
Default router settings put your network at risk. Not only could strangers in your vicinity use your Wi-Fi without your permission, their freeloading could also reduce your bandwidth and exhaust your data allowance.

More worryingly, their actions could even get you in trouble if they used your network for illegal activities, whether downloading copyrighted material or hacking into your devices. Default settings could also invite wannabe hackers to log into your network’s admin panel and hijack your settings.

We have summarized the standard router settings that can prevent leeching and unauthorized access to your network.

Basic Router Security Settings

The following are the bare minimum security-related settings. They’re easy to set up. Connect your computer to your router using a LAN cable and log in using the router IP address and – unless you already changed them – the manufacturer-provided administrator username and password.

If your router interface doesn’t immediately reveal the settings listed below or doesn’t look like the example screenshots, I recommend that you consult your router’s manual; you can probably find it online. Many manufacturers, including Linksys and Netgear, also offer detailed support pages.

Change Default Administrator Credentials

The default username and password you use to log into your router are often the same for thousands of other devices and they can be looked up online. Thus log into your router and change both. Since you use a browser to log into your router, you can store the new login credentials in a password manager like LastPass. If only you or family members have physical access to your router, there is no harm in putting a sticker with the username and password onto your router.


Linksys Router Settings

The settings above are for a Linksys router.

Set a Wireless Password or Passphrase

While you’re logged into your router, make sure you have set a password for your Wi-Fi. As mentioned above, an open Wi-Fi network can have all sorts of negative consequences. However, a password that’s easy to crack is almost as bad as no password at all. To be safe, use WPA2 level encryption because anything else is too easy to bypass.


Turn Off WPS

Wi-Fi Protected Setup (WPS) is a wireless standard that makes it very easy to set up an encrypted wireless connection. To give a device access to your wireless network, you either press a button on both the router and your device or you enter the 4 to 8 digit number printed on a sticker on your router.

The problem is, this feature is turned on by default and since there are no limits to how many times you can enter a wrong code, WPS is crackable by brute force. With the right tools, which can be found online, it only takes minutes or hours to compromise your wireless network. Once the WPS code is cracked, your Wi-Fi key is revealed, too.

To be safe from this vulnerability, you have to manually turn it off. Find the respective setting in your router admin panel and disable it.


Unfortunately, turning off WPS might not actually do anything. Many manufacturers either don’t offer an option to turn it off, or WPS continues to work despite having been disabled.

Change Default SSID Name

The SSID is the name of your wireless network. Your devices use the SSID to recognize previously used networks and will try to hook up to any matching network that they have stored login data for. With a default SSID, you’re potentially setting your devices up to connect to a lot of strange networks by default. Moreover, if the default SSID reveals your router, hackers might be able to identify the model, leading them to uncover router-based vulnerabilities of your network.


Don’t be tempted to hide your SSID! Contrary to common recommendations, security expert Joshua Wright explains that hiding your SSID is a bad idea because devices trying to connect to your network will essentially try to match with any AP (access point) out there. Now a malicious network could impersonate your network and thus obtain access to your device. Instead of cloaking your SSID, make sure you follow our recommendation and give it a unique name.
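To check the Wi-Fi password and SSID recommendations above against what your router actually broadcasts, the following added example (not part of the original article) audits a saved Wi-Fi scan for your own network names. It assumes the terse output format of `nmcli -t -f SSID,SECURITY device wifi list` on Linux; the sample scan and the list of factory-default name patterns are constructed for illustration.

```python
import re

# Constructed sample in the terse format of
# `nmcli -t -f SSID,SECURITY device wifi list`: one "SSID:SECURITY" per line,
# with ':' and '\' inside a value escaped by a backslash.
SAMPLE_SCAN = """\
linksys:
NETGEAR42:WEP
Cafe\\: Guest:WPA1 WPA2
Maple-Street-7:WPA2
"""

# Illustrative (not exhaustive) patterns for factory-default network names.
DEFAULT_SSID = re.compile(
    r"^(linksys|netgear\d*|dlink(-[0-9a-f]+)?|tp-link_[0-9a-f]+|default)$",
    re.IGNORECASE,
)


def split_terse(line):
    """Split one terse line on unescaped ':' and undo the backslash escapes."""
    fields, current, i = [], [], 0
    while i < len(line):
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):
            current.append(line[i + 1])  # escaped character is taken literally
            i += 2
            continue
        if ch == ":":
            fields.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    fields.append("".join(current))
    return fields


def check_network(ssid, security):
    """Return the list of problems for one network, per the article's advice."""
    issues = []
    modes = set(security.split()) - {"--"}  # "--" or empty means no encryption
    if not modes:
        issues.append("open network: set a WPA2 passphrase")
    elif "WEP" in modes:
        issues.append("WEP in use: switch to WPA2")
    elif "WPA1" in modes:
        issues.append("legacy WPA still accepted: allow WPA2 only")
    if DEFAULT_SSID.match(ssid):
        issues.append("factory-default SSID: choose a unique name")
    return issues


def audit_scan(text, my_ssids=None):
    """Map SSID -> issues. If my_ssids is given, only those names are checked."""
    report = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = split_terse(line)
        ssid, security = fields[0], fields[1] if len(fields) > 1 else ""
        if my_ssids is not None and ssid not in my_ssids:
            continue
        issues = check_network(ssid, security)
        if issues:
            report[ssid] = issues
    return report


if __name__ == "__main__":
    for name, problems in audit_scan(SAMPLE_SCAN).items():
        for problem in problems:
            print(f"{name}: {problem}")
```

Pass the names of your own networks as `my_ssids` so the report covers only the access points you administer.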

Change Default Router IP

Above we told you to change your default login credentials. That’s a simple and effective way to prevent unsolicited access to your router. To make it even harder for hackers to find your router’s admin panel, change the default internal gateway or comparative IP. If you’re using LastPass to store your login data, update the IP there, too.

Disable Remote Administration or Management

When remote access is enabled, anyone on the Internet can access your router and change its settings. To prevent unsolicited remote access, you need to disable this feature.

Note that this still allows anyone close enough to catch your Wi-Fi to access the admin panel, provided they know the login credentials. If your router offers this option, set it to permit access to the admin panel only with a wired connection to the router. This is a rare feature and you might have to upgrade or change your router firmware to get it.

Advanced Router Security Settings

Those of you confident enough to dive a little deeper into securing your routers might want to consider the following settings. They’re also recommended if your router is located in a high risk environment, e.g. in an apartment building or close to a public space.

Update Firmware

Generally, firmware is a kind of software coded onto hardware to help it execute operations and communicate with peripherals. Whenever a router vulnerability is revealed, manufacturers typically release new firmware to close the security hole. That’s why it’s recommended to periodically check and update your router firmware. Most standard routers come with an in-built router update option, typically found under router administration.

NETGEAR genie

Note that updating your firmware could restore default settings, meaning you’d have to re-apply any changes you previously made. If possible, make a backup of your custom settings prior to updating firmware.

Switch to 5 GHz Band

The standard band is 2.4 GHz, which travels further. By using the 5 GHz band you reduce the reach of your Wi-Fi network and thus the chance of a bad guy picking it up and trying to break in. It also decreases interference, improves speed, and increases stability of your network.

Unfortunately, not all devices support the 5 GHz band. One solution here, if you wanted to be meticulous, would be to either connect these devices using an Ethernet cable or upgrade your router to 802.11ac and create a dual network setup. You’d have one network for each band and could move most of your traffic over to the 5 GHz band. Of course that would not actually increase your security because now you’d offer two points to attack your network.

Disable PING, Telnet, SSH, UPnP, and HNAP

Find the respective settings in your router interface and disable them. Rather than closing these ports, use the stealth settings (if available) which will result in attempts to access your network from outside being met with silence, thus hiding the port. An efficient way to hide your router is to prevent it from responding to PING commands.
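To verify the result on your own router, the following added example (not from the original article) probes the TCP services named above and reports whether each port is open, closed (answers with a refusal) or stealthed (no answer at all). The port numbers are the standard defaults and are an assumption about your router; PING and UPnP discovery do not run over TCP and are not covered.

```python
import socket
import sys

# Standard default ports (assumption: your router has not moved them).
SERVICES = {"ssh": 22, "telnet": 23, "http-admin": 80, "https-admin": 443}

ADVICE = {
    "open": "service is listening: disable it in the admin panel",
    "closed": "port answers with a refusal: use the stealth setting if available",
}


def probe_tcp(host, port, timeout=2.0):
    """Classify one TCP port.

    open        - the handshake completed, so a service is listening
    closed      - the host actively refused the connection
    stealth     - nothing came back before the timeout (silently dropped)
    unreachable - the local network stack could not reach the host at all
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except socket.timeout:
        return "stealth"
    except OSError:
        return "unreachable"
    finally:
        sock.close()


def audit_router(host, services=SERVICES, timeout=2.0):
    """Return {service name: state} for every port in `services`."""
    return {name: probe_tcp(host, port, timeout)
            for name, port in services.items()}


def findings(results):
    """Return (service, state, advice) for every port that is not stealthed."""
    return [(name, state, ADVICE[state])
            for name, state in sorted(results.items())
            if state in ADVICE]


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: python probe.py <address of your own router>")
    for name, state, advice in findings(audit_router(sys.argv[1])):
        print(f"{name}: {state} ({advice})")
```

Run it from inside your network against the router's LAN address, and from a connection outside your home against your public address, since the two sides usually expose different services.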

Enable Router Firewall

If your router has its own firewall, enable it. You shouldn’t rely on your router firewall alone, just consider it an extra layer of protection.


DISABLE Wireless MAC Filter

Briefly, MAC addresses are easy to spoof and thus MAC filtering isn’t worth the effort.

Pro Router Security Settings

Finally, here are the settings for those of you who want to take every last step to secure their network.

Install Alternative Firmware

Third-party router firmware not only adds additional features, but is also more secure than the latest firmware provided by the manufacturer of your router. Alternative firmwares are less commonly affected by vulnerabilities. Popular open source firmwares include the Linux based DD-WRT and Tomato.


Before you install new firmware, make sure you find one that is compatible with your router, then review the step-by-step instructions for installing it.

Change Default DNS (Domain Name Server)

Rather than using your ISP’s default server, pick an OpenDNS or Google Public DNS server. It can improve your Internet speed and your network’s security.

Be Careful with Wi-Fi Network for Guests

Again, the recommendations here are contradictory. Some say it’s better to disable guest networks because they come with no login security and default passwords can be found online. If you can, however, create a custom login and make the guest network expire after a given time, then it’s a great option to provide guests with temporary access to your network, while keeping any shared folder or devices in your network private.

Is Your Router Safe?

We’re curious! How many of these router security settings had you made use of already and which ones didn’t you know about before?

By the way, if you’re still not sure whether your router settings are fine, you can test your network security with this website or use Fing (for Android, iOS, Windows, OS X, Linux) to analyze your network.

Image Credits: Linksys settings via Linksys, NETGEAR genie via NETGEAR

  1. zia
    November 8, 2016 at 2:04 am

    hi,
    does anyone know how to always show search criteria with macOS saved searches by making it the default?

    • Tina Sieber
      November 8, 2016 at 9:55 am

      Hi Zia, I think you scrolled too far and left your comment below the wrong article. The above is about router configuration for home networks.

  2. Bruce Epper
    June 6, 2015 at 12:36 pm

    The Remote Admin function of routers is all about accessing it via the WAN (internet) port. WiFi devices can still hit the admin control panel as long as it is connected to the local network; it does not force the use of a wired connection.

    That said, I have also seen some routers that can force the use of a wired connection for administration but the Remote Admin setting is not the one that does it. It has been some time since I have seen one of them, so I don't remember what they call the setting or even what hardware routers support it.

    • Tina Sieber
      June 6, 2015 at 2:41 pm

      Thanks for pointing out that misunderstanding, Bruce!

  3. fcd76218
    June 5, 2015 at 8:14 pm

    Another alternative firmware is OpenWRT.

    To find faster DNS connections download and use the "namehelp" app.

  4. Edward Gibbs
    June 5, 2015 at 5:36 pm

    I have most of them - 5 GHZ has trouble getting to some parts of my house so I leave both on and I hadn't thought to change the default DNS. I have Guest network enabled with a password, and I use it to connect things that need internet but not access to the full network - like my thermostat. So if it gets hacked (likely, I'm sure it has next to no security) they hopefully can't get to the PCs.

    But I also have something extra that might be controversial. My router is a "Free" router provided by my cable ISP (Cablevision Optimum Online) and it includes an Optimum Hotspot that is wide open to anyone with an Optimum ID. Strangely, I am perfectly OK with this. Partly this is due to the altruistic kick of helping provide "free" internet to others, partly it is because I get a pretty good router (AC1750) at no cost and that I can upgrade anytime I want. There is also the "Plausible Deniability" aspect - if someone on my network downloads a copy of the latest Star wars or something and we get a nasty letter from the MPAA, it might be hard for them to prove it was one of us if we have a wide open hotspot that anyone could have connected to.

    In fact, I have read at least one article by a "security pro" advising people to enable Guest Network with no password for exactly this reason, to provide plausible deniability.

    Of course, I am trusting that there is no way to traverse from the open network to the closed one, and that may be a bad assumption.

    Thoughts?

    • Martin Green
      June 5, 2015 at 5:47 pm

      I would be extremely surprised if the open WiFi feature of your modem operates on the same IP address as your primary connection, so the plausible deniability value is probably moot. That said, leaving your guest portal open is more likely to protect you, although your router logs might give you away if you don't regularly prune them. If your logs are intact for the period of alleged copyright infringement, and only the MAC addresses of your own devices are listed, you are busted anyway. Of course, you could always wipe your logs when you get an ISP copyright warning notice.

      • Bruce Epper
        June 6, 2015 at 12:22 pm

        I have yet to see any routers that will use 2 IP addresses on the WAN port which is what you are suggesting here (open WiFi not using the same IP as your primary connection).

        • Martin Green
          June 7, 2015 at 2:49 pm

          I looked at the Optimum Online FAQ page and although it isn't clearly stated, the terminology does suggest that your ISP is using simple guest account functionality to implement it, which is definitely not secure and makes any guest activity look like it originated from you. If so, this is not the same thing as the true WiFi hotspot networks implemented by some major carriers. Comcast's Xfinity routers, for instance, definitely isolate hotspot connections from your primary IP address.

          From an Ars Technica article on the topic...

          "A Comcast spokesperson told Ars today that this is false, that a customer's private network and the public hotspot 'have separate IP addresses.' A Comcast FAQ says the public hotspots are 'completely separate from your secure Wi-Fi home network.'"

          Here is the full article link...

          arstechnica.com/tech-policy/2014/12/comcast-sued-by-customers-for-turning-routers-into-public-hotspots/

        • Bruce Epper
          June 7, 2015 at 3:20 pm

          Your home network has its own set of non-internet routable IP addresses. The XFINITYWIFI "public" network (effectively a DMZ) has its own non-internet routable IP addresses for its network separate from your private home network. Both of these are connected to a single WAN port that connects to the web with a single IP address.

          I'll be in a Comcast-served monopoly area at the end of next month and will pull data to show this if you want.

          Or if you are in one of those areas you can try it yourself. Connect to your home WiFi network with a device, then find what your internet IP address is at network-tools.com. Now, disconnect from that network and connect to the XFINITYWIFI network on your router. Go back to network-tools.com and look at the same IP address returned from this network as well.

          You still have the same internet-facing IP address regardless of which of your WiFi networks you are connecting to.

          With the exhaustion of IP4 addresses, there is no way Comcast can possibly put 2 IP addresses on every WAN port of the routers they have out there.

        • Martin Green
          June 7, 2015 at 5:04 pm

          I don't know where you are getting your information, but the Xfinity FAQ says you are wrong...

          "Your XFINITY Wireless Gateway broadcasts an additional “xfinitywifi” network signal for use with XFINITY WiFi. This creates AN EXTENSION OF THE XFINITY WIFI NETWORK right in your home that any XFINITY Internet subscriber can use to sign in and connect. This XFINITY WiFi service is COMPLETELY SEPARATE from your secure WiFi home network." (emphasis mine)

          http://www.xfinity.com/wifi/faqs.html

          Also, other tech-oriented sites confirm that Xfinity uses a separate IP address for public WiFi connections to your router. This technique has been used in Europe for several years now.

          http://www.howtogeek.com/184727/your-home-router-may-also-be-a-public-hotspot-dont-panic/

          "With the exhaustion of IP4 [sic] addresses, there is no way Comcast can possibly put 2 IP addresses on every WAN port of the routers they have out there."

          Why not? My cable ISP allows me two distinct public IP addresses from my modem, as do all the other ISPs in my area. Not only that, but the second address doesn't have to be a public-facing one. When you connect to your own WiFi network your router doesn't assign you a public IP, it gives you a local one and then uses NAT to make sure you get the packets intended for you. Xfinity could easily do the same. Note the important phrase from the FAQ quoted above...

          "an extension of the XFINITY WiFi network"

          It doesn't say it is a direct DMZ connection to the internet. When someone connects to the Xfinity hotspot they get a TEMPORARY IP address which would come from the same pool as the older style ISP hotspots that have been around for a while now. They don't have to reserve any more IP addresses for hotspots than they did the old way, they are just eliminating the expense of installing dedicated hardware all over their coverage areas.

          Also, I don't think you understand the nature of the IPv4 address scarcity problem. The challenge is that there are not enough address blocks left to give to new applicants (which may or may not be existing block holders). Companies like Comcast, however, already own huge blocks of addresses, not all of which are being used by their customers at any given time. As long as they have enough slack in their block allocations they could give each customer TEN IPv4 addresses if they wanted to. Since Comcast doesn't publish stats on how many free IP addresses they have available in the blocks they own (to my knowledge) nobody but they can say if they can afford to give each person connected to an Xfinity, or a traditional, hotspot, their own unique public IP address.

          Comcast, and other tech web sites say that Xfinity hotspot users get an IP separate from the home network. Using your experience with your own ISP, which I have already conceded probably DOES share your IP with hotspot users (based on their ambiguous FAQ language) is not evidence that this is the norm.

        • VanishingMediator
          August 14, 2016 at 10:10 am

          I'm confused as to who is arguing what. These days not many people believe that companies like Comcast or that major media outlets that get paid off by them tell the truth.

          The simple question is, if Comcast gets a copyright infringement notice from RIAA or whoever, does it actually mean that the user in question did the infringement. If RIAA only detects the WAN address of the router, and there is only one, doesn't that mean that RIAA cannot tell the difference between a public hotspot user and the person who owns the property the router is in?

          If so, and as Comcast claims, they really can tell the difference, does that mean they are using their inside knowledge of your network to tell the difference? In which case, they are actually spying on you.

          A further question is if the person logging into the public wifi can then hack the router and find out the password for the home network.

          Xfinity has been known to make all sorts of ridiculous claims and tell lies in the past. They will almost always try to steal your personal modem when you have your own and terminate your account. Most SP's put phony taxes on your bills, or ones they have negotiated with the government to benefit from (Bellsouth was notorious for this back in the day, some of their taxes were property taxes on their own HQ). They have all sorts of scams involving sending techs out to fix problems that are obviously caused by remote problems with BS about signal strength or modem problems. I'm fairly certain they used this to switch out many people's hardware.

  5. Zack McCauley
    June 5, 2015 at 5:26 pm

    True to that. I wasn't saying to negate the article, so I apologize if that is how it came across. MAC filtering, a super strong password, changed passwords, etc is still a lot easier than some of the steps and still provides for a stronger network. Anything that can be done to increase the strength is better than doing nothing at all.

    Changing your DNS could have issues with certain setups. I run satellite at home (only thing available and it is still 4x better than Charter in town), and if I change the DNS in the router all internet traffic ceases. *Sigh*

    • Martin Green
      June 5, 2015 at 5:40 pm

      I assumed you were just adding to the article, not trying to negate it. I did the same thing about an hour before you did, but my post is still awaiting moderation since I included a link in it. I was commenting that the author missed a HUGE security hole by not warning against using WPS, which has been demonstrated to be seriously insecure. On some routers without updated firmware even DISABLING WPS is not enough to protect you against its weaknesses. In any case, one of the most basic and important security protocols for home routers is NEVER NEVER NEVER use WPS, and disable it completely if you can.

  6. Zack McCauley
    June 5, 2015 at 4:55 pm

    Forgetting the easiest single way to lock down your network from people logging on.
    MAC Based authentication.
    Get the addresses of all your devices that are approved to join, enter it, and turn on the authentication. No devices will be able to join regardless of password.

    • Martin Green
      June 5, 2015 at 5:06 pm

      Hey Zack, I used to do this, but stopped long ago since MAC whitelisting only provides a false sense of security. Any sniffer can detect the MAC address of any devices you use to connect to your network. After that it is a simple matter to spoof one or more of those MAC addresses and your router will happily let them through.

    • Tina Sieber
      June 6, 2015 at 1:57 pm

      I didn't forget about MAC filtering. This is what I wrote: "DISABLE Wireless MAC Filter. Briefly, MAC addresses are easy to spoof and thus MAC filtering isn’t worth the effort."

  7. Martin Green
    June 5, 2015 at 4:18 pm

    I can't believe you missed one of the most important and basic router security practices. DON'T USE WPS. In fact, not only don't use this proven insecure router feature, but completely disable it. Although some routers are still insecure because they have WPS EVEN IF YOU DISABLE IT, most with current firmware will be much more secure if you turn it off completely.

    http://www.alphr.com/realworld/374104/why-you-shouldnt-use-wps-on-your-wi-fi-network

    • Tina Sieber
      June 6, 2015 at 2:39 pm

      Great point, Martin and I'm not sure either how I was able to miss that one. Just added a paragraph to address this vulnerability. Thanks for pointing it out!

      • Martin Green
        June 7, 2015 at 2:37 pm

        Just one comment about your added paragraph. The reason WPS is so easy to crack with brute force is that only the first four digits of the eight digit code need to be deciphered to break into the router. Instead of the roughly one million possible 8bit codes, an attacker only needs to try about 11,000 combinations.
