Hardening MikroTik RouterOS by Limiting Login Services
MikroTik RouterOS is usually used as a bridge between WAN and LAN network. WAN network is always an insecure network because attackers always try to hack your RouterOS so that they can compromise it for their own benefit. As a network administrator of MikroTik RouterOS, we should always take anti hacking steps to secure our MikroTik RouterOS. There are a lot of security tasks those we should take care to secure our MikroTik RouterOS. Among these security tasks, we will see how to harden MikroTik RouterOS by limiting login services which are enabled in MikroTik RouterOS by default.
Default Login Services in MikroTik RouterOS and Its Security
By default MikroTik RouterOS enables some login services to access Router RouterOS for administration purpose. These services are api, ftp, ssh, telnet, winbox and www. We don’t usually use all these services. So, we should always disable all the unused services because hackers usually do brute forcing using these services to compromise MikroTik RouterOS.
Among these login services, some services (api and www) use both SSL and Non-SSL port. Never use Non-SSL port from the WAN because Non-SSL port sends plain text data. So, it has a good chance to leak your login credentials by the middle-man attackers. It is also better not to use Non-SSL ports from the LAN.
MikroTik RouterOS by default enable Telnet but telnet is a so insecure protocol. So, it is a good practice to disable telnet as soon as possible and never use telnet from LAN or WAN. But if we wish can use telnet from the direct connection to MikroTik Router.
MikroTik RouterOS provides facility to harden login services based on IP address. So, it is always a good practice to enable login service access from any specific IP address. If we apply login service access based on IP address, hackers from the WAN will always be denied to access login services and hence, RouterOS will be more secure.
The following image is an example of good practice to harden MikroTik RouterOS login services.
Some MikroTik RouterOS administrators modify login service ports with any free unused port. But it has disadvantages too because you may forget your modified port number and will be unable to login MikroTik Router until remembering the assigned port number. Again, it is so easy to hackers find modified ports and services using some network and service discovery tools. So, I think it is unnecessary to modify service port to harden MikroTik RouterOS login services rather it will be smart decision to limit login services access from specific IP addresses which will be discussed later in this article.
How to Disable MikroTik RouterOS Login Services
MikroTik RouterOS by default enables all the possible login services. But it is a good practice to disable all the unused login services those we don’t use for login. The following steps will show how to disable any login service in MikroTik RouterOS to make it harden.
- Login MikroTik Router using Winbox with full permission user credential.
- Go to IP > Services menu item. IP Service List window will appear where all the login services will be listed.
- Right click on a service (example: telnet) which you want to disable.
- From the appeared drop down menu, click on disable option. Desired login service will be disabled now.
Similarly we can disable any other login service easily following the above steps properly. So, don’t forget to disable any unused login service in MikroTik RouterOS. In the next section we will learn how to limit login service access from any specific IP address.
Limiting Login Services from Specific IP Addresses
Limiting login services based on IP addresses makes your RouterOS more harder. So, those services which you are keeping enabled must be limited from specific IP addresses. It will keep your MikroTik Router isolated from the rest of the world because RouterOS will only allow login from the assigned IP addresses and deny all other IP addresses. The following steps will show how to limit login service access from specific IP addresses.
- From Winbox, go to IP > Services menu item. IP Services List window will appear where all the services provided by RouterOS will be listed.
- Double click on any desired enabled login service which you want to apply access limit from specific IP address. IP Service window will appear.
- Put IP addresses or network (example: 192.168.10.0/24) from where you want to access RouterOS in Available From input box.
- Click Apply and OK button.
Now your desired login service will only be available from the assigned IP addresses. Similarly we can limit any other login service which is enabled from specific IP address and can make RouterOS more harder.
Hardening MikroTik RouterOS by limiting default login services has been discussed in this article. I hope you will now be able to harden your MikroTik Router by limiting login service access properly. However, if you face any confusion to limit login services following the above steps, feel free to discuss in comment or contact me from Contact page. I will try my best to stay with you.
Why not a Cup of COFFEE if the solution?