FIREWALL / WINBOX-SSH
Hardening management access.
Winbox and SSH are the two surfaces that, if reached by an attacker with valid credentials, hand them complete control of the router. The fix is layered: restrict source IPs, change the default port, replace the default admin account, and disable SSH password auth.
⚠ Console access required
Run these from the LAN side, with serial-console fallback ready. The source-IP restriction below will lock you out the second you apply it from the wrong address.
1. Restrict by source IP
Maintain an address-list of the IPs you actually use to manage the router (office subnet, home VPN exit, on-call laptop's static). Two layers enforce it:
-
/ip service— RouterOS's per-service allow-list. This is the cleanest control because it works before the firewall. -
A redundant
chain=inputfirewall rule using the same address-list. This catches anything that bypasses/ip service(rare but cheap to defend against).
# restrict Winbox + SSH to a trusted source list (v6)
/ip firewall address-list
add list=mtkf-mgmt-trusted address=192.0.2.0/24 \
comment="mtkf: trusted office subnet"
add list=mtkf-mgmt-trusted address=198.51.100.42 \
comment="mtkf: home VPN exit"
/ip service
set winbox address=192.0.2.0/24,198.51.100.42 port=8291
set ssh address=192.0.2.0/24,198.51.100.42 port=22
/ip firewall filter
add chain=input action=drop protocol=tcp dst-port=22,8291 \
src-address-list=!mtkf-mgmt-trusted \
place-before=0 \
comment="mtkf: drop mgmt from anywhere not in trusted list" # restrict Winbox + SSH to a trusted source list (v7)
/ip/firewall/address-list
add list=mtkf-mgmt-trusted address=192.0.2.0/24 \
comment="mtkf: trusted office subnet"
add list=mtkf-mgmt-trusted address=198.51.100.42 \
comment="mtkf: home VPN exit"
/ip/service
set winbox address=192.0.2.0/24,198.51.100.42 port=8291
set ssh address=192.0.2.0/24,198.51.100.42 port=22
/ip/firewall/filter
add chain=input action=drop protocol=tcp dst-port=22,8291 \
src-address-list=!mtkf-mgmt-trusted \
place-before=0 \
comment="mtkf: drop mgmt from anywhere not in trusted list" 2. Move Winbox off the default port
Doesn't add real security — anyone with a port scanner finds the new port in seconds — but it cuts the noise floor by an order of magnitude. Default 8291 attracts constant background traffic; an arbitrary high port doesn't. SSH stays on 22 because changing it breaks more tools than it helps.
# move Winbox off the default port (v6)
/ip service set winbox port=18291 # move Winbox off the default port (v7)
/ip/service set winbox port=18291 3. Replace the default admin account
The default admin account is the first thing every credential-
spraying scanner tries. Make a new full-rights user with a long random
password, verify you can log in as that user, then disable
admin. Don't delete it (RouterOS uses it for some internal
flows); disabling is enough.
# (1) make a new admin user with a strong password
/user
add name=ops group=full password="<long-random-string>" \
comment="mtkf: replacement for default admin"
# (2) verify you can log in as the new user before disabling admin
# (use a separate Winbox session — DON'T close your current one yet)
# (3) disable the default admin
/user disable admin 4. SSH: keys only, no passwords
Once you can SSH in with a key, kill password authentication. Same syntax
on v6 and v7. Generate the key on your client (ssh-keygen -t ed25519)
and import the .pub half here.
# disable SSH password auth, accept keys only (v6 + v7 — same syntax)
/ip ssh set always-allow-password-login=no
/user ssh-keys import public-key-file=ops.pub user=ops
# while we're here: turn on strong-crypto. Disables MD5/NULL/SHA-1
# ciphers and forces 256/192-bit encryption + 2048-bit DH groups.
# Default-off on older RouterOS; default-on from RouterOS 7.16+.
/ip ssh set strong-crypto=yes Related
- Services hardening — same approach for the other IP services (Webfig, API, FTP, Telnet).
- Input chain — the catch-all drop rule there picks up anything that slips past the explicit checks here.