We have several routers in the field at this point that we access from our office. We have 8291 open and can access these no problem. We use a good 8 character password currently.
What do you guys do to secure this more? Should we use a stronger password? Changing the port? Can I specify specific hosts that have access?
What do you guys do, or do you leave it open with a strong password?
You can use simple port knocking to open the access and protect against others. Or you can use some kind of tunnelling and allow access only from devices within the tunnel.
Port knocking is quite easy. You need two rules: one that allows access only from the IP addresses listed in an address list, and a second rule that adds an address to the address list when there is an attempt to access some port with the TCP protocol from that address.
Then you use your browser to access http://wan.ip.address.com:65432/. It will not do anything, but it will add your source IP to the allowed address list.
After that you will be allowed to access the winbox port from that source address.
Of course you must not disclose the knocking port… .
If you are really paranoid, you can use a cascade of ports to knock. The first will allow knocking on the second, the second will allow knocking on the third… and the last will open winbox.
It also has some disadvantages. For example, if you are somewhere behind NAT and share the same public IP with other users, you open access for them as well. But you can use a very short opening window, for example one minute, by setting the address list timeout, so nobody will be able to access winbox from the same address after one minute has passed since your port knock, even though your session will still be open (because you have a rule that accepts related and established connections, so once you are logged into winbox you do not need to have the port opened any further).
By tunnel I mean some kind of VPN. There are many tunnel types you can use with RouterOS.
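The rules described in the answer above, written out as a RouterOS firewall configuration. This is an added example, not configuration posted by anyone in the thread. It assumes the WAN interface is called ether1, uses the knock port 65432 mentioned in the post, and uses made-up list names (winbox_allowed, knock1) and made-up cascade ports (1111, 2222); change these to suit your setup. Rule order in /ip firewall filter matters, so the established/related rule goes first and the drop rule last.

```routeros
/ip firewall filter

# 1. Keep already-open sessions working after the knock entry expires.
#    This is why a one-minute address-list timeout does not cut off
#    your winbox session: only new connections are checked against the list.
add chain=input connection-state=established,related action=accept \
    comment="accept established/related"

# 2. Single-stage knock: a TCP connection attempt to port 65432 from the WAN
#    side puts the source address in 'winbox_allowed' for one minute.
#    add-src-to-address-list does not accept the packet, so the browser
#    request itself goes nowhere (it falls through to the drop below).
add chain=input protocol=tcp dst-port=65432 in-interface=ether1 \
    action=add-src-to-address-list address-list=winbox_allowed \
    address-list-timeout=1m comment="port knock -> winbox_allowed (1m)"

# 3. Allow winbox (8291) only from addresses that knocked recently.
add chain=input protocol=tcp dst-port=8291 src-address-list=winbox_allowed \
    action=accept comment="winbox from knocked hosts"

# 4. Drop every other winbox attempt arriving from the WAN.
add chain=input protocol=tcp dst-port=8291 in-interface=ether1 \
    action=drop comment="drop winbox from WAN"

# --- Optional two-stage cascade (replaces rule 2 above) ---------------------
# Knocking on 1111 (assumed port) grants 15 seconds to knock on 2222 (assumed);
# only a knock on 2222 from an address already in 'knock1' opens winbox.
# Stray scans that hit 2222 without first hitting 1111 add nothing.
# add chain=input protocol=tcp dst-port=1111 in-interface=ether1 \
#     action=add-src-to-address-list address-list=knock1 \
#     address-list-timeout=15s comment="knock stage 1"
# add chain=input protocol=tcp dst-port=2222 in-interface=ether1 \
#     src-address-list=knock1 action=add-src-to-address-list \
#     address-list=winbox_allowed address-list-timeout=1m \
#     comment="knock stage 2 -> winbox_allowed (1m)"
```

To check it from the office, run `/ip firewall address-list print` on the router right after opening http://wan.ip.address.com:65432/ in a browser: your public address should appear in winbox_allowed with a timeout counting down from one minute, and it should be gone (while your winbox session stays connected) once the minute has passed. Because the knock port is never accepted, the browser shows a timeout or connection error; that is expected. If the office shares its public IP with others behind NAT, the short timeout is the only thing limiting their access during that window, which is the trade-off the answer points out, and a VPN avoids the issue entirely.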