SFox

Level 3
Verified
Currently, a wi-fi router is in almost every house or apartment. This is a device that first of all needs to be properly configured, as it is the main target for hacker attacks. Hacking a router, an attacker gains control over the entire local network.
In order for the router to become a truly reliable defender of the home LAN and be an impregnable wall for attackers, careful device configuration is necessary. I will share with you four levels of router protection, according to the principle - from simple to complex. This is suitable for most popular routers from D-Link, TP-Link, Asus.
At the first level, we will carry out the simplest basic protection setup. This setting will help protect against non-professional hackers, those who like to use someone else's Internet access for free.
At the preparatory stage, you need to reset all the current settings of the router and download the latest firmware for your device model from the manufacturer’s website.

The first level consists of eight steps:

1) firmware update to the latest version. This is the first thing to do, because new vulnerabilities are closed in new firmware, which can be exploited by attackers.

2) replacing the default username and password to access the router interface. Since the default username and password are not secrets for anyone (admin / admin, admin / 123, root / root, etc.), then anyone has access and the ability to configure the router.

3) the choice of the strongest encryption option for Wi-Fi networks and a complex password for accessing the network. The password for accessing the network should be as complex and non-trivial as possible so that it is difficult to crack by simply enumerating the options.

4) disabling access to the router using telnet and ssh.

5) disable access to the router from the Internet (WAN) and prohibit ping from the WAN.

6) disabling unused services and functions, for example, Upnp. DMZ and so on.

7) disable the ability to connect to the network using WPS.

8) come up with an original name for your wi-fi network and make it invisible (hide the SSID).

If you are worried that you may become a victim of the remaining few percent of crackers, then we will continue to configure further and move on to the second level, at which we need to take the following five steps:

1) replacing the default IP address of the router and the access port to the WebUI of the router. The well-known IP address and access port of the router make it easier for the attacker, therefore, they should be changed.

2) enable the MAC filter to access the network.

3) establish access to the WebUI of the router only from your computer (MAC authentication).

4) if the local area network is small, then make use of the function of binding computers by IP and MAC in the router, and also prescribe the static IP and MAC of the router itself on each computer in order to protect itself from attacks like ARP-spoofing.

5) if in the settings of the router there is such a function as brute-force protection, then activate it.

Together, these two levels of router protection will already provide approximately 95% protection. But if you want to continue strengthening your local network, then go to the third level at which we need to take two more steps:

1) enable and configure the guest wi-fi network, segment the home network.

2) if the manufacturer allows, then configure a secure connection to the router’s WebUI (only via the https protocol) by disabling access to the administration panel via the http protocol in the router settings. This will protect the router admin panel login and password from being intercepted. You can use either a certificate provided by the manufacturer of the router itself, or a certificate that can be generated free of charge on the Internet.

Thus, in aggregate, the protection of our router will already be approximately 99%. The remaining 1% of crackers are professionals and in order to somehow defend themselves against targeted hacking by a professional cracker (which is an extremely rare situation for a simple home network), there is a fourth specific level of protection, which can be called "hardcore". First you need to install an alternative firmware on the router and again go through all the previous levels. At the fourth level, you will have to master Linux and programming languages in detail, be able to work with complex scripts and know the intricacies of computer networks to complete the last two steps:

1) JFFS activation (if possible), script writing.

2) the use of low-level programming of the firewall of the router for manual adjustment of the rules.

For the home router, the steps of the first three levels are enough.
It should be added that you need to regularly monitor the release of new firmware for your router model on the manufacturer’s website, and update them as soon as possible. If the settings allow, then reduce the level of wi-fi signal so that the coverage area does not go far beyond the borders of your house or apartment. Some top models of routers (for example, F-Secure Sense) have a streaming anti-virus scan function that should be activated.
Be careful about protecting your wi-fi router and then your home local network will be safe.
 
Last edited:

Lenny_Linux

Level 6
Apologize for asking, but I have read elsewhere that adding Mac Address filtering adds more hassle than protection.

I have recently hardened our home network and used advice I found on the internet. I remember a few additional tips (because I have implemented them on our home network).
  1. Use a long passphrase for user admin and user passwords (as long as the router allows).
  2. Disable remote access to the router's console
  3. Create a guest network with limited lease time (maximum of 12 hours or so) and disconnect/lockout guest network at night using parental control. They also adviced to leave the guest network visible and give it the old route name. Tthe guest network acts as a decoy.
  4. Reduce IP range for home network and disconnect WIFI/lockout home network for one hour at night. A hacker can't lock you out by using all internal IP-addresses and set lease time to eternal and you always have a time window to take back control. The advice was to make the SSID network name of the home network hidden.
  5. Check whether build-in firewall has disabled options, check internet what a settings does instead of blindly enabling it.

So I am interested in the MAC-address filtering: is it worth the hassle?

Also would like to get feedback on the additional tips: are they sound advice or mumbo jumbo (because of the conflicting advice on mac address filtering,I am now also unsure about the five above (extra) measures I have taken.
 
Last edited:

Arequire

Level 24
Verified
Content Creator

blackice

Level 15
Verified
Reduce IP range for home network and disconnect WIFI/lockout home network for one hour at night. A hacker can't lock you out by using all internal IP-addresses and set lease time to eternal and you always have a time window to take back control. The advice was to make the SSID network name of the home network hidden.
If I understand this step correctly I don’t know if taking this step is really necessary. If you find out your router is compromised you want to factory reset the firmware immediately. You don’t know what they’ve changed or injected, so why bother trying to salvage a compromised setup. You should have physical access to do this and not need to keep a device connected.
 

TairikuOkami

Level 25
Verified
Content Creator
8) come up with an original name for your wi-fi network and make it invisible (hide the SSID).
Finding the name is the matter of seconds, but by hiding the SSID, you turn your computer into a beacon.

3) the choice of the strongest encryption option for Wi-Fi networks and a complex password for accessing the network.
Preferably 63 ASCII characters long password, it is only copy/paste in txt/message, so no hassle.

If I understand this step correctly I don’t know if taking this step is really necessary.
Just because someone is connected to your router, does not necessarily mean, he can use it against you as long as you are connected via https. It only adds another possible MITM. My IP range is limited to 4 devices, so in the worst case scenario, 2 of my neighbours would be using my internet. :sleep:
 

Attachments

Lenny_Linux

Level 6
If I understand this step correctly I don’t know if taking this step is really necessary. If you find out your router is compromised you want to factory reset the firmware immediately. You don’t know what they’ve changed or injected, so why bother trying to salvage a compromised setup. You should have physical access to do this and not need to keep a device connected.
As @TairikuOkami explained it also reduces possible stealing of network capacity by script kiddies snooping your WIFI netwirk. I had not thought about that. The point the guy made from who I copied this was that hackers often use all available IP-addresses with eternal lease time, so you can't see what is wrong / what caused the intrusion. leaving me with only one option: a factory reset.

When the hacker has managed to lock you out, he/she also knows what the router make and model is and often simply can get access again using defaults user-id's and passwords. After the reset you might be in a rat race with the hacker again. Also when you don't know what caused, fair chance you did not resolve the cause/problem/leak and the hacker kicks you out in no time again.

The lockout time window also gives me the time to set the router up again (after a factory reset), without having to worry about someone trying to get access simultaneously. That is the point of keeping a backdoor and a time slot for yourself open. But, hey I am just parroting what I read from what I thought was an expert.
 
Last edited:

blackice

Level 15
Verified
As @TairikuOkami explained it also reduces possible stealing of network capacity by script kiddies snooping your WIFI netwirk. I had not thought about that. The point the guy made from who I copied this was that hackers often use all available IP-addresses with eternal lease time, so you can't see what is wrong / what caused the intrusion. leaving me with only one option: a factory reset.

When the hacker has managed to lock you out, he/she also knows what the router make and model is and often simply can get access again using defaults user-id's and passwords. After the reset you might be in a rat race with the hacker again. Also when you don't know what caused, fair chance you did not resolve the cause/problem/leak and the hacker kicks you out in no time again.

The lockout time window also gives me the time to set the router up again (after a factory reset), without having to worry about someone trying to get access simultaneously. That is the point of keeping a backdoor and a time slot for yourself open. But, hey I am just parroting what I read from what I thought was an expert.
That makes sense. Although I would personally just factory reset ASAP. Most routers have to do their setup through a wired connection, so no MitM would be happening. But again, I don’t think I fully grasp his precautions in this situation.
 

TairikuOkami

Level 25
Verified
Content Creator
Most routers have to do their setup through a wired connection, so no MitM would be happening.
Many routers contain unpatched vulnerabilities, like KRACK and vendors do bother to patch them, they want people to buy new ones.
Besides, when someone is able to connect to your WiFi, he can easily eavesdrop to http and even to https, if there is some vulnerability.
Although websites or apps may use HTTPS as an additional layer of protection, we warn that this extra protection can (still) be bypassed in a worrying number of situations. For example, HTTPS was previously bypassed in non-browser software, in Apple's iOS and OS X, in Android apps, in Android apps again, in banking apps, and even in VPN apps.
 

SFox

Level 3
Verified
So I am interested in the MAC-address filtering: is it worth the hassle?
Filtering by MAC address is inconvenient if you often receive a large number of guests. If this is not the case and the number of devices is stable, then filtering will not hurt. Yes, this protection is easy enough to get around, but few inexperienced crackers will guess :)
Finding the name is the matter of seconds, but by hiding the SSID, you turn your computer into a beacon.
As for hiding the SSID, really such a measure will save only from completely novice "hackers" who do not have special equipment and software, and they try to pick out only those networks that Windows shows them, that which is visible to the naked eye :) But also this is enough to protect against the kids :)

The main thing is to protect yourself from listening to the network and protect the settings of the router, if the hacker still penetrated. And for this, you have a tight binding by IP and MAC, and https for entering the admin panel (and also for connections in general), and network segmentation. A lot of things, the main thing is not to be lazy to set up. Even replacing the username and password in the administrative panel, as well as replacing the standard IP address and port of the router, will already help from scanning with special hacker programs. But how many users do these settings? Usually, the Internet cable was poked into the router, the Internet is there - and nothing else is needed :)
 

SFox

Level 3
Verified
By the way, I recommend just such a small program for wi-fi network monitoring. It’s called a Wi-Fi Guard. WiFi Guard is an essential tool for everyone running a small wireless network and striving to keep it safe and secure. Generally, modern Wi-Fi networks are well protected, but there are a number of weaknesses that can compromise your Wi-Fi password; this includes vulnerabilities in encryption and brute force attacks. As a result, someone can gain unauthorised access to your Internet connection and LAN and exploit them while staying unnoticed. Link to the official website: SoftPerfect WiFi Guard : keep your Wi-Fi network secure
гард.png
 

yuanyasmine

New Member
Thanks for the great info, but I am trying to figure out how to connect a W10 PC to a WiFi network that does NOT broadcast its SSID. That instruction is not anywhere in this documentation, at least not that I see... I MAY, however, be blind.... ;-)
 

SFox

Level 3
Verified
Thanks for the great info, but I am trying to figure out how to connect a W10 PC to a WiFi network that does NOT broadcast its SSID. That instruction is not anywhere in this documentation, at least not that I see... I MAY, however, be blind.... ;-)
SSID broadcasts any network, but it can be hidden. We connect to a hidden Wi-Fi network in Windows 10. The process itself is practically no different from a normal Wi-Fi connection in Windows 10. Open the list of available networks and click on "Hidden network". If you want the computer to connect to this network automatically, leave a checkmark next to "Connect automatically." Enter the name of the Wi-Fi network. Enter the password and click "Next". If you specified everything correctly, then Windows 10 will connect to a hidden Wi-Fi network.
 

Lenny_Linux

Level 6
Thx for the info: I asked the system admin where I am working now. He said chances of being hacked by a real hacker are near zero, chances of being hacked by a script kiddy trying to evade parental control is low, but real, so his advice was:

Must-do
  1. Access your router's console (e.g. 192.168.0.1) from a wired cable connection (not WIFI).Look for an option in the router's manual to access the console via HTTPS only (meaning an encrypted/secured connection). When not: bad luck, you always should configure your router from a wired connection (not WIFI). When your router has that option, enable it and you can access the router via a wireless (WiFi) connection.
  2. Change ADMIN and USER names - choose long pass phrases as password.
  3. Setup a guest network with a lease time of 12 or 24 hours (guest network is separated from home network)
  4. Choose the strongest encryption option for Wi-Fi networks (currently WPA2) and a long passphrase for home network and complex password for accessing the guest network and rename these networks to a name which is not tied to your address or family name.
  5. Connect all personal devices of family members to home network and connect all IOT devices (smart TV, security camera's, smart central heating, etc) to the guest network and limit the lease time of the guest network to 24 hours.

Should-do
  1. Disable features you don't need (anymore): think of DeMilitarizedZone, Universal Plug and Play, Wifi Protected Setup
  2. Disable remote stuff you probably don't need like: Telnet, SSH, Web Access From WAN (remote access to router console)
  3. Check to enable both IP4 and IP6 firewall and browse through advanced firewall options for additional protection, look for
    malformed packets protection, - IP-flood/ DDoS protection, detect spoofing (attacks). When an option is not enabled by default, Google to understand what it does and enable wisely not blindly.
  4. Limit the IP-range of your guest network to the maximum number of guests you ever had on a house party plus 10, limit the IP-range of your home network to all personal devices plus 5.
  5. Check to see whether router has parental control and limit access (internet) time for the devices of your children.
Optional
  1. When there was something mentioned on the Must-do or Should-do you had not heard of before, stop here! You are entering the over-my-head zone and risk locking yourself out or degrading performance and/or security of your network by setting or implementing it incorrectly
  2. When you had a "what else is new" experience while reading the Must-do and Should-do checklist, you probably have bought a high end router or a router which had an open source console. You know better, you don't need this checklist.
 
Last edited:

Lenny_Linux

Level 6
@TairikuOkami

Based on your responses in this thread I see you are a seasoned forum member who knows what he is doing. I trust you were not locked out by following the tips I just posted. :oops:

My router does not have a HTTPS console option, so how did that happen, what sequence of actions went wrong (e.g. only HTTPS access over Wifi before enabling Wifi?).
 

SFox

Level 3
Verified
Mac filtering also doesn't help users think. A attacker can use the same Mac (spoof own) and voila.
Here binding can help. If you bind the poppy address to the ip address, then the attacker will not be able to replace the poppy address, since it is tied to the ip reserved for another computer. Each computer in the home network must be tightly attached to the router and the router to the computer so that no substitution is possible.
And I also agree that another measure would be good to limit the pool of addresses issued by the dhcp-server so that an extraneous device could not get an ip address and connect to the network.
 

blackice

Level 15
Verified
Many routers contain unpatched vulnerabilities, like KRACK and vendors do bother to patch them, they want people to buy new ones.
Besides, when someone is able to connect to your WiFi, he can easily eavesdrop to http and even to https, if there is some vulnerability.

Sorry maybe I was confused on the point of the step I was questioning. It seemed to imply you want a back door back into your router in case it gets hacked. I was just saying if it gets hacked my approach would be a factory reset ASAP. Not trying to get back in and retake control. Most people wouldn’t know how to figure out what the compromise was anyway. And most routers require setup through a wired connection, so mitm isn’t a concern during the setup process. I totally agree about the issues with eaves dropping and packet sniffing.