tikinit
Intro
A MikroTik script that initializes out-of-the-box MikroTik devices into something more secure and usable.
The script:
- disables fast-path
- sets package update channel to "long-term"
- updates the packages and firmware
- adds NTP servers
- sets SSH server settings to more secure ones (strong crypto, no passwords if an SSH key is present, etc.)
- adds local users with SSH public keys and either fixed passwords or completely random passwords
- creates a self-signed certificate
- disables insecure or unneeded services
- enables WebFig over SSL with the created certificate
Prerequisites
- A new or freshly reset MikroTik
- Working internet connection
- Updated user table in script. The format is "username";"password";"ssh public key"
- SSH key must be either RSA or DSA. Tested with RSA only
- If the password is set to "random", a random password will be generated for this user, enabling SSH with the public key
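A pre-flight check for the user table described above, added here as an example and not part of the tikinit script: it parses each entry in the "username";"password";"ssh public key" form and confirms that the key body really is RSA or DSA. It assumes one entry per line and requires a non-empty password and key; sample_key builds a constructed, non-usable key for demonstration.

```python
import base64
import binascii
import re
import struct

ENTRY = re.compile(r'^"([^"]*)";"([^"]*)";"([^"]*)"$')
ALLOWED = {"ssh-rsa", "ssh-dss"}  # RSA or DSA, per the prerequisites


def sample_key(alg):
    """Constructed sample: correct wire-format header, dummy body (not a usable key)."""
    blob = struct.pack(">I", len(alg)) + alg.encode() + b"\x00" * 32
    return f"{alg} {base64.b64encode(blob).decode()} ops@example"


def key_algorithm(pubkey):
    """Return the algorithm name stored inside the key blob; ValueError if malformed."""
    parts = pubkey.split()
    if len(parts) < 2:
        raise ValueError("key must be '<type> <base64> [comment]'")
    try:
        blob = base64.b64decode(parts[1], validate=True)
    except binascii.Error:
        raise ValueError("key body is not valid base64")
    if len(blob) < 4:
        raise ValueError("key body is truncated")
    (n,) = struct.unpack(">I", blob[:4])  # length prefix of the algorithm name
    name = blob[4:4 + n]
    if len(name) != n or name.decode("ascii", "replace") != parts[0]:
        raise ValueError("declared key type does not match key body")
    return parts[0]


def check_entry(line):
    """Return a list of problems for one user-table entry; empty list means OK."""
    m = ENTRY.match(line.strip())
    if not m:
        return ['expected "username";"password";"ssh public key"']
    user, password, key = m.groups()
    problems = []
    if not user:
        problems.append("empty username")
    if not password:
        problems.append('empty password (use a fixed one or "random")')
    try:
        if key_algorithm(key) not in ALLOWED:
            problems.append("key must be RSA or DSA")
    except ValueError as err:
        problems.append(str(err))
    return problems
```

Run check_entry over every entry before importing the script; an entry that fails here would otherwise surface only as a failed SSH login after the other services are disabled.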
Running the script
- Download the script to a fresh MikroTik with "/tool fetch", scp, the web interface, etc.
- Execute "/import file-name=tikinit.rsc"
- Wait (certificates take a while to sign)
- Verify remote access with ssh and web ssl (all other services should be disabled)
- Optional: Disable "admin" account
- Optional: Change random passwords to more obscure ones
- Reboot