...
Start by upgrading your RouterOS version. Some older releases have had certain weaknesses or vulnerabilities, that have been fixed. Keep your device up to date, to be sure it is secure. Click "check for updates" in Winbox WinBox or WebfigWebFig, to upgrade. We suggest you follow announcements on our security announcement blog to be informed about any new security issues.
Access to a router
Access username
Change the default username username admin to a different name. A custom name helps to protect access to your router if anybody got has direct access to your router:
...
MikroTik routers require password configuration, we suggest using a password generator tool to create secure and non-repeating passwords. With a secure password, we mean:
- Minimum 12 characters;
- Include numbers, Symbols, Capital and lower case lowercase letters;
- Is not a Dictionary Word or a Combination of Dictionary Words;
...
RouterOS has built-in options for easy management access to network devices. The particular services should be shut down on production networks: MAC-Telnet, MAC-WinboxWinBox, and MAC-Ping:
| Code Block | ||
|---|---|---|
| ||
/tool mac-server set allowed-interface-list=none /tool mac-server mac-winbox set allowed-interface-list=none /tool mac-server ping set enabled=no |
...
MikroTik Neighbor discovery protocol is used to show and recognize other MikroTik routers in the network, and disable neighbor discovery on all interfaces:
...
A router might have DNS cache enabled, which decreases the resolving time for DNS requests from clients to remote servers. In case DNS cache is not required on your router or another router is used for such purposes, disable it:
...
It is good practice to disable all unused interfaces on your router, in order to decrease unauthorized access to your router:
...