Securing the MikroTik RouterBOARD RB751G-2HnD (or any RouterOS device) – the bare minimum
Before you do anything else with the MikroTik RouterBOARD RB751G-2HnD, or any other device running RouterOS with its default configuration, you should enable a bare minimum of security features.
Set a password
The first thing to do is to change the password for the default user “admin”. Once logged in, there are (at least) two ways to do this. Either set it directly:
[admin@MikroTik] > user set admin password=somegoodpassword
Or by using the “password” utility to set the password interactively:
[admin@MikroTik] > password
old password: ********
new password: ********
retype new password: ********
Basic wireless security
The default configuration is a completely open wireless network, with the ESSID “MikroTik”:
[admin@MikroTik] > interface wireless print 
Flags: X - disabled, R - running 
 0    name="wlan1" mtu=1500 mac-address=00:0C:42:FC:B9:2B arp=enabled interface-type=Atheros 11N mode=ap-bridge 
      ssid="MikroTik" frequency=2412 band=2ghz-b/g/n channel-width=20/40mhz-ht-above scan-list=default 
      wireless-protocol=any antenna-mode=ant-a wds-mode=disabled wds-default-bridge=none wds-ignore-ssid=no 
      bridge-mode=enabled default-authentication=yes default-forwarding=yes default-ap-tx-limit=0 
      default-client-tx-limit=0 hide-ssid=no security-profile=default compression=no 
The first thing we need to do is to configure some wireless security. I chose WPA2-PSK (pre-shared key) because it is simple to set up on the router and quick to configure on clients. Here is how to configure it. First, take a look at the current wireless security profile. Notice the “0” at the start of the entry: this number identifies the profile and is used later when configuring it:
[admin@MikroTik] > interface wireless security-profiles print
 0 name="default" mode=none authentication-types="" unicast-ciphers="" group-ciphers=""
   wpa-pre-shared-key="" wpa2-pre-shared-key="" supplicant-identity="MikroTik" eap-methods=passthrough
   tls-mode=no-certificates tls-certificate=none static-algo-0=none static-key-0="" static-algo-1=none
   static-key-1="" static-algo-2=none static-key-2="" static-algo-3=none static-key-3=""
   static-transmit-key=key-0 static-sta-private-algo=none static-sta-private-key=""
   radius-mac-authentication=no radius-mac-accounting=no radius-eap-accounting=no interim-update=0s
   radius-mac-format=XX:XX:XX:XX:XX:XX radius-mac-mode=as-username radius-mac-caching=disabled
   group-key-update=5m management-protection=disabled management-protection-key=""
You can set each parameter separately, or set all the ones we want to change at once, on one line. Let’s set them all at once:
[admin@MikroTik] > interface wireless security-profiles set mode=dynamic-keys authentication-types=wpa2-psk unicast-ciphers=aes-ccm group-ciphers=aes-ccm wpa2-pre-shared-key=longrandomlycreatedkey numbers=0
Notice the “numbers=0” at the end: it means that we are setting the parameters of entry number “0”, the first and default wireless security profile. The “wpa2-pre-shared-key” value “longrandomlycreatedkey” is of course only an example. Come up with a long, strong and random key, and keep it locked away if you write it down on paper or store it in a file on removable media.
Let’s check the configuration we applied:
[admin@MikroTik] > interface wireless security-profiles print
 0 name="default" mode=dynamic-keys authentication-types=wpa2-psk unicast-ciphers=aes-ccm group-ciphers=aes-ccm
   wpa-pre-shared-key="" wpa2-pre-shared-key="longrandomlycreatedkey" supplicant-identity="MikroTik"
   eap-methods=passthrough tls-mode=no-certificates tls-certificate=none static-algo-0=none static-key-0=""
   static-algo-1=none static-key-1="" static-algo-2=none static-key-2="" static-algo-3=none static-key-3=""
   static-transmit-key=key-0 static-sta-private-algo=none static-sta-private-key=""
   radius-mac-authentication=no radius-mac-accounting=no radius-eap-accounting=no interim-update=0s
   radius-mac-format=XX:XX:XX:XX:XX:XX radius-mac-mode=as-username radius-mac-caching=disabled
   group-key-update=5m management-protection=disabled management-protection-key=""
The Security Profiles properties are documented further in the manual.
Disable unnecessary services
There are some services started and running by default:
[admin@MikroTik] > ip service print detail
Flags: X - disabled, I - invalid
 0   name="telnet" port=23
 1   name="ftp" port=21
 2   name="www" port=80
 3   name="ssh" port=22
 4 X name="www-ssl" port=443 certificate=none
 5 X name="api" port=8728
 6   name="winbox" port=8291
SSH is enabled by default, and SFTP works nicely over it, so there is no need to have telnetd or the FTP server running; let’s disable them.
Disable the telnet server:
[admin@MikroTik] > ip service disable telnet
Disable the ftp-server:
[admin@MikroTik] > ip service disable ftp
We are also not going to use the Winbox utility, so we disable that service:
[admin@MikroTik] > ip service disable winbox
If you were paying attention and used TAB as you should, you will have noticed that the CLI lets you do as many things as you like on one line, as long as you separate the commands with a semicolon, “;”. The above could have been accomplished with a line like:
[admin@MikroTik] > ip service disable telnet ; ip service disable ftp ; ip service disable winbox
If you remember from the previous post, there is also a bandwidth test server running on port 2000 that is not listed among the IP services; let’s disable that too:
[admin@MikroTik] > tool bandwidth-server set enabled=no
Test and confirm
Check which services are running now:
[admin@MikroTik] > ip service print detail
Flags: X - disabled, I - invalid
 0 X name="telnet" port=23
 1 X name="ftp" port=21
 2   name="www" port=80
 3   name="ssh" port=22
 4 X name="www-ssl" port=443 certificate=none
 5 X name="api" port=8728
 6 X name="winbox" port=8291
and:
[admin@MikroTik] > tool bandwidth-server print 
                  enabled: no
             authenticate: yes
  allocate-udp-ports-from: 2000
             max-sessions: 100
Alright, that looks the way we want it. Let’s confirm from a client with a port scan:
root@messtent:~# nmap -A -p0-65535 192.168.88.1

Starting Nmap 5.00 ( http://nmap.org ) at 2012-03-26 05:42 CEST
Interesting ports on 192.168.88.1:
Not shown: 65533 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     (protocol 2.0)
|_ ssh-hostkey: 1024 [...] (DSA)
53/tcp open  domain?
80/tcp open  http?
| robots.txt: has 1 disallowed entry
|_ /
|_ html-title: RouterOS router configuration page
[...]
Nice, the services are really stopped.
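As an added example (not part of the original post or of RouterOS), here is a small Python audit that parses the RouterOS "print" listings shown above, the "ip service print detail" output and the "interface wireless security-profiles print" entry, and reports what is still weak. The sample listings are copied from this post; the parser is generic over any numbered RouterOS print entry, so it also works on the wireless interface listing. Note that it flags the www service (plain HTTP on port 80), which the steps above leave enabled and the nmap scan confirms is open.

```python
import re
import shlex

# Constructed samples: the listings shown in this post, before hardening.
SERVICES = """Flags: X - disabled, I - invalid
 0   name="telnet" port=23
 1   name="ftp" port=21
 2   name="www" port=80
 3   name="ssh" port=22
 4 X name="www-ssl" port=443 certificate=none
 5 X name="api" port=8728
 6   name="winbox" port=8291
"""
PROFILES = ' 0 name="default" mode=none authentication-types="" unicast-ciphers="" group-ciphers="" wpa2-pre-shared-key=""'
CLEARTEXT = {"telnet", "ftp", "www", "api"}   # management / credentials without encryption
ENTRY = re.compile(r"^\s*(\d+)\s+([A-Z ]*?)\s*(name=.*)$")   # "<index> [flags] name=... k=v ..."

def parse_print(text):
    """Parse a RouterOS `print` listing into one dict per numbered entry (index, flags, properties)."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue                       # header line or wrapped continuation
        idx, flags, rest = m.groups()
        props = dict(tok.split("=", 1) for tok in shlex.split(rest) if "=" in tok)
        entries.append({"index": int(idx), "flags": set(flags.split()), **props})
    return entries

def enabled_cleartext_services(text):
    """Cleartext management services still enabled (entries without the X flag)."""
    return sorted(e["name"] for e in parse_print(text)
                  if "X" not in e["flags"] and e["name"] in CLEARTEXT)

def weak_profiles(text):
    """Security profiles that fall short of WPA2-PSK with AES-CCM, mapped to the reasons."""
    findings = {}
    for p in parse_print(text):
        auth = set(p.get("authentication-types", "").split(","))
        reasons = []
        if p.get("mode") != "dynamic-keys":
            reasons.append("mode is not dynamic-keys (open or static WEP)")
        if "wpa2-psk" not in auth:
            reasons.append("wpa2-psk not enabled")
        if "wpa-psk" in auth:
            reasons.append("WPA1 (wpa-psk) still allowed")
        if "tkip" in p.get("unicast-ciphers", "") + p.get("group-ciphers", ""):
            reasons.append("TKIP cipher allowed")
        if reasons:
            findings[p["name"]] = reasons
    return findings
```

Run it on a listing captured from the router over SSH (for example, "ip service print detail" piped into a file) and the two functions return what still needs attention.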
Testing wireless
root@messtent:~# iwconfig wlan0 ; ifconfig wlan0 ; wpa_cli status ; echo ; ping -f -c 10000 -s 1500 192.168.88.1
wlan0     IEEE 802.11abgn  ESSID:"MikroTik"  
          Mode:Managed  Frequency:2.412 GHz  Access Point: 00:0C:42:[...]   
          Bit Rate=150 Mb/s   Tx-Power=15 dBm   
          Retry  long limit:7   RTS thr:off   Fragment thr:off
          Encryption key:off
          Power Management:off
          Link Quality=70/70  Signal level=-8 dBm  
          Rx invalid nwid:0  Rx invalid crypt:0  Rx invalid frag:0
          Tx excessive retries:0  Invalid misc:0   Missed beacon:0
wlan0     Link encap:Ethernet  HWaddr 00:21:5d:[...]  
          inet addr:192.168.88.252  Bcast:192.168.88.255  Mask:255.255.255.0
          inet6 addr: fe80::221:5d[...]/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:7371256 errors:0 dropped:0 overruns:0 frame:0
          TX packets:10303519 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:3847289761 (3.5 GiB)  TX bytes:11677149925 (10.8 GiB)
Selected interface 'wlan0'
bssid=00:0c:42:[...]
ssid=MikroTik
id=0
pairwise_cipher=CCMP
group_cipher=CCMP
key_mgmt=WPA2-PSK
wpa_state=COMPLETED
ip_address=192.168.88.252
PING 192.168.88.1 (192.168.88.1) 1500(1528) bytes of data.
  
--- 192.168.88.1 ping statistics ---
10000 packets transmitted, 10000 received, 0% packet loss, time 27908ms
rtt min/avg/max/mdev = 2.280/2.686/22.347/0.868 ms, pipe 2, ipg/ewma 2.791/2.788 ms
Our wireless security profile works, and traffic flows, quite well too.
Configuration backup
To export the current configuration (with all keys in cleartext):
[admin@MikroTik] > export file=secured_default
Note, however, that users and passwords are not saved by the export above. They are saved in the binary configuration backup:
[admin@MikroTik] > system backup save name=secured_default_bin
[admin@MikroTik] > file print
 # NAME                        TYPE       SIZE    CREATION-TIME
 0 skins                       directory          jan/01/1970 00:00:53
 1 auto-before-reset.backup    backup     13 178  jan/02/1970 00:00:55
 2 secured_default.rsc         script     17 695  jan/03/1970 04:43:25
 3 secured_default_bin.backup  backup     21 143  jan/03/1970 04:44:06
Download the files to your computer and examine them. Keep them safe, because they contain your keys and passwords.
root@messtent:~/mikrotik# sftp admin@192.168.88.1
admin@192.168.88.1's password:
Connected to 192.168.88.1.
sftp> ls
auto-before-reset.backup    secured_default.rsc         secured_default_bin.backup  skins
sftp> get *.*
Fetching /auto-before-reset.backup to auto-before-reset.backup
/auto-before-reset.backup                     100%   13KB  12.9KB/s   00:00
Fetching /secured_default.rsc to secured_default.rsc
/secured_default.rsc                          100%   17KB  17.3KB/s   00:00
Fetching /secured_default_bin.backup to secured_default_bin.backup
/secured_default_bin.backup                   100%   21KB  20.7KB/s   00:00
Related articles
- Examining, configuring and playing with the MikroTik RouterBOARD RB751G-2HnD for the first time
- Securing the MikroTik RouterBOARD RB751G-2HnD (or any RouterOS device) – the bare minimum
I hope this has been informative, and I would like to thank you for reading. Feel free to comment.
3 thoughts on “Securing the MikroTik RouterBOARD RB751G-2HnD (or any RouterOS device) – the bare minimum”
Filed under: English,routerboard - @ March 26, 2012 07:49
Tags: guide, mikrotik, networking, routerboard, routeros, security, wifi
Great post! Do you check the performance of CPU and memory? It seems like this can be the weak point of this device…