
Start by upgrading your RouterOS version. Some older releases have had weaknesses or vulnerabilities that have since been fixed, so keep your device up to date to be sure it is secure. Click "Check for updates" in WinBox or WebFig to upgrade. We also suggest following the MikroTik security announcement blog to be informed about any new security issues.

Access to a router

Access username

Change the default username admin to a different name. A custom name helps protect access to your router if anybody has direct access to it:

Code Block
languageros
/user add name=myname password=mypassword group=full
/user disable admin

Log in with the new account and confirm that it works before disabling admin; otherwise you can lock yourself out of the router.

Access password

MikroTik routers require password configuration; we suggest using a password generator tool to create secure, non-repeating passwords. By a secure password we mean one that:

  • Is at least 12 characters long;
  • Includes numbers, symbols, and both capital and lowercase letters;
  • Is not a dictionary word or a combination of dictionary words.

Code Block
languageros
/user set myname password="!={Ba3N!\"40TyX+GvKBz?jTLIUcx/,"

Note that a double quote inside a quoted RouterOS string has to be escaped with a backslash, as in the example; otherwise the quote ends the string early.


Another option to set a password,

...

We strongly suggest using the second method or the WinBox interface to apply a new password to your router, to keep it safe from unauthorized access.
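As an added example (not code from the original page or from MikroTik), the following Python checks a candidate password against the three criteria above, generates one that satisfies them, and builds the RouterOS /user set command with the quoting RouterOS requires. The word list and the leet-speak substitutions are constructed for the example; a real check would load a full dictionary.

```python
import re
import secrets
import string

MIN_LENGTH = 12

# Constructed stand-in for a real dictionary (e.g. /usr/share/dict/words).
DICTIONARY = {
    "password", "router", "mikrotik", "admin", "secret", "summer", "winter",
    "welcome", "letmein", "dragon", "monkey", "master", "login", "access",
    "network", "wireless", "qwerty",
}

# Common substitutions that dictionary attacks undo before matching words.
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "l", "0": "o",
                      "5": "s", "$": "s", "7": "t"})


def dictionary_coverage(pw: str) -> float:
    """Fraction of the letters in pw that dictionary words can cover.

    The password is lower-cased, leet substitutions are undone and the
    remaining non-letters are dropped; a dynamic programme then finds the
    largest number of characters coverable by non-overlapping dictionary
    words of three or more letters.
    """
    letters = re.sub(r"[^a-z]", "", pw.lower().translate(LEET))
    if not letters:
        return 0.0
    n = len(letters)
    covered = [0] * (n + 1)          # covered[i]: best coverage of letters[:i]
    for i in range(1, n + 1):
        covered[i] = covered[i - 1]
        for j in range(max(0, i - 20), i - 2):   # candidate word letters[j:i]
            if letters[j:i] in DICTIONARY:
                covered[i] = max(covered[i], covered[j] + (i - j))
    return covered[n] / n


def password_problems(pw: str) -> list[str]:
    """Return the policy violations for pw; an empty list means it passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[0-9]", pw):
        problems.append("no digit")
    if not re.search(r"[a-z]", pw):
        problems.append("no lowercase letter")
    if not re.search(r"[A-Z]", pw):
        problems.append("no uppercase letter")
    if not re.search(r"[^0-9A-Za-z]", pw):
        problems.append("no symbol")
    # 75% is an arbitrary threshold chosen for this example.
    if dictionary_coverage(pw) >= 0.75:
        problems.append("built from dictionary words")
    return problems


def generate_password(length: int = 20) -> str:
    """Generate a random password that passes password_problems()."""
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not password_problems(candidate):
            return candidate


def routeros_set_password(user: str, pw: str) -> str:
    """Build the /user set command, escaping the characters that are special
    inside a double-quoted RouterOS string: backslash, double quote, dollar."""
    escaped = pw.replace("\\", "\\\\").replace('"', '\\"').replace("$", "\\$")
    return f'/user set {user} password="{escaped}"'


if __name__ == "__main__":
    for pw in ("Welcome2Router!", "summer", generate_password()):
        print(repr(pw), password_problems(pw) or "ok")
    print(routeros_set_password("myname", generate_password()))
```

"Welcome2Router!" is the instructive case: it satisfies the length and character-class rules but is two dictionary words joined by a digit, so only the coverage check rejects it.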

RouterOS MAC-access

RouterOS has built-in options for easy management access to network devices: MAC-Telnet, MAC-WinBox, and MAC-Ping. They work at layer 2, so anyone on the same broadcast domain as an allowed interface can reach them regardless of IP configuration. These services should be shut down on production networks.

MAC-Telnet

Disable the MAC-Telnet service:

Code Block
languageros
/tool mac-server set allowed-interface-list=none 

MAC-WinBox

Disable the MAC-WinBox service:

Code Block
languageros
/tool mac-server mac-winbox set allowed-interface-list=none 

MAC-Ping

Disable the MAC-Ping service:

Code Block
languageros
/tool mac-server ping set enabled=no

Neighbor Discovery

The MikroTik Neighbor Discovery Protocol is used to show and recognize other MikroTik routers in the network; it also advertises your router's identity and RouterOS version to anyone on the link. Disable neighbor discovery on all interfaces:

Code Block
languageros
/ip neighbor discovery-settings set discover-interface-list=none 

Bandwidth server

A bandwidth server is used to test throughput between two MikroTik routers. Disable it in a production environment:

Code Block
languageros
/tool bandwidth-server set enabled=no 

DNS cache

A router might have the DNS cache enabled, which decreases the resolving time for DNS requests from clients to remote servers. A router that answers DNS queries from untrusted networks becomes an open resolver that can be abused in reflection attacks, so if the DNS cache is not required on your router, or another router is used for that purpose, disable it:

Code Block
languageros
/ip dns set allow-remote-requests=no

Other client services

RouterOS might have other services enabled (they are disabled in the default RouterOS configuration): the MikroTik caching proxy, SOCKS proxy, UPnP, and IP cloud services. Disable each one you do not use.

MikroTik caching proxy:

Code Block
languageros
/ip proxy set enabled=no

MikroTik SOCKS proxy:

Code Block
languageros
/ip socks set enabled=no

MikroTik UPnP service:

Code Block
languageros
/ip upnp set enabled=no

MikroTik dynamic name service (IP cloud):

Code Block
languageros
/ip cloud set ddns-enabled=no update-time=no

More secure SSH access

RouterOS can use stronger crypto for SSH, and most current SSH clients support it. Enabling strong crypto tightens the offered algorithms: it adds aes-128-ctr and disallows HMAC-SHA1 and key-exchange groups based on SHA-1. Turn it on with:

Code Block
languageros
/ip ssh set strong-crypto=yes

Keep your current session open and confirm that a fresh SSH login still works: a very old client that only supports the removed algorithms will no longer be able to connect.
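As an added example, not code from the original page or from MikroTik: a Python audit that reads /export output and reports every setting from the MAC-access, Neighbor Discovery, Bandwidth server, DNS cache, Other client services and SSH sections above that is still in its exposed state. The sample export is constructed. The table of defaults is an assumption (RouterOS 7 behaviour) and it matters: a non-verbose /export omits values that are at their factory default, so a key that is missing from the export is not the same as a service that is off.

```python
import re
import shlex

# Settings the sections above restrict or disable, as they appear in /export,
# the value that counts as hardened, and the value RouterOS uses when the key
# is absent from a non-verbose export.  The defaults are assumptions taken
# from RouterOS 7; confirm them against /export verbose on your version.
HARDENING_CHECKS = [
    # (export section,                  key,                       hardened, assumed default)
    ("/tool mac-server",                "allowed-interface-list",  "none",   "all"),
    ("/tool mac-server mac-winbox",     "allowed-interface-list",  "none",   "all"),
    ("/tool mac-server ping",           "enabled",                 "no",     "yes"),
    ("/ip neighbor discovery-settings", "discover-interface-list", "none",   "!dynamic"),
    ("/tool bandwidth-server",          "enabled",                 "no",     "yes"),
    ("/ip dns",                         "allow-remote-requests",   "no",     "no"),
    ("/ip proxy",                       "enabled",                 "no",     "no"),
    ("/ip socks",                       "enabled",                 "no",     "no"),
    ("/ip upnp",                        "enabled",                 "no",     "no"),
    ("/ip cloud",                       "ddns-enabled",            "no",     "no"),
    ("/ip cloud",                       "update-time",             "no",     "yes"),
    ("/ip ssh",                         "strong-crypto",           "yes",    "no"),
]


def parse_export(text: str) -> dict[str, dict[str, str]]:
    """Parse /export output into {section: {key: value}} from its 'set' lines."""
    # export wraps long lines with a trailing backslash; join them first
    text = re.sub(r"\\\r?\n\s*", " ", text)
    sections: dict[str, dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):              # menu path, e.g. "/ip dns"
            current = re.sub(r"\s+", " ", line)
            sections.setdefault(current, {})
            continue
        if current is None or not line.startswith("set "):
            continue                          # 'add' lines are not needed here
        line = re.sub(r"\[.*?\]", "", line)   # drop "[ find ... ]" selectors
        for token in shlex.split(line)[1:]:   # shlex handles quoted values
            if "=" in token:
                key, value = token.split("=", 1)
                sections[current][key] = value
    return sections


def audit(export_text: str) -> list[tuple[str, str, str, str, str]]:
    """Return (section, key, actual, hardened, source) for each failed check."""
    cfg = parse_export(export_text)
    findings = []
    for section, key, hardened, default in HARDENING_CHECKS:
        if key in cfg.get(section, {}):
            actual, source = cfg[section][key], "export"
        else:
            actual, source = default, "default (absent from export)"
        if actual != hardened:
            findings.append((section, key, actual, hardened, source))
    return findings


# Constructed sample: the non-verbose export of a partially hardened router.
SAMPLE_EXPORT = """\
# 2024-01-01 00:00:00 by RouterOS 7.13
# software id = XXXX-XXXX
/interface list
add name=LAN
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=none
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip dns
set allow-remote-requests=yes servers=192.0.2.53
/ip ssh
set strong-crypto=yes
/ip cloud
set ddns-enabled=yes
"""

if __name__ == "__main__":
    for section, key, actual, hardened, source in audit(SAMPLE_EXPORT):
        print(f"{section} {key}={actual} (want {hardened}; from {source})")
```

Run it against the text of /export from your router (or /export verbose, which prints every value and removes the need to assume defaults). On the sample, the bandwidth server and MAC-Ping are reported even though the export never mentions them, because both are on by default.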

Router interface

Ethernet/SFP interfaces

It is good practice to disable all unused interfaces on your router, in order to reduce the opportunity for unauthorized access: an unused but enabled port may give anyone who can plug in a cable layer-2 access to the router. List the interfaces, then disable the unused ones:

Code Block
languageros
/interface print 
/interface set X disabled=yes

Where X is the number (from the print output) or the name of the unused interface.

LCD

Some RouterBOARDs have an LCD module for informational purposes. Set a PIN so that the screen cannot be used without it (choose your own PIN rather than the one in the example):

Code Block
languageros
/lcd/pin/set pin-number=3659 hide-pin-number=yes

or disable it:

Code Block
languageros
/lcd/set enabled=no