
Securing a MikroTik Router.

Why?

  • Prevent unauthorized people from accessing the system.
  • An intruder can steal information from you, or even deny you access to your resources.
  • An intruder can use your resources to access other systems.

How?

  • Keeping the router up-to-date.
  • Securing users & passwords.
  • Securing physical access.
  • Configuring packages.
  • Hardening services.

01. Keeping the router firmware up-to-date.

  • Use the current version
  • Check the changelog before upgrading to a newer version
  • Download from a trusted source
  • Verify the file hash (MD5) when downloading from a third-party site
  • https://mikrotik.com/download

02. Securing users & passwords.

  • System> Users
  • Change the admin account name.
  • Set a complex password.
  • Create a separate account for each user.
  • Set the allowed address.
  • Put read-only users in the "read" group

03. Securing physical access.

  • Interfaces> Interface List
  • Disable the console (optional).
  • Always log out of console sessions.
  • Disable unused interfaces.
  • Don't configure unused interfaces (optional).

04. Configuring packages.
System> Package> Check For Update> Update and Installation> Ok.

  • Disable unused packages
  • Check packages installed
  • Check version of each package
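The update and package steps of sections 01 and 04, written as RouterOS terminal commands. This is an added example, not part of the original post; it assumes RouterOS v7, the "long-term" release channel, and that "ups" is an installed extra package you do not need (substitute whatever /system package print shows).

```routeros
# Added example (not from the original post). Assumes RouterOS v7.
# 01. See what is running now and what the update channel offers
/system resource print
/system package update set channel=long-term
/system package update check-for-updates
# Read the changelog on mikrotik.com for the offered version before installing
/system package update install
# After the reboot, bring the RouterBOOT bootloader up to the same version
/system routerboard print
/system routerboard upgrade
# 04. Review installed packages and their versions, disable what you do not use
/system package print
/system package disable ups    # "ups" is an assumed example of an unused extra package
/system reboot                 # package changes take effect after a reboot
```

Check the changelog before every step, as the post says: the long-term channel keeps you on the branch with the fewest surprises, and /system package print after the reboot confirms that every package reports the same version.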

05. Hardening services.
IP> Services> IP Service List

  • Disable unsecured services (e.g. Telnet)
  • Change service ports (optional)
  • Disable unused services
  • Define an access list for each service
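Sections 02, 03 and 05 as one terminal session. This is an added example, not code from the original post; the management subnet 192.168.88.0/24, the user names "netadmin" and "auditor", the interface names ether4/ether5, and the ports 62222 and 68291 are assumptions to replace with your own.

```routeros
# Added example (not from the original post). All names, addresses and ports are assumptions.
# 02. One account per person, the built-in admin renamed and disabled, access tied to a source subnet
/user add name=netadmin group=full password="Use-A-Long-Passphrase-Here" address=192.168.88.0/24
/user add name=auditor group=read password="Another-Long-Passphrase" address=192.168.88.0/24
# Log in as netadmin first, then retire the default account
/user set admin name=oldadmin disabled=yes
/user print
# 03. Physical access: unused ports and the serial console off
/interface ethernet disable [find name~"ether(4|5)"]
/system console print
/system console set [find] disabled=yes    # serial console; skip if you still need it
# 05. Services: clear-text and unused services off, the rest on non-default ports and limited by address
/ip service disable telnet,ftp,www,api,api-ssl
/ip service set ssh port=62222 address=192.168.88.0/24
/ip service set winbox port=68291 address=192.168.88.0/24
/ip service set www-ssl address=192.168.88.0/24
/ip service print
```

The address= restriction on users and on services is a separate control from the firewall: even if a firewall rule is later misordered, a login attempt from outside the listed subnet is refused by the service itself. Keep a second session open while disabling the admin account so a typo in the new user's password does not lock you out.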

06. Loading firewall.

  • Loading a firewall adds a layer of security.
  • Set up port knocking (optional).
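A minimal input-chain firewall with the optional port knocking from section 06. This is an added example, not the post's own rules; it assumes a LAN of 192.168.88.0/24, an interface list named "WAN", Winbox on its default port 8291, and knock ports 1111 and 2222 chosen arbitrarily.

```routeros
# Added example (not from the original post). LAN subnet, "WAN" list and knock ports are assumptions.
/ip firewall filter
add chain=input connection-state=established,related action=accept comment="allow replies to our own traffic"
add chain=input connection-state=invalid action=drop comment="drop invalid"
add chain=input protocol=icmp action=accept comment="allow ping"
add chain=input src-address=192.168.88.0/24 action=accept comment="management from LAN"
# Port knocking: TCP 1111 then TCP 2222 from the same source opens Winbox for that source for 1 hour
add chain=input in-interface-list=WAN protocol=tcp dst-port=1111 \
    action=add-src-to-address-list address-list=knock-1 address-list-timeout=15s comment="knock step 1"
add chain=input in-interface-list=WAN protocol=tcp dst-port=2222 src-address-list=knock-1 \
    action=add-src-to-address-list address-list=knocked address-list-timeout=1h comment="knock step 2"
add chain=input in-interface-list=WAN protocol=tcp dst-port=8291 src-address-list=knocked action=accept comment="Winbox after knock"
# Everything else arriving from the WAN, including the knock packets themselves, is dropped
add chain=input in-interface-list=WAN action=drop comment="drop all other WAN input"
/ip firewall filter print
/ip firewall address-list print
```

Rule order is the whole design: the knock rules only add addresses to lists, the accept rule only fires for an address already in "knocked", and the final drop catches everything else. Watch /ip firewall address-list print while testing to see the two lists fill and expire.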

07. Logging

  • Monitor the log
  • Log to disk (by default RouterOS logs to memory)
  • Send logs to a syslog server

08. NTP sync

  • Set the time zone
  • Sync time with an NTP server or the IP Cloud service

09. Misc

  • Static DHCP lease
  • Wi-Fi security
  • Back up the config with password encryption
  • Block Winbox Discovery
  • Disable Network Neighbor Discovery

10. Secure mode for Winbox.

  • In the newest Winbox versions, "Secure mode" is ON by default and can't be turned off anymore.

11. MAC-access restriction.
Tools> Winbox Interfaces>

  • Disable 'all'
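The items of section 09 together with the MAC-access restriction of section 11 as terminal commands. This is an added example, not the post's own configuration; the DHCP server name "dhcp1", the MAC address AA:BB:CC:DD:EE:FF, the lease address and the passphrases are constructed placeholders, and the Wi-Fi line assumes the legacy "wireless" package (the newer "wifi" package is configured under /interface wifi instead).

```routeros
# Added example (not from the original post). DHCP server name, MAC, addresses and passphrases are constructed.
# Static DHCP lease: a known device always gets the same address
/ip dhcp-server lease add address=192.168.88.50 mac-address=AA:BB:CC:DD:EE:FF server=dhcp1 comment="printer"
# Wi-Fi security: WPA2-PSK with a long passphrase (legacy wireless package)
/interface wireless security-profiles set default mode=dynamic-keys \
    authentication-types=wpa2-psk wpa2-pre-shared-key="Long-Wifi-Passphrase"
# Encrypted binary backup (the password is needed to restore it) plus a readable export for review
/system backup save name=router-backup password="Backup-Passphrase" encryption=aes-sha256
/export file=router-config
# Block Winbox discovery and MAC-based access (11. MAC-access restriction: nothing allowed on any interface)
/tool mac-server set allowed-interface-list=none
/tool mac-server mac-winbox set allowed-interface-list=none
/tool mac-server ping set enabled=no
# Disable neighbor discovery so the router does not announce itself
/ip neighbor discovery-settings set discover-interface-list=none
/tool bandwidth-server set enabled=no
/file print
```

Setting the MAC server and MAC-Winbox interface lists to "none" is the CLI equivalent of removing "all" in Tools> Winbox Interfaces; after this, Winbox must reach the router by IP address, which is exactly what the address restrictions on the IP services expect. Copy the backup and export files off the router (/file print shows them) rather than leaving them on the device.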

12. Site restriction
IP> Firewall> Layer7 Protocols>

  • Name: Facebook
  • Regexp: ^.+(facebook.com).*$
  • Click Apply and OK button.

IP> Firewall> Filter Rules> (+)
General

  • Chain: forward
  • Src. Address: 192.168.1.10

Advanced

  • Layer7 Protocol: Facebook

Action

  • Action: Drop
  • Click Apply and OK button.
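The Layer7 rule from section 12 entered at the terminal instead of in Winbox. This is an added example, not from the original post; the name, regexp and source address are the post's own, and the trailing "$" must be escaped because it sits inside a quoted RouterOS string.

```routeros
# Added example (not from the original post): section 12 as CLI commands.
/ip firewall layer7-protocol add name=Facebook regexp="^.+(facebook.com).*\$"
/ip firewall filter add chain=forward src-address=192.168.1.10 layer7-protocol=Facebook action=drop \
    comment="block Facebook for 192.168.1.10"
# The drop must come before any general accept in the forward chain, so move it to position 0
/ip firewall filter move [find comment="block Facebook for 192.168.1.10"] 0
/ip firewall filter print where chain=forward
```

Two caveats worth knowing before relying on this: Layer7 matching inspects the first packets of a connection, so with HTTPS it can only see the server name in the TLS handshake, and it costs CPU on every new connection. The dot in "facebook.com" is an unescaped regex metacharacter, which makes the pattern slightly broader than intended; it still matches the intended site.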

13. Virus port filtering
IP> Firewall> (+)
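A trimmed version of the well-known "virus" chain that section 13 refers to. This is an added example, not the post's own rule set; the port and worm-name pairs come from the public MikroTik example rather than from this post, and only a representative subset is shown.

```routeros
# Added example (not from the original post). Port/worm pairs follow the public MikroTik "virus" chain example.
/ip firewall filter
add chain=virus protocol=tcp dst-port=135-139 action=drop comment="Blaster worm"
add chain=virus protocol=udp dst-port=135-139 action=drop comment="Messenger worm"
add chain=virus protocol=tcp dst-port=445 action=drop comment="Blaster / Sasser"
add chain=virus protocol=udp dst-port=445 action=drop comment="Blaster"
add chain=virus protocol=tcp dst-port=1433-1434 action=drop comment="MS SQL worm ports"
add chain=virus protocol=tcp dst-port=4444 action=drop comment="Blaster backdoor"
add chain=virus protocol=tcp dst-port=5554 action=drop comment="Sasser"
add chain=virus protocol=tcp dst-port=12345 action=drop comment="NetBus"
add chain=virus protocol=tcp dst-port=27374 action=drop comment="SubSeven"
# Send forwarded traffic through the virus chain first; it returns here if nothing matched
add chain=forward action=jump jump-target=virus comment="jump to virus chain"
/ip firewall filter move [find jump-target=virus] 0
/ip firewall filter print stats where chain=virus
```

Treat this list as historical hygiene rather than protection against current malware: the ports belong to worms from years ago, and dropping 445 in the forward chain will break Windows file sharing between subnets that the router routes. The stats output shows which rules ever match, which is a good way to prune ones that never do.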

14. Log server
System> Logging> Actions
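Sections 07, 08 and 14 combined: correct time first, then logging to disk and to a remote log server. This is an added example, not the post's own configuration; it assumes RouterOS v7 NTP client syntax, a syslog server at 192.168.88.10 on UDP 514, the router's own address 192.168.88.1, and the time zone Asia/Phnom_Penh as a placeholder.

```routeros
# Added example (not from the original post). Time zone, syslog server and router address are assumptions.
# 08. NTP sync first, so every log line carries a correct timestamp (v7 syntax)
/system clock set time-zone-name=Asia/Phnom_Penh
/system ntp client set enabled=yes servers=time.cloudflare.com,pool.ntp.org
/ip cloud set update-time=yes        # alternative: let the IP Cloud service set the clock
/system clock print
# 07. Log to disk so entries survive a reboot (default "memory" action is lost on power loss)
/system logging action set disk disk-file-name=log disk-lines-per-file=2000 disk-file-count=5
/system logging add topics=info action=disk
/system logging add topics=critical,error,warning action=disk
# 14. Log server: the same topics to a remote syslog host, in BSD syslog format
/system logging action add name=remote-syslog target=remote remote=192.168.88.10 remote-port=514 \
    src-address=192.168.88.1 bsd-syslog=yes
/system logging add topics=info action=remote-syslog
/system logging add topics=critical,error,warning action=remote-syslog
/system logging print
/log print
```

On routers with small flash storage, the disk action writes to that flash, so keep disk-lines-per-file and disk-file-count modest and rely on the remote server for long retention. Login failures and firewall hits only appear if their topics are logged and the rule has log=yes, so check /log print and the syslog server after a deliberate failed login to confirm the pipeline works end to end.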
