FIREWALL / WINBOX-SSH

Hardening management access.

Winbox and SSH are the two surfaces that, if reached by an attacker with valid credentials, hand them complete control of the router. The fix is layered: restrict source IPs, change the default port, replace the default admin account, and disable SSH password auth.

⚠ Console access required

Run these from the LAN side, with serial-console fallback ready. The source-IP restriction below will lock you out the second you apply it from the wrong address.

1. Restrict by source IP

Maintain an address-list of the IPs you actually use to manage the router (office subnet, home VPN exit, on-call laptop's static). Two layers enforce it:

  • /ip service — RouterOS's per-service allow-list. This is the cleanest control because it works before the firewall.
  • A redundant chain=input firewall rule using the same address-list. This catches anything that bypasses /ip service (rare but cheap to defend against).
winbox-ssh-restrict.rsc v6 16 lines · 577 bytes
# restrict Winbox + SSH to a trusted source list (v6)
/ip firewall address-list
add list=mtkf-mgmt-trusted address=192.0.2.0/24 \
  comment="mtkf: trusted office subnet"
add list=mtkf-mgmt-trusted address=198.51.100.42 \
  comment="mtkf: home VPN exit"

/ip service
set winbox address=192.0.2.0/24,198.51.100.42 port=8291
set ssh    address=192.0.2.0/24,198.51.100.42 port=22

/ip firewall filter
add chain=input action=drop protocol=tcp dst-port=22,8291 \
  src-address-list=!mtkf-mgmt-trusted \
  place-before=0 \
  comment="mtkf: drop mgmt from anywhere not in trusted list"
winbox-ssh-restrict.rsc v7 16 lines · 577 bytes
# restrict Winbox + SSH to a trusted source list (v7)
/ip/firewall/address-list
add list=mtkf-mgmt-trusted address=192.0.2.0/24 \
  comment="mtkf: trusted office subnet"
add list=mtkf-mgmt-trusted address=198.51.100.42 \
  comment="mtkf: home VPN exit"

/ip/service
set winbox address=192.0.2.0/24,198.51.100.42 port=8291
set ssh    address=192.0.2.0/24,198.51.100.42 port=22

/ip/firewall/filter
add chain=input action=drop protocol=tcp dst-port=22,8291 \
  src-address-list=!mtkf-mgmt-trusted \
  place-before=0 \
  comment="mtkf: drop mgmt from anywhere not in trusted list"

2. Move Winbox off the default port

Doesn't add real security — anyone with a port scanner finds the new port in seconds — but it cuts the noise floor by an order of magnitude. Default 8291 attracts constant background traffic; an arbitrary high port doesn't. SSH stays on 22 because changing it breaks more tools than it helps.

v6 2 lines · 73 bytes
# move Winbox off the default port (v6)
/ip service set winbox port=18291
v7 2 lines · 73 bytes
# move Winbox off the default port (v7)
/ip/service set winbox port=18291

3. Replace the default admin account

The default admin account is the first thing every credential- spraying scanner tries. Make a new full-rights user with a long random password, verify you can log in as that user, then disable admin. Don't delete it (RouterOS uses it for some internal flows); disabling is enough.

new-admin.rsc 10 lines · 354 bytes
# (1) make a new admin user with a strong password
/user
add name=ops group=full password="<long-random-string>" \
  comment="mtkf: replacement for default admin"

# (2) verify you can log in as the new user before disabling admin
# (use a separate Winbox session — DON'T close your current one yet)

# (3) disable the default admin
/user disable admin

4. SSH: keys only, no passwords

Once you can SSH in with a key, kill password authentication. Same syntax on v6 and v7. Generate the key on your client (ssh-keygen -t ed25519) and import the .pub half here.

ssh-keys.rsc 8 lines · 398 bytes
# disable SSH password auth, accept keys only (v6 + v7 — same syntax)
/ip ssh set always-allow-password-login=no
/user ssh-keys import public-key-file=ops.pub user=ops

# while we're here: turn on strong-crypto. Disables MD5/NULL/SHA-1
# ciphers and forces 256/192-bit encryption + 2048-bit DH groups.
# Default-off on older RouterOS; default-on from RouterOS 7.16+.
/ip ssh set strong-crypto=yes
  • Services hardening — same approach for the other IP services (Webfig, API, FTP, Telnet).
  • Input chain — the catch-all drop rule there picks up anything that slips past the explicit checks here.