# IP Services Hardening

RouterOS exposes management interfaces through `/ip service`. By default several are enabled — some insecure by design. Hardening means disabling what you don’t need, restricting what you keep, and enabling encrypted alternatives where available.
## Sub-menu

`/ip service`

## Service Defaults

| Service | Default Port | Protocol | Encrypted |
|---|---|---|---|
| telnet | 23 | TCP | No |
| ftp | 21 | TCP | No |
| www | 80 | HTTP | No |
| www-ssl | 443 | HTTPS | Yes |
| ssh | 22 | TCP | Yes |
| winbox | 8291 | TCP | Partial (v6.49+) |
| api | 8728 | TCP | No |
| api-ssl | 8729 | TCP | Yes |
## Parameters

| Parameter | Description |
|---|---|
| disabled | `yes` to disable the service entirely |
| port | TCP port the service listens on |
| address | Comma-separated list of IP/prefix ranges allowed to connect (`0.0.0.0/0` = any) |
| certificate | Certificate name to use for TLS (www-ssl, api-ssl only) |
| tls-version | Minimum TLS version: `any`, `only-1.2`, `only-1.3` |
| invalid-client-timeout | Time before disconnecting an idle unauthenticated client |
## Step 1 — Disable Unused Services

Telnet, FTP, and plain HTTP transmit credentials in cleartext, and the plain API on port 8728 is likewise unencrypted. Disable them unless you have a specific operational need.

```
/ip service
disable telnet
disable ftp
disable www
disable api
```

Or in one command:

```
/ip service disable telnet,ftp,www,api
```

Verify what is running:

```
/ip service print
```

Keep only the services your workflow requires. A typical hardened router managed over SSH and Winbox needs only `ssh` and `winbox` (plus `www-ssl` if using WebFig over HTTPS).
## Step 2 — Restrict Services to Management IPs

The `address` field acts as an allowlist. Connections from addresses outside this list are dropped before authentication is attempted.

```
# Restrict SSH to a single management subnet
/ip service set ssh address=192.168.100.0/24

# Restrict Winbox to two ranges
/ip service set winbox address=192.168.100.0/24,10.10.0.0/16

# Restrict HTTPS WebFig
/ip service set www-ssl address=192.168.100.0/24
```

To allow access from anywhere (remove the restriction):

```
/ip service set ssh address=0.0.0.0/0
```

## Step 3 — Change Default Ports
Moving services off well-known ports reduces noise from automated scanners. It is not a security control on its own, but it reduces log clutter and buys time.

```
# Move SSH off port 22
/ip service set ssh port=2222

# Move Winbox off 8291
/ip service set winbox port=9291
```

Update your firewall rules and client configurations before changing ports, or you will lock yourself out.
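Steps 1 to 3 are easy to verify by eye on one router and easy to miss across a fleet. The following is an added example (not part of this guide and not MikroTik code): a Python script for a management workstation that parses the output of `/ip service print terse` and reports enabled cleartext services, services reachable from any address, and services still on their default port. The sample output is constructed to resemble terse output; the terse format and its `X` disabled flag are assumptions to check against your own router before relying on the parser.

```python
"""Audit `/ip service print terse` output against Steps 1-3 of the guide.

Added example, not from the original guide. SAMPLE is constructed; the
terse format (index, optional flag letters, key=value pairs) is assumed.
"""
import ipaddress
import re

# Services whose protocols carry credentials in cleartext (Step 1).
CLEARTEXT = {"telnet", "ftp", "www", "api"}
# Default ports from the Service Defaults table (Step 3).
DEFAULT_PORTS = {"telnet": 23, "ftp": 21, "www": 80, "www-ssl": 443,
                 "ssh": 22, "winbox": 8291, "api": 8728, "api-ssl": 8729}

# Constructed sample: a partially hardened router.
SAMPLE = """\
 0   name=telnet port=23 address=""
 1 X name=ftp port=21 address=""
 2 X name=www port=80 address=""
 3   name=ssh port=2222 address=192.168.100.0/24
 4   name=www-ssl port=443 address=0.0.0.0/0 certificate=router-tls tls-version=any
 5 X name=api port=8728 address=""
 6   name=winbox port=8291 address=192.168.100.0/24,10.10.0.0/16
 7 X name=api-ssl port=8729 address="" certificate=none tls-version=any
"""

LINE_RE = re.compile(r"^\s*(\d+)\s+([A-Z]*)\s*(name=.*)$")
KV_RE = re.compile(r'(\S+?)=("[^"]*"|\S*)')


def parse_services(text):
    """Return one dict per service from terse print output."""
    services = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header or blank line
        flags, body = m.group(2), m.group(3)
        svc = {k: v.strip('"') for k, v in KV_RE.findall(body)}
        svc["disabled"] = "X" in flags  # 'X' flag = disabled (assumed)
        svc["port"] = int(svc.get("port", 0))
        services.append(svc)
    return services


def allowed_from(address_field, client_ip):
    """Evaluate the `address` allowlist as Step 2 describes: an empty field
    or 0.0.0.0/0 admits any source, otherwise the client must fall inside
    one of the listed prefixes."""
    if not address_field:
        return True
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(e.strip(), strict=False)
               for e in address_field.split(","))


def audit(services):
    """Return (service, severity, message) findings for enabled services."""
    findings = []
    for svc in services:
        if svc["disabled"]:
            continue
        name = svc["name"]
        addr = svc.get("address", "")
        if name in CLEARTEXT:
            findings.append((name, "high", "cleartext protocol enabled (Step 1)"))
        if not addr or any(e.strip() == "0.0.0.0/0" for e in addr.split(",")):
            findings.append((name, "high", "reachable from any address (Step 2)"))
        if name in ("www-ssl", "api-ssl") and svc.get("tls-version", "any") == "any":
            findings.append((name, "medium", "tls-version=any accepts TLS 1.0 (Step 4)"))
        if svc["port"] == DEFAULT_PORTS.get(name):
            findings.append((name, "info", f"on default port {svc['port']} (Step 3)"))
    return findings


if __name__ == "__main__":
    for name, severity, msg in audit(parse_services(SAMPLE)):
        print(f"{severity:6} {name:8} {msg}")
```

Run it against saved output from several routers to get a consistent list of what still deviates from the baseline; `allowed_from` doubles as a quick check of whether a given workstation address would pass a service's allowlist before you apply the change and risk a lockout.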
## Step 4 — Enable HTTPS (www-ssl)

Replace plain HTTP WebFig access with HTTPS. You need a certificate in the RouterOS certificate store first — see the Certificate Management guide for how to create a self-signed or Let’s Encrypt certificate.

Once a certificate with a local private key (`L` flag) is in the store:

```
# Assign certificate and enable www-ssl
/ip service set www-ssl certificate=router-tls tls-version=only-1.2 disabled=no

# Disable the plain HTTP service
/ip service disable www
```

Enforce a minimum TLS version:

| tls-version value | Behaviour |
|---|---|
| any | Accepts TLS 1.0 and above |
| only-1.2 | Rejects anything below TLS 1.2 |
| only-1.3 | Requires TLS 1.3 (RouterOS 7.x) |

The same certificate approach applies to api-ssl:

```
/ip service set api-ssl certificate=router-tls tls-version=only-1.2 disabled=no
/ip service disable api
```

## Step 5 — SSH Hardening
### Strong Cryptography

RouterOS SSH supports a range of cipher suites. Enable strong crypto to disable weak algorithms:

```
/ip ssh set strong-crypto=yes
```

With `strong-crypto=yes` RouterOS disables:

- `3des` and `blowfish` ciphers
- `hmac-sha1` and `hmac-md5` MACs
- `diffie-hellman-group1-sha1` and `diffie-hellman-group14-sha1` key exchange

And enables only:

- `aes128-ctr`, `aes192-ctr`, `aes256-ctr` (or GCM variants on ROS 7)
- `hmac-sha2-256`, `hmac-sha2-512`
- `diffie-hellman-group14-sha256` and `curve25519-sha256` (ROS 7)
### Increase Host Key Size

```
/ip ssh set host-key-size=4096
```

Regenerate the host key after changing the size:

```
/ip ssh regenerate-host-key
```

Existing SSH clients that have cached the old host key will see a host key mismatch warning after regeneration. Update `~/.ssh/known_hosts` on management workstations, and compare the new key's fingerprint against one obtained out of band (for example over the console) rather than accepting the warning blindly.
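After `regenerate-host-key`, the workstation side of the job is to replace the stale `known_hosts` entry and to check the fingerprint the client warns about. The following is an added example (not part of this guide, and not code from MikroTik): a Python helper using only the standard library that computes the `SHA256:` fingerprint of an OpenSSH public key line exactly as `ssh-keygen -lf` prints it, and rewrites the entry for a given host in `known_hosts` text. The ed25519 keys and the `known_hosts` contents are constructed in the script and are not real keys.

```python
"""known_hosts maintenance after a RouterOS SSH host key regeneration.

Added example, not from the original guide. The key material below is
constructed from fixed bytes purely to exercise the helpers.
"""
import base64
import hashlib
import struct


def ssh_public_key_line(key_type, raw_key):
    """Build an OpenSSH public key line ("<type> <base64 blob>") from raw bytes.
    The blob is the SSH wire encoding: string(type) string(key)."""
    blob = (struct.pack(">I", len(key_type)) + key_type.encode()
            + struct.pack(">I", len(raw_key)) + raw_key)
    return f"{key_type} {base64.b64encode(blob).decode()}"


def fingerprint(public_key_line):
    """SHA256 fingerprint as ssh-keygen -lf shows it: base64 of the digest of
    the decoded blob, with '=' padding stripped."""
    blob = base64.b64decode(public_key_line.split()[1])
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def update_known_hosts(contents, host, new_key_line):
    """Drop every known_hosts entry whose host field names `host` and append
    the new key. Hashed (|1|...) entries cannot be matched by name and are
    kept as they are."""
    kept = []
    for line in contents.splitlines():
        fields = line.split()
        # host field may be "a,b,c" or "[host]:port"; match on exact tokens
        if len(fields) >= 3 and host in fields[0].split(","):
            continue  # stale entry for this router
        kept.append(line)
    kept.append(f"{host} {new_key_line}")
    return "\n".join(kept) + "\n"


# Constructed keys: NOT real keys, just 32 deterministic bytes each.
OLD_KEY = ssh_public_key_line("ssh-ed25519", bytes(range(32)))
NEW_KEY = ssh_public_key_line("ssh-ed25519", bytes(range(32, 64)))
OTHER_KEY = ssh_public_key_line("ssh-ed25519", bytes(32))

# Constructed known_hosts contents for a workstation managing two hosts.
KNOWN_HOSTS = f"""\
192.168.100.1 {OLD_KEY}
other.example.net {OTHER_KEY}
"""


if __name__ == "__main__":
    print("old fingerprint:", fingerprint(OLD_KEY))
    print("new fingerprint:", fingerprint(NEW_KEY))
    print(update_known_hosts(KNOWN_HOSTS, "192.168.100.1", NEW_KEY))
```

In practice the `new_key_line` comes from the router (for example the line the client displays, or a copy taken over the console), and the fingerprint printed here is the value to compare against the one in the client's mismatch warning before the entry is replaced.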
### Public Key Authentication

Public key auth removes SSH's exposure to password brute force once password login is disabled (below). Import an authorized public key for a RouterOS user:

```
# Upload the public key file to the router first (e.g. via SCP or paste)
/user ssh-keys import user=admin public-key-file=id_ed25519.pub
```

Verify imported keys:

```
/user ssh-keys print
```

Once key-based auth is confirmed working, you can optionally disable password auth:

```
/ip ssh set always-allow-password-login=no
```

Confirm key-based login works in a separate session before setting `always-allow-password-login=no`. Locking out password auth with no valid key leaves you relying on serial console recovery.
### Forwarding

Disable SSH forwarding if not needed:

```
/ip ssh set forwarding-enabled=no
```

## Step 6 — Disable Neighbor Discovery on Untrusted Interfaces
RouterOS broadcasts MNDP (MikroTik Neighbor Discovery Protocol) and optionally CDP/LLDP frames on all interfaces by default. These frames expose the router’s identity, IP addresses, and software version to adjacent hosts.

Restrict discovery to a trusted interface list:

```
/ip neighbor discovery-settings set discover-interface-list=LAN
```

To disable neighbor discovery entirely:

```
/ip neighbor discovery-settings set discover-interface-list=none
```

Verify:

```
/ip neighbor discovery-settings print
```

## Step 7 — Disable Bandwidth Test Server
The bandwidth test server (`/tool bandwidth-server`) allows any authenticated user to run throughput tests against the router. In production this is an unnecessary attack surface.

```
/tool bandwidth-server set enabled=no
```

Verify:

```
/tool bandwidth-server print
```

## Step 8 — Restrict DNS to Trusted Clients
If the RouterOS DNS resolver is not used as a LAN resolver, disable remote requests:

```
/ip dns set allow-remote-requests=no
```

If the router must serve DNS to LAN clients, allow only trusted subnets using firewall rules and leave remote requests enabled:

```
/ip dns set allow-remote-requests=yes

# Accept DNS from LAN
/ip firewall filter
add chain=input protocol=udp dst-port=53 src-address=192.168.100.0/24 action=accept comment="DNS from LAN"
add chain=input protocol=tcp dst-port=53 src-address=192.168.100.0/24 action=accept comment="DNS from LAN TCP"
# Drop DNS from WAN (add before the default drop rule)
add chain=input protocol=udp dst-port=53 in-interface-list=WAN action=drop comment="Block DNS from WAN"
add chain=input protocol=tcp dst-port=53 in-interface-list=WAN action=drop comment="Block DNS from WAN TCP"
```

An open DNS resolver reachable from the internet can be used in amplification attacks. Always verify `allow-remote-requests` is `no` on internet-facing routers not intended to serve DNS.
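The comment "add before the default drop rule" matters because the filter chain is evaluated top to bottom and the first matching rule decides. The following is an added example (not part of this guide and not RouterOS code): a small Python simulation of first-match evaluation over the four DNS rules above plus an assumed final default drop, with constructed interface-list membership and sample packets. It only models the matchers these rules use (protocol, dst-port, src-address, in-interface-list); the real firewall has many more.

```python
"""First-match simulation of the Step 8 input-chain rules.

Added example, not from the original guide. RULES mirrors the page's four
DNS rules plus an assumed trailing default drop; INTERFACE_LISTS and the
packets are constructed.
"""
import ipaddress

RULES = [
    {"protocol": "udp", "dst-port": 53, "src-address": "192.168.100.0/24",
     "action": "accept", "comment": "DNS from LAN"},
    {"protocol": "tcp", "dst-port": 53, "src-address": "192.168.100.0/24",
     "action": "accept", "comment": "DNS from LAN TCP"},
    {"protocol": "udp", "dst-port": 53, "in-interface-list": "WAN",
     "action": "drop", "comment": "Block DNS from WAN"},
    {"protocol": "tcp", "dst-port": 53, "in-interface-list": "WAN",
     "action": "drop", "comment": "Block DNS from WAN TCP"},
    {"action": "drop", "comment": "default drop (assumed final rule)"},
]

# Constructed interface-list membership: ether1 is the uplink.
INTERFACE_LISTS = {"WAN": {"ether1"}, "LAN": {"bridge1"}}


def rule_matches(rule, packet, lists):
    """Every matcher present on the rule must match; absent matchers match all."""
    for key in ("protocol", "dst-port"):
        if key in rule and rule[key] != packet.get(key):
            return False
    if "src-address" in rule:
        net = ipaddress.ip_network(rule["src-address"], strict=False)
        if ipaddress.ip_address(packet["src-address"]) not in net:
            return False
    if "in-interface-list" in rule:
        members = lists.get(rule["in-interface-list"], set())
        if packet.get("in-interface") not in members:
            return False
    return True


def evaluate(rules, packet, lists=INTERFACE_LISTS):
    """Walk the chain top to bottom; return (action, index of the rule that
    matched). No match returns ("accept", None): a chain with no matching
    rule accepts, which is why the explicit final drop is needed."""
    for i, rule in enumerate(rules):
        if rule_matches(rule, packet, lists):
            return rule["action"], i
    return "accept", None


def dns_query(src, iface, proto="udp"):
    """Constructed packet headed for the router's own resolver."""
    return {"protocol": proto, "dst-port": 53,
            "src-address": src, "in-interface": iface}


if __name__ == "__main__":
    for label, pkt in [("LAN client", dns_query("192.168.100.20", "bridge1")),
                       ("internet host", dns_query("203.0.113.7", "ether1")),
                       ("other internal net", dns_query("192.168.200.5", "bridge1"))]:
        action, idx = evaluate(RULES, pkt)
        print(f"{label:20} -> {action} (rule {idx})")
```

Two things the simulation makes visible: with the final drop removed, a query from an internal subnet outside the allowlist is accepted because nothing matched, and with the default drop moved to the top every later rule is shadowed. Note also that the accept rules match on source address only, so a packet carrying a LAN source address that arrives on `ether1` is accepted by rule 0; adding `in-interface-list=LAN` to the accept rules ties them to the trusted interface as well.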
## Step 9 — Disable HTTP Proxy and SOCKS

RouterOS includes an HTTP proxy and a SOCKS proxy. Both are disabled by default but should be explicitly confirmed off:

```
/ip proxy set enabled=no
/ip socks set enabled=no
```

Verify:

```
/ip proxy print
/ip socks print
```

An open proxy reachable from untrusted networks allows traffic forwarding through the router, bypassing firewall policies.
## Verification

Check the current state of all services:

```
/ip service print
```

Check SSH settings:

```
/ip ssh print
```

Scan from an external host to confirm only expected ports respond:

```
/tool port-scan address=<router-ip> port-range=1-65535
```

## Recommended Baseline
A typical hardened configuration for a router managed over SSH and Winbox:

```
# Disable unused services
/ip service disable telnet,ftp,www,api

# Restrict active services to management subnet
/ip service
set ssh address=192.168.100.0/24 port=22
set winbox address=192.168.100.0/24 port=8291
set www-ssl address=192.168.100.0/24 certificate=router-tls tls-version=only-1.2 disabled=no

# SSH hardening
/ip ssh
set strong-crypto=yes host-key-size=4096 forwarding-enabled=no

# Restrict neighbor discovery to LAN
/ip neighbor discovery-settings set discover-interface-list=LAN

# Disable bandwidth test server
/tool bandwidth-server set enabled=no

# Disable DNS remote requests (if router is not a LAN resolver)
/ip dns set allow-remote-requests=no

# Disable proxy services
/ip proxy set enabled=no
/ip socks set enabled=no
```

Adjust address ranges and interface lists to match your management network topology.

See also: MAC Server Security for hardening MAC-Telnet, MAC-Winbox, and MAC-Ping.