9

Having read about the large number of routers infected by Wifatch, I've realised I don't know how to check whether my router has been infected with this or more malicious malware or what I'd do about it.

Besides changing the default password and checking whether the firmware needs updating for security reasons, what important things should everyone do to secure their router and how could you test that security? Is it simply a case of relying on manufacturers to provide firmware patches for any issues?

I have a Billion Bipac 7800N router, but I'm interested in advice that would also benefit friends and family with different devices, as I'm their de-facto security "expert"!

James Bradbury
  • 2,017
  • 19
  • 27
  • 1
    Replace it with a Linux or OpenBSD box. That way your security won't depend on a company which doesn't care about you nor about the security of their software. – André Borie Oct 05 '15 at 12:12
  • 3
    Great idea. When are you available to pop round and teach my Mum how to be a competent Linux sysadmin? ;-P – James Bradbury Oct 05 '15 at 12:19
  • Once it's configured it can be left untouched for years *and* still be more secure than most home routers, so you don't actually need any skills. But besides the basic Linux distribution, have you looked at PFSense or OpenWrt which retain the ease of use of most routers by providing a web interface? – André Borie Oct 05 '15 at 13:36
  • Thanks, they do look good. However, even if you can easily install it on a small, cheap PC or even a router I suspect hardware would be the blocker for the majority of people. I'm interested in what can be done with what people are already using. – James Bradbury Oct 05 '15 at 14:26

4 Answers

4

I always do the following for my home gateway (router + modem) or router (if separate, although I haven't seen a modem that doesn't also include a router in at least a decade):

  1. Change the administrative password; you can write it on a piece of paper taped to the gateway.
  2. Set security settings to highest level. Usually, this means turning off all external ports and external administration. Why would you want this?
  3. From your LAN, visit www.grc.com and run their IP scanning test. Look for any problems and reconfigure to correct them.
  4. Turn on logging and monitor it from time to time. Watch China, Russia and bot nets regularly knock on your front door.
  5. Kill anything that does pass through from outside to inside unless you really need it, and then consider carefully if you really need it.
  6. If you're running a server, use a DMZ and isolate it from your internal LAN. Turn on pass-through ports to the DMZ server only as needed. If you can't DMZ or run the server there, pass through ports, or consider a simpler proxy server in a DMZ that handles all incoming connections, checks for validity, consistency and security, and forwards them to internal systems.
  7. Access to your LAN from outside should be by VPN (preferred), ssh (adequate) or both (belt and suspenders).

Assume any port you leave open to the world has a very high likelihood of being compromised, and thereby compromising your LAN. Again, do you really need an open port (unless VPN)?

Andrew Philips
  • 1,411
  • 8
  • 10
  • 1
    That's a lot of work, but very impressive with your coverage of the details. – SDsolar Jul 24 '17 at 19:10
  • Would you also recommend replacing the vendor's firmware with an open-source firmware, if the router supports it? – pacoverflow Apr 02 '18 at 17:43
  • @pacoverflow that’s a great point. Many of the routers don’t have their s/w updated often (esp for security bugs), so loading up an open source router version works great. It’s hard to find routers to accommodate this type of s/w, though. – Andrew Philips Apr 03 '18 at 04:13
  • I like how the newer Linksys (now Belkin) routers will auto-update. But the flip side is that they rely on using DNS to access deeper pages of their own configuration setup. You can't win. – SDsolar Apr 20 '18 at 15:56
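Step 4 of the answer above says to turn on logging and watch who knocks on the WAN side, and step 5 says to kill anything that passes through. The following is an added example (not from the answer or any router vendor) that does that triage over firewall log lines; it assumes the Linux kernel LOG target's key=value format that many Linux-based routers emit, with constructed sample lines and an assumed WAN interface name of `ppp0`.

```python
"""Triage iptables-style firewall log lines from a home gateway.

Added example. The key=value format is the Linux kernel LOG target's, which
many Linux-based routers use; the sample lines below are constructed.
"""
import re
from collections import Counter

# Constructed sample: WAN interface is ppp0, LAN bridge is br0.
SAMPLE_LOG = """\
Oct  5 12:00:01 gw kernel: DROP IN=ppp0 OUT= SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP SPT=43210 DPT=23
Oct  5 12:00:03 gw kernel: DROP IN=ppp0 OUT= SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP SPT=43211 DPT=2323
Oct  5 12:00:09 gw kernel: DROP IN=ppp0 OUT= SRC=192.0.2.55 DST=198.51.100.2 PROTO=TCP SPT=51000 DPT=7547
Oct  5 12:01:15 gw kernel: DROP IN=ppp0 OUT= SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP SPT=43212 DPT=80
Oct  5 12:02:40 gw kernel: ACCEPT IN=ppp0 OUT=br0 SRC=192.0.2.99 DST=192.168.1.20 PROTO=TCP SPT=60000 DPT=445
Oct  5 12:03:00 gw kernel: ACCEPT IN=br0 OUT=ppp0 SRC=192.168.1.20 DST=203.0.113.200 PROTO=TCP SPT=50001 DPT=443
"""

LINE_RE = re.compile(
    r"(?P<action>DROP|ACCEPT|REJECT)\s+IN=(?P<in>\S*)\s+OUT=(?P<out>\S*)\s+"
    r"SRC=(?P<src>\S+)\s+DST=(?P<dst>\S+)\s+PROTO=(?P<proto>\S+)"
    r"(?:\s+SPT=(?P<spt>\d+))?(?:\s+DPT=(?P<dpt>\d+))?"
)

def parse_line(line):
    """Return the key fields of one log line, or None if it is not a firewall event."""
    m = LINE_RE.search(line)
    return m.groupdict() if m else None

def triage(log_text, wan_if="ppp0"):
    """Summarise inbound activity arriving on the WAN interface.

    Returns (knocks_by_source, knocks_by_port, passed_through): the counters
    cover blocked inbound attempts; passed_through lists inbound connections
    the gateway actually let into the LAN, each of which needs a justification.
    """
    by_src, by_port, passed = Counter(), Counter(), []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if not ev or ev["in"] != wan_if:
            continue  # only traffic that came in from the internet side
        if ev["action"] == "ACCEPT":
            passed.append((ev["src"], ev["dst"], ev["proto"], ev["dpt"]))
        else:
            by_src[ev["src"]] += 1
            by_port[ev["dpt"]] += 1
    return by_src, by_port, passed

if __name__ == "__main__":
    srcs, ports, passed = triage(SAMPLE_LOG)
    print("Top knocking sources:", srcs.most_common(3))
    print("Most-hit ports:", ports.most_common(3))
    for p in passed:
        print("PASSED THROUGH to LAN (justify or block):", p)
```

Outbound LAN-to-internet lines (IN=br0) are deliberately ignored here; port 7547 in the sample is the TR-069/CWMP remote-management port mentioned in another answer on this page.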
2

The very first thing to do is set the main router to use Comodo SecureDNS so nobody outside can even see the domain names visited by your computers.

All you have to do is put in

8.26.56.26 
8.20.247.20 

as the DNS server entries in the DHCP settings in the router.

The second thing is to have everybody install HTTPS-Everywhere in their browsers. Even non-techies can do that much.

These two steps will make it so even the ISP can't tell what they are doing.

You need to change the router's password for administration to something only you know (NOT the same as for WiFi access).

You do not want your router to allow remote administration, period.

And finally, disable UPnP. It allows inside items like baby monitors to be accessible from outside by smartphones. Plus it lets outsiders peek, too. In one case, someone was talking to a toddler through the monitor's speaker and scaring him.

If you want to see how widespread this is, go to http://www.shodan.io/

SDsolar
  • 977
  • 1
  • 6
  • 25
  • -1 for referring to snake oil as bad as GRC. He is pretty much universally hated by the security community by and large. [Obligatory attrition link](http://attrition.org/errata/charlatan/steve_gibson/). – forest Apr 20 '18 at 07:53
  • Yeah, it is definitely better to use Zenmap from outside instead. His service port scanner is the only thing he does that I don't consider snake oil, though. But I sure remember the old days of low-level formatting and how SpinRite saved the day back then. Today, snake oil, pure and simple. – SDsolar Apr 20 '18 at 15:54
  • True. Though his port scanner does tend to miss a lot of things, but it's not quite as bad as his other stuff. – forest Apr 21 '18 at 13:12
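After disabling UPnP as the answer above recommends, it is worth confirming from the LAN that the gateway really stopped answering UPnP discovery. This added example (not from the answer or from any router's firmware) sends an SSDP M-SEARCH for an Internet Gateway Device and parses the replies; the sample reply embedded at the end is constructed, and the `LOCATION` URL and `SERVER` string in it are assumed values.

```python
"""Check from the LAN whether the gateway still answers UPnP (SSDP) discovery.

Added example. Any HTTP/1.1 200 reply with the IGD search target means UPnP
is still on, and LOCATION is the description URL that port-mapping requests
are built from. The SAMPLE_REPLY is constructed, not captured from a device.
"""
import socket

SSDP_ADDR = ("239.255.255.250", 1900)
IGD_ST = "urn:schemas-upnp-org:device:InternetGatewayDevice:1"

def build_msearch(st=IGD_ST, mx=2):
    """Build the SSDP discovery request in UPnP Device Architecture 1.0 format."""
    return (
        "M-SEARCH * HTTP/1.1\r\n"
        f"HOST: {SSDP_ADDR[0]}:{SSDP_ADDR[1]}\r\n"
        'MAN: "ssdp:discover"\r\n'
        f"MX: {mx}\r\n"
        f"ST: {st}\r\n\r\n"
    ).encode()

def parse_ssdp_response(raw):
    """Return an SSDP reply's headers as a lower-cased dict, or None if not a 200."""
    status, _, rest = raw.decode(errors="replace").partition("\r\n")
    if not status.startswith("HTTP/1.1 200"):
        return None
    headers = {}
    for line in rest.split("\r\n"):
        if ":" in line:
            name, value = line.split(":", 1)   # split on the first colon only
            headers[name.strip().lower()] = value.strip()
    return headers

def discover_igd(timeout=3.0):
    """Send one M-SEARCH and return [(sender_ip, headers)] for each IGD reply."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 2)
    sock.settimeout(timeout)
    found = []
    try:
        sock.sendto(build_msearch(), SSDP_ADDR)
        while True:   # keep collecting until the socket times out
            data, addr = sock.recvfrom(4096)
            hdrs = parse_ssdp_response(data)
            if hdrs and hdrs.get("st") == IGD_ST:
                found.append((addr[0], hdrs))
    except socket.timeout:
        pass
    finally:
        sock.close()
    return found

# Constructed sample reply (assumed LOCATION/SERVER values) for offline reading.
SAMPLE_REPLY = (b"HTTP/1.1 200 OK\r\nCACHE-CONTROL: max-age=1800\r\n"
                b"LOCATION: http://192.168.1.1:49152/igd.xml\r\nSERVER: Linux UPnP/1.0\r\n"
                b"ST: " + IGD_ST.encode() + b"\r\nUSN: uuid:example-igd::" + IGD_ST.encode() + b"\r\n\r\n")

if __name__ == "__main__":
    for ip, h in discover_igd():
        print(f"UPnP IGD still answering from {ip}: {h.get('location')} ({h.get('server')})")
```

An empty result after the timeout is the outcome you want; a reply means the setting did not take or another device on the LAN is also advertising an IGD.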
0

If your router is infected, it will be complicated to check whether it is infected (have you heard of rootkits?). I wrote about protecting my router on my new blog: https://securityoversimplicity.wordpress.com/.

What I did to secure my router was scanning it, both private and public side addresses, for open ports. Inside, I did not find anything. As for outside, I found that my router was running a CWMP server (remote management). Disabling this required elevated privileges that I managed to achieve. This does not rule out an infection since, if my router is part of a botnet, I can only tell if the internet is slow. Nowadays, backdoors do not keep open ports; they start connections to C&Cs. What you can do is get a Raspberry Pi and put it between the internet and the router, while capturing the traffic. You must then analyze it of course.

Stay safe ;)

BrunoMCBraga
  • 466
  • 4
  • 12
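The answer above ends with capturing traffic between the router and the internet and analysing it for connections the router (or something behind it) opens to a C&C. One thing to look for in such a capture is a destination contacted at near-regular intervals. This added example (not the answer author's code) does that over a constructed list of connection starts in the shape you would export from a capture tool (epoch time, destination IP, destination port); the addresses, ports and timings are constructed.

```python
"""Find periodic outbound connections ("beacons") in a WAN-side capture.

Added example. Input rows are (epoch_seconds, dst_ip, dst_port) for each
connection start seen leaving the router; everything is NATed behind the
router's public address, so the source column carries no information here.
The sample data is constructed.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample: one destination is contacted roughly every 60 s,
# another is browsed irregularly, and one NTP request is seen once.
SAMPLE_FLOWS = [(t, "203.0.113.250", 8443)
                for t in (1000, 1060, 1121, 1180, 1241, 1300, 1360, 1419)] + [
    (1005, "192.0.2.10", 443),
    (1015, "192.0.2.10", 443),
    (1200, "192.0.2.10", 443),
    (1310, "192.0.2.10", 443),
    (1020, "192.0.2.53", 123),
]

def find_beacons(flows, min_count=5, max_jitter=0.15):
    """Return [(dst_ip, dst_port, count, mean_interval)] for destinations that
    were contacted at least min_count times with inter-arrival gaps whose
    standard deviation is at most max_jitter * mean gap.

    A randomised-sleep beacon needs a looser max_jitter; a quiet home router
    has few destinations, so review every hit rather than tuning it away.
    """
    starts = defaultdict(list)
    for t, dst, port in flows:
        starts[(dst, port)].append(t)
    hits = []
    for (dst, port), times in starts.items():
        if len(times) < min_count:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        m = mean(gaps)
        if m > 0 and pstdev(gaps) <= max_jitter * m:
            hits.append((dst, port, len(times), round(m, 1)))
    return hits

if __name__ == "__main__":
    for dst, port, n, interval in find_beacons(SAMPLE_FLOWS):
        print(f"{dst}:{port} contacted {n} times, about every {interval} s; identify it")
```

A hit is a lead, not a verdict: firmware update checks, NTP and DNS resolvers also beacon, so the next step is to identify the destination and which LAN host (if any) originates the traffic.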
-1

First off I want to state that I am in no way an "Apple fanboy" but while listening to an episode of Security Now with Steve Gibson, they made an interesting note that Apple routers have not been part of any of the recent "router exploits", i.e. Linksys and others. Apple keeps their router hardware pretty well locked down and up to date. On top of that, follow your advice and make sure the default password is always changed. If it has other avenues of entry, i.e. SSH, test for that and at a minimum make sure its password is changed.

user92592
  • 544
  • 1
  • 5
  • 13
  • 1
    Steve Gibson is da man. Upvote for mentioning his name. But be sure to check my answer to this - GRC (Gibson Research Corp) is mentioned as a final check, and the steps I prescribe will take care of most of the best practices that can be controlled by the router and one browser extension – SDsolar May 16 '17 at 21:48
  • @SDsolar You know that he's a charlatan that no one in infosec takes seriously, right? – forest Dec 01 '18 at 03:34