GUIDE / IP SERVICES

IP services.

RouterOS exposes a fixed list of management services through /ip service. This page explains what each one does so you can make informed decisions about which to leave on. For the rules that lock them down, see services hardening in the firewall section.

The eight services

  • telnet (port 23) — cleartext shell. Disable on principle. RouterOS includes it for legacy reasons; nothing you do today should need it.
  • ftp (port 21) — cleartext file transfer. Used for uploading firmware images / backups. Disable — use SCP via SSH instead.
  • www (port 80) — Webfig over HTTP (cleartext). Disable; use www-ssl below.
  • ssh (port 22) — encrypted shell. Keep on. Restrict by source IP and prefer key-only auth — see Winbox / SSH hardening.
  • www-ssl (port 443) — Webfig over HTTPS. Keep on if you use Webfig. Put a real cert on it (default is self-signed) — see services hardening §4.
  • api (port 8728) — cleartext binary management API. Disable unless an automation tool needs it; prefer api-ssl.
  • api-ssl (port 8729) — TLS-wrapped binary API. Used by tools like librouteros, routeros-api, and MikroTik's own The Dude. Enable only if something is talking to it.
  • winbox (port 8291) — RouterOS's native binary management protocol. Keep on; restrict by source IP and consider moving the port.

Auditing what's on

The print column you care about is the X (disabled) flag. Anything not marked disabled is listening on every interface, and it answers any source unless a chain=input firewall rule or the service's own address= list (see below) stops it.

v6:
/ip service print
v7:
/ip/service print

Most homelab / SOHO routers want this set on:

  • ssh — restricted by source IP, keys only
  • winbox — restricted by source IP, custom port
  • www-ssl — restricted by source IP, real certificate (only if you use Webfig)

Everything else off:

v6:
/ip service disable telnet,ftp,www,api,api-ssl
v7:
/ip/service disable telnet,ftp,www,api,api-ssl

Restricting source IPs

The address= parameter on each service accepts a comma-separated list of networks (address/prefix) and individual IPs. Connections from anywhere else are refused by the service itself: the packet still reaches the router and the port is still open, the service just will not talk to that source. Before you apply it, make sure the address you are connected from is on the list, or do it from Safe Mode (Ctrl-X in the terminal, the Safe Mode button in Winbox) so a dropped session rolls the change back instead of locking you out.

v6:
/ip service set ssh    address=192.0.2.0/24,198.51.100.42 port=22
/ip service set winbox address=192.0.2.0/24,198.51.100.42 port=8291
v7:
/ip/service set ssh    address=192.0.2.0/24,198.51.100.42 port=22
/ip/service set winbox address=192.0.2.0/24,198.51.100.42 port=8291

Two layers are better than one: the /ip service address= list, plus an independent chain=input firewall rule keyed on the same address-list, so the packet is dropped before it ever reaches the service and a mistake in one layer does not expose the management port. See Winbox / SSH hardening for the layered pattern.