# MikroTik Router Security Guide

Mikrotik Sec, 27 Oct 2024, mikrotik-sec

## Introduction

This guide provides a full set of scripts and configurations for securing your MikroTik router against various types of attacks, including DDoS, brute force, unauthorized access, and more. By following these steps, you will ensure that your router is well protected against common security threats.

## Pre-Requisites

- RouterOS Version: MikroTik RouterOS v6 or higher.
- Access: Winbox, WebFig, or SSH access to your router.
- Backup: Back up your current configuration before applying these scripts.

## Backup Configuration

Before applying any security settings, back up your router's current configuration:

```routeros
/system backup save name=pre_security_backup
/export file=pre_security_config
```

## Scripts and Configurations

### Secure Firewall Rules

This firewall script protects your router by blocking unwanted traffic, limiting login attempts, and preventing DDoS attacks. Rules in the input chain are evaluated top to bottom, so the accept rules for established traffic and admin access must sit above the drop rules; as originally ordered, the "Drop unneeded ports" rule dropped ports 22 and 8291 for every source before the admin rule could match. SSH is moved to port 2200 in the Access Control section below, so the admin rule allows 2200 rather than 22.

```routeros
# Populate the admin list first; 192.168.1.10 is a placeholder, replace it with your own host
/ip firewall address-list
add list=allowed_admins address=192.168.1.10 comment="Admin host allowed to manage the router"

/ip firewall filter
add chain=input connection-state=established,related action=accept comment="Allow established connections"
add chain=input connection-state=invalid action=drop comment="Drop invalid connections"
add chain=input src-address-list=blacklist action=drop comment="Drop blacklisted IPs"
add chain=input protocol=tcp dst-port=2200,8291 src-address-list=allowed_admins action=accept comment="Allow admin access"
add chain=input protocol=tcp dst-port=21,22,23,80,8291 action=drop comment="Drop unneeded ports"
add chain=input protocol=icmp action=accept comment="Allow ICMP (Ping)"
add chain=input action=drop comment="Drop all other traffic"
```

- Allow only specific ports: Drops traffic to non-essential ports.
- Admin Access Control: Allows management access only from the IPs in the `allowed_admins` list.
- Blacklist: Drops any traffic from blacklisted IPs.
- Drop all else: Drops all other connections as a final rule.

### Access Control and Remote Management Restrictions

Restrict access to the router's management interfaces.
```routeros
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set www-ssl disabled=yes
# The API services are not covered by the guide; disable them too unless you use them
set api disabled=yes
set api-ssl disabled=yes
set ssh address=192.168.1.0/24 disabled=no port=2200
set winbox address=192.168.1.0/24 port=8291
```

- Disable unused services: Disables Telnet, FTP, and Web access for increased security.
- Limit SSH and Winbox: Restricts SSH and Winbox to a specified internal subnet and moves SSH to port 2200, the port the firewall rules in this guide allow.

### Brute Force Protection

This script limits login attempts by dynamically blacklisting IP addresses after several failed attempts. The firewall cannot see whether a login succeeded, so it counts new connections to the management ports per source: a source that opens a fourth new connection within a minute is moved to `blacklist` for a day. The entries are dynamic, so no static address-list entry is needed. (The original single rule blacklisted every source on its first connection, admins included.)

```routeros
/ip firewall filter
# Placed above the "Drop unneeded ports" rule so new connections reach them; rules added in this order stay in this order
add chain=input protocol=tcp dst-port=2200,8291 connection-state=new src-address-list=blacklist action=drop comment="Drop brute force IPs" place-before=[find comment="Drop unneeded ports"]
add chain=input protocol=tcp dst-port=2200,8291 connection-state=new src-address-list=bf_stage3 action=add-src-to-address-list address-list=blacklist address-list-timeout=1d comment="4th connection within 1m: blacklist" place-before=[find comment="Drop unneeded ports"]
add chain=input protocol=tcp dst-port=2200,8291 connection-state=new src-address-list=bf_stage2 action=add-src-to-address-list address-list=bf_stage3 address-list-timeout=1m comment="3rd connection" place-before=[find comment="Drop unneeded ports"]
add chain=input protocol=tcp dst-port=2200,8291 connection-state=new src-address-list=bf_stage1 action=add-src-to-address-list address-list=bf_stage2 address-list-timeout=1m comment="2nd connection" place-before=[find comment="Drop unneeded ports"]
add chain=input protocol=tcp dst-port=2200,8291 connection-state=new action=add-src-to-address-list address-list=bf_stage1 address-list-timeout=1m comment="1st connection" place-before=[find comment="Drop unneeded ports"]
```

### VPN Configuration for Secure Remote Access

Secure remote management access by using a VPN with L2TP/IPsec. The PPP profile needs a pool to hand out client addresses, the secret needs a user name, and the input chain must admit the IPsec and L2TP handshake, otherwise the final drop rule of the firewall blocks the VPN.

```routeros
# Set up L2TP with IPsec
/ip pool add name=vpn_pool ranges=192.168.10.2-192.168.10.20
/interface l2tp-server server set enabled=yes default-profile=default use-ipsec=yes ipsec-secret=your_secret_key
/ppp profile set default local-address=192.168.10.1 remote-address=vpn_pool dns-server=192.168.10.1
/ppp secret add name=vpn_user password="secure_password" service=l2tp profile=default
# Allow IKE, NAT-T, L2TP and ESP on the input chain, above the final drop rule
/ip firewall filter
add chain=input protocol=udp dst-port=500,4500,1701 action=accept comment="Allow L2TP/IPsec" place-before=[find comment="Drop all other traffic"]
add chain=input protocol=ipsec-esp action=accept comment="Allow IPsec ESP" place-before=[find comment="Drop all other traffic"]
```

- L2TP/IPsec Setup: Configures the router for VPN access, securing remote management.
- User Authentication: Sets up a dedicated VPN user (`vpn_user`; change the name and the placeholder password).

### DNS Security

Securing DNS prevents cache poisoning and DNS spoofing attacks. With `allow-remote-requests=no` the router would not resolve names for LAN clients at all, so remote requests stay enabled and the firewall refuses DNS on the WAN side only; that is what keeps the router from being an open resolver that can be abused for amplification.

```routeros
/ip dns set allow-remote-requests=yes servers=8.8.8.8,1.1.1.1
/ip firewall filter
# Assumes the WAN and LAN interfaces are in interface lists named WAN and LAN (RouterOS v6.41 or later); adjust to your setup
add chain=input protocol=udp dst-port=53 in-interface-list=WAN action=drop comment="Drop external DNS requests" place-before=[find comment="Drop all other traffic"]
add chain=input protocol=tcp dst-port=53 in-interface-list=WAN action=drop comment="Drop external DNS requests (TCP)" place-before=[find comment="Drop all other traffic"]
add chain=input protocol=udp dst-port=53 in-interface-list=LAN action=accept comment="Allow LAN DNS requests" place-before=[find comment="Drop all other traffic"]
```

- Local DNS only: Ensures DNS requests are handled only for internal clients.
- External DNS requests: Drops DNS requests from outside the router.

### Logging and Monitoring

Enable logging to monitor potential security issues.
```routeros
/system logging
add topics=firewall action=memory
add topics=info,warning,error action=disk
# Firewall rules only produce log entries when log=yes is set; tag the final drop rule so blocked traffic is visible
/ip firewall filter set [find comment="Drop all other traffic"] log=yes log-prefix="input-drop"
```

- Firewall Logs: Logs firewall activity for review (only rules with `log=yes` write entries).
- System Logs: Logs errors, warnings, and general information to the disk.

### Scheduling Scripts

You can schedule some scripts to run periodically, like updating blacklists or performing security checks.

```routeros
/system scheduler add name=clear_blacklist interval=1d on-event="/ip firewall address-list remove [find list=blacklist]"
```

This schedule clears the blacklist every 24 hours.

### Block Starlink Access from a Particular Port (for example port 2)

Define IP addresses or DNS names for Starlink's domains (update as needed). The original rule used `src-port=2`, which matches TCP source port 2 rather than the physical port; `in-interface=ether2` matches devices attached to the second Ethernet port (assumed to be named `ether2`; if it is a bridge member, match with `in-bridge-port=ether2` instead).

```routeros
/ip firewall layer7-protocol add name=block_starlink regexp="^.*starlink.*\$"
/ip firewall filter add chain=forward in-interface=ether2 protocol=tcp layer7-protocol=block_starlink action=drop comment="Block Starlink access from port 2"
```

- Layer7 Protocol: Uses a regular expression to match Starlink-related names in packet payloads (for example the HTTP Host header or the TLS SNI); it cannot see inside encrypted data beyond that.
- Filter Rule: Blocks traffic from devices connected to port 2 when they attempt to access Starlink.
- This rule will need to be updated if IPs or domains change, or if additional domains are necessary for broader blocking.
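Worked example for the Brute Force Protection and Logging sections, added here and not part of the mikrotik-sec guide: a Python script that reads RouterOS login-failure log lines (the `login failure for user ... from ... via ...` entries that `/log print` shows) and emits the address-list commands that feed the guide's `blacklist`. The sample log lines, the year (absent from RouterOS log lines), the three-failures-in-ten-minutes threshold and the `bf_*` naming are constructed or assumed.

```python
# Added example, not part of the mikrotik-sec guide: offline brute-force detector over
# RouterOS `/log print` lines, emitting commands for the guide's `blacklist` address list.
# Sample lines are constructed; the year is assumed because log lines do not carry it.
import re
from datetime import datetime, timedelta
MONTHS = {m: i for i, m in enumerate("jan feb mar apr may jun jul aug sep oct nov dec".split(), 1)}
# "<mon>/<dd> <HH:MM:SS> <topics> login failure for user <u> from <ip> via <service>"
LOGIN_FAILURE = re.compile(
    r"^(?P<mon>[a-z]{3})/(?P<day>\d{2}) (?P<h>\d{2}):(?P<m>\d{2}):(?P<s>\d{2}) [\w,]+ "
    r"login failure for user \S+ from (?P<ip>\d+\.\d+\.\d+\.\d+) via \w+$")

SAMPLE_LOG = """\
oct/27 10:00:01 system,error,critical login failure for user admin from 203.0.113.5 via ssh
oct/27 10:00:03 system,error,critical login failure for user admin from 203.0.113.5 via ssh
oct/27 10:00:04 system,info,account user admin logged in from 192.168.1.10 via winbox
oct/27 10:00:06 system,error,critical login failure for user root from 203.0.113.5 via ssh
oct/27 10:30:00 system,error,critical login failure for user admin from 198.51.100.7 via ssh
oct/27 11:30:00 system,error,critical login failure for user admin from 198.51.100.7 via ssh
"""

def parse_failures(text, year=2024):
    """Yield (timestamp, source ip) for each login-failure line; other lines are skipped."""
    for line in text.splitlines():
        m = LOGIN_FAILURE.match(line)
        if m:
            yield (datetime(year, MONTHS[m["mon"]], int(m["day"]),
                            int(m["h"]), int(m["m"]), int(m["s"])), m["ip"])

def find_offenders(text, threshold=3, window_minutes=10):
    """Sorted IPs with at least `threshold` failures inside any window of `window_minutes`."""
    window, by_ip = timedelta(minutes=window_minutes), {}
    for ts, ip in parse_failures(text):
        by_ip.setdefault(ip, []).append(ts)
    offenders = []
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:  # slide the window start forward
                start += 1
            if end - start + 1 >= threshold:
                offenders.append(ip)
                break
    return sorted(offenders)

def blacklist_commands(ips, timeout="1d"):
    """RouterOS commands adding each offender to the guide's `blacklist` address list."""
    return [f'/ip firewall address-list add list=blacklist address={ip} '
            f'timeout={timeout} comment="brute force (log analysis)"' for ip in ips]

if __name__ == "__main__":
    print("\n".join(blacklist_commands(find_offenders(SAMPLE_LOG))))
```

Run it against a saved `/log print` output (or a syslog export of the `system` topic) and paste the printed commands into the terminal; the `timeout` keeps entries temporary, matching the scheduler that clears the list daily.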
