July 2020

MikroTik's RouterBoard hardware products ship with a well-configured set of firewall rules by default; x86/CHR installations ship with no firewall rules at all. If you accidentally deleted the firewall rules, or need to restore the default ones, import the following configuration:

Part 1: Interface lists. Every device needs to import this; adjust the member interfaces to your own setup.

/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface list member
add interface=bridge list=LAN
add interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN

Part 2: IPv4 firewall rules. Importing these is recommended on every device.

/ip firewall filter
add action=accept chain=input comment="accept ping" protocol=icmp
add action=accept chain=input comment="accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=drop chain=input comment="drop all from WAN" in-interface-list=WAN
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=drop chain=forward comment="drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
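The rules above only protect anything if the interface lists actually have members and the rules sit in the right order. The following RouterOS script is an added example, not part of the original post: it checks the lists and the input/forward chains from Parts 1 and 2 and logs a warning for each problem. It uses the list names (WAN, LAN), the `bridge` interface and the chain/action combinations shown on this page; the log prefix `fwcheck` is my own choice.

```routeros
# Added example (not from the original post): sanity-check the interface lists
# and default IPv4 firewall rules before relying on them.
:local problems 0

# An interface list with no members turns every rule that matches on it into
# a no-op, so "drop all from WAN" would silently protect nothing.
:foreach listName in={"WAN";"LAN"} do={
  :if ([:len [/interface list member find list=$listName]] = 0) do={
    :log warning "fwcheck: interface list $listName has no members"
    :set problems ($problems + 1)
  }
}

# The LAN bridge must never be a member of WAN, otherwise LAN traffic is
# dropped and masqueraded as if it came from the Internet.
:if ([:len [/interface list member find list=WAN interface=bridge]] != 0) do={
  :log warning "fwcheck: bridge is a member of the WAN list"
  :set problems ($problems + 1)
}

# Walk the input chain in order: the drop for WAN must come after the accept
# for established/related, otherwise return traffic of the router's own
# sessions (DNS, NTP, updates) is dropped.
:local acceptSeen false
:local dropSeen false
:foreach rule in=[/ip firewall filter find chain=input disabled=no] do={
  :local act [/ip firewall filter get $rule action]
  :local cstate [:tostr [/ip firewall filter get $rule connection-state]]
  :local inList [:tostr [/ip firewall filter get $rule in-interface-list]]
  :if ($act = "accept" && $cstate ~ "established") do={ :set acceptSeen true }
  :if ($act = "drop" && $inList = "WAN") do={
    :set dropSeen true
    :if (!$acceptSeen) do={
      :log warning "fwcheck: input drop for WAN precedes the established/related accept"
      :set problems ($problems + 1)
    }
  }
}
:if (!$dropSeen) do={
  :log warning "fwcheck: input chain has no drop rule for in-interface-list=WAN"
  :set problems ($problems + 1)
}

# The forward chain needs the rule that drops new, non-DSTNATed connections
# from WAN; without it every host behind the router is reachable from outside
# as soon as a route to it exists.
:if ([:len [/ip firewall filter find chain=forward action=drop connection-state=new in-interface-list=WAN disabled=no]] = 0) do={
  :log warning "fwcheck: forward chain has no 'drop all from WAN not DSTNATed' rule"
  :set problems ($problems + 1)
}

:if ($problems = 0) do={
  :log info "fwcheck: interface lists and default firewall rules look sane"
} else={
  :log warning "fwcheck: $problems problem(s) found"
}
```

Paste it into a terminal after importing Parts 1 and 2, or store it under /system script and run it from a scheduler after configuration changes; results appear in /log.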

Because ISPs forcibly drop PPPoE sessions from time to time, you can proactively reconnect PPPoE once at night when the line is idle, so that the session is not interrupted during the day.

# Scheduler entry that reconnects the PPPoE client once a day at 03:00.
# The whole reconnect sequence lives in on-event; replace pppoe-wan1 with the
# name of your PPPoE interface.
/system scheduler
add name="restart pppoe" start-time=03:00:00 interval=1d \
    on-event="/interface disable pppoe-wan1; :delay 30; /interface enable pppoe-wan1"
Just replace pppoe-wan1 in the script above with the name of your PPPoE connection, and change start-time to the time at which you want the reconnect to happen.
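A blind disable/enable cannot tell you whether the session actually came back. The script below is an added example and not part of the original post: it performs the same nightly reconnect but refuses to act on a misspelled interface name, then polls the interface's running flag and logs a warning if the session is still down after a timeout. The interface name `pppoe-wan1` is the one used above; `waitSeconds` and the `pppoe-restart` log prefix are constructed values.

```routeros
# Added example (not from the original post): reconnect a PPPoE interface and
# verify that it came back up.
:local pppoeName "pppoe-wan1"
:local waitSeconds 60

# Refuse to touch an interface that does not exist (typo in the name).
:if ([:len [/interface find name=$pppoeName]] = 0) do={
  :log error "pppoe-restart: interface $pppoeName not found"
} else={
  :log info "pppoe-restart: reconnecting $pppoeName"
  /interface disable [find name=$pppoeName]
  :delay 30s
  /interface enable [find name=$pppoeName]

  # Poll the running flag instead of assuming the session is back.
  :local waited 0
  :while (![/interface get [find name=$pppoeName] running] && $waited < $waitSeconds) do={
    :delay 5s
    :set waited ($waited + 5)
  }
  :if ([/interface get [find name=$pppoeName] running]) do={
    :log info "pppoe-restart: $pppoeName is up again after $waited s"
  } else={
    :log warning "pppoe-restart: $pppoeName still down after $waitSeconds s"
  }
}
```

Store this under /system script as `pppoe-restart` and point the scheduler at it with `on-event=pppoe-restart` instead of the inline command string; the warning in /log is what you look for the next morning if the line did not come back.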

RouterBoard factory default configuration

#| RouterMode:
#|  * WAN port is protected by firewall and enabled DHCP client
#|  * Ethernet interfaces (except WAN port ether1) are part of LAN bridge
#| LAN Configuration:
#|     IP address 192.168.88.1/24 is set on bridge (LAN port)
#|     DHCP Server: enabled;
#| WAN (gateway) Configuration:
#|     gateway:  ether1 ;
#|     ip4 firewall:  enabled;
#|     NAT:   enabled;
#|     DHCP Client: enabled;
#|     DNS: enabled;

:global defconfMode;
:log info Starting_defconf_script_;
#-------------------------------------------------------------------------------
# Apply configuration.
# these commands are executed after installation or configuration reset
#-------------------------------------------------------------------------------
:if ($action = "apply") do={
# wait for interfaces
:local count 0; 
:while ([/interface ethernet find] = "") do={ 
:if ($count = 30) do={
:log warning "DefConf: Unable to find ethernet interfaces";
/quit;
}
:delay 1s; :set count ($count +1); 
};

 /interface list add name=WAN comment="defconf"
 /interface list add name=LAN comment="defconf"
 /interface bridge
   add name=bridge disabled=no auto-mac=yes protocol-mode=rstp comment=defconf;
 :local bMACIsSet 0;
 :foreach k in=[/interface find where !(slave=yes  || name="ether1" || name~"bridge")] do={
   :local tmpPortName [/interface get $k name];
   :log info "port: $tmpPortName"
   :if ($bMACIsSet = 0) do={
     :if ([/interface get $k type] = "ether") do={
       /interface bridge set "bridge" auto-mac=no admin-mac=[/interface ethernet get $tmpPortName mac-address];
       :set bMACIsSet 1;
     }
   }
   /interface bridge port
     add bridge=bridge interface=$tmpPortName comment=defconf;
 }
   /ip pool add name="default-dhcp" ranges=192.168.88.10-192.168.88.254;
   /ip dhcp-server
     add name=defconf address-pool="default-dhcp" interface=bridge lease-time=10m disabled=no;
   /ip dhcp-server network
     add address=192.168.88.0/24 gateway=192.168.88.1 comment="defconf";
  /ip address add address=192.168.88.1/24 interface=bridge comment="defconf";
   /ip dhcp-client add interface=ether1 disabled=no comment="defconf";
 /interface list member add list=LAN interface=bridge comment="defconf"
 /interface list member add list=WAN interface=ether1 comment="defconf"
 /ip firewall nat add chain=srcnat out-interface-list=WAN ipsec-policy=out,none action=masquerade comment="defconf: masquerade"
 /ip firewall {
   filter add chain=input action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
   filter add chain=input action=drop connection-state=invalid comment="defconf: drop invalid"
   filter add chain=input action=accept protocol=icmp comment="defconf: accept ICMP"
   filter add chain=input action=drop in-interface-list=!LAN comment="defconf: drop all not coming from LAN"
   filter add chain=forward action=accept ipsec-policy=in,ipsec comment="defconf: accept in ipsec policy"
   filter add chain=forward action=accept ipsec-policy=out,ipsec comment="defconf: accept out ipsec policy"
   filter add chain=forward action=fasttrack-connection connection-state=established,related comment="defconf: fasttrack"
   filter add chain=forward action=accept connection-state=established,related,untracked comment="defconf: accept established,related, untracked"
   filter add chain=forward action=drop connection-state=invalid comment="defconf: drop invalid"
   filter add chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN comment="defconf: drop all from WAN not DSTNATed"
 }
   /ip neighbor discovery-settings set discover-interface-list=LAN
   /tool mac-server set allowed-interface-list=LAN
   /tool mac-server mac-winbox set allowed-interface-list=LAN
 /ip dns {
     set allow-remote-requests=yes
     static add name=router.lan address=192.168.88.1
 }

}
#-------------------------------------------------------------------------------
# Revert configuration.
# these commands are executed if user requests to remove default configuration
#-------------------------------------------------------------------------------
:if ($action = "revert") do={
/user set admin password=""
 /system routerboard mode-button set enabled=no
 /system routerboard mode-button set on-event=""
 /system script remove [find comment~"defconf"]
 /ip firewall filter remove [find comment~"defconf"]
 /ip firewall nat remove [find comment~"defconf"]
 /interface list member remove [find comment~"defconf"]
 /interface detect-internet set detect-interface-list=none
 /interface detect-internet set lan-interface-list=none
 /interface detect-internet set wan-interface-list=none
 /interface detect-internet set internet-interface-list=none
 /interface list remove [find comment~"defconf"]
 /tool mac-server set allowed-interface-list=all
 /tool mac-server mac-winbox set allowed-interface-list=all
 /ip neighbor discovery-settings set discover-interface-list=!dynamic
   :local o [/ip dhcp-server network find comment="defconf"]
   :if ([:len $o] != 0) do={ /ip dhcp-server network remove $o }
   :local o [/ip dhcp-server find name="defconf" !disabled]
   :if ([:len $o] != 0) do={ /ip dhcp-server remove $o }
   /ip pool {
     :local o [find name="default-dhcp" ranges=192.168.88.10-192.168.88.254]
     :if ([:len $o] != 0) do={ remove $o }
   }
   :local o [/ip dhcp-client find comment="defconf"]
   :if ([:len $o] != 0) do={ /ip dhcp-client remove $o }
 /ip dns {
   set allow-remote-requests=no
   :local o [static find name=router.lan address=192.168.88.1]
   :if ([:len $o] != 0) do={ static remove $o }
 }
 /ip address {
   :local o [find comment="defconf"]
   :if ([:len $o] != 0) do={ remove $o }
 }
 :foreach iface in=[/interface ethernet find] do={
   /interface ethernet set $iface name=[get $iface default-name]
 }
 /interface bridge port remove [find comment="defconf"]
 /interface bridge remove [find comment="defconf"]
}
:log info Defconf_script_finished;
:set defconfMode;

Recently our organisation's core router was replaced with a MikroTik CCR-series unit. The router is very powerful in features and performance, and its graphical configuration makes operation and maintenance extremely convenient. The downside of that convenience is that the system exposes a large number of services and interfaces by default, which creates quite a few security risks. I therefore consulted the relevant documentation and hardened the router. The overall idea is to close unnecessary ports and services and reduce exposure, which greatly improves system security.

# Rename the default admin account
/user set 0 name=othername
# Set a strong password
/user set 0 password="<at least 10 characters mixing upper/lower case letters, digits and symbols>"
# Allow login only from a specified address range
/user set 0 allowed-address=xxxx/yy
# Keep only the secure services
/ip service disable telnet,ftp,www,api,api-ssl
# Note: this disables Telnet, FTP, WWW, API and API-SSL
# Change the default port; this immediately stops most random SSH brute-force attempts
/ip service set ssh port=2200
# Restrict Winbox logins to a subnet
/ip service set winbox address=192.168.88.0/24
# Disable the mac-telnet service
/tool mac-server set allowed-interface-list=none
# Disable the mac-winbox service
/tool mac-server mac-winbox set allowed-interface-list=none
# Disable the mac-ping service
/tool mac-server ping set enabled=no
# Neighbor discovery
# The MikroTik Neighbor Discovery protocol shows and identifies other MikroTik devices on the network; disable it on all interfaces
# Disable IPv4 neighbor discovery
/ip neighbor discovery-settings set discover-interface-list=none
# Disable IPv6 neighbor discovery
/ipv6 nd set [find] disabled=yes
# The bandwidth server is used to test throughput between two MikroTik routers; disable it after testing
/tool bandwidth-server set enabled=no
# DNS cache
/ip dns set allow-remote-requests=no
# Make SSH access more secure by enabling strong crypto
/ip ssh set strong-crypto=yes
# Disable the Proxy and SOCKS proxy
/ip proxy set enabled=no
/ip socks set enabled=no
# MikroTik UPnP service (Universal Plug and Play)
/ip upnp set enabled=no
# MikroTik's built-in DDNS (dynamic DNS) service
# If you are not using it, disable it with the following command
/ip cloud set ddns-enabled=no update-time=no
# Some RouterBOARD models have an LCD module for displaying information
/lcd set enabled=no
# If your router does not provide VPN services, turn them off with the following commands
/interface l2tp-server server set enabled=no
/interface pptp-server server set enabled=no
/interface sstp-server server set enabled=no
/interface ovpn-server server set enabled=no
# Disable RADIUS authorization on the device
/user aaa set use-radius=no
# Removal; use with caution
/radius remove numbers=[/radius find]
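Hardening commands are easy to apply once and lose again after a reset, a config restore or a colleague's change. The script below is an added example, not part of the original post: it re-checks the items in the list above and logs a warning for anything still exposed. It assumes the RouterOS 6 command paths used on this page and that the service names `telnet`, `ftp`, `www`, `api`, `api-ssl`, `ssh` and `winbox` all exist under /ip service (`get` on a missing service aborts the script); the `audit` log prefix is my own. One caveat the list itself does not mention: `allow-remote-requests=no` also stops LAN hosts from using the router as their DNS resolver. The factory default configuration above keeps it at `yes` and relies on the input chain dropping queries from WAN, so decide which behaviour you want; the audit flags the setting the way this section sets it.

```routeros
# Added example (not from the original post): audit the hardening items above
# and log a warning for each one that is not in the hardened state.
:local findings 0

# Default account name still present
:if ([:len [/user find name="admin"]] != 0) do={
  :log warning "audit: default user 'admin' still exists"
  :set findings ($findings + 1)
}

# Management services the page says to disable
:foreach svc in={"telnet";"ftp";"www";"api";"api-ssl"} do={
  :if (![/ip service get [find name=$svc] disabled]) do={
    :log warning "audit: service $svc is still enabled"
    :set findings ($findings + 1)
  }
}

# Remaining services should be restricted to a management subnet
:foreach svc in={"ssh";"winbox"} do={
  :if ([:len [:tostr [/ip service get [find name=$svc] address]]] = 0) do={
    :log warning "audit: service $svc accepts connections from any address"
    :set findings ($findings + 1)
  }
}

# Layer-2 management and discovery paths
:if ([/tool mac-server get allowed-interface-list] != "none") do={
  :log warning "audit: mac-telnet allowed on list $[/tool mac-server get allowed-interface-list]"
  :set findings ($findings + 1)
}
:if ([/tool mac-server mac-winbox get allowed-interface-list] != "none") do={
  :log warning "audit: mac-winbox allowed on list $[/tool mac-server mac-winbox get allowed-interface-list]"
  :set findings ($findings + 1)
}
:if ([/tool mac-server ping get enabled]) do={
  :log warning "audit: mac-ping is enabled"
  :set findings ($findings + 1)
}
:if ([/ip neighbor discovery-settings get discover-interface-list] != "none") do={
  :log warning "audit: neighbor discovery enabled on list $[/ip neighbor discovery-settings get discover-interface-list]"
  :set findings ($findings + 1)
}

# Auxiliary services and protocol settings
:if ([/tool bandwidth-server get enabled]) do={
  :log warning "audit: bandwidth server is enabled"
  :set findings ($findings + 1)
}
:if ([/ip dns get allow-remote-requests]) do={
  :log warning "audit: DNS answers remote requests"
  :set findings ($findings + 1)
}
:if (![/ip ssh get strong-crypto]) do={
  :log warning "audit: SSH strong-crypto is off"
  :set findings ($findings + 1)
}
:if ([/ip proxy get enabled]) do={
  :log warning "audit: HTTP proxy is enabled"
  :set findings ($findings + 1)
}
:if ([/ip socks get enabled]) do={
  :log warning "audit: SOCKS proxy is enabled"
  :set findings ($findings + 1)
}
:if ([/ip upnp get enabled]) do={
  :log warning "audit: UPnP is enabled"
  :set findings ($findings + 1)
}
:if ([/ip cloud get ddns-enabled]) do={
  :log warning "audit: IP cloud DDNS is enabled"
  :set findings ($findings + 1)
}

:if ($findings = 0) do={
  :log info "audit: no findings, hardening state intact"
} else={
  :log warning "audit: $findings finding(s), review /log"
}
```

Run it from /system scheduler (for example daily) so that drift from the hardened state shows up in /log rather than in an incident; the VPN server, LCD and RADIUS items from the list are not checked here because their presence depends on the model and on whether the router is meant to offer VPN at all.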