Secure your wireless router

Kevin Dearing
Mar 24, 2015
Updated • Aug 21, 2019
Network
|
28

There is no such thing as perfect security. Given enough knowledge, resources, and time any system can be compromised. The best you can do is to make it as difficult for an attacker as possible. That said there are steps you can take to harden your network against the vast majority of attacks.

The default configurations for what I call consumer-grade routers offer fairly basic security. To be honest, it doesn’t take much to compromise them. When I install a new router (or reset an existing), I rarely use the ‘setup wizards’. I go through and configure everything exactly how I want it. Unless there is a good reason, I usually don’t leave it as default.

I cannot tell you the exact settings you need to change. Every router’s admin page is different; even router from the same manufacturer. Depending on the specific router, there may be settings you can’t change. For many of these settings, you will need to access the advanced configuration section of the admin page.

Tip: you may use the Android app RouterCheck to test your router's security.

I’ve included screenshots of an Asus RT-AC66U. It is in the default state.

Update your firmware. Most people update the firmware when they first install the router and then leave it alone. Recent research has shown that 80% of the 25 top-selling wireless router models have security vulnerabilities. Affected manufacturers include: Linksys, Asus, Belkin, Netgear, TP-Link, D-Link, Trendnet, and others. Most manufacturers release updated firmware when vulnerabilities are brought to light. Set a reminder in Outlook or whatever email system you use. I recommend checking for updates every 3 months. I know this sounds like a no-brainer, but only install firmware from the manufacturer’s website.

Also, disable the router’s capability to automatically check for updates. I’m not a fan of letting devices ‘phone home’. You have no control over what date is sent. For example, did you know that several so-called ‘Smart TVs’ send information back to their manufacturer? They send all your viewing habits every time you change the channel. If you plug a USB drive into them, they send a list of every filename on the drive. This data is unencrypted and is sent even if the menu setting is set to NO.

Disable remote administration. I understand some people need to be able to reconfigure their network remotely. If you have to, at least enable https access and change the default port. Note that this includes any type of ‘cloud’ based management, such as Linksys’ Smart WiFi Account and Asus’ AiCloud.

Use a strong password for router admin. Enough said. Default passwords for routers are common knowledge and you don't want anyone to just try a default pass and get in to the router.

Enable HTTPS for all admin connections. This is disabled by default on many routers.

wireless-security-1

Restrict inbound traffic. I know this is common sense, but sometimes people don’t understand the consequences of certain settings. If you must use port forwarding, be very selective. If possible, use a non-standard port for the service you’re configuring. There are also settings for filtering anonymous internet traffic (yes), and for ping response (no).

wireless-security-2

Use WPA2 encryption for the WiFi. Never use WEP. It can be broken within minutes with software freely available on the internet. WPA isn’t much better.

wireless-security-3

Turn off WPS (WiFi Protected Setup). I understand the convenience of using WPS, but it was a bad idea to start.

wireless-security-4

Restrict outbound traffic. As mentioned above, I normally don’t like devices that phone home. If you have these types of devices, consider blocking all internet traffic from them.

Disable unused network services, especially uPnP. There is a widely known vulnerability when using uPnP service. Other services probably unnecessary: Telnet, FTP, SMB (Samba/file sharing), TFTP, IPv6

Log out from the admin page when done. Just closing the web page without logging out can leave an authenticated session open in the router.

Check for port 32764 vulnerability. To my knowledge some routers produced by Linksys (Cisco), Netgear, and Diamond are affected, but there may be others. Newer firmware was released, but may not fully patch the system.

Check your router at: https://www.grc.com/x/portprobe=32764

Turn on logging. Look for suspicious activity in your logs on a regular basis. Most routers have the capability of emailing the logs to you at set intervals. Also make sure the clock and time zone are set correctly so that your logs are accurate.

For the truly security-conscious (or maybe just paranoid), the following are additional steps to consider

Change the admin user name. Everyone knows the default is usually admin.

Set up a ‘Guest’ network. Many newer routers are capable of creating separate wireless guest networks. Ensure it only has access to the internet, and not your LAN (intranet). Of course, use the same encryption method (WPA2-Personal) with a different passphrase.

Do not connect USB storage to your router. This automatically enables many services on your router and may expose the contents of that drive to the internet.

Use an alternate DNS provider. Chances are you are using whatever DNS settings your ISP gave you. DNS has increasingly become a target for attacks. There are DNS providers who have taken additional steps to secure their servers. As an added bonus, another DNS provider may increase your internet performance.

Change the default IP address range on your LAN (inside) network. Every consumer-grade router I’ve seen uses either 192.168.1.x or 192.168.0.x making it easier to script an automated attack.
Available ranges are:
Any 10.x.x.x
Any 192.168.x.x
172.16.x.x to 172.31.x.x

Change the router’s default LAN address. If someone does gain access to your LAN, they know the router’s IP address is either x.x.x.1 or x.x.x.254; don’t make it easy for them.

wireless-security-5

Disable or restrict DHCP. Turning off DHCP is usually not practical unless you’re in a very static network environment. I prefer to restrict DHCP to 10-20 IP addresses starting at x.x.x.101; this makes it easier to keep track of what’s happening on your network. I prefer to put my ‘permanent’ devices (desktops, printers, NAS, etc.) on static IP addresses. That way only laptops, tablets, phones, and guests are using DHCP.

wireless-security-6

Disable admin access from wireless. This functionality is not available on all home routers.

Disable SSID broadcast. This is not difficult for a professional to overcome and can make it a pain to allow visitors on your WiFi network.

Use MAC filtering. Same as above; inconvenient for visitors.

Some of these items fall into the category of ‘Security by Obscurity’, and there are many IT and security professionals that scoff at them, saying they are not security measures. In a way, they are absolutely correct. However, if there are steps you can take to make it more difficult to compromise your network, I think it’s worth considering.

Good security is not ‘set it and forget it’. We’ve all heard about the many security breaches at some of the biggest companies. To me, the really irritating part is when you here they had been compromised for 3, 6, 12 months or more before it was discovered.

Take the time to look through your logs. Scan your network looking for unexpected devices and connections.

Below is an authoritative reference:

Summary
Secure your Wireless Router
Article Name
Secure your Wireless Router
Description
A thorough guide to securing your wireless router to harden it against attacks and other threats.
Author
Publisher
Ghacks Technology News
Logo
Advertisement

Previous Post: «
Next Post: «

Comments

  1. Facebook said on December 23, 2019 at 1:52 pm
    Reply

    We are surrounded by routers nowadays. There’s evidence that hackers are now also trying to affect routers by making new viruses made especially for routers. It’s high time for us to start protecting our routers by securing it with all types of security. The steps shown here are very important & need to be followed by everyone who owns a router. Even the network providers should learn all this & implement it when the setup a connection.

  2. Vincent Cruz said on October 22, 2019 at 8:06 pm
    Reply

    What about NORDVPN added to the router? Wouldn’t this also discourage hackers?

  3. rap said on December 22, 2018 at 6:12 pm
    Reply

    I enabled HTTPS for admin connections as advised above… the fist impact was that I could not use the LAN (192.168.1.1) adress to access anylonger. I took note that the router says I should use:
    https://router.asus.com:8443/index.asp

    However, now Choogle Chrome says that this is an unsafe public location (unsafe). The URL bar shows “Unsafe: https://router.asus.com:8443/index.asp

    That does not sound like a good thing… is this normal?

    1. Uday said on January 5, 2019 at 2:59 am
      Reply

      I have the same issue as rap that when I use https, chrome says it is not secure. I also tried using a certificate and I could not get it to work.

      Thanks in advance for your help.

  4. mikef90000 said on March 29, 2015 at 5:32 am
    Reply

    Kevin, this is a fine article but it reminded me of a continuing major annoyance. Mainly, consumer routers REALLY SUCK as their firmware is updated (maybe) for a short period of time until the vendor moves on to hardware version 2 with a completely different chipset. With the continual evolution of new threats we need a router hardware platform with a stable design, longer warranty and, if all possible, an open source stack.

    I don’t envy the OpenWRT devs who have to chase and reverse engineer all of these cheap little sh*t boxes. Just lucky that my old WRT54GL keeps on working but eventually I’ll need faster wireless, GigE and IPv6 support.

    Possibly out of this sites scope, but please consider reviewing some lower cost and better quality firewall hardware on my short list: Ubiquity EdgeRouter Lite, RouterBoard RB750GL, PC Engines ALIX. Have I missed any? :) TIA, Mike

  5. All Things Firefox said on March 26, 2015 at 11:30 pm
    Reply

    The How-To Geek addressed MAC address filtering and SSID hiding by saying that they are practically useless and that a strong password solves any problem these would “fix”. MAC filtering is a pain in the neck to administer and as Kevin said, they can be easily broken by an advanced user. A good password/passphrase will turn anyone away. Again, with SSID hiding, a strong password makes this pointless. An analogy HTG used was using tape and a strong lock to help secure your front door. If the lock can be breached, the tape isn’t going to help anything.
    Also, how can a router that’s been made inaccessible from wireless be made reaccessible? Does it require resetting the router?
    Thanks for these interesting and informative articles Kevin.

  6. Sta... said on March 26, 2015 at 3:43 am
    Reply

    Although I have difficulty even wanting to read an article titled, “Secure you wireless router”, I buzzed through most of it.
    These is too much stilted and incorrect English, especially on line. When an article’s headline shows someone either doesn’t know English or doesn’t care to say (write) what they mean, I don’t care to read it anymore than I do Nigerian email scams.

    1. Jojo said on March 31, 2015 at 4:31 am
      Reply

      @Sta – So what was the purpose of your poorly written post criticizing someone else’s poor English, IYO), which was not poorly written at all)? You wanted to look dumb in front of everyone?

      Suggest you try looking in the mirror, because your own use of English is pretty poor, in and of itself. [roflol]

  7. Trevor said on March 25, 2015 at 8:55 pm
    Reply

    Merlins Firmware is on top of the recent security exploits and his builds are just bug fixes, security improvements, and features.

    He covers all of the ASUS routers from the low end to the high end AC87U

    http://asuswrt.lostrealm.ca/

  8. Maurice Green said on March 25, 2015 at 6:52 pm
    Reply

    Slight slip of the finger. Didn’t you mean “Secure YOUR wireless router”?
    Was about to post it to our FB page when I saw the misspelling.
    Maury

    1. Martin Brinkmann said on March 25, 2015 at 7:04 pm
      Reply

      Thanks, corrected. How could I overlook this..

      1. Maurice Green said on March 25, 2015 at 7:54 pm
        Reply

        Thanks Martin,
        Excellent article
        Just shared it on our FB timeline, http://facebook.com/spaug.net but it still says ‘YOU’ not ‘YOUR’. You might want to check that out.
        Maury

  9. Saranathan said on March 25, 2015 at 2:28 am
    Reply

    Nice informative useful article.
    Thanks.

  10. D.C. said on March 24, 2015 at 7:06 pm
    Reply

    In order for Chromecast to work properly, Google says I have to enable uPnP on my router. Is there some way to make uPnP more secure when enabled short of toggling it on and off when I use the Chromecast?

    1. Kevin Dearing said on March 24, 2015 at 7:19 pm
      Reply

      I have 3 in my house that work fine without uPnP.

      1. svim said on September 3, 2019 at 10:38 pm
        Reply

        I also have had no problems for years using my Chromecast with uPnP disabled on any of my routers.

        Where did you read that it was necessary? There isn’t any official statements from Google stating uPnP is necessary, perhaps it was just some reference in a random comment made by an anonymous user in one of Google’s help forums?

  11. YB said on March 24, 2015 at 6:13 pm
    Reply

    Such a shame that many browsers still don’t route to HTTPS yet. I would think that in 2015, this would be default.

  12. matt said on March 24, 2015 at 4:40 pm
    Reply

    You didn’t mention using alternative firmwares like DD-WRT. I don’t use it but have considered. What is your opinion about something like that?

    1. Kevin Dearing said on March 24, 2015 at 7:18 pm
      Reply

      I love DD-WRT; have one in my network as well as a few others distributed among my family and friends.

      Thought hard about including it, but decided that, by itself, DD-WRT was not really a security measure. And because I believe DD-WRT (and/or Tomato) deserve a standalone article. It’s on my list of topic ideas.

  13. exrelayman said on March 24, 2015 at 2:41 pm
    Reply

    Timely for me. Just getting ready to try a router/modem combined unit, as 2 attempts to use a router for wi fi messed up my wired service. Of your article, I am afraid my ignorance of what is actually going on could cause me to screw things up, and I don’t want to begin by screwing things up – I don’t have the expertise to be confident of being able to fix it. I will do the easiest things first and then one step at a time test using some of the more obscure things, so any problem can be fixed by undoing the last step of the process. Hopefully there is also a simple restore entire unit to factory defaults button to save me also if needed!

  14. Super Man said on March 24, 2015 at 2:00 pm
    Reply

    Martin,
    Hopefully you will be around a long time.

    Back to router configuration – the first time I did a firmware upgrade it totally screwed up my router. The connections would keeping resetting themselves. I had to go back to the original firmware and let me tell you it was not easy. It had taken me several days to find the right documentation and the original firmware software. Needless to say I won’t be doing another upgrade. I do have most of the other security settings here will have to go back and check them all.

    1. Blue said on March 24, 2015 at 5:34 pm
      Reply

      Though Kevin is correct why there is a need for firmware upgrades, not every ISP can work with the new firmware which may be the reason why you’re having connection issues. Much like my Blackberry when I purchased it it had firmware version 2.5, according to the manufacturer’s suggestion and knowing which service providers protocol I was on, they suggested the maximum I could upgrade to was version 4.0.

      When I brought my phone in for repairs, afterwards the service provider kept upgrading me to 4.1 without my permission which really screwed up my phone. It would not longer ring any tone, it would only vibrate, and when I put the phone into sleep mode it kept rebooting. So to make a long story short, no unless the protocols of the new firmware can work with your ISP/hardware, I would not suggest upgrading firmware.

    2. Kevin Dearing said on March 24, 2015 at 3:29 pm
      Reply

      I would encourage you to reconsider.

      The reason for firmware updates is to fix bugs and vulnerabilities. These cannot be solved by configuration alone.
      If you are running the original firmware, more than likely you have a security vulnerability, maybe multiple.

      Remember, your router is directly on the internet with a public IP address. This means anyone in the world can reach it.
      There are people that scan whole blocks of internet IP ranges looking for vulnerabilities. Some do it to inform/educate, most have other intentions.

      1. Super Man said on March 24, 2015 at 3:44 pm
        Reply

        Kevin,
        If I do this again and it does the same thing where I cannot use the router at all how does that help me?
        Also, spent many hours on phone with support.

  15. YB said on March 24, 2015 at 11:55 am
    Reply

    Glad to see you are back online. The web wasn’t the same without you Martin.

    That being said, excellent article as always.

    1. Martin Brinkmann said on March 24, 2015 at 1:00 pm
      Reply

      I’m not back online permanently yet though. Hopefully all will get sorted out tomorrow.

  16. Scott said on March 24, 2015 at 11:48 am
    Reply

    A thorough, excellent post. Thank you, Kevin!

  17. Dmitry said on March 24, 2015 at 11:18 am
    Reply

    Btw, about a week ago there was a post on russian resource about Asus routers’ AiCloud vulnerability tested on latest firmware ver. 3.0.0.4.370 and it seems it hasn’t been fixed yet for most Asus models, so you definitely should turn AiCloud off.

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

We love comments and welcome thoughtful and civilized discussion. Rudeness and personal attacks will not be tolerated. Please stay on-topic.
Please note that your comment may not appear immediately after you post it.