Before I got too entrenched in configuring my shiny new MikroTik RB2011UiAS-2HnD I endeavored to lock it down a little more so I could take my time whilst having peace of mind.
When you power the router up for the first time, plug an Ethernet cable from your configuring computer into eth2 on the MikroTik. You will get a DHCP lease and will be able to access the router on the default gateway IP address listed in the documentation in the box (mine is 192.168.88.1).
Most of the services and capabilities that might allow people access beyond the Ethernet connection (e.g. the wireless AP) are off by default.
Note: In the pictures below, the path shown indicates where each setting lives in the configuration page, e.g. System root menu -> Users -> SSH Keys -> Import SSH Key
The first things we want to do are:
Change the admin password
Turn off services and limit access to the remaining ones
- I turned off everything but web access on port 80 (which I plan to use only as a backup), HTTPS on port 443 and SSH on port 22
- I also locked the services to the admin network, which only I will have access to (192.168.88.0/24)
Import SSH keys
- This will allow you to SSH in with a strong key protected by a strong passphrase.
You can do this by downloading the packages to the disk of the configuring computer and uploading them, or by plugging another cable into eth1 on the MikroTik and into a LAN port on a router that is connected to the Internet and giving out DHCP leases. The MikroTik WAN interface is configured to take a DHCP lease by default. This is the way I updated my packages.
- Updating will get you supported software plus security fixes
- This makes the LCD on the router read only, stopping people with physical access making changes
I did not have a need for this so I turned it off, because it was exposing a TCP port. The fewer attack vectors the better.
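The same lock-down expressed as RouterOS terminal commands, as an added example that is not from the original post. It assumes RouterOS 6.x syntax, the 192.168.88.0/24 admin network described above, and a public key already uploaded to the router's file list under the placeholder name admin.pub.

```routeros
# Added example (not from the original post): CLI equivalents of the steps above.
# Assumptions: RouterOS 6.x, admin network 192.168.88.0/24, key file admin.pub uploaded.

# 1. Change the admin password (the value here is a placeholder; pick a long passphrase)
/user set admin password="CHANGE-ME-long-passphrase"

# 2. Turn off every management service except HTTP (backup only), HTTPS and SSH
/ip service disable telnet,ftp,api,api-ssl,winbox

#    ...and answer the remaining services only from the admin network
/ip service set www address=192.168.88.0/24
/ip service set www-ssl address=192.168.88.0/24 disabled=no
/ip service set ssh address=192.168.88.0/24

# 3. Import the SSH public key for the admin user; the passphrase protects the private half
/user ssh-keys import user=admin public-key-file=admin.pub

# 4. Update packages over the WAN DHCP lease on eth1 (download, then reboot to install)
/system package update check-for-updates
/system package update download
/system reboot

# 5. Make the LCD read-only so someone with physical access cannot change settings
/lcd set read-only-mode=yes

# Verify which services are enabled and which source addresses they accept
/ip service print
```

The www-ssl service additionally needs a certificate assigned (its certificate= parameter) before browsers will accept the 443 listener; that step is device-specific and not shown here.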
Testing your alleged security
Once I felt I had a decent initial configuration I lightly tested the theory with some trusty port scans using nmap.
Note: I did do both TCP and UDP scans, but the UDP scans turned up nothing.
DNS, HTTP, HTTPS and SSH should only be accessible from inside the internal admin network. The integrity of the services at this point relies on you having strong user/password and passphrase combinations (naturally aside from potential flaws in the code of the services themselves, which is beyond the scope of this post). It is worth mentioning that I set up internal DNS after the initial configuration, which you can see in the scan below, so just ignore that for now.
$ nmap -sT -sV -T5 -p1-65535 192.168.88.1
Starting Nmap 6.45 ( http://nmap.org ) at 2015-04-11 15:02 AEST
Nmap scan report for router (192.168.88.1)
Host is up (0.011s latency).
Not shown: 65531 closed ports
PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      MikroTik RouterOS sshd (protocol 2.0)
53/tcp  open  domain   MikroTik RouterOS named or OpenDNS Updater
80/tcp  open  http     MikroTik router config httpd
443/tcp open  ssl/http MikroTik router config httpd
MAC Address: 11:22:33:44:55:66 (Routerboard.com)
Service Info: OSs: Linux, RouterOS; Device: router; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 22.39 seconds
I then plugged the WAN port (eth1) of the MikroTik into a LAN port of another router, with a laptop connected to that same secondary router, and scanned the "external" interface that got the DHCP lease, which as shown below has nothing exposed.
$ nmap -sT -sV -T5 -p1-65535 192.168.1.110
Starting Nmap 6.45 ( http://nmap.org ) at 2015-04-11 15:14 AEST
Nmap scan report for 192.168.1.110
Host is up (0.0057s latency).
All 65535 scanned ports on 192.168.1.110 are filtered
MAC Address: 11:22:33:44:55:66 (Routerboard.com)
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 657.51 seconds
At the moment only the default network exists, which is 192.168.88.0/24 (my admin network), but once I create more I intend to try to access the administrative interfaces from them and try to get onto the admin network segment, to validate the expected security of limited user/device access.