How do you secure your (wireless) router?

wboz
Posts: 233
Joined: Wed 20 Nov 2013, 21:07

#1 Post by wboz »

Not asking: what should one do, but more: What do YOU do ... or at least, recommend people do.

For years I have been, shall we say, lukewarm. OK, kinda lax. Yes, I secure the Wifi with a password, like all non-idiots. I went the extra step for security by unintentionally misspelling the word, leading most guests to the house to spend many minutes retyping correctly-spelled but wrong passwords.

But beyond that ... I run WPA, but probably only because it was the best available for the firmware at the time. Until today my router login was the admin (which admittedly is only good if you can get on the wifi, but still). I update the firmware but only every year or so. I broadcast SSID. And I use the default public ID "NETGEAR" which does nothing to make the router technically more vulnerable, but does demonstrate that 1) the user doesn't care very much about security.

If I stop doing any of the above (like, if I move to WPA+WPA2), am I going to knock my (many) older devices off the network until I repair them? Is there anything else I should be doing? Note I am not very fearful of a local wifi snooper - my low-power wifi-g hardly reaches to the next house - but more so remote attackers who care nothing about the individual target.

Of course the entire background behind my lax approach is that, quite frankly, I have very little of value around these (electronic) parts ... :)

bark_bark_bark
Posts: 1885
Joined: Tue 05 Jun 2012, 12:17
Location: Wisconsin USA

#2 Post by bark_bark_bark »

If a 3rd party open source router firmware exists that is compatible with your router, then absolutely use that.
....

mikeb
Posts: 11297
Joined: Thu 23 Nov 2006, 13:56

#3 Post by mikeb »

WPA2 and changed password.... firmware is locked to the isp so never been an upgrade.

been ok since 2008 that way and there are plenty of other computer users in range.

Only failure was the guinea pig ate the wire from the psu recently. He had a wild child moment...

Mike

neerajkolte
Posts: 516
Joined: Mon 10 Feb 2014, 07:05
Location: Pune, India.

#4 Post by neerajkolte »

I don't have a wireless router, but I found these posts:
http://www.howtogeek.com/173921/secure- ... right-now/
http://www.howtogeek.com/205299/how-to- ... y-updates/
Also see "RELATED ARTICLES" inside them.

Seems helpful.

Thanks.

- Neeraj.
"One of my most productive days was throwing away 1000 lines of code."
- Ken Thompson

“We tend to overestimate the effect of a technology in the short run and underestimate the effect in the long run.”
- Amara’s Law.

Burn_IT
Posts: 3650
Joined: Sat 12 Aug 2006, 19:25
Location: Tamworth UK

#5 Post by Burn_IT »

I only use the 5GHz band and disable the 2.4GHz one.
I refuse to buy any device that NEEDS constant network access and doesn't support this band.

I do turn it on occasionally for those devices that need it for updates.
"Just think of it as leaving early to avoid the rush" - T Pratchett

wboz
Posts: 233
Joined: Wed 20 Nov 2013, 21:07

#6 Post by wboz »

Thanks everyone.
1) I actually only partially agree with the advice to get 3rd party firmware. I think if your device has limited capabilities in the stock firmware, absolutely. But the Netgear firmware included is actually quite good, there are a lot of options you don't normally see like upload limiting, blocked sites and services, QoS, guest networking etc. I have looked at DD-WRT before and not found any additional capabilities I wanted - it's one of the things I appreciate about this not-very-flashy router.
2) I don't have a 5GHz band :P ... and I would say the majority of my devices don't support 5GHz anyway. The only device that needs constant connectivity is the Nest smoke alarm.

Does the router constrain download speeds if the ISP speed is the primary constraint? If the g band is giving 54MB/sec and the ISP download tier is 20MB/sec ... would there be ANY benefit in upgrading the router? I have no NAS or in-network streaming need.

Burn_IT
Posts: 3650
Joined: Sat 12 Aug 2006, 19:25
Location: Tamworth UK

#7 Post by Burn_IT »

The download speed is only a restriction from the internet.
Inter-device speed may be important, that is where the local frequency/channel range is important and the biggest factor there is contention. If you live somewhere where most of your neighbours use wireless devices, you may struggle to get decent reception in the 2.4GHz band.
I just this second looked at InSSider and I have 25 nearby networks in the 2.4GHz band and my guest one is by no means the strongest.
Mine is the only one in the 5GHz band.
"Just think of it as leaving early to avoid the rush" - T Pratchett

bigpup
Posts: 13886
Joined: Sun 11 Oct 2009, 18:15
Location: S.C. USA

#8 Post by bigpup »

The router's default password is easily found.
If you do not change it you leave it wide open to access by others.
http://www.routerpasswords.com/
This is the password used to access the internal working of the router.
Its internal software and setup settings.

This is not the same as the wireless network password, most people set up, used to connect to the router.
But if you did not set up that password, the default manufacturer's password would probably work for that one also.
The things they do not tell you, are usually the clue to solving the problem.
When I was a kid I wanted to be older.... This is not what I expected :shock:
YaPI(any iso installer)

fuelish
Posts: 78
Joined: Fri 15 Mar 2013, 13:46

#9 Post by fuelish »

bigpup wrote: The router's default password is easily found.
If you do not change it you leave it wide open to access by others.
http://www.routerpasswords.com/
This is the password used to access the internal working of the router.
Its internal software and setup settings.

This is not the same as the wireless network password, most people set up, used to connect to the router.
But if you did not set up that password, the default manufacturer's password would probably work for that one also.
Wouldn't you first have to have the wireless network password and be connected before you could access the router admin page?

Burn_IT
Posts: 3650
Joined: Sat 12 Aug 2006, 19:25
Location: Tamworth UK

#10 Post by Burn_IT »

The Wireless access hacking is fairly easy with most routers as the default WEP password is dead easy to break even if it has been changed.
"Just think of it as leaving early to avoid the rush" - T Pratchett

fuelish
Posts: 78
Joined: Fri 15 Mar 2013, 13:46

#11 Post by fuelish »

Burn_IT wrote: The Wireless access hacking is fairly easy with most routers as the default WEP password is dead easy to break even if it has been changed.
I have heard that WEP can be hacked. Which is why WPA is recommended.

Then IIUC the answer to my question is that you must know the wireless password and be connected to the wireless network before you can access the router admin page.

Burn_IT
Posts: 3650
Joined: Sat 12 Aug 2006, 19:25
Location: Tamworth UK

#12 Post by Burn_IT »

Well that DOES assume that you aren't Ethernet connected!!
"Just think of it as leaving early to avoid the rush" - T Pratchett

fuelish
Posts: 78
Joined: Fri 15 Mar 2013, 13:46

#13 Post by fuelish »

Burn_IT wrote: Well that DOES assume that you aren't Ethernet connected!!
Ethernet? You’re having me on. I don’t know why I talk to you.

Burn_IT
Posts: 3650
Joined: Sat 12 Aug 2006, 19:25
Location: Tamworth UK

#14 Post by Burn_IT »

Of course I was being ironic.
But we have been having this deep? discussion about router security, but completely ignoring the fact that the physical box has to be in a secure location and without such obvious back doors as an ethernet connection into it.
I've been into a small company before now where they were locked out of their own router and didn't know how to get into it.
One paper clip and a look at the bottom of the box and that was solved.
Of course, the first thing I did was turn off wireless access altogether until I'd changed the passwords and all the default access settings.
It took them a while to get used to having long and complicated WPA2 keys and to change them when someone left.
"Just think of it as leaving early to avoid the rush" - T Pratchett

bigpup
Posts: 13886
Joined: Sun 11 Oct 2009, 18:15
Location: S.C. USA

#15 Post by bigpup »

Wouldn't you first have to have the wireless network password and be connected before you could access the router admin page?
Normally, in initial setup, you connect with a wired connection and set everything up.

After that you do it by way of your wireless connection.

However,
The router is already and always connected to the Internet by way of its connection to the ISP provided modem. The Internet can already see it and access it.

The wireless part is for computers in the area around the router.
If you set one up to begin with, the wireless network password allows only you to connect to the router.
The password prevents someone else, around you, picking up the wireless signal, and also connecting to the router. They do not know the password.

Remember the connection path.
Internet
ISP (Internet service provider)
ISP Modem
Router
Wireless signal
Your computer.
The things they do not tell you, are usually the clue to solving the problem.
When I was a kid I wanted to be older.... This is not what I expected :shock:
YaPI(any iso installer)

wboz
Posts: 233
Joined: Wed 20 Nov 2013, 21:07

#16 Post by wboz »

Hm, nope, I think with consumer routers you plug 'em in, and then you look at the manual in the box and then access the Wifi point with the default password. Then log in to the router with the default credentials and then change the Wifi password, because, otherwise idiot.

But you leave the router credentials as they are because you assume they can only be accessed by someone with a) your Wifi password that you have just changed or b) ethernet access to the router which is deterred by physical means such as door locks/windows. Not Fort Knox here, but then again, no gold either. Unless it's a "cloud router" you assume that the router controls cannot be accessed with the default login directly from the internet, only from the onsite connected ethernet cable or Wifi.

So is that assumption above .. a correct assumption? Or dangerous?

gcmartin

#17 Post by gcmartin »

A little too wordy for this thread's needs. Moved to new thread, here
Last edited by gcmartin on Fri 26 Dec 2014, 23:02, edited 1 time in total.

bigpup
Posts: 13886
Joined: Sun 11 Oct 2009, 18:15
Location: S.C. USA

#18 Post by bigpup »

I have not seen any accesses from any wireless user outside of my home premise....ever. I live in an area with many homes and lots of walkers, young and old and constant traffic in and out of the neighborhood.
I wish I could say that or even some people who live around me.

I can access and use up to 3 different wireless routers, owned by other people living in homes around my house, simply because they do not have them password access protected.
I can see the wireless routers and access them with no problem.
But I do not.
They can see my router too, but they do not have my connection access password.

People who think nothing can happen make it so easy for things to happen.
The things they do not tell you, are usually the clue to solving the problem.
When I was a kid I wanted to be older.... This is not what I expected :shock:
YaPI(any iso installer)

wboz
Posts: 233
Joined: Wed 20 Nov 2013, 21:07

#19 Post by wboz »

OK cool, so I think now I've secured myself sufficiently prudently. Wifi password enabled. Admin password changed. No WEP. Seems like that's the basics; I'm not overly worried about the NSA or North Korea:)

Let's talk about a hypothetical situation where a snooping user has cracked the wifi password (assume they guessed it manually or in some more sophisticated way; doesn't matter.)

Can that user potentially view internet traffic from other connected devices? Let's assume for simplicity one of those is a Windows device, ie probably least secure of current OSs. Can they upload or download files from those devices? Could they upload firmware to the router to do ... anything else nefarious that I can't even think of?

Note I am NOT looking for instructions or wish to do any of those bad things myself. I'm purely concerned about the other side, the personal data security aspect. And as you can tell, it's realistically 99.999% likely to remain hypothetical in any case :)

amigo
Posts: 2629
Joined: Mon 02 Apr 2007, 06:52

#20 Post by amigo »

Once they get through the door, a hacker can do any number of things. The specifics will depend somewhat on what software is installed on the targeted machine. But having root privileges makes things much easier for them.
