In this article I will explain the simple steps you need to take to secure your Mikrotik router before exposing it to the public internet. Once your router is exposed to the "wild", someone will sooner or later try to break into it by exploiting its weak spots. I will show how you can reduce the likelihood of being hacked by simply hardening the weak spots of the default configuration.
This does not mean, by the way, that the default configuration is bad. It definitely is not. However, the basic configuration is set up to fit the needs of most users, so some hardening steps must still be taken to increase the security of your Mikrotik router, by following the steps below.
NMAP: Port and Service scanning
If you would like to check which ports and services are reachable on your Mikrotik router, the nmap application is a must-have. It enables you to do a full port scan of any device within your network and helps you investigate which ports and services are still exposed to the outside world and might require hardening or blocking.
How to install the Mikrotik router
By default the Mikrotik router can be accessed via the web browser, SSH or Winbox. Mikrotik routers run a custom Linux-based OS called RouterOS, developed by Mikrotik. RouterOS is regularly updated to provide new features and fix issues in the software. This brings many benefits in terms of security, as bugs that introduce security issues are resolved quickly.
In order to configure your Mikrotik router you first need to connect it to your PC. The best way is to leave your existing router in place, so that you can configure the Mikrotik router before exposing it to the internet.
Connect an ethernet cable from your existing router (or any other ethernet cable providing internet access) to port 1 of the Mikrotik router. Next, connect your PC to port 2 of the Mikrotik router.
Then connect the power cable and let the router boot. It will make some beeping sounds as part of the booting process. Once both LEDs representing the ethernet cable connections start blinking, the connection is successful and the Mikrotik router has booted.
In order to connect to your router, either use an SSH connection, the web browser (via 192.168.88.1, the default address of the Mikrotik router) or Winbox. Winbox and SSH connections are preferred, because web browser access uses the insecure port 80 (plain HTTP). For the initial configuration this is fine, although I would urge you to disable it once the router is exposed to the public internet.
10 Simple methods to secure your Mikrotik router
Below is a list of security methods for securing your Mikrotik router. At least these methods need to be applied to ensure optimal security of your Mikrotik router.
- Change the port for SSH (or disable the service if you do not need it) and Winbox. This will prevent most of the standard attacks.
- Use port knocking to hide open ports. This is explained below in more detail. This will prevent even more attack attempts. Only do this if you need to open Winbox outside of your LAN. By default, Mikrotik firewall configuration blocks all public access.
- Disable the Bandwidth server to close port 2000.
- Disable ICMP (ping) on your Mikrotik router.
- Use long, unique and random passwords for the “Admin” account.
- Create a new account with admin privileges. Remove the existing Admin account.
- Prevent WAN access to your router. The default firewall configuration of your Mikrotik router already has this enabled.
- Disable unused packages and services.
- Log all firewall rules so you can monitor traffic and potential attack attempts, which allows you to proactively keep your router secure.
- Regularly update the software on your Mikrotik router.
- Disable the MAC ping server, MAC telnet server and MAC Winbox server (Tools – MAC Server). This disables access to the router via MAC address, which can easily be spoofed (imitated) by attackers.
- Disable "Allow Remote Requests" on your DNS (IP – DNS). You really do not want this enabled, to be safe from DNS attacks. In DHCP you can set custom DNS servers that are provisioned automatically to all clients, so there is no need to use your router as a DNS server. Also do not allow DoH; using a separate VPN is safer. If you still want to use it, however, then set up DNS over HTTPS (https://thedummit.com/mikrotik-how-to-use-doh-with-cloudflare/) and make sure external locations cannot use your DNS server.
- Update RouterBOARD firmware.
All of the above steps will be explained in more detail in the remaining sections of this article.
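The service, user and update items of the checklist above as one RouterOS terminal script. This is an added example, not code from the original article; the ports 2222 and 8219, the user name netadmin and the password are placeholders to replace with your own values.

```routeros
# Hardening script for the checklist above (added example, not from the
# original article). Run it in the RouterOS terminal; the ports, user name and
# password below are placeholders.

# 1. Change the SSH and Winbox ports and bind both services to the LAN subnet.
#    Port 8219 for Winbox matches the port-knocking example in this article.
/ip service set ssh port=2222 address=192.168.88.0/24
/ip service set winbox port=8219 address=192.168.88.0/24
/ip ssh set strong-crypto=yes

# 2. Disable services you do not need (plain HTTP on port 80 included).
/ip service disable telnet,ftp,www,api,api-ssl

# 3. Close port 2000 by disabling the bandwidth-test server.
/tool bandwidth-server set enabled=no

# 4. Disable the MAC servers (Tools > MAC Server) so the router cannot be
#    managed via spoofable MAC addresses, and limit neighbor discovery to LAN.
/tool mac-server set allowed-interface-list=none
/tool mac-server mac-winbox set allowed-interface-list=none
/tool mac-server ping set enabled=no
/ip neighbor discovery-settings set discover-interface-list=LAN

# 5. Do not act as an open DNS resolver for the outside world.
/ip dns set allow-remote-requests=no

# 6. Create a new full-rights user; log in as that user, then remove "admin".
/user add name=netadmin group=full password="REPLACE-WITH-LONG-RANDOM-PASSWORD"
# /user remove admin      <- run this from a session logged in as netadmin

# 7. Update RouterOS (install reboots the router when an update is found),
#    then upgrade the RouterBOARD firmware; it asks for confirmation and
#    takes effect after one more reboot.
/system package update check-for-updates
/system package update install
/system routerboard upgrade
```

Run `/ip service print` and `/tool mac-server print` afterwards to confirm the changes, and keep a LAN-side session open until you have verified you can still log in.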
Change port of SSH and Winbox
The main ports that you need to keep open for your Mikrotik router are SSH and Winbox. You need these to be able to manage and monitor your router. Keeping these ports open does not mean you cannot secure and harden them to prevent attacks.
Changing the ports of both SSH and Winbox is relatively easy to do.
Step 1: When you log in to the router via the Winbox tool, open the IP menu and select Services. In the new window that opens, all running services are listed, as shown in the screen below.
Step 2: To change the port of any service, including SSH or Winbox, double-click the entry, after which a new window opens. In this new window you can easily change the port of Winbox.
Step 3: Make a note of the new port, because if you forget the port number of Winbox or SSH you will no longer be able to access the router, especially when you have also hidden the port behind port knocking. Also do not forget to add the new port to the allowed ports in the firewall; otherwise you will be fully locked out of your router.
The default configuration of the Mikrotik firewall blocks (drops) all connections not coming from the internal LAN. This is already a very secure default setup which should not be changed. To add an extra security layer, it can make sense to hide the Winbox or SSH port altogether: if a port scan is run against your Mikrotik router, not exposing any ports greatly reduces the chance of being hacked, whereas ports that are permanently open, and can thus be found by a scan, pose a higher risk of falling victim to an attack.
Port knocking could play an important role here and is visually represented below.
What port knocking essentially aims to achieve is making a port available only for a certain period of time to a source address, after that source has first requested other ports in a set order. If the sequence is correct, the source address is added to a secure list, making all open ports of your router available to it.
In the infographic above this would mean that you can only access your router via Winbox if port 8219 is available to you. By default, as part of the port knocking configuration, all ports would be blocked. By first "knocking" on port 950 and then "knocking" on port 7500, your source (IP) address is added to the secure list, making port 8219 available and thereby allowing Winbox access.
While port knocking does not provide 100% security for your router, it does introduce additional hurdles for attackers who want to compromise it. As no open ports can be found with a simple port scan, it becomes much harder to find any open ports once port knocking is in place. This additional hurdle therefore prevents most opportunistic attacks. It will not fully stop targeted attacks, though.
How to setup port knocking in your Mikrotik router
In order to set up port knocking, follow the steps below and change the ports to your preference. We use a two-layer port knocking method here, meaning you need to knock two ports before the Winbox port becomes available for use.
Step 1: open a terminal on your Mikrotik router. This is the easiest way to customize the firewall to enable port knocking.
Step 2: enter the code below section by section to enable port knocking before the port is opened to the user. In this example port knocking requires first a knock on port 123 and then a knock on port 345, in that order.
/ip firewall filter
# Knock 1: a TCP packet to port 123 tags the source address for one minute.
add action=add-src-to-address-list address-list="port:123" \
address-list-timeout=1m chain=input dst-port=123 protocol=tcp
# Knock 2: a TCP packet to port 345 from a tagged source adds it to "secure".
add action=add-src-to-address-list address-list="secure" address-list-timeout=1m \
chain=input dst-port=345 protocol=tcp src-address-list="port:123"
# Sources on the "secure" list may reach the router (including the Winbox port).
add chain=input src-address-list=secure action=accept
# Everything else addressed to the router is dropped. This rule must sit after
# the existing accept rules for LAN and established connections, or you lock yourself out.
add action=drop chain=input
A firewall is used to block or forward packets that go to or come from the router. This is no different for the firewall in Mikrotik. As RouterOS is Linux based, so is its firewall: more specifically, it is based on the popular iptables firewall used within Linux.
The firewall allows you to set different rules for the Input, Output and Forward chains. The use of each is explained below.
Input rules apply to all packets that are sent from any source to the router itself. These can be packets from the internal network but also from the public internet. Input rules are therefore important to configure correctly to make sure hacking attempts are prevented.
Output rules apply to all packets leaving the router for other destinations, either internally on your local network or on the public internet.
Forward rules apply to packets that pass through the router rather than being addressed to it, such as requests for a port on the Mikrotik router that are forwarded (via a NAT rule) to specific internal network addresses and ports. For example, when you host a web server on an internal virtual machine, requests to the HTTPS port should be forwarded to the local machine that hosts the web server, and the forward chain decides whether that forwarded traffic is allowed through.
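A complete ordering of the input and forward chains that ties the port-knocking rules from the previous section to the chains described here, with the logging and ICMP items from the checklist. This is an added example, not the article's own configuration; it assumes the interface lists "WAN" and "LAN" exist (as in the default firewall) and uses 192.168.88.10 as a placeholder for the internal web server.

```routeros
# Added example (not from the original article): input and forward chains with
# the knock sequence 123 -> 345 opening Winbox on 8219, logging of all drops,
# and a dst-nat rule for an internal HTTPS server. "WAN" and "LAN" interface
# lists are assumed to exist; 192.168.88.10 is a placeholder address.
/ip firewall filter
# Keep existing sessions alive; without this, a Winbox session would be cut
# off as soon as the "secure" list entry expires.
add chain=input connection-state=established,related action=accept \
    comment="input: allow established"
add chain=input connection-state=invalid action=drop comment="input: drop invalid"
add chain=input in-interface-list=LAN action=accept comment="input: allow LAN"
add chain=input in-interface-list=WAN protocol=icmp action=drop \
    comment="input: no ping from WAN"
# Port knocking: the first knock tags the source for one minute, the second
# knock (only from tagged sources) grants access for ten minutes.
add chain=input in-interface-list=WAN protocol=tcp dst-port=123 \
    action=add-src-to-address-list address-list="port:123" \
    address-list-timeout=1m comment="knock 1"
add chain=input in-interface-list=WAN protocol=tcp dst-port=345 \
    src-address-list="port:123" action=add-src-to-address-list \
    address-list=secure address-list-timeout=10m comment="knock 2"
add chain=input in-interface-list=WAN protocol=tcp dst-port=8219 \
    src-address-list=secure action=accept comment="winbox after knock"
# Log before dropping so attempts show up in /log print.
add chain=input in-interface-list=WAN action=log log-prefix="input-drop:" \
    comment="input: log rest"
add chain=input in-interface-list=WAN action=drop comment="input: drop rest"

# Forward chain: traffic passing through the router. From WAN only
# port-forwarded (dst-nat) connections are allowed in.
add chain=forward connection-state=established,related action=accept \
    comment="fwd: allow established"
add chain=forward connection-state=invalid action=drop comment="fwd: drop invalid"
add chain=forward in-interface-list=WAN connection-state=new \
    connection-nat-state=dstnat action=accept comment="fwd: allow port-forwarded"
add chain=forward in-interface-list=WAN connection-state=new action=log \
    log-prefix="fwd-drop:" comment="fwd: log rest"
add chain=forward in-interface-list=WAN connection-state=new action=drop \
    comment="fwd: drop rest"

# The NAT rule that sends HTTPS requests arriving on WAN to the web server.
/ip firewall nat
add chain=dstnat in-interface-list=WAN protocol=tcp dst-port=443 \
    action=dst-nat to-addresses=192.168.88.10 to-ports=443 \
    comment="forward https to web server"
```

Rule order matters in RouterOS: if you add these to an existing firewall, use `/ip firewall filter print` and `move` so the accept rules precede the final drop rules, and check `/log print where message~"input-drop"` to see what is being blocked.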