103 lines
8.6 KiB
Plaintext
103 lines
8.6 KiB
Plaintext
extends article.pug
|
|
|
|
block head_ext
|
|
link(rel='canonical' href='https://arav.top/stuff/article/hardening_mikrotik')
|
|
|
|
block article
|
|
header
|
|
h2 Hardening Mikrotik
|
|
div.menu
|
|
a(href='/stuff#articles') Go back to articles list
|
|
time(datetime='2022-05-20') 20 May 2022
|
|
nav
|
|
h3 Contents
|
|
ol
|
|
li #[a(href='#art-1') Introduction]
|
|
li #[a(href='#art-2') Ways to harden your router]
|
|
li #[a(href='#art-3') Password protection, SSH and address-based access restriction]
|
|
ol
|
|
li #[a(href='#art-3-1') Password]
|
|
li #[a(href='#art-3-2') SSH]
|
|
li #[a(href='#art-3-3') Allowed Address list]
|
|
li #[a(href='#art-4') Configuring service list]
|
|
li #[a(href='#art-5') Firewall]
|
|
ol
|
|
li #[a(href='#art-5-1') Basic filter rules / Input]
|
|
li #[a(href='#art-5-2') Basic filter rules / Forward]
|
|
|
|
h3#art-1 #[a(href='#art-1') 1. Introduction]
|
|
p I always wandered, since I #[s joined a cult] got mine, why almost no one can properly secure them. Looks like people just don't bother to do that, and leave it as it is barely configured. But, holy shit, even through #[code Quick Set] you get a proper secure firewall rules, yet there are thousands of routers sticking out with a #[s naked ass] acessible web config interface (I bet alongside with webui winbox comes as well). Every time (pretty rarely, if I have really nothing to do) I scan my ISPs network my IP belongs to and there's always a bunch of Mikrotik routers. Never tried to login with default password tho, so can't say if they are at least have a password.
|
|
p In this article I'll show you how to harden your router's security.
|
|
p If you are setting up a router for the first time I strongly recommend you use a default configuration as a base. First you need to completely reset a configuration. For that in Winbox go to #[code System->Reset Configuration] and check an option #[code No Default Configuration]. Or in SSH: #[code system/reset-configuration no-defaults=yes].
|
|
|
|
h3#art-2 #[a(href='#art-2') Ways to harden your router]
|
|
p First and foremost thing is to keep your firmware up to date. That's the main reason why routers becomes a part of a botnet — vulnerabilities.
|
|
p Second thing is setting a password for your admin account. Many other articles recommend to rename it, but I never do that, because there's no access from outside anyway. Also we restrict access to a user with a list of allowed addresses.
|
|
p Third thing to do is to restrict access to router's config interfaces by IP, and disable not used ones.
|
|
p And here comes a firewall, I'll share some parts of mine, that is mostly a default one.
|
|
p Okay, as for keeping a firmware up to date, just don't forget to go to #[code System->Packages] and click a #[code Check For Updates] button in Winbox. Or using SSH: #[code > system/package/update/check-for-updates].
|
|
|
|
h3#art-3 #[a(href='#art-3') Password protection, SSH and address-based access restriction]
|
|
|
|
h4#art-3-1 #[a(href='#art-3-1') Password]
|
|
p To change a password in Winbox go to #[code System->Users], choose your admin account and in a dialogue click #[code Password...] button.
|
|
p To do it using SSH: #[code > user/set admin password=password].
|
|
|
|
h4#art-3-2 #[a(href='#art-3-2') SSH]
|
|
p Alas, built-in SSH doesn't support modern ciphers and we cannot use keybased authentification. Hope it will change in the future.
|
|
p To configure SSH go to #[code IP->SSH]. We need there parameters #[code Always Allow Password Login] and #[code Strong Crypto] enabled. You may change #[code Host Key Size] to something more secure and click #[code Regenerate Host Key] button. Using SSH write #[code ip/ssh/set] and tap Tab key twice and you will see available parameters names. Type in #[code ip/ssh/regenerate-host-key] and hit enter and then confirm.
|
|
|
|
h4#art-3-3 #[a(href='#art-3-3') Allowed Address list]
|
|
p User can be restricted with a list of addresses he allowed to login from. You may noticed it already when was setting a password. So, to do this in Winbox go to #[code System->Users], choose your user and in a popped up dialogue you will see a field #[code Allowed Address], there could be multiple entries that can be added/removed using arrow buttons at the end of fields. You can type individual IP-addresses and whole subnets in CIDR (e.g. 0.0.0.0/0) notation.
|
|
|
|
h3#art-4 #[a(href='#art-4') Configuring service list]
|
|
p There are a bunch of different ways to access and configure your router: Winbox, SSH, Telnet, WebFig and API. And you can access filesystem with FTP or SSH.
|
|
p Good thing to do first will be disabling all not needed services. Go to #[code IP->Services] and then using a button with a red cross disable them. Or by double-clicking click #[code Disable] button in a popped up dialogue.
|
|
p As for me, I leave only SSH and Winbox services.
|
|
p Okay, now let's restrict access to our services. In an edit dialogue there is an #[code Available From] field that is configured the same way as previous #[code Allowed Address] field.
|
|
p To do it from SSH just type #[code ip/service/set service_name disabled=yes] for each service to disable. To set available from addresses: #[code ip/service/set service_name address=192.168.88.2,192.168.89/24].
|
|
|
|
h3#art-5 #[a(href='#art-5') Firewall]
|
|
p As I previously stated, default firewall we get using #[code Quick Set] is pretty much sufficient for home use. Of course I made some changes, like turned off rules for allowing ipsec traffic. So, here I will give you a main part of my firewall.
|
|
p For IPv4 go in a Winbox to #[code IP->Firewall] or #[code ip/firewall/filter] in SSH. For IPv6 in Winbox #[code IPv6->Firewall] or in SSH #[code ipv6/firewall/filter].
|
|
|
|
h4#art-5-1 #[a(href='#art-5-1') Basic filter rules / Input]
|
|
p Here I will give you an Input chain rules with theirs description. First for IPv4, and then for IPv6. And since I don't have an IPv6 rules are purely from default configuration, but I will list them anyway.
|
|
pre
|
|
| 1 chain=input action=accept connection-state=established,related,untracked
|
|
| 2 chain=input action=drop connection-state=invalid
|
|
| 3 chain=input action=accept protocol=icmp
|
|
| 4 chain=input action=drop in-interface-list=!LAN
|
|
p Here the first rule let already allowed traffic to go in a router. The second one drops packets with invalid state. The third one allows pinging our router. And the fourth one drop all the packets that doesn't originate from interfaces listed in a LAN list.
|
|
p Here comes Input chain for IPv6 firewall:
|
|
pre
|
|
| 1 chain=input action=accept connection-state=established,related,untracked
|
|
| 2 chain=input action=drop connection-state=invalid
|
|
| 3 chain=input action=accept protocol=icmpv6
|
|
| ;;; defconf: accept UDP traceroute
|
|
| 4 chain=input action=accept protocol=udp port=33434-33534
|
|
| ;;; defconf: accept DHCPv6-Client prefix delegation.
|
|
| 5 chain=input action=accept protocol=udp src-address=fe80::/10 dst-port=546
|
|
| 6 chain=input action=drop in-interface-list=!LAN
|
|
p As you can see pretty much the same as for IPv4 except for rules 4 and 5 that are copied with their's comments to describe what are they allowing.
|
|
|
|
h4#art-5-2 #[a(href='#art-5-2') Basic filter rules / Forward]
|
|
p Okay, here comes Forward chain. For IPv4:
|
|
pre
|
|
| 1 chain=forward action=fasttrack-connection hw-offload=yes connection-state=established,related,untracked
|
|
| 2 chain=forward action=accept connection-state=established,related,untracked
|
|
| 3 chain=forward action=drop connection-state=invalid
|
|
| 4 chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN
|
|
p Exactly as for input chain, except for the first and last rules. Fasttrack sends all already allowed traffic via short path past the CPU. While it drastically reduce load on a CPU, we lose ability to work with such traffic, like mark packets, etc. But, since I don't do anything special with a traffic I offload everything. If you need to do something like mark packets then you can fasttrack only some traffic like the one going in and out the Internet.
|
|
p In the last rule we deny establishing connections from outside if there is no destination NAT rule specified.
|
|
p So, here is a forward chain for IPv6:
|
|
pre
|
|
| 1 chain=forward action=accept connection-state=established,related,untracked
|
|
| 2 chain=forward action=drop connection-state=invalid
|
|
| 3 chain=forward action=drop src-address-list=bad_ipv6
|
|
| 4 chain=forward action=drop dst-address-list=bad_ipv6
|
|
| 5 chain=forward action=accept protocol=icmpv6
|
|
| ;;; defconf: rfc4890 drop hop-limit=1
|
|
| 6 chain=forward action=drop protocol=icmpv6 hop-limit=equal:1
|
|
| 7 chain=forward action=drop in-interface-list=!LAN
|
|
p As for rules 3 and 4 bad_ipv6 address list contains all reserved and special ranges that I won't provide here. |