mikrotik-mcp

Security Policy

Overview

MikroTik MCP provides programmatic access to MikroTik RouterOS devices through SSH connections. Given the sensitive nature of network infrastructure management, security is a critical concern. This document outlines our security policy and provides guidance on reporting security vulnerabilities.

Reporting a Vulnerability

If you discover a security vulnerability in MikroTik MCP, please report it by:

Creating a security issue at: https://github.com/jeff-nasseri/mikrotik-mcp/issues

When reporting a security issue, please include:

What to Expect

Security Considerations

1. SSH Connection Security

MikroTik MCP uses SSH to connect to RouterOS devices. Be aware of the following:

2. Command Injection Risks

3. Access Control

4. Logging and Auditing

5. Router Configuration Changes

6. Backup File Security

7. Wireless Security

8. Docker Security

⚠️ Environment variables are exposed by docker inspect. Any value passed to a container as an environment variable — whether via -e VAR=value, -e VAR (inherited from the host shell), or --env-file — is stored in the container’s configuration and shown in full by docker inspect. Reading a file into a variable (export VAR=$(cat secret.txt)) does not help: the resolved value still ends up in the container’s environment.

When running MikroTik MCP in a container, the MikroTik password is therefore visible to anyone who can run docker inspect on the host. The server logs a warning at startup when it detects this. To reduce the exposure:

9. API Exposure

When exposing MikroTik MCP via REST API (using MCPO):

Security Best Practices

For Developers

  1. Input Validation: Always validate and sanitize inputs
  2. Error Handling: Don’t expose sensitive information in error messages
  3. Dependencies: Keep all dependencies updated
  4. Code Review: Review security-critical code changes carefully
  5. Testing: Include security testing in your test suite

For Users

  1. Principle of Least Privilege: Create MikroTik users with minimum required permissions
  2. Network Security:
    • Use VPNs or secure channels for remote access
    • Implement network segmentation
    • Enable firewall rules on MikroTik devices
  3. Monitoring:
    • Monitor MikroTik logs for unauthorized access
    • Set up alerts for configuration changes
    • Review audit logs regularly
  4. Updates:
    • Keep MikroTik MCP updated
    • Keep MikroTik RouterOS updated
    • Update Python and system packages regularly
  5. Backup Strategy:
    • Maintain regular encrypted backups
    • Test backup restoration procedures
    • Store backups in secure, off-site locations

Known Security Considerations

Current Implementation Notes

  1. SSH Host Key Verification: Uses AutoAddPolicy() which automatically accepts unknown host keys. This is convenient but less secure than strict host key checking.

  2. Password Logging: Passwords are not logged, but be cautious with debug logging that might expose sensitive command parameters.

  3. Command Execution: Direct command execution on RouterOS requires careful input validation at the application level.

Compliance and Standards

This project aims to align with:

Additional Resources

Contact

For security-related questions or concerns, please open an issue at: https://github.com/jeff-nasseri/mikrotik-mcp/issues


Remember: Security is a shared responsibility. While we work to make MikroTik MCP as secure as possible, proper deployment, configuration, and usage are equally important.