Securing New RouterOs Router
Tuesday, November 27, 2007
Securing A Fresh v2.9 RouterOs Device
This document is written for RouterOs devices that have been cleanly loaded and have no configuration. The configuration outlined in this guide may work for routers that are already configured, but take care that it does not disrupt the device.
Please read and understand the entire document before applying it to a device; failure to do so may leave you unable to access the device.
The purpose of this document is to take users through the steps needed to secure access to a RouterOs device while keeping the ability for other devices to communicate with it and use certain services. This document works on the idea of 'just-enough' access: services or people who need to access the router get 'just-enough' privileges on the router to do their job, and no more. There is no reason for another router that only talks BGP to the device to have full access, and likewise a user who logs in to monitor wireless connections should not have any write access or the ability to reboot or shut down the router. With this in mind you should look at other areas of your network and assess how they are set up and configured; they may need attention in order to fully secure your network as a whole.
The user's going to pick dancing pigs over security every time. — Bruce Schneier
This is VERY true. The end user, and even some sysadmins I know, will choose no security if it means they don't have to think. Some of the things we will put in place on the device will require people using or connecting to the router to do something differently; on top of this, if a router connecting to the device wants to use a new service on the router, you may have to enable access to it.
This can be a pain and sometimes it can go too far. It's your job to figure out where the balance of security vs. usability lies: make it too difficult to do anything and your users will give up, make it too easy and you will be compromised. This may be starting to sound like a lot, but that's because we aren't just talking about securing RouterOs now; we are talking about whole-network security, security that neither starts nor stops with securing a router.
Having said that, let's get into the nuts and bolts of securing RouterOs.
Configuring Packages & Hardening Services
Some of you may have started this guide having just loaded RouterOs onto the device, which is fine, but my personal preference when it comes to packages on RouterOs is to use the single routeros-x86.npk or routeros-rb500.npk bundle. Why? Because I find it easier to upgrade the router with a single file, and it is easier to enable new services if the router's role is expanded. There is nothing worse than needing to add a service (i.e. DHCP server) to a router running an old RouterOs version and finding you don't have dhcp-2.9.xx.npk; this is more of a problem now that Mikrotik no longer let you download old versions from their website.
Installing a new router with routeros-xxx.npk is best done via Netinstall. If you need to install via CD then your only option is to install from an old version, install only the system package, and then upload routeros-xxx.npk via MAC-Winbox. It's messy, but it's the only way I have found to do a clean load via CD with the single npk. Once again, this comes down to personal preference and is not required for this document.
I always install a router with the following packages enable as a minimum:
- Advanced-Tools
- Ntp
- Security
- System
This installs a basic system where you are able to keep the clock in sync with an external source, a suite of tools enabling advanced monitoring and reporting, and the ability to talk to the router securely.
You need to think about the exact role the router will have before you start enabling more packages on it. If it's a simple wireless relay station then why would it need DHCP enabled? If the router is to be an Ethernet-based firewall then why does it need wireless enabled? Only enable the packages the router needs to do its job; remember it's all about 'just-enough' security.
Once you have your router loaded up with only the packages it needs, it's time to look at the services that are running by default.
By default you can access the router by:
- Telnet
- SSH
- HTTP
- Winbox
- FTP
- Mac-Telnet
Later in the document we will add a firewall to control access to the above services, but right now you may decide that some services you will never use. On my routers I disable all services except Mac-Telnet, Winbox and SSH; I have no need for the others. Disabling a service is easy:
/ip service print
will return this on a default load of RouterOs:
Flags: X - disabled, I - invalid
# NAME PORT ADDRESS CERTIFICATE
0 telnet 23 0.0.0.0/0
1 ftp 21 0.0.0.0/0
2 www 80 0.0.0.0/0
3 ssh 22 0.0.0.0/0
4 X www-ssl 443 0.0.0.0/0 none
To disable a service, give its name (or its number from the print above), for example:
/ip service disable telnet
and repeat for each service you don't need (ftp and www in my case).
Once you have configured the services to your liking it's time to look at other ways to interface with the router. First up is SNMP, which is used by a lot of programs to monitor devices (i.e. The Dude).
SNMP is disabled by default, and if you have other means of monitoring devices it is safe to leave it disabled. I prefer to use The Dude to monitor my network, so I will go ahead and enable access and set some helpful fields:
/snmp set enabled=yes location="The Matrix" contact=neo@zion.org
SNMP in RouterOs 2.9 is read-only, so the only danger in enabling it is that, without firewalling to stop access, anyone on your network (or on the rest of the world, if the router has a public IP address) will be able to look at wireless signal levels and similar data.
Now that your router has some basic hardening, it's time to look at the users who access the router and the privileges they have.
Users & Passwords
By default your router has one user, admin, which has no password set. With RouterOs, if you set a password for the admin user, add no other users with write/password privileges, and forget the password, there is NO way to log in or recover the password; you must reinstall.
Before going any further you should check whether the company you are working for has a policy on users and passwords. If it does, check whether this document conflicts with it, and if so seek approval before implementing this document any further.
The first thing we will do is give the default admin user a password. In my network all user passwords are 32 characters long; I use a password generator here which creates 10 passwords at a time, and if you need more you just hit refresh and it generates more.
/user set admin password=putpasshere
Once you do this it's best to exit and reconnect Winbox.
Next up is adding a fail-safe user: a user with admin rights and a simple password that is only allowed to connect from the local terminal. The purpose of this is to save you from having to reinstall the router if you lose the admin password. I use a simple password such as my driver's licence number or IRD number; it's critical that the password is not something you will forget or lose. In my country your driver's licence and IRD numbers are set for life and make for perfect backup user passwords.
In reality I don't use my driver's licence or IRD number; I use another document that is just as easy to remember. Don't use something that is easy to get hold of: if you lose your wallet, the last thing you want to be doing is changing all your routers' passwords.
So let's add this user:
/user add name=badmin password=putpasshere group=full address=127.0.0.1/32
At this point your router is password protected and has a fail-safe in case you lose the long password. You may need to add more users for monitoring etc.; don't hand out the admin password to everyone. If someone needs access to the router, determine what privileges they need and create a user for them. The rest of this document is useless to you if you don't keep the usernames and passwords secure.
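As an added example (not part of the original page, and not a MikroTik tool), the following Python generates passwords of the kind described above (32 characters, drawn with the operating system's cryptographic random source) and prints the two /user commands from this section for them. It restricts the alphabet to letters and digits because the RouterOs console parses the password as part of the command line, where quotes, backslashes and spaces need escaping. The fail-safe password placeholder is constructed and must be replaced with your own.

```python
"""Generate 32-character router passwords and the matching /user commands.
Added example; not part of the original page or of RouterOs."""
import math
import secrets
import string

# Letters and digits only: RouterOs reads the password from its own command
# parser, so quotes, backslashes and spaces would need escaping.
ALPHABET = string.ascii_letters + string.digits
PASSWORD_LENGTH = 32


def generate_password(length=PASSWORD_LENGTH, alphabet=ALPHABET):
    """Cryptographically random password drawn uniformly from `alphabet`."""
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length=PASSWORD_LENGTH, alphabet=ALPHABET):
    """Entropy in bits of a uniformly chosen password of this length."""
    return length * math.log2(len(alphabet))


def is_valid(password, length=PASSWORD_LENGTH, alphabet=ALPHABET):
    """Check that a password has the required length and only safe characters."""
    return len(password) == length and all(c in alphabet for c in password)


def user_commands(admin_password, failsafe_password, failsafe_name="badmin"):
    """The two commands from the text: set the admin password and add the
    console-only fail-safe user bound to 127.0.0.1."""
    return [
        f"/user set admin password={admin_password}",
        f"/user add name={failsafe_name} password={failsafe_password} "
        f"group=full address=127.0.0.1/32",
    ]


if __name__ == "__main__":
    pw = generate_password()
    print(pw, f"({entropy_bits():.0f} bits of entropy)")
    # "CHANGE-ME-failsafe" is a constructed placeholder, not a real password.
    for cmd in user_commands(pw, "CHANGE-ME-failsafe"):
        print(cmd)
```

Run it once per router and paste the printed commands into the console; a 32-character alphanumeric password carries about 190 bits of entropy, far more than any online guessing against the router could exhaust.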
Amateurs hack systems, professionals hack people. — Bruce Schneier
Port Knocking
In the firewall we will load onto the router in the next section we divide access into two groups:
- An address list of devices that have full access to the router
- All other devices that have limited access to the router
One thing all other devices are limited to is that they have no Winbox/SSH/telnet access to the router, which sometimes means you can't get into it. One way to temporarily allow full access to a router is port knocking.
Port knocking with RouterOs is a way of adding a dynamic IP address to an address list for a specified amount of time. It works like this:
- Client sends packet to router on port 1337
- Router adds client’s IP address to address list “temp” with a timeout of 15 seconds
- Client sends packet to router on port 7331
- Router checks to see if the client’s IP address is on address list “temp”
- If it is then router adds IP address to address list “safe” with a timeout of 15 minutes
- Client has full access to router for 15 minutes
This feature is completely customisable: you can define how many ports the client has to 'knock' before it is given access, which port numbers and protocols must be knocked, and the timeout values.
A Windows knocking client is available here and is used like so:
Knock.exe <router-ip> port:protocol port:protocol ...
So to gain access to the router in the example above we would run:
Knock.exe 192.168.0.2 1337:tcp 7331:tcp
While this feature is useful, it is another weak point in security. In the firewall rules I show which rules create the port knock; if you leave these rules out there will be no port knocking on the router.
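As an added example (not part of the original page, and not MikroTik's code), the following Python models what the two knock rules and their address-list timeouts do on the router, so you can see why the second knock must arrive within the 15 second window, why the knocks must come in order, and why access lapses after 15 minutes. The port numbers and timeouts are the ones from the list above; the client IP addresses and timestamps are constructed. The model only covers the two knock rules and the 'safe' list check, not the rest of the input chain.

```python
"""Model of RouterOs two-stage port knocking with dynamic address lists.
Added example; the port numbers and timeouts are from the text above."""
from dataclasses import dataclass, field

KNOCK_PORTS = (1337, 7331)   # first knock, second knock
TEMP_TIMEOUT = 15            # seconds the 'knock' entry lives
SAFE_TIMEOUT = 15 * 60       # seconds the 'safe' entry lives


@dataclass
class AddressList:
    """One address list: ip -> expiry time in seconds."""
    entries: dict = field(default_factory=dict)

    def add(self, ip, now, timeout):
        # Re-adding an IP refreshes its timeout, as address-list-timeout does.
        self.entries[ip] = now + timeout

    def contains(self, ip, now):
        expiry = self.entries.get(ip)
        if expiry is None:
            return False
        if now >= expiry:
            del self.entries[ip]   # entry has timed out and is dropped
            return False
        return True


class KnockFirewall:
    """The two add-src-to-address-list rules from the firewall script."""

    def __init__(self):
        self.knock = AddressList()   # address-list=knock, timeout 15s
        self.safe = AddressList()    # address-list=safe, timeout 15m

    def input_packet(self, src_ip, dst_port, now):
        """Run one TCP packet through the knock rules; returns the list it
        was added to ('knock' or 'safe') or None when neither rule matched."""
        if dst_port == KNOCK_PORTS[0]:
            self.knock.add(src_ip, now, TEMP_TIMEOUT)
            return "knock"
        # Second rule only matches while the source is still on the knock list.
        if dst_port == KNOCK_PORTS[1] and self.knock.contains(src_ip, now):
            self.safe.add(src_ip, now, SAFE_TIMEOUT)
            return "safe"
        return None

    def has_full_access(self, src_ip, now):
        """What the 'src-address-list=safe action=accept' rule would see."""
        return self.safe.contains(src_ip, now)


if __name__ == "__main__":
    fw = KnockFirewall()
    client = "10.0.0.5"   # constructed client address
    fw.input_packet(client, 1337, now=0)
    fw.input_packet(client, 7331, now=5)
    print("after knocking:", fw.has_full_access(client, now=6))
    print("16 minutes later:", fw.has_full_access(client, now=16 * 60))
```

Knocking the ports in the wrong order, or letting more than 15 seconds pass between the two knocks, leaves the client off the 'safe' list, which is exactly what the firewall does because the second rule carries src-address-list=knock. It also shows why the knock is a weak point: any host that observes the sequence can replay it.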
Loading A Firewall
Next up is loading a firewall. Right now your router is secured from access by passwords, but passwords are one layer of security, not the only layer. This script is based on the firewall used on the MT demo router but has a few changes; it only protects the router itself and contains no 'forward' firewall rules.
/ip firewall filter
add chain=input protocol=tcp dst-port=1337 action=add-src-to-address-list address-list=knock \
address-list-timeout=15s comment="" disabled=no
add chain=input protocol=tcp dst-port=7331 src-address-list=knock action=add-src-to-address-list \
address-list=safe address-list-timeout=15m comment="" disabled=no
These rules set up port knocking. They implement the example we used above and add the IP address to the 'safe' address list, which is the list this firewall uses to permit full, unrestricted access to the router.
add chain=input connection-state=established action=accept comment="accept established connection packets" disabled=no
add chain=input connection-state=related action=accept comment="accept related connection packets" disabled=no
add chain=input connection-state=invalid action=drop comment="drop invalid packets" disabled=no
These rules make sure only valid connections are going to the router and will drop any that are invalid.
add chain=input src-address-list=safe action=accept comment="Allow access to router from known network" disabled=no
This is the rule that allows full access to the router for certain IP addresses. The list contains static entries for IPs you always want to have access, and also the dynamic IPs added by port knocking, if used.
add chain=input protocol=tcp psd=21,3s,3,1 action=drop comment="detect and drop port scan connections" disabled=no
add chain=input protocol=tcp connection-limit=3,32 src-address-list=black_list action=tarpit \
comment="suppress DoS attack" disabled=no
add chain=input protocol=tcp connection-limit=10,32 action=add-src-to-address-list \
address-list=black_list address-list-timeout=1d comment="detect DoS attack" disabled=no
These rules react to DoS and port-scanning attempts: port scans are dropped, while a DoS attack is 'tarpitted', meaning its connections are slowed down to increase the resource usage on the attacker's device.
add chain=input protocol=icmp action=jump jump-target=ICMP comment="jump to chain ICMP" disabled=no
add chain=input action=jump jump-target=services comment="jump to chain services" disabled=no
These two rules jump to chains we are about to create. Jumping is handy because it allows you to reuse the same rules in different chains (i.e. input and forward can jump to the same chain and run the same rules).
add chain=input dst-address-type=broadcast action=accept comment="Allow Broadcast Traffic" disabled=no
This allows broadcast traffic to the router, which is sometimes needed by things like NTP.
add chain=input action=log log-prefix="Filter:" comment="" disabled=no
add chain=input action=drop comment="drop everything else" disabled=no
And this is the rule that denies all other access to the router: if traffic hasn't been accepted by one of the rules above, it is logged by the rule before it and then dropped.
add chain=ICMP protocol=icmp icmp-options=0:0-255 limit=5,5 action=accept comment="0:0 and limit for 5pac/s" disabled=no
add chain=ICMP protocol=icmp icmp-options=3:3 limit=5,5 action=accept comment="3:3 and limit for 5pac/s" disabled=no
add chain=ICMP protocol=icmp icmp-options=3:4 limit=5,5 action=accept comment="3:4 and limit for 5pac/s" disabled=no
add chain=ICMP protocol=icmp icmp-options=8:0-255 limit=5,5 action=accept comment="8:0 and limit for 5pac/s" disabled=no
add chain=ICMP protocol=icmp icmp-options=11:0-255 limit=5,5 action=accept comment="11:0 and limit for 5pac/s" disabled=no
add chain=ICMP protocol=icmp action=drop comment="Drop everything else" disabled=no
These rules form the 'ICMP' chain we jumped to from input; it rate-limits the various ICMP types to stop people ping-flooding you.
add chain=services src-address=127.0.0.1 dst-address=127.0.0.1 action=accept comment="accept localhost" disabled=no
add chain=services protocol=udp dst-port=20561 action=accept comment="allow MACwinbox " disabled=no
add chain=services protocol=tcp dst-port=2000 action=accept comment="Bandwidth server" disabled=no
add chain=services protocol=udp dst-port=5678 action=accept comment=" MT Discovery Protocol" disabled=no
add chain=services protocol=udp dst-port=161 action=accept comment="allow SNMP" disabled=yes
add chain=services protocol=tcp dst-port=179 action=accept comment="Allow BGP" disabled=yes
add chain=services protocol=udp dst-port=5000-5100 action=accept comment="allow BGP" disabled=yes
add chain=services protocol=udp dst-port=123 action=accept comment="Allow NTP" disabled=yes
add chain=services protocol=tcp dst-port=1723 action=accept comment="Allow PPTP" disabled=yes
add chain=services protocol=gre action=accept comment="allow PPTP and EoIP" disabled=yes
add chain=services protocol=tcp dst-port=53 action=accept comment="allow DNS request" disabled=yes
add chain=services protocol=udp dst-port=53 action=accept comment="Allow DNS request" disabled=yes
add chain=services protocol=udp dst-port=1900 action=accept comment="UPnP" disabled=yes
add chain=services protocol=tcp dst-port=2828 action=accept comment="UPnP" disabled=yes
add chain=services protocol=udp dst-port=67-68 action=accept comment="allow DHCP" disabled=yes
add chain=services protocol=tcp dst-port=8080 action=accept comment="allow Web Proxy" disabled=yes
add chain=services protocol=ipencap action=accept comment="allow IPIP" disabled=yes
add chain=services protocol=tcp dst-port=443 action=accept comment="allow https for Hotspot" disabled=yes
add chain=services protocol=tcp dst-port=1080 action=accept comment="allow Socks for Hotspot" disabled=yes
add chain=services protocol=udp dst-port=500 action=accept comment="allow IPSec connections" disabled=yes
add chain=services protocol=ipsec-esp action=accept comment="allow IPSec" disabled=yes
add chain=services protocol=ipsec-ah action=accept comment="allow IPSec" disabled=yes
add chain=services protocol=udp dst-port=520-521 action=accept comment="allow RIP" disabled=yes
add chain=services protocol=ospf action=accept comment="allow OSPF" disabled=yes
add chain=services action=return comment="" disabled=no
These are the services that we allow ANYone to access; as you can see I've disabled most of them by default. The only ones enabled are services I personally feel should always be accessible:
- Mac-Telnet
- Bandwidth Test Server
- MT Discovery
All other services should only be enabled if they need to be. Running this script on a production router that is already configured will cause it to drop IPSec, BGP, EoIP and a bunch of other services, so I must repeat myself:
Don't apply this firewall to a production router unmodified; it will break some services.
Logging & Syslog
So you've got long passwords and a firewall that limits access to your router. Everything's great: you see the "Drop Everything Else" counter rising and you check the logs on the router to make sure nobody's got in. Trouble is, you're now assuming that the data on your router is accurate and hasn't been fiddled with. Someone could have gotten in somehow and be altering your network, and you don't have a clue because they altered the logs, or their activity has scrolled past the 100-line storage default of RouterOs logging.
Got you worried yet? I should have. When someone compromises any device on your network you can no longer assume the data it holds is clean; you must assume that everything on that device has been altered or removed. On RouterOs it is actually very difficult to remove entries from the log without erasing the entire log, but it's not impossible, nothing ever is. We are about to go through RouterOs and change what is logged and where it is logged to. In order to accurately tell what's going on in your router you need to log information about changes and login attempts to an outside device.
By default RouterOs has the following logging setup:
/system logging print
Flags: X - disabled, I - invalid
# TOPICS ACTION PREFIX
0 info memory
1 error memory
2 warning memory
3 critical echo
This is really bad, because if your router suffers a power outage or random reboot you lose all logs. So the first thing we are going to do is log some things to disk.
Erase all the current logging rules:
/system logging print
/system logging remove 0
/system logging remove 1
/system logging remove 2
/system logging remove 3
Set up logging so that some things go to disk:
/system logging add topics=critical action=disk
/system logging add topics=critical action=echo
/system logging add topics=error action=disk
/system logging add topics=warning action=disk
/system logging add topics=info action=memory
The next trouble is that by default RouterOs will only store the last 100 lines in memory or on disk. Depending on the amount of RAM and free disk space you should raise this; personally I set it to 300 lines in memory and on disk for RouterBoards and 1000 for PC routers. You can do this with the following commands, where XXX is the number of lines you chose; in the default print, action 0 is the memory target (which uses memory-lines) and action 1 is the disk target (which uses disk-lines):
/system logging action print
/system logging action set 0 memory-lines=XXX
/system logging action set 1 disk-lines=XXX
Now the router will log some things to disk and others to memory, and you will be able to look back further in the logs on the router.
If you look back at the firewall script we put in place you will notice that we set it up to log all dropped input packets. Right now you will see them in memory, as they are logged under 'info'. What we will do now is create another file on the disk to store the firewall hits and alter the logging rules so they get logged to disk but don't clog up the memory.
First we set up the new target:
/system logging action add target=disk disk-lines=XXX name=FirewallHits
Then we alter the 'info' logging rule so the firewall topic no longer goes to memory. Take the rule's number from the print; it is 4 if you entered the commands above in order:
/system logging print
/system logging set 4 topics=info,!firewall
And now we set it so all the firewall hits go to the new target:
/system logging add topics=firewall action=FirewallHits
And done: now all the hits your firewall gets will be logged to disk and will no longer clog up your main log. The last thing left to do with logging is to log everything to a remote host. For this you will need a remote server, running either Windows or *NIX, with a syslog daemon. I won't go through setting up a syslog daemon as this is extremely platform specific; however, it is simple to set up a catch-all syslog daemon.
RouterOs has a built-in logging action called 'remote'; all you need to do is specify the destination IP address where syslog is running. We can do this by issuing the following commands:
/system logging action print
/system logging action set 3 remote=192.168.0.3:514
Remember to add ':514' to the end of the IP address, as this specifies which port to use. Once we have set the IP we can go ahead and add a rule to log everything to the daemon:
/system logging add action=remote topics=info,warning,critical,firewall,error prefix="RouterId"
Change the prefix to something that identifies your router and you're all done.
With this logging setup in place you are in a better position to know what's going on in your network and to trust that the information you are reading is correct; remember, when in doubt check the remote syslog.
Another thing to remember is that all of this logging setup is useless if you never look at it. Get into a routine of looking at the log files every day; setting up some filters on your remote syslog to weed out the rubbish may make this easier.
On a *nix-like OS the setup looks like this (FreeBSD, for example):
1. Edit /etc/rc.conf (for example with vi) and make sure it contains the lines below:
syslogd_enable="YES" # Run syslog daemon (or NO).
syslogd_program="/usr/sbin/syslogd" # path to syslogd, if you want a different o
syslogd_flags="" # Flags to syslogd (if enabled).
By default syslogd_flags contains the "-s" option (secure mode, in which syslogd ignores messages from remote hosts); don't forget to remove it. The "-a" options are ignored if the "-s" option is also specified. See man syslogd.
2. Edit /etc/syslog.conf and add a block for the router. The "+@" line selects the local system, "+*" resets the selection to all hosts, and a "+" line followed by the router's address starts a block that only matches messages from the router:
+@
# syslog settings of current system
+*
# messages from the router; replace <router-ip> with its address
+<router-ip>
*.* /var/log/mikrotik.log
+*
3. Restart syslogd: /etc/rc.d/syslogd restart
That's all.
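As an added example (not part of the original page), the following Python reviews a remote syslog file offline in the way the paragraph above recommends: it picks out the "Filter:" drop lines the firewall logs and the "login failure" lines RouterOs writes for failed logins, tallies them per source address, and flags sources that probed several ports or failed to log in repeatedly. The sample lines are constructed in the shape a syslog daemon writes after the 'remote' action with prefix "RouterId"; the exact layout on a real server depends on the daemon, so the patterns key on the RouterOs message body rather than the syslog header. The thresholds and addresses are assumptions.

```python
"""Offline review of RouterOs syslog output: firewall drops and failed logins.
Added example; the log lines below are constructed, not captured."""
import re
from collections import defaultdict

SAMPLE_LOG = """\
Nov 27 10:15:02 192.168.0.1 RouterId: firewall,info Filter: input: in:ether1 out:(none), src-mac 00:11:22:33:44:55, proto TCP (SYN), 10.0.0.99:40001->192.168.0.1:22, len 60
Nov 27 10:15:02 192.168.0.1 RouterId: firewall,info Filter: input: in:ether1 out:(none), src-mac 00:11:22:33:44:55, proto TCP (SYN), 10.0.0.99:40002->192.168.0.1:23, len 60
Nov 27 10:15:03 192.168.0.1 RouterId: firewall,info Filter: input: in:ether1 out:(none), src-mac 00:11:22:33:44:55, proto TCP (SYN), 10.0.0.99:40003->192.168.0.1:80, len 60
Nov 27 10:16:40 192.168.0.1 RouterId: firewall,info Filter: input: in:ether2 out:(none), src-mac 00:aa:bb:cc:dd:ee, proto UDP, 192.168.0.50:1234->192.168.0.1:161, len 84
Nov 27 10:20:11 192.168.0.1 RouterId: system,error,critical login failure for user admin from 10.0.0.99 via ssh
Nov 27 10:20:15 192.168.0.1 RouterId: system,error,critical login failure for user admin from 10.0.0.99 via ssh
Nov 27 10:31:00 192.168.0.1 RouterId: system,info,account user badmin logged in from 127.0.0.1 via telnet
"""

# A dropped packet as written by the 'action=log log-prefix="Filter:"' rule.
DROP_RE = re.compile(
    r"Filter: (?P<chain>\w+): in:(?P<iface>\S+) .*?proto (?P<proto>\w+).*?"
    r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+)->(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)"
)
# A failed login as written by the system topic.
LOGIN_FAIL_RE = re.compile(
    r"login failure for user (?P<user>\S+) from (?P<src>[\d.]+) via (?P<via>\w+)"
)


def parse_line(line):
    """Classify one syslog line; returns a dict with a 'kind' key, or None."""
    m = DROP_RE.search(line)
    if m:
        event = m.groupdict()
        event["kind"] = "drop"
        event["dport"] = int(event["dport"])
        return event
    m = LOGIN_FAIL_RE.search(line)
    if m:
        event = m.groupdict()
        event["kind"] = "login_failure"
        return event
    return None


def summarize(text):
    """Per-source tallies: dropped packets, distinct destination ports, failed logins."""
    drops = defaultdict(int)
    ports = defaultdict(set)
    failures = defaultdict(int)
    for line in text.splitlines():
        event = parse_line(line)
        if event is None:
            continue
        if event["kind"] == "drop":
            drops[event["src"]] += 1
            ports[event["src"]].add(event["dport"])
        else:
            failures[event["src"]] += 1
    return {
        "drops": dict(drops),
        "ports": {src: sorted(p) for src, p in ports.items()},
        "login_failures": dict(failures),
    }


def suspicious_sources(summary, port_threshold=3, failure_threshold=2):
    """Sources that probed at least `port_threshold` distinct ports or failed
    to log in at least `failure_threshold` times (thresholds are assumptions)."""
    flagged = set()
    for src, plist in summary["ports"].items():
        if len(plist) >= port_threshold:
            flagged.add(src)
    for src, count in summary["login_failures"].items():
        if count >= failure_threshold:
            flagged.add(src)
    return sorted(flagged)


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for src in suspicious_sources(summary):
        print(f"{src}: drops={summary['drops'].get(src, 0)} "
              f"ports={summary['ports'].get(src, [])} "
              f"login_failures={summary['login_failures'].get(src, 0)}")
```

Point summarize() at the contents of /var/log/mikrotik.log from the FreeBSD setup above and it gives you a daily digest in seconds; a source that both hits the drop rule on several ports and then fails logins is the kind of thing worth a second look, and the remote copy of the log is the one to trust if the router's own log disagrees.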
NTP Sync & Misc.
Time, it's a funny thing. You may not be aware that your device is running on the wrong time. This can be a real pain when you're faced with an intrusion and, reading the logs, you discover they are all out by a few hours; it makes it difficult when you're cross-checking firewall hits against another device and have to keep adjusting all the results by a few hours. Also, if you put firewall rules or simple queues in place that work only at specific times, you will find they work at strange times.
One way of correcting this is to use an external time source via NTP. You can find a list of NTP servers in your region here. Because the RouterOs NTP client works on IPs directly rather than doing a DNS lookup each time, you must enter the NTP servers as IP addresses.
Before setting up the NTP client you need to make sure your time zone is correct:
/system clock set time-zone=+12
Once that's done you can set up your NTP client:
/system ntp client set enabled=yes primary-ntp=192.168.0.2 secondary-ntp=192.168.0.3 mode=unicast
It's as simple as that! Now your router should always be telling the correct time.
Throughout this document I have pushed you to think about the security of the entire network even though this document is about securing a single router. My reasons are simple: security is like a chain, and we have just secured one link in that chain, which is pointless if the link before or after it is weak or insecure. You need to look at how you keep your network secure; some questions you might want to ask yourself:
- Who has access to our passwords?
- Who has physical access to our hardware?
- Do I know what every device on our network is?
- How can I tell if a new device pops up on our network?
- How long would it take me to notice if a router’s password changed?
There are a lot more questions you should be asking, but these should get you thinking. Finally, security is not a product, nor is it a set of firewall rules, and it's not a one-time thing either. Good security is an ongoing part of managing your network that is often overlooked or neglected, until you are compromised and then you're under the microscope.
Last Words
I hope you find this useful and not a waste of your time. I like feedback about what I write, so feel free to leave some on the talk page Talk:Securing_New_RouterOs_Router. These guides aren't perfect, so if you see a flaw or error please feel free to update it and let me know via the talk page.