
Hardening a Home or Small Business Network Against Compromise



#1 britechguy (Moderator)

Posted 20 September 2017 - 10:25 AM

How do various people do this?

 

I'm not talking about sophisticated networks with lots of equipment, hardware firewalls, etc., but your typical home modem-router (or modem plus router) or similar that might be used in a very small private office.

 

I really don't do all that much these days as most defaults seem to be more than adequate to the task.

 

I do make sure that:

 

1.  Remote access to the router admin function is off.

 

2.  That the admin user ID is changed from the default of "admin" when that's possible.  If the password is "password" (which, BTW, I have not seen in ages) I make sure to change it to something else that is memorable for the user but virtually impossible for a random passerby to guess.  The trend over the last few years is that the admin ID is "admin" (and often unchangeable) and the password is the serial number of the device.

 

3.  Set up all WiFi with WPA/WPA2 and a password that's easy for the user to remember but virtually impossible for a random passerby to guess.  Encryption set to AES.  If the router supports guest WiFi I always set up that network so that the user need not expose their actual home/office network to guest users.

 

4. Go to the ShieldsUp! page at GRC.com to see what, if any, ports are visible to the world at large.  (I'm not quite so nervous about Ping as Mr. Gibson is so long as everything else passes).

 

Just these simple steps have prevented any (successful, anyway) attacks for as long as I've been employing them.  But since I've been employing them for a very long time now I figure there's got to be something new that I should be doing that I'm not.

 

What do others do?

 


Brian  AKA  Bri the Tech Guy (website in my user profile) - Windows 10 Home, 64-Bit, Version 1803, Build 17134 

      Memory is a crazy woman that hoards rags and throws away food.

                    ~ Austin O'Malley
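As an added example (not part of the original post, and not a tool the poster uses): a small TCP connect-scanner that reproduces the spirit of the ShieldsUp! check for the ports a consumer router typically exposes, so items 1 and 4 above can be verified from your own vantage point. The port/service table is my own selection and not anything from GRC.com; port 7547 (TR-069) is included because ISP-managed modem-routers often listen on it. Run it from outside the network (a VPS, or a phone on cellular data) against the site's public IP; run from inside the LAN it only shows what the router offers to LAN clients, which is a different and much less important question.

```python
"""Connect-scan a host for the TCP ports a home router typically exposes.

Added example, not from the original thread. Run it from OUTSIDE the
network against the public IP to reproduce what ShieldsUp! reports.
"""
import socket
from concurrent.futures import ThreadPoolExecutor

# TCP services commonly found listening on consumer routers (my selection).
# 7547 is TR-069 (CWMP), the ISP remote-management channel; the rest are
# admin UIs and shells that should never answer from the WAN side.
ROUTER_TCP_PORTS = {
    21: "ftp", 22: "ssh", 23: "telnet", 53: "dns", 80: "http-admin",
    443: "https-admin", 5000: "upnp-igd (some models)", 7547: "tr-069",
    8080: "http-alt", 8443: "https-alt",
}


def port_is_open(host: str, port: int, timeout: float = 1.0) -> bool:
    """Return True only if a full TCP handshake completes on host:port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        # ECONNREFUSED, timeout, unreachable: all count as closed/filtered.
        return False


def scan_ports(host, ports, timeout: float = 1.0, workers: int = 32):
    """Scan the given ports concurrently; return the sorted open ports."""
    ports = list(ports)  # accepts the dict above (keys) or any iterable
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda p: port_is_open(host, p, timeout), ports))
    return sorted(p for p, ok in zip(ports, results) if ok)


def report(host: str, open_ports) -> str:
    """Human-readable summary using the service names from the table."""
    if not open_ports:
        return f"{host}: none of the listed TCP ports are reachable"
    lines = [f"{host}: {len(open_ports)} port(s) reachable:"]
    for p in open_ports:
        lines.append(f"  {p:>5}/tcp  {ROUTER_TCP_PORTS.get(p, 'unknown')}")
    return "\n".join(lines)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    print(report(target, scan_ports(target, ROUTER_TCP_PORTS)))
```

Anything the report lists as reachable from the WAN is worth explaining: an admin UI on 80/443/8080/8443 means item 1 (remote administration off) did not take effect, and 7547 is the ISP's management hook, which you usually cannot close yourself.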


#2 Kilroy (BC Advisor)

Posted 20 September 2017 - 11:16 AM

The only real change I would make is to use the Guest network function of the router for IoT devices.  That way if one of your IoT devices is compromised the worst they can do is mess around with your other IoT devices and not your computers.

 

Other than that you should change your router password, even if it is the serial number.

 

I think the current wireless recommendation is WPA2 and only other security if connecting equipment won't connect to WPA2.



#3 britechguy (Topic Starter, Moderator)

Posted 20 September 2017 - 11:26 AM

> Other than that you should change your router password, even if it is the serial number.

 

Seriously, why?  These are some of the most "unguessable" passwords I've ever encountered.

 

Now, mind you, if the idea is to make it impossible (or nearly impossible) for anyone who might have physical access to the router to ever be able to log in as admin then I immediately do this, but I check with the client as to what they want in this regard.

 

I've had a nightmare scenario where I did change it to something else and later the user could not log in to the router and I had done some pretty extensive tweaking.  I could not log in, either, since I virtually never (except for very select clients and at their request) keep any passwords that I change for anything.  I don't want the responsibility of having that information and my brain certainly doesn't retain it after a very short period of time, and the more arcane the password is to me the shorter the time my brain retains it.  I can't retain a serial number without writing it down if I'm working out of reaching distance for the router.

 

I will choose WPA2 if it's available standalone, WPA/WPA2 if only available in combination.  

 

An additional question:  In instances where you are hooking up a straight router to a DSL modem (or cable modem, I guess, but I haven't encountered one of these - they've always been modem-routers in my experience) is there anything in particular you should be looking to do as far as the modem itself?


Edited by britechguy, 20 September 2017 - 11:28 AM.


#4 Kilroy (BC Advisor)

Posted 20 September 2017 - 11:59 AM

There shouldn't be anything you need to do on a modem only setup.  Any security is what the ISP determines.  They do make cable modems that are just cable modems.  I replaced mine yesterday after Comcast bricked my previous one with an update.

 

If you don't already own your modem this is probably something to look into.  The modem I purchased was $50; that cost would be covered in less than half a year for what most cable companies charge.  If you do purchase your own modem, you will have to call the cable company to have it set up; it isn't plug and play.  You connect it and the cable company has some configuration to allow it to work.  I was back online in 15 minutes.  Modem fees are a big money maker for cable companies.  Make sure you check your bill after you return their equipment to make sure they aren't charging you.



#5 britechguy (Topic Starter, Moderator)

Posted 20 September 2017 - 12:37 PM

Kilroy,

Thanks.  In this case the situation is not my own, and I am well aware of the cash cow that is modem/modem-router rental from most ISPs.  I've considered changing over to Comcast and if I decide to do so I will definitely be buying my modem-router myself.  You are correct about the cost being covered in a very short time, particularly if one opts for factory refurbished or used.

In this case I will be setting up at a client site where they have a very small telco which is the only ISP available and where the only equipment provided to the customer is a DSL modem.  I'll be going in and setting up the router and LAN (which they'll be connecting to via ethernet) as well as internal and guest WiFi networks.

I posted this topic because it's so easy to put oneself on autopilot for certain things and not revisit them.  It's been a while since I've solicited opinions on whether there's something more or better that I could be doing with setting up this sort of very small-scale LAN using equipment that's designed for the home or small office.  I figure someone will pipe up with a, "You're forgetting about {fill in the blank}!!," for anything that I'd obviously overlooked or somehow never considered.  There's no better way to gather new perspectives than to ask for them!



#6 SleepyDude (Malware Response Team)

Posted 20 September 2017 - 12:57 PM

> Other than that you should change your router password, even if it is the serial number.

> Seriously, why?  These are some of the most "unguessable" passwords I've ever encountered.

Because sometimes someone finds and posts online a list of those "default" passwords, or finds a way to calculate them by reversing the algorithm used to create them, or something like that!

A long time ago one of the ISPs around where I live used the router model as the SSID and didn't bother to change that or the default wireless password when setting things up for its clients. Later someone posted online a list of default wireless passwords for those routers. I tested that and easily connected to a neighbor's wireless network using the original wireless password leaked to the net.


Edited by SleepyDude, 20 September 2017 - 01:01 PM.

• Please do not PM me asking for support. Post on the forums instead it will increases the chances of getting help for your problem by one of us.
• Posts in the Malware section that are not replied to within 4 days will be closed. PM me or a moderator to reactivate.
• Please post your final results, good or bad. We like to know! Thank you!

 
Proud graduate of GeekU and member of UNITE
___
Rui

 
 


#7 arlattimor (Members)

Posted 20 September 2017 - 01:48 PM

I would add one more thing that will ensure only authorized systems are on the network, and that would be to enable your ACL (Access Control List) or MAC filter list, brother. Enabling your ACL or MAC filter list with only systems that are authorized to be on the network puts the last nail in the coffin.


Edited by arlattimor, 20 September 2017 - 01:50 PM.

A. Lattimore

CCNA, CWNA, MCITP, MCSA, MCT, MCP, Security+, Server+, Linux+, Network+, A+, CNST

Network Security Engineer

 


#8 Kilroy (BC Advisor)

Posted 20 September 2017 - 02:30 PM

The problem with MAC and ACL lists is that they must be maintained.  If it is your equipment and you set it up, that is fine, but if you're setting it up for someone else you're better off leaving it open.

 

I support my parents' equipment.  They are in their 70s and I'm ten hours away.  I got hosed when I configured an Amazon Echo Show for them and found out they switched ISPs and removed the router I had in place with the old ISP.  That wasn't the best part.  The install technician set their desktop computer, which is in the same cabinet as the modem/router, with a wireless connection.  So, when I changed their wireless SSID back to what I had on the old router I could no longer connect to their computer with TeamViewer.  Talking my father through anything on the computer can be a very painful experience.



#9 arlattimor (Members)

Posted 20 September 2017 - 03:13 PM

I am sorry BC, but I am going to have to disagree with you on this one.  This is why you document your network, so that situations like this can be easily resolved. This is for a client, i.e. a professional installation, not a mom & pop setup. As such this information should be documented, and a network diagram provided in case of expanding the network in the future. Considering that britechguy will be the engineer/installer, this is information he should be providing to his client.

It is not that hard to add a MAC address to an ACL, whether britechguy or the client does it; this is just my opinion, BC.



#10 shelf life (Malware Response Team)

Posted 20 September 2017 - 04:37 PM

> What do others do?

 

Disable the UPnP protocol. Prefer to port-forward any application/port myself.


How Can I Reduce My Risk to Malware?
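Added example for the UPnP point above (not code from the original thread): the only way to know the router's "UPnP disabled" switch actually took effect is to ask the LAN the way a UPnP client would. The block below builds a standard SSDP M-SEARCH for the Internet Gateway Device profile (the UPnP service that lets any LAN host open WAN port mappings by itself), multicasts it, and parses whatever answers. If UPnP is off, the probe should time out with no IGD reply. The sample reply in the test is constructed; the 192.168.1.1 address in it is a placeholder, not a real device.

```python
"""Probe the LAN for a UPnP Internet Gateway Device via SSDP.

Added example, not from the original thread. A reply from the router
means UPnP/IGD is still on, whatever the admin page says.
"""
import socket

SSDP_ADDR = ("239.255.255.250", 1900)
# Search target for the IGD profile: the service that performs
# AddPortMapping on behalf of LAN hosts.
IGD_ST = "urn:schemas-upnp-org:device:InternetGatewayDevice:1"


def build_msearch(st: str = IGD_ST, mx: int = 2) -> bytes:
    """Build an SSDP M-SEARCH request (HTTP-over-UDP, UPnP Device Arch 1.1)."""
    return (
        "M-SEARCH * HTTP/1.1\r\n"
        f"HOST: {SSDP_ADDR[0]}:{SSDP_ADDR[1]}\r\n"
        'MAN: "ssdp:discover"\r\n'
        f"MX: {mx}\r\n"
        f"ST: {st}\r\n"
        "\r\n"
    ).encode("ascii")


def parse_ssdp_response(data: bytes) -> dict:
    """Parse an 'HTTP/1.1 200 OK' SSDP reply into lower-cased headers.

    Returns {} for anything else (NOTIFY, garbage). Header values are
    untrusted network input: only the first occurrence of each header is
    kept and values are capped at 512 characters.
    """
    text = data.decode("utf-8", errors="replace")
    lines = text.split("\r\n")
    if not lines or not lines[0].startswith("HTTP/1.1 200"):
        return {}
    headers = {}
    for line in lines[1:]:
        if not line:
            break  # blank line ends the header block
        name, sep, value = line.partition(":")
        key = name.strip().lower()
        if sep and key and key not in headers:
            headers[key] = value.strip()[:512]
    return headers


def is_igd_response(headers: dict) -> bool:
    """True if the reply advertises an IGD with a description URL."""
    st = headers.get("st", "").lower()
    return "internetgatewaydevice" in st and "location" in headers


def discover(timeout: float = 3.0, st: str = IGD_ST):
    """Multicast one M-SEARCH and collect (sender_ip, headers) until timeout."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 2)
    sock.settimeout(timeout)
    found = []
    try:
        sock.sendto(build_msearch(st), SSDP_ADDR)
        while True:
            try:
                data, addr = sock.recvfrom(4096)
            except socket.timeout:
                break
            headers = parse_ssdp_response(data)
            if headers:
                found.append((addr[0], headers))
    finally:
        sock.close()
    return found


if __name__ == "__main__":
    igds = [(ip, h) for ip, h in discover() if is_igd_response(h)]
    if not igds:
        print("no IGD answered: UPnP port mapping appears to be disabled")
    for ip, h in igds:
        print(f"IGD at {ip}: {h.get('server', '?')} -> {h['location']}")
```

A LOCATION URL in a reply points at the device description XML; fetching it and finding a WANIPConnection or WANPPPConnection service confirms the router will honour port-mapping requests from any host on the LAN, which is exactly what a compromised IoT device or malware would use.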


#11 britechguy (Topic Starter, Moderator)

Posted 20 September 2017 - 06:02 PM

> Other than that you should change your router password, even if it is the serial number.

> Seriously, why?  These are some of the most "unguessable" passwords I've ever encountered.

> Because sometimes someone finds and posts online a list of those "default" passwords, or finds a way to calculate them by reversing the algorithm used to create them, or something like that!

> A long time ago one of the ISPs around where I live used the router model as the SSID and didn't bother to change that or the default wireless password when setting things up for its clients. Later someone posted online a list of default wireless passwords for those routers. I tested that and easily connected to a neighbor's wireless network using the original wireless password leaked to the net.

Again, I'm talking about the newer devices that use a serial number here.  This is not at all the same situation.  Trying to map the millions of serial numbers to any single instance of a device is not something that is at all likely to occur.

 

I generally change these because no one can remember them without picking up the device and looking at it (but as often as not that's a very good thing).  I have yet to see a serial number password "guessed" or hacked.



#12 britechguy (Topic Starter, Moderator)

Posted 20 September 2017 - 06:09 PM

> I am sorry BC, but I am going to have to disagree with you on this one.  This is why you document your network, so that situations like this can be easily resolved. This is for a client, i.e. a professional installation, not a mom & pop setup. As such this information should be documented, and a network diagram provided in case of expanding the network in the future. Considering that britechguy will be the engineer/installer, this is information he should be providing to his client.

> It is not that hard to add a MAC address to an ACL, whether britechguy or the client does it; this is just my opinion, BC.

 

And I'll have to disagree with you, at least partially, on this one.  Even in many offices they do not want any unnecessary difficulty added when it comes to adding devices to the WiFi network at a future point in time, and having a MAC Address ACL is something virtually no one who doesn't already understand them wants to deal with unless they want really tight security.

 

Turning off WPS and setting up a WiFi network with a password that is reasonably resistant to random guessing is more than enough in most instances.

 

To me this is all about taking reasonable precautions against drive-by/walk-by access.   If you've got a really dedicated hacker who's determined to get in they'll do it.

 

P.S.  I always turn off UPnP.  But these days it's generally off by default.

 

In this particular instance, the very location of the facility puts it well outside much drive-by or walk-by traffic of any kind.  I'm not going for absolutely impenetrable here, but trying to balance ease of use for those with "inside information" against keeping out everyone else.


Edited by britechguy, 20 September 2017 - 06:09 PM.


#13 arlattimor (Members)

Posted 20 September 2017 - 06:40 PM

I'm sorry brother, but I am going to have to disagree with you. I could understand your viewpoint if this were a large network. Then you would have to deal with the administrative overhead of dealing with many systems. But by your own admission, this is a small network. Better to err on the side of caution. Adding MAC addresses to an ACL is something that takes less than a minute to do and is easily taught to a client if they are administering the network themselves. You can never compromise on security, especially if this is a business network.


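Added example for the MAC-filter discussion in #7, #9, #12 and #13 (my code, not anything posted in the thread): if an allow-list is going to be maintained at all, it should be generated from the written device inventory arlattimor describes rather than typed into the router by hand, and it should be sanity-checked first. The inventory format below is made up for the example, and vendor-specific syntax for loading the list into a router is not shown. Two caveats the list itself cannot fix, which bear on the maintenance burden Kilroy raises: a MAC address is sent in the clear in every frame and is trivially cloned by anyone within radio range, so the filter only keeps out the casual passer-by; and phones and laptops that enable per-network MAC randomization present a different address from the one printed on the device, so they either get rejected or get admitted under an address that later changes. The second case is detectable (randomized addresses set the IEEE "locally administered" bit), and the script flags it.

```python
"""Build and sanity-check a wireless MAC allow-list from a device inventory.

Added example, not from the original thread. The inventory below is a
constructed sample; the addresses are illustrative, not real devices.
"""
import re

# Constructed sample inventory: (owner, device, MAC as it was written down).
INVENTORY = [
    ("front desk", "Dell desktop",  "A4:BB:6D:12:34:56"),
    ("front desk", "HP printer",    "a4-bb-6d-ab-cd-ef"),
    ("owner",      "iPhone (wifi)", "d2:1f:3e:44:55:66"),  # randomized-style
    ("owner",      "iPhone (wifi)", "A4BB.6D12.3456"),     # same as desktop
    ("guest AP",   "ignore me",     "not-a-mac"),
]


def normalize_mac(raw: str):
    """Return 'aa:bb:cc:dd:ee:ff' for any common notation, else None."""
    raw = raw.strip()
    if re.search(r"[^0-9a-fA-F:.\- ]", raw):
        return None
    hexonly = re.sub(r"[^0-9a-fA-F]", "", raw)
    if len(hexonly) != 12:
        return None
    return ":".join(hexonly[i:i + 2].lower() for i in range(0, 12, 2))


def is_locally_administered(mac: str) -> bool:
    """True if the U/L bit (0x02 of the first octet) is set.

    Burned-in vendor addresses have it clear; OS-randomized addresses
    set it, so a set bit means "this address may not be stable".
    """
    return bool(int(mac[:2], 16) & 0x02)


def is_multicast(mac: str) -> bool:
    """True if the I/G bit (0x01 of the first octet) is set; never a client."""
    return bool(int(mac[:2], 16) & 0x01)


def build_allow_list(inventory):
    """Return (allow_list, warnings): sorted unique MACs plus what was odd."""
    allow, warnings, seen = [], [], {}
    for owner, device, raw in inventory:
        who = f"{owner}/{device}"
        mac = normalize_mac(raw)
        if mac is None:
            warnings.append(f"{who}: '{raw}' is not a MAC address, skipped")
            continue
        if is_multicast(mac):
            warnings.append(f"{who}: {mac} is a multicast address, skipped")
            continue
        if mac in seen:
            warnings.append(f"{who}: {mac} already listed for {seen[mac]}")
            continue
        if is_locally_administered(mac):
            warnings.append(
                f"{who}: {mac} is locally administered (likely a randomized "
                f"address; it may change on the next connection)"
            )
        seen[mac] = who
        allow.append(mac)
    return sorted(allow), warnings


if __name__ == "__main__":
    allow, warns = build_allow_list(INVENTORY)
    print("allow-list:")
    for mac in allow:
        print(" ", mac)
    print("warnings:")
    for w in warns:
        print(" ", w)
```

Keep the inventory file under version control or at least dated alongside the network diagram; the router's own list is then a generated artifact, and "why can't the new laptop connect" is answered by diffing the inventory rather than by remembering what was typed into the router six months ago.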

#14 britechguy (Topic Starter, Moderator)

Posted 20 September 2017 - 06:47 PM

> I'm sorry brother, but I am going to have to disagree with you. . .  You can never compromise on security, especially if this is a business network.

 

Well, then we'll have to disagree.  This isn't a compromise, it's dealing with the full picture.



#15 arlattimor (Members)

Posted 20 September 2017 - 06:49 PM

:thumbup2:  :thumbup2:  :thumbup2:  :thumbup2:
