{"id":5414,"date":"2023-08-04T23:13:06","date_gmt":"2023-08-05T04:13:06","guid":{"rendered":"https:\/\/www.incredigeek.com\/home\/?p=5414"},"modified":"2023-08-05T10:30:03","modified_gmt":"2023-08-05T15:30:03","slug":"hardening-mikrotik-routeros","status":"publish","type":"post","link":"https:\/\/www.incredigeek.com\/home\/hardening-mikrotik-routeros\/","title":{"rendered":"Hardening Mikrotik RouterOS"},"content":{"rendered":"\n<p><a href=\"https:\/\/wiki.mikrotik.com\/wiki\/Manual:Securing_Your_Router\">https:\/\/wiki.mikrotik.com\/wiki\/Manual:Securing_Your_Router<\/a><\/p>\n\n\n\n<p>Things to harden<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Delete default admin user<\/li>\n\n\n\n<li>Disable unused services and whitelist IPs<\/li>\n\n\n\n<li>Secure SSH<\/li>\n\n\n\n<li>DNS<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Delete default admin user<\/h2>\n\n\n\n<p>Before deleting the default admin user, create your own user account.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">\/user\/add name=MyUsername group=full password=mylongsecurepassword<\/pre>\n\n\n\n<p>Note: running <code>\/user\/add<\/code> will prompt you for the rest of the options.<\/p>\n\n\n\n<p>Delete the default admin user with:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">\/user remove admin<\/pre>\n\n\n\n<p>We want to delete the default admin user for two reasons.  1. There is no default password for this user. 2. 
It is a default username, which means it will be targeted for brute force attacks.<\/p>\n\n\n\n<p>Consider using <code>\/user\/group<\/code> for more granular control.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Disable unused services<\/h2>\n\n\n\n<figure class=\"wp-block-image size-full\"><a href=\"https:\/\/www.incredigeek.com\/home\/wp-content\/uploads\/2023\/08\/image-1.png\"><img loading=\"lazy\" decoding=\"async\" width=\"590\" height=\"266\" src=\"https:\/\/www.incredigeek.com\/home\/wp-content\/uploads\/2023\/08\/image-1.png\" alt=\"\" class=\"wp-image-5415\" srcset=\"https:\/\/www.incredigeek.com\/home\/wp-content\/uploads\/2023\/08\/image-1.png 590w, https:\/\/www.incredigeek.com\/home\/wp-content\/uploads\/2023\/08\/image-1-300x135.png 300w, https:\/\/www.incredigeek.com\/home\/wp-content\/uploads\/2023\/08\/image-1-500x225.png 500w\" sizes=\"auto, (max-width: 590px) 100vw, 590px\" \/><\/a><\/figure>\n\n\n\n<p>In the following, we disable all services except SSH and Winbox.  We also limit access to those services to private &#8220;RFC 1918&#8221; IP addresses only.  Customize as needed.  <\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">\/ip service\nset telnet disabled=yes\nset ftp disabled=yes\nset www disabled=yes\nset www-ssl tls-version=only-1.2\nset ssh address=\"192.168.0.0\/16,172.16.0.0\/12,10.0.0.0\/8\"\nset api disabled=yes\nset winbox address=\"192.168.0.0\/16,172.16.0.0\/12,10.0.0.0\/8\"\nset api-ssl disabled=yes tls-version=only-1.2<\/pre>\n\n\n\n<p>For www-ssl and api-ssl, tls-version is not a required argument, but you may consider using it if you need the API or Webfig.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Secure SSH<\/h2>\n\n\n\n<pre class=\"wp-block-preformatted\">\/ip\/ssh\/set strong-crypto=yes allow-none-crypto=no always-allow-password-login=no host-key-size=4096<\/pre>\n\n\n\n<p>And regenerate the SSH host key.  
It will prompt with [y\/N]; enter y to regenerate.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">\/ip\/ssh\/regenerate-host-key <\/pre>\n\n\n\n<figure class=\"wp-block-embed is-type-wp-embed is-provider-incredigeek wp-block-embed-incredigeek\"><div class=\"wp-block-embed__wrapper\">\n<blockquote class=\"wp-embedded-content\" data-secret=\"o1o6Tf4Rh2\"><a href=\"https:\/\/www.incredigeek.com\/home\/hardening-ssh-on-mikrotik-routers\/\">Hardening SSH on Mikrotik Routers<\/a><\/blockquote><iframe loading=\"lazy\" class=\"wp-embedded-content\" sandbox=\"allow-scripts\" security=\"restricted\" style=\"position: absolute; clip: rect(1px, 1px, 1px, 1px);\" title=\"&#8220;Hardening SSH on Mikrotik Routers&#8221; &#8212; Incredigeek\" src=\"https:\/\/www.incredigeek.com\/home\/hardening-ssh-on-mikrotik-routers\/embed\/#?secret=HDDczdbCIc#?secret=o1o6Tf4Rh2\" data-secret=\"o1o6Tf4Rh2\" width=\"584\" height=\"329\" frameborder=\"0\" marginwidth=\"0\" marginheight=\"0\" scrolling=\"no\"><\/iframe>\n<\/div><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">DNS<\/h2>\n\n\n\n<p>Unless your device is being used as a DNS resolver, it is best to disable &#8220;Allow Remote Requests&#8221;.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">\/ip\/dns\/set allow-remote-requests=no<\/pre>\n\n\n\n<p>If you do need it enabled, then be sure to add some firewall rules to keep your router from being used in amplification attacks.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">\/ip\/firewall\/filter\/add action=drop chain=input dst-port=53 in-interface-list=WAN protocol=udp<\/pre>\n\n\n\n<p>You can configure interface lists in <code>\/interface\/list<\/code> or Interface -> Interface List in the GUI.<\/p>\n\n\n\n<p>Or you can change <code>in-interface-list<\/code> to <code>in-interface<\/code> and specify the WAN interface directly.  
You could also set it to !LAN if you have a LAN interface list set up.<\/p>\n\n\n\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>https:\/\/wiki.mikrotik.com\/wiki\/Manual:Securing_Your_Router Things to harden Delete default admin user Before deleting the default admin user, create your own user account. \/user\/add name=MyUsername group=full password=mylongsecurepassword Note: running \/user\/add will prompt you for the rest of the options. Delete the default admin user &hellip; <a href=\"https:\/\/www.incredigeek.com\/home\/hardening-mikrotik-routeros\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[452,573],"tags":[435,277,160,1555,1553,301,1554,388,570,221],"class_list":["post-5414","post","type-post","status-publish","format-standard","hentry","category-mikrotik","category-security","tag-crypto","tag-dns","tag-firewall","tag-guide","tag-harden","tag-mikrotik","tag-rouer","tag-routeros","tag-secure","tag-ssh"],"_links":{"self":[{"href":"https:\/\/www.incredigeek.com\/home\/wp-json\/wp\/v2\/posts\/5414","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.incredigeek.com\/home\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.incredigeek.com\/home\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.incredigeek.com\/home\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.incredigeek.com\/home\/wp-json\/wp\/v2\/comments?post=5414"}],"version-history":[{"count":2,"href":"https:\/\/www.incredigeek.com\/home\/wp-json\/wp\/v2\/posts\/5414\/revisions"}],"predecessor-version":[{"id":5417,"href":"https:\/\/www.incredigeek.com\/home\/wp-json\/wp\/v2\/posts\/5414\/revisions\/5417"}],"wp:attachment":[{"href":"https:\/\/www.incredigeek.com\/home\/wp-json\/wp\/v2\/media?pare
nt=5414"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.incredigeek.com\/home\/wp-json\/wp\/v2\/categories?post=5414"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.incredigeek.com\/home\/wp-json\/wp\/v2\/tags?post=5414"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}