IP services.
RouterOS exposes a fixed list of management services through /ip service. This page explains what each one does so you can make informed decisions about which to leave on. For the rules that lock them down, see services hardening in the firewall section.
The eight services
- telnet (port 23) — cleartext shell. Disable on principle. RouterOS includes it for legacy reasons; nothing you do today should need it.
- ftp (port 21) — cleartext file transfer. Used for uploading firmware images / backups. Disable — use SCP via SSH instead.
- www (port 80) — Webfig over HTTP (cleartext). Disable; use www-ssl below.
- ssh (port 22) — encrypted shell. Keep on. Restrict by source IP and prefer key-only auth — see Winbox / SSH hardening.
- www-ssl (port 443) — Webfig over HTTPS. Keep on if you use Webfig. Put a real cert on it (default is self-signed) — see services hardening §4.
- api (port 8728) — cleartext binary management API. Disable unless an automation tool needs it; prefer api-ssl.
- api-ssl (port 8729) — TLS-wrapped binary API. Used by tools like librouteros, routeros-api, and MikroTik's own The Dude. Enable only if something is talking to it.
- winbox (port 8291) — RouterOS's native binary management protocol. Keep on; restrict by source IP and consider moving the port.
Auditing what's on
The print column you care about is the X (disabled) flag. Anything not marked disabled is reachable from any interface that doesn't have a firewall rule blocking it.
/ip service print (RouterOS v6 syntax)
/ip/service print (RouterOS v7 syntax)
Recommended baseline
Most homelab / SOHO routers want this set on:
- ssh — restricted by source IP, keys only
- winbox — restricted by source IP, custom port
- www-ssl — restricted by source IP, real certificate (only if you use Webfig)
Everything else off:
/ip service disable telnet,ftp,www,api,api-ssl (RouterOS v6 syntax)
/ip/service disable telnet,ftp,www,api,api-ssl (RouterOS v7 syntax)
Restricting source IPs
The address= parameter on each service accepts a comma-separated list of CIDRs and individual IPs. Anything not on the list is silently refused: the connection attempt reaches the router but never gets a response.
RouterOS v6 syntax:
/ip service set ssh address=192.0.2.0/24,198.51.100.42 port=22
/ip service set winbox address=192.0.2.0/24,198.51.100.42 port=8291
RouterOS v7 syntax:
/ip/service set ssh address=192.0.2.0/24,198.51.100.42 port=22
/ip/service set winbox address=192.0.2.0/24,198.51.100.42 port=8291
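To make the audit in "Auditing what's on" and the baseline above repeatable across a fleet, the following script parses a saved /ip service print listing, flags services that are enabled but should be off, flags ssh / winbox / www-ssl left without an address= restriction (or restricted to 0.0.0.0/0, which restricts nothing), and emits the matching v7 remediation commands. This is an added example written for this guide, not MikroTik code; the listing embedded in it is constructed for the example, the exact column layout of print output varies between RouterOS versions (the parser keys on the number / flag / name / port tokens rather than column positions), and the <MGMT-NET/PREFIX> value is a placeholder for your own management subnet.

```python
"""Audit a saved '/ip service print' listing against the baseline on this page.

Added example for this guide (not MikroTik code). The sample listing is
constructed; real output differs in column widths, so rows are matched by
their leading tokens: index, optional X/I flag, name, port, then the rest.
"""
import ipaddress
import re

# Services this page says to disable outright (cleartext or rarely needed).
DISABLE_BY_DEFAULT = {"telnet", "ftp", "www", "api", "api-ssl"}
# Services that may stay on, but only with a source-address restriction.
RESTRICT_REQUIRED = {"ssh", "winbox", "www-ssl"}

# Constructed sample of '/ip service print' output (not captured from a device).
SAMPLE_LISTING = """\
Flags: X - disabled, I - invalid
 #   NAME     PORT  ADDRESS                        CERTIFICATE
 0   telnet   23
 1 X ftp      21
 2   www      80
 3   ssh      22    192.0.2.0/24,198.51.100.42
 4   www-ssl  443                                  none
 5   api      8728
 6   winbox   8291  192.0.2.0/24
 7 X api-ssl  8729                                 none
"""

# index, optional flags (X disabled / I invalid), name, port, remainder
ROW = re.compile(r"^\s*(\d+)\s+([XI]*)\s*(\S+)\s+(\d+)(.*)$")


def parse_listing(text):
    """Return one dict per service row: name, port, disabled, address (networks)."""
    services = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header, flags legend, blank line
        _, flags, name, port, rest = m.groups()
        address = []
        for token in rest.split():
            try:
                # address= is a comma-separated list of CIDRs / single IPs
                address = [ipaddress.ip_network(a, strict=False) for a in token.split(",")]
            except ValueError:
                pass  # certificate name or other non-address column
        services.append({"name": name, "port": int(port),
                         "disabled": "X" in flags, "address": address})
    return services


def audit(services):
    """Return (service, reason) pairs for every deviation from the baseline."""
    findings = []
    for svc in services:
        if svc["disabled"]:
            continue  # the X flag is the only thing that takes a service off the wire
        name = svc["name"]
        if name in DISABLE_BY_DEFAULT:
            findings.append((name, "enabled but should be disabled"))
        elif name in RESTRICT_REQUIRED:
            if not svc["address"]:
                findings.append((name, "enabled with no address= restriction"))
            elif any(net.prefixlen == 0 for net in svc["address"]):
                findings.append((name, "address= includes 0.0.0.0/0, which restricts nothing"))
    return findings


def remediation_commands(findings, mgmt_net="<MGMT-NET/PREFIX>"):
    """Turn findings into RouterOS v7 commands; mgmt_net is a placeholder to fill in."""
    cmds = []
    to_disable = [name for name, why in findings if "should be disabled" in why]
    if to_disable:
        cmds.append("/ip/service disable " + ",".join(to_disable))
    for name, why in findings:
        if "address=" in why:
            cmds.append(f"/ip/service set {name} address={mgmt_net}")
    return cmds


if __name__ == "__main__":
    found = audit(parse_listing(SAMPLE_LISTING))
    for name, why in found:
        print(f"{name}: {why}")
    print("\n".join(remediation_commands(found)))
```

Feed it the output of /ip service print captured over SSH from each router and diff the findings against an expected-empty result in a scheduled job; a service quietly re-enabled after a firmware reset or a Webfig session shows up as a new finding rather than waiting for the next manual review.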
Two layers are better than one — the /ip service binding plus a redundant chain=input firewall rule using an address-list. See Winbox / SSH hardening for the layered pattern.