Secure MikroTik RouterOS with cnspec
Scan MikroTik RouterOS routers and switches against security and compliance best practices with cnspec.
Scan your MikroTik RouterOS devices to find security risks before they become incidents. cnspec connects through the RouterOS API and evaluates the RouterOS version, exposed management services, user accounts, firewall and NAT rules, NTP and SNMP settings, and dozens of other controls, without installing anything on the device.
MikroTik RouterOS is one of the network devices cnspec can assess. For the full list of supported devices, see the network device scanning overview. New to cnspec? Start with the quickstart.
Prerequisites
To scan a MikroTik RouterOS device with cnspec, you must have:
- cnspec installed on your workstation
- Network access to the RouterOS API service (TCP port 8728, or 8729 for API-SSL)
- A RouterOS user account with permission to read the configuration through the API
Give cnspec access to your RouterOS device
cnspec connects to RouterOS through the RouterOS API. You need to enable the API service and provide a user account that is allowed to read the configuration.
API setup instructions
Enable the API service
The API service must be reachable for cnspec to connect. From a RouterOS terminal, enable the api service (plaintext, port 8728) or the api-ssl service (TLS, port 8729):
/ip service enable apiTo use an encrypted connection instead, enable API-SSL and assign a certificate:
/ip service enable api-ssl
/ip service set api-ssl certificate=YOUR_CERTCreate a user for scanning
Create a dedicated user with read-only access for cnspec. The group must include the api and read policies:
/user group add name=cnspec policy=read,api,winbox,test
/user add name=cnspec group=cnspec password=YOUR_PASSWORDFor more information, see the RouterOS user management documentation.
Test your connection
Before running a full scan, verify that cnspec can connect by opening a cnspec shell. For DEVICE_IP, substitute the hostname or IP address of the device, and for USER, substitute your RouterOS user name:
cnspec shell mikrotik USER@DEVICE_IP --ask-passProvide the password when prompted. To connect over the encrypted API-SSL service:
cnspec shell mikrotik USER@DEVICE_IP --tls --ask-passIf cnspec connects successfully and shows a prompt, you're ready to scan.
Connection options
| Option | Description |
|---|---|
--password, -p | Password for the RouterOS user |
--ask-pass | Prompt for the connection password |
--port | RouterOS API port (default: 8728, or 8729 with --tls) |
--tls | Connect using the RouterOS API-SSL service |
--insecure, -k | Skip TLS certificate verification (used with --tls) |
Scan RouterOS devices
To scan a RouterOS device, use the cnspec scan command. For DEVICE_IP, substitute the hostname or IP address of the device, and for USER, substitute your RouterOS user name:
cnspec scan mikrotik USER@DEVICE_IP --ask-passTo connect over the encrypted API-SSL service:
cnspec scan mikrotik USER@DEVICE_IP --tls --ask-passTo skip TLS certificate verification when using API-SSL with a self-signed certificate:
cnspec scan mikrotik USER@DEVICE_IP --tls --ask-pass --insecureWhen the scan completes, cnspec prints a pass or fail result for each check and an overall risk score. To output results in other formats such as JSON, JUnit, or SARIF, read Report Results.
Scan with the Mondoo MikroTik RouterOS Security policy
Mondoo maintains an out of the box MikroTik RouterOS Security policy that checks the RouterOS version, exposed management services, user accounts, firewall and NAT rules, NTP and SNMP settings, and more.
Mondoo Platform users: Enable the policy in your space. In the Mondoo App, go to Findings > Policies, search for "MikroTik", and add the policy. All future scans of your RouterOS devices automatically evaluate against it. To learn more, read Manage policies in Mondoo Platform.
Open source users: Pass the policy bundle URL directly to cnspec:
cnspec scan mikrotik USER@DEVICE_IP --ask-pass \
--policy-bundle https://raw.githubusercontent.com/mondoohq/cnspec/refs/heads/main/content/mondoo-mikrotik-security.mql.yamlYou can also create your own policies to enforce your organization's RouterOS hardening standards.
The example checks below show the kind of controls you can express in a policy.
Explore and test checks interactively
You can interactively explore resources and test checks using the cnspec shell. To open a shell connected to your RouterOS device:
cnspec shell mikrotik USER@DEVICE_IP --ask-passBelow are some example queries and checks you can run from the shell.
Retrieve system information
cnspec> mikrotik.system { identity version boardName }
mikrotik.system: {
identity: "MikroTik"
version: "7.15.3"
boardName: "RB5009UG+S+"
}List exposed management services
cnspec> mikrotik.services { name port disabled }List local user accounts and their groups
cnspec> mikrotik.users { name group disabled }List firewall filter rules
cnspec> mikrotik.firewallRules { chain action disabled }Example security checks
Ensure insecure management services are disabled
cnspec> mikrotik.services.where(name == /telnet|ftp|www$/).all(disabled == true)
[ok] value: trueEnsure the API-SSL service is preferred over plaintext API
cnspec> mikrotik.services.where(name == "api").all(disabled == true)
[ok] value: trueEnsure NTP time synchronization is enabled
cnspec> mikrotik.ntpClient.enabled == true
[ok] value: trueEnsure full-access accounts are restricted to specific addresses
cnspec> mikrotik.users.where(group == "full" && disabled == false).all(address != "")
[ok] value: trueEnsure SNMP is disabled
cnspec> mikrotik.snmp.enabled == false
[ok] value: falseEnsure the firewall input chain has a default drop rule
cnspec> mikrotik.firewallRules.where(chain == "input").any(action == "drop")
[ok] value: trueLearn more
-
To learn about all the RouterOS resources and properties you can query, read the MikroTik Resource Pack Reference.
-
To learn more about how the MQL query language works, read Write Effective MQL.
-
For more information about RouterOS, see the MikroTik documentation.