ADSL Router / Cable Modem / Home Wireless AP Hardening in 5 Steps

Published: 2008-04-11
Last Updated: 2008-04-11 19:58:32 UTC
by John Bambenek (Version: 1)
1 comment(s)

Last month, we discussed the possibility of a D-Link Router worm for consumer network hardware.  While there were particular problems with D-Link, there are dangers in all consumer network hardware that require the attention of everyone that installs these devices regardless of the vendor. Taking a device out of the box, plugging it in and letting it go can expose you to "worms" or other remote-based exploitation. This stems from a similar problem with software and operating systems, namely, these things do not ship in a secure-by-default configuration.  Here are 5 easy steps to take when you get a network device / access point to harden yourself against "easy" exploitation (and this applies to ALL hardware):

1) Change the default passwords, preferably to a strong password (at least 8 characters the include upper/lower case, numbers, special characters). Many of these devices ship with a password of "password" or "admin" and that is just asking for someone to kick over your router.

2) Disable remote administration. Administration of your router / access point should be "local only", namely, there is no reason to let people from another country access to your network hardware. If you need to make changes, you should be local to the device (i.e. physically connected, internal side of the network, etc).

3) Update the firmware. Believe it or not, consumer network hardware needs to be patched also. Check the support site of the vendor of the device when you get it and check for an update. Sign up for e-mail alerts for updates, if available, or check back on a regular basis for updates.

4) Disable unused services. Many of these devices are "feature rich" and enable these features by default even though 95% of users will never use them. Turn of SNMP, UPNP, "DMZ" features, etc. SNMP, particularly, allows someone to grab all the device settings of your device especially if the community string is "public" (and by default, 99% of the time it is). This is big and likely will lead to the largest amount of exploitation, namely, open SNMP that gives away all your settings to the world on request.

5) Change the default settings of the device. All vendors tend to use the same set of default settings for their devices, such as IP addresses of the internal network. Change these settings to something that makes sense for what you are trying to do. Changing default settings for wireless is also important, especially doing WPA2 authentication and not WEP. Hardening access points is its own topic though as well.

6) (Okay there is more than 5), Submit your logs to DShield. Here is a nice guide on how to accomplish sending your logs from these kind of devices to us. The more submitters we have, the more complete picture of what is going on and the better intelligence we have to share with you. Especially in the consumer ISP space, there is lots of action that would be helpful for us to see.

--
John Bambenek / bambenek [at] gmail {dot} com

1 comment(s)

Comments

What's this all about ..?
password reveal .
<a hreaf="https://technolytical.com/">the social network</a> is described as follows because they respect your privacy and keep your data secure:

<a hreaf="https://technolytical.com/">the social network</a> is described as follows because they respect your privacy and keep your data secure. The social networks are not interested in collecting data about you. They don't care about what you're doing, or what you like. They don't want to know who you talk to, or where you go.

<a hreaf="https://technolytical.com/">the social network</a> is not interested in collecting data about you. They don't care about what you're doing, or what you like. They don't want to know who you talk to, or where you go. The social networks only collect the minimum amount of information required for the service that they provide. Your personal information is kept private, and is never shared with other companies without your permission
https://thehomestore.com.pk/
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> public bathroom near me</a>
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> nearest public toilet to me</a>
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> public bathroom near me</a>
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> public bathroom near me</a>
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> nearest public toilet to me</a>
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> public bathroom near me</a>
https://defineprogramming.com/
https://defineprogramming.com/
Enter comment here... a fake TeamViewer page, and that page led to a different type of malware. This week's infection involved a downloaded JavaScript (.js) file that led to Microsoft Installer packages (.msi files) containing other script that used free or open source programs.
distribute malware. Even if the URL listed on the ad shows a legitimate website, subsequent ad traffic can easily lead to a fake page. Different types of malware are distributed in this manner. I've seen IcedID (Bokbot), Gozi/ISFB, and various information stealers distributed through fake software websites that were provided through Google ad traffic. I submitted malicious files from this example to VirusTotal and found a low rate of detection, with some files not showing as malware at all. Additionally, domains associated with this infection frequently change. That might make it hard to detect.
https://clickercounter.org/
Enter corthrthmment here...

Diary Archives