11 steps to securing your router!

Saturday, November 1, 2008

This is a tutorial I wrote some time ago on how to secure your router. You can find many similar tutorials on the net, but I dare say that mine is a bit more detailed and extensive. I have included a special section on firewall rules that I have not seen elsewhere.

So if you have any questions, let me know and I can help you out. A good firewalled router is one of the best measures that you can take to protect your computer and network.

So these are my 11 steps to securing your Internet network. Although 11 steps may seem a lot, it should not take you more than half an hour to do all of this. If you have tackled this issue before, this should be just fun. If you are struggling with any part of this, feel free to ask or PM me. Anyway, this tutorial has been written for info/sec minded people, so I do not think that there should be any problem.

For all those who are not sure whether this is relevant to them, let me say this. The router, if you have one, is the first line of defense against any possible intruder. A router with its default configuration is a lot easier to break into than one that has been properly configured. Of course, an attacker needs to know your IP address to target you directly, and if you use proxies for all your Internet activities that helps, but if you, like many others, use torrents, or like me run a Tor relay, then your IP address is public knowledge, and in the case of a static IP you cannot just change it whenever you want to.

I have seen girls cry in YouTube videos because a hacker penetrated their firewall and deleted all the stuff they had on the computer. It is not a pleasant sight, and if you do not want to be another victim of hackers, this tutorial is a pretty good start to protecting your computer and your network.

1. Update your firmware

Whatever the age of your router, it should run the manufacturer's current firmware; old firmware has known holes that are trivial to look up. How do you update it, you may ask? First figure out the name, model and hardware revision of the router (usually on a sticker on the underside). Then Google it and you will find the manufacturer's site, which very likely has the new firmware you are looking for. Download only from the manufacturer, pick the image for your exact model and hardware revision (flashing the wrong image can brick the device), and do the upgrade over a wired connection, not over WiFi.

2. Use a strong password

If you still have the default password, this is one of the first things you need to address: default passwords are printed in the manual and listed on the web for every model. Six characters of random letters and numbers is the absolute minimum; longer is much better, and a dozen or more characters costs you nothing since you rarely type it. I recommend you use a tool that generates a random password or passphrase for you. If you must make one up by hand, do not rely on 1337-style substitutions applied to a dictionary word: password-cracking tools try exactly those substitutions by default.

3. Disable UPnP

UPnP lets any program on the LAN open port forwards through your router with no authentication at all, which includes malware on one of your machines and, as described on the site below, a malicious web page. Once you have a working router you do not need it: switches and other ordinary devices do not use it, only applications that want to open inbound ports automatically do. Turn it off and forward the few ports you actually need by hand. Hackers could use this service as described here: http://www.gnucitizen.org/blog/hacking-the-interwebs

4. Disable ping on the WAN side

Plain and simple! Dropping ICMP echo requests on the WAN interface keeps the router from answering casual "who is alive" scans; it will not stop a determined attacker, who scans ports anyway. Drop only echo-request, not all of ICMP: the fragmentation-needed messages are required for path MTU discovery, and blocking them breaks connections to some sites.

5. Use protocol filters

The following list is taken from the NSA's Router Security Configuration Guide, version 1.1c, which is publicly available at http://www.nsa.gov/snac/downloads_all.cfm. These are services that have no business crossing a border router: filter them inbound on the WAN interface, and outbound as well unless something on your LAN actually needs one of them (IRC on 6667 is the usual exception).

3 (TCP & UDP) tcpmux
7 (TCP & UDP) echo
9 (TCP & UDP) discard
11 (TCP) systat
13 (TCP & UDP) daytime
15 (TCP) netstat
19 (TCP & UDP) chargen
37 (TCP & UDP) time
43 (TCP) whois
67 (UDP) bootp
69 (UDP) tftp
95 (TCP & UDP) supdup
111 (TCP & UDP) sunrpc
135 (TCP & UDP) loc-srv
137 (TCP & UDP) netbios-ns
138 (TCP & UDP) netbios-dgm
139 (TCP & UDP) netbios-ssn
177 (UDP) xdmcp
445 (TCP) microsoft-ds (SMB over TCP)
512 (TCP) rexec
515 (TCP) lpr
517 (UDP) talk
518 (UDP) ntalk
540 (TCP) uucp
1434 (UDP) Microsoft SQL Server
1900, 5000 (TCP & UDP) Microsoft UPnP SSDP
2049 (UDP) NFS
6000 - 6063 (TCP) X Window System
6667 (TCP) IRC
12345-12346 (TCP) NetBus
31337 (TCP & UDP) Back Orifice

6. Disable DHCP

Set static LAN IPs on all of the computers that use your router, then disable the DHCP service. Be aware that this is only a minor hurdle: anyone who gets onto the LAN can pick an address by hand. What it does buy you is that nothing gets an address, and with it Internet access, without you configuring it.

7. Set firewall rules

The following is an excerpt from the same guide; you will find these paragraphs on p. 40:

• Reject all traffic from the internal networks that bears a source IP address
which does not belong to the internal networks. (Legitimate traffic
generated by sources on the internal networks will always bear a source
address within the range or ranges assigned to the internal networks; any
other traffic is attempting to claim a bogus source address, and is almost
certainly erroneous or malicious in nature.)

• Reject all traffic from the external networks that bears a source address
belonging to the internal networks. (Assuming that addresses are assigned
correctly, traffic sent from the external networks should always bear a
source address from some range other than those assigned to the internal
networks. Traffic bearing such spoofed addresses is often part of an
attack, and should be dropped by a border router.)

• Reject all traffic with a source or destination address belonging to any
reserved, unroutable, or illegal address range.

Now what does all of this mean, you may ask? Well, for a non-techie like me, I was not sure either, so I had to ask as well. The three bullets are anti-spoofing rules. The first is an egress filter: anything leaving your LAN must carry a LAN source address (192.168.1.x in the typical home setup); anything else is a forged packet, most likely from a compromised machine. The second is an ingress filter: a packet arriving on the WAN side can never legitimately claim a source address from your own LAN, so it is dropped. The third drops traffic to or from reserved and unroutable ranges on the WAN side (the private ranges 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16, the loopback range 127.0.0.0/8, and so on). A NAT router already refuses unsolicited connections from the outside (WAN) to the inside (LAN); what you need to add is a rule that denies any WAN packet whose source address is in 192.168.1.0-192.168.1.255. Unless you are using the remote access option on your router, you should implement this, and even then remote access should be limited to a few trusted source addresses rather than the whole Internet.

The next thing you need to do is to restrict which internal addresses may connect to the outside: only the addresses actually in use by your computers should be allowed out. So for instance, if you have four computers using 192.168.1.2-192.168.1.5, block the rest of the range from going out, that is 192.168.1.6-192.168.1.255, and do not forget 192.168.1.0 as well (192.168.1.0 is the network address and 192.168.1.255 the broadcast address; neither should ever appear as a source on the WAN). You of course need 192.168.1.1, the router's own address, to connect to the router: if you block yourself from it you will have to reset the router and start all over again. This is a modest gain, since an intruder who gets onto the LAN can simply take one of the allowed addresses, but it means a device plugged in without your knowledge does not automatically get Internet access.
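As an added example, not part of the original tutorial, here is a POSIX shell script that turns steps 4, 5 and 7 above, plus the LAN-only management access that step 10 below calls for, into an iptables rule set for a Linux-based router (an old PC used as the firewall, or third-party router firmware with a shell). The interface names, the LAN range, the list of private ranges and the DHCP-on-WAN rule are assumptions; change them to match your box. The script only prints the commands, so you can read them before running them as root.

```shell
#!/bin/sh
# Added example: generate an iptables rule set implementing steps 4, 5 and 7.
# Assumed names: WAN/LAN interfaces and LAN_NET. The script only prints the
# commands; review them, then run:  ./router-rules.sh | sudo sh
WAN=eth0            # assumption: interface facing the ISP
LAN=eth1            # assumption: interface facing the home network
LAN_NET=192.168.1.0/24

# Step 5: ports from the NSA Router Security Configuration Guide list.
# Ranges use the iptables "first:last" syntax.
TCP_PORTS="3 7 9 11 13 15 19 37 43 95 111 135 137 138 139 445 512 515 540 \
1900 5000 6000:6063 6667 12345:12346 31337"
UDP_PORTS="3 7 9 13 19 37 67 69 95 111 135 137 138 139 177 517 518 1434 \
1900 2049 5000 31337"

# Step 7, third bullet: reserved and private ranges that must never appear
# as a source address on the WAN side. (If your ISP hands you a WAN address
# from 10.0.0.0/8, remove that entry or you will drop your own uplink.)
BOGONS="0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 172.16.0.0/12 \
192.168.0.0/16 224.0.0.0/4 240.0.0.0/4"

gen_rules() {
    # Default deny for anything arriving at or crossing the router; the LAN
    # is the only side allowed to start connections.
    echo "iptables -F"
    echo "iptables -t nat -F"
    echo "iptables -P INPUT DROP"
    echo "iptables -P FORWARD DROP"
    echo "iptables -P OUTPUT ACCEPT"

    # Step 7, second and third bullets: WAN packets claiming an internal or
    # reserved source address are spoofed; drop them before anything else.
    for net in $BOGONS; do
        echo "iptables -A INPUT -i $WAN -s $net -j DROP"
        echo "iptables -A FORWARD -i $WAN -s $net -j DROP"
    done

    # Step 7, first bullet: LAN packets without a LAN source address are
    # spoofed (typically a compromised machine); drop them.
    echo "iptables -A FORWARD -i $LAN ! -s $LAN_NET -j DROP"

    # Step 5: protocol filters. Placed in FORWARD before the ACCEPT rules so
    # they apply in both directions: nothing outside reaches these services
    # on the LAN, and a worm on the LAN cannot reach them outside either.
    for p in $TCP_PORTS; do
        echo "iptables -A FORWARD -p tcp --dport $p -j DROP"
    done
    for p in $UDP_PORTS; do
        echo "iptables -A FORWARD -p udp --dport $p -j DROP"
    done

    # Step 4: no ping replies on the WAN side. Only echo-request is dropped;
    # other ICMP (fragmentation-needed etc.) is handled by the stateful rules.
    echo "iptables -A INPUT -i $WAN -p icmp --icmp-type echo-request -j DROP"

    # Management (step 10) is reachable from the LAN only: INPUT from the WAN
    # never gets an ACCEPT, so telnet, HTTP and SSH are all closed there.
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -i $LAN -s $LAN_NET -j ACCEPT"
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # Assumption: the WAN address comes from the ISP by DHCP; drop this line
    # if your uplink uses a static address or PPPoE.
    echo "iptables -A INPUT -i $WAN -p udp --sport 67 --dport 68 -j ACCEPT"

    # LAN may go out; replies (and related ICMP errors) may come back in.
    echo "iptables -A FORWARD -i $LAN -o $WAN -s $LAN_NET -j ACCEPT"
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -t nat -A POSTROUTING -o $WAN -s $LAN_NET -j MASQUERADE"
}

# Count generated rules matching a pattern; handy for sanity checks.
count_rules() {
    gen_rules | grep -c -e "$1"
}

gen_rules
```

Rule order matters: the spoof and protocol-filter DROPs sit before the stateful ACCEPTs, so a packet has to survive every filter before the "LAN may go out" rule sees it. After loading the rules, check from a machine outside the LAN that ping gets no reply and that `iptables -L -v -n` shows the bogon counters climbing only when you expect them to.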

8. Change the name of your router

Just do it! The router's name (its hostname and, on a wireless router, the SSID) usually defaults to the manufacturer or model, which tells an attacker exactly which default password and which known firmware holes to try first. Pick something that gives nothing away.

9. Use MAC filters

Figure out the MAC addresses of all the computers that use your router (ipconfig /all on Windows, ifconfig on Linux), add them to the filter list and allow only those to use your router. Note that MAC addresses travel in the clear and are trivial to spoof once an attacker has seen one, so treat this as a speed bump rather than a lock.

10. Use SSH to connect to the router

The last part is to use a secure way to communicate with your router. Telnet and plain HTTP send your admin password in clear text to anyone on the path, so use SSH (or HTTPS, if that is what your router offers) and disable the clear-text services. Also make sure management is reachable only from the LAN side, never from the WAN.
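An added example, not from the original tutorial: an OpenSSH sshd_config fragment for a Linux-based router or firewall box that hardens the management service as this step describes. The LAN address 192.168.1.1 and the account name "admin" are assumptions. Note that sshd_config does not accept comments at the end of a line, so each comment sits on its own line.

```sshconfig
# Added example (not from the original tutorial): OpenSSH settings for the
# management service of a Linux-based router. Assumed values: 192.168.1.1 is
# the router's LAN address and "admin" is the only account allowed to log in.

# Listen on the LAN side only, never on the WAN address.
ListenAddress 192.168.1.1

# No direct root logins; one named admin account, nothing else.
PermitRootLogin no
AllowUsers admin

# Log in with a key pair and refuse password guessing entirely.
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no

# Limit what a brute-force client can do per connection.
MaxAuthTries 3
LoginGraceTime 30

# A router has no use for these.
X11Forwarding no
AllowTcpForwarding no
```

Put your public key in ~admin/.ssh/authorized_keys before you turn password authentication off, and keep a second session open while you restart sshd so a typo does not lock you out.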

11. WIFI

If you are using WiFi you need to use encryption, and that means WPA2 with AES (CCMP) together with a strong passphrase. Do not use WEP: it is broken and can be cracked in minutes, and WPA with TKIP is only marginally better. I personally prefer using cables, but that is just me!

Of course, this is no guarantee that a skilled hacker could not get in. If you are really concerned about this, you could put another hardware firewall behind the router, in the shape of an old computer running smoothwall or IPcop, so that someone who compromises the router still faces a second, independently configured barrier.

Nevertheless, if you followed these instructions you should have a pretty good level of security. I have done all of these things on my router and they work, so I am sure they will work on yours too.

P.S. This tutorial has been written by lyecdevf. If you choose to post it on other forums, please give credit!