Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/mikehorn-git/routeros-hardening

Secure and Harden your MikroTik RouterBoard / RouterOS.
https://github.com/mikehorn-git/routeros-hardening

hardening mikrotik routerboard routeros script security

Last synced: about 11 hours ago
JSON representation

Secure and Harden your MikroTik RouterBoard / RouterOS.

Host: GitHub
URL: https://github.com/mikehorn-git/routeros-hardening
Owner: MikeHorn-git
License: mit
Created: 2024-05-19T17:29:31.000Z (6 months ago)
Default Branch: main
Last Pushed: 2024-05-22T16:29:24.000Z (6 months ago)
Last Synced: 2024-05-22T22:09:15.223Z (6 months ago)
Topics: hardening, mikrotik, routerboard, routeros, script, security
Language: RouterOS Script
Homepage:
Size: 51.8 KB
Stars: 1
Watchers: 1
Forks: 0
Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE

Awesome Lists containing this project

README

![image](https://github.com/MikeHorn-git/RouterOS-Hardening/assets/123373126/fec74d01-aa82-46ff-85dd-4059cb4ba272)

# Warning
Read a script before running it.

# Description
This script is designed to harden your RouterOS device by disabling unnecessary services, enhancing security settings, and configuring logging. The script follow best practices from the [Securing your router](https://help.mikrotik.com/docs/display/ROS/Securing+your+router) section of MikroTik documentation and a [Manito Networks blog](https://www.manitonetworks.com/networking/2017/7/25/mikrotik-router-hardening) post.

# Installation
```bash
/tool fetch url="https://raw.githubusercontent.com/MikeHorn-git/RouterOS-Hardening/main/hardening.rsc" mode=https
/import file-name=hardened.rsc
```

# Features
* Update System Packages [Optional] (Need a valid license)
* Create new user hardened (Need to change password, the temporary password is hardened)
* Disable admin user
* Disable Unnecessary Services (API, FTP, IP Cloud, Telnet, Proxy, SOCKS, UPNP, WWW, WWW-SSL)
* Disable MAC Server (Ping, Server, Winbox)
* Disable Bandwidth Server
* Disable DNS Cache
* Disable Neighbor Discovery
* Disable IPv6 Neighbor Discovery
* Disable Router Management Overlay Network (ROMON)
* Enable Reverse Path Filtering (RPF)
* Enable Stronger SSH Crypto
* Configure Logging to Disk
* Configure NTP
* Change SSH Port (2200)
* Disable LCD Module [Optional] (Need a compatible RouterBoard)
* Build a Firewall [Partially]
* Create Configuration Backup

# Recommendations
This part cannot be done automatically.
* Firewall Configuration [Partially]
* Backup Strategy
* Change credentials
* Monitor Log File Size