Wireless Connect Logo
Hello Guest! - Login
Contact Wireless Connect
Securing your MikroTik Router / Firewall
Credit Cards Accepted
Back to Table Of Contents >>

The first step in securing your network is to secure any appliance (managed switch router / firewall / VPN Concentrator) that is directly attached to your network)There are many approaches to securing devices, some are better than others. The Basic concepts of securing your MikroTik Router, or any router for that matter can be summarised as follows;

  1. Stop all Unnecessary Services on the MikroTik Router.
  2. Create Firewall Lists to Deny all un wanted inbound Traffic and only allow wanted /needed inbound trafic.
  3. If you need services on the router to be remotely accessible you should limit the addresses that can connect to the router.
  4. If there are services on the router that cannot be pratically limited to a small number of addresses, then you should try to protect the router by stricty firewalling these services so that the services can only operate strictly to standards suchas RFCs etc.

 Each of the above approaches & their implementations will be outlined  in detail in this article:

 

Stop all Unnecessary Services on the MikroTik Router.

This reduces the attack surface of your router the less services there are to attack the less likely your router could be compromised or overloaded;

 

 Deny all un wanted inbound Traffic

By restricting inbound traffic to the router, one can prevent the accidental opening up of services on the router. Also by restricting all types of services except for the services you know about & you want, you prevent any services (that you may not be aware of ) being accessible remotely on the MikroTik router.

 

Remotely Accessible Router Services should be limited to few addresses

This is a simple and very effective way of controlling who can attempt to access the MikroTik router. One could check from which addresses or networks the MikroTik Router would be administered. Then one could create firewall rules that only allow access to the router services from the management netwokrs.

 

 

 PubliclyAccessible Router Services should filtered

to operate strictly to RFC standards

If there is a service open to the world one should create firewall rules that limit access to the service within strict parameters.One should monitor the behavior of the service in normal operation and then create firewall rules that prevent the service being used outside its normal working parameters.

 

A typical example of this type of firewalling is someone wants to be able to ssh into a router from anywhere, however if you leave TCP port 22 (SSH) open to the world you would find that there are alot of morons out there who are only two happy to run a bruteforce dictionary attack on your server. Fortunately SSH servers normally disconnect a user after a number of failed attempts. So we can use this fact to create a firewall rule to prevent someone trying to brute force hack our ssh server by carrying out the following algorithim

  1. Deny any one who is on the ssh_blacklist a new session on any protocol.
  2. Allow anyone who was on the "ssh_Dark grey list" to connect a new session on port 22 and add the address to the "ssh_Blacklist " with a time out of 1 hour
  3. Allow anyone who was on the "ssh_grey list" to connect a new session on port 22 and add the address to the "ssh_dark grey list" with a time out of 1 minute
  4. Allow anyone who was on the "light_grey_list" to connect a new session on port 22 and add the address to the "ssh_grey list" with a time out of 1 minute
  5. Allow anyone who creates a first session on port 22 and add the address to the "ssh_lightgreylist " with a time out of 1 minute

 

/ip firewall filter

add chain=input src-address-list=sshblacklist action=drop \
comment="drop all traffic brute force attack sources" disabled=no

add chain=input protocol=tcp dst-port=22 connection-state=new \
src-address-list=sshdarkgreylist action=add-src-to-address-list \
address-list=sshblacklist address-list-timeout=1h \
comment="add new failed sshdarkgreylist to sshblacklist" \
disabled=no

add chain=input protocol=tcp dst-port=22 connection-state=new \
src-address-list=sshgreylist action=add-src-to-address-list \
address-list=sshdarkgreylist address-list-timeout=1m \
comment="add new failed sshgreylist to sshdarkgreylist" \
disabled=no

add chain=input protocol=tcp dst-port=22 connection-state=new \
src-address-list=sshlightgreylist action=add-src-to-address-list \
address-list=sshgreylist address-list-timeout=1m \
comment="add new failed sshlightgreylist to sshgreylist" \
disabled=no

add chain=input protocol=tcp dst-port=22 connection-state=new \
action=add-src-to-address-list \
address-list=sshlightgreylist address-list-timeout=1m \
comment="new connections to sshlightgreylist" \
disabled=no


 

 References

The SSH brute force mitigation Script is based on some legend's script at the following location;

 http://forum.mikrotik.com/viewtopic.php?f=7&t=19009

Back to Table Of Contents >>