RouterOS Howto (1) - Part 2
This is Part 2 of the RouterOS Howto for MikroTik hEX S.
Update
Documentation:
- RouterOS manual [EN]
Available RouterOS Update Channels:
- development
- long-term
- stable
- testing
[RouterOS CLI]: Configure the RouterOS Update Channel
/system package update
set channel="stable"
print
[RouterOS CLI]: Check if updates are available. If so, download them
/system package update
check-for-updates
download
[RouterOS CLI]: Reboot to install the updates
/system reboot
[RouterOS CLI]: Verify the boot loader version. If current-firmware != upgrade-firmware, upgrade it
/system routerboard
print
upgrade
[RouterOS CLI]: Reboot to install the boot loader
/system reboot
Disable unused services
Documentation:
- RouterOS manual [EN]
[RouterOS CLI]: Disable all base services except ssh and www-ssl
/ip service
enable "ssh,www-ssl"
disable [find name!="ssh" and name!="www-ssl"]
print
[RouterOS CLI]: Disable additional services
/ip cloud
set ddns-enabled="no" update-time="no"
print
/ip neighbor discovery-settings
set discover-interface-list="none"
print
/ip proxy
set enabled="no"
print
/ip socks
set enabled="no"
print
/ip tftp
remove [find]
print detail
/ip upnp
set enabled="no"
print
/tool bandwidth-server
set enabled="no"
print
/tool mac-server
set allowed-interface-list="none"
print
/tool mac-server mac-winbox
set allowed-interface-list="none"
print
/tool mac-server ping
set enabled="no"
print
/tool romon
set enabled="no"
print
SSH Hardening
Documentation:
- RouterOS manual [EN]
- Man pages [EN]
[UNIX shell]: Define environment
- for tellurium.raysoft.loc
host_name='tellurium'
- for palladium.raysoft.loc
host_name='palladium'
[RouterOS CLI]: Harden the SSH server
/ip ssh
set forwarding-enabled="no" always-allow-password-login="yes" \
strong-crypto="yes" allow-none-crypto="no" host-key-size="2048"
print
[RouterOS CLI]: Generate a new RSA host key for the SSH server (takes time!)
/ip ssh regenerate-host-key
[UNIX shell]: Generate an RSA key pair for the SSH client
ssh-keygen -t 'rsa' -b 2048
[UNIX shell]: Upload the public key id_rsa.pub of that key pair to the router
scp -F '/dev/null' "${HOME}/.ssh/id_rsa.pub" "admin@${host_name}.raysoft.loc:/"
[RouterOS CLI]: Configure the public key id_rsa.pub for the user admin
/user ssh-keys
import user="admin" public-key-file="id_rsa.pub"
print detail
[RouterOS CLI]: Remove unused files
/file
remove [find type="ssh key"]
print detail where type="ssh key"
[RouterOS CLI]: Reboot to activate the SSH server settings
/system reboot
[UNIX shell]: Clean up the list of known SSH servers in the file ~/.ssh/known_hosts
[UNIX shell]: Harden the SSH client in the file ~/.ssh/config
Host 192.168.1.5 192.168.1.6 tellurium tellurium.raysoft.loc palladium palladium.raysoft.loc
User admin
HashKnownHosts yes
KexAlgorithms diffie-hellman-group-exchange-sha256
Ciphers aes256-ctr
MACs hmac-sha2-256
[UNIX shell]: Log in with the user admin using SSH
ssh 'admin@palladium.raysoft.loc'
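The script below is an added example and not part of the original howto. It writes the hardened stanza above to a config file, asks ssh itself (ssh -G, which evaluates the configuration without connecting) which user, key exchange, cipher and MAC it would actually use for the router, and removes the router's old entries from a known_hosts file with ssh-keygen -R, which is what the known_hosts clean-up step needs after the host key was regenerated. The function names, the temporary directory and the throwaway key used to build a sample known_hosts line are constructed for the demo; it assumes an OpenSSH client (ssh and ssh-keygen) on the path.

```shell
#!/usr/bin/env bash
# Added example (not from the original howto): verify that the hardened
# ~/.ssh/config stanza really takes effect, and clean stale router entries
# out of known_hosts after the router's host key was regenerated.
# Assumes an OpenSSH client (ssh -G, ssh-keygen -R / -F).
set -eu

# The stanza from the howto, written verbatim to the given config file.
write_hardened_config() {
  local cfg="$1"
  cat >"$cfg" <<'EOF'
Host 192.168.1.5 192.168.1.6 tellurium tellurium.raysoft.loc palladium palladium.raysoft.loc
    User admin
    HashKnownHosts yes
    KexAlgorithms diffie-hellman-group-exchange-sha256
    Ciphers aes256-ctr
    MACs hmac-sha2-256
EOF
}

# Effective value of one option for a host, as ssh itself resolves it.
# "ssh -G" only evaluates the configuration; it never connects.
effective_option() {
  local cfg="$1" host="$2" key="$3"
  ssh -G -F "$cfg" "$host" </dev/null | awk -v k="$key" '$1 == k { print $2; exit }'
}

# Return 0 only if every hardened option resolves to exactly the expected
# value. A misspelled algorithm name would be rejected by ssh; a misspelled
# option name would silently leave the (weaker) default list in place, and
# this comparison catches that.
check_effective_config() {
  local cfg="$1" host="$2" key expected actual rc=0
  while read -r key expected; do
    actual="$(effective_option "$cfg" "$host" "$key")"
    if [ "$actual" = "$expected" ]; then
      echo "ok   $key = $actual"
    else
      echo "FAIL $key = '$actual' (expected '$expected')"
      rc=1
    fi
  done <<'EOF'
user admin
hashknownhosts yes
kexalgorithms diffie-hellman-group-exchange-sha256
ciphers aes256-ctr
macs hmac-sha2-256
EOF
  return "$rc"
}

# Remove every known_hosts entry for the router, under each name and address
# it is reached by, so the regenerated host key can be accepted afresh instead
# of triggering a "REMOTE HOST IDENTIFICATION HAS CHANGED" error.
forget_router_host_keys() {
  local known_hosts="$1"; shift
  local name
  for name in "$@"; do
    ssh-keygen -q -R "$name" -f "$known_hosts" >/dev/null 2>&1 || true
  done
}

# Number of known_hosts entries still matching a name (0 once cleaned).
known_hosts_matches() {
  local known_hosts="$1" name="$2"
  ssh-keygen -F "$name" -f "$known_hosts" 2>/dev/null | grep -c '^# Host ' || true
}

# Stand-alone demo in a temporary directory: constructed config, and a
# constructed known_hosts line built from a freshly generated throwaway key.
demo() {
  local tmp; tmp="$(mktemp -d)"
  write_hardened_config "$tmp/config"
  check_effective_config "$tmp/config" tellurium.raysoft.loc
  ssh-keygen -q -t ed25519 -N '' -f "$tmp/old_router_key"
  printf 'tellurium,192.168.1.5 %s\n' "$(cat "$tmp/old_router_key.pub")" >"$tmp/known_hosts"
  forget_router_host_keys "$tmp/known_hosts" tellurium 192.168.1.5
  echo "entries left for tellurium: $(known_hosts_matches "$tmp/known_hosts" tellurium)"
  rm -rf "$tmp"
}

if command -v ssh >/dev/null 2>&1 && command -v ssh-keygen >/dev/null 2>&1; then
  demo
else
  echo "OpenSSH client not found; nothing to demonstrate" >&2
fi
```

Run the check against every name in the Host line (both routers, short and fully qualified names, and the addresses), since a name that falls outside the stanza silently gets the default algorithm lists.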
WebGUI Hardening
Documentation:
- RouterOS manual [EN]
[UNIX shell]: Define environment
- for tellurium.raysoft.loc
host_name='tellurium'
- for palladium.raysoft.loc
host_name='palladium'
[RouterOS CLI]: Define environment
- for tellurium.raysoft.loc
:global hostName "tellurium"
- for palladium.raysoft.loc
:global hostName "palladium"
[RouterOS CLI]: Disable the service www-ssl
/ip service disable "www-ssl"
[RouterOS CLI]: Generate a CSR (takes time!)
/certificate
add name="$hostName" common-name="$hostName.raysoft.loc" key-size="2048"
create-certificate-request template="$hostName" \
key-passphrase="************"
print detail
[UNIX shell]: Download the CSR
scp "admin@${host_name}.raysoft.loc:/certificate-request.pem" \
"/Volumes/CA-RaySoft/certs/${host_name}.raysoft.loc.csr.pem"
[Anywhere]: Sign the CSR
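Before the downloaded CSR is signed, the operator of the private CA should confirm that it is the request the router just produced. The script below is an added example, not part of the original howto, and uses only the openssl CLI: it verifies the CSR's self-signature, checks that the CN is the expected FQDN and that the RSA key is at least 2048 bits (the key-size set above), and reports whether a subjectAltName was requested. A CSR created with the /certificate commands above carries only the CN, while current browsers validate the host name against the subjectAltName rather than the CN, so the DNS name has to be added at signing time; the check flags that case. The function names and the throwaway key and CSR generated in a temporary directory are constructed for the demo and stand in for the file downloaded above; the CA's own paths are not touched.

```shell
#!/usr/bin/env bash
# Added example (not from the original howto): sanity-check a CSR received
# from the router before the private CA signs it. Assumes only the openssl CLI.
set -eu

# Subject of the CSR in RFC 2253 form, e.g. "CN=tellurium.raysoft.loc".
csr_subject() {
  openssl req -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject=//'
}

# Common name only.
csr_cn() {
  csr_subject "$1" | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Modulus size of the RSA key the router generated (2048 in the howto).
# Matches both "Public-Key: (2048 bit)" and "RSA Public-Key: (2048 bit)".
csr_key_bits() {
  openssl req -in "$1" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# DNS names requested in a subjectAltName extension, comma separated
# (empty when the CSR requests none, as a CN-only RouterOS request does).
csr_san_dns() {
  openssl req -in "$1" -noout -text \
    | sed -n '/Subject Alternative Name/{n;p;}' \
    | tr -d ' ' | tr ',' '\n' | sed -n 's/^DNS://p' | paste -sd, -
}

# Return 0 only when the self-signature verifies, the CN is the expected FQDN
# and the key is at least min_bits. Prints one line per check.
check_csr() {
  local csr="$1" expected_cn="$2" min_bits="${3:-2048}" rc=0

  # The self-signature proves the requester holds the matching private key.
  if openssl req -in "$csr" -noout -verify >/dev/null 2>&1; then
    echo "ok   self-signature verifies"
  else
    echo "FAIL self-signature does not verify"; rc=1
  fi

  local cn; cn="$(csr_cn "$csr")"
  if [ "$cn" = "$expected_cn" ]; then
    echo "ok   CN = $cn"
  else
    echo "FAIL CN = '$cn' (expected '$expected_cn')"; rc=1
  fi

  local bits; bits="$(csr_key_bits "$csr")"
  if [ -n "$bits" ] && [ "$bits" -ge "$min_bits" ]; then
    echo "ok   RSA key size = $bits bits"
  else
    echo "FAIL RSA key size = '${bits:-unknown}' (minimum $min_bits)"; rc=1
  fi

  local san; san="$(csr_san_dns "$csr")"
  if [ -n "$san" ]; then
    echo "ok   SAN requested: $san"
  else
    echo "note no SAN requested; add DNS:$expected_cn when signing"
  fi
  return "$rc"
}

# Constructed sample: a throwaway key and a CSR shaped like the router's
# (CN only, RSA 2048). Prints the CSR path.
make_sample_csr() {
  local dir="$1" cn="$2" bits="${3:-2048}"
  openssl req -new -newkey "rsa:${bits}" -nodes -keyout "$dir/key.pem" \
    -out "$dir/req.pem" -subj "/CN=${cn}" 2>/dev/null
  echo "$dir/req.pem"
}

if command -v openssl >/dev/null 2>&1; then
  tmp="$(mktemp -d)"
  check_csr "$(make_sample_csr "$tmp" tellurium.raysoft.loc)" tellurium.raysoft.loc
  rm -rf "$tmp"
else
  echo "openssl not found; nothing to demonstrate" >&2
fi
```

On a real request, run check_csr against the downloaded .csr.pem with the router's FQDN as the expected CN and refuse to sign when any line reads FAIL.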
[UNIX shell]: Upload the signed certificate
scp "/Volumes/CA-RaySoft/certs/${host_name}.raysoft.loc.cert.pem" \
"admin@${host_name}.raysoft.loc:/${host_name}.pem"
[RouterOS CLI]: Import the signed certificate & its private key
/certificate
import file-name="$hostName.pem" passphrase=""
import file-name="certificate-request_key.pem" passphrase="************"
print detail
[RouterOS CLI]: Configure & start the service www-ssl
/ip service
set "www-ssl" certificate="$hostName_0" tls-version="only-1.2"
enable "www-ssl"
print detail where name="www-ssl"
[RouterOS CLI]: Remove unused files
/file
remove [find type=".pem file"]
print detail where type=".pem file"
[UNIX shell]: Test the certificate using OpenSSL
openssl s_client -tls1_2 -connect "${host_name}.raysoft.loc:443" <<<'EXIT'
[UNIX shell]: Open the WebGUI using Firefox
open -a 'Firefox' "https://${host_name}.raysoft.loc/"