Q&A security for a paranoid elder

ticklemefeet

Level 26
Jan 31, 2018
1,548
Wow thank you everyone for all this information! Plenty to sort through and great recommendations! Here is what I'm considering at the moment:

- Antivirus: F-Secure or Kaspersky Internet Security (doesn't look like I'd really need Total Security package). Also will present Microsoft Defender as an option but he'll probably feel better paying for something he feels is even more secure.

- Firewall: Fort Knox (seems pretty complete), TinyWall (doesn't list protection from "outbound" attacks), Comodo (seems appealing especially with Cruelsister settings - is there significant benefit over the other options?)

- Other considerations: Definitely will Harden Windows, VoodooShield Free looks like a worthwhile security addition, KVRT as additional scan option.

Beyond all this his ISP supplied router is old however it lacks WPS which he likes. He's read that WPS sometimes isn't entirely disabled on routers when done through the router interface (I haven't come across this myself). To that end is it likely one could actually encounter attacks directed at the router itself circumventing the software security options above? I'd doubt it but I'm not qualified to back my doubts up. I've always setup my routers with the following guide in mind:


With that guide in mind is there really specific 3rd party routers worth considering with further security in mind? As stated I'd presume any half decent router with standard security setup should be absolutely fine with above software options but if there's something with tangible benefit that's not a fortune I can direct it to him for consideration.

By the way my dad doesn't engage in anything nefarious but rather just standard internet browsing. His biggest fear as it stands is suffering a network infection that would log his information when he uses his Chromebook for internet banking. Said Chromebook is only used for this purpose and is otherwise turned off.

Again thanks again everyone for this.

If you do decide to use Voodooshield, Dan used to give free Pro lic to MT members. Wink Wink
 
  • Like
Reactions: Zartarra

mathok87

New Member
Thread author
Jan 5, 2022
5
Mikrotik routers support DNS over HTTPS (Doh), am running NextDNS doh on my Mikrotik, it has a pretty decent firewall too.
View attachment 263460
Intriguing. I have a Mikrotik router myself and that would be a good configuration addition. I see that NextDNS is free up to 300000 queries a month which I'd presume would be sufficient for average use. With these Mikrotik router settings do you also register an account with NextDNS or do these routers simply have blanket access?
 
  • Like
Reactions: JoyousBudweiser
Dec 12, 2021
194
Intriguing. I have a Mikrotik router myself and that would be a good configuration addition. I see that NextDNS is free up to 300000 queries a month which I'd presume would be sufficient for average use. With these Mikrotik router settings do you also register an account with NextDNS or do these routers simply have blanket access?
If you dont register with NextDNS your configuration will be deleted after 7 days, and if theres not more than 4 devices thats actively used like phones, tablets and computers then the 300k querie limit will never be reached, my phone and my computer uses the same config and I get at max 150k per month.
 

JoyousBudweiser

Level 14
Verified
Top poster
Well-known
Aug 22, 2013
688
Intriguing. I have a Mikrotik router myself and that would be a good configuration addition. I see that NextDNS is free up to 300000 queries a month which I'd presume would be sufficient for average use. With these Mikrotik router settings do you also register an account with NextDNS or do these routers simply have blanket access?
Registration is also free and you also get logs of all the queries ( you can switch it off too) on creating the account. How to configure nextdns in mikrotik is given in the settings page of nextdns. Just go to device- routers- scroll down...that's it.
You can force every non encrypted DNS query from the devices ( via port 53) connected to the router to go through the router DOH by using the given firewall rule. The same rule can be repeated for traffic through port 5353 too, just change "port=53" to "port=5353" at the end of the rule.
/ip firewall nat

add chain=dstnat action=dst-nat to-addresses=192.168.88.1 to-ports=53 protocol=tcp dst-port=53
add chain=dstnat action=dst-nat to-addresses=192.168.88.1 to-ports=53 protocol=udp dst-port=53
 
Last edited:
  • Like
Reactions: oldschool