Essential Mikrotik Security Guide: Protecting Your Network with Basic Steps

The text highlights the importance of security in the use of Mikrotik, offering a guide with basic steps to protect networks. Emphasizes the need to securely configure users and secure service ports, including changing numbering to reinforce security.

Mikrotik, renowned for its powerful RouterOS operating system, plays a crucial role in routing and network management. However, the effectiveness of Mikrotik is directly tied to the security implemented by the network administrator. This guide aims to provide some essential basic security steps in Mikrotik, highlighting fundamental measures to protect your network against potential threats.

Upon entering the Mikrotik realm, it is imperative to understand that, by default, some configurations may pose vulnerabilities. This text explores basic steps to securely manage users, protect service ports, and adopt proactive measures to safeguard your network environment. By following the recommended practices presented here, you will be strengthening Mikrotik’s defenses and contributing to a safer and more reliable network environment.

Managing Users for Mikrotik Security

When accessing Mikrotik, it is crucial to take immediate steps to enhance security. The admin user, which initially has no password, should be configured with a strong password or replaced (strongly recommended) by a new user with full permissions. This creates an additional layer of complexity for potential intruders.

Here is a step-by-step guide for creating a new user with full permission and deleting the admin user.

Creating a New User for Mikrotik Security

Access Mikrotik through Winbox and select the System menu, then the Users option.

User option in Winbox for Mikrotik Security.

In the “User List” window, under the Users tab, click the “+” button to add a new user.

In the “New User” window, enter information in the fields:

  • Name – username;
  • Group – select the “full” option, where the user will have all administrator privileges;
  • Password – enter a strong default password, combining letters, numbers, symbols, and digits;
  • Confirm Password – confirm the password entered in the Password field.

Click the “Ok” button to save in RouterOS.

Creating new user with full permission for Mikrotik Security.

Disconnect from Winbox, and then test connecting with the new username and password.

Deleting Default Admin User

After ensuring access with the new user, return to “User List,” select the admin user, and click the “-” button to delete it.

Delete default admin user for Security Mikrotik.

Managing Service Ports

Access the IP menu and then the Services option; RouterOS provides options for ports accessed via IP.

It is advisable to disable unused ports. In the scenario below, “telnet” (due to lack of encryption in its access) and “www-ssl” are already disabled.

To disable a port, select it with the mouse and click the “X” button. In the example below, the “api-ssl” port is selected.

Service port management for Mikrotik Security.

Changing Port Numbers and Allowing Access for Specific Networks

Changing the default port numbers adds an extra layer of difficulty for an attacker trying to discover access to a particular service using the default port. High port numbers up to 65535 can be used for this purpose.

In “IP Service List,” double-click on the port you want to change, then modify the fields:

  •  Port – enter the port number to change; in this example, the number 41555 is used (note: use a different number for your scenario);
  • Available From – if you want to further restrict access to a port, click the down arrow symbol (Add new value) to enable the field, then add the network or a specific IP that can access this port. In this example, the port is available for the internal network

 Click the “OK” button to confirm the changes.

Changing port numbering and adding IP for access by Mikrotik Security.

Note: If you are an MKController client and enter an IP in the “Available From” field, you will need to add the IP used in the VPN communication to the ports with the changes made. To find the IP for communication with the MKController VPN, access the IP menu and then Firewall; in the rule with the comment “MKController,” note the IP used and add it to the “Available From” field in IP Service.

MKController Port Numbers

MKController clients should ensure the synchronization of information after changing the default port numbers on Mikrotik.

After logging in to “,” access the Devices menu and then click the “View more” button on the device representation.

At the bottom of the screen, under Ports, check if the port information is updated as in Mikrotik. If not, click the pencil symbol (Edit ports).

Provide the port numbers as configured on the Mikrotik device and click the Save button.

Embark on the Mikrotik security journey with confidence, implementing essential steps to strengthen your defenses and contribute to a safer and more reliable network environment.

Did not find the information you were looking for? Have other questions? Want to help us improve the material? Do not hesitate to contact us and seek support from MKController! Click here for any questions

Potencialize o controle, a eficiência e o acesso remoto do seu Mikrotik com a MKController. Clique aqui para experimentar agora e descubra o poder de uma gestão avançada e intuitiva para elevar sua experiência a novos patamares!