This site focuses on the security of routers. Period. If you are interested in faster WiFi, look elsewhere. The site covers configuration
changes to make a router more secure, and, picking a router that is more secure out of the box.
Why devote an entire site to router security?
I used to be like you. That is, I would buy a router, it would work fine and I would ignore it for years. But, anyone who follows tech news has no
doubt heard of assorted router flaws. After some huge flaws, affecting millions of routers, caught my attention, I started following
the topic more closely. As a Defensive Computing guy, I eventually realized that I needed to upgrade my
own router security and get more up to speed on the topic.
I spoke on Securing a Home Router at the
HOPE conference in July 2014. This website is planned to contain all the information in that presentation
and be kept up to date with new developments. It's a journey of a thousand miles and I have only taken the first few steps.
Non-techies can start at the Introduction to Routers page, which discusses what a router is conceptually, describes
the hardware and the many ways to communicate with a router.
Router security may be a dull and boring topic, but it's important. As proof, see the page on what can happen if your router gets hacked.
As of June 2015, the list of configuration changes to increase router security is far from complete. The topic on selecting a secure router is
mostly complete, as is the checklist page which lists router security features to look for when buying a router. The
router bugs topic is more than complete enough to make its point - don't buy a consumer router.
A PDF of my HOPE presentation is available
at box.net (last updated Oct. 4, 2014). Audio is available
at x.hope.net (thanks to 2600). An article about the talk appeared in Toms Guide.
This site has NO ADS. If you see ads, either your browser, computer or router is infected with adware.
Picking a Router
The first step towards a secure router is choosing a router.
Many people use the device given them by their Internet Service Provider (ISP) which I think is a bad idea for a
number of reasons.
The next decision is buying a consumer router or a business class device. Don't buy a consumer router.
I am not alone in pointing out the sad state of router software/firmware.
Which router do I recommend? The Pepwave Surf SOHO router from Peplink. My only
relationship with Peplink is that of a customer.
How secure can a router get? Only as secure as its included features allow. For a list of router security features see my Security Checklist. The most expert person in the world can only make a router as secure as the included features allow.
Consumer Reports is no help in picking a secure router. Here's a screen shot from the ratings on their website. Each router is graded on security which they define as
"features such as encryption, remote administration default settings and filtering and firewall compatibility." Useless.
Finally, some thoughts on Apple routers and Google Wifi and OnHub routers and Routers for Dummies.
Secure Router Configuration - Start With This
When complete, this site will list dozens of tweaks to make a router more secure. But, at the least, make these changes:
- Change the password used to access the router. Anything but the default should be OK, but don't use a word in the dictionary.
- Turn off WPS
- Wi-Fi security should be WPA2 with AES (do not use TKIP)
- The Wi-Fi passwords need to be long enough to stall brute force attacks. Opinions on the minimum length differ, my best guess is that 14 characters should be
sufficient. A totally random password is not necessary, "999yellowtulips" is both long enough and easy to remember.
- Turn off Remote Administration. It may also be called Remote Management, Remote GUI or Web Access from WAN. (its probably
- Turn off UPnP and NAT-PMP to protect both yourself and the rest of the Internet. For more see the Turn
Off Stuff page.
- Test the firewall in the router at Steve Gibson's ShieldsUP! site (click the gray Proceed button). Start with the Common Ports test and pay special attention to the SSH (22) and Telnet (23) ports as these services are frequently abused by bad guys. The only good status for any port is Stealth (assuming remote administration is disabled). Next, do the All Service Ports test. Finally, do the Instant UPnP Exposure Test (orange button).
- If any of your Wi-Fi networks (a router can create more than one) use the default name (a.k.a. SSID) then change it. Also, if they use a name that makes it obvious
that the network belongs to you, then change it. More...
- Use a Guest Network whenever possible. If the router offers Guest Network configuration options, turn off all sharing.
- For extra credit, turn off wireless networks when not in use. Some routers let you schedule this, others have a Wi-Fi on/off button. If the router has an iOS or Android
app, the app may be able to do this. Many routers require logging in to their web interfaces to disable the Wi-Fi. In that case, a browser bookmark can ease the pain.
- A common router attack changes the DNS servers. This is extremely dangerous and normally invisible. The websites dnsleaktest.com and whoer.net tell you the DNS servers used by your computing device. They are your friend. Use one of them often to insure that the DNS servers have not changed. Maybe make it your web browser home page. For dnsleaktest.com, check everything it tells you: the IP address, hostname, ISP and country of the DNS server(s) you are currently using.
- Register the router with the hardware manufacturer on the chance that they notify you of security flaws or new firmware. Netgear offers a Security Advisory Newsletter that I registered for, but never heard anything from.
- Periodically update the firmware and eat your vegetables
Secure Router Configuration in Detail
- Suggestions for setting up a new router
- Setting a good router password (not WiFi password) is almost always the best first step for both new and
- Selecting a unpopular range of IP Addresses helps prevent many router attacks
- Don't let DHCP give out the full range of available IP addresses. Reserve some for static assignment.
- Turning off features you are not using reduces the attack surface (added June 18, 2015)
- Be smart about choosing an SSID/network name (added July 11, 2015)
- There is more to encryption than just choosing WPA2 (added July 13, 2015)
- Of course, upgrade the firmware (added Aug 19, 2015)
- Test if your router supports HNAP using the procedure on the Test
Your Router page. Hopefully it does not. (added Nov. 14, 2016)
- MUCH more to come ...........
When you are all done making configuration changes to a router, it is a good idea to back them up. Routers normally can export a file with the
current settings. On a Pepwave Surf SOHO router, go to the System section, click on Configuration, then click the Download button to Download Active Configurations. With a TP-LINK Archer C8, go to the Advanced
tab, click on System Tools, then on Backup and Restore, then the Backup button.