Mikrotik Configuration Security Guideline

#Mikrotik Configuration#Security Guideline

#Mikrotik #protection

Guideline for Mikrotik Configuration

Step0 (do this first: check for RouterOS package updates and upgrade the RouterBOARD firmware)

/system package update check-for-updates
/system routerboard upgrade

Step1 (set a complex password containing special characters, create a separate full-rights user, and disable the built-in admin account). The passwords below are examples only; replace them with your own values. The built-in admin user already exists, so disable it with `/user set admin disabled=yes` after confirming the new user can log in; values containing `$`, `#` or `(` must be quoted in the RouterOS terminal.
user add name=admin disabled=yes password=@dM!n@*628653()$#& group=full
user add name=noc password=!n@*628653()$# group=full
system note set note=Banner_Information
system identity set name=Client_Name

Step2 (add the ACL address list; only the sources listed here will be allowed to reach the management ports filtered in Step3)
/ ip firewall address-list
add address=x.x.x.x comment="" disabled=no list=ACL
/

Step3 (drop connections to management and proxy ports from any source not in ACL; the custom Winbox/SSH ports used here must match the ports set in Step4, which sets Winbox to 52330, not 52333)
/ ip firewall filter
add action=drop chain=input comment="Drop Winbox 8291 from non-ACL" disabled=no dst-port=8291 protocol=tcp src-address-list=!ACL
add action=drop chain=input comment="Drop Winbox 52333 from non-ACL" disabled=no dst-port=52333 protocol=tcp src-address-list=!ACL
add action=drop chain=input comment="Drop Telnet 23 from non-ACL" disabled=no dst-port=23 protocol=tcp src-address-list=!ACL
add action=drop chain=input comment="Drop SSH 22 from non-ACL" disabled=no dst-port=22 protocol=tcp src-address-list=!ACL
add action=drop chain=input comment="Drop SSH 2200 from non-ACL" disabled=no dst-port=2200 protocol=tcp src-address-list=!ACL
add action=drop chain=input comment="Drop Web 80 from non-ACL" disabled=no dst-port=80 protocol=tcp src-address-list=!ACL
add action=drop chain=input comment="Drop 8080 from non-ACL" disabled=no dst-port=8080 protocol=tcp src-address-list=!ACL
add action=drop chain=input comment="Drop FTP 21 from non-ACL" disabled=no dst-port=21 protocol=tcp src-address-list=!ACL
add action=drop chain=input comment="Drop 80 from non-ACL (duplicate of the Web 80 rule above)" disabled=no dst-port=80 protocol=tcp src-address-list=!ACL
add action=drop chain=input comment="Drop 8181 from non-ACL" disabled=no dst-port=8181 protocol=tcp src-address-list=!ACL
add action=drop chain=input comment="Drop 8880 from non-ACL" disabled=no dst-port=8880 protocol=tcp src-address-list=!ACL
add action=drop chain=input comment="Drop 81 from non-ACL" disabled=no dst-port=81 protocol=tcp src-address-list=!ACL
add action=drop chain=input comment="Drop 82 from non-ACL" disabled=no dst-port=82 protocol=tcp src-address-list=!ACL
add action=drop chain=input comment="Drop 8081 from non-ACL" disabled=no dst-port=8081 protocol=tcp src-address-list=!ACL
add action=drop chain=input comment="Drop 8082 from non-ACL" disabled=no dst-port=8082 protocol=tcp src-address-list=!ACL
add action=drop chain=input comment="Drop 8089 from non-ACL" disabled=no dst-port=8089 protocol=tcp src-address-list=!ACL
add action=drop chain=input comment="Drop API 8728 from non-ACL" disabled=no dst-port=8728 protocol=tcp src-address-list=!ACL
add action=drop chain=input comment="Drop Socks 2008 from non-ACL" disabled=no dst-port=2008 protocol=tcp src-address-list=!ACL
add action=drop chain=input comment="Drop Socks 1080 from non-ACL" disabled=no dst-port=1080 protocol=tcp src-address-list=!ACL
add action=drop chain=input comment="Drop Socks 4153 from non-ACL" disabled=no dst-port=4153 protocol=tcp src-address-list=!ACL
add action=add-src-to-address-list address-list=Dos_Attack address-list-timeout=5m chain=input comment="Dos Attack" connection-limit=10,32 protocol=tcp
add action=tarpit chain=input comment="Dos Attack" connection-limit=10,32 protocol=tcp src-address-list=Dos_Attack
/
/tool bandwidth-server set enabled=no

Step4 (disable unused services and move SSH and Winbox to non-default ports; the ports chosen here must match the Step3 filter rules, which filter Winbox on 52333 while this step sets 52330. Apply this step from a session originating at an ACL address so the port change does not lock you out.)
ip smb set allow-guests=no
ip smb set enabled=no
ip service disable telnet
ip service disable ftp
ip service disable www
ip service disable api
ip service disable api-ssl
ip service set ssh port=2200
ip dns set allow-remote-requests=no
ip proxy set enabled=no
ip upnp set enabled=no
ip dns set servers=8.8.8.8,1.1.1.1,8.8.4.4
ip socks set enabled=no
ip cloud set ddns-enabled=no
ip service set winbox port=52330

Step6
DHCP (review the lease time and set it according to the client environment; 24–72 hours is typical for a corporate office)
NAT example (replace 116.100.100.34 with your own public address):
/ip firewall nat
add action=src-nat chain=srcnat dst-address=!192.168.0.0/16 src-address=192.168.1.0/24 to-addresses=116.100.100.34

 

Step7 (protection against UDP floods)

/ip firewall filter
add action=drop chain=forward comment=UDP-Flood disabled=no src-address-list=UDP-1K time=0s-1d,sun,mon,tue,wed,thu,fri,sat
add action=add-src-to-address-list address-list=UDP-1K address-list-timeout=none-static chain=forward connection-limit=100,32 limit=1k,5:packet in-interface=ether3 protocol=udp [replace ether3 with your LAN interface]
/ip firewall mangle
add action=mark-packet chain=prerouting dst-port=!53 new-packet-mark=udp_packets passthrough=yes protocol=udp
/queue simple
add max-limit=2M/2M name="ALL UDP Except 53" packet-marks=udp_packets target=""
