
Hardening Mikrotik

Contents

  1. Introduction
  2. Which ways are there?
    1. Updates
    2. Users
    3. Service configuration
    4. SSH
    5. Basic firewall
      1. Input chain
      2. Forward chain
  3. What else can be done?
    1. Port Scan Detection

1. Introduction

[Image: a typical set of open ports on a router exposed to the Internet]
Just don't! You don't want to be like this, am I right? :)

I have always wondered, ever since I joined the cult and got mine, why almost no one can properly configure them so they won't get pwned. Quick Set alone gives you a proper firewall, through which no one from outside can get in. But I still find a SHIT TON of routers with their naked ass facing the Internet. In the picture above you see a typical set of open ports.

In this article I'll show you how to harden your router's security. There's nothing difficult about it, and all of it can be found just by learning the available features. Here I work with RouterOS v7. As for the firewall, I will just copy-paste the default set of rules and, additionally, cover a port scan detection mechanism.

2. Which ways are there?

If you are setting up a router for the first time, I strongly recommend you use the default configuration as a base. First you need to reset the configuration to get a clean router. For that, in WinBox go to System->Reset Configuration and check the options No Default Configuration and Do Not Backup. In the terminal: > system/reset-configuration no-defaults=yes skip-backup=yes. Then use Quick Set to configure basic access to the Internet and a LAN. If I recall correctly (last time I did that back in 2019, lol), if you reset with a default configuration, then that one won't include a firewall. Probably this has changed since then.

The vital thing to do is to keep the firmware up to date. That's another major reason why routers become part of a botnet or open proxies — vulnerabilities.

Set a password for your admin account. Many other articles recommend renaming it, but I never do that, because there's no access from outside anyway. Also, later on we restrict from which addresses we can log in.

Then we also restrict access to the router's configuration by IP and disable unused services.

And then here comes the firewall.

But before we start I want to give you a vital tip that will save your time and, maybe, money: use Safe Mode! To toggle it in WinBox, click the Safe Mode button that you can find in the top left corner, or, since version 4, the toggle button in the right corner. In the terminal press Ctrl-X. And when you're done, don't forget to disable this mode to save all applied changes, or they will revert. WinBox will warn you that Safe Mode is activated, but the terminal won't. :)

2.1. Updates

To do it in WinBox go to System->Packages and click the Check For Updates button. Or using the terminal: > system/package/update/check-for-updates. After a reboot you need to upgrade the RouterBOARD firmware. In WinBox go to System->RouterBOARD and click the Upgrade button. After that, reboot the router again via System->Reboot. In the CLI: > system/routerboard/upgrade, and then > system/reboot.

2.2. Users

To change the password in WinBox go to System->Users, double-click your admin account and in the dialogue click the Password... button. In the terminal type in > user/set admin password=new_password.

As I stated before, each user and some of the services can be restricted to be accessible only from certain addresses.

In WinBox go to System->Users, double-click your user and you will see a field named Allowed Address; it can hold multiple entries, which can be added and removed. You can type in individual IP addresses and whole subnets in CIDR notation (e.g. 192.168.88.0/24). In the terminal type in > user/set admin address= followed by all addresses separated by commas, e.g. address=192.168.88.3,192.168.89.0/24.

2.3. Service configuration

There are a bunch of different ways to configure your router: WinBox, SSH, Telnet, WebFig and API. And you can access its filesystem with FTP or SFTP.

A good thing to do first is disabling all unneeded services. Go to IP->Services in WinBox and use the Disable and Enable buttons to deactivate/activate them. In the terminal type in > ip/service/set <service> disabled=yes.

As for me, I leave only SSH and WinBox services.

Now let's restrict access to our services by IP. It is the same as for a user, just in a field called Available From. In the terminal: > ip/service/set <service> address=192.168.88.2,192.168.89.0/24.

2.4. SSH

Version 7 introduced elliptic curves, which I use myself, but RSA is still there and won't lose its relevance.

To configure SSH go to IP->SSH. I recommend turning off the options Always Allow Password Login and Forwarding Enabled. Enable Strong Crypto. The Ciphers field is to be kept as Auto. Choose the Host Key Type to your preference. If RSA, then set Host Key Size to something more secure. Then click the Regenerate Host Key button.

Using the terminal type in > ip/ssh/set always-allow-password-login=no strong-crypto=yes host-key-type= host-key-size=<if rsa> forwarding-enabled=no. To regenerate the key type in > ip/ssh/regenerate-host-key and confirm.

Users' keys, used to connect to the router, are placed in System->Users on the tab named SSH Keys; click Import SSH Key to add one.

But first, the key has to be stored on the router. Go to Files and there choose New->Text file in the upper left corner. Put in a name, and paste the content of the ./.ssh/<cipher>.pub file from the host you use to connect to the router.

In the terminal you can do: > file/add type=file name=/flash/keyfile contents="...".

And then import it: > user/ssh-keys/add user=admin key=flash/keyfile.

Now you can connect over SSH without a password.

2.5. Basic firewall

As I previously stated, the default firewall we get using Quick Set is pretty much sufficient.

Go to IP->Firewall in WinBox or > ip/firewall/filter in the terminal. For IPv6 the sections are called IPv6 in WinBox and ipv6 in the terminal.

In the terminal you can switch to the needed section instead of typing it every time. To add a rule there is a command called add, and remove removes a rule by its number. To see all rules and their numbers type the print command.

Next I will give you the set of rules for the input and forward chains for IPv4 and IPv6. These are very basic rules that allow already established connections in, allow pinging our router from the Internet, and drop any other traffic that comes from anywhere other than our LAN. New connections from the Internet are allowed only if there is a dstnat rule in the NAT table for that port.

2.5.1. Input chain

A basic (default!) input chain for IPv4 that won't let your router get pwned:

1 chain=input action=accept connection-state=established,related,untracked
2 chain=input action=drop connection-state=invalid
3 chain=input action=accept protocol=icmp
4 chain=input action=drop in-interface-list=!LAN

Here the first rule lets already allowed traffic into the router. The second one drops packets with an invalid state. The third one allows pinging our router. And the fourth one drops all packets that don't originate from interfaces in the LAN list.

And for IPv6:

1 chain=input action=accept connection-state=established,related,untracked
2 chain=input action=drop connection-state=invalid
3 chain=input action=accept protocol=icmpv6
;;; defconf: accept UDP traceroute
4 chain=input action=accept protocol=udp port=33434-33534
;;; defconf: accept DHCPv6-Client prefix delegation.
5 chain=input action=accept protocol=udp src-address=fe80::/10 dst-port=546
6 chain=input action=drop in-interface-list=!LAN

As you can see, it is pretty much the same as for IPv4 except for rules 4 and 5, which are described by the comments above them.

2.5.2. Forward chain

Here comes a basic (default again) forward chain for IPv4:

1 chain=forward action=fasttrack-connection hw-offload=yes connection-state=established,related,untracked
2 chain=forward action=accept connection-state=established,related,untracked
3 chain=forward action=drop connection-state=invalid
4 chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN

The FastTrack mechanism is described in the documentation.

But in short, the fasttrack mechanism sends traffic via a short path past the CPU; in other words, it offloads traffic to the switch chip. While it drastically reduces load on the CPU, we lose the ability to work with traffic allowed by this rule, like packet marking and other things in the mangle section.

In the last rule we deny establishing connections from outside if there is no destination NAT rule specified.

So, here is the forward chain for IPv6:

1 chain=forward action=fasttrack-connection connection-state=established,related,untracked
2 chain=forward action=accept connection-state=established,related,untracked
3 chain=forward action=drop connection-state=invalid
4 chain=forward action=drop src-address-list=bad_ipv6
5 chain=forward action=drop dst-address-list=bad_ipv6
6 chain=forward action=accept protocol=icmpv6
;;; defconf: rfc4890 drop hop-limit=1
7 chain=forward action=drop protocol=icmpv6 hop-limit=equal:1
8 chain=forward action=drop in-interface-list=!LAN

As for rules 4 and 5, the bad_ipv6 address list contains all reserved and special ranges, which I won't provide here; these rules are here just to show off. Now there is a fasttrack-connection for IPv6 as well; it is still handled by the CPU, but it still reduces its load.

If you don't use NATv6, then all you need to allow connections to your machine from outside is to create a corresponding rule: chain=forward action=accept dst-address= dst-port= connection-state=new. I don't think in-interface-list=WAN is necessary here: we allow establishing a connection, so if we access that service from inside we just immediately leave the chain with the accept action. And if you do use NATv6, then use the last rule from the IPv4 firewall instead.
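To see how rule order decides the outcome, here is a toy evaluator, added as an example (not RouterOS code, not the author's), that walks the quoted IPv4 input and forward chains top to bottom against a few constructed packets. It keeps RouterOS's behaviour of accepting a packet that matches no rule, which is exactly why the final drop on in-interface-list=!LAN and the !dstnat rule carry the whole policy; matching is simplified to exact field comparison.

```python
# Toy evaluator for the RouterOS filter chains quoted above (added example,
# not RouterOS or the author's code). A rule field matches when the packet's
# value is in the rule's comma-separated list; a leading '!' negates the test.

INPUT_V4 = [
    "chain=input action=accept connection-state=established,related,untracked",
    "chain=input action=drop connection-state=invalid",
    "chain=input action=accept protocol=icmp",
    "chain=input action=drop in-interface-list=!LAN",
]
FORWARD_V4 = [
    "chain=forward action=fasttrack-connection hw-offload=yes "
    "connection-state=established,related,untracked",
    "chain=forward action=accept connection-state=established,related,untracked",
    "chain=forward action=drop connection-state=invalid",
    "chain=forward action=drop connection-state=new "
    "connection-nat-state=!dstnat in-interface-list=WAN",
]

def parse_rule(text):
    """'chain=input action=drop x=y' -> {'chain': 'input', 'action': 'drop', 'x': 'y'}"""
    return dict(token.split("=", 1) for token in text.split())

def matches(rule, pkt):
    for key, want in rule.items():
        if key in ("chain", "action", "hw-offload"):
            continue                                  # not matchers
        negate = want.startswith("!")
        hit = pkt.get(key, "none") in want.lstrip("!").split(",")
        if hit == negate:                             # matcher failed
            return False
    return True

def verdict(chain, pkt):
    """Action of the first matching rule; RouterOS accepts when nothing matches."""
    for rule in map(parse_rule, chain):
        if matches(rule, pkt):
            action = rule["action"]
            return "accept" if action == "fasttrack-connection" else action
    return "accept"   # falling off the end = accept, hence the final drop rules

# Constructed sample packets: a WinBox (8291) probe from the Internet and LAN,
# a ping from the Internet, and new forwarded flows with/without a dstnat hit.
WAN_WINBOX = {"connection-state": "new", "protocol": "tcp",
              "dst-port": "8291", "in-interface-list": "WAN"}
LAN_WINBOX = dict(WAN_WINBOX, **{"in-interface-list": "LAN"})
WAN_PING = {"connection-state": "new", "protocol": "icmp", "in-interface-list": "WAN"}
WAN_FWD_NEW = {"connection-state": "new", "protocol": "tcp", "in-interface-list": "WAN"}
WAN_FWD_DSTNAT = dict(WAN_FWD_NEW, **{"connection-nat-state": "dstnat"})
```

Run `verdict(INPUT_V4, WAN_WINBOX)` and `verdict(INPUT_V4, LAN_WINBOX)` side by side: the same probe is dropped from the WAN and accepted from the LAN only because of rule 4, not because anything explicitly allowed it.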

3. What else can be done?

Here I’ll add what else can be done to harden your router.

I'd like to make a point about the port-knocking mechanism. It is, indeed, a good thing to do, but I personally prefer to have access to my LAN from outside through a VPN. And I recommend that you do the same.

3.1. Port Scan Detection

RouterOS has a mechanism that allows you to detect port scanners.

To do so, in WinBox in the firewall Filter tab add a new rule for the input chain for the TCP/UDP protocol and set in-interface-list=WAN. After that go to the Extra tab of the rule and reveal the PSD section. I, again, chose to keep the defaults. So Weight Threshold is 21, Delay Threshold is 3 seconds, Low Port Weight is 3 and High Port Weight is 1. Which means that if within 3 seconds some shmuck reaches a weight of 21+, then we add him to a list. To do it we go to the Action tab and choose the add src to address list action, in Address List put a name to your taste, and in the Timeout field set for how long he will be restricted. I picked the value from the drop-down list named none dynamic, so the router could decide by itself, and I found that in the terminal this actually means 1h.

In the terminal: > ip/firewall/filter/add place-before=<last rule number> chain=input action=add-src-to-address-list protocol=tcp psd=21,3s,3,1 address-list=whores address-list-timeout=1h in-interface-list=WAN.

And then, to actually restrict access, we need another rule. Go to the Raw tab of the firewall and create a rule for the prerouting chain, set the Src. Address List field to the list you've made in the PSD rule, then go to the Action tab and set it to drop.

Via the terminal: > ip/firewall/raw/add chain=prerouting action=drop src-address-list=whores.
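The two rules together, as an added example rather than RouterOS's own code: a simplified Python model of what psd=21,3s,3,1 counts and of the address-list drop, run over constructed traffic. The model follows the documented meaning of the four parameters (weight only for distinct destination ports arriving within the delay threshold; 3 per privileged port, 1 per high port); how RouterOS treats corner cases such as retransmissions is an assumption here, not something the page states.

```python
# Simplified model of RouterOS's psd matcher and the address-list drop (added
# example, not MikroTik's implementation). Per the documented meaning of
# psd=21,3s,3,1: packets from one source to *different* destination ports, each
# within 3 s of the previous one, add weight (3 if port < 1024, else 1); reaching
# 21 lists the source for address-list-timeout and the raw/prerouting rule drops it.
from dataclasses import dataclass, field

@dataclass
class PortScanDetector:
    weight_threshold: int = 21      # psd weight threshold
    delay_threshold: float = 3.0    # psd delay threshold, seconds
    low_port_weight: int = 3        # destination port < 1024
    high_port_weight: int = 1       # destination port >= 1024
    list_timeout: float = 3600.0    # address-list-timeout=1h
    tracks: dict = field(default_factory=dict)   # src -> (last_ts, weight, ports)
    listed: dict = field(default_factory=dict)   # src -> expiry timestamp

    def observe(self, src, dst_port, ts):
        """Feed one TCP/UDP packet from the WAN; True if src was just listed."""
        last_ts, weight, ports = self.tracks.get(src, (None, 0, set()))
        if last_ts is not None and ts - last_ts > self.delay_threshold:
            weight, ports = 0, set()      # gap too long: sequence starts over
        if dst_port not in ports:         # repeats of one port add nothing
            ports.add(dst_port)
            weight += self.low_port_weight if dst_port < 1024 else self.high_port_weight
        self.tracks[src] = (ts, weight, ports)
        if weight >= self.weight_threshold:
            self.listed[src] = ts + self.list_timeout
            del self.tracks[src]
            return True
        return False

    def is_dropped(self, src, ts):
        """The raw prerouting rule: drop while src is still on the list."""
        return src in self.listed and ts < self.listed[src]

def run_samples():
    """Constructed traffic: a fast scan of 7 privileged ports, the same scan
    paced 4 s apart, and a legitimate client retrying port 22. Returns the
    packet index at which each source got listed (None = never)."""
    psd = PortScanDetector()
    fast = [psd.observe("203.0.113.7", p, 0.2 * i)
            for i, p in enumerate([21, 22, 23, 25, 80, 443, 445])]
    slow = [psd.observe("203.0.113.8", p, 4.0 * i)
            for i, p in enumerate([21, 22, 23, 25, 80, 443, 445])]
    retry = [psd.observe("198.51.100.5", 22, 0.1 * i) for i in range(30)]
    first = lambda flags: flags.index(True) if True in flags else None
    return {"fast": first(fast), "slow": first(slow), "retry": first(retry),
            "fast_dropped_now": psd.is_dropped("203.0.113.7", 10.0),
            "fast_dropped_after_2h": psd.is_dropped("203.0.113.7", 7200.0)}
```

Note that the fast scanner is listed on its 7th packet, so the first six probes still reach the input chain and must be handled by the drop rules above; the psd rule is a supplement to them, not a replacement.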