- Jun 11, 2019
- 408
Currently, a wi-fi router is in almost every house or apartment. This is a device that first of all needs to be properly configured, as it is the main target for hacker attacks. Hacking a router, an attacker gains control over the entire local network.
In order for the router to become a truly reliable defender of the home LAN and be an impregnable wall for attackers, careful device configuration is necessary. I will share with you four levels of router protection, according to the principle - from simple to complex. This is suitable for most popular routers from D-Link, TP-Link, Asus.
At the first level, we will carry out the simplest basic protection setup. This setting will help protect against non-professional hackers, those who like to use someone else's Internet access for free.
At the preparatory stage, you need to reset all the current settings of the router and download the latest firmware for your device model from the manufacturer’s website.
The first level consists of eight steps:
1) firmware update to the latest version. This is the first thing to do, because new vulnerabilities are closed in new firmware, which can be exploited by attackers.
2) replacing the default username and password to access the router interface. Since the default username and password are not secrets for anyone (admin / admin, admin / 123, root / root, etc.), then anyone has access and the ability to configure the router.
3) the choice of the strongest encryption option for Wi-Fi networks and a complex password for accessing the network. The password for accessing the network should be as complex and non-trivial as possible so that it is difficult to crack by simply enumerating the options.
4) disabling access to the router using telnet and ssh.
5) disable access to the router from the Internet (WAN) and prohibit ping from the WAN.
6) disabling unused services and functions, for example, Upnp. DMZ and so on.
7) disable the ability to connect to the network using WPS.
8) come up with an original name for your wi-fi network and make it invisible (hide the SSID).
If you are worried that you may become a victim of the remaining few percent of crackers, then we will continue to configure further and move on to the second level, at which we need to take the following five steps:
1) replacing the default IP address of the router and the access port to the WebUI of the router. The well-known IP address and access port of the router make it easier for the attacker, therefore, they should be changed.
2) enable the MAC filter to access the network.
3) establish access to the WebUI of the router only from your computer (MAC authentication).
4) if the local area network is small, then make use of the function of binding computers by IP and MAC in the router, and also prescribe the static IP and MAC of the router itself on each computer in order to protect itself from attacks like ARP-spoofing.
5) if in the settings of the router there is such a function as brute-force protection, then activate it.
Together, these two levels of router protection will already provide approximately 95% protection. But if you want to continue strengthening your local network, then go to the third level at which we need to take two more steps:
1) enable and configure the guest wi-fi network, segment the home network.
2) if the manufacturer allows, then configure a secure connection to the router’s WebUI (only via the https protocol) by disabling access to the administration panel via the http protocol in the router settings. This will protect the router admin panel login and password from being intercepted. You can use either a certificate provided by the manufacturer of the router itself, or a certificate that can be generated free of charge on the Internet.
Thus, in aggregate, the protection of our router will already be approximately 99%. The remaining 1% of crackers are professionals and in order to somehow defend themselves against targeted hacking by a professional cracker (which is an extremely rare situation for a simple home network), there is a fourth specific level of protection, which can be called "hardcore". First you need to install an alternative firmware on the router and again go through all the previous levels. At the fourth level, you will have to master Linux and programming languages in detail, be able to work with complex scripts and know the intricacies of computer networks to complete the last two steps:
1) JFFS activation (if possible), script writing.
2) the use of low-level programming of the firewall of the router for manual adjustment of the rules.
For the home router, the steps of the first three levels are enough.
It should be added that you need to regularly monitor the release of new firmware for your router model on the manufacturer’s website, and update them as soon as possible. If the settings allow, then reduce the level of wi-fi signal so that the coverage area does not go far beyond the borders of your house or apartment. Some top models of routers (for example, F-Secure Sense) have a streaming anti-virus scan function that should be activated.
Be careful about protecting your wi-fi router and then your home local network will be safe.
In order for the router to become a truly reliable defender of the home LAN and be an impregnable wall for attackers, careful device configuration is necessary. I will share with you four levels of router protection, according to the principle - from simple to complex. This is suitable for most popular routers from D-Link, TP-Link, Asus.
At the first level, we will carry out the simplest basic protection setup. This setting will help protect against non-professional hackers, those who like to use someone else's Internet access for free.
At the preparatory stage, you need to reset all the current settings of the router and download the latest firmware for your device model from the manufacturer’s website.
The first level consists of eight steps:
1) firmware update to the latest version. This is the first thing to do, because new vulnerabilities are closed in new firmware, which can be exploited by attackers.
2) replacing the default username and password to access the router interface. Since the default username and password are not secrets for anyone (admin / admin, admin / 123, root / root, etc.), then anyone has access and the ability to configure the router.
3) the choice of the strongest encryption option for Wi-Fi networks and a complex password for accessing the network. The password for accessing the network should be as complex and non-trivial as possible so that it is difficult to crack by simply enumerating the options.
4) disabling access to the router using telnet and ssh.
5) disable access to the router from the Internet (WAN) and prohibit ping from the WAN.
6) disabling unused services and functions, for example, Upnp. DMZ and so on.
7) disable the ability to connect to the network using WPS.
8) come up with an original name for your wi-fi network and make it invisible (hide the SSID).
If you are worried that you may become a victim of the remaining few percent of crackers, then we will continue to configure further and move on to the second level, at which we need to take the following five steps:
1) replacing the default IP address of the router and the access port to the WebUI of the router. The well-known IP address and access port of the router make it easier for the attacker, therefore, they should be changed.
2) enable the MAC filter to access the network.
3) establish access to the WebUI of the router only from your computer (MAC authentication).
4) if the local area network is small, then make use of the function of binding computers by IP and MAC in the router, and also prescribe the static IP and MAC of the router itself on each computer in order to protect itself from attacks like ARP-spoofing.
5) if in the settings of the router there is such a function as brute-force protection, then activate it.
Together, these two levels of router protection will already provide approximately 95% protection. But if you want to continue strengthening your local network, then go to the third level at which we need to take two more steps:
1) enable and configure the guest wi-fi network, segment the home network.
2) if the manufacturer allows, then configure a secure connection to the router’s WebUI (only via the https protocol) by disabling access to the administration panel via the http protocol in the router settings. This will protect the router admin panel login and password from being intercepted. You can use either a certificate provided by the manufacturer of the router itself, or a certificate that can be generated free of charge on the Internet.
Thus, in aggregate, the protection of our router will already be approximately 99%. The remaining 1% of crackers are professionals and in order to somehow defend themselves against targeted hacking by a professional cracker (which is an extremely rare situation for a simple home network), there is a fourth specific level of protection, which can be called "hardcore". First you need to install an alternative firmware on the router and again go through all the previous levels. At the fourth level, you will have to master Linux and programming languages in detail, be able to work with complex scripts and know the intricacies of computer networks to complete the last two steps:
1) JFFS activation (if possible), script writing.
2) the use of low-level programming of the firewall of the router for manual adjustment of the rules.
For the home router, the steps of the first three levels are enough.
It should be added that you need to regularly monitor the release of new firmware for your router model on the manufacturer’s website, and update them as soon as possible. If the settings allow, then reduce the level of wi-fi signal so that the coverage area does not go far beyond the borders of your house or apartment. Some top models of routers (for example, F-Secure Sense) have a streaming anti-virus scan function that should be activated.
Be careful about protecting your wi-fi router and then your home local network will be safe.
Last edited:
