Why?
- Prevent unauthorized people from accessing the system.
- An intruder can steal information from you, or even deny you access to your resources.
- An intruder can use your resources to access other systems.
How?
- Keeping router up-to-date.
- Securing user & password.
- Securing physical access.
- Configuring packages.
- Hardening services.
01. Keeping router up-to-date firmware.
- Use current version
- Check the changelog before upgrading to a newer version
- Download from a trusted source
- Verify the file checksum (MD5) when downloading from a third-party site
- https://mikrotik.com/download
02. Securing user & password.
- System> Users
- Change admin account name.
- Set complex password.
- Create separate account for each user.
- Set allowed address.
- Put read-only users in the “read” group
03. Securing physical access.
- Interfaces> Interface List
- Disable Console (optional).
- Always logout console session.
- Disable unused interfaces.
- Don’t configure unused interfaces (optional).
04. Configuring packages.
System> Package> Check For Update> Update and Installation> Ok.
- Disable unused packages
- Check packages installed
- Check version of each package
05. Hardening services.
IP> Services> IP Service List
- Disable insecure services (e.g. Telnet)
- Change service port (optional)
- Disable unused services
- Define access lists for each service
06. Loading firewall.
- Loading up a firewall will add a layer of security.
- Setup port knocking (optional).
07. Logging
- Monitor log
- Log to disk (by default RouterOS logs to memory)
- Send log to syslog server
08. NTP sync
- Set time zone
- Sync time with NTP server or IP cloud service
09. Misc
- Static DHCP lease
- Wi-Fi security
- Back up the config, encrypted with a password
- Block Winbox Discovery
- Disable Network Neighbor Discovery
10. Secure mode for Winbox.
- In the newest Winbox versions, "Secure mode" is ON by default and can't be turned off anymore.
11. MAC-access restriction.
Tools> Winbox Interfaces>
- Disable 'all'
12. Site restriction
IP> Firewall> Layer7 Protocols>
- Name: Facebook
- Regexp: ^.+(facebook.com).*$
- Click Apply and OK button.
IP> Firewall> Filter Rules> (+)
General
- Chain: forward
- Src. Address: 192.168.1.10
Advanced
- Layer7 Protocol: Facebook
Action
- Action: Drop
- Click Apply and OK button.
13. Virus port filtering
IP> Firewall> (+)
14. Log server
System> Logging> Actions