Most of the RouterOS administrative tools are configured at

/ip service print

Keep only secure ones,

/ip service disable telnet,ftp,www,api,api-ssl
/ip service print

Also change the default port; this will immediately stop most of the random SSH brute-force login attempts:

/ip service set ssh port=2200
/ip service print

Additionally, each /ip service entry can be restricted by allowed IP address (the address the service will reply to):

/ip service set winbox address=192.168.88.0/24

RouterOS MAC-access

RouterOS has built-in options for easy management access to network devices. These services should be shut down on production networks.

MAC-Telnet

Disable mac-telnet services,

/tool mac-server set allowed-interface-list=none
/tool mac-server print

MAC-Winbox

Disable mac-winbox services,

/tool mac-server mac-winbox set allowed-interface-list=none
/tool mac-server mac-winbox print

MAC-Ping

Disable mac-ping service,

/tool mac-server ping set enabled=no
/tool mac-server ping print

Neighbor Discovery

The MikroTik Neighbor Discovery protocol is used to show and recognize other MikroTik routers in the network. Disable neighbor discovery on all interfaces:

/ip neighbor discovery-settings set discover-interface-list=none

Bandwidth server

Bandwidth server is used to test throughput between two MikroTik routers. Disable it in the production environment.

/tool bandwidth-server set enabled=no

DNS cache

A router might have DNS cache enabled, which decreases resolving time for DNS requests from clients to remote servers. If DNS cache is not required on your router, or another router is used for that purpose, disable it.

/ip dns set allow-remote-requests=no

Other client services

RouterOS might have other services enabled (they are disabled in the default RouterOS configuration). MikroTik caching proxy,

/ip proxy set enabled=no

MikroTik socks proxy,

/ip socks set enabled=no

MikroTik UPNP service,

/ip upnp set enabled=no

MikroTik dynamic name service or IP cloud,

/ip cloud set ddns-enabled=no update-time=no

More Secure SSH access

RouterOS utilizes stronger crypto for SSH, and most newer programs use it. To turn on SSH strong crypto:

/ip ssh set strong-crypto=yes

Router interface

Ethernet/SFP interfaces

It is good practice to disable all unused interfaces on your router, in order to reduce the chance of unauthorized access to your router.

/interface print
/interface set x disabled=yes
  • x: the numbers of the unused interfaces.

LCD

Some RouterBOARDs have an LCD module for informational purposes. Set a PIN or disable it.

/lcd set enabled=no
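
To confirm that the service settings on this page actually took effect, the Python script below checks the text of a router export against them and lists every deviation. It is an added example, not part of the original page or of MikroTik's tooling; the function names and the sample export are constructed for illustration. It assumes a full export (`/export verbose`) in the usual layout of a menu path line followed by `set` lines, so that values left at their defaults are present too.

```python
import re

# Expected (menu, item, key, value), taken from the commands on this page.
EXPECTED = [("/ip service", s, "disabled", "yes")
            for s in ("telnet", "ftp", "www", "api", "api-ssl")] + [
    ("/tool mac-server", None, "allowed-interface-list", "none"),
    ("/tool mac-server mac-winbox", None, "allowed-interface-list", "none"),
    ("/tool mac-server ping", None, "enabled", "no"),
    ("/ip neighbor discovery-settings", None, "discover-interface-list", "none"),
    ("/tool bandwidth-server", None, "enabled", "no"),
    ("/ip dns", None, "allow-remote-requests", "no"),
    ("/ip cloud", None, "ddns-enabled", "no"),
    ("/ip ssh", None, "strong-crypto", "yes"),
] + [(f"/ip {svc}", None, "enabled", "no") for svc in ("proxy", "socks", "upnp")]
PAIR = re.compile(r'([\w-]+)=("(?:[^"\\]|\\.)*"|\S*)')   # key=value or key="quoted value"
ITEM = re.compile(r'set\s+([^\s=]+)(?:\s|$)')            # item name in "set telnet ..."

def parse_export(text):
    """Return {(menu, item): {key: value}} from RouterOS export text."""
    text = re.sub(r"\\\r?\n\s*", "", text)  # join lines wrapped with a trailing backslash
    settings, menu = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("/"):
            menu = line
        elif line.startswith("set ") and menu:
            m = ITEM.match(line)
            pairs = {k: v.strip('"') for k, v in PAIR.findall(line)}
            settings.setdefault((menu, m and m.group(1)), {}).update(pairs)
    return settings

def audit(text):
    """Return (menu, item, key, found) per deviation; found=None: not in the export."""
    settings = parse_export(text)
    def found(menu, item, key):
        return settings.get((menu, item), {}).get(key)
    findings = [(m, i, k, found(m, i, k)) for m, i, k, want in EXPECTED
                if found(m, i, k) != want]
    ssh_port = found("/ip service", "ssh", "port")
    if ssh_port in (None, "22"):  # the page moves SSH off its default port
        findings.append(("/ip service", "ssh", "port", ssh_port))
    return findings

# Constructed sample export (not from a real device); the last entry is wrapped.
SAMPLE = """/ip service
set telnet address="" disabled=yes port=23
set ssh address="" disabled=no port=22
/ip ssh
set forwarding-enabled=no \\
    strong-crypto=yes
"""
```

Call `audit()` on the saved export text. A `found` value of `None` means the setting does not appear in the export at all and should be checked on the router with the matching `print` command.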