Final (at this moment) polishing of an article Hardening Mikrotik.

This commit is contained in:
Alexander Andreev 2022-05-20 23:07:23 +04:00
parent 3f3e918530
commit 4ab5751d6d
Signed by: Arav
GPG Key ID: 0388CC8FAA51063F

View File

@ -27,14 +27,13 @@ block article
h3#art-1 #[a(href='#art-1') 1. Introduction]
p I always wandered, since I #[s joined a cult] got mine, why almost no one can properly secure them. Looks like people just don't bother to do that, and leave it as it is barely configured, and only whine when get hacked. But, holy shit, even through #[code Quick Set] you get a proper secure firewall, yet there are thousands of routers sticking out with a #[s naked ass] acessible WebFig (I bet alongside with it Winbox comes as well, didn't check).
p In this article I'll show you how to harden your router's security. There's nothing difficult and could be find just by learning available features. Considering the firewall, I will just copy-paste a default set of rules, yeah, that feels no good, but what can I do if many doesn't have even a basic one.
p If you are setting up a router for the first time I strongly recommend you use a default configuration as a base. First you need to reset a configuration to clear a router. For that in Winbox go to #[code System->Reset Configuration] and check an option #[code No Default Configuration]. In teminal #[code > system/reset-configuration no-defaults=yes]. And then using #[code Quick Set] configure basic access to the Internet and a LAN. We need #[code No Default Configuration] because these defaults doesn't include a firewall (if I recall correctly of course, I did that last time in 2019).
p In this article I'll show you how to harden your router's security. There's nothing difficult and could be find just by learning available features. Considering the firewall, I will just copy-paste a default set of rules, yeah, that feels no good, but what can I do if many haven't done even that.
p If you are setting up a router for the first time I strongly recommend you use a default configuration as a base. First you need to reset a configuration to clear a router. For that in Winbox go to #[code System->Reset Configuration] and check an option #[code No Default Configuration]. In teminal #[code > system/reset-configuration no-defaults=yes]. And then using #[code Quick Set] configure basic access to the Internet and a LAN. We need #[code No Default Configuration] because these defaults doesn't include a firewall (if I recall correctly, I did that in 2019 for the last time).
h3#art-2 #[a(href='#art-2') Ways to harden your router]
p Vital thing to do is to keep a firmware up to date. That's another major reason why routers becomes a part of a botnet — vulnerabilities.
p To do it in Winbox go to #[code System->Packages] and click a #[code Check For Updates] button. Or using teminal: #[code > system/package/update/check-for-updates].
p First thing is setting a password for your admin account. Many other articles recommend to rename it, but I never do that, because there's no access from outside anyway. Also we restrict from what addresses we can login.
p inb4 muh remote access. Use VPN for it, dude.
p Second, restrict access to router's configuration by IP, and disable not used services.
p And here comes a firewall.
p And before we start I want to give you a vital tip that will save your time, and, maybe, money — use Safe Mode! To toggle it in Winbox click button #[code Safe Mode] that you can find at the top left corner. In teminal press #[code Ctrl-X]. And when you're done, don't forget to disable this mode to save all applied changes or they will revert. Winbox will warn you about activated Safe Mode, but teminal not. :)
@ -62,7 +61,7 @@ block article
p As I previously stated, default firewall we get using #[code Quick Set] is pretty much sufficient.
p Go to #[code IP->Firewall] in Winbox or #[code > ip/firewall/filter] in teminal. For IPv6 sections called #[code IPv6] for Winbox, and #[code ipv6] for teminal.
p In terminal you can switch to a needed section instead of typing it every time. To add a rule there is a command called #[code add], and #[code remove] to remove a rule by its number. To see all rules and theirs numbers type #[code print] command.
p Next I will give you set of rules for input and forward chains for IPv4 and IPv6.
p Next I will give you set of rules for input and forward chains for IPv4 and IPv6. Those are very basic rules that allows already established connections in, allows ping our router from the Internet, and drops any other traffic that comes from anywhere else but not our LAN. Allows new connections from Internet only if there is a #[code dstnat] rule in a NAT table for that port.
h4#art-5-1 #[a(href='#art-5-1') Input chain]
p A basic input chain for IPv4:
@ -91,7 +90,7 @@ block article
| 2 chain=forward action=accept connection-state=established,related,untracked
| 3 chain=forward action=drop connection-state=invalid
| 4 chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN
p Exactly as for input chain, except for the first and last rules. This rule makes use of fasttrack mechanism that sends traffic via short path past the CPU. While it drastically reduce load on a CPU, we lose ability to work with traffic allowed in this rule, like mark packets, and other things in a mangle section. But, since I don't do anything special with traffic I offload everything. If you need to do something then you can fasttrack only some traffic like the one going in and out the Internet.
p First rule makes use of fasttrack mechanism that sends traffic via short path past the CPU, so called hardware offload to a switch chip. While it drastically reduce load on a CPU, we lose ability to work with traffic allowed by this rule, like mark packets, and other things in a mangle section. But, since I don't do anything special with traffic I offload everything. If you need to do something then you can fasttrack only some traffic like the one going in and out the Internet.
p In the last rule we deny establishing connections from outside if there is no destination NAT rule specified.
p So, here is a forward chain for IPv6:
pre
@ -104,3 +103,4 @@ block article
| 6 chain=forward action=drop protocol=icmpv6 hop-limit=equal:1
| 7 chain=forward action=drop in-interface-list=!LAN
p As for rules 3 and 4 bad_ipv6 address list contains all reserved and special ranges that I won't provide here, these rules are here just to show off. And as you can see there is no #[code fasttrack-connection] rule since it is not implemented yet for IPv6.
p If you don't use NATv6 then all you need to allow connections to your machine from outside is to create a corresponding rule: #[code chain=forward action=accept dst-address= dst-port= connection-state=new]. Don't think that #[code in-interface-list=WAN] is necessary here, we allow establishing a connection, so if we access that service from inside then just immediately leave a chain with accept action. And if you do use of NATv6 then use a last rule from IPv4 firewall instead.