How to Block SSH Port Access to Mikrotik RouterOS Using Firewall Rules

Block SSH access by configuring firewall rules.

Understanding the security of your network is crucial, and one of the key aspects is managing access to your Mikrotik RouterOS.
Mikrotik RouterOS is a popular operating system used in networking devices, known for its flexibility and customization capabilities.
Introduction to Mikrotik RouterOS Security
Securing your Mikrotik RouterOS involves several steps, including setting up firewall rules, configuring user accounts, and ensuring that only necessary services are exposed to the internet.
This guide focuses on blocking SSH port access, a critical step in protecting your router from unauthorized access.
Understanding the Importance of Network Security
Network security is essential for protecting your data and devices from unauthorized access and malicious activities.
It involves implementing various measures to prevent, detect, and respond to security threats.
Common Security Threats to Mikrotik RouterOS
Mikrotik RouterOS, like any other networking device, is vulnerable to various security threats, including brute-force attacks, malware, and unauthorized access.
These threats can be mitigated by implementing robust security measures, such as strong passwords, firewall rules, and regular updates.
Understanding SSH and Its Risks
SSH (Secure Shell) is a protocol used for secure remote access to a network device, but if not properly secured, it can become a vulnerability.
Default or weak passwords can lead to brute-force attacks, highlighting the need for robust security measures.

Regularly scanning your network for vulnerabilities is essential to identify and fix potential entry points for attackers.
This includes checking for open ports, outdated firmware, and weak passwords on devices like your Mikrotik router.
Secure SSH Configuration Best Practices
To secure your SSH configuration, it is recommended to change the default port, use strong passwords, and limit access to specific IP addresses.
Additionally, consider implementing two-factor authentication and monitoring SSH access logs for suspicious activity.
Risks of Unsecured SSH Access
Unsecured SSH access can lead to unauthorized access to your network, allowing attackers to steal sensitive data, install malware, or take control of your devices.
Therefore, it is crucial to prioritize SSH security and implement robust measures to protect against these risks.
Configuring Firewall Rules on Mikrotik RouterOS
To block SSH port access, you need to configure the firewall rules on your Mikrotik RouterOS to reject or drop incoming connections on the SSH port (typically port 22).
This can be done through the Winbox utility or the command-line interface, depending on your preference and familiarity with the system.
| Service | Port Number | Action |
|---|---|---|
| SSH | 22 | Block/Drop |
Blocking SSH access is just one part of securing your network; consider also learning how to power WiFi router with a battery for continuous operation.
Firewall Rule Configuration Options
When configuring firewall rules, you have several options, including blocking or dropping incoming connections, redirecting traffic, and setting up NAT rules.
Understanding these options and how to apply them is crucial for effective network security.
Common Firewall Rule Mistakes
Common mistakes when configuring firewall rules include allowing unnecessary services, using overly permissive rules, and failing to regularly review and update rules.
Avoiding these mistakes requires careful planning, attention to detail, and ongoing maintenance.
Step-by-Step Guide to Blocking SSH Access
Here is a step-by-step guide to blocking SSH access on your Mikrotik RouterOS:
- Open Winbox and connect to your Mikrotik router.
- Navigate to the "IP" -> "Firewall" -> "Filter Rules" section.
- Click the "+" button to add a new rule.
- Set the "Protocol" to "tcp", "Dst. Port" to "22", and "Action" to "drop" or "reject" as per your requirement.
- Click "Apply" and then "OK" to save the changes.
Ensuring your network's security also involves choosing the right tools, such as selecting the fastest VPN for gaming to protect your data without compromising performance.
Additional Configuration Options
Additional configuration options include setting up IP addresses, configuring DNS servers, and establishing VPN connections.
These options can enhance your network's security and functionality.
Troubleshooting Common Issues
Common issues when configuring firewall rules include incorrect protocol settings, misplaced rules, and conflicting rules.
Troubleshooting these issues requires careful analysis and attention to detail.
Advanced Security Considerations
Beyond blocking SSH access, consider other security measures like changing default passwords, limiting access to specific IP addresses, and regularly updating your router's firmware.
For more complex network setups, understanding how to roteador e rede configurations can be beneficial.

Network security is an ongoing process that requires constant monitoring and updates to protect against evolving threats.
Network Segmentation and Isolation
Network segmentation and isolation involve dividing your network into smaller, isolated segments to limit the spread of malware and unauthorized access.
This approach can enhance your network's security and reduce the risk of breaches.
Regular Security Audits and Updates
Regular security audits and updates are essential for identifying and addressing potential security vulnerabilities.
This includes reviewing firewall rules, updating firmware, and monitoring network activity.
DomineTec Tip: Regularly review your firewall rules and network configuration to ensure they remain aligned with your security needs and best practices.
Implementing Port Knocking for Enhanced Security
Port knocking is an effective method to secure the SSH service by requiring a specific sequence of connection attempts to predefined ports before access is granted.
This method can be implemented on a MikroTik router by creating firewall rules that only permit SSH access after the correct knock sequence is detected.
- Define a sequence of ports to use for knocking.
- Create firewall rules that allow access to the SSH port only after the knock sequence has been successfully triggered.
Monitoring SSH Access Attempts
Monitoring is crucial for identifying unauthorized access attempts to the SSH service on a MikroTik router.
Utilizing the logging feature in RouterOS can help track and analyze connection attempts, providing insights into potential security threats.
| Log Entry Type | Description |
|---|---|
| Connection Attempt | Logs each attempt to connect to the SSH port, including successful and failed attempts. |
| Firewall Drop | Records instances where connection attempts are blocked by firewall rules. |
Rate Limiting Connection Attempts
Implementing rate limiting can prevent brute force attacks against the SSH service by limiting the number of connection attempts from a single IP address.
This can be configured in MikroTik RouterOS using the firewall mangle feature to mark connections and apply limits accordingly.
- Create a mangle rule to mark connections exceeding a defined threshold.
- Apply a connection limit to the marked connections to enforce the rate limiting.
Backup and Restore Firewall Configurations
Regular backups of firewall configurations are essential for quick recovery in case of misconfiguration or security breaches.
MikroTik RouterOS provides commands to export and import firewall settings, ensuring configurations can be restored efficiently.
- Use the command /export file=firewall_backup to create a backup of the current configuration.
- Restore the configuration using /import file=firewall_backup.rsc in case of issues.
Implementing Rate Limiting for SSH Connections
Rate limiting is a crucial measure to prevent brute-force attacks on SSH access. By configuring rate limits, the number of connection attempts from a single IP can be restricted.
To implement rate limiting on a MikroTik router, navigate to the firewall filter settings and add a new rule:
- Chain: input
- Protocol: tcp
- Dst. Port: 22
- Action: rate-limit
- Limit: 3/5s
This setup allows three connection attempts every five seconds per IP, effectively mitigating rapid successive attempts.
Logging and Monitoring SSH Access Attempts
Monitoring SSH access attempts can provide insights into potential security breaches. MikroTik allows logging of firewall actions, which can be configured to track SSH access.
To enable logging for SSH attempts, create a new firewall rule:
- Chain: input
- Protocol: tcp
- Dst. Port: 22
- Action: log
- Log Prefix: "SSH Access Attempt"
Logs can then be reviewed in the MikroTik terminal or exported to a centralized logging server for further analysis.
Utilizing Port Knocking for Enhanced Security
Port knocking is an advanced security technique that adds an additional layer of protection for SSH access. It requires the user to send a sequence of connection attempts to specific ports before the SSH port is opened.
To implement port knocking on MikroTik, configure a script that opens the SSH port only after the correct sequence of ports is accessed:
- Knock Sequence: Configure a series of closed ports.
- Script Action: Open port 22 temporarily after the sequence is successfully completed.
This method significantly reduces the risk of unauthorized access, as the SSH port remains closed until the correct sequence is executed.
Implementing IP Address Whitelisting for Enhanced Security
To further secure SSH access, implementing IP address whitelisting can be beneficial. This method restricts access to specific IP addresses, preventing unauthorized attempts to connect.
To configure this, navigate to the Firewall Filter rules in RouterOS. You can add a rule that accepts connections from trusted IPs before the general block rule.
| Action | Chain | Source Address | Protocol | Destination Port |
|---|---|---|---|---|
| Accept | Input | 192.168.1.100 | tcp | 22 |
| Drop | Input | 0.0.0.0/0 | tcp | 22 |
Replace "192.168.1.100" with the actual IP addresses that require access. This approach minimizes exposure to brute-force attacks.
Monitoring and Logging Firewall Activities
Monitoring and logging of firewall activities can provide valuable insights into unauthorized access attempts. This process aids in identifying potential vulnerabilities and adjusting configurations accordingly.
Enable logging for the firewall rules by adding a logging action to the relevant rules. This will create logs for any dropped packets, which can be viewed in the system logs.
Navigate to the 'Log' section in RouterOS and filter by the relevant firewall rule to review access attempts. Regularly reviewing these logs can help in maintaining robust network security.
- Log Level: Set to "info" for detailed entries.
- Action: Ensure that the logging action is added to the drop rule for SSH.
Consistent monitoring and analysis of logs will allow for timely responses to new threats and the opportunity to refine firewall rules based on observed traffic patterns.
Implementing Rate Limiting for SSH Access
Rate limiting can be an effective method to mitigate potential brute-force attacks on the SSH port.
By configuring the Mikrotik router to limit connection attempts, unauthorized access can be reduced significantly.
Configuration Steps
- Access the Mikrotik terminal or Winbox interface.
- Navigate to the Firewall settings using the command:
/ip firewall filter. - Add a new rule to limit SSH connection attempts:
/ip firewall filter add chain=input protocol=tcp dst-port=22 \
connection-limit=3,32 action=drop
This rule limits the number of concurrent connections to three from a single IP address.
Adjust the connection-limit parameter as necessary based on network usage patterns.
Monitoring should be conducted to ensure that legitimate users are not affected by the limits imposed.
Logging and Monitoring SSH Access Attempts
Monitoring access attempts to the SSH port provides insights into potential security threats.
By configuring logging, it is possible to keep a record of all access attempts and take necessary actions.
Configuration Steps
- Use the Mikrotik CLI or Winbox to access the router settings.
- Enable logging for the firewall rules:
/ip firewall filter add chain=input protocol=tcp dst-port=22 \
action=log log-prefix="SSH Access Attempt: "
This configuration will log every SSH access attempt to the system.
Regular review of these logs can help identify unusual access patterns or repeated attempts from specific IP addresses.
Logs can be viewed using the command: /log print.
Consider integrating log analysis tools for more advanced monitoring capabilities.
Implementing Rate Limiting on SSH Connections
Rate limiting can be an effective strategy to mitigate brute force attacks on SSH ports. By configuring limits on the number of connection attempts from a single IP address, unauthorized access can be further restricted.
The following command can be used to implement rate limiting in RouterOS:
/ip firewall filter add chain=input protocol=tcp dst-port=22 src-address-list=ssh-attempts limit=3,5 action=add-src-to-address-list address-list=ssh-attempts address-list-timeout=1h
This command allows three connection attempts within five seconds before adding the source IP to an address list for one hour. Additionally, it is advisable to monitor the address list for repeated offenders.
Regular review can help in adjusting the limit parameters based on network behavior. Comparatively, a lower limit provides enhanced security but may inconvenience legitimate users.
| Limit Configuration | Security Level | User Experience Impact |
|---|---|---|
| 3 attempts/5 seconds | High | Moderate |
| 5 attempts/10 seconds | Medium | Low |
| 10 attempts/30 seconds | Low | High |
Monitoring and Logging SSH Access Attempts
Monitoring and logging SSH access attempts can provide insights into potential security threats. Configuring RouterOS to log SSH connection attempts helps in identifying patterns of unauthorized access.
The logging parameters can be set using the following command:
/system logging add topics=firewall,debug action=memory
This command will log firewall-related events to the memory, which can be reviewed later. To ensure that SSH access attempts are specifically logged, filtering can be applied.
For effective management, you can create a script that regularly checks the logs for suspicious activities. The following example script can be implemented:
:foreach i in=[/log find message~"SSH"] do={ /log print count=$i }
This script will loop through the logs, filtering for messages that contain "SSH" and will print the count of occurrences. Continuously monitoring these logs allows for timely responses to potential threats.
Incorporating log analysis tools can enhance security posture by providing real-time alerts for unusual activity. Regular audits of SSH access logs can reveal trends and enable proactive measures.
Frequently Asked Questions
What is the default SSH port on Mikrotik RouterOS?
The default SSH port on Mikrotik RouterOS is 22, but it can be changed for added security.
Changing the default port can help reduce the risk of automated attacks targeting the standard SSH port.
How do I allow SSH access from a specific IP address?
To allow SSH access from a specific IP address, create a new firewall rule that accepts TCP connections on port 22 from that IP address.
This can be done by adding a new rule in the "IP" -> "Firewall" -> "Filter Rules" section of Winbox.
Can I block SSH access using the command-line interface?
Yes, SSH access can be blocked using the command-line interface by adding a new firewall rule with the appropriate configuration.
This method provides a more detailed level of control over the firewall configuration.
Is blocking SSH access enough to secure my Mikrotik router?
No, blocking SSH access is just one aspect of securing your Mikrotik router; a comprehensive security approach includes updating firmware, securing user accounts, and monitoring network activity.
A thorough security audit and regular updates are necessary to protect against various threats.
How often should I review my firewall rules?
Firewall rules should be reviewed regularly, ideally every few months, to ensure they are up to date and aligned with current security best practices.
Regular reviews help in identifying and addressing any potential security vulnerabilities.
What are the consequences of not securing my Mikrotik router?
Not securing your Mikrotik router can lead to unauthorized access, data breaches, and malware infections, compromising your network's integrity and security.
Therefore, it is essential to prioritize router security and implement robust measures to protect against these risks.
Liked it? Share!




