Hardening of Mikrotik devices


RTM
Jan 26, 2014
Recently I spent a little bit of time hardening some of my Mikrotik network devices (I was bored).
As I figure some of you might benefit from doing some of the same things, I have decided to post my notes.

Note #0: I take no responsibility for whatever possible problems may happen from this. I have tried to list only things that might be generally useful and "safe" in terms of general use, but your use case may differ from mine, and as always you should verify on your own that you are not breaking something.
Note #1: This is by no means a complete listing of all the things you can do to harden their devices, just what I felt wasn't posted on their wiki. I may be forgetting something, so please comment if you know some other cool tricks.
Note #2: Everything is performed using SSH, primarily because you can do more things with that than with the web interface.

Without further ado here are the things I did, I hope it helps some of you :)

Improve SSH encryption
Reason:
Apparently Mikrotik allows the use of some pretty weak ciphers, including null ciphers (no encryption); having these ciphers enabled could be exploited when combined with a downgrade attack.

Commands:
[Enable strong crypto on SSH]
ip ssh set strong-crypto=yes
[Regenerate SSH key]
ip ssh regenerate-host-key
Note: You may have to reboot the device.

Disable neighbor protocol
Reason:
This feature broadcasts the firmware version of the device as well as its management IP. For many this is not a useful feature, and if you are running an old firmware you are essentially informing attackers of which exploits might work.

Commands:
[Set discovery default to no on new "interfaces"]
ip neighbor discovery settings set default=no
[Disable discovery on interfaces that have already been created]
<print list of interfaces that have it enabled with "ip neighbor discovery print" >
<for each entry disable it, like so>
ip neighbor discovery set INTERFACE discover=no

Disable MAC telnet
Reason:
MAC telnet is apparently a layer 2 service that allows you to telnet into the router even if you do not have access on layer 3. The primary reason to disable this is that you should disable anything you don't use/need; however, it could also be used to gain access to/control over your devices, so I would consider this an important thing to disable.

Commands:
<print all interfaces that allow mac telnet to be enabled>
tool mac-server print
<disable each mac telnet on each interface>
tool mac-server disable numbers=INTERFACE_NO

Note: You can choose to use remove rather than disable; however, it will not allow you to delete no. 0, and you might have to print after each deletion.


Disable MAC winbox
Reason:
Winbox is Mikrotik's tool for configuring their devices; this appears to be a layer 2 interface for that tool. The reason for disabling this is the same as for MAC telnet.

Commands:
<print all interfaces that allow mac winbox to be enabled>
tool mac-server mac-winbox print
<disable each mac winbox on each interface>
tool mac-server mac-winbox disable numbers=INTERFACE_NO

Note: Like with MAC telnet you can use remove, with the same "print trick".

Disable bandwidth test server
Reason:
Disable stuff you don't need.

Commands:
tool bandwidth-server set enabled=no

Disable layer 3 services
Reason:
As mentioned earlier, you should disable stuff you don't need, as they could be used as attack vectors against your devices. An example would be to disable winbox if you don't need that, I personally disable everything but http-ssl and ssh (I will probably disable http-ssl, and move to a setup where I enable it with SSH when needed).

Commands:
< print services >
ip service print
< disable services that you don't need >
ip service disable SERVICE_NAME
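As an added example (not part of RTM's post), here are the interface-by-interface steps above collected into one RouterOS script, so nothing is missed when an interface is added later. It assumes the pre-6.41 command paths used in this thread (newer RouterOS versions rename some of these menus) and that the only services you keep are ssh and www-ssl (the RouterOS name for the HTTPS service).

```routeros
# Added example, not from the original post. Assumes the command paths
# shown in this thread; adjust the kept services to what you actually use.

# 1. Neighbor discovery: stop advertising firmware version and management IP,
#    both for new interfaces and for every interface that already exists.
/ip neighbor discovery settings set default=no
/ip neighbor discovery set [find discover=yes] discover=no

# 2. Layer 2 management: disable MAC telnet and MAC winbox on every entry.
#    disable (not remove) is used, so entry no. 0 needs no special handling.
/tool mac-server disable [find]
/tool mac-server mac-winbox disable [find]

# 3. Bandwidth test server.
/tool bandwidth-server set enabled=no

# 4. Layer 3 services: disable everything except ssh and www-ssl.
#    Multiple conditions in find are ANDed, so only the two named services survive.
/ip service disable [find name!="ssh" name!="www-ssl"]

# Verification: anything still listed here is still enabled and should be
# checked deliberately rather than assumed.
/ip neighbor discovery print where discover=yes
/tool mac-server print where disabled=no
/tool mac-server mac-winbox print where disabled=no
/ip service print where disabled=no
```

Run it from an SSH session before closing your current one, then confirm you can still reach the device over ssh and www-ssl from a second session.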