Security
Supported versions
Section titled “Supported versions”| Version | Supported |
|---|---|
| Latest release | ✓ |
| Previous minor | ✓ |
| Older versions | ✗ |
Reporting vulnerabilities
Section titled “Reporting vulnerabilities”-
Do not open a public issue
-
Contact privately
Email the maintainer directly or use GitHub’s private vulnerability reporting feature.
-
Include details
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)
We aim to respond within 48 hours and will work with you to understand and address the issue.
Security considerations
Section titled “Security considerations”RouterOS API credentials
Section titled “RouterOS API credentials”- Use a dedicated user with minimal permissions (only
api,read,writepolicies) - Use TLS when possible (
mikrotik.tls: true) - Store credentials securely (environment variables or secrets management)
- Never commit credentials to version control
CrowdSec LAPI connection
Section titled “CrowdSec LAPI connection”- Use TLS certificates for LAPI connections when available
- Restrict LAPI access to trusted networks
- Rotate bouncer API keys periodically
Metrics endpoint
Section titled “Metrics endpoint”Docker security
Section titled “Docker security”- The official Docker image runs as a non-root user
- Use read-only filesystem mount where possible
- Limit container capabilities
- Use secrets management for credentials (Docker secrets, Kubernetes secrets)
Systemd hardening
Section titled “Systemd hardening”The setup command writes a systemd unit with hardening enabled:
| Setting | Purpose |
|---|---|
NoNewPrivileges=yes | Prevents privilege escalation through exec transitions |
ProtectSystem=strict | Mounts system paths read-only for the service |
ProtectHome=yes | Blocks direct access to home directories |
ReadWritePaths=/var/log | Allows log file writes when logging.file points under /var/log |
PrivateTmp=yes | Gives the service an isolated temporary directory |
LimitNOFILE=65536 | Leaves headroom for RouterOS API sessions and HTTP endpoints |
If you maintain a manual unit file, keep these settings unless your deployment has a specific reason to relax one.
Firewall rule integrity
Section titled “Firewall rule integrity”- The bouncer identifies its rules by structured comments — do not modify these comments manually
- Use the
comment_prefixoption to avoid conflicts with other tools - The bouncer performs cleanup on startup and shutdown to prevent stale rules
- Every bouncer rule also includes the fixed
@cs-routeros-bouncersignature. This lets crash-recovery cleanup find old rules even ifcomment_prefixchanges later.