Securing MikroTik RouterOS

Having a solid security practise in place is one of the most important things you can do when setting up your router. There are a huge number of things MikroTik RouterOS can do and be scripted to do but this is one of the fundamental things you should take the time to do yourself and be intimate with. Your network security should be a top priority whether you’re a business or home user.

Securing RouterOS isn’t something we can write a script to help you with though, however hopefully the below pointers will help you to secure your RouterOS device and ensure as best as possible security as you can for you, your router and the clients behind it.

Admin Password

  • The first and probably simplest is changing the admin password. Simple things but some people do miss it. This is done through System>Password. Enter your new password in twice for confirmation and you’re good to go!

Admin User (or deletion of)

  • Extending the first pointer a bit, I like to actually remove the default “admin” account. To do this you go into System>Users and add a new user with “Full” access. Close Winbox and then log back in with your new username to ensure it has full write privilege and then either remove or disable the default admin account or you can change it to read only.

Unused services

  • The next pointer is a fairly obvious one again, this is simply turning off any services that you don’t need and also moving to non-standard ports for the things you do want to access. This is done through IP>Services. Ideally don’t have it active if you don’t need it.

Firewall

  • The final point I have when securing your device is by using the built in firewall to protect the router from unauthorised access. If you “need” to have remote access then you can either specify this in the src-address or if there are multiples then you can use the src-address-list. This is done through IP>Firewall using Input rules but make sure you only point it at your WAN interface otherwise you will lose your own LAN IP connectivity.

That is probably some of the lowest hanging fruit you can pick off with regards to router security. If you would like more a more in depth analysis of your security practises or some more pointers on what you could do to improve your security then please do get in touch.

It cannot be stressed enough though. Please ensure your device is secure as if you are locked out, only a reset will regain control and that will mean you lose your config.