Secure your wireless router

There is no such thing as perfect security. Given enough knowledge, resources, and time, any system can be compromised. The best you can do is make it as difficult for an attacker as possible. That said, there are steps you can take to harden your network against the vast majority of attacks.

The default configurations of what I call consumer-grade routers offer fairly basic security. To be honest, it doesn’t take much to compromise them. When I install a new router (or reset an existing one), I rarely use the ‘setup wizards’. I go through and configure everything exactly how I want it. Unless there is a good reason, I don’t leave a setting at its default.

I cannot tell you the exact settings you need to change. Every router’s admin page is different, even between routers from the same manufacturer. Depending on the specific router, there may be settings you can’t change. For many of these settings, you will need to access the advanced configuration section of the admin page.

I’ve included screenshots of an Asus RT-AC66U. It is in the default state.

Update your firmware. Most people update the firmware when they first install the router and then leave it alone. Recent research has shown that 80% of the 25 top-selling wireless router models have security vulnerabilities. Affected manufacturers include Linksys, Asus, Belkin, Netgear, TP-Link, D-Link, Trendnet, and others. Most manufacturers release updated firmware when vulnerabilities are brought to light. Set a reminder in Outlook or whatever calendar you use; I recommend checking for updates every 3 months. Compare the firmware version shown on the router’s status page against the manufacturer’s download page rather than relying on the router’s own ‘check for update’ button. I know this sounds like a no-brainer, but only install firmware downloaded from the manufacturer’s website, and verify the file’s checksum if the manufacturer publishes one.

Also, disable the router’s capability to automatically check for updates. I’m not a fan of letting devices ‘phone home’. You have no control over what data is sent. For example, did you know that several so-called ‘Smart TVs’ send information back to their manufacturer? They send all your viewing habits every time you change the channel. If you plug a USB drive into them, they send a list of every filename on the drive. This data is unencrypted and is sent even if the menu setting is set to NO. The trade-off is that you now own the update schedule; the quarterly reminder above is what keeps this from turning into a router that never gets patched.

Disable remote administration. I understand some people need to be able to reconfigure their network remotely. If you have to, at least enable HTTPS access, change the default port, and, if the router lets you, restrict access to a specific source address. Changing the port only reduces noise from automated scans; it does not protect a weak password. Note that this includes any type of ‘cloud’ based management, such as Linksys’ Smart WiFi Account and Asus’ AiCloud.

Use a strong password for the router admin account. A long passphrase that is unique to the router; a password reused from another account, or the one printed on the router’s label, does not count.

Enable HTTPS for all admin connections. This is disabled by default on many routers. Expect a certificate warning the first time, since the router’s certificate is self-signed; what HTTPS buys you here is that the admin password is not sent in clear text across your own LAN or WiFi.

[Screenshot: wireless-security-1]

Restrict inbound traffic. I know this is common sense, but sometimes people don’t understand the consequences of certain settings. If you must use port forwarding, be very selective: forward only the one port the service needs, to the one internal host that runs it. If possible, use a non-standard external port for the service you’re configuring; this cuts down on automated scanning noise but is not a substitute for keeping the forwarded service patched. There are also settings for filtering anonymous internet traffic (turn it on) and for responding to ping from the internet side (turn it off).

[Screenshot: wireless-security-2]

Use WPA2 encryption for the WiFi, with AES (CCMP) rather than TKIP. Never use WEP. It can be broken within minutes with software freely available on the internet. WPA isn’t much better. Keep in mind that with WPA2-Personal the passphrase is the entire secret: anyone who captures a client joining the network can try passphrases offline at their leisure, so use a long random passphrase, not a dictionary word or a phone number.

[Screenshot: wireless-security-3]

Turn off WPS (WiFi Protected Setup). I understand the convenience of using WPS, but it was a bad idea to start. The PIN method uses an eight-digit PIN whose two halves are verified separately, so an attacker within radio range needs only about 11,000 guesses to recover it, and with it the WPA2 passphrase; tools that do this are freely available. On some routers the PIN method stays active even after WPS is ‘disabled’ in the admin page, so check the manufacturer’s release notes or test it.

[Screenshot: wireless-security-4]

Restrict outbound traffic. As mentioned above, I normally don’t like devices that phone home. If you have these types of devices, consider blocking all internet traffic from them at the router; look for an outbound (LAN-to-WAN) filter rule that matches the device’s IP address, which is one reason to give such devices a static address.

Disable unused network services, especially UPnP. UPnP lets any device on your LAN open an inbound port forward through the router with no authentication, so a single compromised PC, phone, or gadget can expose whatever it likes to the internet, and on a large number of devices the UPnP service has also been found reachable from the internet side. Other services that are probably unnecessary: Telnet, FTP, SMB (Samba/file sharing), TFTP, and IPv6 if your ISP does not provide it.

Log out from the admin page when done. Just closing the web page without logging out can leave an authenticated session open in the router.

Check for the port 32764 vulnerability. This is an undocumented management service listening on TCP port 32764 that accepts commands without any authentication. To my knowledge some routers produced by Linksys (Cisco), Netgear, and Diamond are affected, but there may be others. Newer firmware was released, but may not fully patch the system.

Check your router at: https://www.grc.com/x/portprobe=32764
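Rather than trusting the admin page’s checkboxes, verify from a machine on your LAN that the services above are actually closed. The following Python script is an added example, not from the original article: it attempts a TCP connection to each of the service ports named above plus 32764, and sends one SSDP M-SEARCH discovery message (the UPnP discovery request) directly to the router to see whether UPnP still answers. The router address, the port list and its labels are my assumptions; pass your router’s LAN address as the first argument. TFTP is UDP and is not probed here. A LAN-side check complements the GRC probe, which tests from the internet side, and it catches the case where a service is exposed to your own network even though the WAN side is closed.

```python
import socket

# Router-side TCP services the article says should be off on a hardened router,
# plus 32764, the port of the 2014 backdoor. The list and labels are my own
# (assumed); add whatever else your router's admin page lets you enable.
RISKY_TCP_PORTS = {
    21: "FTP",
    23: "Telnet",
    139: "SMB/NetBIOS",
    445: "SMB",
    32764: "undocumented management port",
}


def tcp_open(host, port, timeout=1.0):
    """True if a full TCP handshake succeeds, i.e. something is listening there."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unreachable
        return False


def upnp_responds(host, timeout=1.0):
    """Send an SSDP M-SEARCH straight to the router (unicast, UDP 1900) and
    report whether it answers. Any HTTP/1.1 200 reply means UPnP is still on."""
    msg = (
        "M-SEARCH * HTTP/1.1\r\n"
        "HOST: 239.255.255.250:1900\r\n"
        'MAN: "ssdp:discover"\r\n'
        "MX: 1\r\n"
        "ST: ssdp:all\r\n\r\n"
    ).encode()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(msg, (host, 1900))
            data, _ = s.recvfrom(2048)
        except OSError:  # no reply within the timeout, or ICMP unreachable
            return False
    return data.upper().startswith(b"HTTP/1.1 200")


def audit(host, ports=RISKY_TCP_PORTS, timeout=1.0):
    """Return {port: True if open else False} for every port in `ports`."""
    return {p: tcp_open(host, p, timeout) for p in ports}


def loopback_demo():
    """Self-check of the scanner against this machine's loopback interface:
    open one listener, pick a second port that nothing listens on, audit both."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    open_port = listener.getsockname()[1]
    spare = socket.socket()          # bind-and-release to find a free port
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()
    try:
        result = audit("127.0.0.1", [open_port, closed_port], timeout=1.0)
        return {"listening_port_reported_open": result[open_port],
                "unused_port_reported_open": result[closed_port]}
    finally:
        listener.close()


if __name__ == "__main__":
    import sys
    router = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.1"  # assumed default
    for port, is_open in audit(router).items():
        state = "OPEN" if is_open else "closed"
        print(f"{port:>5} {RISKY_TCP_PORTS.get(port, ''):<30} {state}")
    print("UPnP (SSDP) answers:", upnp_responds(router))
```

Run it once before and once after changing the settings; every line should read "closed" and the UPnP check should print False afterwards. A port that still shows OPEN after you disabled the service in the admin page is worth a firmware update or a support ticket, not a shrug.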

Turn on logging. Look for suspicious activity in your logs on a regular basis. Most routers have the capability of emailing the logs to you at set intervals. Also make sure the clock and time zone are set correctly (enable NTP if the router offers it) so that your logs are accurate.
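As an added example (not part of the original article), here is a small Python script that does the kind of log review described above over a handful of constructed syslog-style lines. The line format is my assumption, loosely modelled on the iptables DROP and dropbear failed-login messages that many Linux-based routers emit; adjust the regular expressions to whatever your router actually logs. It flags two patterns worth a second look: one source address probing many different ports (a scan) and repeated failed admin logins from the same address.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not real router output). Addresses come from the
# RFC 5737 documentation ranges. The format is assumed: iptables-style DROP lines
# and dropbear-style (SSH daemon) password-failure lines.
SAMPLE_LOG = """\
Mar 24 11:18:01 router kernel: DROP IN=eth0 SRC=203.0.113.7 DST=198.51.100.20 PROTO=TCP DPT=23
Mar 24 11:18:01 router kernel: DROP IN=eth0 SRC=203.0.113.7 DST=198.51.100.20 PROTO=TCP DPT=80
Mar 24 11:18:02 router kernel: DROP IN=eth0 SRC=203.0.113.7 DST=198.51.100.20 PROTO=TCP DPT=443
Mar 24 11:18:02 router kernel: DROP IN=eth0 SRC=203.0.113.7 DST=198.51.100.20 PROTO=TCP DPT=8080
Mar 24 11:18:03 router kernel: DROP IN=eth0 SRC=203.0.113.7 DST=198.51.100.20 PROTO=TCP DPT=32764
Mar 24 11:19:10 router kernel: DROP IN=eth0 SRC=198.51.100.99 DST=198.51.100.20 PROTO=UDP DPT=1900
Mar 24 11:20:05 router dropbear[412]: Bad password attempt for 'admin' from 203.0.113.55:40122
Mar 24 11:20:07 router dropbear[412]: Bad password attempt for 'admin' from 203.0.113.55:40123
Mar 24 11:20:09 router dropbear[412]: Bad password attempt for 'admin' from 203.0.113.55:40124
Mar 24 11:20:11 router dropbear[412]: Bad password attempt for 'root' from 203.0.113.55:40125
Mar 24 11:21:00 router dropbear[413]: Password auth succeeded for 'admin' from 192.168.37.12:51000
"""

# Field extraction for the two assumed line shapes.
DROP_RE = re.compile(r"DROP .*?SRC=(?P<src>[\d.]+) .*?PROTO=(?P<proto>\w+) DPT=(?P<dpt>\d+)")
BADPW_RE = re.compile(r"Bad password attempt for '(?P<user>\w+)' from (?P<src>[\d.]+):\d+")


def analyse(log_text, scan_threshold=4, login_threshold=3):
    """Return (scanners, brute_forcers).

    scanners: {source IP: sorted list of distinct dropped destination ports}
              for every source that hit at least `scan_threshold` distinct ports.
    brute_forcers: {source IP: number of failed logins} for every source with
              at least `login_threshold` failures.
    """
    ports_by_src = defaultdict(set)
    failures_by_src = defaultdict(list)
    for line in log_text.splitlines():
        m = DROP_RE.search(line)
        if m:
            ports_by_src[m["src"]].add((m["proto"], int(m["dpt"])))
            continue
        m = BADPW_RE.search(line)
        if m:
            failures_by_src[m["src"]].append(m["user"])
    scanners = {
        src: sorted(port for _, port in ports)
        for src, ports in ports_by_src.items()
        if len(ports) >= scan_threshold
    }
    brute_forcers = {
        src: len(users)
        for src, users in failures_by_src.items()
        if len(users) >= login_threshold
    }
    return scanners, brute_forcers


if __name__ == "__main__":
    scanners, brute_forcers = analyse(SAMPLE_LOG)
    for src, ports in scanners.items():
        print(f"possible scan from {src}: ports {ports}")
    for src, count in brute_forcers.items():
        print(f"{count} failed admin logins from {src}")
```

On the sample data this reports 203.0.113.7 walking five different ports (including 32764, which is exactly the kind of probe the section above warns about) and four failed logins from 203.0.113.55. Single dropped packets from random addresses, like the lone SSDP packet from 198.51.100.99, are normal internet background noise and fall below the thresholds; the point of the thresholds is to separate that noise from someone actually working on your router.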

For the truly security-conscious (or maybe just paranoid), the following are additional steps to consider:

Change the admin user name. Everyone knows the default is usually admin.

Set up a ‘Guest’ network. Many newer routers are capable of creating separate wireless guest networks. Ensure it only has access to the internet, and not your LAN (intranet); check this after enabling it, since on some routers the guest network can still reach the LAN until you turn off a setting along the lines of ‘Access Intranet’. Of course, use the same encryption method (WPA2-Personal) with a different passphrase.

Do not connect USB storage to your router. This automatically enables many services on your router and may expose the contents of that drive to the internet.

Use an alternate DNS provider. Chances are you are using whatever DNS settings your ISP gave you. DNS has increasingly become a target for attacks; one common attack on home routers is to silently change the DNS servers the router hands out, so that every device on your LAN is redirected. There are DNS providers who have taken additional steps to secure their servers. Whichever you choose, note the addresses you set and recheck them periodically. As an added bonus, another DNS provider may increase your internet performance.

Change the default IP address range on your LAN (inside) network. Every consumer-grade router I’ve seen uses either 192.168.1.x or 192.168.0.x, making it easier to script an automated attack (for example, a malicious web page that tries to reach your router’s admin page at a guessable address).
Available ranges are:
Any 10.x.x.x
Any 192.168.x.x
172.16.x.x to 172.31.x.x

Change the router’s default LAN address. If someone does gain access to your LAN, they know the router’s IP address is either x.x.x.1 or x.x.x.254; don’t make it easy for them.

[Screenshot: wireless-security-5]

Disable or restrict DHCP. Turning off DHCP is usually not practical unless you’re in a very static network environment. I prefer to restrict DHCP to 10-20 IP addresses starting at x.x.x.101; this makes it easier to keep track of what’s happening on your network. I prefer to put my ‘permanent’ devices (desktops, printers, NAS, etc.) on static IP addresses. That way only laptops, tablets, phones, and guests are using DHCP. Note that this is an inventory aid, not a barrier: an attacker already on the LAN can simply assign themselves an address.

[Screenshot: wireless-security-6]

Disable admin access from wireless. This functionality is not available on all home routers. If you enable it, keep a wired machine (or at least a cable and a laptop) handy, since that becomes the only way back into the admin page.

Disable SSID broadcast. This is not difficult for a professional to overcome (the name is still sent in the clear every time a client joins), and it can make it a pain to allow visitors on your WiFi network.

Use MAC filtering. Same as above; inconvenient for visitors, and since MAC addresses are sent unencrypted in every wireless frame, an attacker can simply copy one from an allowed device.

Some of these items fall into the category of ‘Security by Obscurity’, and there are many IT and security professionals that scoff at them, saying they are not security measures. In a way, they are absolutely correct. However, if there are steps you can take to make it more difficult to compromise your network, I think it’s worth considering.

Good security is not ‘set it and forget it’. We’ve all heard about the many security breaches at some of the biggest companies. To me, the really irritating part is when you hear they had been compromised for 3, 6, 12 months or more before it was discovered.

Take the time to look through your logs. Scan your network looking for unexpected devices and connections. If you want a quick and easy way to see what’s on your network, Fing is a handy app, available for iOS, Android, Windows, Mac, etc. http://www.overlooksoft.com/fing

Below are some authoritative references:

Responses to Secure your wireless router

  1. Dmitry March 24, 2015 at 11:18 am #

    Btw, about a week ago there was a post on russian resource about Asus routers' AiCloud vulnerability tested on latest firmware ver. 3.0.0.4.370 and it seems it hasn't been fixed yet for most Asus models, so you definitely should turn AiCloud off.

  2. Scott March 24, 2015 at 11:48 am #

    A thorough, excellent post. Thank you, Kevin!

  3. YB March 24, 2015 at 11:55 am #

    Glad to see you are back online. The web wasn't the same without you Martin.

    That being said, excellent article as always.

    • Martin Brinkmann March 24, 2015 at 1:00 pm #

      I'm not back online permanently yet though. Hopefully all will get sorted out tomorrow.

  4. Super Man March 24, 2015 at 2:00 pm #

    Martin,
    Hopefully you will be around a long time.

    Back to router configuration - the first time I did a firmware upgrade it totally screwed up my router. The connections would keep resetting themselves. I had to go back to the original firmware and let me tell you it was not easy. It had taken me several days to find the right documentation and the original firmware software. Needless to say I won't be doing another upgrade. I do have most of the other security settings here; will have to go back and check them all.

    • Kevin Dearing March 24, 2015 at 3:29 pm #

      I would encourage you to reconsider.

      The reason for firmware updates is to fix bugs and vulnerabilities. These cannot be solved by configuration alone.
      If you are running the original firmware, more than likely you have a security vulnerability, maybe multiple.

      Remember, your router is directly on the internet with a public IP address. This means anyone in the world can reach it.
      There are people that scan whole blocks of internet IP ranges looking for vulnerabilities. Some do it to inform/educate, most have other intentions.

      • Super Man March 24, 2015 at 3:44 pm #

        Kevin,
        If I do this again and it does the same thing where I cannot use the router at all how does that help me?
        Also, spent many hours on phone with support.

    • Blue March 24, 2015 at 5:34 pm #

      Though Kevin is correct about why there is a need for firmware upgrades, not every ISP can work with the new firmware, which may be the reason why you're having connection issues. Much like my Blackberry: when I purchased it, it had firmware version 2.5; according to the manufacturer's suggestion, and knowing which service provider's protocol I was on, they suggested the maximum I could upgrade to was version 4.0.

      When I brought my phone in for repairs, afterwards the service provider kept upgrading me to 4.1 without my permission, which really screwed up my phone. It would no longer ring any tone, it would only vibrate, and when I put the phone into sleep mode it kept rebooting. So to make a long story short, no, unless the protocols of the new firmware can work with your ISP/hardware, I would not suggest upgrading firmware.

  5. exrelayman March 24, 2015 at 2:41 pm #

    Timely for me. Just getting ready to try a router/modem combined unit, as 2 attempts to use a router for Wi-Fi messed up my wired service. Of your article, I am afraid my ignorance of what is actually going on could cause me to screw things up, and I don't want to begin by screwing things up - I don't have the expertise to be confident of being able to fix it. I will do the easiest things first and then one step at a time test using some of the more obscure things, so any problem can be fixed by undoing the last step of the process. Hopefully there is also a simple restore-entire-unit-to-factory-defaults button to save me also if needed!

  6. matt March 24, 2015 at 4:40 pm #

    You didn't mention using alternative firmwares like DD-WRT. I don't use it but have considered. What is your opinion about something like that?

    • Kevin Dearing March 24, 2015 at 7:18 pm #

      I love DD-WRT; have one in my network as well as a few others distributed among my family and friends.

      Thought hard about including it, but decided that, by itself, DD-WRT was not really a security measure. And because I believe DD-WRT (and/or Tomato) deserve a standalone article. It's on my list of topic ideas.

  7. YB March 24, 2015 at 6:13 pm #

    Such a shame that many browsers still don't route to HTTPS yet. I would think that in 2015, this would be default.

  8. D.C. March 24, 2015 at 7:06 pm #

    In order for Chromecast to work properly, Google says I have to enable uPnP on my router. Is there some way to make uPnP more secure when enabled short of toggling it on and off when I use the Chromecast?

    • Kevin Dearing March 24, 2015 at 7:19 pm #

      I have 3 in my house that work fine without uPnP.

  9. Saranathan March 25, 2015 at 2:28 am #

    Nice informative useful article.
    Thanks.

  10. Maurice Green March 25, 2015 at 6:52 pm #

    Slight slip of the finger. Didn't you mean "Secure YOUR wireless router"?
    Was about to post it to our FB page when I saw the misspelling.
    Maury

  11. Trevor March 25, 2015 at 8:55 pm #

    Merlins Firmware is on top of the recent security exploits and his builds are just bug fixes, security improvements, and features.

    He covers all of the ASUS routers from the low end to the high end AC87U

    http://asuswrt.lostrealm.ca/

  12. Sta... March 26, 2015 at 3:43 am #

    Although I have difficulty even wanting to read an article titled, "Secure you wireless router", I buzzed through most of it.
    There is too much stilted and incorrect English, especially online. When an article's headline shows someone either doesn't know English or doesn't care to say (write) what they mean, I don't care to read it any more than I do Nigerian email scams.

    • Jojo March 31, 2015 at 4:31 am #

      @Sta - So what was the purpose of your poorly written post criticizing someone else's poor English (IYO, which was not poorly written at all)? You wanted to look dumb in front of everyone?

      Suggest you try looking in the mirror, because your own use of English is pretty poor, in and of itself. [roflol]

  13. All Things Firefox March 26, 2015 at 11:30 pm #

    The How-To Geek addressed MAC address filtering and SSID hiding by saying that they are practically useless and that a strong password solves any problem these would "fix". MAC filtering is a pain in the neck to administer and as Kevin said, they can be easily broken by an advanced user. A good password/passphrase will turn anyone away. Again, with SSID hiding, a strong password makes this pointless. An analogy HTG used was using tape and a strong lock to help secure your front door. If the lock can be breached, the tape isn't going to help anything.
    Also, how can a router that's been made inaccessible from wireless be made reaccessible? Does it require resetting the router?
    Thanks for these interesting and informative articles Kevin.

  14. mikef90000 March 29, 2015 at 5:32 am #

    Kevin, this is a fine article but it reminded me of a continuing major annoyance. Mainly, consumer routers REALLY SUCK as their firmware is updated (maybe) for a short period of time until the vendor moves on to hardware version 2 with a completely different chipset. With the continual evolution of new threats we need a router hardware platform with a stable design, longer warranty and, if all possible, an open source stack.

    I don't envy the OpenWRT devs who have to chase and reverse engineer all of these cheap little sh*t boxes. Just lucky that my old WRT54GL keeps on working but eventually I'll need faster wireless, GigE and IPv6 support.

    Possibly out of this site's scope, but please consider reviewing some lower cost and better quality firewall hardware on my short list: Ubiquiti EdgeRouter Lite, RouterBoard RB750GL, PC Engines ALIX. Have I missed any? :) TIA, Mike
