{"id":639,"date":"2016-12-11T13:10:34","date_gmt":"2016-12-11T11:10:34","guid":{"rendered":"http:\/\/helia.ee\/koolitus\/?page_id=639"},"modified":"2016-12-11T13:12:09","modified_gmt":"2016-12-11T11:12:09","slug":"mikrotik-securing-your-router","status":"publish","type":"page","link":"https:\/\/helia.ee\/koolitus\/?page_id=639","title":{"rendered":"MikroTik – Securing your router"},"content":{"rendered":"

80To protect your MikroTik RouterOS\u2122, you should do following things:<\/p>\n

Change admin’s password<\/span><\/h2>\n

Just select the Password menu within the winbox GUI, for example:<\/p>\n

\"Password<\/a><\/p>\n

Or, type the following command in the CLI:<\/p>\n

[admin@MikroTik] > \/ password \r\nold password: \r\nnew password: ******\r\nretype new password: ******\r\n<\/pre>\n
This will change your current admin’s password to what you have entered twice. Make sure you remember the password! If you forget it, there is no recovery. You need to reinstall the router!<\/p>\n
Add users to the system<\/span><\/h2>\n
You should add each user that is going to log on to the router as a separate user and specify group of privileges. Add yourself as user of group full<\/b> (same as for admin<\/b>), for example:<\/p>\n
\"New<\/a><\/p>\n
You may create new groups for users with specific tasks.<\/p>\n
Set up packet filtering<\/span><\/h2>\n
All packets with destination to the router are processed against the ip firewall filter’s input<\/b> chain. Note, that the input chain does not affect packets which are being transferred through the router!<\/p>\n
You can add following rules to the input<\/b> chain under \/ip firewall filter<\/b> (just ‘copy and paste’ to the router using Terminal Console or configure the relevant arguments in WinBox):<\/p>\n
\/ ip firewall filter\r\nadd chain=input connection-state=established comment=\"Accept established connections\"\r\nadd chain=input connection-state=related comment=\"Accept related connections\"\r\nadd chain=input connection-state=invalid action=drop comment=\"Drop invalid connections\" \r\nadd chain=input protocol=udp action=accept comment=\"UDP\" disabled=no \r\nadd chain=input protocol=icmp limit=50\/5s,2 comment=\"Allow limited pings\" \r\nadd chain=input protocol=icmp action=drop comment=\"Drop excess pings\" \r\nadd chain=input protocol=tcp dst-port=22 comment=\"SSH for secure shell\"\r\nadd chain=input protocol=tcp dst-port=8291 comment=\"winbox\" \r\n# Edit these rules to reflect your actual IP addresses! # \r\nadd chain=input src-address=159.148.172.192\/28 comment=\"From Mikrotikls network\" \r\nadd chain=input src-address=10.0.0.0\/8 comment=\"From our private LAN\"\r\n# End of Edit #\r\nadd chain=input action=log log-prefix=\"DROP INPUT\" comment=\"Log everything else\"\r\nadd chain=input action=drop comment=\"Drop everything else\"\r\n<\/pre>\n
Use \/ip firewall filter print input stats<\/b> command to see how many packets have been processed against these rules. Use reset-counters-all<\/b> command to reset the counters. Examine the system log file \/log print<\/b> to see the packets which have been dropped.<\/p>\n
You may need to include additional rules to allow access from certain hosts, etc. Remember that firewall rules are processed in the order they appear on the list! After a rule matches the packet, no more rules are processed for it. After adding new rules, move them up using the move<\/b> command.<\/p>\n
Note, if you mis-configured the firewall and have locked yourselves out from the router, you may use MAC telnet<\/b> from another router or workstation on the same LAN to connect to your router and correct the problem.<\/p>\n","protected":false},"excerpt":{"rendered":"
80To protect your MikroTik RouterOS\u2122, you should do following things: Change admin’s password Just select the Password menu within the winbox GUI, for example: Or, type the following command in the CLI: [admin@MikroTik] > \/ password old password: new password: ****** retype new password: ****** This will change your current admin’s password to what you […]<\/p>\n","protected":false},"author":1,"featured_media":0,"parent":612,"menu_order":80,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"class_list":["post-639","page","type-page","status-publish","hentry"],"_links":{"self":[{"href":"https:\/\/helia.ee\/koolitus\/index.php?rest_route=\/wp\/v2\/pages\/639","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/helia.ee\/koolitus\/index.php?rest_route=\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/helia.ee\/koolitus\/index.php?rest_route=\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/helia.ee\/koolitus\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/helia.ee\/koolitus\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=639"}],"version-history":[{"count":2,"href":"https:\/\/helia.ee\/koolitus\/index.php?rest_route=\/wp\/v2\/pages\/639\/revisions"}],"predecessor-version":[{"id":641,"href":"https:\/\/helia.ee\/koolitus\/index.php?rest_route=\/wp\/v2\/pages\/639\/revisions\/641"}],"up":[{"embeddable":true,"href":"https:\/\/helia.ee\/koolitus\/index.php?rest_route=\/wp\/v2\/pages\/612"}],"wp:attachment":[{"href":"https:\/\/helia.ee\/koolitus\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=639"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}