Securing RouterOS (Mikrotik Router)

What configuration should be set for Mikrotik RouterOS routers in terms of security against common vulnerabilities?

Security Risks Associated with Routers

Routers are key components of network infrastructure that manage data traffic between local networks and the internet. This leads to the following threats:

  • Unauthorized Access: Access to the router allows manipulation of router settings, monitoring, or redirecting network traffic.
  • Exploitation of Vulnerabilities: Software bugs or vulnerabilities in RouterOS can be exploited by attackers to perform malicious actions such as installing malware, creating backdoors, or executing DoS (Denial of Service) attacks.
  • Weak Encryption: Using outdated or weak encryption standards for Wi-Fi or VPN connections can allow attackers to eavesdrop or manipulate communication.
  • Man-in-the-Middle (MitM) Attacks: Attackers can exploit unsecured or poorly configured routers to perform MitM attacks, where they can intercept, modify, or block data traffic between users and the internet.
  • Firmware Malware: Routers can be targeted by attacks that involve the installation of malicious firmware. This malware can transform the router into part of a botnet, monitor traffic, or initiate other malicious activities.
  • Physical Security Threats: Physical access to the router can allow attackers to reset the device, gain access to settings, or even install malicious hardware.
  • DDoS Attacks: Routers can be utilized as part of DDoS (Distributed Denial of Service) attacks, either as the target to be overloaded or as a tool for conducting attacks on other systems.

Measures to Prevent Security Risks in Mikrotik RouterOS Routers

  1. Protection Against Unauthorized Access

    Even the best possible security configuration of a router is only secure until an attacker gains access to RouterOS.

    • In the System → Users section:
      • Add a new user with full administrative rights and set a very strong password.
      • Disable the default admin user.
    • If remote access is necessary, prefer a VPN variant using strong encryption. Also consider generating an SSL/TLS certificate.
    • If the Wi-Fi network is not needed, disable it.
    • Disable unused services for connecting to RouterOS.
  2. Up-to-date Firmware

    Keep the router's firmware and operating system updated to the latest versions. The OS can be updated within the same version and upgraded to higher versions.

    • Updates are performed in the System → Packages section.

    Regularly update RouterOS and maintain it at its latest stable version.

  3. Wifi Security

    • Choose the Wi-Fi security method WPA2 or WPA3
    • Select encryption aes com
    • set a strong password for Wi-Fi connection.
    • If the Wi-Fi network is not required, disable it.
  4. Secure Protocols

    For remote login and network access, if allowed, use secure management protocols and secure versions of network service protocols.

    Encrypted protocols include / encryption is used for:

    • SSH
    • VPN
    • Winbox
    • Webfig when using SSL
    • Api when using SSL
  5. Setting Router Services

    In the Mikrotik router, a number of services run in the background. You can find them in the IP → Services section.

    • Disable services you do not use.
    • Consider changing default ports. Ports should be chosen in the range of 1 to 65535. After changing, it is necessary to add the port value to the IP address, see IP:Port.
    • Consider modifying access restrictions (allowing only for defined IP addresses).

    If you need to connect from outside, pay attention to settings for secure remote access.

    Do not forget that other services may also be running on the router - DHCP and VPN servers, etc.

  6. Setting the Correct Mode

    Depending on what you require from the device, set the correct operating mode.

  7. Network Segmentation

    Consider network segmentation to limit access to sensitive parts of the network.

  8. Setting Firewall

    The firewall allows setting rules, parameters, and functioning of the network and connected devices.

    • Consider whether the rules serve their function and are in the correct order
  9. Logging and Monitoring

    In System → Logging, consider setting up logging of critical events and suspicious activities.

    Regularly monitor logs and perform security audits of the device.

  10. Physical Access Restrictions

    Secure physical access to the router.