- # MIKROTIK DEFAULT SETTINGS
# Applied after a configuration reset with skip-defaults=yes (i.e. no default firewall rules).
# NOTE: this file contains NO /ip firewall filter rules; the SSH service (bound to all
# addresses) and the DNS resolver (allow-remote-requests=yes) below rely on such rules
# to keep external interfaces from reaching them.
- # Links:
- # [1]: https://www.manitonetworks.com/networking/2017/7/25/mikrotik-router-hardening#reverse-path-filtering
- # [2]: https://wiki.mikrotik.com/wiki/Manual:Securing_Your_Router#Bandwidth_server
- # [INTERFACES]
- # 1. ether1,ether2 - EXTERNAL LINKS
- # 2. ether3 - EMERGENCY ACCESS INTERFACE
- # 3. all other interfaces - BRIDGED LOCAL LINKS (lan-bridge)
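# [IFACE-LIST]
# 1. Lists
# external/emergency/internal group the physical ports; wan/lan/vpn group logical links.
# "mdp" is the neighbour-discovery list: it includes "emergency" only, so MNDP/LLDP
# announcements are never sent out of the external ports (see 1.9 below).
/interface list add comment="userconf: contains external interfaces" name=external
/interface list add comment="userconf: contains emergency interfaces" name=emergency
/interface list add comment="userconf: contains internal interfaces" name=internal
/interface list add comment="userconf: contains mdp interfaces" include=emergency name=mdp
/interface list add comment="userconf: contains wan interfaces" include=external name=wan
/interface list add comment="userconf: contains lan interfaces" name=lan
/interface list add comment="userconf: contains vpn interfaces" name=vpn
# 2. Members
# 2.1 External (physical uplink ports)
/interface list member add interface=ether1 list=external
/interface list member add interface=ether2 list=external
# 2.2 Emergency access (out-of-band management port; WINBOX is limited to <EMERGENCY-NETWORK>)
/interface list member add interface=ether3 list=emergency
# 2.3 Internal (all other ethernet interfaces) - repeat once per port, replacing etherX
/interface list member add interface=etherX list=internal
# 2.4 Wan interfaces (ppp-clients and other logical uplinks)
/interface list member add interface=wan1 list=wan
/interface list member add interface=wan2 list=wan
# 2.5 Lan interfaces (all internal ethernet interfaces & probably wireless)
/interface list member add interface=lan-bridge list=lan
# 2.6 Neighbour discovery on the LAN (optional - NOT used by the author, kept commented out).
#     Adding lan-bridge to "mdp" makes the router announce itself via MNDP/LLDP to every
#     LAN host; uncomment only if LAN-side discovery is really wanted.
# /interface list member add interface=lan-bridge list=mdp
# 2.7 VPN interfaces
/interface list member add interface=vpn0 list=vpn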
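# [IP SETTINGS]
# 1. Change default timeouts (shorter conntrack lifetimes bound table growth under floods)
/ip firewall connection tracking set generic-timeout=3m tcp-established-timeout=2h tcp-max-retrans-timeout=2m tcp-unacked-timeout=2m
# 2. Reverse-path filtering, ICMP redirects, source routing, SYN cookies
# NOTE: rp-filter=strict drops packets whose return route points out of a different
#       interface. With two uplinks (ether1/ether2, see [INTERFACES]) or any asymmetric
#       routing this silently breaks traffic; use rp-filter=loose in that case (link [1]).
# accept-redirects=no / accept-source-route=no make the router ignore ICMP redirects and
# source-routed packets it RECEIVES; send-redirects=no stops it EMITTING redirects
# (the original only covered the sending side). tcp-syncookies protects the router's
# own listeners from SYN floods.
/ip settings set rp-filter=strict secure-redirects=no send-redirects=no accept-redirects=no accept-source-route=no tcp-syncookies=yes
# 3. Management (SSH only, WINBOX on emergency)
# Require:
# <EMERGENCY-NETWORK>: alias should be configured on emergency port
# NOTE: ssh address="" listens on every router address, external links included; it
#       depends on the firewall filter (not in this file) to restrict source networks.
#       If a fixed management range exists, set address=<MGMT-NETWORK> here as well.
/ip ssh set forwarding-enabled=no strong-crypto=yes
/ip service set ssh address="" disabled=no port=22
/ip service set winbox address="<EMERGENCY-NETWORK>" disabled=no port=8291
# ftp is enabled by default in RouterOS and was missing from the original disable list
/ip service set ftp disabled=yes
/ip service set telnet disabled=yes
/ip service set www disabled=yes
/ip service set www-ssl disabled=yes
/ip service set api disabled=yes
/ip service set api-ssl disabled=yes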
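# [SERVICES]
# 1. SNMP
# Require:
# A. <SNMP-USER>: SNMPv3 user (community) name
# B. <SNMP-AUTH-PASSWORD>, <SNMP-PRIV-PASSWORD>: two DIFFERENT secrets, min. length 20 symbols
# C. <SNMP-CONTACT>: should be valid email address
# D. <SNMP-LOCATION>: should be valid location
# E. <SNMP-NMS-HOST>: NMS internal host (required when SNMP is enabled)
# F. <ROMON-SECRET>: RoMON secret, independent from every SNMP secret
# The original reused one <SNMP-COMMUNITY> string as user name, auth password, privacy
# password, v2c trap community and RoMON secret; one leak (e.g. a clear-text v2 trap)
# would have exposed all of them.
# 1.1 Disable read-access on default communities ("public" exists out of the box)
/snmp community set [ find default=yes ] read-access=no
# 1.2 SNMPv3 access-only
# security=private enforces authentication AND encryption; "authorized" (original) only
# authenticates and leaves the configured AES encryption unused. Access is limited to
# the NMS host instead of ::/0.
/snmp community add addresses=<SNMP-NMS-HOST> authentication-password=<SNMP-AUTH-PASSWORD> authentication-protocol=SHA1 encryption-password=<SNMP-PRIV-PASSWORD> encryption-protocol=AES name=<SNMP-USER> security=private
# trap-version=3 sends traps as the v3 user above; v2 traps carry the community in clear text
/snmp set contact=<SNMP-CONTACT> location="<SNMP-LOCATION>" trap-community=<SNMP-USER> trap-generators=start-trap,interfaces,temp-exception trap-interfaces=all trap-target=<SNMP-NMS-HOST> trap-version=3
# 1.3 Disable unused services
/tool mac-server set allowed-interface-list=none
/tool mac-server mac-winbox set allowed-interface-list=none
/tool mac-server ping set enabled=no
# RoMON is not enabled here (no enabled=yes); the secret is set so that a later
# enable does not fall back to an empty one, and all default ports are forbidden.
/tool romon set secrets=<ROMON-SECRET>
/tool romon port set [ find default=yes ] forbid=yes
/tool bandwidth-server set enabled=no max-sessions=2
/lcd set enabled=no
/ip cloud set ddns-enabled=no ddns-update-interval=none update-time=no
/ip upnp set enabled=no
/ip proxy set enabled=no
/ip socks set enabled=no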
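# 1.4 System name
# Require:
# A. <HOSTNAME>: router hostname
/system identity set name=<HOSTNAME>
# 1.5 System time (accurate time is needed for log correlation and certificate checks)
# Require:
# A. <TIMEZONE>: timezone name
/system clock set time-zone-autodetect=no time-zone-name=<TIMEZONE>
# NOTE: RouterOS 7 renamed server-dns-names to servers; adjust for the target release.
/system ntp client set enabled=yes server-dns-names=0.pool.ntp.org,1.pool.ntp.org,2.pool.ntp.org,3.pool.ntp.org
# 1.6 System logging
# Default entries are matched by name/topic instead of numeric position (the original
# used "0" and "3", which shift as soon as entries are added or removed; stock rule 3
# is topics=critical action=echo). Memory logging is lost on reboot - add a remote
# syslog action as well if logs are needed for incident response.
/system logging action set [ find name=memory ] memory-lines=2048
/system logging set [ find topics=critical ] action=memory
# Custom topics here; !debug keeps the 2048-line memory buffer from being flooded
/system logging add topics=ipsec,!debug
/system logging add topics=stp,!debug
/system logging add topics=bridge,!debug
# The original had wireless,debug - debug output would quickly evict security-relevant
# entries from the buffer; enable debug only temporarily while troubleshooting.
/system logging add topics=wireless,!debug
# 1.7 System upgrade and watchdog
/system package update set channel=long-term
# RouterBOARD firmware auto-upgrade is applied on the reboot that follows a package upgrade
/system routerboard settings set auto-upgrade=yes
# watchdog reboots the router when watch-address stops answering pings;
# 127.0.0.1 is effectively a self-check - confirm this is the intended target
/system watchdog set watch-address=127.0.0.1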
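# 1.8 Email client (valid settings should be provided)
# Require:
# A. <MAIL-SERVER>: SMTP server host (the "address" parameter is the SERVER, not the account;
#    the original wrongly set it to <MAIL-ACCOUNT>)
# B. <MAIL-ACCOUNT>, <MAIL-PASSWORD>: login of a dedicated send-only mailbox
# C. <MAIL-DESC>: display name used in From:
# port 465 + start-tls=tls-only = implicit TLS. The password is stored in the router
# configuration and shows up in /export unless hide-sensitive is used.
/tool e-mail set address=<MAIL-SERVER> from="<MAIL-DESC> <<MAIL-ACCOUNT>>" password=<MAIL-PASSWORD> port=465 start-tls=tls-only user=<MAIL-ACCOUNT>
# 1.9 Neighbour discovery - only on the "mdp" interface list (emergency port, optionally lan-bridge)
/ip neighbor discovery-settings set discover-interface-list=mdp
/ipv6 nd set [ find ] disabled=yes
# 2. DNS (!! should be filtered on wan interface list !!)
# allow-remote-requests=yes makes the router a resolver for LAN clients; without a
# firewall filter dropping udp/tcp 53 from "wan" it is an open resolver usable for
# amplification attacks. Upstream queries go to Google DNS in clear text.
/ip dns set allow-remote-requests=yes cache-max-ttl=1h cache-size=8192KiB servers=8.8.8.8,8.8.4.4
# ".local" is reserved for mDNS (RFC 6762); some clients resolve it via multicast rather
# than this unicast entry - consider another suffix such as router.lan
/ip dns static add address=192.168.1.1 name=router.local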