The following steps are recommendations for protecting your router. We strongly
suggest keeping the default firewall; it can be extended with other rules that
fulfil the requirements of your setup. Other tweaks and configuration options to
harden your router's security are described later.
Contents
1 RouterOS version
2 Access to a router
2.1 Access username
2.2 Access password
2.3 Access by IP address
3 Router services
3.1 RouterOS services
3.2 RouterOS MAC-access
3.2.1 MAC-Telnet
3.2.2 MAC-Winbox
3.2.3 MAC-Ping
3.3 Neighbor Discovery
3.4 Bandwidth server
3.5 DNS cache
3.6 Other clients services
3.7 More Secure SSH access
4 Router interface
4.1 Ethernet/SFP interfaces
4.2 LCD
5 Firewall
5.1 IPv4 firewall to a router
5.2 IPv4 firewall for clients
6 IPv6
6.1 IPv6 ND
6.2 IPv6 firewall to a router
6.3 IPv6 firewall for clients
RouterOS version
Start by upgrading your RouterOS version. Some older releases have had weaknesses
or vulnerabilities that have since been fixed, so keep your device up to date to be
sure it is secure. Click "Check for updates" in Winbox or Webfig to upgrade. We
suggest that you follow our security announcement blog to be informed about any new
security issues.
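The same upgrade from the terminal, as an added example that is not part of the original page. The commands are standard RouterOS; the "stable" channel name is one of the channels RouterOS offers, and choosing it is an assumption of this example:

```routeros
# Pick the release channel first; "stable" gets the security fixes without the
# experimental changes of the "testing"/"development" channels.
/system package update set channel=stable

# Query MikroTik's update server and compare with the running version.
/system package update check-for-updates
/system package update print

# Download and install the new packages; the router reboots itself afterwards.
/system package update install

# The RouterBOARD firmware (bootloader) is upgraded separately. After the package
# upgrade, compare "current-firmware" with "upgrade-firmware" and apply it:
/system routerboard print
/system routerboard upgrade

# One more reboot so the new firmware is actually used.
/system reboot
```

Run this from a console or a session you can afford to lose; the router reboots twice and is unreachable for a minute each time.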
Access to a router
Access username
Change the default username admin to a different name. A custom name helps to
protect access to your router if anybody gets direct access to it, because an
attacker then has to guess the username as well as the password.
Warning: Use a secure password and a different name for your router's username.
Access password
/password
We strongly suggest using the interactive /password command above, or the Winbox
interface, to set the new password: neither places the password on the command
line, which keeps it safe from other unauthorised access.
Access by IP address
Besides the fact that the default firewall protects your router from unauthorized
access from outside networks, it is possible to restrict a username to logging in
only from specific IP addresses (the allowed-address property of the user).
Note: Log in to the router with the new credentials to check that the username and
password work before you close the session you used to create them.
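The three steps above (new username, new password, source-address restriction) carried out in one terminal session, as an added example that is not the page's own code. The user name netadmin, the 192.168.88.0/24 management prefix and the placeholder password are constructed for the example:

```routeros
# Create a replacement administrator with a non-default name. Generate the
# password with a password manager or a tool such as pwgen; the value below is a
# constructed placeholder, not a recommendation.
/user add name=netadmin group=full password="3k9#vQ!m2Lp7@zRw" allowed-address=192.168.88.0/24 comment="primary admin, LAN only"

# Confirm the account exists with the intended group and source restriction.
/user print detail where name=netadmin

# Open a SECOND session and log in as netadmin before touching the default
# account. In that session the password can be changed again interactively,
# without it appearing on the command line:
/password

# Only after the new login works, remove the default "admin" account so the
# well-known name can no longer be brute-forced.
/user remove admin

# Afterwards, keep an eye on failed attempts against the router.
/log print where topics~"system" and message~"login failure"
```

allowed-address only controls which source addresses that user may log in from; it does not replace the firewall. If you manage the router over a VPN, add the VPN pool to the list, or you lock yourself out of the only account with group=full.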
Router services
RouterOS services
Most RouterOS management tools are configured under /ip service. Keep only the
secure ones you actually use (for example SSH and Winbox) and also change the
default port; this immediately stops most of the random SSH brute-force login
attempts.
Additionally, each /ip service entry can be restricted to allowed IP addresses
(the addresses the service will reply to).
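A worked /ip service hardening pass, added here as an example and not taken from the page. The port 2222, the 192.168.88.0/24 prefix and the certificate name router-cert are assumptions:

```routeros
# Inventory: which management services listen, on what port, and for whom.
/ip service print

# Plaintext or unneeded protocols: telnet and ftp send credentials in the clear,
# www is plain HTTP, api is the unencrypted API.
/ip service disable telnet,ftp,www,api

# Keep SSH and Winbox, but move SSH off port 22 (cuts the background brute-force
# noise) and make both answer only to the management network.
/ip service set ssh port=2222 address=192.168.88.0/24
/ip service set winbox address=192.168.88.0/24

# If web management is needed, keep only HTTPS, bound to a certificate that has
# already been imported under the assumed name "router-cert".
/ip service set www-ssl certificate=router-cert disabled=no address=192.168.88.0/24

# The encrypted API is only useful if something actually talks to it.
/ip service disable api-ssl

# Re-check: every remaining entry should have a port and an address you chose.
/ip service print
```

Changing the SSH port does not stop a targeted attacker, who will find it with a port scan; its value is removing the mass scanners that only ever try 22. The address restriction and the firewall are what actually limit exposure.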
RouterOS MAC-access
RouterOS has built-in options for easy management access to network devices at
layer 2, without an IP address. These services should be shut down on production
networks, because anyone on the same Ethernet segment can reach them.
MAC-Telnet
Disable the MAC-Telnet server.
MAC-Winbox
MAC-Ping
Neighbor Discovery
The MikroTik Neighbor Discovery Protocol (MNDP) is used to show and recognise
other MikroTik routers in the network; it also announces the router's identity,
version and addresses to anyone on the same segment. Disable neighbor discovery on
all interfaces.
Bandwidth server
The bandwidth server is used to test throughput between two MikroTik routers.
Disable it in a production environment, or anyone who can reach it can saturate
your links.
DNS cache
The router may have the DNS cache enabled, which decreases resolution time for DNS
requests from clients to remote servers. If the DNS cache is not required on your
router, or another router is used for that purpose, disable it; a router that
answers remote DNS requests on a public interface is an open resolver.
Other clients services
RouterOS may have other services enabled (they are disabled in the default
RouterOS configuration), for example the MikroTik caching proxy. Check for and
disable any that your setup does not use.
More Secure SSH access
RouterOS can use stronger crypto for SSH, and most newer SSH clients support it.
To turn on SSH strong crypto:
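The whole of sections 3.2 to 3.7 (MAC-Telnet, MAC-Winbox, MAC-Ping, neighbor discovery, bandwidth server, DNS cache, other client services, SSH strong crypto) applied in one pass, as an added example that is not the page's own code. The interface-list syntax requires RouterOS 6.41 or newer; the socks, UPnP and cloud-DDNS lines go beyond the page's single caching-proxy example and are additions of this example:

```routeros
# 3.2 MAC-access: works without an IP address, so anyone on the same L2 segment
# can reach it. "none" switches each service off for every interface.
/tool mac-server set allowed-interface-list=none
/tool mac-server mac-winbox set allowed-interface-list=none
/tool mac-server ping set enabled=no

# 3.3 Neighbor discovery: stop announcing identity, version and addresses
# (MNDP, CDP and LLDP) to the segment.
/ip neighbor discovery-settings set discover-interface-list=none

# 3.4 Bandwidth test server: an open btest server lets anyone fill your uplink.
/tool bandwidth-server set enabled=no

# 3.5 DNS: with allow-remote-requests=yes the router resolves for whoever the
# firewall lets in, i.e. it is an open resolver on a public WAN.
/ip dns set allow-remote-requests=no
/ip dns cache flush

# 3.6 Other client services, disabled by default but worth confirming.
/ip proxy set enabled=no
/ip socks set enabled=no
/ip upnp set enabled=no
/ip cloud set ddns-enabled=no update-time=no

# 3.7 SSH: prefer the stronger cipher, MAC and key-exchange set, drop the legacy
# ones. Old SSH clients may no longer connect; test from every admin host.
/ip ssh set strong-crypto=yes
/ip ssh print
```

Disabling DNS with allow-remote-requests=no still lets the router resolve names for its own use (for example for NTP or update checks); it only stops answering queries that arrive from the network. If the router is meant to be the LAN resolver, keep it enabled and instead make sure the firewall drops UDP/TCP 53 arriving on the WAN.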
Router interface
Ethernet/SFP interfaces
Disable every interface that is not in use, so that a spare port cannot be used
to plug into the network:
/interface print
/interface set x disabled=yes
(replace x with the number or name of the interface from the print output)
LCD
Some RouterBOARDs have an LCD module for informational purposes; set a PIN or
disable it.
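A fuller version of the interface and LCD steps, added as an example and not the page's own code. It selects interfaces by their default name instead of the list index, which is the safer idiom in scripts; ether4, ether5 and wlan1 being unused, and the PIN 4821, are assumptions:

```routeros
# Show every interface with its flags; R = running (link up), X = disabled.
# Ports that never show R are candidates for disabling.
/interface print

# Disable by default-name instead of the list index: numbers shift when
# interfaces are added, renamed or exported, names do not.
/interface ethernet set [find default-name=ether4] disabled=yes comment="unused, disabled for hardening"
/interface ethernet set [find default-name=ether5] disabled=yes comment="unused, disabled for hardening"

# The same for an unused wireless interface.
/interface wireless set [find default-name=wlan1] disabled=yes

# Verify nothing that is needed was taken down.
/interface print where disabled=yes

# LCD: require a PIN for changes made on the screen, or switch the module off.
/lcd pin set pin-number=4821 hide-pin-number=yes
/lcd set enabled=no
```

A disabled port stays disabled across reboots and is still visible in /interface print, so a later operator can see it was deliberate from the comment rather than assuming a fault.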
Firewall
We strongly suggest keeping the default firewall on. Here are a few adjustments
that make it more secure; make sure you understand what each rule does before you
apply it.
IPv4 firewall to a router
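An input-chain rule set that protects the router itself, added here as an example and not the page's own rules. The address-list name allowed_to_router and the 192.168.88.2-192.168.88.254 range are assumptions; adjust them to the hosts you manage from:

```routeros
# Trusted administrative hosts; adjust the range for your network.
/ip firewall address-list add list=allowed_to_router address=192.168.88.2-192.168.88.254 comment="admin hosts"

/ip firewall filter
# Rules are evaluated top to bottom and the first match wins: put the accepts
# that match most traffic first and the catch-all drop last.
add chain=input action=accept connection-state=established,related comment="replies to the router's own sessions"
add chain=input action=drop connection-state=invalid comment="drop invalid"
add chain=input action=accept protocol=icmp comment="ICMP: keep ping and path-MTU discovery working"
add chain=input action=accept src-address-list=allowed_to_router comment="management only from trusted hosts"
add chain=input action=drop comment="drop everything else addressed to the router"

# Review the order and the hit counters before trusting the set.
/ip firewall filter print stats where chain=input
```

Apply firewall changes in Safe Mode (Ctrl+X in the terminal): if a rule cuts off your own session, the router reverts the change instead of leaving you locked out. The default configuration reaches the same goal with an interface-based rule (drop input with in-interface-list=!LAN); the address-list form above is tighter because a host on the LAN that is not in the list still cannot manage the router.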
IPv6
Currently the IPv6 package is disabled by default. Enable the package with care,
as RouterOS will at the moment not create any default firewall rules for IPv6:
once it is enabled, the router and every client with a global address are
reachable from the Internet until you add rules yourself.
IPv6 ND
Enabling IPv6 makes your clients reachable from public networks, because their
addresses are globally routable and, unlike IPv4, there is normally no NAT in
front of them. Set up a proper firewall to protect your customers.
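The IPv6 counterpart to the IPv4 rules, covering both the ND step and the missing IPv6 firewall, added as an example and not the page's own configuration. It assumes the LAN is the interface named bridge and that an interface list named LAN exists (the default configuration creates one); both are assumptions:

```routeros
# ND: the default entry applies to all interfaces and would advertise the router
# on the WAN as well. Disable it and advertise only on the LAN bridge.
/ipv6 nd set [find default=yes] disabled=yes
/ipv6 nd add interface=bridge advertise-dns=yes

/ipv6 firewall filter
# input: traffic to the router itself
add chain=input action=accept connection-state=established,related comment="replies"
add chain=input action=drop connection-state=invalid comment="invalid"
add chain=input action=accept protocol=icmpv6 comment="ICMPv6 carries ND, RA and PMTUD; never block it wholesale"
add chain=input action=accept protocol=udp dst-port=546 src-address=fe80::/10 comment="DHCPv6 client/PD replies from the upstream, only if used"
add chain=input action=accept in-interface-list=LAN comment="management from the LAN"
add chain=input action=drop comment="everything else to the router"

# forward: traffic through the router to the clients
add chain=forward action=accept connection-state=established,related comment="replies"
add chain=forward action=drop connection-state=invalid comment="invalid"
add chain=forward action=accept protocol=icmpv6 comment="ICMPv6 end to end"
add chain=forward action=accept in-interface-list=LAN comment="clients going out"
add chain=forward action=drop comment="unsolicited inbound to clients: no NAT hides them in IPv6"

/ipv6 firewall filter print stats
```

The forward-chain drop is the rule that does the job the IPv4 NAT did implicitly; without it every client with a global address is directly reachable. Keep the ICMPv6 accepts: blocking ICMPv6 breaks neighbor discovery and path-MTU discovery, which shows up as connections that hang rather than fail cleanly.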