Read a script before running it.
This script is designed to harden your RouterOS device by disabling unnecessary services, enhancing security settings, and configuring logging. It follows best practices from the "Securing your router" section of the MikroTik documentation and a Manito Networks blog post.
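```
# Download the script; fetch saves it under its URL file name, hardening.rsc
/tool fetch url="https://raw.githubusercontent.com/MikeHorn-git/RouterOS-Hardening/main/hardening.rsc" mode=https
# Import the downloaded file after reading it
/import file-name=hardening.rsc
```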
- Update System Packages [Optional] (Need a valid license)
- Create new user hardened (the temporary password is hardened; you need to change it)
- Disable admin user
- Disable Unnecessary Services (API, FTP, IP Cloud, Telnet, Proxy, SOCKS, UPNP, WWW, WWW-SSL)
- Disable MAC Server (Ping, Server, Winbox)
- Disable Bandwidth Server
- Disable DNS Cache
- Disable Neighbor Discovery
- Disable IPv6 Neighbor Discovery
- Disable Router Management Overlay Network (ROMON)
- Enable Reverse Path Filtering (RPF)
- Enable Stronger SSH Crypto
- Configure Logging to Disk
- Configure NTP
- Change SSH Port (2200)
- Disable LCD Module [Optional] (Need a compatible RouterBoard)
- Build a Firewall [Partially]
- Create Configuration Backup
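
To confirm after the import that the settings listed above took effect, the following added example (not part of the RouterOS-Hardening project) audits the text of `/export verbose` against a subset of the list. The menu paths and property names in `EXPECTED` are assumptions based on standard RouterOS settings, not values copied from the script, and the sample export is constructed.

```python
import shlex

# (menu, item) -> (property, wanted value); item is None for single-row menus.
EXPECTED = {("/ip service", s): ("disabled", "yes")
            for s in ("telnet", "ftp", "www", "www-ssl", "api")}
EXPECTED.update({
    ("/ip service", "ssh"): ("port", "2200"),
    ("/ip ssh", None): ("strong-crypto", "yes"),
    ("/tool mac-server ping", None): ("enabled", "no"),
})

# Constructed sample of `/export verbose` output, not taken from a real device.
SAMPLE = """\
/ip service
set telnet address="" disabled=yes port=23
set ftp address="" disabled=yes port=21
set www address="" disabled=no port=80
set ssh address="" disabled=no port=2200
set www-ssl address="" certificate=none disabled=yes \\
    port=443
set api address="" disabled=yes port=8728
/ip ssh
set forwarding-enabled=no strong-crypto=yes
/tool mac-server ping
set enabled=yes
"""

def parse_export(text):
    """Return {(menu, item): {property: value}} for every `set` line."""
    state, menu = {}, None
    # RouterOS wraps long export lines with a trailing backslash; rejoin them.
    for line in map(str.strip, text.replace("\\\n", "").splitlines()):
        if line.startswith("/"):
            menu = line
        elif line.startswith("set "):
            tokens = shlex.split(line)[1:]
            item = tokens[0] if "=" not in tokens[0] else None
            pairs = dict(t.split("=", 1) for t in tokens if "=" in t)
            state.setdefault((menu, item), {}).update(pairs)
    return state

def audit(text):
    state, findings = parse_export(text), []
    for (menu, item), (prop, want) in EXPECTED.items():
        got = state.get((menu, item), {}).get(prop)
        if got != want:  # None means the property was not in the export
            name = " ".join(filter(None, (menu, item)))
            findings.append(f"{name}: {prop}={got}, want {want}")
    return findings
```

A compact `/export` omits properties that are still at their defaults, so those show up as `None` findings; use the verbose export when auditing.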
This part cannot be done automatically.
- Firewall Configuration [Partially]
- Backup Strategy
- Change credentials
- Monitor Log File Size