Secure your home broadband wireless router
Wireless is everywhere now. Virtually all home broadband routers come with WiFi built-in and 90% are enabled by default with standard passwords.
Here are my 5 tips for securing your home broadband wireless router.
Tip 0 – Default Passwords
Change the default password. Most devices come with a standard password which is the same for all devices from the same manufacturer or ISP. The default password is often printed on the bottom of your router.
The router provided by my ISP has the password changeme. I bet many of these in my neighbourhood still have this.
Go into your router’s set-up screen and change this. Now.
If you forget it most home routers have a factory reset button to put everything back to its default state.
Remember the new password.
The next tips are related to the wireless security.
For wireless, the first question to ask yourself before doing anything is Do I need the wireless switched on? This isn’t a silly question – if you’re not using a laptop or tablet around the house, or you don’t have any wireless devices you need to connect to your home network, switch it off.
Then, Do you need it on 24/7?
If you’re going out, do you need to keep the device switched on? You may not want to be switching it on and off on a daily basis; the inconvenience may not be worth it to you. On the other hand, if you’re going to be away for more than a couple of days, do you need it switched on? If you’re not there, and you have no connected laptops/tablets/smartphones etc., why leave it open for anyone passing?
Tip 1 – Change your SSID
The SSID is the name of the network you see when you scan for networks. These tend to be made up of either the ISP’s name or the manufacturer’s name. This type of information gives attackers a clue to:
- default user names
- administrative logins
- default passwords
- known manufacturer weaknesses
When you change the name, don’t use the following information:
- Street/house/apartment number: If I see an SSID called “5AshRoad”, then I can be pretty sure that 5 Ash Road will have a computer, maybe a tablet or two, and smartphones. Not only that, if an attacker sees no activity on the WiFi, they can also make a pretty good guess whether anyone is at home or not.
- Business name: Like advertising your address, you are advertising your business name and saying “here’s a link into my network”.
- Family name: Could be put together with other information to target you for fraud or identity theft.
- Name: If your SSID is “joes_network”, then someone trying to get into your computers can be pretty sure that at least one will have an account called “Joe”. Also, if Joe was the person who set this up, he’s probably got administrative access to his devices too.
Make up an SSID, preferably a combination of random letters, words and numbers. You’ll be able to find your access point easily, but it won’t give clues to someone trying to break into your network, or find out more about you.
Examples of good names are:
- odK14a : Random letters and numbers
- job.personality : two random words
- J0b.per50n411ty: the same words but with some simple number substitution
None of these tells you the manufacturer or the ISP, as they are inherently meaningless.
(PS. Don’t call your SSID surferdude if you’ve a VW Combi with board logos parked outside your house also).
The exception is if you are running a public access point so a name like Joes_Cafe_Public would make it easier for your customers to connect to the correct WiFi.
Hiding your SSID is another option, but even with this hidden it is still relatively easy for an attacker to find out. If you have guests using your network, this may also be inconvenient for them (and for you) each time they want to connect.
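The naming rules from Tip 1 can be turned into a quick self-check. This is an added example, not part of the original post: the vendor list, the household details and the function names are all made up for illustration.

```python
import re

# Illustrative, not exhaustive: vendor strings often seen in default SSIDs.
DEFAULT_MARKERS = ("netgear", "linksys", "tp-link", "dlink", "belkin", "asus")

# Constructed sample details for a fictional household.
SAMPLE_HOUSEHOLD = {
    "address": ["5 Ash Road"],
    "family name": ["Bloggs"],
    "first name": ["Joe"],
}

def _norm(text):
    """Lower-case and drop everything except letters and digits, so
    '5 Ash Road', '5AshRoad' and '5_ash-road' all compare equal."""
    return re.sub(r"[^a-z0-9]", "", text.lower())

def audit_ssid(ssid, household, public_ap=False):
    """Return a list of things the SSID gives away (empty list = nothing found).

    household maps a category name to the strings the SSID must not contain.
    """
    findings = []
    flat = _norm(ssid)
    for marker in DEFAULT_MARKERS:
        if _norm(marker) in flat:
            findings.append(f"reveals manufacturer/ISP: {marker}")
    for category, values in household.items():
        # The exception from the text: a public access point may carry
        # the business name so customers can find it.
        if public_ap and category == "business":
            continue
        for value in values:
            token = _norm(value)
            # Skip very short tokens (a bare house number would match anything).
            if len(token) >= 3 and token in flat:
                findings.append(f"reveals {category}: {value}")
    return findings

if __name__ == "__main__":
    for name in ("5AshRoad", "joes_network", "NETGEAR-5G", "odK14a"):
        print(name, "->", audit_ssid(name, SAMPLE_HOUSEHOLD) or "ok")
```

The check is a plain substring match, so it will not catch abbreviations or number substitutions of your own details.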
Put a good password on your wireless connection. You’ll usually see several password types:
- WPA2 (or WPA) Personal
- WPA2 (WPA) Enterprise
Never use WEP. This is a very, very weak method and can be cracked by an attacker in a matter of minutes. The WPA2 method has the strongest security, and while some older equipment may not support it, your first choice should always be the strongest method.
If you have equipment that absolutely needs WEP, you might want to seriously consider replacing it. It will be very old, and puts the rest of your network in danger.
The WPA Enterprise method can be used if you have another system providing passwords, so for home (or small business) use the WPA Personal option should be selected.
Choosing a password or a pass-phrase
It goes without saying that you don’t choose something like password or letmein or 1234567890. So I’ll say it clearly – don’t use a password like password, letmein and 1234567890. This may strike you as stating the clearly obvious, but in a recent survey of passwords, password was overtaken at the top spot by 123456. The third most popular was 12345678; that’ll be the sites that need an 8 character password!
Because your devices can be set up to remember the access points, the password usually only needs to be entered the first time you connect, so it doesn’t need to be memorable.
Choose a good strong password. At least 8 characters of random keyboard characters. Close your eyes to create this. Mix upper and lower case. Throw in some numbers. Add some punctuation to the mix also.
I wouldn’t normally suggest this as it goes against every part of good password management, but here goes.
Write it on a band-aid and tape it to the bottom of your router so you have to pick it up to find it. Now if you have a guest come over and you want to give them access to your WiFi, you know where the password is.
Why would I suggest writing the password down here? Well, it’s easy to find when you need it, and because, quite frankly, if an intruder has gained access to your house, looking at your broadband router is probably the least of your problems.
In a commercial setting, this is completely forbidden unless it is your publicly accessible WiFi (for example in a café) and you will be giving out the password to customers.
Tip 3: Disable Remote Administration
Not all wireless routers allow remote administration, but it is worth spending a few minutes going through the options to see if it is an option, and if it is enabled. Opening up the gateway to your network with administrative access is going to be a bad idea in 99.9% of cases.
The only place you should let the administration be done is locally. This means you can only access the configuration of your router from inside your network, preferably via a wired connection also. By restricting it to inside your network, an attacker needs to be in your network already: either via a trojan/malware on a device inside your network, or because they’ve already cracked your wireless password and have access to your network. Leaving it accessible remotely means it is available to the whole world for attacking.
If you do need to do this, then choose an insanely long password/passphrase.
Tip 4: Use MAC Filtering
Use MAC filtering. The MAC address is the hardware identifier of the wireless network adapter in your device. By using this, only devices with permitted MAC addresses will be allowed to connect to the router.
This isn’t a panacea however, because it is easy to change the MAC address in software, so an attacker who monitors your traffic could snoop your MAC address and duplicate it. This doesn’t make it pointless, but it should be used in conjunction with other protections.
Tip 5: Look at your log files
Most broadband routers keep a small log. This will show when it was switched on, the current connection state, and any failures. They may also show a small security log. Just looking at this is an eye opener; you’ll find you are under pretty much constant attack. My logs show constant port scanning and SYN floods – which are just two methods used to try and break into your network.
If you’re lucky, your router may even list login attempts, successful and unsuccessful. You might see more attacks here.
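To make the log review in Tip 5 less of a chore, a short script can pull out the entries worth a second look. This is an added example, not part of the original post: the log format is constructed (real router logs differ by manufacturer), and the thresholds and the 192.168.1.0/24 home network are assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in a made-up format; addresses are documentation ranges.
SAMPLE_LOG = "\n".join(
    [f"Mar 01 02:14:0{i} DROP SYN src=203.0.113.9 dport={p}"
     for i, p in enumerate((21, 22, 23, 80, 8080))]
    + ["Mar 01 03:00:01 DROP SYN src=198.51.100.7 dport=443"] * 6
    + ["Mar 01 04:10:00 LOGIN FAIL src=192.168.1.23"] * 3
    + ["Mar 01 09:30:00 LOGIN OK src=192.168.1.10",
       "Mar 01 11:45:00 LOGIN OK src=192.0.2.44"]
)

LINE = re.compile(r"(DROP SYN|LOGIN FAIL|LOGIN OK) src=(\S+)(?: dport=(\d+))?")

def summarize(log_text, lan="192.168.1.0/24", scan_ports=5, flood_hits=5, max_fails=3):
    """Group log lines by source address and flag the suspicious ones."""
    lan_net = ipaddress.ip_network(lan)
    syn_ports = defaultdict(list)   # source -> every destination port it hit
    fails = defaultdict(int)        # source -> failed admin logins
    report = {"port_scan": [], "syn_flood": [],
              "login_failures": [], "remote_admin_login": []}
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        event, src, dport = m.groups()
        if event == "DROP SYN" and dport:
            syn_ports[src].append(int(dport))
        elif event == "LOGIN FAIL":
            fails[src] += 1
        elif event == "LOGIN OK" and ipaddress.ip_address(src) not in lan_net:
            # A successful admin login from outside the home network means
            # remote administration (Tip 3) is switched on and being used.
            report["remote_admin_login"].append(src)
    for src, ports in syn_ports.items():
        if len(set(ports)) >= scan_ports:      # many different ports: a scan
            report["port_scan"].append(src)
        elif len(ports) >= flood_hits:         # same port hammered: a flood
            report["syn_flood"].append(src)
    report["login_failures"] = [s for s, n in fails.items() if n >= max_fails]
    return report

if __name__ == "__main__":
    for kind, sources in summarize(SAMPLE_LOG).items():
        print(f"{kind}: {sources}")
```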
Okay, there are actually 8 tips, but 8 sounds like more work than 5! I hope you find this useful.