Securing the MikroTik RouterBOARD RB751G-2HnD (or any RouterOS device) – the bare minimum

Before you do anything else with the MikroTik RouterBOARD RB751G-2HnD (or, I would guess, any other device running RouterOS with its default configuration), you should configure a bare minimum of security features.

Set a password

The first thing to do is to change the password of the default user “admin”. Once logged in, you can do this in (at least) two ways: either by setting it directly:

[admin@MikroTik] > user set admin password=somegoodpassword

Or by using the “password” utility to set the password interactively:

[admin@MikroTik] > password
old password: ********
new password: ********
retype new password: ********

Basic wireless security

The default configuration is a completely open wireless network, with the ESSID “MikroTik”:

[admin@MikroTik] > interface wireless print 
Flags: X - disabled, R - running 
 0    name="wlan1" mtu=1500 mac-address=00:0C:42:FC:B9:2B arp=enabled interface-type=Atheros 11N mode=ap-bridge 
      ssid="MikroTik" frequency=2412 band=2ghz-b/g/n channel-width=20/40mhz-ht-above scan-list=default 
      wireless-protocol=any antenna-mode=ant-a wds-mode=disabled wds-default-bridge=none wds-ignore-ssid=no 
      bridge-mode=enabled default-authentication=yes default-forwarding=yes default-ap-tx-limit=0 
      default-client-tx-limit=0 hide-ssid=no security-profile=default compression=no 

The first thing we need to do is to configure some wireless security. I chose WPA2-PSK (pre-shared key) because it is easy and simple to set up, and also simple and quick to configure on clients. Here is how you configure it. First take a look at the current wireless security profile. Notice the “0” at the start of the entry: this number is used later, when configuring the profile, to identify it:

[admin@MikroTik] > interface wireless security-profiles print
0 name="default" mode=none authentication-types="" unicast-ciphers="" group-ciphers="" wpa-pre-shared-key="" 
   wpa2-pre-shared-key="" supplicant-identity="MikroTik" eap-methods=passthrough tls-mode=no-certificates 
   tls-certificate=none static-algo-0=none static-key-0="" static-algo-1=none static-key-1="" static-algo-2=none 
   static-key-2="" static-algo-3=none static-key-3="" static-transmit-key=key-0 static-sta-private-algo=none 
   static-sta-private-key="" radius-mac-authentication=no radius-mac-accounting=no radius-eap-accounting=no 
   interim-update=0s radius-mac-format=XX:XX:XX:XX:XX:XX radius-mac-mode=as-username radius-mac-caching=disabled 
   group-key-update=5m management-protection=disabled management-protection-key="" 

You can set each parameter separately, or all that we want to change at once, in one line. Let’s do it by setting them all at once:

[admin@MikroTik] > interface wireless security-profiles set mode=dynamic-keys authentication-types=wpa2-psk unicast-ciphers=aes-ccm group-ciphers=aes-ccm  wpa2-pre-shared-key=longrandomlycreatedkey numbers=0

Notice the “numbers=0” at the end: it means that we are setting the parameters of entry number “0”, the first and default wireless security profile. The “wpa2-pre-shared-key” value “longrandomlycreatedkey” is of course only an example. Come up with a long, strong and secure key, and if you write it down, on paper or in a file on a removable storage medium, keep it locked away.

Let’s check the configuration we applied:

[admin@MikroTik] > interface wireless security-profiles print 
 0 name="default" mode=dynamic-keys authentication-types=wpa2-psk unicast-ciphers=aes-ccm group-ciphers=aes-ccm 
   wpa-pre-shared-key="" wpa2-pre-shared-key="longrandomlycreatedkey" supplicant-identity="MikroTik" 
   eap-methods=passthrough tls-mode=no-certificates tls-certificate=none static-algo-0=none static-key-0="" 
   static-algo-1=none static-key-1="" static-algo-2=none static-key-2="" static-algo-3=none static-key-3="" 
   static-transmit-key=key-0 static-sta-private-algo=none static-sta-private-key="" radius-mac-authentication=no 
   radius-mac-accounting=no radius-eap-accounting=no interim-update=0s radius-mac-format=XX:XX:XX:XX:XX:XX 
   radius-mac-mode=as-username radius-mac-caching=disabled group-key-update=5m management-protection=disabled 
   management-protection-key=""

The Security Profiles properties are documented further in the manual.

Disable unnecessary services

There are some services started and running by default:

[admin@MikroTik] > ip service print detail 
Flags: X - disabled, I - invalid 
 0   name="telnet" port=23 

 1   name="ftp" port=21 

 2   name="www" port=80 

 3   name="ssh" port=22 

 4 X name="www-ssl" port=443 certificate=none 

 5 X name="api" port=8728 

 6   name="winbox" port=8291 

SSH is enabled by default, and SFTP works nicely over it, so we do not need telnetd or the FTP server running. Let’s disable them.
Disable the telnet server:

[admin@MikroTik] > ip service disable telnet

Disable the ftp-server:

[admin@MikroTik] > ip service disable ftp

We are also not going to use the Winbox utility, so we disable that service:

[admin@MikroTik] > ip service disable winbox

If you were paying attention and used TAB as you should, you have noticed that the CLI lets you do as many things as you like on one line, as long as you separate the commands with a semicolon, “;”. The above could have been accomplished with a line like:

[admin@MikroTik] > ip service disable telnet ; ip service disable ftp ; ip service disable winbox

If you remember from the previous post, there is also a bandwidth testing server listening on port 2000 which is not listed under the IP services. Let’s disable that too:

[admin@MikroTik] > tool bandwidth-server set enabled=no
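To check that the wireless security profile and the IP services really ended up in the state described in the two sections above, here is a small audit script. It is an added example, not part of the original post or of RouterOS: it parses the text of `interface wireless security-profiles print` and `ip service print detail` (copied from an SSH session) and reports anything that still differs from the hardened settings. The sample listings embedded in it are constructed from the post’s own output, the set of services to disable (telnet, ftp, winbox) is the one the post chooses, and the 20-character minimum for the passphrase is this example’s own assumption.

```python
"""Audit RouterOS `print` output against the bare-minimum settings in this post.

Added example: parses the text of `interface wireless security-profiles print`
and `ip service print detail` and reports anything that still differs from the
hardened state.  The sample listings below are constructed from the post.
"""
import re

# Constructed samples: the default and the hardened state of each listing.
DEFAULT_SERVICES = """Flags: X - disabled, I - invalid
 0   name="telnet" port=23
 1   name="ftp" port=21
 2   name="www" port=80
 3   name="ssh" port=22
 4 X name="www-ssl" port=443 certificate=none
 5 X name="api" port=8728
 6   name="winbox" port=8291
"""
HARDENED_SERVICES = (DEFAULT_SERVICES.replace(" 0   ", " 0 X ")
                     .replace(" 1   ", " 1 X ").replace(" 6   ", " 6 X "))
DEFAULT_PROFILE = """ 0 name="default" mode=none authentication-types="" unicast-ciphers="" group-ciphers="" wpa-pre-shared-key=""
   wpa2-pre-shared-key="" supplicant-identity="MikroTik" eap-methods=passthrough tls-mode=no-certificates
"""
HARDENED_PROFILE = """ 0 name="default" mode=dynamic-keys authentication-types=wpa2-psk unicast-ciphers=aes-ccm group-ciphers=aes-ccm
   wpa-pre-shared-key="" wpa2-pre-shared-key="longrandomlycreatedkey" supplicant-identity="MikroTik"
"""

ITEM_RE = re.compile(r"^\s*(\d+)\s+([A-Z ]*?)\s*(?=[\w-]+=)")  # "<n> [flags] key=..."
KV_RE = re.compile(r'([\w-]+)=("[^"]*"|\S*)')                  # key=value or key="value"


def parse_print(text):
    """Turn `print` output into a list of dicts, one per numbered item.

    A line starting with a number opens a new item (single-letter flags such
    as X land in item["flags"]); indented lines continue the previous item.
    """
    items = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("Flags:"):
            continue
        m = ITEM_RE.match(line)
        if m:
            items.append({"id": int(m.group(1)), "flags": set(m.group(2).split())})
            line = line[m.end():]
        elif not items:
            continue  # continuation text before any item: ignore
        for key, val in KV_RE.findall(line):
            items[-1][key] = val.strip('"')
    return items


# Services the post switches off; ssh stays on because it also gives us SFTP.
SHOULD_BE_DISABLED = {"telnet", "ftp", "winbox"}


def audit_services(text):
    """Names of services that should be off but are still enabled (no X flag)."""
    return [
        f'service {svc["name"]} (port {svc.get("port", "?")}) is still enabled'
        for svc in parse_print(text)
        if svc.get("name") in SHOULD_BE_DISABLED and "X" not in svc["flags"]
    ]


def audit_profile(text, min_psk_len=20):
    """Findings for every wireless security profile that is not WPA2-PSK/AES-CCM.

    min_psk_len is this example's own threshold for a "long" passphrase; the
    8..63 range is the WPA2 passphrase limit.
    """
    findings = []
    for prof in parse_print(text):
        name = prof.get("name", "?")
        if prof.get("mode") != "dynamic-keys":
            findings.append(f"profile {name}: mode={prof.get('mode')!r}, expected dynamic-keys")
        if prof.get("authentication-types") != "wpa2-psk":
            findings.append(f"profile {name}: authentication-types="
                            f"{prof.get('authentication-types')!r}, expected wpa2-psk")
        for field in ("unicast-ciphers", "group-ciphers"):
            if prof.get(field) != "aes-ccm":
                findings.append(f"profile {name}: {field}={prof.get(field)!r}, expected aes-ccm")
        psk = prof.get("wpa2-pre-shared-key", "")
        if not 8 <= len(psk) <= 63:
            findings.append(f"profile {name}: passphrase length {len(psk)} is outside the valid 8-63 range")
        elif len(psk) < min_psk_len:
            findings.append(f"profile {name}: passphrase is only {len(psk)} characters")
    return findings


if __name__ == "__main__":
    for label, text, fn in (("default services", DEFAULT_SERVICES, audit_services),
                            ("hardened services", HARDENED_SERVICES, audit_services),
                            ("default profile", DEFAULT_PROFILE, audit_profile),
                            ("hardened profile", HARDENED_PROFILE, audit_profile)):
        print(f"{label}: {fn(text) or ['ok']}")
```

Run it against the real output by pasting the two listings into the string constants, or by reading them from files saved from the SSH session; an empty list of findings means the device matches the state this post ends up with, and anything else names the exact parameter that still needs attention.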

Test and confirm

Check which services are running now:

[admin@MikroTik] > ip service print detail     
Flags: X - disabled, I - invalid 
 0 X name="telnet" port=23 

 1 X name="ftp" port=21 

 2   name="www" port=80 

 3   name="ssh" port=22 

 4 X name="www-ssl" port=443 certificate=none 

 5 X name="api" port=8728 

 6 X name="winbox" port=8291 

and:

[admin@MikroTik] > tool bandwidth-server print 
                  enabled: no
             authenticate: yes
  allocate-udp-ports-from: 2000
             max-sessions: 100

Alright, that looks the way we want it. Let’s confirm from the outside:

root@messtent:~# nmap -A -p0-65535 192.168.88.1 

Starting Nmap 5.00 ( http://nmap.org ) at 2012-03-26 05:42 CEST
Interesting ports on 192.168.88.1:
Not shown: 65533 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     (protocol 2.0)
|_ ssh-hostkey: 1024 [...] (DSA)
53/tcp open  domain?
80/tcp open  http?
|  robots.txt: has 1 disallowed entry 
|_ /
|_ html-title: RouterOS router configuration page
[...]

Nice, the services are really stopped.

Testing wireless

root@messtent:~# iwconfig wlan0 ; ifconfig wlan0 ; wpa_cli status ; echo ; ping -f -c 10000 -s 1500 192.168.88.1
wlan0     IEEE 802.11abgn  ESSID:"MikroTik"  
          Mode:Managed  Frequency:2.412 GHz  Access Point: 00:0C:42:[...]   
          Bit Rate=150 Mb/s   Tx-Power=15 dBm   
          Retry  long limit:7   RTS thr:off   Fragment thr:off
          Encryption key:off
          Power Management:off
          Link Quality=70/70  Signal level=-8 dBm  
          Rx invalid nwid:0  Rx invalid crypt:0  Rx invalid frag:0
          Tx excessive retries:0  Invalid misc:0   Missed beacon:0

wlan0     Link encap:Ethernet  HWaddr 00:21:5d:[...]  
          inet addr:192.168.88.252  Bcast:192.168.88.255  Mask:255.255.255.0
          inet6 addr: fe80::221:5d[...]/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:7371256 errors:0 dropped:0 overruns:0 frame:0
          TX packets:10303519 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:3847289761 (3.5 GiB)  TX bytes:11677149925 (10.8 GiB)

Selected interface 'wlan0'
bssid=00:0c:42:[...]
ssid=MikroTik
id=0
pairwise_cipher=CCMP
group_cipher=CCMP
key_mgmt=WPA2-PSK
wpa_state=COMPLETED
ip_address=192.168.88.252

PING 192.168.88.1 (192.168.88.1) 1500(1528) bytes of data.
  
--- 192.168.88.1 ping statistics ---
10000 packets transmitted, 10000 received, 0% packet loss, time 27908ms
rtt min/avg/max/mdev = 2.280/2.686/22.347/0.868 ms, pipe 2, ipg/ewma 2.791/2.788 ms

Our wireless security profile works (WPA2-PSK with CCMP on both pairwise and group cipher), and traffic flows, quite well too.

Configuration backup

To export the current configuration (with all keys in cleartext):

[admin@MikroTik] > export file=secured_default

Note, however, that users and their passwords are not saved by the export above. They are saved in the binary configuration backup:

[admin@MikroTik] > system backup save name=secured_default_bin
[admin@MikroTik] > file print 
 # NAME                                TYPE                                                     SIZE CREATION-TIME       
 0 skins                               directory                                                     jan/01/1970 00:00:53
 1 auto-before-reset.backup            backup                                                 13 178 jan/02/1970 00:00:55
 2 secured_default.rsc                 script                                                 17 695 jan/03/1970 04:43:25
 3 secured_default_bin.backup          backup                                                 21 143 jan/03/1970 04:44:06

Download the files to your computer and examine them. Keep them safe because they contain your keys and passwords.

root@messtent:~/mikrotik# sftp admin@192.168.88.1
admin@192.168.88.1's password: 
Connected to 192.168.88.1.
sftp> ls
auto-before-reset.backup      secured_default.rsc           secured_default_bin.backup    skins                         
sftp> get *.*
Fetching /auto-before-reset.backup to auto-before-reset.backup
/auto-before-reset.backup                                                               100%   13KB  12.9KB/s   00:00    
Fetching /secured_default.rsc to secured_default.rsc
/secured_default.rsc                                                                    100%   17KB  17.3KB/s   00:00    
Fetching /secured_default_bin.backup to secured_default_bin.backup
/secured_default_bin.backup                                                             100%   21KB  20.7KB/s   00:00    
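Because the exported .rsc file carries the wireless key in cleartext, it is worth scrubbing a copy before it goes anywhere other than your own safe storage (a ticket, a forum post, a shared drive). The following is an added example, not part of the original post or of RouterOS: it finds and redacts the values of the secret-bearing parameters in an export. The list of parameter names and the sample export are constructed for this example from the settings used in the post.

```python
"""Redact secrets from a RouterOS `export` (.rsc) file before sharing it.

Added example, not part of the post: the export contains keys in cleartext,
so this strips them before a copy leaves your machine.  The key names and
the sample export below are constructed from the settings used in the post.
"""
import re

# Parameters whose values hold secrets; extend this tuple for your own setup.
SECRET_KEYS = ("wpa-pre-shared-key", "wpa2-pre-shared-key",
               "management-protection-key", "password", "secret")
# key=value or key="value", with the key not glued to a longer parameter name
SECRET_RE = re.compile(
    r"(?<![\w-])(" + "|".join(re.escape(k) for k in SECRET_KEYS) + r')=("[^"]*"|\S+)'
)


def find_secrets(text):
    """Return (key, value) for every non-empty secret in the export."""
    found = []
    for m in SECRET_RE.finditer(text):
        val = m.group(2).strip('"')
        if val:
            found.append((m.group(1), val))
    return found


def redact_export(text, placeholder="REDACTED"):
    """Replace every non-empty secret value with the placeholder."""
    def sub(m):
        if m.group(2).strip('"') == "":
            return m.group(0)  # keep empty values so the line still imports
        return f'{m.group(1)}="{placeholder}"'
    return SECRET_RE.sub(sub, text)


SAMPLE_RSC = """# constructed sample in the style of `export file=secured_default`
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk group-ciphers=aes-ccm \\
    mode=dynamic-keys unicast-ciphers=aes-ccm wpa-pre-shared-key="" \\
    wpa2-pre-shared-key=longrandomlycreatedkey
/ip service
set telnet disabled=yes
set ftp disabled=yes
set winbox disabled=yes
"""

if __name__ == "__main__":
    print("secrets found:", find_secrets(SAMPLE_RSC))
    print(redact_export(SAMPLE_RSC))
```

Redact a file on disk with `redact_export(open("secured_default.rsc").read())` and write the result to a new file; keep the unredacted original only in the locked-away place the post recommends for the key itself. The binary .backup is a different format and cannot be scrubbed this way, so treat it as a secret in its entirety.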


I hope this has been informative, and I would like to thank You for reading. Feel free to comment.

One Reply to “Securing the MikroTik RouterBOARD RB751G-2HnD (or any RouterOS device) – the bare minimum”

  1. Great post! Do you check the performance of CPU and memory? Seems like this can be the weak point of this device…
