Mikrotik Router Hardening By Maraka Antony
Mikrotik routers straight out of the box require security hardening like any other router. Very basic configuration changes can be made immediately to reduce the attack surface while implementing best practices, and more advanced changes allow routers to pass compliance scans and formal security audits.
Below is a simple configuration to improve the security of our router.
The user will be soc with password W!M@x, for the sysadmin who will be doing all router management.
Now delete the default admin user account using the command below.
To confirm that the new user soc and its password work, power the router off and on again.
You can create more user accounts for all the Router administrators. When an administrator leaves the organization their access to the router should be removed so they are unable to change any configurations. If an administrator goes on a leave of absence or is put on some manner of "legal hold" it can also be a good idea to temporarily disable their access, depending on the company's compliance requirements and legal counsel input.
To disable an account use the disable command.
First I will add another user, Kimtai, with password Admin@123, then later disable his account.
NB: group=full gives the user read and write access to the router. Other group options exist, e.g. read or write.
Disable user Kimtai's account; a flag of X shows that it has been disabled, as shown below.
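The user-management steps above, written out as RouterOS CLI commands. This is an added example, not the article's own command listing; the user names and passwords are the ones the article uses, and the ordering (create and verify the new account before removing admin, disable rather than remove the departing administrator) is the check a practitioner would want.

```routeros
# Added example (not from the original article): RouterOS CLI commands for the
# user-management steps above. Names and passwords are the article's own values.

# Create the management account first, so a working login exists
# before the default "admin" account is removed.
/user add name=soc password="W!M@x" group=full comment="primary sysadmin"

# Check: from a SECOND session, log in as soc and run "/user print" to
# confirm the account works with full rights. Only then remove admin.
/user remove [find name="admin"]

# A further administrator account, later disabled rather than removed so that
# log entries referencing the user stay attributable.
/user add name=Kimtai password="Admin@123" group=full
/user disable [find name="Kimtai"]

# Verify: a disabled account carries the X flag in the output.
/user print
```

Disabling keeps the account object (and the meaning of any log lines that name it) while blocking login; `remove` is the right choice only once no audit requirement depends on the record.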
2. Assigning IPs to Interfaces

IP and Interface Plan

Interface   IP                  Description
Ether1      192.168.88.100/24   ether1-WAN
Ether2      10.10.10.1/24       ether2-Management
Ether3      192.168.0.1/24      ether3-LAN
Check the interfaces on the router.
Edit the names according to the list above.
Take note of the # column (0, 1, 2, 3); these index numbers are what we will use when assigning the names to the interfaces, as below.
Always disable unused ports on your router or managed switches. Here we shall disable port 4.
Disable Ether4.
Add the IPs as in the IP table above. You can also use comments to distinguish the ports.
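The interface renaming, port disabling and address assignment above as RouterOS commands. This is an added example rather than the article's listing; the index numbers 0 to 2 assume a four-port unit whose `/interface print` output lists ether1 to ether4 in order, which must be confirmed on the actual device before renaming, and the address comments are my own wording.

```routeros
# Added example (not from the article): renaming, disabling and addressing the
# interfaces according to the IP and interface plan above.

# Show the interfaces; the leading # column gives the index used below.
# Assumption: on this unit index 0..3 correspond to ether1..ether4.
/interface print

# Rename by index, exactly as the plan lists them.
/interface set 0 name=ether1-WAN
/interface set 1 name=ether2-Management
/interface set 2 name=ether3-LAN

# Unused port: disabled rather than left up and unconfigured.
/interface set ether4 disabled=yes

# Addresses from the plan, each commented with its role.
/ip address add address=192.168.88.100/24 interface=ether1-WAN comment="WAN uplink"
/ip address add address=10.10.10.1/24 interface=ether2-Management comment="Management"
/ip address add address=192.168.0.1/24 interface=ether3-LAN comment="LAN"

# Check the result: ether4 should show the X flag, and each address its interface.
/interface print
/ip address print
```

Renaming by index is convenient but fragile if the print order differs (a bridge or VLAN interface, for example, changes the numbering), so always read the `#` column from the live output immediately before issuing the `set` commands.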
3. Neighbor Discovery
Another best practice is to disable neighbor discovery, which stops the router from being discovered by other devices running the Mikrotik Neighbor Discovery Protocol (MNDP) or Cisco Discovery Protocol (CDP).
By default this setting is enabled on Mikrotik routers and switches, as shown below.
To disable neighbor discovery use the following:
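The neighbor-discovery change as RouterOS commands, added here as an example rather than taken from the article. The command path depends on the RouterOS version: the per-interface `/ip neighbor discovery` settings apply to 6.40 and earlier, while 6.41 and later moved the setting to an interface list under `/ip neighbor discovery-settings`. The version boundary is stated from memory and should be confirmed against the running release.

```routeros
# Added example (not from the article). The command path differs by RouterOS
# version; check yours with "/system resource print" before choosing.

# --- RouterOS 6.40 and earlier: one entry per interface, all enabled by default
/ip neighbor discovery print
/ip neighbor discovery set [find] discover=no

# --- RouterOS 6.41 and later: discovery is driven by an interface list
/ip neighbor discovery-settings print
/ip neighbor discovery-settings set discover-interface-list=none

# Verify: after the change "/ip neighbor print" on a peer Mikrotik should no
# longer list this router, and the router itself should stop sending MNDP/CDP.
```

On the newer releases, setting the list to `none` disables both sending and receiving on every interface; if neighbor discovery is genuinely needed on a management port, a dedicated interface list containing only that port is the least-privilege alternative to re-enabling it globally.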
4. Services
List services running on the router:
Disable the weak-protocol applications. Services like Telnet, FTP and WWW are inherently insecure and should not be used in production environments given that secure alternatives such as SSH and HTTPS exist.
4. Disable the SOCKS service, and disable remote DNS requests.
5. Disable the bandwidth-server tool.
6. We'll also shut off the MAC Telnet and MAC Winbox servers. These give administrators access to a router that has no IP address assigned, but by default they are turned on and running on ALL interfaces, even WAN interfaces. A user inside your LAN could connect to the device via one of the MAC services, so that access needs to be restricted from both internal and external networks. We'll disable these services entirely; it is suggested that you re-enable them only on dedicated management interfaces.
7. Disable the RoMON feature if you are not using it for device management, to reduce the attack surface:
8. Strong Crypto
Stronger crypto for SSH is available as of RouterOS 6.30, so we'll enable that. SSH clients such as PuTTY that can use the stronger crypto will default to it and leave the weaker algorithms unused. As of November 2016 there is no way to explicitly disable the weaker crypto algorithms on the Mikrotik for SSH. Turn on SSH strong crypto:
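Steps 4 through 8 above (service cleanup, SOCKS, remote DNS, bandwidth server, MAC servers, RoMON and SSH strong crypto) as one RouterOS command sequence. This is an added example, not the article's listing. It goes slightly beyond the article in one place: restricting the surviving SSH and Winbox services to the management subnet from the IP plan, which is my addition. The MAC-server syntax again depends on the RouterOS version (interface lists from 6.41 onward), and which services you keep enabled depends on how the router is administered; SSH and Winbox are kept here.

```routeros
# Added example (not from the article): steps 4 to 8 as RouterOS commands.
# Assumptions: SSH and Winbox are the administration channels kept open;
# 10.10.10.0/24 is the management subnet from the IP plan; RouterOS 6.41+
# unless the "6.40 and earlier" alternative is noted.

# List what is listening, then disable the cleartext services.
/ip service print
/ip service disable telnet,ftp,www
# Review any remaining service you do not use, and bind the ones you keep to
# the management subnet (my addition, beyond the article's steps).
/ip service set ssh address=10.10.10.0/24
/ip service set winbox address=10.10.10.0/24

# SOCKS proxy off; the router must not answer DNS for arbitrary remote clients.
/ip socks set enabled=no
/ip dns set allow-remote-requests=no

# Bandwidth test server off.
/tool bandwidth-server set enabled=no

# MAC Telnet and MAC Winbox: off on every interface (6.41 and later).
/tool mac-server set allowed-interface-list=none
/tool mac-server mac-winbox set allowed-interface-list=none
# RouterOS 6.40 and earlier equivalent:
# /tool mac-server set [find] disabled=yes
# /tool mac-server mac-winbox set [find] disabled=yes

# RoMON off unless it is actually used for device management.
/tool romon set enabled=no

# Stronger SSH algorithms (RouterOS 6.30 and later).
/ip ssh set strong-crypto=yes

# Verify the end state.
/ip service print
/ip socks print
/ip dns print
/tool bandwidth-server print
/tool romon print
/ip ssh print
```

Two practical checks after applying this: open a fresh SSH session from the management subnet before closing the one you are working in, so a mistaken `address=` value cannot lock you out, and confirm from a host outside 10.10.10.0/24 that the service ports no longer answer.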
With the above configuration, the router is better protected against both simple and more sophisticated attacks.