FIREWALL / SERVICES HARDENING

Services hardening.

RouterOS ships with seven services enabled out of the box: telnet, ftp, www, ssh, www-ssl, api, api-ssl, winbox. Most homelabs use two of those. The fix is mechanical: audit, disable the rest, restrict the remainder by source IP, and put a real certificate on the HTTPS one.

1. Audit what's listening

Print the table and look at the flags column — anything not marked X (disabled) is listening on all addresses (0.0.0.0) unless the ADDRESS column restricts it, and is reachable from any interface that doesn't have a firewall rule blocking it.

v6:
# audit what's listening (v6)
/ip service print

v7:
# audit what's listening (v7)
/ip/service print

2. Disable everything you don't use

Telnet and FTP transmit credentials in plain text — disable them on principle, even on isolated networks. The www service is the cleartext Webfig endpoint; www-ssl is the HTTPS one and is fine to keep if you use Webfig. The two API services are only needed if you have automation talking to RouterOS via the binary API.

disable-services.rsc (v6):
# disable everything you don't use (v6)
/ip service disable telnet,ftp,www,api,api-ssl
# leave winbox + ssh + www-ssl active (Webfig over HTTPS is fine if you use it)

disable-services.rsc (v7):
# disable everything you don't use (v7)
/ip/service disable telnet,ftp,www,api,api-ssl
# leave winbox + ssh + www-ssl active (Webfig over HTTPS is fine if you use it)

3. Restrict by source IP

Same idea as the Winbox / SSH hardening page — bind each surviving service to the addresses you actually manage from. The address= parameter accepts comma-separated CIDRs and individual IPs. Apply it from an address that is inside the list, or the session you are typing in will be the first one cut off.

restrict-services.rsc (v6):
# bind every remaining service to the trusted management addresses (v6)
/ip service set winbox  address=192.0.2.0/24,198.51.100.42
/ip service set ssh     address=192.0.2.0/24,198.51.100.42
/ip service set www-ssl address=192.0.2.0/24,198.51.100.42

restrict-services.rsc (v7):
# bind every remaining service to the trusted management addresses (v7)
/ip/service set winbox  address=192.0.2.0/24,198.51.100.42
/ip/service set ssh     address=192.0.2.0/24,198.51.100.42
/ip/service set www-ssl address=192.0.2.0/24,198.51.100.42

4. Put a real certificate on Webfig

The default www-ssl service uses a self-signed certificate your browser correctly distrusts. Generate or import a real certificate (Let's Encrypt with the DNS-01 challenge works well for routers that are not reachable from the internet on port 80) and bind it to the service. Same syntax on v6 and v7.

webfig-cert.rsc (v6 + v7, same syntax):
# put a real cert on www-ssl (Webfig HTTPS) — v6 + v7 same syntax
/certificate
# create the key pair and certificate template for the router's management name
add name=mtkf-mgmt common-name=router.example.com \
  key-usage=tls-server
# NOTE: "sign" with no ca= produces a self-signed certificate, which browsers still distrust.
# For a CA-issued one, sign against a CA you have imported (sign mtkf-mgmt ca=<your-ca-cert>)
# or skip the add/sign steps and import cert + key with /certificate import file-name=<cert.pem>
sign mtkf-mgmt
/ip service set www-ssl certificate=mtkf-mgmt

5. Turn off the ambient services /ip service doesn't list

Four more reachable surfaces live outside the /ip service table — each one is on by default in stock RouterOS:

  • Bandwidth server (BTest, TCP/UDP 2000) — the target for MikroTik's BTest client when measuring throughput. Anyone on the network can hammer it and force CPU spikes. Disable unless you actively run bandwidth tests against the router.
  • UPnP / IGD — lets LAN clients punch their own holes in your NAT. Convenient for game consoles and gone-bad in equal measure; if you don't know which devices ask for forwards, you don't want this on.
  • HTTP proxy + SOCKS — RouterOS can act as a forward HTTP proxy and as a SOCKS proxy. Almost no homelab uses either, and because neither shows up in the /ip service table they tend to sit there unnoticed.
disable-ambient.rsc (v6):
# (5) disable the four ambient services /ip service doesn't list (v6)
/tool bandwidth-server set enabled=no
/ip upnp set enabled=no
/ip proxy set enabled=no
/ip socks set enabled=no

disable-ambient.rsc (v7):
# (5) disable the four ambient services /ip service doesn't list (v7)
/tool/bandwidth-server set enabled=no
/ip/upnp set enabled=no
/ip/proxy set enabled=no
/ip/socks set enabled=no

6. Turn off /ip cloud (DDNS + remote time)

/ip cloud is MikroTik's free DDNS — it phones home every minute with the router's public IP so a friendly hostname like 123456789ABC.sn.mynetname.net always points at you. Convenient when you've forgotten the IP; bad when an attacker who learns the hostname has a stable target to scan even after your public IP changes. Also worth knowing: cloud's update-time option syncs the router clock to MikroTik's NTP, which leaks router identity on every update.

If you need DDNS for legitimate reasons, update a DNS record you control yourself: a /system scheduler entry that uses /tool fetch to call your DNS provider's API with the current IP keeps the metadata under your control.

ip-cloud.rsc (v6):
# (6) turn off /ip cloud (DDNS + remote-time leak) (v6)
/ip cloud set ddns-enabled=no update-time=no
/ip cloud advanced set use-local-address=no

ip-cloud.rsc (v7):
# (6) turn off /ip cloud (DDNS + remote-time leak) (v7)
/ip/cloud set ddns-enabled=no update-time=no
/ip/cloud/advanced set use-local-address=no
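Once steps 2 to 6 are applied, the quickest way to confirm nothing was missed is to check the router's exported configuration offline rather than eyeballing six print tables. The checker below is an added example, not MikroTik code and not part of this page's scripts. It parses the text of a `/export verbose` dump (fetch it from the router after `/export verbose file=hardening`) and reports each checklist item that is still open. The verbose form matters: plain `/export` omits every setting still at its factory default, so a missing `disabled=yes` line would be ambiguous. The sample dump embedded in the code is constructed and trimmed to the relevant sections, not real router output; the function names and finding wording are my own.

```python
"""Offline check of a RouterOS `/export verbose` dump against steps 2-6 above.

Added example, not MikroTik code. It assumes the dump came from `/export verbose`
(plain `/export` drops settings at factory default, so absent lines are ambiguous).
"""
import re
from typing import Dict, List

# Constructed, trimmed sample of `/export verbose` output for a router that has
# done steps 2-4 but not 5 and 6, and forgot to restrict winbox. Not real output.
SAMPLE_EXPORT = """\
# 2024-01-01 00:00:00 by RouterOS 7.12
# software id = XXXX-XXXX
#
/ip service
set telnet address="" disabled=yes port=23
set ftp address="" disabled=yes port=21
set www address="" disabled=yes port=80
set ssh address=192.0.2.0/24,198.51.100.42 disabled=no port=22
set www-ssl address=192.0.2.0/24,198.51.100.42 \\
    certificate=mtkf-mgmt disabled=no port=443 tls-version=any
set api address="" disabled=yes port=8728
set api-ssl address="" certificate=none disabled=yes port=8729 tls-version=any
set winbox address="" disabled=no port=8291
/tool bandwidth-server
set allocate-udp-ports-from=2000 authenticate=yes enabled=yes max-sessions=100
/ip upnp
set enabled=no show-dummy-rule=yes
/ip proxy
set enabled=no port=8080
/ip socks
set enabled=no port=1080
/ip cloud
set ddns-enabled=yes ddns-update-interval=none update-time=yes
"""

CLEARTEXT = ("telnet", "ftp", "www")        # step 2: always off
AUTOMATION = ("api", "api-ssl")             # step 2: off unless automation needs them
KEEP = ("winbox", "ssh", "www-ssl")         # step 3: stay on, but address-restricted
AMBIENT = ("tool bandwidth-server", "ip upnp", "ip proxy", "ip socks")  # step 5

# key=value tokens: the value is either "quoted" (possibly empty) or a bare word
KV = re.compile(r'([\w-]+)=(?:"([^"]*)"|(\S+))')


def parse_export(text: str) -> Dict[str, Dict[str, Dict[str, str]]]:
    """Return {section: {item_name: {key: value}}}.

    Section headers are normalised to the space-separated form ("ip service"), so
    a v7-style "/ip/service" header parses the same as v6's "/ip service".
    Unnamed `set` lines such as "set enabled=no" are stored under item name "".
    """
    logical: List[str] = []                 # comment/blank lines dropped, "\" wraps joined
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if logical and logical[-1].endswith("\\"):
            logical[-1] = logical[-1][:-1] + " " + line
        else:
            logical.append(line)

    sections: Dict[str, Dict[str, Dict[str, str]]] = {}
    section = None
    for line in logical:
        if line.startswith("/"):
            section = " ".join(line.lstrip("/").replace("/", " ").split())
            sections.setdefault(section, {})
            continue
        verb, _, rest = line.partition(" ")
        if verb != "set" or section is None or not rest:
            continue
        first = rest.split(None, 1)[0]
        name = "" if "=" in first else first   # a bare leading token is the item name
        params = {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
                  for m in KV.finditer(rest)}
        sections[section].setdefault(name, {}).update(params)
    return sections


def audit(text: str) -> List[str]:
    """Return one finding per checklist item that is still open (empty list = clean)."""
    cfg = parse_export(text)
    findings: List[str] = []

    services = cfg.get("ip service", {})
    for svc in CLEARTEXT + AUTOMATION + KEEP:
        p = services.get(svc)
        if p is None:
            findings.append(f"ip service {svc}: not in export (was it /export verbose?)")
        elif p.get("disabled") != "yes":        # service is enabled
            if svc in CLEARTEXT:
                findings.append(f"ip service {svc}: cleartext service enabled, disable it")
            elif svc in AUTOMATION:
                findings.append(f"ip service {svc}: API enabled, disable unless automation needs it")
            else:
                if p.get("address", "") == "":
                    findings.append(f"ip service {svc}: no address= restriction")
                if svc == "www-ssl" and p.get("certificate", "none") in ("", "none"):
                    findings.append("ip service www-ssl: no certificate bound")

    for section in AMBIENT:
        p = cfg.get(section, {}).get("")
        if p is None:
            findings.append(f"{section}: not in export (was it /export verbose?)")
        elif p.get("enabled") != "no":
            findings.append(f"{section}: enabled, set enabled=no")

    cloud = cfg.get("ip cloud", {}).get("")
    if cloud is None:
        findings.append("ip cloud: not in export (was it /export verbose?)")
    else:
        for key in ("ddns-enabled", "update-time"):
            if cloud.get(key) == "yes":
                findings.append(f"ip cloud: {key}=yes, set {key}=no")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_EXPORT):
        print("OPEN:", finding)
```

On the sample dump this reports four open items: winbox with no address restriction, the bandwidth server still enabled, and both cloud options on. The parser only understands `set` lines, which is all these sections use; firewall and interface sections in a full export are skipped harmlessly. Re-run it after every change, since a service you disable today can be re-enabled by a restored backup or a copied script.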

Related

  • Winbox / SSH hardening — applies the same approach specifically to the two big admin surfaces.
  • L2 hardening — the link-layer equivalent (MAC-server, neighbor discovery, DHCP snooping, BPDU Guard).
  • Input chain — defense in depth: even if a service binding leaks, the input-chain catch-all still drops non-LAN traffic.