As a network administrator, the first task is to secure the MikroTik router we manage by closing the gaps that irresponsible users could exploit as attack loopholes.
Here are some ways to secure a MikroTik router:
- Credentials: change the default admin username and password.
- Disable Some Services.
- Disable Bandwidth Test Server.
- Deactivate the MAC Server feature.
- Disable Neighbors Discovery.
- Disable the RoMON feature.
- Update the RouterOS version.
The first thing to do, before your router is reachable from the internet, is to change the default MikroTik admin username and password. Replace the default username “admin” with another username as well.
```
# Set a new password for the first user entry, then rename it
/user set 0 password=passwordgw
/user set 0 name=gwadmin comment="Admin Account @ https://techsoftcenter.com Networks"
```
Also add a separate account for each administrator, so that every admin has their own account for accessing the router.
```
/user add name=adam password=secret group=full comment="Adam @ https://techsoftcenter.com Networks"
```
By default, the MikroTik router runs several unencrypted protocols (Telnet, FTP, HTTP, SOCKS) and services that are not needed. These can be targeted by brute-force attacks once your router is exposed to the internet.
If your network does not use these basic services, it is better to deactivate them.
```
/ip service disable [find name=telnet]
/ip service disable [find name=ftp]
/ip service disable [find name=www]
/ip service disable [find name=www-ssl]
# The API services are named "api" and "api-ssl" in RouterOS
/ip service disable [find name=api]
/ip service disable [find name=api-ssl]
/ip service disable [find name=ssh]
/ip socks set enabled=no
```
The above commands disable the basic services Telnet, FTP, HTTP, SSH and SOCKS that are active by default.
Disable Bandwidth Test Server
This feature tests connections by generating and receiving bandwidth test traffic on the MikroTik router. It can exhaust network bandwidth and push the CPU load of your RouterBOARD to 100%.
```
/tool bandwidth-server set enabled=no
```
Deactivate the MAC Server feature
It is good practice to disable the MAC Telnet and MAC Winbox servers. They give the network admin access to the router without an IP address and are active by default on all interfaces, including the WAN / Internet interface. Users in your local network can connect to the router using the MAC service, so access via MAC address must be limited for both your internal and external networks.
```
/tool mac-server set [find] disabled=yes
/tool mac-server mac-winbox set [find] disabled=yes
/tool mac-server ping set enabled=no
```
We can activate it only on the one interface that is used as the “management interface”.
Disable Neighbors Discovery
Neighbor Discovery is a MikroTik protocol that lets MikroTik devices find each other on the same layer 2 network. It is what fills the “Neighbors” list in Winbox, which shows router information such as the router identity, MAC address, IP address, and RouterOS version. It is a good idea to deactivate Neighbor Discovery on interfaces that are connected to public users (WAN, hotspot clients, internet cafe clients).
Disable the RoMON feature
If you do not use RoMON for device management, disable that feature as well to reduce the attack surface.
```
/tool romon set enabled=no
```
Update the RouterOS version
Updating your RouterOS version and RouterBOARD fixes bugs and security holes present in the previous version.
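To check that the steps above were actually applied, the following added example (not part of the original article or of RouterOS) audits the text of a configuration export for the services, SOCKS, bandwidth test server, RoMON and default `admin` user covered here. It assumes the input comes from `/export verbose`, so that every setting is listed explicitly; the sample export and the finding messages are constructed for illustration.

```python
import re

# Services the article disables with "/ip service disable".
RISKY_SERVICES = {"telnet", "ftp", "www", "www-ssl", "api", "api-ssl", "ssh"}
# Sections with a single "enabled" switch that the article turns off.
SWITCHES = {"/ip socks": "SOCKS", "/tool bandwidth-server": "bandwidth test server",
            "/tool romon": "RoMON"}

# Constructed sample laid out like "/export verbose" output (not from a real router).
SAMPLE_EXPORT = """\
/ip service
set telnet address="" disabled=yes port=23
set ftp address="" disabled=yes port=21
set www address="" disabled=no port=80
set api address="" disabled=no port=8728
/ip socks
set enabled=no port=1080
/tool bandwidth-server
set authenticate=yes enabled=yes
/tool romon
set enabled=no
/user
add group=full name=admin
add comment="Adam @ Networks" group=full name=adam
"""

def parse_export(text):
    """Yield (section, verb, target, props) for every set/add line."""
    section = None
    text = re.sub(r"\\\r?\n\s*", "", text)  # join wrapped lines (assumed wrapping style)
    for line in map(str.strip, text.splitlines()):
        if line.startswith("/"):
            section = line
        elif section and line and not line.startswith("#"):
            verb, _, rest = line.partition(" ")
            first = rest.split(" ", 1)[0]
            target = first if first and "=" not in first else None
            yield section, verb, target, dict(re.findall(r'([\w-]+)=("[^"]*"|\S+)', rest))

def audit(text):
    """Return findings for settings the article says to turn off."""
    findings = []
    for section, verb, target, props in parse_export(text):
        if section == "/ip service" and target in RISKY_SERVICES and props.get("disabled") != "yes":
            findings.append(f"service {target} is enabled")
        elif section in SWITCHES and props.get("enabled") == "yes":
            findings.append(f"{SWITCHES[section]} is enabled")
        elif section == "/user" and verb == "add" and props.get("name") == "admin":
            findings.append("default username admin still exists")
    return findings
```

A service that does not appear in the export at all is not evaluated, which is why the verbose export is assumed; the MAC server and Neighbor Discovery settings are left out of this check.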
I hope this article has been useful.