RouterOS Howto (1) - Part 2

This is Part 2 of the RouterOS Howto for MikroTik hEX S.

Disable unused services

Documentation:

RouterOS Documentation [EN]
- Bandwidth Test
- IP Settings
- Kid Control
- MAC server
- Neighbor discovery
- Proxy
- RoMON
- Services
- SOCKS
- UPnP

[RouterOS CLI]: Disable IPv6

/ipv6/settings
    set disable-ipv6="yes"
    print

[RouterOS CLI]: Disable all base services except ssh and www

/ip/service
    enable "ssh,www"
    disable [find name!="ssh" and name!="www"]
    print

[RouterOS CLI]: Disable additional services

/ip/kid-control
    remove [find]
    print

/ip/neighbor/discovery-settings
    set discover-interface-list="none"
    print

/ip/proxy
    set enabled="no"
    print

/ip/socks
    set enabled="no"
    print

/ip/upnp
    set enabled="no"
    print

/tool/bandwidth-server
    set enabled="no"
    print

/tool/mac-server
    set allowed-interface-list="none"
    print

/tool/mac-server/mac-winbox
    set allowed-interface-list="none"
    print

/tool/mac-server/ping
    set enabled="no"
    print

/tool/romon
    set enabled="no"
    print

Configure email forwarder

Documentation:

RouterOS Documentation [EN]
- E-mail

[RouterOS CLI]: Configure email forwarder to GMail

/tool/e-mail
    set server=[:resolve "smtp.gmail.com"] port=587 tls="starttls" \
        user="alex.the.lion@gmail.com" password="**********" \
        from="alex.the.lion@gmail.com"
    print

[RouterOS CLI]: Send a test email

/tool/e-mail send to="alex.the.lion@gmail.com" subject="Email test" \
    body="email test"

[RouterOS CLI]: Monitor the email logs

/log print follow where message~"e-mail"

Configure microSD card

Documentation:

RouterOS Documentation [EN]
- Disks
- Files

[Device]: Insert the card into the microSD slot

[RouterOS CLI]: Define environment

:global cardName "mircosd1"

[RouterOS CLI]: Show the card

/disk print

[RouterOS CLI]: Format the card & set its name

/disk
    format-drive "sd1" file-system="ext4" label="$cardName"
    set slot="$cardName" [find label="$cardName"]
    print

[RouterOS CLI]: Show the card in the file management

/file print where name~"$cardName"

SSH Hardening

Documentation:

RouterOS Documentation [EN]
- Files
- SSH
- User
Man pages [EN]

[UNIX shell]: Define environment

for tellurium.raysoft.loc

host_name='tellurium'

for palladium.raysoft.loc

host_name='palladium'

[RouterOS CLI]: Harden the SSH server

/ip/ssh
    set allow-none-crypto="no" always-allow-password-login="yes" \
        forwarding-enabled="no" host-key-type="ed25519" strong-crypto="yes"
    print

[RouterOS CLI]: Generate a new ED25519 certificate for the SSH server

/ip/ssh regenerate-host-key

[UNIX shell]: Generate a ED25519 certificate for the SSH client

ssh-keygen -t 'ed25519'

[UNIX shell]: Upload the public key id_ed25519.pub from the ED25519 certificate to the router

scp -F '/dev/null' "${HOME}/.ssh/id_ed25519.pub" \
  "scp://admin@${host_name}.raysoft.loc/"

[RouterOS CLI]: Configure the public key id_ed25519.pub for the user admin

/user/ssh-keys
    import user="admin" public-key-file="id_ed25519.pub"
    print detail

[RouterOS CLI]: Remove unused files

/file
    remove [find type="ssh key"]
    print detail where type="ssh key"

[RouterOS CLI]: Reboot to activate the SSH server settings

/system/reboot

[UNIX shell]: Clean up the list of known SSH servers in the file ~/.ssh/known_hosts

for host in "${host_name}"{,'raysoft.loc'} "${host_ip}"; do
  ssh-keygen -R "${host}"
done

[UNIX shell]: Harden the SSH client in the file ~/.ssh/config

Host 192.168.1.5 tellurium tellurium.raysoft.loc 192.168.1.6 palladium palladium.raysoft.loc
    User admin
    HashKnownHosts yes
    KexAlgorithms diffie-hellman-group-exchange-sha256
    Ciphers aes256-ctr
    MACs hmac-sha2-256

[UNIX shell]: Log in with the user admin using SSH

ssh "${host_name}"

WebGUI Hardening

Documentation:

RouterOS Documentation [EN]
Man pages [EN]
- man 1 'scp'

[UNIX shell]: Define environment

for tellurium.raysoft.loc

host_name='tellurium'

for palladium.raysoft.loc

host_name='palladium'

[RouterOS CLI]: Define environment

for tellurium.raysoft.loc

:global hostName "tellurium"

for palladium.raysoft.loc

:global hostName "palladium"

[RouterOS CLI]: Disable the service www

/ip/service
    disable "www"
    print detail

[RouterOS CLI]: Generate a CSR (takes time!)

/certificate
    add name="$hostName" common-name="$hostName.raysoft.loc" key-size="2048"
    create-certificate-request template="$hostName" \
        key-passphrase="************"
    print detail

[UNIX shell]: Download the CSR

scp "scp://admin@${host_name}.raysoft.loc/certificate-request.pem" \
    "/Volumes/CA-RaySoft/certs/${host_name}.raysoft.loc.csr.pem"

[Anywhere]: Sign the CSR

[UNIX shell]: Upload the signed certificate

scp "/Volumes/CA-RaySoft/certs/${host_name}.raysoft.loc.cert.pem" \
    "scp://admin@${host_name}.raysoft.loc/${host_name}.pem"

[RouterOS CLI]: Import the signed certificate & its private key

/certificate
    import file-name="$hostName.pem" passphrase=""
    import file-name="certificate-request_key.pem" passphrase="************"
    print detail

[RouterOS CLI]: Configure & start the service www-ssl

/ip/service
    set "www-ssl" certificate="$hostName_0" tls-version="only-1.2"
    enable "www-ssl"
    print detail where name="www-ssl"

[RouterOS CLI]: Remove unused files

/file
    remove [find type=".pem file"]
    print detail where type=".pem file"

[UNIX shell]: Test the certificate using OpenSSL

openssl s_client -tls1_2 -connect "${host_name}.raysoft.loc:443" <<<'EXIT'

[macOS shell]: Open the WebGUI using Firefox

open -a 'Firefox' "https://${host_name}.raysoft.loc/"