diff --git a/homepage/views/articles/hardening_mikrotik.pug b/homepage/views/articles/hardening_mikrotik.pug index 66d00c8..0ea6e9a 100644 --- a/homepage/views/articles/hardening_mikrotik.pug +++ b/homepage/views/articles/hardening_mikrotik.pug @@ -30,7 +30,7 @@ block article p In this article I'll show you how to harden your router's security. There's nothing difficult and could be find just by learning available features. Considering the firewall, I will just copy-paste a default set of rules, yeah, that feels no good, but what can I do if many haven't done even that. p If you are setting up a router for the first time I strongly recommend you use a default configuration as a base. First you need to reset a configuration to clear a router. For that in Winbox go to #[code System->Reset Configuration] and check an option #[code No Default Configuration]. In teminal #[code > system/reset-configuration no-defaults=yes]. And then using #[code Quick Set] configure basic access to the Internet and a LAN. We need #[code No Default Configuration] because these defaults doesn't include a firewall (if I recall correctly, I did that in 2019 for the last time). - h3#art-2 #[a(href='#art-2') Ways to harden your router] + h3#art-2 #[a(href='#art-2') 2. Ways to harden your router] p Vital thing to do is to keep a firmware up to date. That's another major reason why routers becomes a part of a botnet — vulnerabilities. p To do it in Winbox go to #[code System->Packages] and click a #[code Check For Updates] button. Or using teminal: #[code > system/package/update/check-for-updates]. p First thing is setting a password for your admin account. Many other articles recommend to rename it, but I never do that, because there's no access from outside anyway. Also we restrict from what addresses we can login. 
@@ -38,32 +38,32 @@ block article p And here comes a firewall. p And before we start I want to give you a vital tip that will save your time, and, maybe, money — use Safe Mode! To toggle it in Winbox click button #[code Safe Mode] that you can find at the top left corner. In teminal press #[code Ctrl-X]. And when you're done, don't forget to disable this mode to save all applied changes or they will revert. Winbox will warn you about activated Safe Mode, but teminal not. :) - h3#art-3 #[a(href='#art-3') Password protection, SSH and address-based access restriction] + h3#art-3 #[a(href='#art-3') 3. Password protection, SSH and address-based access restriction] - h4#art-3-1 #[a(href='#art-3-1') Password] + h4#art-3-1 #[a(href='#art-3-1') 3.1. Password] p To change a password in Winbox go to #[code System->Users], double-click on your admin account and in an edit dialogue click #[code Password...] button. In teminal type in #[code > user/set admin password=new_password]. - h4#art-3-2 #[a(href='#art-3-2') SSH] + h4#art-3-2 #[a(href='#art-3-2') 3.2. SSH] p Alas, built-in SSH doesn't support modern ciphers and we cannot use keybased authentification. Hope it will change in the future. But now we have only passwords. p To configure SSH go to #[code IP->SSH]. We need there options #[code Always Allow Password Login] and #[code Strong Crypto] to be enabled. You may change #[code Host Key Size] to something more secure and click #[code Regenerate Host Key] button. Using teminal type in #[code > ip/ssh/set always-allow-password-login=yes strong-crypto=yes]. In a terminal works autocompletion, just tap Tab key twice. To regenerate a key type in #[code > ip/ssh/regenerate-host-key] and confirm. - h4#art-3-3 #[a(href='#art-3-3') Allowed Address list] + h4#art-3-3 #[a(href='#art-3-3') 3.3. Allowed Address list] p Every user can be restricted by what addresses he allowed to login from. You may have already noticed a field #[code Allowed Address] when was setting a password. 
So, again, in Winbox go to #[code System->Users], double-click your user and you will see a field #[code Allowed Address], there could be multiple entries that can be added/removed using arrow buttons at the end of fields. You can type in individual IP-addresses and whole subnets in CIDR (e.g. 192.168.88.0/24) notation. p In teminal type in #[code > user/set admin address=] and type all addresses separated by a comma, e.g. #[code address=192.168.88.3,192.168.89.0/24]. - h3#art-4 #[a(href='#art-4') Configuring service list] + h3#art-4 #[a(href='#art-4') 4. Configuring service list] p There are a bunch of different ways to configure your router: Winbox, SSH, Telnet, WebFig and API. And you can access its filesystem with FTP or SFTP. p Good thing to do first will be disabling all not needed services. Go to #[code IP->Services] in Winbox and then using a button with a red cross disable them, or a blue check mark to enable it. Or in an edit dialogue click #[code Disable] button. In teminal type in #[code > ip/service/set service disabled=yes]. p As for me, I leave only SSH and Winbox services. p Okay, now let's restrict access to our services by IP. It is the same as for a user, just a field called #[code Available From]. In teminal: #[code > ip/service/set service address=192.168.88.2,192.168.89.0/24]. - h3#art-5 #[a(href='#art-5') Basic firewall] + h3#art-5 #[a(href='#art-5') 5. Basic firewall] p As I previously stated, default firewall we get using #[code Quick Set] is pretty much sufficient. p Go to #[code IP->Firewall] in Winbox or #[code > ip/firewall/filter] in teminal. For IPv6 sections called #[code IPv6] for Winbox, and #[code ipv6] for teminal. p In terminal you can switch to a needed section instead of typing it every time. To add a rule there is a command called #[code add], and #[code remove] to remove a rule by its number. To see all rules and theirs numbers type #[code print] command. 
p Next I will give you set of rules for input and forward chains for IPv4 and IPv6. Those are very basic rules that allows already established connections in, allows ping our router from the Internet, and drops any other traffic that comes from anywhere else but not our LAN. Allows new connections from Internet only if there is a #[code dstnat] rule in a NAT table for that port. - h4#art-5-1 #[a(href='#art-5-1') Input chain] + h4#art-5-1 #[a(href='#art-5-1') 5.1. Input chain] p A basic input chain for IPv4: pre | 1 chain=input action=accept connection-state=established,related,untracked @@ -83,7 +83,7 @@ block article | 6 chain=input action=drop in-interface-list=!LAN p As you can see pretty much the same as for IPv4 except for rules 4 and 5 that are described by their's comments above them. - h4#art-5-2 #[a(href='#art-5-2') Forward chain] + h4#art-5-2 #[a(href='#art-5-2') 5.2. Forward chain] p Here comes a basic forward chain for IPv4: pre | 1 chain=forward action=fasttrack-connection hw-offload=yes connection-state=established,related,untracked
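Review bot: in the first hunk (@@ -30,7) the numbering begins at "2." but no "1." heading is part of this patch; confirm that the introduction heading above it (outside this hunk) was given "1." in the same commit, otherwise the first number a reader sees is 2. The anchor `h3#art-2` is left unchanged, which is correct, since existing links to `#art-2` keep working.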
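Review bot: in the second hunk (@@ -38,32) the section number is now stored twice, once in the anchor id (`h4#art-3-1`) and once in the link text (`3.1. Password`), so inserting a subsection later means renumbering both by hand and they can drift apart. Consider a Pug mixin that takes the number once and emits both the id and the label, e.g. `+section('3.1', 'Password')` expanding to `h4#art-3-1 #[a(href='#art-3-1') 3.1. Password]`, or CSS counters on `h3`/`h4` so the markup carries no literal numbers at all. Either way the trailing period style ("3.1." rather than "3.1") is applied consistently across all six headings in this hunk, which is good.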
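Review bot: in the third hunk (@@ -83,7) the unchanged context line directly under the new `5.1. Input chain` heading reads "described by their's comments above them"; since this commit is already touching that region, "their's" should become "their" in the same change rather than a separate typo-fix commit. Also note that "rules 4 and 5" in that sentence refers to firewall rule numbers inside the `pre` block, not to section numbers, which the new "5.1."/"5.2." headings now place right next to it; rewording to "firewall rules 4 and 5" would avoid the ambiguity.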