If I’m understanding what I’ve read correctly, what’s listed under IP>Services is a set of ports that the router listens on to provide access to various services to the outside world.
Unless and/or until I decide I will be using any of these (e.g., ftp or ssh), is it OK to disable these services? Or, rather, does leaving them open present any unnecessary security risk?
I’m pretty sure 80 has to stay open, right? But telnet doesn’t. (Do people still use telnet over ssh?) But if I’m not SSH-ing to any of my local computers, there’s no reason for me to leave that port open, right?
The services run locally on the firewall, i.e., the SSH service allows you to SSH into the router itself. Disabling it will prevent you from using SSH to access the router.
Be careful when disabling services. I’d use safe mode.
I personally don't use SSH and Telnet, so I disable them. I don't use FTP, because I have a server connected to the RB, and the FTP server is there. I also disable WWW access, because many people are connected to my network, and I don't want them to have access to the RB admin panel. So I use only the API (to connect to my RB via the MikroTik Android app) and Winbox access, to configure things from my PC.
So, conclusion! If you don't use some services, you CAN disable them, to avoid unauthorized access to your RB.
You can disable the services or leave them on; it's up to you as netadmin. However, to reduce security risk, if you leave certain services on, you can add an address or segment from which you can access your router, so let's say that you minimized the risk of attack.
I personally prefer to enable the service when it is needed. You probably have an Android smartphone. Install the MikroTik Android app, and enable the service before use. After finishing your work, turn off the service again. It's simple.
But, OK. This is just for my home router/AP. I don’t have much use for the SSH terminal yet, but for the winbox and www accesses, I could use the “Available From” setting and use my internal address range, right? And then that would allow me to access it from my LAN, while keeping everyone else out?
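The two measures discussed in this thread (disabling unused services, and limiting the remaining ones with "Available From"), written as RouterOS terminal commands. This is an added example, not part of any post; the subnet 192.168.88.0/24 and the choice of which services to keep are assumptions to adjust to your own network.

```routeros
# Added example. 192.168.88.0/24 is an assumed LAN subnet; substitute your own.
# Press Ctrl+X in the terminal first to enter safe mode, so the changes
# are rolled back if this session is cut off by a mistake.

# Show every service, its port, and its current address restriction.
# An "X" flag marks a service that is already disabled.
/ip service print

# Disable the services that are not in use (assumed list; leave out any
# you rely on, e.g. api if you manage the router from the mobile app).
/ip service disable telnet,ftp,ssh,api,api-ssl

# Keep WinBox and the web interface, but accept connections only from
# the LAN. "address" is the CLI name of the "Available From" field.
/ip service set winbox address=192.168.88.0/24
/ip service set www address=192.168.88.0/24

# Confirm the result, then press Ctrl+X again to leave safe mode and
# keep the changes.
/ip service print
```

An empty `address` value means the service accepts connections from any source address, so check the ADDRESS column for every service that is left enabled.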