Network Devices

Secure MikroTik RouterOS with cnspec

Scan MikroTik RouterOS routers and switches against security and compliance best practices with cnspec.

Scan your MikroTik RouterOS devices to find security risks before they become incidents. cnspec connects through the RouterOS API and evaluates the RouterOS version, exposed management services, user accounts, firewall and NAT rules, NTP and SNMP settings, and dozens of other controls, without installing anything on the device.

MikroTik RouterOS is one of the network devices cnspec can assess. For the full list of supported devices, see the network device scanning overview. New to cnspec? Start with the quickstart.

Prerequisites

To scan a MikroTik RouterOS device with cnspec, you must have:

  • cnspec installed on your workstation
  • Network access to the RouterOS API service (TCP port 8728, or 8729 for API-SSL)
  • A RouterOS user account with permission to read the configuration through the API

Give cnspec access to your RouterOS device

cnspec connects to RouterOS through the RouterOS API. You need to enable the API service and provide a user account that is allowed to read the configuration.

API setup instructions

Enable the API service

The API service must be reachable for cnspec to connect. From a RouterOS terminal, enable the api service (plaintext, port 8728) or the api-ssl service (TLS, port 8729):

/ip service enable api

To use an encrypted connection instead, enable API-SSL and assign a certificate:

/ip service enable api-ssl
/ip service set api-ssl certificate=YOUR_CERT

Create a user for scanning

Create a dedicated user with read-only access for cnspec. The group must include the api and read policies:

/user group add name=cnspec policy=read,api,winbox,test
/user add name=cnspec group=cnspec password=YOUR_PASSWORD

For more information, see the RouterOS user management documentation.

Test your connection

Before running a full scan, verify that cnspec can connect by opening a cnspec shell. For DEVICE_IP, substitute the hostname or IP address of the device, and for USER, substitute your RouterOS user name:

cnspec shell mikrotik USER@DEVICE_IP --ask-pass

Provide the password when prompted. To connect over the encrypted API-SSL service:

cnspec shell mikrotik USER@DEVICE_IP --tls --ask-pass

If cnspec connects successfully and shows a prompt, you're ready to scan.

Connection options

OptionDescription
--password, -pPassword for the RouterOS user
--ask-passPrompt for the connection password
--portRouterOS API port (default: 8728, or 8729 with --tls)
--tlsConnect using the RouterOS API-SSL service
--insecure, -kSkip TLS certificate verification (used with --tls)

Scan RouterOS devices

To scan a RouterOS device, use the cnspec scan command. For DEVICE_IP, substitute the hostname or IP address of the device, and for USER, substitute your RouterOS user name:

cnspec scan mikrotik USER@DEVICE_IP --ask-pass

To connect over the encrypted API-SSL service:

cnspec scan mikrotik USER@DEVICE_IP --tls --ask-pass

To skip TLS certificate verification when using API-SSL with a self-signed certificate:

cnspec scan mikrotik USER@DEVICE_IP --tls --ask-pass --insecure

When the scan completes, cnspec prints a pass or fail result for each check and an overall risk score. To output results in other formats such as JSON, JUnit, or SARIF, read Report Results.

Scan with the Mondoo MikroTik RouterOS Security policy

Mondoo maintains an out of the box MikroTik RouterOS Security policy that checks the RouterOS version, exposed management services, user accounts, firewall and NAT rules, NTP and SNMP settings, and more.

Mondoo Platform users: Enable the policy in your space. In the Mondoo App, go to Findings > Policies, search for "MikroTik", and add the policy. All future scans of your RouterOS devices automatically evaluate against it. To learn more, read Manage policies in Mondoo Platform.

Open source users: Pass the policy bundle URL directly to cnspec:

cnspec scan mikrotik USER@DEVICE_IP --ask-pass \
  --policy-bundle https://raw.githubusercontent.com/mondoohq/cnspec/refs/heads/main/content/mondoo-mikrotik-security.mql.yaml

You can also create your own policies to enforce your organization's RouterOS hardening standards.

The example checks below show the kind of controls you can express in a policy.

Explore and test checks interactively

You can interactively explore resources and test checks using the cnspec shell. To open a shell connected to your RouterOS device:

cnspec shell mikrotik USER@DEVICE_IP --ask-pass

Below are some example queries and checks you can run from the shell.

Retrieve system information

cnspec> mikrotik.system { identity version boardName }
mikrotik.system: {
  identity: "MikroTik"
  version: "7.15.3"
  boardName: "RB5009UG+S+"
}

List exposed management services

cnspec> mikrotik.services { name port disabled }

List local user accounts and their groups

cnspec> mikrotik.users { name group disabled }

List firewall filter rules

cnspec> mikrotik.firewallRules { chain action disabled }

Example security checks

Ensure insecure management services are disabled

cnspec> mikrotik.services.where(name == /telnet|ftp|www$/).all(disabled == true)
[ok] value: true

Ensure the API-SSL service is preferred over plaintext API

cnspec> mikrotik.services.where(name == "api").all(disabled == true)
[ok] value: true

Ensure NTP time synchronization is enabled

cnspec> mikrotik.ntpClient.enabled == true
[ok] value: true

Ensure full-access accounts are restricted to specific addresses

cnspec> mikrotik.users.where(group == "full" && disabled == false).all(address != "")
[ok] value: true

Ensure SNMP is disabled

cnspec> mikrotik.snmp.enabled == false
[ok] value: false

Ensure the firewall input chain has a default drop rule

cnspec> mikrotik.firewallRules.where(chain == "input").any(action == "drop")
[ok] value: true

Learn more

On this page