MikroTik CHR: Basic system protection

Guide for essential system protection.

First, consider this: if you leave the service ports at their defaults and do not change the default username and password as soon as possible, the chance of being compromised is enormous.

Here you will find the essential steps to protect your MikroTik CHR from intrusion.

Be careful when placing restrictive (drop) rules: it is possible to cut off your own access to the router.

Use the "Safe Mode" button whenever you are not sure what effect a change may have.

In the CLI, "Safe Mode" is enabled and disabled with the [Ctrl]+[X] key combination.

Remember to release "Safe Mode" after all changes are confirmed to be working properly; otherwise they will be reverted once you log out.

1. First and most important:

Create a new username and password with full privileges:

[admin@MikroTik] > user add group=full name=newadmini password=<strong-password>

Then delete the default "admin" user (log in as the new user first).

2. Modify the service ports so that unused services are disabled and the services you keep no longer listen on their default ports. This is very effective against bots. Use ports of your choice, but do not overlap reserved system ports.


For example:

Disable API, API-SSL, Telnet, FTP, WWW and WWW-SSL:

[admin@MikroTik] > ip service disable api,api-ssl,ftp,telnet,www,www-ssl

Change the SSH port from 22 to 22221:

[admin@MikroTik] > ip service set ssh port=22221

The WinBox port should NOT be changed, because the Windows app doesn't support specifying a destination port.

3. Add firewall filter rules.

Chain INPUT:

[admin@MikroTik] > ip firewall filter add action=accept chain=input comment="Allow ICMP ping" protocol=icmp

[admin@MikroTik] > ip firewall filter add action=accept chain=input comment="Allow WinBox" dst-port=8291 protocol=tcp

[admin@MikroTik] > ip firewall filter add action=accept chain=input comment="Allow SSH" dst-port=22221 protocol=tcp

[admin@MikroTik] > ip firewall filter add action=accept chain=input comment="Accept established connections" connection-state=established

[admin@MikroTik] > ip firewall filter add action=accept chain=input comment="Accept related connections" connection-state=related

[admin@MikroTik] > ip firewall filter add action=accept chain=input comment="Allow DNS for trusted network" dst-port=53 protocol=udp src-address=

[admin@MikroTik] > ip firewall filter add action=drop chain=input comment="Drop everything else"


Chain FORWARD: in a Cloud Hosted Router the forward chain may look very different depending on the particular use scenario, so only the invalid-connection drop is given here.

[admin@MikroTik] > ip firewall filter add action=drop chain=forward comment="Drop invalid connections" connection-state=invalid

4. Optional: for better security, you can easily restrict access to the router by accepting management connections only from the home or office IP address from which you will modify the router's configuration.

This should be done for every rule that accepts connections on a service port (SSH and WinBox).
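The whole procedure from steps 1 to 4 as one RouterOS CLI sequence, added here as an example and not part of the original article. It assumes a new user called "newadmin", the documentation address 203.0.113.10 as the home/office management IP (replace it with your own), and <strong-password> as a placeholder. The source-restriction of step 4 is done through an address list so that every service-port rule refers to one place; the established/related accept is placed first (a common ordering, differing from the article's list), and the DNS rule is omitted because its trusted network is site-specific.

```routeros
# Added example: steps 1-4 of the article as RouterOS CLI commands.
# Assumptions (not from the article): user "newadmin", management host
# 203.0.113.10 (documentation address, replace with your own), and
# <strong-password> as a placeholder for the real password.

# Step 1: create a full-privilege user, then remove the default "admin".
# Log in as the new user and confirm it works before removing "admin".
/user add name=newadmin group=full password=<strong-password>
/user remove admin

# Step 2: disable unused services and move SSH off port 22 (WinBox stays on 8291).
/ip service disable api,api-ssl,ftp,telnet,www,www-ssl
/ip service set ssh port=22221

# Step 4: keep the trusted management address in one address list.
/ip firewall address-list add list=mgmt address=203.0.113.10 comment="Home/office IP"

# Step 3 + 4: input chain, evaluated top to bottom, first match wins.
# Service-port accepts are limited to the address list; the final drop
# catches everything else. Do this inside Safe Mode so a mistake is reverted.
/ip firewall filter add chain=input action=accept connection-state=established,related comment="Accept established/related"
/ip firewall filter add chain=input action=accept protocol=icmp comment="Allow ICMP ping"
/ip firewall filter add chain=input action=accept protocol=tcp dst-port=8291 src-address-list=mgmt comment="Allow WinBox from mgmt"
/ip firewall filter add chain=input action=accept protocol=tcp dst-port=22221 src-address-list=mgmt comment="Allow SSH from mgmt"
/ip firewall filter add chain=input action=drop comment="Drop everything else"

# Forward chain: drop invalid connections; further forward rules depend on the use scenario.
/ip firewall filter add chain=forward action=drop connection-state=invalid comment="Drop invalid connections"

# Defence in depth: also bind the services themselves to the management address,
# so a later firewall mistake does not expose them on their own.
/ip service set ssh address=203.0.113.10/32
/ip service set winbox address=203.0.113.10/32
```

Paste the commands one section at a time while Safe Mode is active, and verify with "/ip firewall filter print" and "/ip service print" that the order and ports are what you expect before releasing it; the drop rule must stay last in the input chain, otherwise the accepts above it never match.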

Please note that the firewall rules above are NOT complete protection. They are only the very basic rules and should be extended or modified according to the real set-up.
