Beginner’s Guide: Securing Your MikroTik Router – Changing Defaults and Hardening Your Setup Print

Hello again! It’s Emmanuel Corels from Emmanuel Corels Creatives, and today we’re focusing on one of the most crucial steps for any network administrator—securing your MikroTik router. Before you dive into advanced configurations, it’s essential to lock down your device by changing default credentials, disabling unnecessary services, and applying basic security best practices. Let’s walk through these steps in a straightforward, beginner-friendly manner.

Why Securing Your Router Is Important

When you first power up a MikroTik router, it comes with default settings that are convenient for initial setup but are widely known—and therefore risky—for malicious actors. By taking a few simple steps, you can prevent unauthorized access, reduce vulnerabilities, and keep your network safe.

Step 1: Change the Default Admin Password

The very first thing you should do is replace the default (or blank) admin password with a strong, unique password.

• In WinBox:
  1. Open System → Users.
  2. Double-click the admin user.
  3. Enter a new, complex password (use a mix of letters, numbers, and symbols).
  4. Click OK.
• CLI Command:

  /user set admin password="YourNewStrongPassword!"
  

Tip: Write your new password down somewhere safe or use a trusted password manager.

Step 2: Create Additional User Accounts (Optional)

For extra security, consider creating a separate admin account and then disabling or renaming the default admin account. This way, if someone tries to guess your username, they won’t hit the well-known default.

• In WinBox:
  1. Navigate to System → Users.
  2. Click the “+” button.
  3. Enter a unique username (e.g., superadmin).
  4. Set a strong password.
  5. Assign it to the full group.
  6. Click OK.
  7. (Optional) Disable the default admin account by selecting it and clicking Disable.
• CLI Commands:

  /user add name=superadmin group=full password="AnotherStrongPassword!"
  /user disable admin
  

Tip: Always keep at least one account with full access, but avoid using easily guessable names like admin.

Step 3: Disable Unnecessary Services

Your MikroTik router runs several services by default, such as Telnet, FTP, and HTTP, which might not be needed—and can expose vulnerabilities if left enabled.

1. Identify Running Services:
   Go to IP → Services in WinBox. You'll see a list of services with their respective ports.

2. Disable Unused Services:

   • Telnet: If you’re not using it, select it and click Disable.
   • FTP: Similarly, disable if you don’t need file transfers.
   • HTTP: If you prefer using WinBox or secure HTTPS, disable HTTP.
   • SSH/WinBox: Keep these enabled but consider restricting them (see next step).

• CLI Commands:

  /ip service disable telnet
  /ip service disable ftp
  /ip service disable www  ; (HTTP)
  

Tip: It’s a good idea to keep secure services like SSH and WinBox enabled—but later we’ll restrict their access.

Step 4: Restrict Management Access

Limiting which IP addresses can access your router for management reduces the risk of unauthorized logins.

1. Set Up Firewall Rules for Management:
   Create rules that allow management access only from trusted IP addresses (e.g., your office or home network) and drop all other attempts.

   • Example Rule for WinBox (TCP Port 8291):

     /ip firewall filter add chain=input protocol=tcp dst-port=8291 src-address=192.168.88.0/24 action=accept comment="Allow WinBox from trusted LAN"
     /ip firewall filter add chain=input protocol=tcp dst-port=8291 action=drop comment="Drop WinBox from other sources"
     

   • Similarly, for SSH (TCP Port 22):

     /ip firewall filter add chain=input protocol=tcp dst-port=22 src-address=192.168.88.0/24 action=accept comment="Allow SSH from trusted LAN"
     /ip firewall filter add chain=input protocol=tcp dst-port=22 action=drop comment="Drop SSH from others"
     

2. Use Secure Protocols:
   If possible, use secure protocols (like HTTPS instead of HTTP) and consider using VPNs for remote management.

Tip: Adjust the trusted IP ranges to match your actual network environment.

Step 5: Regularly Update RouterOS

Keeping your RouterOS updated is essential for security, as updates include patches for vulnerabilities and performance improvements.

• Check for Updates:
  Go to System → Packages → Check For Updates in WinBox.
• Read Release Notes:
  Familiarize yourself with any changes that might affect your configuration.
• Backup Before Upgrading:
  Always create a backup before updating, so you can restore your configuration if something goes wrong.

Tip: Schedule regular update checks and maintain a testing environment if possible.

Final Thoughts

Securing your MikroTik router is the first line of defense for your entire network. By changing default passwords, disabling unused services, restricting management access, and keeping your RouterOS up to date, you’re significantly reducing the risk of unauthorized access and potential security breaches.

Take your time with these steps, and if you have questions or run into issues, don’t hesitate to reach out. A secure network is a happy network—protect your setup and enjoy peace of mind!

Guided with security in mind by
Emmanuel Corels – Admin, Emmanuel Corels Creatives