Disable The Bandwidth Test Server.
Some folks leave it on and many folks are enabling authentication.
If the router is of any importance, shut down the BTest daemon; if you ever need it, enable it only for as long as you use it, with authentication on.
/tool bandwidth-server print
  enabled: yes
  authenticate: no
  allocate-udp-ports-from: 2000
  max-sessions: 100
/tool bandwidth-server set enabled=no
Add two users with full rights, delete or disable the admin account.
Optionally, restrict the IP ranges the administrators can log in from.
/user add name=dadmin0 password=somepassword group=full address=10.0.0.0/8
/user add name=dadmin1 password=somepassword group=full address=10.0.0.0/8
/user disable admin
Disable telnet and www access.
You may need FTP for retrieving your backups; enable it only when you need it, or restrict access to it.
/ip service disable telnet
/ip service disable www
/ip service disable ftp
If you don't use the API and www-ssl, disable them too.
/ip service disable www-ssl
/ip service disable api
You could restrict access to the SSH and Winbox daemons.
You could add some port knocking rules. However, a firewall will reduce your router's packets-per-second (pps) rate -- it should not matter for low capacity links, e.g. an ADSL connection. If you are absolutely paranoid about security and access to a router: disable Winbox, enable port knocking and import SSH keys for the router administrators.
Change the port on which the SSH daemon listens.
/ip service set ssh port=666
Configure NTP clock synchronization.
/system clock set time-zone-name=Etc/GMT+2
/system ntp client set enabled=yes primary-ntp=10.21.241.4 secondary-ntp=10.3.57.3 mode=unicast
Send info, critical, warning and error logs to the `memory` action and to a `remote` syslog server.
/system logging set 0 topics=info,critical,warning,error action=remote
/system logging set 1 topics=info,critical,error action=memory
It would be nice, but it does not work -- at least not for me. Even though it looks like it worked in Winbox, it does not. I had to add a topic per rule (version 5.20). These categories may overlap ... hmm, anyways ...
So ... send info logs to the `memory` action and to a `remote` syslog server.
/system logging action set 3 bsd-syslog=yes name=remote remote=10.21.241.4 remote-port=514 src-address=0.0.0.0 syslog-facility=local0 syslog-severity=auto target=remote
The 3 above is the logging action number; the 0 in `/system logging set 0` is the logging rule number.
List the logging actions.
/system logging action print
Flags: * - default
 #   NAME     TARGET   REMOTE
 0 * memory   memory
 1 * disk     disk
 2 * echo     echo
 3 * remote   remote   10.21.241.4
List the logging rules.
/system logging print
Flags: X - disabled, I - invalid, * - default
 #   TOPICS     ACTION   PREFIX
 0 * info       remote
 1 * info       memory
 2 * warning    memory
 3 * critical   echo
Increase the number of logging lines kept in memory.
/system logging action set 0 memory-lines=400 memory-stop-on-full=no name=memory target=memory
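The remote action above sends BSD-style syslog (`bsd-syslog=yes`) tagged with facility `local0`. On the receiving side it is worth checking that what arrives really carries that facility, so router messages can be routed to their own file and anything else on the port stands out. The following is an added example, not part of the original page or of RouterOS: a small parser for the `<PRI>` header (facility = PRI div 8, severity = PRI mod 8, per the BSD syslog convention) and a minimal UDP receiver built on it. The two sample datagrams are constructed, not captured from a router.

```python
import re
import socket
from typing import Dict, Optional

# Standard BSD syslog severity and facility codes (RFC 3164 numbering).
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console",
              "clock"] + [f"local{i}" for i in range(8)]

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)

# Constructed datagrams in the shape a router configured as above would send
# (not captured from a real device). PRI 134 = local0 (16) * 8 + info (6).
ROUTER_MSG = "<134>router system,info,account user dadmin0 logged in from 10.0.0.5 via ssh"
OTHER_MSG = "<13>host some unrelated daemon message"  # PRI 13 = user (1) * 8 + notice (5)


def parse_bsd_syslog(datagram: str) -> Optional[Dict[str, str]]:
    """Split a BSD syslog datagram into facility, severity and message.

    Returns None when the <PRI> header is missing or out of range (max 191),
    which is exactly the case a router-dedicated listener should flag.
    """
    m = PRI_RE.match(datagram)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:
        return None
    return {
        "facility": FACILITIES[pri // 8],
        "severity": SEVERITIES[pri % 8],
        "message": m.group(2),
    }


def is_router_log(datagram: str, facility: str = "local0") -> bool:
    """True if the datagram parses and carries the facility set on the router."""
    parsed = parse_bsd_syslog(datagram)
    return parsed is not None and parsed["facility"] == facility


def receive(bind_addr: str = "0.0.0.0", port: int = 514, facility: str = "local0") -> None:
    """Minimal UDP syslog receiver: prints router lines, flags everything else."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind_addr, port))
        while True:
            data, (src, _) = sock.recvfrom(4096)
            text = data.decode("utf-8", errors="replace").rstrip("\n")
            parsed = parse_bsd_syslog(text)
            if parsed is None:
                print(f"{src}: unparseable datagram: {text!r}")
            elif parsed["facility"] != facility:
                print(f"{src}: {parsed['facility']}.{parsed['severity']} "
                      f"(unexpected facility): {parsed['message']}")
            else:
                print(f"{src}: {parsed['severity']}: {parsed['message']}")


if __name__ == "__main__":
    for sample in (ROUTER_MSG, OTHER_MSG):
        print(parse_bsd_syslog(sample), "router:", is_router_log(sample))
    # receive()  # binding port 514 needs root; use a high port for testing
```

Binding UDP/514 needs root on most systems; for a quick test run `receive(port=5514)` and point `remote-port=5514` at it. A real deployment should also restrict the listener with a host firewall to the router's `src-address`, since plain UDP syslog is unauthenticated.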
Disable remote requests to the DNS forwarder cache, so the router does not act as an open resolver.
/ip dns set allow-remote-requests=no
Good Enough Computer Security is equal to life-experience + CS-skills + imagination + common-sense + a bit of paranoia.
Add hard work, commitment, and discomfort to the list above and you may get Good Security.
Harden Internet Facing RouterOS Routers