Apologies if this has been asked before, my search foo seems to be failing me if it has; is there a way to completely disable all BTH functionality? The wiki suggests that this was possible in the recent past, but has since been changed without updating the documentation;
As far as I can tell, it should be off because we do not use BTH;
ddns-enabled: auto
ddns-update-interval: none
update-time: no
back-to-home-vpn: revoked-and-disabled
But it still phones home with four packets every 15 minutes or so? We would like to turn it off completely, as there will never be a need for this functionality, update notifications happen out of band, and so forth.
Check wireguard interfaces with bth name, firewall rules with same comment, nat rule masquerade with same comment, ip addresses with same comment.
And also interface lists (lan) .
The simplest way - export to text config and ctrl+f ‘back’.
There are none. This is a clean install, set up for a specific purpose after a /system reset-configuration no-defaults=yes skip-backup=yes, and we have already reviewed the complete configuration before posting this.
It looks like ‘time-zone-autodetect’ defaults to ‘yes’, though, even with UTC set, and a working NTP client. I’ll turn that off, see if that resolves the issue.
It looks like adding ‘time-zone-autodetect=no’ does resolve the issue;
/system clock set time-zone-autodetect=no time-zone-name=UTC
Less than ideal to have to turn stuff off instead of on, especially when it is apparently not controlled by a single switch, and the documentation suggests that it is off by default, but hey, sorted. Hopefully it’ll make it a bit easier for the next person who comes along.
You’re not wrong that disabling services is actually spread all over the place. And docs help.mikrotik.com is equally spread all over the place.
They only list a few things under Securing Your Router, not ALL these type of router-based traffic. And another page list all the features list all the feature, it doesn’t have link to pages or ports to even cross-reference.
The prime example be https://help.mikrotik.com/docs/spaces/ROS/pages/328229/IP+Services (in addition to not mentioning time-zone-autodetect=) does not get any coverage in the “Securing Your Router” page but that’s where the router listening port are configured, and while default firewall protects them from WAN. While these won’t send traffic without request, if you’re trying to “secure” your router, closing unused port is typically one of the top things.
While, there is logic in separating out /ip/cloud’s update-time=no from time-zone-autodetect=no - they are different things. Now I think time-zone-autodetect=no and UTC should be default, for other reasons - but I’m sure most folks are used to devices automatically showing the correct time, as there is always a “both sides” to these things.
My hardening diff is below. This is the first thing I do after I create new user with strong password and delete admin. Some settings match defaults, but I still save them in my config in case defaults change.
/interface list add name=neighbor-discovery
/interface list add name=mac-server
/ip smb set enabled=no
/ip neighbor discovery-settings set discover-interface-list=neighbor-discovery
/ip cloud set ddns-enabled=no update-time=no
/ip dns set allow-remote-requests=no
/ip proxy set enabled=no
/ip service set telnet disabled=yes
/ip service set ftp disabled=yes
/ip service set www disabled=yes
/ip service set ssh disabled=no port=X
/ip service set www-ssl disabled=yes
/ip service set api disabled=yes
/ip service set winbox disabled=yes
/ip service set api-ssl disabled=yes
/ip socks set enabled=no
/ip ssh set allow-none-crypto=no always-allow-password-login=no forwarding-enabled=no strong-crypto=yes
/ip upnp set enabled=no
/tool bandwidth-server set enabled=no
/tool mac-server set allowed-interface-list=mac-server
/tool mac-server mac-winbox set allowed-interface-list=mac-server
/tool mac-server ping set enabled=no
/tool romon set enabled=no