10 WAYS TO SECURE MIKROTIK ROUTER
When configuring a MikroTik router for our network, router security is very important and needs to be considered. As a network administrator, do not forget to protect the router from irresponsible outside parties.
The steps needed to secure a MikroTik router are as follows:
1. Replace Mikrotik Router Username and Password
It is no secret that the MikroTik router ships with a factory-default username and password: Username: admin, Password: (blank). We recommend disabling, deleting or changing the default username and password so that they cannot be used by others. Before removing or disabling the default user, first create a user that belongs to the Full group (full access). User management is done in the System -> Users menu; disable the user admin there. In addition to disabling it, we can also create a new user with Read permissions. When granting Read permissions, do not forget to disable (un-check) the "reboot" policy, because by default the Read group can still reboot the router.
2. Change or Disable Unnecessary Service
Services on the MikroTik router are open by default, so we have to take precautions with the services we use to reach the router remotely. We can disable a service, change its default port, or restrict it so that only a few IP addresses can access that port. This setting can be done in the IP -> Services menu.
3. Disable Neighbors Discovery
MikroTik has a protocol that broadcasts within the layer 2 domain so that MikroTik devices can find each other on the same layer 2 network; it is called the Mikrotik Neighbor Discovery Protocol (MNDP). Tools that support MNDP and CDP can find information about other routers, such as the router identity, MAC address and IP address. The simplest example: when we open Winbox, the Neighbors tab shows information about the routers connected at layer 2 to our laptop. To keep the router from giving out this information, the network admin should disable discovery on its interfaces, especially interfaces connected directly to the public, such as the wireless interface for a hotspot network, the Ethernet interface for the client PCs of an internet cafe, and so forth. This setting can be done in the IP -> Neighbors menu.
The three steps above are discussed in detail in the article First Step Keeping Router Security.
4. Disable or Change MAC Server Features
Disabling the discovery interface does not mean that the router can no longer be accessed remotely by MAC address. Anyone who previously saved or knows the router's MAC address can still reach it remotely using that MAC address. If you want the router to be unreachable by MAC address, whether via Winbox or via telnet, turn off the MAC-Server feature on the router in Tools -> MAC-Server. Alternatively, you may want to allow MAC-Winbox only from the interface that is connected to your PC, for example Ether2. To do this, first set the MAC-Winbox interface to Ether2, then disable the interface "all".
5. Enable Firewall Filter For Access Service Router (DNS and Web Proxy)
A MikroTik router that we place as the main gateway often has the DNS Allow Remote Requests and web proxy features enabled. Both features can be exploited by outsiders, especially the web proxy, which sometimes leaves our international traffic full even when no local user is using it. To overcome this, we have to enable filters on the firewall so that outside parties cannot take advantage of our DNS and web proxy. Do not forget to also add a drop action for DNS traffic that uses the UDP protocol.
6. Disable Btest Server
The MikroTik router also features a Btest Server, which can be used to test connections that have been established. But if outsiders take advantage of this feature, our router is forced to generate or receive bandwidth-test traffic, which could use up the bandwidth we have or suddenly drive our CPU load to 100%. As network admins we certainly do not want that, so it is better to turn this feature off. This setting can be done in the Tools -> BTest Server menu.
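The Winbox steps from sections 1 to 6, written as RouterOS terminal commands. This is an added example, not part of the original article; it assumes RouterOS 6.41 or later (interface-list syntax), and the user, group and list names, the 192.168.88.0/24 management subnet, SSH port 2222, ether1 as the public interface and ether2 as the management port are placeholders.

```routeros
# Added example. Assumed placeholders: netadmin, monitor, read-noreboot, MGMT,
# 192.168.88.0/24 (management subnet), ether1 (public), ether2 (management PC).
# Run it from a host inside the management subnet so the session survives.

# 1. Create a full-access user first, then disable the factory "admin" account.
/user add name=netadmin group=full password="REPLACE-with-a-long-passphrase"
/user disable admin
# Read-only operator in a custom group that does not include the reboot policy
# (a variant of un-checking "reboot" on the built-in read group).
/user group add name=read-noreboot policy=local,ssh,winbox,read,test
/user add name=monitor group=read-noreboot password="REPLACE-with-another-passphrase"

# 2. Disable unused services; move and restrict the ones kept for management.
/ip service disable telnet,ftp,www,api,api-ssl
/ip service set ssh port=2222 address=192.168.88.0/24
/ip service set winbox address=192.168.88.0/24

# 3. Neighbor discovery (MNDP/CDP) only on the management interface list.
/interface list add name=MGMT
/interface list member add list=MGMT interface=ether2
/ip neighbor discovery-settings set discover-interface-list=MGMT

# 4. No MAC-telnet at all; MAC-Winbox only from the management interface list.
/tool mac-server set allowed-interface-list=none
/tool mac-server mac-winbox set allowed-interface-list=MGMT

# 5. Drop DNS (udp and tcp) and web proxy requests arriving on the public port.
#    8080 is the RouterOS web proxy default port. These rules must sit above
#    any rule that accepts the same traffic.
/ip firewall filter
add chain=input in-interface=ether1 protocol=udp dst-port=53 action=drop comment="outside DNS udp"
add chain=input in-interface=ether1 protocol=tcp dst-port=53 action=drop comment="outside DNS tcp"
add chain=input in-interface=ether1 protocol=tcp dst-port=8080 action=drop comment="outside web proxy"

# 6. Turn off the bandwidth-test server.
/tool bandwidth-server set enabled=no

# Review the result.
/ip service print
/ip firewall filter print where chain=input
```

On RouterOS versions older than 6.41, discovery and MAC-Server are configured per interface instead of through interface lists, as in the Winbox steps the article describes.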
7. Change the PIN or Disable the LCD Feature
Some MikroTik routers are equipped with an LCD that can also be used to enter simple commands directly from the LCD. If a router with an LCD is placed where the crowd can reach it, change the PIN or disable the LCD feature so that others cannot tamper with our router. An explanation of the LCD on MikroTik can be found in the article display LCD Display Mikrotik.
8. Perform Regular Backups, Encrypt Them and Retrieve the Backup File
To avoid unnecessary reconfiguration, we should back up periodically. In particular, back up the configuration after finishing configuration, and do not forget to move the backup file to your PC or laptop. To keep backup files secure, you can enable encryption when creating the configuration backup. Details can be found in the article Backup Mikrotik Configuration.
9. Enable Bootloader Protector
The Bootloader Protector feature protects against physical interference with the RouterBOARD, especially protection of the reset button on the MikroTik router. We have discussed an example implementation in the Protected Bootloader article.
10. Protect the Router Physically
MikroTik is electronic hardware that, like other electronic devices, requires physical care such as:
a. Protecting the power cable so that it is not plugged and unplugged too often
b. Cooling the room to maintain the temperature of the MikroTik device
c. Protection against electric shocks using a UPS or, when power passes over PoE, an arrester
Source : Mikrotik Indonesia