RouterOS version
Start by upgrading your RouterOS version. Some older releases have had weaknesses or vulnerabilities that have since been fixed. Keep your device up to date to be sure it is secure. Click "Check for updates" in Winbox or Webfig to upgrade. We suggest that you follow announcements on our security announcement blog to be informed about any new security issues.
Access to a router
Access username
Change the default username admin to a different name. A custom name helps to protect access to your router if anybody gets direct access to it.
/user add name=myname password=mypassword group=full
/user remove admin
Access password
MikroTik routers require a password to be configured; we suggest using a password generator tool to create secure, non-repeating passwords. By a secure password we mean:
- Minimum 12 characters;
- Includes numbers, symbols, capital and lower-case letters;
- Is not a dictionary word or a combination of dictionary words;
/user set 0 password="!={Ba3N!\"40TyX+GvKBz?jTLIUcx/,"
Another option is to set the password interactively,
/password
We strongly suggest using the second method or the Winbox interface to apply a new password to your router, to keep it safe from unauthorized access.
Access by IP address
Besides the default firewall, which protects your router from unauthorized access from outside networks, it is possible to restrict a user's access to a specific IP address or subnet,
/user set 0 allowed-address=x.x.x.x/yy
x.x.x.x/yy - your IP address or network subnet that is allowed to access your router.
Router services
All production routers have to be administered by SSH, secured Winbox or HTTPS. Use the latest Winbox version for secure access. Note that in the newest Winbox versions, "Secure mode" is on by default and can no longer be turned off.
RouterOS services
Most of the RouterOS administrative tools are configured at
/ip service print
Keep only the secure ones,
/ip service disable telnet,ftp,www,api,api-ssl
/ip service print
and also change the default port; this will immediately stop most of the random SSH brute-force login attempts:
/ip service set ssh port=2200
/ip service print
Additionally, each /ip service entry can be restricted to an allowed IP address or subnet (the addresses the service will reply to),
/ip service set winbox address=192.168.88.0/24
RouterOS MAC-access
RouterOS has built-in options for easy management access to network devices. These services should be shut down on production networks.
MAC-Telnet
Disable mac-telnet services,
/tool mac-server set allowed-interface-list=none
/tool mac-server print
MAC-Winbox
Disable mac-winbox services,
/tool mac-server mac-winbox set allowed-interface-list=none
/tool mac-server mac-winbox print
MAC-Ping
Disable mac-ping service,
/tool mac-server ping set enabled=no
/tool mac-server ping print
Neighbor Discovery
The MikroTik Neighbor Discovery protocol is used to show and recognize other MikroTik routers in the network; disable neighbor discovery on all interfaces,
/ip neighbor discovery-settings set discover-interface-list=none
Bandwidth server
The bandwidth server is used to test throughput between two MikroTik routers. Disable it in production environments.
/tool bandwidth-server set enabled=no
DNS cache
The router might have the DNS cache enabled, which decreases resolving time for DNS requests from clients to remote servers. If the DNS cache is not required on your router, or another router is used for that purpose, disable it.
/ip dns set allow-remote-requests=no
Other clients services
RouterOS might have other services enabled (they are disabled in the default RouterOS configuration). MikroTik caching proxy,
/ip proxy set enabled=no
MikroTik socks proxy,
/ip socks set enabled=no
MikroTik UPNP service,
/ip upnp set enabled=no
MikroTik dynamic name service or IP cloud,
/ip cloud set ddns-enabled=no update-time=no
More Secure SSH access
RouterOS supports stronger crypto for SSH, and most newer client programs support it too; to turn on SSH strong crypto:
/ip ssh set strong-crypto=yes
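As an added example (not part of the MikroTik documentation), the following Python script audits a RouterOS export for the service, SSH, MAC-server and user settings recommended in the sections above. The export text is a constructed sample; the menu paths and keys are the ones used by the commands on this page, and the script only judges settings that actually appear in the export.

```python
# Constructed sample in the style of RouterOS "/export verbose" output; not from a real device.
SAMPLE_EXPORT = """\
/ip service
set telnet disabled=no port=23
set ssh disabled=no port=22
/ip ssh
set strong-crypto=no
/tool mac-server
set allowed-interface-list=all
/user
add name=admin group=full
"""

INSECURE_SERVICES = {"telnet", "ftp", "www", "api", "api-ssl"}
# (menu, key, predicate on the exported value, finding) for single-setting menus on this page
SETTING_CHECKS = [
    ("/ip ssh", "strong-crypto", lambda v: v != "yes", "ssh strong-crypto is off"),
    ("/tool mac-server", "allowed-interface-list", lambda v: v != "none", "mac-telnet not disabled"),
    ("/tool mac-server mac-winbox", "allowed-interface-list", lambda v: v != "none", "mac-winbox not disabled"),
    ("/ip neighbor discovery-settings", "discover-interface-list", lambda v: v != "none", "neighbor discovery on"),
]

def parse_export(text: str) -> list:
    """Return (menu, item-name, {key: value}) for each set/add line under its '/menu' header."""
    entries, menu = [], ""
    for tokens in (line.split() for line in text.splitlines()):
        if tokens and tokens[0].startswith("/"):
            menu = " ".join(tokens)
        elif tokens and tokens[0] in ("set", "add"):
            # 'set <name> k=v' addresses an item; plain 'set k=v' edits a single-settings menu
            name = tokens[1] if len(tokens) > 1 and "=" not in tokens[1] else ""
            kv = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
            entries.append((menu, name, {k: v.strip('"') for k, v in kv.items()}))
    return entries

def audit(text: str) -> list:
    """List the items on this page that the export contradicts; only exported settings are judged."""
    findings = []
    for menu, name, kv in parse_export(text):
        if menu == "/ip service" and kv.get("disabled", "no") == "no":
            if name in INSECURE_SERVICES:
                findings.append(f"insecure service enabled: {name}")
            if name == "ssh" and kv.get("port", "22") == "22":
                findings.append("ssh listening on default port 22")
        if menu == "/user" and kv.get("name") == "admin":
            findings.append("default user 'admin' still exists")
        for m, key, is_bad, msg in SETTING_CHECKS:
            if menu == m and key in kv and is_bad(kv[key]):
                findings.append(msg)
    return findings
```

Run it on the output of /export verbose so that settings still at their defaults are included in the text being checked.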
Router interface
Ethernet/SFP interfaces
It is good practice to disable all unused interfaces on your router, in order to reduce the opportunities for unauthorized access to your router.
/interface print
/interface set x disabled=yes
Where x is the number of the unused interface.
LCD
Some RouterBOARDs have an LCD module for informational purposes; set a PIN or disable it.
/lcd set enabled=no