Harden Internet Facing RouterOS Routers

My Notes on Hardening Internet Facing RouterOS powered Routers.

Disable the Bandwidth Test Server.
Some folks leave it on, and many only enable authentication on it.
If the router is of any importance, shut the BTest daemon down; if you ever need it, enable it only for as long as you use it, with authentication on.
/tool bandwidth-server print 
                  enabled: yes
             authenticate: no
  allocate-udp-ports-from: 2000
             max-sessions: 100


/tool bandwidth-server set enabled=no


Add two users with full rights, then delete or disable the admin account.
Optionally, restrict the IP space the administrators can log in from.
/user add name=dadmin0 password=somepassword group=full address=10.0.0.0/8
/user add name=dadmin1 password=somepassword group=full address=10.0.0.0/8
/user disable admin


Disable telnet and www access.
You may need ftp for fetching your backups;
enable it when you need it, or restrict access to it.
/ip service disable telnet
/ip service disable www
/ip service disable ftp
If you don't use the API and www-ssl, disable them.
/ip service disable www-ssl
/ip service disable api


You could restrict access to the ssh and winbox daemons.
You could also add some port knocking rules. However, a firewall will reduce your router's packets-per-second (pps) rate --it should not matter for low capacity links, e.g. an ADSL connection. If you are absolutely paranoid about security and access to a router: disable winbox, enable port knocking and import ssh keys for the router administrators.

Change the port on which the ssh daemon listens.
/ip service set ssh port=666
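As an added example (not part of the original notes), here is one way to express the restrictions and port knocking mentioned above as RouterOS firewall rules, together with the ssh port change from this page. The 10.0.0.0/8 admin range and ssh port 666 come from the commands on this page; the knock ports 1111 and 2222, the address-list names and the key file name are assumptions made up for illustration.

```routeros
# Added example, not from the original notes. Assumptions: admin networks are
# 10.0.0.0/8 (as in the /user commands above), ssh already moved to port 666,
# knock ports 1111 then 2222 and the list names are made up for illustration.

# 1. Static allow-list of administrator networks.
/ip firewall address-list
add list=mgmt-allowed address=10.0.0.0/8 comment="admin networks"

# 2. Input chain: order matters, rules are evaluated top to bottom.
/ip firewall filter
add chain=input connection-state=established,related action=accept \
    comment="keep existing sessions working"
add chain=input protocol=tcp dst-port=666,8291 src-address-list=mgmt-allowed \
    action=accept comment="ssh (port 666) and winbox from allowed sources"

# 3. Two-stage port knock: a TCP packet to 1111 puts the source on knock-stage1
#    for 15 seconds; a packet to 2222 from such a source grants 10 minutes on the
#    allow-list. Any other source never matches the accept rule above.
add chain=input protocol=tcp dst-port=1111 action=add-src-to-address-list \
    address-list=knock-stage1 address-list-timeout=15s comment="knock 1/2"
add chain=input protocol=tcp dst-port=2222 src-address-list=knock-stage1 \
    action=add-src-to-address-list address-list=mgmt-allowed \
    address-list-timeout=10m comment="knock 2/2"

# 4. Drop the management ports for everybody else; log first so probes
#    show up in the memory/remote log configured later on this page.
add chain=input protocol=tcp dst-port=666,8291 action=log log-prefix="mgmt-drop"
add chain=input protocol=tcp dst-port=666,8291 action=drop \
    comment="drop ssh/winbox from anywhere else"

# 5. Second layer: bind the services themselves to the admin range, and
#    import an ssh public key so the administrator password is not needed.
/ip service set ssh address=10.0.0.0/8
/ip service set winbox address=10.0.0.0/8
/user ssh-keys import public-key-file=dadmin0.pub user=dadmin0
```

Place the accept rules before any catch-all drop you already have in the input chain, and test from a second session before closing the one you are configuring from.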


Configure NTP clock synchronization.
/system clock set time-zone-name=Etc/GMT+2
/system ntp client set enabled=yes primary-ntp=10.21.241.4 secondary-ntp=10.3.57.3 mode=unicast


Send info, critical, warning and error logs to the `memory` and a `remote` syslog server.
/system logging set 0 topics=info,critical,warning,error action=remote
/system logging set 1 topics=info,critical,error action=memory
It would be nice, but it does not work --at least not for me. Even though it looks like it worked in WinBox, it does not. I had to add a topic per rule (version 5.20). These categories may overlap ... hmm, anyways ...

So ... send info logs to the `memory` and a `remote` syslog server.

/system logging action set 3 bsd-syslog=yes name=remote remote=10.21.241.4 remote-port=514 src-address=0.0.0.0 syslog-facility=local0 syslog-severity=auto target=remote
The 3 above is the logging action number; the 0 in the earlier `/system logging set 0 ...` command is the logging rule number.


List the logging actions.
/system logging action print
Flags: * - default
 #   NAME      TARGET  REMOTE
 0 * memory    memory
 1 * disk      disk
 2 * echo      echo
 3 * remote    remote  10.21.241.4


List the logging rules.
/system logging print
Flags: X - disabled, I - invalid, * - default
 #    TOPICS      ACTION    PREFIX
 0  * info        remote
 1  * info        memory
 2  * warning     memory
 3  * critical    echo


Increase the number of logging lines kept in memory.
/system logging action set 0 memory-lines=400 memory-stop-on-full=no name=memory target=memory


Disable remote requests to the DNS forwarder/cache, so the router is not an open resolver.
/ip dns set allow-remote-requests=no


Good Enough Computer Security equals life experience + CS skills + imagination + common sense + a bit of paranoia.

Add hard work, commitment, and discomfort to the list above and you may get Good Security.
