Hardening a wireless DSL router

Avoid that someone else uses your wireless DSL router

Most homes in developed countries use a home wireless DSL router to connect to the Internet. Remember that, in an increasing number of countries, the owner of the router is legally responsible for the data coming in and out of that home network to the Internet. Avoid being in an unwanted legal case by preventing that your DSL router (and your Internet connection) is used by an intruder to commit any illegal action. Make your DSL router relatively secure with the following preventive (and a final one, detective) security measures:

- Change the private IP address that the router has by default. How many routers come with 192.168.1.1 or with 10.0.0.1? Please, let your router be other than 192.168.1.1.

- Change the default IP addressing schema of your home LAN (cable or wireless). There is no obligation to always use 192.168.1.x or 10.0.0.x. As long as it is a private IP address (see RFC 1918), dare trying with e.g. 172.16.x.x.

- Limit the mac addresses that can connect to your router. Find out the mac addresses of all the gadgets that connect to your wireless LAN and input them into your router's mac ACL.

- Use WPA2 with a long password, you can get it for example here.

- Make the admin interface only available to your internal LAN (avoid making it available through the Internet). Easy way to check this: Find out your public IP address (e.g. using myipaddress), try to reach that public IP address and the admin web page.

- Are you a hardliner? Then disable the DHCP server in your router. Add the IP addresses. routing gateway (your router) and DNS servers in each of your wireless clients manually. Use different DNS servers on each of the gadgets (so that no unique DNS server gets a complete idea of your browsing behaviour).

These measures follow a defense-in-depth approach. None of them constitute the silver bullet, but the entire set of measures is a valid starting point.

If you would like to check your router's threat exposure to the Internet:
- Find your public IP address here.
- Install nmap in your box and launch the following two lines:

$ sudo nmap -sT -n -v -T4 -O -p- --reason yourpublicaddress
$ sudo nmap -sV -n -v -T4 -O -open ports coming out from first command yourpublicaddress


The nmap command line usage help can be found here.
- Limit the services you offer to the Internet.
Nmap should produce an output similar to this one:
All 65535 scanned ports on are filtered because of 65350 no-responses and 185 host-unreaches. Too many fingerprints match this host to give specific OS details.

If the result shows some open ports, identified by the -sV option as UPnP, review the expert view of the admin interface in your router, it is probable that you allow some firmware update, or push service provision coming from your ISP or a specific server app. Just check that it corresponds to your needs (e.g. a VPN server, a file server... or maybe, nothing is published to the Internet).
Finally, a detective measure: Check your router's logs frequently. Most routers can send their logs regularly to an email address. Use this feature. It is priceless to identify abnormal uses.

Happy scanning and happy secure home DSL router!
p.s. The "--reason" is a suggestion coming from a network jedi ;-)

Avoid misuses of your DSL router while you are on the beach
Additional measure (inspired by a comment left by an anonymous reader left)
Broadcast (but as little as you need ;-)
Scan the wireless networks that surround your place, choose a wireless channel that is not used, or at least very little used. This will enable you to decrease the level of energy used by your wireless router when broadcasting its signal. 
Fine tune the energy level so that the wireless signal is almost constrained to your place. This will definitely make a wireless attack to your network a little bit more "physically challenging". Here you are some command line tips to scan the wireless spectrum using aircrack-ng from a Linux box.

$ sudo apt-get install aircrack-ng
Information on aircrack-ng installation can be found here
Disconnect from your wireless network (keep the wireless driver working though)
$ sudo airmon-ng start wlan0
airmon will tell you the name of a wireless interface that can be used to scan (it will normally be mon0)
$ sudo airmon-ng start mon0
$ sudo airodump-ng mon0
and you will get a real-time list of active wireless networks (incluing channel numbers)

Thanks to the anonymous reader!

1 comments:

Anonymous said...

Very good compilation :-)

My 2cents: WiFi scanner looking for a free or not very demanded frequency. Then set the WiFi channel to one of these freqs and reduce the antenna emission power -> your WLAN will not be visible for the whole neighbourhood.