ADVANCED MIKROTIK ROUTER-OS PROTECTIONS

DISCLAIMER: We are not responsible for any error, failure, damage or your router being locked due to intentional or accidental factors. Our Tool works independently, not under the auspices of the MikroTik Company. All problems that occur on your router are your own responsibility and you must be prepared to accept all the risks.

Mikrotik Port Service Protection

Mikrotik Port Service | Description

API (8728)
Application Programmable Interface (API): a service that lets users write custom software or applications that talk to the router. The API port is often attacked by BRUTE FORCE.

# API Port Enable
/ip service set api port=8728 address=0.0.0.0/0 disabled=no
# API Port Disable
/ip service set api port=8728 address=0.0.0.0/0 disabled=yes

API-SSL (8729)
Same as the API but protected with an SSL certificate. The SSL API runs on port 8729.

# API-SSL Port Enable
/ip service set api-ssl port=8729 address=0.0.0.0/0 disabled=no
# API-SSL Port Disable
/ip service set api-ssl port=8729 address=0.0.0.0/0 disabled=yes

FTP (21)
Mikrotik provides a standard FTP service on ports 20 and 21. FTP is often attacked by BRUTE FORCE.

# FTP Port Enable
/ip service set ftp port=21 address=0.0.0.0/0 disabled=no
# FTP Port Disable
/ip service set ftp port=21 address=0.0.0.0/0 disabled=yes

SSH (22)
Encrypted remote console access to the router: the same role as telnet, but secured with encryption.

# SSH Port Enable
/ip service set ssh port=22 address=0.0.0.0/0 disabled=no
# SSH Port Disable
/ip service set ssh port=22 address=0.0.0.0/0 disabled=yes
TELNET (23)
Remote console access like SSH, but unencrypted. Usually used for console access to remote routers.

# TELNET Port Enable (the service name is "telnet", not "ftp")
/ip service set telnet port=23 address=0.0.0.0/0 disabled=no
# TELNET Port Disable
/ip service set telnet port=23 address=0.0.0.0/0 disabled=yes
WINBOX (8291)
Service that lets the Winbox application connect to the router. Older RouterOS versions have had exploitable Winbox vulnerabilities.

# WINBOX Port Enable
/ip service set winbox port=8291 address=0.0.0.0/0 disabled=no
# WINBOX Port Disable
/ip service set winbox port=8291 address=0.0.0.0/0 disabled=yes

WWW WEBFIG (80)
Mikrotik provides router access through a web browser. Uses the standard HTTP port 80.

# WWW (webfig) Port Enable
/ip service set www port=80 address=0.0.0.0/0 disabled=no
# WWW (webfig) Port Disable
/ip service set www port=80 address=0.0.0.0/0 disabled=yes

WWW-SSL WEBFIG (443)
More secure web access using an SSL certificate. Default port 443.

# WWW-SSL (webfig) Port Enable
/ip service set www-ssl port=443 address=0.0.0.0/0 disabled=no
# WWW-SSL (webfig) Port Disable
/ip service set www-ssl port=443 address=0.0.0.0/0 disabled=yes
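Every command in the table above binds the service to address=0.0.0.0/0, i.e. it answers from any source. The usual middle ground between "enabled for everyone" and "disabled" is to bind each management service to the management subnet. The following is an added example, not part of the original page or tool: 192.168.88.0/24 stands in for the management network, and the loop at the end is a check that logs any enabled service whose address field is still empty (reachable from everywhere).

```routeros
# Added example: bind management services to a management subnet and disable the rest.
# 192.168.88.0/24 is an assumed management subnet; replace it with your own.
/ip service
set ssh address=192.168.88.0/24 disabled=no
set winbox address=192.168.88.0/24 disabled=no
set www-ssl address=192.168.88.0/24 disabled=no
set api-ssl address=192.168.88.0/24 disabled=no
# plaintext or unused services stay off
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes

# Check: write a log warning for every enabled service with an empty "address" field,
# i.e. one that still accepts connections from any source.
:foreach s in=[/ip service find disabled=no] do={
  :local name [/ip service get $s name]
  :local addr [:tostr [/ip service get $s address]]
  :if ([:len $addr] = 0) do={
    :log warning ("service " . $name . " is enabled and reachable from any address")
  }
}
```

The address parameter accepts several subnets separated by commas, so a VPN range can be listed next to the LAN. Apply the change from a session inside Safe Mode (Ctrl-X in the terminal) so that a mistake in the subnet does not lock you out.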

Advanced Router Security

Protection | Description

Protect Neighbors Discovery
Hides the Mikrotik device from neighbor discovery (MNDP/CDP/LLDP) on the same layer 2 network.

# Hide Discover Interface Broadcast
/ip neighbor discovery-settings set discover-interface-list=none
# Show Discover Interface Broadcast
/ip neighbor discovery-settings set discover-interface-list=all

Protect Mac Server
Disables MAC-address login (MAC-Winbox, MAC-Telnet) and MAC ping, so the router cannot be managed by MAC address from the layer 2 segment.

# Protect login from Mac Address
/tool mac-server mac-winbox set allowed-interface-list=none
/tool mac-server set allowed-interface-list=none
/tool mac-server ping set enabled=no
# Unprotect login from Mac Address
/tool mac-server mac-winbox set allowed-interface-list=all
/tool mac-server set allowed-interface-list=all
/tool mac-server ping set enabled=yes

Bootloader Protector
Protects access to the router system, especially the reset button functionality.

# Enable Bootloader Protector
# note: this also blocks Netinstall and the serial console; recovery is only possible
# through the reformat-hold-button procedure, so keep a known-good password before enabling it
/system routerboard settings set protected-routerboot=enabled
# Disable Bootloader Protector
/system routerboard settings set protected-routerboot=disabled

Protect Btest Server
Disables the Btest (bandwidth test) server, which could be misused to consume bandwidth.

# Btest Server Enable (authenticate=yes requires a router login for each test)
/tool bandwidth-server set enabled=yes authenticate=yes
# Btest Server Disable
/tool bandwidth-server set enabled=no authenticate=yes

Protect RoMON
Disables RoMON, the layer 2 management overlay that lets routers be reached by MAC address across the network.

# Enable RoMON (replace 12345 with a strong secret of your own)
/tool romon set enabled=yes secrets=12345
# Disable RoMON
/tool romon set enabled=no secrets=12345

Optional Router Security

Protection | Description

Protect Port Service from Internet
Blocks the default Mikrotik service ports on the internet-facing interface.

# "ether to ISP" is the uplink interface name; replace it with your own (for example ether1)
/interface list add name=WAN
/interface list member add list=WAN interface="ether to ISP"
# service ports from the table above (add 443 if www-ssl is enabled and not needed from outside)
/ip firewall filter add action=drop chain=input dst-port=21,22,23,8291,80,8728,8729 in-interface-list=WAN protocol=tcp
/ip firewall filter add action=drop chain=input dst-port=21,22,23,8291,80,8728,8729 in-interface-list=WAN protocol=udp

Anti Hack from EXPLOIT
Protects against the vulnerability in RouterOS versions 6.30.1 to 6.43rc3 by matching input packets that contain the string user.dat (one reject rule and one drop rule).

/ip firewall filter add action=reject chain=input content=user.dat reject-with=icmp-network-unreachable
/ip firewall filter add action=drop chain=input content=user.dat
Memcrashed - Amplification Attacks UDP 11211
Drops forwarded UDP traffic to port 11211 (memcached), so hosts behind the router cannot be used in memcached amplification DDoS attacks.

/ip firewall filter add chain=forward dst-port=11211 protocol=udp action=drop

Block Access Modem
Prevents LAN clients (forward chain) and the router itself (output chain) from reaching the ISP router/modem configuration interface.

# 192.168.1.1 and 192.168.2.1 are common modem addresses; adjust them to your modem
/ip firewall address-list add address=192.168.1.1 list=IP-MODEM
/ip firewall address-list add address=192.168.2.1 list=IP-MODEM
/ip firewall filter add chain=forward dst-address-list=IP-MODEM dst-port=21-23,80,443 protocol=tcp action=drop
/ip firewall filter add action=drop chain=output dst-address-list=IP-MODEM dst-port=21-23,80,443 protocol=tcp

Drop TRACEROUTE
Drops the ICMP time-exceeded (11:0) and port-unreachable (3:3) messages that traceroute relies on, hiding the network path.

/ip firewall filter add action=drop chain=forward icmp-options=11:0 protocol=icmp
/ip firewall filter add action=drop chain=forward icmp-options=3:3 protocol=icmp
Anti NETCUT
Detects hosts that contact the NetCut vendor site (www.arcai.com), lists them for 1h5m and drops their forwarded traffic, stopping ARP-based "cut" attacks on the LAN.

/ip firewall address-list add list=netcut address=www.arcai.com
/ip firewall mangle add action=add-src-to-address-list address-list=NetcutUser address-list-timeout=1h5m chain=prerouting dst-address-list=netcut dst-port=80 protocol=tcp
/ip firewall filter add action=drop chain=forward src-address-list=NetcutUser

Block Open Recursive DNS
Prevents the router from being used as an open DNS resolver from the internet.

# skip the two interface list commands if the WAN list already exists
/interface list add name=WAN
/interface list member add list=WAN interface="ether to ISP"
/ip firewall filter add chain=input dst-port=53 in-interface-list=WAN protocol=tcp action=drop
/ip firewall filter add chain=input dst-port=53 in-interface-list=WAN protocol=udp action=drop

Block Open PROXY
Prevents the web proxy ports from being reached from the internet.

# skip the two interface list commands if the WAN list already exists
/interface list add name=WAN
/interface list member add list=WAN interface="ether to ISP"
/ip firewall filter add action=drop chain=input dst-port=3128,8080 in-interface-list=WAN protocol=tcp
/ip firewall filter add action=drop chain=input dst-port=3128,8080 in-interface-list=WAN protocol=udp
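The three blocks above ("Protect Port Service from Internet", "Block Open Recursive DNS", "Block Open PROXY") each add drop rules for a few more ports on the WAN side. The same result, with nothing forgotten when a new service appears, comes from one ordered default-deny input policy in which only explicitly accepted traffic gets through. This is an added example, not the page's or the tool's own configuration; ether1 (uplink) and 192.168.88.0/24 (admin stations) are assumed values.

```routeros
# Added example: one ordered, default-deny input policy for the ISP-facing interface.
# "ether1" (uplink) and 192.168.88.0/24 (admin stations) are assumed values.
# Skip the two interface list commands if the WAN list already exists.
/interface list add name=WAN
/interface list member add list=WAN interface=ether1
/ip firewall address-list add list=mgmt address=192.168.88.0/24 comment="admin stations"
/ip firewall filter
add chain=input connection-state=established,related action=accept comment="existing sessions"
add chain=input connection-state=invalid action=drop
add chain=input protocol=icmp in-interface-list=WAN limit=5/1s,10:packet action=accept comment="rate-limited ping from outside"
add chain=input src-address-list=mgmt action=accept comment="admin stations reach all services"
add chain=input in-interface-list=WAN action=drop comment="everything else from the ISP side: services, DNS (53), proxy (3128/8080), winbox"
# Check before leaving Safe Mode: the accepts must be listed above the final drop.
/ip firewall filter print where chain=input
```

Rule order is what makes this work: the established/related accept keeps the router's own sessions alive, the mgmt accept comes before the drop, and anything the router must answer from outside (a VPN listener, for example) needs its own accept inserted above the drop. The DHCP client on the uplink is not affected, because RouterOS handles it outside the IP firewall. Make the change inside Safe Mode (Ctrl-X in the terminal) so a wrong interface name or subnet is rolled back when the session is cut.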
Anti DDoS Attacks
Rate-limits new connections per source/destination pair and lists the offending sources and targets.

# every new forward connection is checked in the block-ddos chain
/ip firewall filter add chain=forward connection-state=new action=jump jump-target=block-ddos
# drop new connections from a listed attacker to a listed target
# (matching the source as well avoids dropping all traffic to a target once it is listed)
/ip firewall filter add chain=forward connection-state=new src-address-list=ddoser dst-address-list=ddosed action=drop
# 50 new connections per second (burst 50), tracked per src/dst pair with a 10s expiry, are fine: return
/ip firewall filter add chain=block-ddos dst-limit=50,50,src-and-dst-addresses/10s action=return
# above the limit: record target and source (without address-list-timeout the entries are permanent)
/ip firewall filter add chain=block-ddos action=add-dst-to-address-list address-list=ddosed
/ip firewall filter add chain=block-ddos action=add-src-to-address-list address-list=ddoser
Anti PORT SCAN
Lists sources that send TCP flag combinations typical of port scanners for two weeks and drops their input traffic.

# FIN stealth scan
/ip firewall filter add chain=input action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
# SYN/FIN scan
/ip firewall filter add chain=input action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w protocol=tcp tcp-flags=fin,syn
# SYN/RST scan
/ip firewall filter add chain=input action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w protocol=tcp tcp-flags=syn,rst
# FIN/PSH/URG (Xmas) scan
/ip firewall filter add chain=input action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w protocol=tcp tcp-flags=fin,psh,urg
# all flags set
/ip firewall filter add chain=input action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
# NULL scan (no flags)
/ip firewall filter add chain=input action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
# drop everything from listed sources
/ip firewall filter add action=drop chain=input src-address-list="port scanners"
Anti Hack from BruteForce FTP + SSH
Prevents brute force attacks on the FTP and SSH/telnet services: FTP by counting "530 Login incorrect" replies sent by the router, SSH/telnet by counting new connections from the same source.

# FTP: drop listed sources; up to 9 failed logins per minute per address are tolerated, anything beyond that is listed for 3h
/ip firewall filter add action=drop chain=input comment="drop ftp BRUTE FORCErs" dst-port=21 protocol=tcp src-address-list=ftp_blacklist
/ip firewall filter add action=accept chain=output content="530 Login incorrect" dst-limit=1/1m,9,dst-address/1m protocol=tcp
/ip firewall filter add action=add-dst-to-address-list address-list=ftp_blacklist address-list-timeout=3h chain=output content="530 Login incorrect" protocol=tcp
# SSH/telnet: a source that opens a fourth new connection within a minute of the previous one is blacklisted for 10 days
# (the stage rules are in reverse order so a single connection cannot advance through all stages at once)
/ip firewall filter add action=drop chain=input comment="drop ssh BRUTE FORCErs" dst-port=22-23 protocol=tcp src-address-list=ssh_blacklist
/ip firewall filter add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=1w3d chain=input connection-state=new dst-port=22-23 protocol=tcp src-address-list=ssh_stage3
/ip firewall filter add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m chain=input connection-state=new dst-port=22-23 protocol=tcp src-address-list=ssh_stage2
/ip firewall filter add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m chain=input connection-state=new dst-port=22-23 protocol=tcp src-address-list=ssh_stage1
/ip firewall filter add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m chain=input connection-state=new dst-port=22-23 protocol=tcp
# also stop blacklisted sources from brute-forcing hosts behind the router
/ip firewall filter add action=drop chain=forward comment="drop ssh brute downstream" dst-port=22-23 protocol=tcp src-address-list=ssh_blacklist
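The rules above count FTP error replies and SSH connection attempts; they never see whether a login actually failed. RouterOS does record that in its log, as lines of the form "login failure for user admin from 203.0.113.5 via ssh", which covers Winbox, www and API logins as well. The script below is an added example, not part of the original page or tool: it extracts the source address from each such log line and lists it for an hour, and a drop rule keyed on that list protects every service at once. The address 203.0.113.5 in the comment is a constructed sample, the list name login_failures and the script name ban-login-failures are assumptions, and the WAN interface list is the one created in "Protect Port Service from Internet".

```routeros
# Added example: ban sources of failed logins recorded in the router log.
# Paste this block as the source of a script named "ban-login-failures" under /system script.
# RouterOS logs failed logins as, for example:
#   login failure for user admin from 203.0.113.5 via ssh
# (203.0.113.5 is a constructed sample address; "login_failures" is an assumed list name)
:foreach i in=[/log find message~"login failure for user"] do={
  :local msg [/log get $i message]
  # the address sits between "from " and " via"
  :local start ([:find $msg "from "] + 5)
  :local end [:find $msg " via"]
  :local src [:pick $msg $start $end]
  # list each source once; the timeout expires the entry without manual cleanup
  :if ([:len [/ip firewall address-list find list=login_failures address=$src]] = 0) do={
    /ip firewall address-list add list=login_failures address=$src timeout=1h comment=("auto-banned:" . [:pick $msg $end [:len $msg]])
  }
}

# Then, from the terminal: drop listed sources arriving from the ISP side before any service
# rule is reached, and run the script once a minute.
# /ip firewall filter add chain=input in-interface-list=WAN src-address-list=login_failures action=drop place-before=0 comment="failed-login sources"
# /system scheduler add name=ban-login-failures interval=1m on-event=ban-login-failures
```

Keeping in-interface-list=WAN on the drop rule means a mistyped password from an admin station on the LAN does not lock that station out for an hour. The existence check before the add prevents duplicate entries; after an entry expires, the same log line can re-add the source until the in-memory log buffer has rotated, which is acceptable for a one-hour ban.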
Port Knocking Use Icmp + Packet Size
Uses two ICMP pings of specific sizes (100 bytes, then 200 bytes) as a knock sequence that opens FTP/SSH/telnet to the knocking address for a limited time.

# packet-size counts the whole IP packet including headers
# first knock: a 100-byte ICMP packet lists the source for 30 seconds
/ip firewall filter add chain=input packet-size=100 protocol=icmp action=add-src-to-address-list address-list=port-knocking-first address-list-timeout=30s
# second knock: a 200-byte ICMP packet from a listed source opens access for 15 minutes
/ip firewall filter add chain=input packet-size=200 protocol=icmp src-address-list=port-knocking-first action=add-src-to-address-list address-list=port-knocking-second address-list-timeout=15m
# (the timeouts make the access temporary; without them a knocked address stays listed permanently)
# only knocked sources may reach the services; everyone else is dropped
/ip firewall filter add chain=input dst-port=21,22,23 protocol=tcp src-address-list=port-knocking-second action=accept
/ip firewall filter add chain=input dst-port=21,22,23 protocol=tcp src-address-list=!port-knocking-second action=drop