Sunday, 28 December 2014

Disabling unwanted or unnecessary services on the MikroTik

In the previous blog we did the basic configuration of the MikroTik with WinBox, using the Quick Set option. All we did was set up the internet connection, configure the SSID and WiFi security, and change the default administrator user and password. But that is not enough if your router is facing the Wild, Wild West of the Internet.

If you run an Nmap port scan against the router, you will see that it has many open ports: 21, 22, 23, 8291, 443 and so on. On my home router I don’t want open ports unless I need them, and even then I limit them to certain IP addresses or even specific MAC addresses.
So in this blog we will “harden” your router by disabling all unwanted services and closing all unneeded ports, so that the various port scanners that constantly probe my router and yours from all over the world will have nothing interesting to see. YES, if you have no way to detect port-scanning attempts against your external IP yet, you will be surprised how often it happens. But that is a topic for another blog, where we will set up the firewall to detect and block port scans.
By default MikroTik has these services enabled (you can find them in WinBox under IP\SERVICES, or just type ip service print in the console):

Most of them are just services for administering the router, except FTP. I only use WinBox for administration, so I set all the others to disabled. If you are a novice user I doubt you will configure it through SSH. All you need to do is hold CTRL, select all the services you don’t need, and then click the red X to disable them. Once a service is disabled, its port is closed. If you have your own FTP server behind the MikroTik, you must disable the FTP service in this list; if you don’t, all FTP requests will go to the MikroTik itself even if your NAT is set up correctly. FTP must be disabled.

After disabling all those services you would think everything is closed. Nope. Port 2000 is still open on the router. That is the port of the BTest Server, found under TOOLS\Btest Server; to close that open UDP port you just need to uncheck the Enabled checkbox.
I always disable the service ports as well, since I don’t use them. You will find them in the IP menu under FIREWALL (Service Ports tab).

If you run another port scan on the router now, you will see only one open port, 8291 for WinBox access.
If you want to sleep tight you need to limit access to that port to specific IP addresses, or just to the internal network. If this is your home router I recommend the second option; if it is a router in a company that you support, you may need to allow some other external IP addresses to access it. But we will talk about that in the next blogs.
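For readers who prefer the console over clicking through WinBox, here is the same hardening procedure (disable the IP services, switch off the BTest Server, disable the firewall service ports, and restrict WinBox to the LAN) as RouterOS commands. This is an added example, not a script from the original post; the 192.168.88.0/24 LAN range is an assumption, so replace it with your own subnet before pasting.

```routeros
# Added example (not from the original post): RouterOS console commands that apply
# the hardening steps described above. Run them from a WinBox "New Terminal"
# (or over SSH, before SSH gets disabled).
# ASSUMPTION: 192.168.88.0/24 is your LAN; change it to your own range.

# 1. Show which management services are listening
#    (defaults: api, api-ssl, ftp, ssh, telnet, winbox, www, www-ssl).
/ip service print

# 2. Keep only WinBox; disabling a service closes its port.
/ip service disable [find name!="winbox"]

# 3. Restrict WinBox (port 8291) to the internal network so it no longer answers
#    from the WAN. Run this from inside the LAN, or you lock yourself out.
/ip service set winbox address=192.168.88.0/24

# 4. The bandwidth-test server (BTest Server) listens on port 2000; switch it off.
/tool bandwidth-server set enabled=no

# 5. Firewall service ports (FTP, TFTP, IRC, H.323, SIP, PPTP helpers): disable all.
/ip firewall service-port disable [find]

# 6. Verify: every service except winbox should carry the "X" (disabled) flag,
#    winbox should show your LAN range in the ADDRESS column, and the bandwidth
#    server and all service ports should be disabled.
/ip service print
/tool bandwidth-server print
/ip firewall service-port print
```

After step 6, a port scan from outside should show nothing open at all, and a scan from inside the LAN should show only 8291. If you later need SSH or the API again, re-enable just that one service and give it an address= restriction the same way as WinBox.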

In the next blog we will take a look at the firewall and its basic configuration, and discuss the basic terminology that MikroTik uses for its rules.

I hope this has been informative to you all. 

May the force be with you all :D

