Router Security
References:
http://routersecurity.org/
0. When you work on your router console, use your browser in private mode.
1. Change the username (if possible) and the password (always possible).
2. Change the Wi-Fi password (long, up to 63 characters, and complicated, using the full printable ASCII set). Better to set something really complicated and forget about it. Here is an example from
https://www.grc.com/passwords.htm
p8SlT~?VXQF+u{IrA]r"zmHIk'pX[&t}z){DRN]~-loVh^X9bA?`t>n4*!6_l[.
3. Change the SSID.
Make it as long (max 32) and as complex as possible, with lowercase letters, capital letters and numbers. The network name is involved in the encryption, so a very simple name, such as a word in the dictionary, enables the use of rainbow tables to break the encryption. Special characters in the SSID may create problems with certain devices. Don't put anything in it that is connected to you (names, addresses, dates, etc.).
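Why steps 2 and 3 go together: in WPA2-Personal the 256-bit key (PSK) is derived from the passphrase with PBKDF2-HMAC-SHA1, and the SSID is the salt. The script below is an added illustration (not from this page or from routersecurity.org): it checks a passphrase and SSID against the limits stated above and shows that the same passphrase gives a different PSK under a different SSID, which is why a precomputed table built for a common name is useless against a unique one. The "IEEE"/"password" pair is the standard's published test vector; the other values are constructed.

```python
import hashlib

# WPA2-Personal (IEEE 802.11i): PSK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096, 256 bits)
PBKDF2_ITERATIONS = 4096
PSK_LEN = 32

# The standard restricts passphrases to printable ASCII, 0x20-0x7E.
PRINTABLE_ASCII = {chr(c) for c in range(0x20, 0x7F)}


def check_passphrase(passphrase: str) -> list:
    """Return the rule violations for a WPA2 passphrase (empty list if it is fine)."""
    problems = []
    if not 8 <= len(passphrase) <= 63:
        problems.append("length must be 8-63 characters")
    if any(ch not in PRINTABLE_ASCII for ch in passphrase):
        problems.append("only printable ASCII (0x20-0x7E) allowed")
    return problems


def check_ssid(ssid: str) -> list:
    """An SSID is 1 to 32 bytes; multi-byte characters count by their UTF-8 size."""
    problems = []
    if not 1 <= len(ssid.encode("utf-8")) <= 32:
        problems.append("SSID must be 1-32 bytes")
    return problems


def derive_psk(passphrase: str, ssid: str) -> str:
    """Hex-encoded 256-bit PSK, the same value wpa_passphrase prints as 'psk='."""
    psk = hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                              ssid.encode("utf-8"), PBKDF2_ITERATIONS, PSK_LEN)
    return psk.hex()


def ssid_changes_key(passphrase: str, ssid_a: str, ssid_b: str) -> bool:
    """True when the two networks end up with different PSKs: a table precomputed
    for ssid_a does not help against ssid_b even though the passphrase is identical."""
    return derive_psk(passphrase, ssid_a) != derive_psk(passphrase, ssid_b)


if __name__ == "__main__":
    print(derive_psk("password", "IEEE"))                    # published test vector
    print(ssid_changes_key("password", "linksys", "x7Qm2pLk9vR4"))  # constructed SSIDs
```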
4. Don't hide the SSID.
The main problem is this: when you connect your laptop to a non-broadcasting SSID and set it up to auto-reconnect, then every time you turn your laptop on it will broadcast that SSID name ("HEY *SSID*, are you there!!?"). This becomes a problem when, say, you go to the airport and boot up your laptop: it will broadcast that SSID. Now all a hacker has to do is set up *his* laptop as an ad-hoc network with the same SSID that you normally connect to, and your laptop will connect to it thinking it's the usual "home network SSID". The hacker could set up his ad-hoc network to relay traffic out to the Internet, so you may think you have a good, live Internet connection, while meanwhile the hacker is capturing all the traffic, including usernames and passwords, as you browse the Internet.
And by the way, in terms of security, hiding the SSID doesn't add anything.
5. Change the IP range.
It's better to leave the first two octets as they are (i.e. 192.168.); the last two can be changed freely (i.e. .1.1). Numbers that can be used: not 1 or 10; yes to 2-253.
For example, change from 192.168.1.1 to 192.168.96.139.
6. Use HTTPS for the admin console if possible.
7. Turn off community Wi-Fi if possible.
8. Set a timer to turn off Wi-Fi during the night (or whenever it is not used), if possible.
9. Turn off everything you don't use (and that your router supports):
UPnP (important)
Ping (important)
WPS (Always)
'Cloud Disk', 'Smart Access' and 'Smart Sync' (important)
Remote administration (important)
SNMP
nat-pmp
SAMBA
Telnet
SSH
PPTP
VPN
VPN server
Bonjour
DLNA Media server
FTP
DDNS
DMZ
Port Forwarding
Port triggering
RIP v1, aka Routing Information Protocol version 1
Multicast
10. Encryption
Set it to WPA2 only (not WPA/WPA2 mixed mode) with AES only (do not use TKIP, which is vulnerable), to avoid fallback to the weaker option.
Set the same on your devices.
11. Firewall: set it to medium.
Here are the standard levels for a router firewall.
HIGH: Enforces strict control on all incoming and outgoing connections. All inbound traffic is blocked. Restricts all outbound traffic except for the following: Web traffic (HTTP, HTTPS), email (IMAP, POP3, SMTP), ftp, newsgroups, Telnet, DNS, IPSEC IKE and VPN traffic.
MEDIUM: from here on, no games and no torrents. All inbound traffic is blocked. All outbound traffic to the Internet is allowed, except for Windows file sharing (NBT ports 137, 138, 139 and 445).
LOW: insecure. Enforces basic control on incoming connections (all inbound traffic to the external UTM-1 appliance IP address is blocked, except for ICMP echoes, "pings"), while permitting all outgoing connections.
12. Change your DNS service to one that doesn't log and that supports DNSSEC.
For example:
Alternate DNS
198.101.242.72
23.253.163.53
Here you can test your DNS spoofability:
https://www.grc.com/dns/dns.htm
13. Update the firmware.
14. Check if your router has vulnerabilities.
http://routersecurity.org/bugs.php