How to Secure and Change the Default SSH Port in Mikrotik RouterOS Settings

Changing the default SSH port in MikroTik RouterOS enhances security by reducing exposure to automated attacks.

Understanding the Importance of SSH Security
SSH (Secure Shell) is a network protocol that allows secure communication over an unsecured network.
By default, SSH operates on port 22, making it a prime target for attackers using automated scripts to find vulnerable systems.
Changing the default port helps in obscuring the service and can significantly reduce brute force attacks and unauthorized access attempts.
Steps to Secure Your MikroTik RouterOS SSH Configuration
Securing the SSH configuration requires a series of steps to ensure that the router remains safe from potential threats.
Follow the steps below for changing the SSH port in MikroTik RouterOS.
- Connect to your MikroTik router using Winbox or SSH.
- Navigate to the IP menu and select Services.
- Locate the SSH service in the list.
- Change the Port from 22 to a custom port (e.g., 2222).
- Apply the changes and save the configuration.

Configuring Firewall Rules to Enhance Security
After changing the port, it is important to configure firewall rules to allow traffic on the new port.
This step ensures that only authorized users can access the SSH service.
- Access the Firewall settings under the IP menu.
- Select the Filter Rules tab and add a new rule.
- Set the chain to Input and protocol to TCP.
- Specify the new SSH port in the Dst. Port field.
- Set the action to Accept to allow access.
Verifying the Changes
Once the SSH port has been changed and firewall rules configured, verification is necessary.
Using an SSH client, attempt to connect to the new port to confirm that the configuration is successful.
For example, if the new port is 2222, the command would look like this: ssh user@your-router-ip -p 2222.
Successful connection indicates that the changes have been applied correctly.
Considerations When Changing the SSH Port
While changing the SSH port is an effective measure, there are additional considerations to keep in mind.
It is advisable to maintain a backup of the previous configuration to ensure recovery in case of issues.
Additionally, informing authorized users about the new port is crucial to avoid connection problems.
Technical Specifications Comparison Table
| Feature | Default SSH Port (22) | Custom SSH Port (e.g., 2222) |
|---|---|---|
| Security Level | Higher exposure to attacks | Reduced exposure to automated attacks |
| Ease of Access | Standard for most users | Requires communication of new port |
| Firewall Configuration | No additional rules needed | New rules required to allow access |
| Compatibility | Universally standard | May require adjustments on client-side |
| Risk of Brute Force | Higher risk | Lower risk |
DomineTec Tip: Consider using additional security measures such as key-based authentication and disabling password login for SSH.
Conclusion
Securing the SSH port in MikroTik RouterOS is a critical step in safeguarding network infrastructure.
Regularly monitoring logs and adjusting configurations based on observed activity can further enhance security efforts.
Understanding SSH Protocol and Security Implications
SSH (Secure Shell) is a cryptographic network protocol that facilitates secure data communication, remote command-line login, and other secure network services. Changing the default SSH port enhances security by reducing exposure to automated attacks that typically target port 22.
Checking Current SSH Settings
To review current SSH settings on a MikroTik router, access the terminal and execute the command /ip service print. This command displays the list of services, including SSH, and their respective port numbers.
Configuring Firewall Rules for Custom SSH Port
After changing the SSH port, it is essential to create firewall rules to allow traffic on the new port. Use the command /ip firewall filter add chain=input protocol=tcp dst-port= to permit access.
Testing the SSH Connection
To verify that the new SSH port is functioning correctly, attempt to connect using an SSH client with the command ssh -p . Ensure that the connection is established successfully without errors.
Monitoring SSH Access Logs
Monitoring access logs can provide insights into unauthorized access attempts. Utilize the command /log print where message~"ssh" to filter and review SSH-related log entries.
Implementing Further Security Measures
For enhanced security, consider implementing key-based authentication instead of password-based login. This adds an extra layer of protection, making unauthorized access significantly more difficult.
Understanding SSH Security Protocols
SSH, or Secure Shell, employs cryptographic techniques to ensure secure data transmission over an unsecured network. Utilizing key-based authentication significantly enhances security compared to traditional password methods.
Configuring Firewall Rules for SSH Access
To restrict access to the new SSH port, specific firewall rules must be established. Use the command: /ip firewall filter add chain=input protocol=tcp dst-port= to allow traffic on the designated port.
Setting Up Fail2Ban for SSH Protection
Fail2Ban can be integrated with RouterOS to monitor SSH login attempts and block malicious IP addresses. Configuration requires custom scripts that trigger on repeated failed login attempts.
Monitoring SSH Access Logs
Regularly monitoring SSH access logs is crucial for identifying unauthorized access attempts. Use the command: /log print where message~"ssh" to filter and review SSH-related log entries.
Implementing Two-Factor Authentication
Two-factor authentication adds an extra layer of security to SSH access by requiring a second form of verification. This can be configured using external authentication services that support RADIUS or TACACS+ protocols.
Understanding SSH Protocol and Security Implications
SSH (Secure Shell) is a cryptographic network protocol that enables secure communications over unsecured networks, commonly used for remote management of network devices.
Changing the default port from 22 to a non-standard port can significantly reduce the likelihood of automated attacks and unauthorized access attempts.
Steps to Change the SSH Port in RouterOS
Access the RouterOS terminal or Winbox, navigate to the 'IP' menu, and select 'Services' to view the list of services running on the router.
Use the command ip service set ssh port=your_custom_port to change the default SSH port to a preferred number between 1024 and 65535.
Configuring Firewall Rules for Secure Access
After changing the SSH port, it is essential to update the firewall rules to allow traffic through the new port while blocking the default port to enhance security.
Use the command ip firewall filter add chain=input protocol=tcp dst-port=your_custom_port action=accept to permit access, followed by ip firewall filter add chain=input protocol=tcp dst-port=22 action=drop to block the old port.
Monitoring SSH Access and Logs
To ensure that the SSH access is secure, regularly review the logs by using the command log print or navigating to the 'Log' section in Winbox.
Set up logging specifically for SSH by adding a rule in the logging settings to capture any unauthorized access attempts for further analysis.
Best Practices for Enhancing SSH Security
Implement public key authentication instead of password authentication to increase security, as it is less susceptible to brute-force attacks.
Additionally, consider configuring fail2ban or similar mechanisms to automatically block IPs that exhibit suspicious behaviors such as multiple failed login attempts.
Understanding SSH Port Configuration in RouterOS
SSH (Secure Shell) is a protocol that enables secure remote administration of network devices, including Mikrotik routers. Configuring and changing the default SSH port is a crucial step in enhancing the security posture of network infrastructure.
By default, Mikrotik RouterOS listens for SSH connections on port 22. This default setting is well-known among potential attackers, making it a prime target for unauthorized access attempts. Changing the default port can help mitigate the risk of automated attacks and port scanning.
To change the SSH port in Mikrotik RouterOS, the user must access the terminal interface. The command to change the SSH port is as follows: /ip service set ssh port=. It is essential to choose a port number outside the well-known range (1-1024) to avoid conflicts with other services.
After executing the port change command, it is crucial to verify that the SSH service is still operational. This can be done by using the command /ip service print, which displays the current configuration of all services, including the updated SSH port. If the new port is not listed, further troubleshooting will be required to ensure the command was executed correctly.
Best Practices for Securing SSH Access on Mikrotik Routers
Securing SSH access involves not only changing the default port but also implementing additional security measures. One of the best practices is to use strong, complex passwords or, even better, SSH key authentication, which avoids password-related vulnerabilities altogether.
To implement SSH key authentication, a public-private key pair is required. The public key needs to be added to the Mikrotik router using the command: /user ssh-keys import public-key-file=. This ensures that only users with the corresponding private key can access the router via SSH.
Another essential security measure is to restrict SSH access to specific IP addresses or address ranges. This can be accomplished by using firewall rules that allow SSH connections only from trusted sources. The command for adding such a rule would be: /ip firewall filter add chain=input protocol=tcp dst-port=.
Monitoring SSH access logs is also crucial for identifying potential unauthorized attempts to access the router. The command /log print can be used to view logs and identify any suspicious activity. Regular audits of these logs can help in detecting patterns that may indicate a security breach.
Understanding the Implications of Changing the SSH Port
Changing the default SSH port on Mikrotik RouterOS can significantly enhance security by reducing the risk of automated attacks targeting the standard port 22.
However, it is essential to understand the implications of this change, as it may affect connectivity and accessibility for legitimate users.
When the SSH port is altered, all users must be informed about the new port number to ensure seamless access to the router for management and configuration tasks.
Failure to communicate this change can lead to confusion and connectivity issues, as users attempting to connect via the previous default port will be unable to establish a session.
Furthermore, it is crucial to examine firewall rules in Mikrotik RouterOS after changing the SSH port.
Default firewall configurations may restrict access to the new port unless explicitly allowed, which could inadvertently block legitimate SSH traffic.
To verify connectivity, the firewall rules should be reviewed using the command:
/ip firewall filter print
This command displays the current filter rules, enabling administrators to identify whether the new SSH port is permitted.
In addition to firewall configurations, verifying that any network address translation (NAT) settings accommodate the new SSH port is vital.
NAT rules must be adjusted to ensure that incoming connections on the new port are correctly forwarded to the router's internal IP address.
To modify NAT rules, the command:
/ip firewall nat print
can be utilized to display existing NAT configurations.
Lastly, it is advisable to test the new SSH configuration from an external source before finalizing the changes.
This testing can be accomplished by attempting to connect to the router using the new port number:
ssh admin@-p
Successful connection confirms that the port change was implemented correctly and that firewall and NAT settings are properly configured.
Implementing Additional Security Measures Alongside SSH Port Change
Alongside changing the SSH port, implementing additional security measures can further enhance the protection of Mikrotik RouterOS devices.
One effective strategy is to utilize public key authentication instead of password-based logins, which significantly reduces the risk of brute force attacks.
To enable key-based authentication, the public key must be generated on the client machine using a command like:
ssh-keygen -t rsa -b 2048
Once generated, the public key should be copied to the Mikrotik Router using the command:
/user ssh-keys import public-key-file=
Another critical aspect of securing SSH access is implementing fail2ban or similar mechanisms that monitor login attempts and block IP addresses after a certain number of failed attempts.
Although Mikrotik RouterOS does not natively support fail2ban, scripts can be written to check for failed login attempts and automate the banning of offending IP addresses.
For example, a script can be created to log failed access attempts and subsequently add a corresponding firewall rule to drop packets from those sources.
This proactive approach minimizes the risk of unauthorized access by systematically reducing exposure to repeated attack vectors.
Additionally, configuring a time-based access control list can greatly enhance security by limiting SSH access to specific hours when administrative tasks are performed.
This can be accomplished using the scheduler feature of Mikrotik RouterOS, which allows for rules to be activated or deactivated based on time.
By creating a script to enable SSH during designated hours and disabling it during off-hours, unauthorized access attempts outside of these times can be effectively mitigated.
Lastly, regularly auditing and updating the Mikrotik RouterOS firmware is crucial for maintaining security.
Firmware updates often include patches for vulnerabilities that could otherwise be exploited by attackers.
To check the current version and available updates, the command:
/system package update check-for-updates
can be utilized, ensuring that the router is always running the latest, most secure version of RouterOS.
Frequently Asked Questions
What is the default SSH port for MikroTik RouterOS?
The default SSH port for MikroTik RouterOS is port 22, which is commonly targeted by attackers.
Why change the default SSH port?
Changing the default port reduces the likelihood of automated attacks and improves overall security.
How do I connect to my MikroTik router after changing the SSH port?
Use an SSH client and specify the new port with the command: ssh user@your-router-ip -p new-port.
What additional security measures can be implemented?
Besides changing the SSH port, enabling key-based authentication and disabling root login are effective security measures.
Can I revert to the default SSH port?
Yes, the SSH port can be changed back to the default value in the MikroTik settings if necessary.
Liked it? Share!




