Now that we’re (relatively) secure from the outside, let’s secure a couple of things inside the router. First, let’s set a password on the default admin user, then change the admin username to something other than the factory default “admin”. Just as most people rename the Administrator user on Windows servers, it’s a good idea to rename the Mikrotik admin user to something other than a known default:
/user set 0 password=mygreatpassword
/user set 0 name=tikadmin
All router administrators should have their own logins for the purpose of non-repudiation, and should only use those logins to administer the device. The user we just renamed should only be used for recovery purposes if the other credentials are somehow lost or forgotten. Individual logins also allow another administrator to quickly disable a departing administrator’s access.
Another best practice is to disable neighbor discovery, which stops the router from being discovered by other devices running Mikrotik’s Neighbor Discovery Protocol (MNDP) or Cisco’s Discovery Protocol (CDP), or by programs capable of snooping on discovery traffic. First we’ll turn it off by default for IPv4, so that new interfaces won’t participate when they come online, and we’ll disable it for IPv6:
/ip neighbor discovery settings set default=no default-for-dynamic=no
/ipv6 nd set [find] disabled=yes
Then we’ll shut it off on each individual IPv4 interface that’s already running, because out of the box it’s enabled on interfaces by default (even the WAN):
/ip neighbor discovery set [find] discover=no
All other ports are turned off, so no discovery is going to happen there. Once that’s done, if you have an interface on a management subnet / VLAN, it wouldn’t hurt to allow discovery protocols to run on just that interface.
We’ll also turn on Reverse Path Filtering (RPF). This feature drops packets that appear to be spoofed, i.e. a packet coming from an internal LAN subnet heading outbound but with a source IP address that doesn’t belong to your LAN. This is very common when a workstation has been infected with a virus and is now participating in a DDoS attack. We’ll turn on RPF in the IP > Settings menu:
/ip settings set rp-filter=strict
It has been noted that the Reverse Path Filter feature can cause issues if a router is multi-homed. Unfortunately Mikrotik’s implementation of this feature doesn’t allow Reverse Path Filtering to be enabled on specific interfaces, only for the entire device, so watch out for that if your device is multi-homed. Assuming you can implement RPF, please do so – it’s considered part of being a good Internet citizen. This kind of filtering is also documented as Best Common Practice (BCP) #38, as well as RFC #2827.
We should also set a login banner, which is displayed when someone logs into the router and is required by a number of compliance standards. Depending on the country and jurisdiction this banner statement may or may not be legally relevant, but it certainly doesn’t hurt to have a banner displayed on login. First, set the banner to be displayed at login:
/system note set show-at-login=yes
Then set the contents of the banner message. This should be something that clearly states that access to the router is for authorized administrators only, and that access is monitored.
/system note set note="Authorized administrators only. Access to this device is monitored."
Now when an administrator (or anyone else) logs into the router remotely via SSH or Telnet this banner will appear. It will also appear if a terminal is opened in Winbox.
Last but certainly not least, we’ll create a backup copy of the new config that can be downloaded from the router and stored with other backups in case the router fails and needs to be replaced:
export compact file=backup_config_router01
Long-term device security and risk management means not only putting these settings in place, but also monitoring your devices and auditing the settings that are in place regularly.
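As an added example of that regular auditing (this is not part of the original post, nor Mikrotik’s own tooling), here is a small Python script that parses a compact export like the one produced above and checks it against the settings covered in this guide. The sample export text is constructed, and the `set`/`add` key=value line format is assumed from RouterOS 6 compact export output.

```python
import re
from collections import defaultdict

# Constructed sample of a RouterOS `/export compact` file (not from a real router).
SAMPLE_EXPORT = """\
# jan/02/2019 10:00:00 by RouterOS 6.43
#
/ip neighbor discovery settings
set default=no default-for-dynamic=no
/ip settings
set rp-filter=strict
/system note
set note="Authorized administrators only. Access to this device is monitored." show-at-login=yes
/user
add group=full name=tikadmin
"""

# Matches key=value pairs; quoted values may contain spaces.
PAIR_RE = re.compile(r'(\S+?)=("[^"]*"|\S+)')

def parse_export(text):
    """Return {section path: [ {key: value, ...}, ... ]} from compact export text.
    Each set/add line under a '/path' header becomes one dict of its key=value pairs."""
    sections = defaultdict(list)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank lines and the export header comments
        if line.startswith("/"):
            current = line                # a new menu path such as /ip settings
            continue
        entry = {k: v.strip('"') for k, v in PAIR_RE.findall(line)}
        entry["_cmd"] = line.split()[0]   # 'set' or 'add'
        sections[current].append(entry)
    return sections

def audit(text):
    """Check the hardening settings from this guide; return a list of findings (empty = clean)."""
    cfg = parse_export(text)
    def first(section, key):              # value of `key` in the first entry that defines it
        return next((e[key] for e in cfg.get(section, []) if key in e), None)
    findings = []
    if first("/ip settings", "rp-filter") != "strict":
        findings.append("rp-filter is not strict")
    if first("/ip neighbor discovery settings", "default") != "no":
        findings.append("neighbor discovery still enabled by default")
    if first("/system note", "show-at-login") != "yes":
        findings.append("login banner not shown at login")
    if any(e.get("name") == "admin" for e in cfg.get("/user", [])):
        findings.append("default 'admin' user name still present")
    return findings
```

Run it against each router’s export after every change window and compare the findings with the previous run; an unexpected finding points at a setting that has drifted.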