-server mac-winbox print

example output

Flags: X - disabled, * - default
 #    INTERFACE
 0  * all

Disable MAC WinBox on all interfaces

/tool mac-server mac-winbox set [find interface=all] disabled=yes

Example output after disabling

[admin@MikroTik] > /tool mac-server mac-winbox print
Flags: X - disabled, * - default
 #    INTERFACE
 0 X* all

Note: if you need MAC WinBox access, please configure it to only be on your trusted private network interfaces.
Disable MAC Server Ping
Again, very similar to the above two features.
Show the status

/tool mac-server ping print

Example output

  enabled: yes

Disable MAC server ping

/tool mac-server ping set enabled=no

Verify its disabled

[admin@MikroTik] > /tool mac-server ping print
  enabled: no

Disable neighbor discovery on public interfaces
Neighbor device discovery can be a handy tool, but there is no need for it to be enabled on a public interface.
View current state of neighbor discovery interfaces

/ip neighbor discovery print

example output

Flags: X - disabled
 #   NAME
 0   ether1
 1   ether2
 2   ether3
 3   ether4
 4   ether5

Disable neighbor discovery on public interfaces
In this example, i will disable neighbor discovery on the ether5 interface

/ip neighbor discovery set [find name=ether5] discover=no

verify it is now disabled

[admin@MikroTik] > /ip neighbor discovery print
Flags: X - disabled
 #   NAME
 0   ether1
 1   ether2
 2   ether3
 3   ether4
 4 X ether5

Enable strong SSH Crypto
Check what SSH settings you are currently using

/ip ssh print

Example output

           forwarding-enabled: no
  always-allow-password-login: no
                strong-crypto: no
                host-key-size: 2048

Enable strong crypto

/ip ssh set strong-crypto=yes

Ensure its been applied

[admin@MikroTik] > /ip ssh print
           forwarding-enabled: no
  always-allow-password-login: no
                strong-crypto: yes
                host-key-size: 2048

Enable reverse path filtering
Check the IP settings

/ip settings print

Example output

              ip-forward: yes
          send-redirects: yes
     accept-source-route: no
        accept-redirects: no
        secure-redirects: yes
               rp-filter: no
          tcp-syncookies: no
    max-neighbor-entries: 8192
             arp-timeout: 30s
         icmp-rate-limit: 10
          icmp-rate-mask: 0x1818
             route-cache: yes
         allow-fast-path: yes
   ipv4-fast-path-active: yes
  ipv4-fast-path-packets: 0
    ipv4-fast-path-bytes: 0
   ipv4-fasttrack-active: no
  ipv4-fasttrack-packets: 0
    ipv4-fasttrack-bytes: 0

Turn on reverse path filtering

/ip settings set rp-filter=strict

Verify it is now enabled

[admin@MikroTik] > /ip settings print
              ip-forward: yes
          send-redirects: yes
     accept-source-route: no
        accept-redirects: no
        secure-redirects: yes
               rp-filter: strict
          tcp-syncookies: no
    max-neighbor-entries: 8192
             arp-timeout: 30s
         icmp-rate-limit: 10
          icmp-rate-mask: 0x1818
             route-cache: yes
         allow-fast-path: yes
   ipv4-fast-path-active: yes
  ipv4-fast-path-packets: 0
    ipv4-fast-path-bytes: 0
   ipv4-fasttrack-active: no
  ipv4-fasttrack-packets: 0
    ipv4-fasttrack-bytes: 0

Disable SOCKS server
The SOCKS server should always be disabled nowadays, unless you have a unusual use case scenario where something needs to use it. If this is the case, please ensure its not accessible from the public interfaces via a firewall filter.
Check the SOCKS server status

/ip socks print

Example output

                  enabled: no
                     port: 1080
  connection-idle-timeout: 2m
          max-connections: 200

In this example, it is already disabled (enabled=no)
Disable SOCKS server

/ip socks set enabled=no

Disable the bandwidth test server
Check the status of the bandwidth test server

/tool bandwidth-server print

Example output

                  enabled: yes
             authenticate: yes
  allocate-udp-ports-from: 2000
             max-sessions: 100

Disable the bandwidth server tool

/tool bandwidth-server set enabled=no

Confirm the service has now been disabled

[test@MikroTik] > /tool bandwidth-server print
                  enabled: no
             authenticate: yes
  allocate-udp-ports-from: 2000
             max-sessions: 100

Disable remote DNS queries
RouterOS has the ability to act as a caching DNS server. If you dont wish to use this feature, its best to disable it, if its not already disabled.
Check the status

/ip dns print

Example output

                      servers:
              dynamic-servers:
        allow-remote-requests: no
          max-udp-packet-size: 4096
         query-server-timeout: 2s
          query-total-timeout: 10s
       max-concurrent-queries: 100
  max-concurrent-tcp-sessions: 20
                   cache-size: 2048KiB
                cache-max-ttl: 1w
                   cache-used: 9KiB

Note: in this example, its already disabled (allow-remote-requests=no).
Disable remote DNS requests

/ip dns set allow-remote-requests=no

Other / General
Keep your router up to date. Bugs and exploits are found from time to time on all devices, and your router is no different. Please ensure you are running a current version of the RouterOS operating system.

You Might Also Like