Suggestions you can think of?

Talk about internet security, computer security, personal security, your social security number...
peters
Posts: 2
Joined: Mon Jul 27, 2015 11:12 am

Re: Suggestions you can think of?

Post by peters »

Thrawn wrote:
Site *
Accept from SELF++
Anon

You can also use a workaround to apply both Anonymize and Sandbox actions; place one of them in the SYSTEM ruleset, and the other in the USER ruleset.

Maybe also (above the first one)

Site .cn .ru (and whichever other TLDs you distrust)
Deny
Hi, new to this forum.
Have been using NS for a couple of years without understanding / realising how much it does!
I am slowly reading and trying to take all the good stuff in :)

I have an ABE question.
Would the quoted rule adversely affect normal browsing? Would using both the Anon and Sandbox examples be a good idea, or would they seriously affect browsing?

Peter
barbaz
Senior Member
Posts: 10847
Joined: Sat Aug 03, 2013 5:45 pm

Re: Suggestions you can think of?

Post by barbaz »

peters wrote:Would the Quoted rule adversely affect normal Browsing?
Not really a question someone else can answer for you given that we don't know your normal browsing habits - why not just try it and find out? If it doesn't work for you, just remove it, no harm done.

(Personally I think blocking entire TLDs is not something you should do unless you're an advanced user.)
peters wrote:would using both Anon and Sandbox examples be a good idea or would they seriously affect browsing ?
That definitely would seriously affect browsing. Rather than use ABE sandbox, just use the normal NoScript permissions for normal browsing. It's MUCH more usable/practical.

ABE Sandbox is for when you need to block scripts on webpages by path, or if you want to block scripts based on request origin; that's useful mainly for protecting sensitive sites, not so much normal browsing.

Note also that ABE Sandbox doesn't mean "block all active content coming from this site" - for that, you want something more like

Site .example.net
Deny INC(SCRIPT, OBJ, FONT, XHR, MEDIA)
Sandbox
*Always* check the changelogs BEFORE updating that important software!
-
peters
Posts: 2
Joined: Mon Jul 27, 2015 11:12 am

Re: Suggestions you can think of?

Post by peters »

Thanks for your advice barbaz

I think I should do some reading before asking any more questions :)
Thrawn
Master Bug Buster
Posts: 3106
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia

Re: Suggestions you can think of?

Post by Thrawn »

When it comes to ABE, it's worth asking questions as you go...
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.

True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Argo
Posts: 2
Joined: Tue Jan 19, 2016 12:41 am

Re: Suggestions you can think of?

Post by Argo »

Router Security

References:
http://routersecurity.org/

0. When you work on your router console, use your browser in private mode.

1. Change the username (if possible) and password (always possible).

2. Change the WiFi password (long, up to 63 characters, and complicated, using ASCII). Better to set something really complicated and forget about it. Here is an example from https://www.grc.com/passwords.htm

p8SlT~?VXQF+u{IrA]r"zmHIk'pX[&t}z){DRN]~-loVh^X9bA?`t>n4*!6_l[.

3. Change SSID.
As long (max 32) and as complex as possible, with lowercase and capital letters and numbers. The network name is involved in encryption, so a very simple name, such as a word in the dictionary, enables the use of rainbow tables to break the encryption. Special characters in the SSID may create problems with certain devices. Don't put anything here that is connected to you (names, addresses, dates etc.).

4. Don't hide the SSID.
The main problem is this: When you connect your laptop to a non-broadcasting SSID, and set it up to auto reconnect – then every time you turn your laptop on, it will broadcast out that SSID name “HEY *SSID* are you there!!?”. This becomes a problem, say, when you go to the airport and boot up your laptop: it will broadcast that SSID. Now all a hacker has to do is set up *his* laptop as an Ad-Hoc network with the same SSID that you normally connect to – your laptop will connect to it thinking it’s the usual “home network SSID”. The hacker could set up his Ad-Hoc to relay traffic out to the Internet so you may think you have a good, live Internet connection – meanwhile the hacker is capturing all the traffic including usernames and passwords while you browse the Internet.
And by the way, in terms of security it doesn't add anything.

5. Change IP range.
The first 2 sections are better left as they are (i.e. 192.168.); the last 2 can be changed freely (i.e. .1.1.). Numbers that can be used: not 1 or 10; yes, 2-253.

For example change from 192.168.1.1 to 192.168.96.139

6. Have the admin console on HTTPS if possible.

7. Turn off WIFI community if possible

8. Set a timer to turn it off during the night (or whenever it is not used), if possible.

9. Turn off everything you don't use (and that your router supports):
UPnP (important)
Ping (important)
WPS (Always)
'Cloud Disk,' 'Smart Access,' and 'Smart Sync' (important)
Remote administration (important)
SNMP
nat-pmp
SAMBA
Telnet
SSH
PPTP
VPN
VPN server
Bonjour
DLNA Media server
FTP
DDNS
DMZ
Port Forwarding
Port triggering
RIP v1, aka Routing Information Protocol version 1
Multicast

10. Encryption
Set to WPA2 (only! not WPA/WPA2) with AES (only! do not use TKIP, it is vulnerable), to avoid fallback.
Set the same for your devices.

11. Firewall, set to medium.
Here are the standards for router firewalls.

HIGH: Enforces strict control on all incoming and outgoing connections. All inbound traffic is blocked. Restricts all outbound traffic except for the following: Web traffic (HTTP, HTTPS), email (IMAP, POP3, SMTP), ftp, newsgroups, Telnet, DNS, IPSEC IKE and VPN traffic.

MEDIUM: from here on, no games, no torrents. All inbound traffic is blocked. All outbound traffic is allowed to the Internet except for Windows file sharing (NBT ports 137, 138, 139 and 445).

LOW: insecure. Enforces basic control on incoming connections (all inbound traffic is blocked to the external UTM-1 appliance IP address, except for ICMP echoes, "pings"), while permitting all outgoing connections.

12. Change your DNS service to something that doesn't log and that uses DNSSEC.
For example:

Alternate DNS
198.101.242.72
23.253.163.53

Here you can test your DNS spoofability:
https://www.grc.com/dns/dns.htm

13. Update the firmware

14. Check if your router has vulnerabilities.
http://routersecurity.org/bugs.php
barbaz
Senior Member
Posts: 10847
Joined: Sat Aug 03, 2013 5:45 pm

Re: Suggestions you can think of?

Post by barbaz »

Argo wrote:Router Security

References:
http://routersecurity.org/
Nice link, thanks for sharing.
(They have an interesting opinion of Win10 ;) TTTBF.)
Argo wrote:4. Don't hide the SSID.
The main problem is this: When you connect your laptop to a non broadcasting SSID, and set it up to auto reconnect – then every time you turn your laptop on, it will broadcast out that SSID name “HEY *SSID* are you there!!?”. This becomes a problem say, when you go to the Airport and bootup your laptop it will broadcast that SSID. Now all a hacker has to do is setup *his* laptop as an Ad-Hoc network with the same SSID that you normally connect to – your laptop will connect to it thinking it’s the usual “home network SSID”. The hacker could setup his Ad-Hoc to relay traffic out to the Internet so you may think you have a good, live Internet connection – meanwhile the hacker is capturing all the traffic including usernames and passwords while you browse the Internet.
Well you could just have your laptop(s) not automatically connect to that network, no? Or turn off Wi-Fi and then disable auto-connect to the hidden-SSID network when you know you're going somewhere you'll want to use Wi-Fi?
Argo wrote:5. Change IP range.
The first 2 sections it's better to leave as they are (i.e. 192.168.) the last 2 can be changed freely (i.e. .1.1.). Number that can be used: No 1 or 10 - Yes 2-253

For example change from 192.168.1.1 to 192.168.96.139
This is not changing the IP range, this is just changing the internal IP of the router. Unless you also mean you should change what part of 192.168.* the router uses for DHCP?
Argo wrote:7. Turn off WIFI community if possible
What's Wi-Fi community?
*Always* check the changelogs BEFORE updating that important software!
-
barbaz
Senior Member
Posts: 10847
Joined: Sat Aug 03, 2013 5:45 pm

Re: Suggestions you can think of?

Post by barbaz »

Argo wrote:12. Change your DNS service with something that doesn't log and that uses DNSSEC.
For example:

Alternate DNS
That DNS service (website, because it's hard to find: alternate-dns.com) seems to be all about ad blocking...
Not a good idea to suggest it without giving this important information. The problem with ad blocking at the DNS level is that users cannot unblock or whitelist some ad-related thing if needed to either fix a broken webpage or to deliberately view specific site's ads: they will have to change DNS servers to do so (and it will be quite hard to discover that)...
*Always* check the changelogs BEFORE updating that important software!
-
GµårÐïåñ
Lieutenant Colonel
Posts: 3365
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA

Re: Suggestions you can think of?

Post by GµårÐïåñ »

I don't think anyone should use DNS services for "adblocking". As what is "bad" is relative to the user, what is bad to one is not to another, and that will mean that it will be an underperformer, missing stuff, or over-aggressive, blocking too much. I think that's best on the client side. As far as DNS services, I would strongly recommend that people put some thought into their selection as it is the #1 factor (yes, right behind bandwidth, connection speed and connection type) in determining the speed of your interaction with the internet. A slow-responding or poorly configured DNS server can actually cause you massive slowness and unreliability. You need a server with a 24/7 uptime framework, large geo distribution to ensure that your AD (administrative distance) is always chosen properly, the least number of hops, no content filtering (like Comodo and some other antivirus companies, like Norton, use), and of course it goes without saying that there should be no logging, although almost EVERYONE logs to some extent for some reason, even if only the least benign of aggregate data.

I have personally found OpenDNS to be the best performer (I use it personally, despite my discomfort that it is now run by Cisco). I also have failover servers that go to Google (don't be shocked, that doesn't mean I like or trust Google, but for failsafe, given their range, it's the best option) and finally round out the list with Comodo Secure Servers (not a huge fan, as they do content filtering and I prefer my connections to just fail, rather than get some landing page, but for last resort, they are not awful). But something of note, something I have said for so many years that I am getting tired: ONE SIZE SECURITY DOESN'T EXIST. People need to be proactive and formulate what is best for THEIR setup.

A great tool that would allow you to better measure, test, implement and understand DNS configuration is available at GRC.com and I would STRONGLY recommend people take it for a spin. DNS Benchmark [direct link] can give you the visual and a testing platform to choose what's best. Also something people tend to overlook is that they enter DNS servers for their client (aka the PC, Mac, devices, etc) but almost nearly ALWAYS overlook the DNS that is assigned to them inside their routers (often provided by the ISP) which often override or can cause bottleneck if they are different than your client side servers.

What I do is load the custom DNS servers at the ROUTER level, meaning it will choose them over anything the ISP gives, and I maintain that list to ensure the most efficiency. On my client side, I simply point to DNS servers by giving the router address (say 192.168.1.1 or whatever you have set it to or the manufacturer has chosen as the "ROUTER ADDRESS") and use that as your DNS entry. The tool I mentioned above WILL bitch about this, but it doesn't account for the fact that on a network, equal distribution of the DNS credentials is far better than maintaining individual systems which can get overlooked or go out of date. To each their own; I personally don't care and find this setup to have been the most stable, fast, and efficient setup.

~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
Argo
Posts: 2
Joined: Tue Jan 19, 2016 12:41 am

Re: Suggestions you can think of?

Post by Argo »

Thank you all for your answers.
First I'd like to make a clarification: I am not a pro (not even a competent amateur) and not an English speaker.
So I apologise in advance for the many mistakes (in both areas) you'll find in my posts.
And I thank you all for all the corrections you'll point out.
barbaz wrote:Nice link, thanks for sharing.
You're very welcome.
barbaz wrote:Well you could just have your laptop(s) not automatically connect to that network, no? Or turn off Wi-Fi and then disable auto-connect to the hidden-SSID network when you know you're going somewhere you'll want to use Wi-Fi?
All those solutions work perfectly. For me it was just important to make this information available. I found it as a comment on an article about router security but I've never seen anyone else making this point.
Although it is widely suggested to hide the SSID, no one warns about this danger.
I think the right formulation for me would be "If you hide your SSID, take one of these precautions...".
barbaz wrote:This is not changing the IP range, this is just changing the internal IP of the router. Unless you also mean should change what part of 192.168.* the router uses for DHCP?
That's exactly what I meant, thank you. It's just that all the routers I worked with so far did it automatically (but we can't assume that this always happens).
barbaz wrote:What's Wi-Fi community?
WiFi Community is something like this: anyone who is walking on the street and can get the signal my router broadcasts can access the internet by paying a per-hour (or per-minute or whatever) fee to my ISP.
Of course the WiFi Community network and mine are divided, but many have already pointed out the dangers of this.
My router supports the WiFi Community service and I cannot disable it, nor was I informed about it by my ISP.
I am not the holder of the contract and so I could do very little about it (the contract holder is not interested in any of this: he's like "if it's legal, it's safe!").
Unfortunately I have no time now to look for the article about the dangers of WC. I'll look for it later (I've only lately started to save the sources of the information I gather).
barbaz wrote:That DNS service (website, because it's hard to find: alternate-dns.com) seems to be all about ad blocking...
Not a good idea to suggest it without giving this important information.
GµårÐïåñ wrote:I don't think anyone should use DNS services for "adblocking".
My apologies, I agree with both of you. I just recently made the step from using pre-existing filters (disconnect.me, ghostery etc...) to using tools that put the choice of what and how to use back in my hands.
In this context Alternate DNS is a heritage of the previous stage and I completely forgot about it.
So thank you, I already changed my DNS to OpenVPN while I look for something else (yes I really don't like the Cisco stuff).
barbaz
Senior Member
Posts: 10847
Joined: Sat Aug 03, 2013 5:45 pm

Re: Suggestions you can think of?

Post by barbaz »

Argo wrote:
barbaz wrote:What's Wi-Fi community?
WiFi Community is something like this: anyone who is walking on the street and can get the signal my router broadcasts can access the internet by paying a per-hour (or per-minute or whatever) fee to my ISP.
Of course the WiFi Community network and mine are divided, but many have already pointed out the dangers of this.
My router supports the WiFi Community service and I cannot disable it, nor was I informed about it by my ISP.
I am not the holder of the contract and so I could do very little about it (the contract holder is not interested in any of this: he's like "if it's legal, it's safe!").
Unfortunately I have no time now to look for the article about the dangers of WC. I'll look for it later (I've only lately started to save the sources of the information I gather).
:shock: :o :!:
Wow, that has got to be one of the worst ideas I've ever heard. I should hope these ISPs at least don't hold the poor hapless sucker primary customer responsible for anything whatsoever that happens on Wi-Fi Community! It would really be unfair to count Wi-Fi Community data usage as part of the primary customer's data usage.

At least that would only apply to ISP-provided routers though, right? Probably your best bet security-wise is to buy a second router, attach only that router directly to your ISP-provided router, and use your computer(s) (and other devices) with your personal router. (Side note: I would recommend using a different private IP range with your personal router than your ISP router. Example, assuming your ISP-provided router uses 192.168.* for its internal network, set your personal router to use 10.0.* for its internal network.)
*Always* check the changelogs BEFORE updating that important software!
-
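Argo's point 5 (move the router off 192.168.1.1, keep the last two octets out of 1 and 10 and inside 2..253) and barbaz's side note just above (give a personal router behind the ISP box a different private range so the two subnets do not overlap) are both checks that can be automated. The following Python is an added example, not code from either poster or from NoScript; it uses only the standard `ipaddress` module, the sample plans at the bottom are constructed, and the "not 1 or 10, use 2..253" octet rule is Argo's rule of thumb from the post, applied as written.

```python
import ipaddress

# RFC 1918 private ranges: a home LAN should always live inside one of these.
PRIVATE_BLOCKS = [ipaddress.ip_network(b)
                  for b in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def octet_problems(router_ip: str) -> list:
    """Apply the thread's rule of thumb to the last two octets of the router
    address: avoid 1 and 10 (factory defaults), stay within 2..253."""
    problems = []
    octets = [int(o) for o in router_ip.split(".")]
    for position, value in (("third", octets[2]), ("fourth", octets[3])):
        if value in (1, 10):
            problems.append(f"{position} octet {value} is a common factory default")
        elif not 2 <= value <= 253:
            problems.append(f"{position} octet {value} is outside 2..253")
    return problems


def check_lan_plan(router_ip: str, prefixlen: int, upstream_subnet: str) -> list:
    """Return the problems found with a proposed LAN plan; an empty list passes.

    router_ip       - address you intend to give your own router's LAN side
    prefixlen       - LAN prefix length (24 for a /24, the usual home setting)
    upstream_subnet - LAN subnet of the router in front of yours (e.g. the ISP box)
    """
    problems = []
    addr = ipaddress.ip_address(router_ip)
    lan = ipaddress.ip_network(f"{router_ip}/{prefixlen}", strict=False)
    upstream = ipaddress.ip_network(upstream_subnet)

    if not any(addr in block for block in PRIVATE_BLOCKS):
        problems.append(f"{router_ip} is not in an RFC 1918 private range")
    if addr in (lan.network_address, lan.broadcast_address):
        problems.append(f"{router_ip} is the network or broadcast address of {lan}")
    if lan.overlaps(upstream):
        # Same range on both sides of a chained router: hosts cannot tell
        # which side a destination is on and forwarding becomes ambiguous.
        problems.append(f"LAN {lan} overlaps upstream {upstream}")
    problems.extend(octet_problems(router_ip))
    return problems


if __name__ == "__main__":
    # Constructed sample plans, all behind an ISP router using 192.168.1.0/24.
    for plan in (("192.168.1.1", 24, "192.168.1.0/24"),     # factory default
                 ("192.168.96.139", 24, "192.168.1.0/24"),  # Argo's example
                 ("10.0.96.139", 24, "192.168.1.0/24")):    # barbaz's 10.0.* idea
        print(plan, "->", check_lan_plan(*plan) or "OK")
```

The overlap check is the one that matters most for barbaz's two-router layout: a personal router whose LAN is also 192.168.1.0/24 would "pass" every other test and still produce routing that does not work reliably.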
GµårÐïåñ
Lieutenant Colonel
Posts: 3365
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA

Re: Suggestions you can think of?

Post by GµårÐïåñ »

barbaz wrote:At least that would only apply to ISP-provided routers though, right? Probably your best bet security-wise is to buy a second router, attach only that router directly to your ISP-provided router, and use your computer(s) (and other devices) with your personal router. (Side note: I would recommend using a different private IP range with your personal router than your ISP router. Example, assuming your ISP-provided router uses 192.168.* for its internal network, set your personal router to use 10.0.* for its internal network.)
Subnetting is not always necessary as many advanced routers will have the option to configure VLANs so you can just go that route to keep the two "subnets" separate.
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
yes_noscript

Re: Suggestions you can think of?

Post by yes_noscript »

Thanks for the link.
Argo wrote:0. When you work on your router console use browser in private mode.
I don't see any reason for this. If the PC / OS account / browser account is your own, all is okay.
And even if not, just don't save the login data in the browser and/or cookies.
Argo wrote:3. Change SSID.
As long (max 32) and as complex as possible with lowercase, capital letters and number. The network name is involved in encryption, so a very simple name, such as a word in the dictionary, enables the use of rainbow tables to break the encryption. Special characters in the SSID may create problems with certain devices. Don't here anything that is connected to you (names, addresses, dates etc...).
All routers send the SSID in plain text, so why talk about rainbow tables to break the encryption? What you maybe mean is breaking the default WLAN password for routers which generate it from the default SSID and other data.
But it isn't a real problem, because most routers fix this, or are not vulnerable if the user sets their own WLAN password and/or SSID.
So in my opinion the SSID is indifferent.

GµårÐïåñ wrote:A great tool that would allow you to better measure, test, implement and understand DNS configuration is available at GRC.com
The tool is very old and doesn't include all DNS servers.
Last Updated: Sep 30, 2010 at 15:58
So I would not recommend using this tool.
GµårÐïåñ wrote:I have personally found OpenDNS
OpenDNS is shi*. First it's Cisco, second they log your IP and more, third they have a really bad configuration.
Just take a look at the website. Do you think they really care about your data? Sorry, but no. "Business Security"
If you need a good DNS server then use the FoeBud or CCC one.
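Point 3 of Argo's router list (a dictionary-word SSID "enables the use of rainbow tables") and yes_noscript's objection above (the SSID is sent in plain text, so it is "indifferent") can both be checked against how WPA2-Personal actually uses the name: the pre-shared key is derived from the passphrase with PBKDF2-HMAC-SHA1 and the SSID as the salt, so a table precomputed for one SSID only pays off against networks that use exactly that SSID, while the SSID itself is still broadcast in the clear. The Python below is an added example written for this thread, not code from any poster or from NoScript; the wordlist and SSID names in it are constructed, and the one fixed test value is the published IEEE 802.11i test vector (passphrase "password", SSID "IEEE").

```python
import hashlib

# WPA2-Personal (IEEE 802.11i) derives the 256-bit Pairwise Master Key from
# the passphrase with PBKDF2-HMAC-SHA1, 4096 iterations, 32 bytes of output,
# and the SSID as the salt. That salt is the SSID's only cryptographic role;
# the SSID itself still goes over the air unencrypted.
ITERATIONS = 4096
PMK_LEN = 32

# Constructed wordlist standing in for an attacker's precomputation dictionary.
WORDLIST = ["password", "letmein1", "12345678", "sunshine"]


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """Return the WPA2 PMK for this passphrase/SSID pair."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA2 passphrases are 8..63 ASCII characters")
    salt = ssid.encode()
    if not 1 <= len(salt) <= 32:
        raise ValueError("SSID must be 1..32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), salt, ITERATIONS, PMK_LEN)


def build_pmk_table(ssid: str, wordlist) -> dict:
    """Precompute PMK -> passphrase for ONE SSID.

    This is the work a rainbow table amortises across many targets, and it
    is reusable only against networks that share this exact SSID.
    """
    return {derive_pmk(word, ssid): word for word in wordlist}


def lookup_pmk(table: dict, pmk: bytes):
    """Return the passphrase behind a PMK if the table covers it, else None."""
    return table.get(pmk)


if __name__ == "__main__":
    # Table built once for a common default name (constructed example).
    table = build_pmk_table("linksys", WORDLIST)
    # Same weak passphrase on two networks: only the default-SSID one is hit.
    for ssid in ("linksys", "x7Qp-home-9z"):
        hit = lookup_pmk(table, derive_pmk("letmein1", ssid))
        print(f"SSID {ssid!r}: {'found ' + hit if hit else 'no table hit'}")
```

The takeaway for a defender is the one the two posts split between them: a unique SSID denies an attacker precomputation, but it does nothing against a live dictionary attack on a weak passphrase, so the passphrase (point 2 of the list) is what carries the security.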
barbaz
Senior Member
Posts: 10847
Joined: Sat Aug 03, 2013 5:45 pm

Re: Suggestions you can think of?

Post by barbaz »

yes_noscript wrote:And even if not. Just don't save the login data in the browser and/ or cookies.
Because someone else's computer is guaranteed not to have a keylogger installed or the like?
yes_noscript wrote:If you need a good DNS server then use the FoeBud or CCC one.
FoeBud DNS appears not to exist (I can't find even any sign of it at all), and CCC appears to be an organization of haxxors...
Dubious recommendations to say the least.

And kindly tone down the language, profanity is not called for here.
*Always* check the changelogs BEFORE updating that important software!
-
GµårÐïåñ
Lieutenant Colonel
Posts: 3365
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA

Re: Suggestions you can think of?

Post by GµårÐïåñ »

yes_noscript wrote:The tool is very old and didn't include all DNS servers.
Last Updated: Sep 30, 2010 at 15:58
So i would not recommend using this tool.
This tool is timeless because the list that comes with it covers most major backbones. But ultimately it's designed FOR YOU to take an active role in creating a DNS list and testing them. Again we go back to complacency.
yes_noscript wrote:OpenDNS is shi*. First it's Cisco, second they log your IP and more, third they have a really bad configuration.
Just take a look at the website. Do you think they really care about your data? Sorry, but no. "Business Security"
If you need a good DNS server then use the FoeBud or CCC one.
I wouldn't go that far, yes, they were acquired by Cisco, not an entirely bad thing when it comes to resources and experience of the company. As for the logging, as I said for statistical purposes EVERYONE logs access to their servers, period. Anyone says they don't, they are OUTRIGHT LYING. Ultimately, to each their own.
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
GµårÐïåñ
Lieutenant Colonel
Posts: 3365
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA

Re: Suggestions you can think of?

Post by GµårÐïåñ »

barbaz wrote:FoeBud DNS appears not to exist (I can't find even any sign of it at all), and CCC appears to be an organization of haxxors...
Dubious recommendations to say the least.
Agreed
barbaz wrote:And kindly tone down the language, profanity is not called for here.
+1
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________