IP Services Hardening

IP Services Hardening

RouterOS exposes management interfaces through /ip service. By default several are enabled — some insecure by design. Hardening means disabling what you don’t need, restricting what you keep, and enabling encrypted alternatives where available.

Sub-menu

/ip service

Service Defaults

Service	Default Port	Protocol	Encrypted
telnet	23	TCP	No
ftp	21	TCP	No
www	80	HTTP	No
www-ssl	443	HTTPS	Yes
ssh	22	TCP	Yes
winbox	8291	TCP	Partial (v6.49+)
api	8728	TCP	No
api-ssl	8729	TCP	Yes

Parameters

Parameter	Description
disabled	yes to disable the service entirely
port	TCP port the service listens on
address	Comma-separated list of IP/prefix ranges allowed to connect (0.0.0.0/0 = any)
certificate	Certificate name to use for TLS (www-ssl, api-ssl only)
tls-version	Minimum TLS version: any, only-1.2, only-1.3
invalid-client-timeout	Time before disconnecting an idle unauthenticated client

Step 1 — Disable Unused Services

Telnet, FTP, and plain HTTP transmit credentials in cleartext. Disable them unless you have a specific operational need.

/ip service
disable telnet
disable ftp
disable www
disable api

Or in one command:

/ip service disable telnet,ftp,www,api

Verify what is running:

/ip service print

Keep only the services your workflow requires. A typical hardened router running SSH and Winbox management needs only ssh and winbox (plus www-ssl if using WebFig over HTTPS).

Step 2 — Restrict Services to Management IPs

The address field acts as an allowlist. Connections from addresses outside this list are dropped before authentication is attempted.

# Restrict SSH to a single management subnet
/ip service set ssh address=192.168.100.0/24

# Restrict Winbox to two ranges
/ip service set winbox address=192.168.100.0/24,10.10.0.0/16

# Restrict HTTPS WebFig
/ip service set www-ssl address=192.168.100.0/24

Tip

Set address even for services you think are protected by firewall rules. Defense in depth — if a firewall rule is accidentally removed, the service-level restriction remains.

Unlike port changes, address restrictions take effect immediately — there is no session grace period. If your management station’s IP is not in the allowed range, you will be locked out instantly with no fallback. Verify your management station’s IP is within the allowed range before applying the restriction. If you are locked out, use serial console or ROM monitor recovery to regain access.

To allow access from anywhere (remove the restriction):

/ip service set ssh address=0.0.0.0/0

Step 3 — Change Default Ports

Moving services off well-known ports reduces noise from automated scanners. It is not a security control on its own, but it reduces log clutter and buys time.

# Move SSH off port 22
/ip service set ssh port=2222

# Move Winbox off 8291
/ip service set winbox port=9291

Update your firewall rules and client configurations before changing ports or you will lock yourself out.

Step 4 — Enable HTTPS (www-ssl)

Replace plain HTTP WebFig access with HTTPS. You need a certificate in the RouterOS certificate store first — see the Certificate Management guide for how to create a self-signed or Let’s Encrypt certificate.

Once a certificate with a local private key (L flag) is in the store:

# Assign certificate and enable www-ssl
/ip service set www-ssl certificate=router-tls tls-version=only-1.2 disabled=no

# Disable the plain HTTP service
/ip service disable www

Enforce a minimum TLS version:

tls-version value	Behaviour
any	Accepts TLS 1.0 and above
only-1.2	Rejects anything below TLS 1.2
only-1.3	Requires TLS 1.3 (RouterOS 7.x)

Tip

Use only-1.2 for broad compatibility. Use only-1.3 if all clients support it.

The same certificate approach applies to api-ssl:

/ip service set api-ssl certificate=router-tls tls-version=only-1.2 disabled=no
/ip service disable api

Step 5 — SSH Hardening

Strong Cryptography

RouterOS SSH supports a range of cipher suites. Enable strong crypto to disable weak algorithms:

/ip ssh set strong-crypto=yes

With strong-crypto=yes RouterOS disables:

• 3des and blowfish ciphers
• hmac-sha1 and hmac-md5 MACs
• diffie-hellman-group1-sha1 and diffie-hellman-group14-sha1 key exchange

And enables only:

• aes128-ctr, aes192-ctr, aes256-ctr (or GCM variants on ROS 7)
• hmac-sha2-256, hmac-sha2-512
• diffie-hellman-group14-sha256 and curve25519-sha256 (ROS 7)

Increase Host Key Size

/ip ssh set host-key-size=4096

Regenerate the host key after changing the size:

/ip ssh regenerate-host-key

Existing SSH clients that have cached the old host key will see a host key mismatch warning after regeneration. Update ~/.ssh/known_hosts on management workstations.

Public Key Authentication

Public key auth eliminates password-based brute force against SSH. Import an authorized public key for a RouterOS user:

# Upload the public key file to the router first (e.g. via SCP or drag-and-drop in Winbox)
/user ssh-keys import user=admin public-key-file=id_ed25519.pub

Verify imported keys:

/user ssh-keys print

Once key-based auth is confirmed working, you can optionally disable password auth:

/ip ssh set always-allow-password-login=no

Confirm key-based login works in a separate session before setting always-allow-password-login=no. Locking out password auth with no valid key leaves you relying on serial console recovery.

Forwarding

Disable SSH forwarding if not needed:

/ip ssh set forwarding-enabled=no

Step 6 — Disable Neighbor Discovery on Untrusted Interfaces

RouterOS broadcasts MNDP (MikroTik Neighbor Discovery Protocol) and optionally CDP/LLDP frames on all interfaces by default. These frames expose the router’s identity, IP addresses, and software version to adjacent hosts.

Restrict discovery to a trusted interface list. LAN is not a built-in list, and bridge is not guaranteed to exist on a CHR. Create the list if needed, then add your actual LAN-facing interface or bridge:

# Create the LAN interface list (skip if it already exists)
/interface list add name=LAN
/interface list member add interface=ether2 list=LAN

# Restrict discovery to that list
/ip neighbor discovery-settings set discover-interface-list=LAN

To disable neighbor discovery entirely:

/ip neighbor discovery-settings set discover-interface-list=none

Tip

Keep discovery enabled on internal management interfaces so Winbox can discover routers by MAC. Disable it on WAN and transit interfaces.

Verify:

/ip neighbor discovery-settings print

Step 7 — Disable Bandwidth Test Server

The bandwidth test server (/tool bandwidth-server) allows any authenticated user to run throughput tests against the router. In production this is an unnecessary attack surface.

/tool bandwidth-server set enabled=no

Verify:

/tool bandwidth-server print

Step 8 — Restrict DNS to Trusted Clients

If the RouterOS DNS resolver is not used as a LAN resolver, disable remote requests:

/ip dns set allow-remote-requests=no

If the router must serve DNS to LAN clients, allow only from trusted subnets using firewall rules and leave remote requests enabled.

If you want to use in-interface-list=WAN, create the WAN interface list first and add your actual internet-facing interface (for example ether1):

/interface list add name=WAN
/interface list member add interface=ether1 list=WAN

The examples below use WAN and LAN interface lists. Create them first if they do not exist. LAN is covered in Step 6; WAN must also be created before these rules will work:

/ip dns set allow-remote-requests=yes

# Accept DNS from LAN
/ip firewall filter
add chain=input protocol=udp dst-port=53 src-address=192.168.100.0/24 action=accept comment="DNS from LAN"
add chain=input protocol=tcp dst-port=53 src-address=192.168.100.0/24 action=accept comment="DNS from LAN TCP"
# Drop DNS from WAN (add before the default drop rule)
add chain=input protocol=udp dst-port=53 in-interface-list=WAN action=drop comment="Block DNS from WAN"
add chain=input protocol=tcp dst-port=53 in-interface-list=WAN action=drop comment="Block DNS from WAN TCP"

An open DNS resolver reachable from the internet can be used in amplification attacks. Always verify allow-remote-requests is no on internet-facing routers not intended to serve DNS.

Step 9 — Disable HTTP Proxy and SOCKS

RouterOS includes an HTTP proxy and SOCKS proxy that are disabled by default but should be explicitly confirmed off:

/ip proxy set enabled=no
/ip socks set enabled=no

Verify:

/ip proxy print
/ip socks print

An open proxy reachable from untrusted networks allows traffic forwarding through the router, bypassing firewall policies.

Verification

Check the current state of all services:

/ip service print

Check SSH settings:

/ip ssh print

Scan from an external host to confirm only expected ports respond. RouterOS does not include a CLI port scanner — use an external tool such as nmap:

nmap -p 1-65535 <router-ip>

Or for a quick check of the common management ports:

nmap -p 21,22,23,80,443,8291,8728,8729 <router-ip>

Recommended Baseline

The router-tls certificate must exist in the RouterOS certificate store before applying this configuration. On a fresh RouterOS installation, no default certificate with this name exists. Create one following the Certificate Management guide.

A typical hardened configuration for a router managed over SSH and Winbox:

# Disable unused services
/ip service disable telnet,ftp,www,api

# Restrict active services to management subnet
/ip service
set ssh      address=192.168.100.0/24 port=22
set winbox   address=192.168.100.0/24 port=8291
set www-ssl  address=192.168.100.0/24 certificate=router-tls tls-version=only-1.2 disabled=no

# SSH hardening
/ip ssh
set strong-crypto=yes host-key-size=4096 forwarding-enabled=no

# Restrict neighbor discovery to LAN
/ip neighbor discovery-settings set discover-interface-list=LAN

# Disable bandwidth test server
/tool bandwidth-server set enabled=no

# Disable DNS remote requests (if router is not a LAN resolver)
/ip dns set allow-remote-requests=no

# Disable proxy services
/ip proxy set enabled=no
/ip socks set enabled=no

Adjust address ranges and interface lists to match your management network topology.

See also: MAC Server Security for hardening MAC-Telnet, MAC-Winbox, and MAC-Ping.