Is your router configured securely?

  • Yes

    Votes: 14 73.7%
  • No

    Votes: 5 26.3%
  • Total voters
    19
  • Poll closed .

silversurfer

Level 47
Content Creator
Trusted
Malware Hunter
Verified
Source: Router configuration the most secure way with these five steps

Cybersecurity nowadays requires more (and better) protective measures than ever before. These measures range from adopting what are acknowledged as best practices, through helping end-users to stay well-informed about upcoming threats and how to avoid them, to implementing internet security technology and keeping it up to date.

In a dynamic environment where threats continually evolve and new vulnerabilities are identified almost daily, it is necessary to use the most up-to-date security tools, since they deal with protection measures for new and ever-shifting attack vectors.

Whether we are speaking about the work, school or home environment, security must consider and protect all elements that could become gateways for possible attacks. In this article we will review some security aspects users should look at in a home network ―particularly those related to the configuration of its internet-connected router.

1. Conduct router connectivity and authentication tests
Recently, we published information at WeLiveSecurity.com about how to secure your home router to prevent IoT threats. Now we will review other important points for the administration and configuration of routers ―in particular, steps pertaining to ports and services.

Routers allow administration and configuration using some ports in the local network; this could be done via Ethernet cable or wireless connection. Usually you can configure your router via the web, but routers also allow connections for other services and ports, such as FTP (port 21), SSH (22), Telnet (23), HTTP (80), HTTPS (443), or SMB (139, 445).

In addition to these, there are various other well-known and well-used services whose default ports are established as internet standards ―defined by the Internet Assigned Numbers Authority (IANA). Although the blocked port configuration might be set in your router by default, you can review it to ascertain the status and configuration settings. In other words, you can enable only the services you need, disable all others, and block unused ports. Even for remote connections, except where they are necessary.

The same logic applies to the use of passwords for management of services. If possible, you should change both (admin) password and username, so neither is the out-of-the-box default. If the router default password has not been changed, it could be known to, or easily guessed by, attackers; if that is the case, they can log into your router and reconfigure it, or compromise your network.

Also, we advise the use of long and complex passwords, or a passphrase for these purposes; you can use a password manager to create and store passwords in a safe place. Therefore, it is important to review the configuration of services and ports, the user accounts and the strength of passwords.

2. Perform vulnerability tests on the router
There is another aspect to consider when looking for weak points in your router settings – tests for routers that can be carried out using tools that automate tasks such as looking for known vulnerabilities. This type of tool includes information, options and suggestions on how to solve these possible problems. Attackers use similar tools to identify vulnerabilities in your router, so it’s a good idea to use them too, so that your router is no longer low-hanging fruit.

Some router tests include scanning for port vulnerabilities, malicious DNS server reputation, default or easy-to-crack passwords, vulnerable firmware, or malware attacks. Some also include vulnerability analysis of the router’s web server component, looking for issues such as cross-site scripting (XSS), code injection or remote code execution.

If you don’t know about these attacks and breaches, be sure to find a router test (or a group of tests) that does as much as possible of the hard work for you. While it’s not a complete test, a good way to start could be with the Connected Home Monitor tool.

3. Verify connected devices in the network
A third aspect of maintaining the proper functioning and performance of the router and the network is the identification of connected devices. Sometimes, due to bad practices and the use of vulnerable protocols, it’s possible for trusted devices to connect without proper authorization, and also for untrusted devices to connect.

It is therefore a good idea to be aware of and able to identify all the devices that connect to your router: firstly, to avoid the consumption of resources by third parties that do so illegitimately and degrade the network’s performance, and secondly, as a security measure, to prevent your information from being compromised.

Whether this verification is done through an automated tool or by manually using the router’s administration options, the appropriate next step consists of permitting allowed devices only, by using filters to restrict access to specific IP addresses or MAC addresses only.

To start this activity, the Connected Home Monitor tool provides an easy-to-access list of connected devices, categorized by device type (e.g. printer, router, mobile device, and so on), to show what is connected to your home network. Then, you must make the changes yourself using your router interface.

4. Update all devices on the home network
The recent news of the vulnerability known as KRACK (Key Reinstallation AttaCK), which allows the interception of traffic between devices that connect to an access point in a Wi-Fi network, emphasizes again the importance of updates.

For an attack to take advantage of this vulnerability, its perpetrator would normally have to be near the intended victim’s Wi-Fi network. Success would allow the attacker to spy on communications or install malware. We always recommend updating all devices connected to your network (like computers, smartphones or tablets), once the manufacturers publish the security patches that address the vulnerability; also install the updates to the firmware of the routers, as soon as patches are available.

Other practices, such as configuring computers for “Public Network” mode, increase the security level of the device compared to the “Private/Home” network mode, because it lessens the risk of attack across trusted devices. We would like to stress that the most essential thing to do is to keep computers and devices updated.

5. Enable security options
A fifth desirable practice is to enable the security options that are available in the configuration of the router, which vary depending on the model and type of device. Regardless of the router model used in your home network, we advise that you enable security options that are designed to offer more protection of your devices and the network.

For example, some recent routers include configuration options that allow increased protection against known Denial of Service (DoS) attacks, such as SYN Flooding, ICMP Echo, ICMP Redirection, Local Area Network Denial (LAND), Smurf and WinNuke. If enabling these options prevents your router and network performing properly, selectively disable them to improve performance.

The protection of information – a never-ending task
We have just touched lightly on five practices that help to improve security levels. It’s important to review the settings of your router and to change them, as needed, to contribute to the overall protection of the network, router, devices and, of course, your data; doing so will help block many of the entry points used by currently prevalent cybersecurity threats.
 

Slyguy

Level 40
Securing a home router is woefully simple because there aren't many options.

The most simple, effective way to secure one is to simply disable administrative access from WAN, restrict administrative access to a single IP address on the LAN. Then enforce 443/HTTPS authentication on administrative access with 80->443 forwarding disabled. That's going to secure a home router in such a way to make it exceedingly difficult to hack.

Disable UPnP, Disable WPS, change admin name/password, keep the firmware updated and you are gold. Well, as gold as a 'home' router can me.
 

upnorth

Level 29
Content Creator
Trusted
Verified
Here's another good source : Router Security

Quote : "
  1. Change the password used to access the router. Anything but the default should be OK, but don't use a word in the dictionary.
  2. Turn off WPS
  3. Wi-Fi encryption should be WPA2 with AES and your Wi-Fi password should be at least 14 characters long
  4. Turn off UPnP and NAT-PMP to protect both yourself and the rest of the Internet. For more see the Turn Off Stuff page.
  5. Be smart about choosing an SSID (network name)
  6. Use a password protected Guest Network whenever possible, not just for guests but for IoT devices too.
  7. Periodically check the DNS servers being used by the router. They should either belong to your ISP or be the ones you manually configured. If not, your router was probably hacked. One site that displays your current DNS servers is www.perfect-privacy.com/dns-leaktest.
  8. Test Your Router for open ports using some online testers
  9. Periodically update the router firmware
  10. Eat your vegetables (y) "
 

Slyguy

Level 40
Also, SSID's for Wireless should be complex and include _optout_nomap. Since rainbow tables exist for common SSID's it is recommended to use a generated SSID.

myoriginalssid_optout_nomap

ideally;

25CZBMV7mw4s_optout_nomap

I always sort of die inside a bit when I see someone with the SSID 'My Home'... LOL
 

grumpy_joe

Level 1
Also, SSID's for Wireless should be complex and include _optout_nomap. Since rainbow tables exist for common SSID's it is recommended to use a generated SSID.

myoriginalssid_optout_nomap

ideally;

25CZBMV7mw4s_optout_nomap

I always sort of die inside a bit when I see someone with the SSID 'My Home'... LOL
Could you abbreviate on why would a user do that. I am not sure that I completely understand.

I mean what does SSID have to do with my security..
 
  • Like
Reactions: roger_m

roger_m

Level 21
Content Creator
Verified
The following article explains the use of "_optout_nomap"
Myth Busting Windows 10 "Wi-Fi Sense", plus a Google Wireless Mapping reminder - TourKick
You may want to rename your wireless router’s SSID(s) from “My Named Network” to “My Named Network_optout_nomap“, or at least to “My Named Network_nomap“.

Read the rest of this article to decide what you should do for your scenario. Just to-the-point information here. No fear-mongering or B.S.
This is the first time I've heard of it too.
 

upnorth

Level 29
Content Creator
Trusted
Verified
Quote : " You should change the default SSID(s), for a couple reasons, one technical one not.

Using a default or common SSID, can make it easier for bad guys to crack the WPA2 encryption. The network name is part of the encryption algorithm, and password cracking dictionaries (rainbow tables) include common SSIDs. Thus, a popular SSID makes the hacker’s job easier.

On a totally different level, you don't appear to be technically clueless. Anyone who has not changed the default network name is immediately pegged as a non-techie whose defenses are likely to be poor. There might as well be a "hack me" sign on the network.

I have seen others argue that changing an SSID that has the vendor name in it is good for security, as it hides the company that made your router. It does not. The identity of the hardware vendor is advertised for the world to see in the MAC address that the router broadcasts. Even if you change a default SSID of "Linksys" to "Netgear", anyone with a Wi-Fi survey app such as WiFi Analyzer on Android can tell that the router was made by Linksys. "

Full source : Choosing an SSID - RouterSecurity.org

A few example : What are your Wi-Fi/Device names?
 

grumpy_joe

Level 1
Quote : " You should change the default SSID(s), for a couple reasons, one technical one not.

Using a default or common SSID, can make it easier for bad guys to crack the WPA2 encryption. The network name is part of the encryption algorithm, and password cracking dictionaries (rainbow tables) include common SSIDs. Thus, a popular SSID makes the hacker’s job easier.
Are you sure that not only WPA salts the password with SSID.

Thanks for clarifying the rest of the information though.
 
  • Like
Reactions: upnorth