RouterOS Howto (1) - Part 2

From RaySoft

This is Part 2 of the RouterOS Howto for MikroTik hEX S.

Update

Documentation:

Available RouterOS Update Channels:

  • development
  • long-term
  • stable
  • testing

[RouterOS CLI]: Configure the RouterOS Update Channel

/system package update
    set channel="stable"
    print

[RouterOS CLI]: Check if updates are available. If so, download them

/system package update
    check-for-updates
    download

[RouterOS CLI]: Reboot to install the updates

/system reboot

[RouterOS CLI]: Verify the boot loader version. If current-firmware != upgrade-firmware, upgrade it

/system routerboard
    print
    upgrade

[RouterOS CLI]: Reboot to install the boot loader

/system reboot

Disable unused services

Documentation:

[RouterOS CLI]: Disable all base services except ssh and www-ssl

/ip service
    enable "ssh,www-ssl"
    disable [find name!="ssh" and name!="www-ssl"]
    print

[RouterOS CLI]: Disable additional services

/ip cloud
    set ddns-enabled="no" update-time="no"
    print

/ip neighbor discovery-settings
    set discover-interface-list="none"
    print

/ip proxy
    set enabled="no"
    print

/ip socks
    set enabled="no"
    print

/ip tftp
    remove [find]
    print detail

/ip upnp
    set enabled="no"
    print

/tool bandwidth-server
    set enabled="no"
    print

/tool mac-server
    set allowed-interface-list="none"
    print

/tool mac-server mac-winbox
    set allowed-interface-list="none"
    print

/tool mac-server ping
    set enabled="no"
    print

/tool romon
    set enabled="no"
    print
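[UNIX shell]: Audit which services are still enabled (added example, not part of the original howto). After the steps above only ssh and www-ssl should remain enabled; this script reads the output of "/ip service print" and reports every enabled service that is not on the allow-list, so configuration drift is caught on a re-check. The sample output embedded below is constructed; fetch the real one with `ssh "admin@${host_name}.raysoft.loc" '/ip service print' > services.txt` and run `audit_services < services.txt`.

```shell
#!/bin/sh
# Added example (not from the original howto): audit "/ip service print"
# output against an allow-list of services that may stay enabled.

ALLOWED_SERVICES="ssh www-ssl"

# Constructed sample of "/ip service print" output (columns abridged).
# In RouterOS list output an "X" in the flags column marks a disabled entry.
SAMPLE_OUTPUT='Flags: X - disabled, I - invalid
 #   NAME     PORT  ADDRESS  CERTIFICATE  TLS-VERSION
 0 X telnet   23
 1 X ftp      21
 2   www      80
 3   ssh      22
 4   www-ssl  443            tellurium_0  only-1.2
 5 X api      8728
 6 X winbox   8291
 7 X api-ssl  8729'

# Print the names of all enabled services, one per line (reads stdin).
enabled_services() {
    awk '
        /^Flags:/ { next }                 # legend line
        /^ *#/    { next }                 # column header
        NF == 0   { next }                 # blank lines
        {
            name = $2
            if ($2 ~ /^[A-Z]+$/) {         # flags column present
                if ($2 ~ /X/) next         # X = disabled
                name = $3
            }
            print name
        }
    '
}

# Print every enabled service that is not in ALLOWED_SERVICES (reads stdin).
# Returns 1 if at least one such service exists, 0 if the router is clean.
audit_services() {
    rc=0
    for svc in $(enabled_services); do
        allowed=0
        for ok in $ALLOWED_SERVICES; do
            [ "$svc" = "$ok" ] && allowed=1
        done
        if [ "$allowed" -eq 0 ]; then
            echo "$svc"
            rc=1
        fi
    done
    return $rc
}

# Demo on the constructed sample: "www" is still enabled and gets reported.
if printf '%s\n' "$SAMPLE_OUTPUT" | audit_services; then
    echo "OK: only allowed services are enabled"
else
    echo "WARNING: the services listed above are enabled but not allowed"
fi
```

The name column is taken from field 3 only when field 2 looks like a flags column, so entries without flags and entries flagged "I" (invalid) are both handled.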

SSH Hardening

Documentation:

[UNIX shell]: Define environment

  • for tellurium.raysoft.loc
host_name='tellurium'
  • for palladium.raysoft.loc
host_name='palladium'

[RouterOS CLI]: Harden the SSH server

/ip ssh
    set forwarding-enabled="no" always-allow-password-login="yes" \
        strong-crypto="yes" allow-none-crypto="no" host-key-size="2048"
    print

[RouterOS CLI]: Generate a new RSA host key for the SSH server (takes time!)

/ip ssh regenerate-host-key

[UNIX shell]: Generate an RSA key pair for the SSH client

ssh-keygen -t 'rsa' -b 2048

[UNIX shell]: Upload the public key id_rsa.pub of that key pair to the router

scp -F '/dev/null' "${HOME}/.ssh/id_rsa.pub" "admin@${host_name}.raysoft.loc:/"

[RouterOS CLI]: Configure the public key id_rsa.pub for the user admin

/user ssh-keys
    import user="admin" public-key-file="id_rsa.pub"
    print detail

[RouterOS CLI]: Remove unused files

/file
    remove [find type="ssh key"]
    print detail where type="ssh key"

[RouterOS CLI]: Reboot to activate the SSH server settings

/system reboot

[UNIX shell]: Clean up the list of known SSH servers in the file ~/.ssh/known_hosts

[UNIX shell]: Harden the SSH client in the file ~/.ssh/config

Host 192.168.1.5 192.168.1.6 tellurium tellurium.raysoft.loc palladium palladium.raysoft.loc
    User admin
    HashKnownHosts yes
    KexAlgorithms diffie-hellman-group-exchange-sha256
    Ciphers aes256-ctr
    MACs hmac-sha2-256

[UNIX shell]: Log in with the user admin using SSH

ssh 'admin@palladium.raysoft.loc'
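[UNIX shell]: Check that the SSH client stanza is really hardened (added example, not part of the original howto). A Host stanza is easy to get wrong when more routers are added later, so this script extracts the stanza that covers a given host name from an ssh_config-style file and verifies it carries the KexAlgorithms, Ciphers and MACs values used above. The embedded config is constructed (one correct stanza, one that forgot MACs); run it against the real file with `check_host_stanza "$HOME/.ssh/config" tellurium.raysoft.loc`.

```shell
#!/bin/sh
# Added example (not from the original howto): verify the hardening
# directives of the Host stanza covering a router in an ssh_config file.

# Constructed sample config: the hardened stanza from above plus a second
# stanza that lacks the MACs directive.
SAMPLE_CONFIG='Host 192.168.1.5 192.168.1.6 tellurium tellurium.raysoft.loc palladium palladium.raysoft.loc
    User admin
    HashKnownHosts yes
    KexAlgorithms diffie-hellman-group-exchange-sha256
    Ciphers aes256-ctr
    MACs hmac-sha2-256

Host lab-router.example
    User admin
    KexAlgorithms diffie-hellman-group-exchange-sha256
    Ciphers aes256-ctr'

# Print "keyword value" for every directive of the Host stanza(s) whose
# pattern list contains $2 literally (wildcards are not expanded). $1 = file.
host_stanza() {
    awk -v want="$2" '
        /^[ \t]*#/ { next }                      # comment lines
        tolower($1) == "host" {
            inside = 0
            for (i = 2; i <= NF; i++) if ($i == want) inside = 1
            next
        }
        inside && NF > 0 { print $1, $2 }
    ' "$1"
}

# Return 0 if the stanza for host $2 in file $1 pins the hardened
# key-exchange, cipher and MAC; otherwise name the missing keywords, return 1.
check_host_stanza() {
    stanza=$(host_stanza "$1" "$2")
    missing=""
    for want in "KexAlgorithms diffie-hellman-group-exchange-sha256" \
                "Ciphers aes256-ctr" \
                "MACs hmac-sha2-256"; do
        if ! printf '%s\n' "$stanza" | grep -qxF "$want"; then
            missing="$missing ${want%% *}"
        fi
    done
    if [ -z "$missing" ]; then
        echo "OK: $2 stanza is hardened"
        return 0
    fi
    echo "MISSING for $2:$missing"
    return 1
}

# Demo on the constructed config.
cfg=$(mktemp)
printf '%s\n' "$SAMPLE_CONFIG" > "$cfg"
for h in tellurium.raysoft.loc lab-router.example; do
    check_host_stanza "$cfg" "$h" || echo "  -> harden the stanza for $h"
done
rm -f "$cfg"
```

This is a per-stanza check: ssh itself takes the first value it sees for each keyword across all matching stanzas, so a later catch-all "Host *" stanza cannot weaken these values, but an earlier one could. Keep the router stanza above any wildcard stanza.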

WebGUI Hardening

Documentation:

[UNIX shell]: Define environment

  • for tellurium.raysoft.loc
host_name='tellurium'
  • for palladium.raysoft.loc
host_name='palladium'

[RouterOS CLI]: Define environment

  • for tellurium.raysoft.loc
:global hostName "tellurium"
  • for palladium.raysoft.loc
:global hostName "palladium"

[RouterOS CLI]: Disable the service www-ssl

/ip service disable "www-ssl"

[RouterOS CLI]: Generate a CSR (takes time!)

/certificate
    add name="$hostName" common-name="$hostName.raysoft.loc" key-size="2048"
    create-certificate-request template="$hostName" \
        key-passphrase="************"
    print detail

[UNIX shell]: Download the CSR

scp "admin@${host_name}.raysoft.loc:/certificate-request.pem" \
    "/Volumes/CA-RaySoft/certs/${host_name}.raysoft.loc.csr.pem"

[Anywhere]: Sign the CSR

[UNIX shell]: Upload the signed certificate

scp "/Volumes/CA-RaySoft/certs/${host_name}.raysoft.loc.cert.pem" \
    "admin@${host_name}.raysoft.loc:/${host_name}.pem"

[RouterOS CLI]: Import the signed certificate & its private key

/certificate
    import file-name="$hostName.pem" passphrase=""
    import file-name="certificate-request_key.pem" passphrase="************"
    print detail

[RouterOS CLI]: Configure & start the service www-ssl

/ip service
    set "www-ssl" certificate="$hostName_0" tls-version="only-1.2"
    enable "www-ssl"
    print detail where name="www-ssl"

[RouterOS CLI]: Remove unused files

/file
    remove [find type=".pem file"]
    print detail where type=".pem file"

[UNIX shell]: Test the certificate using OpenSSL

openssl s_client -tls1_2 -connect "${host_name}.raysoft.loc:443" <<<'EXIT'
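[UNIX shell]: Evaluate what the OpenSSL test actually reports (added example, not part of the original howto). A successful connection alone does not prove the certificate is trusted: s_client prints a "Verify return code" and the negotiated protocol, and both should be checked. Note that the RaySoft CA is not in the system trust store, so verification only succeeds when the CA certificate is passed with `-CAfile` (the path below is an assumption). The two session transcripts embedded in the script are constructed; for a real check pipe the s_client output in: `openssl s_client -tls1_2 -connect "${host_name}.raysoft.loc:443" -CAfile '/Volumes/CA-RaySoft/certs/ca.cert.pem' </dev/null 2>&1 | check_tls`.

```shell
#!/bin/sh
# Added example (not from the original howto): parse "openssl s_client"
# output and fail unless the chain verified and TLS 1.2 was negotiated.

# Constructed sample of a session that verified cleanly.
GOOD_OUTPUT='CONNECTED(00000003)
depth=1 CN = CA-RaySoft
verify return:1
depth=0 CN = tellurium.raysoft.loc
verify return:1
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
---
    Verify return code: 0 (ok)
---
DONE'

# Constructed sample where the chain could not be verified, which is what
# you see when the signing CA is not supplied via -CAfile.
BAD_OUTPUT='CONNECTED(00000003)
depth=0 CN = tellurium.raysoft.loc
verify error:num=21:unable to verify the first certificate
verify return:1
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
SSL-Session:
    Protocol  : TLSv1.2
---
    Verify return code: 21 (unable to verify the first certificate)
---
DONE'

# Numeric "Verify return code" from s_client output on stdin (0 = ok).
verify_code() {
    sed -n 's/^ *Verify return code: \([0-9]*\).*/\1/p' | head -n 1
}

# Negotiated protocol version from s_client output on stdin.
protocol() {
    sed -n 's/^ *Protocol *: *\([^ ]*\).*/\1/p' | head -n 1
}

# Read s_client output on stdin; return 0 only when the chain verified
# and the protocol is TLSv1.2, otherwise print the reason and return 1.
check_tls() {
    out=$(cat)
    code=$(printf '%s\n' "$out" | verify_code)
    proto=$(printf '%s\n' "$out" | protocol)
    if [ "$code" = "0" ] && [ "$proto" = "TLSv1.2" ]; then
        echo "OK: $proto, certificate chain verified"
        return 0
    fi
    echo "FAIL: protocol='${proto:-missing}' verify_code='${code:-missing}'"
    return 1
}

# Demo on the constructed samples.
for sample in "$GOOD_OUTPUT" "$BAD_OUTPUT"; do
    printf '%s\n' "$sample" | check_tls || echo "  -> fix before trusting the WebGUI"
done
```

Both the expected TLS version and the verify code are compared as exact strings, so a downgrade to TLS 1.0/1.1 or any non-zero verify code (expired, self-signed, name mismatch) makes the check fail.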

[UNIX shell]: Open the WebGUI using Firefox

open -a 'Firefox' "https://${host_name}.raysoft.loc/"