Dwelling/homepage/views/articles/hardening_mikrotik.pug

107 lines
10 KiB
Plaintext
Raw Permalink Normal View History

extends article.pug
block append head
link(rel='canonical' href='https://arav.top/stuff/article/hardening_mikrotik')
block article
header
h2 Hardening Mikrotik
div.menu
a(href='/stuff#articles') Go back to articles list
time(datetime='2022-05-20') 20 May 2022
nav
h3 Contents
ol
li #[a(href='#art-1') Introduction]
li #[a(href='#art-2') Ways to harden your router]
li #[a(href='#art-3') Password protection, SSH and address-based access restriction]
ol
li #[a(href='#art-3-1') Password]
li #[a(href='#art-3-2') SSH]
li #[a(href='#art-3-3') Allowed Address list]
li #[a(href='#art-4') Configuring service list]
li #[a(href='#art-5') Basic firewall]
ol
li #[a(href='#art-5-1') Input chain]
li #[a(href='#art-5-2') Forward chain]
h3#art-1 #[a(href='#art-1') 1. Introduction]
p I always wandered, since I #[s joined a cult] got mine, why almost no one can properly secure them. Looks like people just don't bother to do that, and leave it as it is barely configured, and only whine when get hacked. But, holy shit, even through #[code Quick Set] you get a proper secure firewall, yet there are thousands of routers sticking out with a #[s naked ass] acessible WebFig (I bet alongside with it Winbox comes as well, didn't check).
p In this article I'll show you how to harden your router's security. There's nothing difficult and could be find just by learning available features. Considering the firewall, I will just copy-paste a default set of rules, yeah, that feels no good, but what can I do if many haven't done even that.
p If you are setting up a router for the first time I strongly recommend you use a default configuration as a base. First you need to reset a configuration to clear a router. For that in Winbox go to #[code System->Reset Configuration] and check an option #[code No Default Configuration]. In teminal #[code > system/reset-configuration no-defaults=yes]. And then using #[code Quick Set] configure basic access to the Internet and a LAN. We need #[code No Default Configuration] because these defaults doesn't include a firewall (if I recall correctly, I did that in 2019 for the last time).
h3#art-2 #[a(href='#art-2') Ways to harden your router]
p Vital thing to do is to keep a firmware up to date. That's another major reason why routers becomes a part of a botnet — vulnerabilities.
p To do it in Winbox go to #[code System->Packages] and click a #[code Check For Updates] button. Or using teminal: #[code > system/package/update/check-for-updates].
p First thing is setting a password for your admin account. Many other articles recommend to rename it, but I never do that, because there's no access from outside anyway. Also we restrict from what addresses we can login.
p Second, restrict access to router's configuration by IP, and disable not used services.
p And here comes a firewall.
p And before we start I want to give you a vital tip that will save your time, and, maybe, money — use Safe Mode! To toggle it in Winbox click button #[code Safe Mode] that you can find at the top left corner. In teminal press #[code Ctrl-X]. And when you're done, don't forget to disable this mode to save all applied changes or they will revert. Winbox will warn you about activated Safe Mode, but teminal not. :)
h3#art-3 #[a(href='#art-3') Password protection, SSH and address-based access restriction]
h4#art-3-1 #[a(href='#art-3-1') Password]
p To change a password in Winbox go to #[code System->Users], double-click on your admin account and in an edit dialogue click #[code Password...] button. In teminal type in #[code > user/set admin password=new_password].
h4#art-3-2 #[a(href='#art-3-2') SSH]
p Alas, built-in SSH doesn't support modern ciphers and we cannot use keybased authentification. Hope it will change in the future. But now we have only passwords.
p To configure SSH go to #[code IP->SSH]. We need there options #[code Always Allow Password Login] and #[code Strong Crypto] to be enabled. You may change #[code Host Key Size] to something more secure and click #[code Regenerate Host Key] button. Using teminal type in #[code > ip/ssh/set always-allow-password-login=yes strong-crypto=yes]. In a terminal works autocompletion, just tap Tab key twice. To regenerate a key type in #[code > ip/ssh/regenerate-host-key] and confirm.
h4#art-3-3 #[a(href='#art-3-3') Allowed Address list]
p Every user can be restricted by what addresses he allowed to login from. You may have already noticed a field #[code Allowed Address] when was setting a password. So, again, in Winbox go to #[code System->Users], double-click your user and you will see a field #[code Allowed Address], there could be multiple entries that can be added/removed using arrow buttons at the end of fields. You can type in individual IP-addresses and whole subnets in CIDR (e.g. 192.168.88.0/24) notation.
p In teminal type in #[code > user/set admin address=] and type all addresses separated by a comma, e.g. #[code address=192.168.88.3,192.168.89.0/24].
h3#art-4 #[a(href='#art-4') Configuring service list]
p There are a bunch of different ways to configure your router: Winbox, SSH, Telnet, WebFig and API. And you can access its filesystem with FTP or SFTP.
p Good thing to do first will be disabling all not needed services. Go to #[code IP->Services] in Winbox and then using a button with a red cross disable them, or a blue check mark to enable it. Or in an edit dialogue click #[code Disable] button. In teminal type in #[code > ip/service/set service disabled=yes].
p As for me, I leave only SSH and Winbox services.
p Okay, now let's restrict access to our services by IP. It is the same as for a user, just a field called #[code Available From]. In teminal: #[code > ip/service/set service address=192.168.88.2,192.168.89.0/24].
h3#art-5 #[a(href='#art-5') Basic firewall]
p As I previously stated, default firewall we get using #[code Quick Set] is pretty much sufficient.
p Go to #[code IP->Firewall] in Winbox or #[code > ip/firewall/filter] in teminal. For IPv6 sections called #[code IPv6] for Winbox, and #[code ipv6] for teminal.
p In terminal you can switch to a needed section instead of typing it every time. To add a rule there is a command called #[code add], and #[code remove] to remove a rule by its number. To see all rules and theirs numbers type #[code print] command.
p Next I will give you set of rules for input and forward chains for IPv4 and IPv6. Those are very basic rules that allows already established connections in, allows ping our router from the Internet, and drops any other traffic that comes from anywhere else but not our LAN. Allows new connections from Internet only if there is a #[code dstnat] rule in a NAT table for that port.
h4#art-5-1 #[a(href='#art-5-1') Input chain]
p A basic input chain for IPv4:
pre
| 1 chain=input action=accept connection-state=established,related,untracked
| 2 chain=input action=drop connection-state=invalid
| 3 chain=input action=accept protocol=icmp
| 4 chain=input action=drop in-interface-list=!LAN
p Here the first rule let already allowed traffic to go in a router. The second one drops packets with invalid state. The third one allows pinging our router. And the fourth one drop all the packets that doesn't originate from interfaces listed in a LAN list.
p And for IPv6:
pre
| 1 chain=input action=accept connection-state=established,related,untracked
| 2 chain=input action=drop connection-state=invalid
| 3 chain=input action=accept protocol=icmpv6
| ;;; defconf: accept UDP traceroute
| 4 chain=input action=accept protocol=udp port=33434-33534
| ;;; defconf: accept DHCPv6-Client prefix delegation.
| 5 chain=input action=accept protocol=udp src-address=fe80::/10 dst-port=546
| 6 chain=input action=drop in-interface-list=!LAN
p As you can see pretty much the same as for IPv4 except for rules 4 and 5 that are described by their's comments above them.
h4#art-5-2 #[a(href='#art-5-2') Forward chain]
p Here comes a basic forward chain for IPv4:
pre
| 1 chain=forward action=fasttrack-connection hw-offload=yes connection-state=established,related,untracked
| 2 chain=forward action=accept connection-state=established,related,untracked
| 3 chain=forward action=drop connection-state=invalid
| 4 chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN
p First rule makes use of fasttrack mechanism that sends traffic via short path past the CPU, so called hardware offload to a switch chip. While it drastically reduce load on a CPU, we lose ability to work with traffic allowed by this rule, like mark packets, and other things in a mangle section. But, since I don't do anything special with traffic I offload everything. If you need to do something then you can fasttrack only some traffic like the one going in and out the Internet.
p In the last rule we deny establishing connections from outside if there is no destination NAT rule specified.
p So, here is a forward chain for IPv6:
pre
| 1 chain=forward action=accept connection-state=established,related,untracked
| 2 chain=forward action=drop connection-state=invalid
| 3 chain=forward action=drop src-address-list=bad_ipv6
| 4 chain=forward action=drop dst-address-list=bad_ipv6
| 5 chain=forward action=accept protocol=icmpv6
| ;;; defconf: rfc4890 drop hop-limit=1
| 6 chain=forward action=drop protocol=icmpv6 hop-limit=equal:1
| 7 chain=forward action=drop in-interface-list=!LAN
p As for rules 3 and 4 bad_ipv6 address list contains all reserved and special ranges that I won't provide here, these rules are here just to show off. And as you can see there is no #[code fasttrack-connection] rule since it is not implemented yet for IPv6.
p If you don't use NATv6 then all you need to allow connections to your machine from outside is to create a corresponding rule: #[code chain=forward action=accept dst-address= dst-port= connection-state=new]. Don't think that #[code in-interface-list=WAN] is necessary here, we allow establishing a connection, so if we access that service from inside then just immediately leave a chain with accept action. And if you do use of NATv6 then use a last rule from IPv4 firewall instead.