The topic is an important one: how do you make sure you have a secure router? As your firewall, it’s your first line of defense against malware trying to get at your computer from the internet.
You want to make sure there aren’t big gaping holes. And sadly, very often and by default, there are.
Here are the most important steps to a more secure router.
My router versus your router
I have to start with a caveat: there are hundreds, if not thousands, of different routers. Different brands and different models with differing capabilities, power, and, of course, at differing cost.
Most importantly, they have different administration interfaces.
What that means is, I can’t tell you exactly how to make changes to your router, step-by-step. The concepts I’ll cover apply to almost all consumer-grade routers, and I’ll be using an old and popular LinkSys BEFSR81 router and LinkSys WAP54G access point as examples.
You’ll need to “translate” the examples to the equivalent settings on your own router or access point. Make sure you have access to the documentation that came with your router, or locate the user’s manual online.
1. Change the default password
If you do nothing else to secure your router, change the default password. Change it to be something long and strong. If your router supports it, a passphrase of three or more words might be ideal.
The reason for this is quite simple: it’s a common gaping security hole.
For many years, almost every router and access point from the same manufacturer was shipped with the same default password. For LinkSys, if your login is a blank username and a password of “admin”, as outlined in its manual, then anyone and everyone knows it. And anyone can log in to your router and undo any or all of the rest of the security steps we’re about to take.
Then, any malware that takes advantage of the default passwords on routers can make changes without your knowledge.
Fortunately, in recent years, most — though sadly, not all — router manufacturers have been getting smarter. If the instructions that came with your router included checking a sticker on the actual router for the admin password, and that looks like a strong password, then the security hole is significantly smaller. Now only those people who can walk up to your router and look at that sticker can get in.
I’d change the password anyway.
2. Disable remote management
“Remote Management” is a feature that allows your router to be administered from anywhere on the internet.
While this setting (coupled with a very strong password) might make sense for a handful of people, for most folks there’s absolutely no need to administer the router from anywhere but the local machines connected to it.
Make sure the remote management setting is off.
3. Turn off Universal Plug and Play
Universal Plug and Play (UPnP) is a technology that allows software running on your machine to configure services like port forwarding (a way of allowing computers outside your network to access your local computers directly) without you having to go in and administer the router manually.
It seems like a good idea, right?
Nope. Turn it off.
It turns out malware can also be UPnP aware, and can make malicious changes to your router without your involvement or awareness.
(Note: UPnP is unrelated to Windows “Plug and Play” hardware detection; it’s just another unfortunate collision of similar names.)
4. Add a WPA2 key
It’s time for another password, this time to secure and encrypt your wireless connection.
First, use WPA2, not WEP. WEP encryption turns out to be easily crackable, and even WPA (without the 2) has been shown to be vulnerable.
Second, just as you did for the router’s administration password, select another good, secure key / password / passphrase (the terms are roughly interchangeable here). You only need to enter it once here, and once on each machine allowed to connect to your wireless network.
Having a strong WPA2 key ensures that only machines you allow on your network can see your network, traffic, and router.
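How the passphrase you type becomes the actual WPA2 key, as an added example that is not part of the original article: in WPA2's pre-shared-key mode the 256-bit key is computed with PBKDF2-HMAC-SHA1 from the passphrase and the network name (SSID), so the passphrase is the only secret involved. The function names are chosen for illustration; the check values come from the published IEEE 802.11i test vector.

```python
import hashlib

# WPA2 passphrases are 8 to 63 printable ASCII characters (codes 32..126).
_PRINTABLE = {chr(c) for c in range(32, 127)}


def check_passphrase(passphrase: str) -> list:
    """Return a list of reasons the router would reject this passphrase."""
    problems = []
    if not 8 <= len(passphrase) <= 63:
        problems.append("length must be between 8 and 63 characters")
    if any(ch not in _PRINTABLE for ch in passphrase):
        problems.append("only printable ASCII characters are allowed")
    return problems


def derive_psk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit pre-shared key exactly as WPA2-PSK does.

    PBKDF2-HMAC-SHA1, SSID as the salt, 4096 iterations, 32 bytes of output.
    """
    problems = check_passphrase(passphrase)
    if problems:
        raise ValueError("; ".join(problems))
    ssid_bytes = ssid.encode("utf-8")
    if not 1 <= len(ssid_bytes) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes long")
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid_bytes, 4096, 32
    )


if __name__ == "__main__":
    # IEEE 802.11i test vector: passphrase "password", SSID "IEEE".
    print(derive_psk("password", "IEEE").hex())
    # Same passphrase on a differently named network gives a different key.
    print(derive_psk("password", "HomeNetwork").hex())
    # A three-word passphrase is accepted; a five-character one is not.
    print(check_passphrase("correct horse battery"))
    print(check_passphrase("admin"))
```

Nothing in the derivation is secret except the passphrase itself, which is why its length and unpredictability matter more than any other Wi-Fi setting.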
5. Disable WPS
WPS, or Wi-Fi Protected Setup, doesn’t live up to its name – it’s not very “protected” at all.
WPS was intended as a way to make setting up a protected Wi-Fi network easy. WPS would, with the push of a button, set up Wi-Fi encryption between the router and clients that supported it.
The problem with WPS is that the protocol is flawed in such a way that it is vulnerable to a brute force attack. A malicious entity within range can force their way onto your network, bypassing any encryption keys you might have set up.
WPS is enabled by default on many routers. Turn it off.
6. Turn off logging
This has less to do with configuring a secure router and more to do with maintaining your privacy.
This is also about making sure logging is still turned off, since if a router supports any kind of logging at all, it’ll likely be off by default.
Disable the logging, and no information will be kept on the router or sent to any other machine. This should also clear any log the router has.
It’s worth pointing out that most consumer-grade routers do not have the capacity to actually keep complete logs themselves. If they keep anything, it will only be a shorter, partial log. When enabled, some will offer to send the log to one of the computers on your network for storage. Simply disabling logging will not erase any logs stored elsewhere.
7. Secure your router physically
As we’ve already seen, even if the default administrative password is unique to your device, it’s still visible to anyone with physical access to the router who can see the sticker on which it’s printed.
In fact, your secure router may not be secure at all if anyone can just walk up to it.
All of your router’s security settings can be reset in a flash if someone has physical access to the device. Almost all routers have a “reset to factory defaults” mechanism (typically by holding a reset button for a certain amount of time). If someone can walk up to your router and do that, all the security settings you’ve enabled may be instantly erased.
Only you can judge whether or not you need this extra level of physical security, but do consider it.
8. Check for firmware updates
Routers (and access points) are really just small computers dedicated to a single task: handling network traffic. Normally the software — referred to as “firmware”, since it’s stored within the device’s hardware — is solid and just works.
Unfortunately, security vulnerabilities are sometimes discovered, requiring you to update your router’s firmware to stay secure. This usually involves downloading a file for your specific router and using its administration interface to install the update. Some routers can fetch and install the update directly. Either way, the update is a manual step you need to take.
Checking to see if there’s a firmware update for your router is also a manual step. Some routers perform the check at the push of a button in the administration interface. If not, you need to visit the manufacturer’s support site, look for information pertaining to your specific model, and determine if a newer version of the firmware is available.
Two steps that aren’t steps
Each time I mention this article, folks make two additional suggestions for Wi-Fi specifically that do not, in fact, improve security at all. They may even harm security by providing a false sense of added security.
The first is MAC address filtering. I discuss this in more detail in Is MAC Address Filtering a Viable Wireless Security Option? but the bottom line is that, like a cheap padlock, MAC address filtering only keeps out honest people. If someone wants to access your network, MAC address filtering is easily bypassed.
The second suggestion is to turn off SSID broadcast on wireless networks. Even when not being broadcast, the SSID is still visible, unencrypted, in the packets of traffic sent to and from the router. Disabling the broadcast, once again, does nothing to prevent someone with the skills from easily discovering it. I discuss this in more detail in Does Changing or Disabling the Broadcast of My Wireless SSID Make Me More Secure?
When it comes to Wi-Fi, putting a WPA2 password on the connection is currently your best security measure.
Hi Leo,
If you have a wireless router (both router and wireless access point functions built-in to the same device), there’s one more setting you might want to consider.
On these devices there’s usually an option to disable wireless administration. This means that you can only make configuration changes while connected via ethernet cable. That way, even if someone gains access to your wireless network, all attempts to gain access to the router will be ignored.
Sounds like a very good idea kptech if there is a setting like that.
Hi Leo,
I don’t know how to configure my settings so the encryption is WPA. It says my encryption is WEP right now. This means that it is easier to hack, correct? I had no choice on encryption options when I set up the router. I was wondering how to change the settings of the router (if it is via installation disk or something else)?
09-Mar-2009
Also, visit the router manufacturer’s website to see if an upgrade to the firmware is available. Getting such an upgrade and installing it can sometimes add WPA2 capability.
If this is a wireless router, you may also want to enable Wireless MAC filtering.
10-Mar-2009
Wireless MAC filtering is the only way to go as both WEP and WPA encryption have been hacked. MAC address filtering ensures that only computers with the MAC address you specify in the router can connect to it.
10-Mar-2009
Forgot to mention that it’s also good practice to stop broadcasting your SSID.
10-Mar-2009
As I understand it, it’s in fact a very bad practice.
If your router is hidden by not broadcasting your SSID, then ALL devices connecting to it need to announce themselves. That announcement is something like this: deviceName.password@networkName or something similar.
That call is NEVER encrypted. In fact, it’s impossible to encrypt that. All devices set to connect to that network must call the hotspot periodically, typically every 2 minutes or so. The call always contains a list of every network to which that device ever connected.
This opens you to the so-called “evil twin” attack, where someone simulates one of the trusted networks.
It also opens another attack vector: a sniffer may catch your call and replicate it. This may allow an attacker to connect to your network masquerading as you…
MajorDad, you obviously didn’t even read the full article, as Leo addressed both your points specifically. The point of Leo’s articles is to inform and dispel misinformation. After doing so, the misinformation continues.
Reid. This article was from 2009, as were major dad’s comments. The article was updated recently (5/16) apparently incorporating the info into the article.
Please help me. I am a single mother and my teen is not doing as needed and I need help. Her device is what I need to get operator control through router. Please help
You can’t get control access to a device or a computer through the router.
Don’t forget to update the firmware of the router occasionally.
Regarding the original question on CISCO, they do make a home-level router: Zonealarm Z100G which has antivirus, antispyware and a robust firewall BUILT-IN to the hardware. The AV and Antispyware is updated automatically like that on your computer. I have been using the Z100G for a year and it has cut 99% of the spyware and viruses off that I used to get at my computer. Further, it blocks hack attempts at the router rather than letting them flow to my computer for software blocking. (I can see the IP addresses of these hack attempts in the log.) This router acts much like the Enterprise Cisco router most of us are used to using at work.
Leo,
I have two Linksys routers, one a standard W54 wireless and one that a Verizon or Sprint aircard plugs into for remote site internet access. From the standpoint of who can access either wirelessly, am I wrong to rely only on router MAC address filtering? Logic would suggest the router will only talk to the two laptops whose MAC IDs are entered into the router table. Greatly appreciate your newsletter and expertise…mike
12-Mar-2009
How does one change the password? Where are the controls and settings for the router? Mine is a 2Wire system.
13-Mar-2009
I had a Belkin fsd7230-4 model type and it stopped working after some time, so I got a new router which is a Cisco WRT54G, but how do I know when I search for devices which one my new router really is? Right now I don’t know if I’m using my router’s route or some other router’s route. I just want to use mine and secure it. Please inform me what I’m doing.
13-Mar-2009
Verizon FiOS’s wireless router uses the WEP type key. Within the “Advanced” settings there appears to be a means to select WPA rather than WEP. Has anyone using FiOS done this successfully? Any glitches or warning? Curious before I go there.
I currently have my FiOS router set up with WPA2. I don’t recall offhand how to do it, but it can be done.
The physical security of routers would become stronger than now if that reset button is removed completely and instead one small electronic item is added to the hardware of the router, and that item’s job is to reset the router when it receives a special signal from a key provided with each router. When the key is pressed it sends the required reset signal, just like that used for cars to open and close the doors. Then no one can do a reset unless he has the key. I don’t know why the manufacturers have not thought of that yet.
thanks for your articles.
mohamad ahmad
Using Dlink wireless 615, can I set up the router to ask for a passphrase each time a client wishes to connect, like after reboot? My laptop sees the router and connects automatically, but I’d like to discourage clients that have had access in the past, just being to log on use bandwidth in a conference environment.
How do I secure my Verizon FIOS router/modem from other users within my network? I’m hardwired to it but the others in my household use it wirelessly. I would like to know if they can still “tap” into my computer. Thanks.
They just can’t “tap” into your computer. They, and you, can’t do it even if they are hardwired to your router.
ONLY if you explicitly set some folders as shared, then they can see and access those, but absolutely nothing else. Even in this case, you may only grant read access, impose per-user quotas (if allowed write privileges) and some other limits.
There is no way for them to even see anything else on your computer, or for you to see anything else on theirs. If it’s not explicitly shared, it’s not accessible.
Maybe I’m starting from a few steps behind, but what this doesn’t tell me, and I don’t know, is how to access my router settings.
25-Jun-2010
Good article on WEP vs. WPA
http://www.onlinecomputertips.com/networking/wep_wpa.html
hi i got a question.
i changed the password like you told me to but i didn’t change the username. now i login to my router because i don’t know the username. what should i do??
Here’s a nice writeup on logging on Netgear routers:
http://kb.netgear.com/app/answers/detail/a_id/1014/~/using-netgear-router-logs
They start out: “Router log features vary by model. Advanced, business-oriented routers such as the FVS328 have extensive logging features, such as monitoring for specific types of attack, and reporting to a security monitoring program. Home routers such as the WGR614 and WGT624 only have only basic features such as router reboots, and reporting when people go to sites that you blocked.”
I had a Linksys router too, but recently got a Netgear router. What I liked about this router is that besides the security wpa2 password security, it blocks also any other connections except those that have an approved MAC address. Together both those items block all the non-authorized connections. It also is far easier to set up.
A good tip to add to this is to only access the router via https – I have a Cradlepoint and a Linksys and both have the setting for that, usually under admin. That way when you send your password over the internet it is secured. In the case of the Cradlepoint I have to physically type https in the browser – the Linksys pulls it up automatically…
Whether you should broadcast your SSID has been hotly debated. After much reading/research in this area I broadcast mine. Here is some interesting reading on it…
http://technet.microsoft.com/en-us/library/bb726942.aspx
where do i find these screens?
13-Oct-2011
Leo, I would be interested in your views on WPS (WiFi Protected Setup), what the risks are with it, and so whether it should be turned off (if possible!!). Thanks
09-Jun-2012
I really appreciate this article, changed from WEP to WPA. This is a Verizon DSL router, an Actiontek. You just go into the wireless section, choose WPA, and add a password.
While in the router, even though NAT was enabled, noticed that the firewall was indicating not on. Never have noticed that before nor had a problem. Elsewhere Leo mentioned routers having built in firewalls, but maybe people need to check and see if it says the firewall is on?
Or conversely, is there an additional firewall of some sort plus the one you can enable? And if you have the Windows firewall enabled, is that too much? So far, no problems, but I am a bit confused, any help would be appreciated.
14-Jul-2012
how can i protect my wireless network when everybody knows my wireless password keys?
@Aung Naing
If many people know your wireless key, you could change it. You can find out how to do this either by reading the documentation that came with your router or on the manufacturer’s website.
Hey Leo. If logging was on, is there any way to delete the logs? Could people still view the logs even if they’re off?
Please respond asap
09-Oct-2012
Hi Leo, I have a router/EMTA from Comcast. Any way to lock it down more than it is? The model is Arris tg862; it’s their most commonly used one.
You’ll have to check the documentation that came with that router, or ask Comcast. IF they allow you to configure it (sometimes ISPs that provide the router don’t) then there should be a way to access the configuration screens for it via your browser. Exactly how that works differs for every router, so I can’t really get you details.
Thank you for this article. I have a Linksys WRT54G Router (which is what you mentioned in your article, I believe….). I was able to verify MOST of the settings that you had mentioned (which were already set as you suggested). HOWEVER, I could not find a setting for WPS. I *did* find a setting for “SecureEasySetup” (which is enabled by default). However, I could not figure out what that setting is (and the online help does not seem to mention this setting). Can you clarify this? Thank you!!
I don’t know for certain but I would assume that SecureEasySetup is WPS by another name, and should be disabled.
Thank you… I thought that the WAP54G that you use would be similar enough to the WRT54G that you might have been more definitive… but I took your advice here…
I have D-Link. I don’t even know how to access all these settings??? and where I can change password. Years back when I bought it, I just plugged it in I think.
My DLink is at 192.168.0.1 I think that might be the default IP address. So try typing that into your internet browser and see if you get in to the log in screen. Failing that, go to a command prompt (Start Menu, Run, CMD) and type ipconfig. Look for Default Gateway. That should be the IP address of the router.
The default log in for my router is “admin” with no password. Try that. If you get in, it’s time to start securing it, like Leo suggests.
Any router that is DD-WRT or Tomato firmware supported should have its firmware flashed with those. If you’re concerned about security. Search the net for router backdoors. Most have them built in from the factory. My routers- Dlink are not supported. And Dlink is made in China and known to have the backdoor. But flashing with DD-WRT or Tomato should make your router more secure and remove the factory backdoor.
Hello, I use Comcast and I would like to know how to do the above step to secure my router. I have tried but cannot locate any of the places to change the password. Also Comcast provides Norton, that I use and they do remotely connect to my system to help me keep secure. PLEASE help. I want to secure all things on router, especially the password that I cannot find.
Thank you
Unfortunately I can’t. For one thing you haven’t told me what router you have (there could be many different makes and models provided by Comcast, and how you do this could be different for each one). It’s also possible that you can’t – some ISPs lock access to the routers they provide. I’m not saying this is the case, but when a company like Comcast provides the router it’s something that would not surprise me.
First go to Comcast and get information on how to access your router’s configuration, if it’s allowed. Then look up that model on the internet for a users guide to the settings. Then look for the settings that mirror what you see in this article.
I’ve got these choices on my Motorola SBG 6580:
WPA
WPA-PSK
WPA2
WPA2-PSK
which one is best?
thanks.
WPA2 uses the strongest encryption algorithm of the choices listed. The PSK version is a simplified version for home use which is slightly less secure. Some home routers only work with the PSK version. So you might want to experiment. Try WPA2 straight, and if that works great. If not, you can switch to WPA2-PSK and still be safe. Although, in your case, the message says your router can handle straight WPA2.
Sounds good, thanks. Just enabled WPA2 and disabled WPS. I didn’t find anywhere to turn off logging, so hopefully it was off by default as mentioned.
Rats. I was not able to change to WPA2…I guess I had forgotten to click Apply, and now when I try to switch from WPA2-PSK to WPA2 I get this message: “RADIUS Server IP address is invalid.” On my settings it shows: “RADIUS Server 0.0.0.0, RADIUS Port 182, RADIUS Key [blank] ” So maybe, like you said, I can’t use straight WPA2. At least I was allowed to disable WPS.
Hello Leo, i read some article and some tips doing router backdoor, My question is how to know that my router can backdoor?
I don’t know what you mean by “doing router backdoor”. Make sure you follow the security tips above.
Leo, I’ve been using WPA2-PSK for ages on a router bought deliberately to handle the security upgrade. No problems.
Now I’m trying to assist a 71 year old lady connect her new/reconditioned Apple Pro to her USB Router. The Apple Pro appears to have inserted a layer between the router name and the ordinary password and demands a WSP2 password. Am I correct in suspecting that the older USB modem cannot handle a WPA2 password or is there something more cryptic about the Apple Pro. She can connect with random modems at cafes etc, but not with her own.
I’ve suggested a 10 to 20 character password of upper and lower case and numerals, one that is not listed in the dictionary, is that description characteristic of a WPA2 password? If not could you suggest a typical example please? Thanks, Reg.
That’s a fine password approach. As to why it’s not working – it’s hard to say. Open WiFi hotspots don’t use a password at all, so those would work easily. It’s possible her USB modem doesn’t support WPA2 (older ones may not). Try just plain old WPA.
an AT&T router can most likely be configured through http://192.168.1.254
If this is incorrect, look for a printed IP address on the box.
2-Wire AT&T routers used to support the local-only domain name gateway.2wire.net. However, a recent software update removed this.
My router has these protocols as options.
HTTP
HTTPS
FTP
Telnet
SMTP
DNS
NetBIOS
POP3
IMAP
NNTP
IRC
H323
All Other Protocols
NETBIOS was already disabled, and I disabled telnet, IMAP and POP3 on my own. What else should I disable?
For internet-side incoming connections? None of those should be needed. For outgoing connections, none of those should be blocked.
I didn’t even realize these checkboxes were underneath a horizontal line titled “Outbound Protocol Control”. Thank you for the clarification.
Note that UPnP is required to use Chromecast dongle with your TV.
Hi Leo.
I’ve been able to do almost everything you recommended, so I’m mostly happy. But I can’t find any way to disable logging on my Belkin N300 router. Is it possible that it can’t be done?
No info on the subject through Belkin that I can find. I’ve had the router over 30 days so I have to pay them for info now. If I just forget about it, how serious is that? Also, is it always advisable to disable logging? What if someone does something unpleasant with the router? How would I find out about it with logging disabled?
Regards.
Robert
I heard Sysco was one of the safest routers to use….Is this true?
And if some one was hacking in it would record the IP address is this true?
Could u please list the top 5 routers that would be safest ones to purchase.
Thanks,
Lily
Clearly WPA2 is best, but even if MAC filtering isn’t foolproof, isn’t it wise to use all enforcements available? It shouldn’t really be a matter of comparison between the two; unless there is a reason you cannot have both enabled at the same time, it seems kind of a no-brainer. Do both, and every other misc security measure setting avail to help, as long as they don’t conflict or cancel out the other.
MAC filtering is similar to adding a small padlock closing the door over the heavy lock, or adding a “Don’t pass” sign in front of your driveway. It’s a small additional hurdle that will dissuade the casual snoop.
And for those of you who believe that you don’t need to secure your wireless router, since “no one” would want to break into it…
http://www.mirror.co.uk/news/world-news/watch-swat-team-raid-grans-4068768
Why couldn’t I retrieve my Yahoo mail?
No idea. You’d have to give me some clues, like what happens when you try and/or the full text of any error messages.
OK, all settings fixed. And thanks. Now my Samsung 2165w wants to become a “cloud printer” and to do that needs to join my wi-fi network. No control panel, so entering the password isn’t possible. It has a WPS button and that’s what Samsung recommends (there’s really no choice!). So if I go ahead and link the printer into the network using WPS, does that destroy the connections of all the computers that log in to wi-fi using the password?
I know you can toss off the answer, and I truly am thankful. But can you teach me to fish a bit by referring a couple of references that will take me from total ignorance to being able to ask more clear questions in this area?
Regards,
Carls
What are your thoughts on choosing “Mixed WPA-PSK/WPA2-PSK” for wireless security? This was the default for my modem router. I’m wondering if I should leave it at that setting. Thanks.
It’s fine. Technically WPA2 is more secure, but for most home routers WPA is plenty.
all my equipment comes from charter internet. i have a little black rectangular box with 4 green lights and one red light on it. is that my router and can i change the password? or should i?
That’s probably the router, and yes you should secure it. As to how, you’ll have to ask Charter for assistance.
Do you recommend the Windows Utility “Who Is On My WiFi?” If yes, is the free version enough? The story of why I’m looking for something like that is below. I do not have a technological background so I’m learning as I go. I’ve made mistakes with freeware, so before I download anything, I check AskLeo. I didn’t find it through a search on your webpage.
=================
We live in Hong Kong. We changed routers a month ago after our router was infected with the “Moon Worm.”
I had reset the router (which had come with our apartment). But WiFi access had become very slow.
Then I tried to re-load the firmware. It wasn’t available for that model on the router website. When we called the company, they hung up on us. (We tried both Cantonese and English.)
So we got a new router. We continued to have the same problems — wildly intermittent WiFi. Speed tests showed it to be normal 1/2 the time and then download access would plunge so that websites took a minute to load, if they did. Speed tests would time out.
We began to suspect that the internet provider had added a lot of users to this area and that it had been a coincidence that access speed had plunged at the same time I was dealing with the Moon Worm.
We called in the provider, who said it was our router and my laptop. I ran diagnostics on my laptop, and it was fine. I have no trouble accessing the Internet at my husband’s office or in our house in the States.
Faced with the speed tests, the company finally agreed to switch our service to coaxial cable at a minimal cost, which took place yesterday. The speed is incredible most of the time. EXCEPT, there are still times when we cannot download websites and the speed tests time out. We do not have our TV connected to the cable. In our apartment, only two laptops and one phone are using the WiFi.
The technician told us yesterday that we should buy a better router.
But before we do anything else, we want to rule out that anyone or anything is using our WiFi account. It looks like the utility “Who Is On My WiFi?” will log who and when someone is accessing our WiFi account. Do you recommend it and will the free version be enough?
I’m on Comcast and they will not let me change the wireless Wi Fi Password. They supply it! It’s been a thorn from day one. I’ve considered an additional router, and did have an extra which died (a refurb, slightly out of warranty!). However that would seem to be moot, because if Comcast passes through then any Wireless would as well.
Looking at the configuration guide, I have as connected devices, under DHCP/Reserved IP, a computer which has both WiFi and Ethernet enabled. I can disable either. If I disable WiFi, which won’t be a problem for me, will that decrease the ability for it to be hacked via WiFi?
A second router is probably as safe as you can get. It would be essentially as safe as changing the password on your Comcast router.
On my sorta-new Netgear N600 Wireless Dual Band Gigabit Router, Netgear explicitly advises AGAINST changing the preset WiFi network name (SSID) and the network key (password). “The default SSID and password are uniquely generated for every device (like a serial number), to protect and maximize your wireless security.” And “NETGEAR recommends that you do not change the preset SSID or password.” They do provide the ability to change those items if you do not agree.
Your thoughts, Leo?
I think they’re concerned that after setting up what is presumably a secure random password, most people would change it to be something less secure.
Hi Leo,
Thanks for all of your great advice. I have two questions concerning router security for which I cannot find answers. I would appreciate any thoughts you or your readers might have.
I have a ZyXEL PK5001Z wireless router provided through my DSL provider (CenturyLink). I have contacted both ZyXEL and CenturyLink for a user’s guide or router documentation to help me answer the questions, which I’ve discovered doesn’t exist, with both companies saying the other should provide. Here are my questions:
1) For both IPv4 and IPv6, I have the option to set the firewall at “low,” “medium,” or “high.” The default setting for both IPv4 and IPv6 is “low.” Do you think I should increase the firewall security setting? Neither ZyXEL nor CenturyLink can tell me more about these settings. The router is NAT enabled so maybe this is not that important? Any thoughts you have would be appreciated, this router is used in a small business with customer-sensitive data.
2) It does not seem that my DSL provider (CenturyLink) provides support for IPv6, however the firewall for this option is enabled, and I think this is the default. However, the CenturyLink technical adviser told me that I should only have the IPv6 firewall enabled if my “IT person” had a very good reason for it (we are a small business, no IT person except me). Is there any reason to disable the IPv6 firewall? Having it enabled does not seem to be harming anything.
Thanks again for your thoughts!
Best,
Corey
1) No idea. Really silly that they can’t provide a manual. With NAT on, though, I’d not worry.
2) I’d leave IPv6 settings alone. They shouldn’t interfere with anything.
I have Verizon FiOS. To have full functionality of the guide for TV, one has to use the Verizon-supplied router (mine’s an Actiontec, but I think they use more than one kind, perhaps depending on the part of the country). I’ve set mine to WPA2 and changed the default password to a very long convoluted one. Unfortunately there seems to be a back-door that allows Verizon to see the password the user sets on the router. It’s possible that it’s usable only from the LAN side of the router (and not the WAN side), which would be much less worrisome.
My evidence for this back-door is that there’s a Verizon utility called the In-Home Agent that they encourage people to install on a computer on the LAN. I installed the utility long after setting up the router and one doesn’t have to enter any credentials into the utility, yet that utility displays the current setting of the router password. If the ability to query the router for its password works from the WAN side too, then this is a huge security hole. I’m considering cascading my own router (with a separate, distinct password) off the Verizon-supplied Actiontec, and connecting my wired LAN to that, but that would be overkill if the router can’t be polled for its password from the WAN side. Do you have any idea what’s necessary?
This guide is okay. Just forget about turning off the logging part, please (Leo?); you’ll need that information to see if there are any prolonged “attacks” on your WAN nodes. If there are, you’d wanna know about it because those attacks can cause bad latency and slow reaction times from your router. The example in the picture above of the router’s web interface is a function where you send the logs to a so-called syslog server, which collects logs over the network, basically. It’s not that complicated. Just download a simple syslog server; there’s one on SourceForge. Set it up on your client (just install it, that’s it) and set the IP in the router to point to your client (client being your normal computer). Then you can read the logs there as the list fills up and take appropriate action if necessary. It’s as simple as 123, I promise! Have fun!
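As an added illustration of the syslog approach described in the comment above (not part of that comment or of the article): a small Python receiver that parses the RFC 3164 priority prefix and counts warning-level messages per source address. The `SRC=` field, the listening port 5514 and the sample lines are assumptions; router log formats differ, so adjust the pattern to what your router actually sends.

```python
import re
import socket
from collections import Counter

# RFC 3164 messages start with <PRI>, where PRI = facility * 8 + severity.
PRI_RE = re.compile(rb"^<(\d{1,3})>(.*)$", re.DOTALL)
# Assumption: the router logs the remote address as SRC=a.b.c.d (iptables style).
SRC_RE = re.compile(r"\bSRC=(\d{1,3}(?:\.\d{1,3}){3})\b")
WARNING = 4  # severities 0-4 are warning or worse; 5-7 are notice/info/debug

# Constructed sample datagrams (documentation address ranges), not real router output.
SAMPLE = [
    b"<4>Jan  5 03:12:01 router kernel: DROP IN=wan SRC=203.0.113.7 PROTO=TCP DPT=23",
    b"<4>Jan  5 03:12:09 router kernel: DROP IN=wan SRC=203.0.113.7 PROTO=TCP DPT=22",
    b"<4>Jan  5 03:12:15 router kernel: DROP IN=wan SRC=203.0.113.7 PROTO=TCP DPT=80",
    b"<4>Jan  5 03:14:40 router kernel: DROP IN=wan SRC=198.51.100.44 PROTO=TCP DPT=443",
    b"<6>Jan  5 03:15:02 router kernel: ACCEPT IN=lan SRC=192.168.1.20 PROTO=UDP DPT=53",
    b"line without a priority prefix",
]


def parse_syslog(datagram):
    """Split one datagram into facility, severity and message; None if malformed."""
    match = PRI_RE.match(datagram.strip())
    if not match:
        return None
    pri = int(match.group(1))
    if pri > 191:  # highest valid value: facility 23, severity 7
        return None
    return {
        "facility": pri >> 3,
        "severity": pri & 7,
        "message": match.group(2).decode("utf-8", "replace"),
    }


def flagged_source(datagram):
    """Return the SRC address of a warning-or-worse message, else None."""
    record = parse_syslog(datagram)
    if record is None or record["severity"] > WARNING:
        return None
    match = SRC_RE.search(record["message"])
    return match.group(1) if match else None


def repeated_sources(datagrams, threshold=3):
    """Sources that appear in at least `threshold` warning-level messages."""
    counts = Counter(filter(None, map(flagged_source, datagrams)))
    return {ip: n for ip, n in counts.items() if n >= threshold}


def serve(host="0.0.0.0", port=5514, threshold=3):
    """Listen for router logs over UDP and report sources that keep recurring."""
    counts = Counter()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((host, port))
        while True:
            data, _peer = sock.recvfrom(4096)
            ip = flagged_source(data)
            if ip:
                counts[ip] += 1
                if counts[ip] == threshold:
                    print(f"{ip}: {threshold} warning-level messages so far")


if __name__ == "__main__":
    print(repeated_sources(SAMPLE))
    # serve()  # uncomment to listen; point the router's syslog setting at this host
```

Routers normally send to UDP port 514, which needs administrator rights to bind; if the router cannot be told to use another port, run the listener on 514 instead.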
My neighbor says I can use his WiFi connection and gave me his password. Am I breaking the law?
That is perfectly legal because you have permission. But it may not be wise. More in this article: http://ask-leo.com/is_it_safe_to_share_my_internet_connection_with_my_neighbor.html
Dear Leo,
Thanks for the work.
I have set my router password to AES.
How can I ensure that when my computer is connected to that network, the user is unable to copy the password through WiFi properties?
The password is not stored on the router. When you create the password, it generates a code on the router which cannot be used to recreate the password. When the password is entered upon login, it generates that code again. If it matches the original password, it logs you on.
Hi Leo,
After changing to https and disabling the wireless web access, I’m having problems entering my Linksys administration web page again over a wired connection. Can you give me any ideas on this?
Thanks in advance.
Would like to know if there is any personal data stored on a Sprint air card, and can it be erased before returning?
Aircards contain flash memory which is capable of storing data. As to what information is stored, I don’t believe mobile providers make that information available to the public. They would have some connection information related to connection such as connection times and possibly some IP addresses visited. Sprint would have all that and more, so you wouldn’t have to worry about them. I would expect they clean the card before giving it to someone else if for no other reason than to protect them from privacy violation lawsuits.
While looking to obtain a Gigabit Speed Router, I have noticed many routers use “Web Based” configuration setups. (I found one major manufacturer the other day where the ability to disable this “Feature”, although originally designed into the Wireless Router, had been disabled at the Factory.)
So, my Login and Keys are then in fact either routed through or sitting on some Company’s Server, which then configures my router remotely as a part of how I set the data (Passwords, Encryption Keys etc.).
Doesn’t this mean all one need do is access the Web Server where the data may or may not be retained or sniff as the data is set to obtain my Security Data.?
Am I misunderstanding something? because to me.. that’s not security.. just Security Theater.
NS
My understanding of “web based” configuration is that the device provides a web page that’s accessible only on your local network. For example you might connect to http://192.168.1.1 (or something similar) in your browser to configure your router. That’s local to you only. Many routers then have the option to enable configuration access across the internet, which is something I strongly recommend you disable since that could be a way for someone somewhere else to gain access to your network.
I’ve not heard of the scenario that you describe – where you configure your router by going to a site on the internet. It’s always something local to the router itself.
Now, that being said, I do know of some ISPs that prevent local administrative access to the router – only they can configure it, and by definition that means they do it remotely. Presumably they have appropriate security in place to keep that access safe.
I live in Mexico and use Telmex DSL internet.
My router has a preconfigured password that is different on their different units. The password is pasted on the router itself so anyone wanting to get it would need to be physically present as far as I can tell. I have given that only to my daughter when she was visiting me here. Looking at the wireless connection it is WPA2-PSK so not too bad, huh?
I do turn off everything connected to my laptop every night so even if I do get hacked, they cannot get access then and it saves electricity.
Their service is generally good and I have been pretty happy with it.
Hi Leo, the problem is: if your router is affected, then would frequent resetting and reconfiguring not make the modem unusable? Even if I reconfigure the router, I am often having DNS server connection problems. I do not find any settings in my router page for the solutions you give about disabling some settings. Only the router configuration form is there. Where could I find the UPnP and remote settings?
Which page would have it in my router? When I frequently visited the page without doing anything and saving, I also had access problems getting to my gateway page, i.e., the router page. I get object protected, Rom pager is protected messages. I again had to reset and reconfigure. This has been going on for the past 20 days.
Are there any WiFi virus scanners, so that I could get rid of any virus in the router?
hoping to get a response to my problem.
I am securing my network and noticed that you suggest turning off UPnP, but before I do this I have to ask do I need UPnP to play the online game Words With Friends? I have users on my home network that play games like WWF and Candy Crush, in this case will I need UPnP enabled?
I don’t believe so.
Hi, very good article as has always been.
But after I changed the admin to some strong coded pw, and stored the same in the computer, and forgot to back up the cfg file, suddenly the HDD went to deep sleep, never to return.
The files, including the pw files of bb and WiFi, are gone. I could retrieve the wireless pw through accessing the WiFi, but could not remember the coded pw. If I reset, I have to reconfigure.
Is there any other way of retrieving the router admin pw of a D-Link router?
I would also recommend to use avast av for it has a provision to check your router also. If you get the tool separately well and good. But avast when scans report whether a router is vulnerable like rom O vulnerability etc and will advise.
changing the pw of admin is a must, but please do store a printed copy of it in safe place in case the system goes dead. I will also advise you to check with this link. It is free tool and would be useful
https://www.grc.com/x/ne.dll?bh0bkyd2
For more on the topic see my RouterSecurity.org website. Some other tips: use a Guest network whenever possible, test the firewall in your router, configure the router to give out safer DNS servers than those provided by your ISP and don’t use a common LAN-side IP address for your router.
Also, talking to a router via web interface may not be the wave of the future. Many routers can be configured via a cloud service and/or smartphone app.
“The second is turning off SSID broadcast on wireless networks.” – This can actually decrease security:
https://technet.microsoft.com/en-us/library/bb726942.aspx
I suggest that the biggest threat to your computer’s security IS from Malware and the like. So yes, changing your default password is undoubtedly the first step to securing your router, closely followed by all the other adjustments you suggested!
But I think you REALLY threw the cat amongst the pigeons when you said that anyone who has physical access to your router can reset it to its default settings and thereby undo all the changes you made to the router! I’m not sure that’s actually true? Because aren’t all the adjustments you suggest made via your router’s LAN IP address? If so, can this really be undone by anyone physically resetting your router with the reset button? If so, how do you suggest we secure our routers physically? Put them in cupboards, locked with a configurable padlock??? Isn’t that just a wee bit OTT?
I changed the default password on my router’s IP address once but I haven’t checked that it is still what I set it to, so I must do that asap.
One place I work keeps the router in a locked cupboard specifically designed for networking devices. Of course, it can be broken into, but it would be obvious, so you’d know it was done, and you could easily change it back. If you are concerned, you could do the same thing at home.
Yeah, in a business setting – or any environment in which a mix of people may be coming and going – it makes sense to physically secure the router but, as I said, it’s really not something the average home user needs to be too concerned about.
Of course anyone with physical access can undo all that you’ve done. Your router’s LAN address has little to do with it. And yes, if physical access is a concern, then locking it up is the only solution I’m aware of.
Some third-party firmware such as DD-WRT enables reset functionality to be disabled – but it’s a somewhat extreme solution to something that, for most people, isn’t really a problem.
“Can this really be undone by anyone physically resetting your router with the reset button?” – Yup, resetting it restores the default settings, including the default password (which, obviously, comes in quite handy if you’ve forgotten the password).
While it’s a security weakness, it’s probably not something most people need to be too concerned about.
Regarding UPnP: Is this functionality required if using internet phone, since “outside” requests (calls) need to get in?
How about WAN ping blocking? My router allows toggling this, but I would imagine one would want to block ping requests in most cases.
Depending on how you use your network, you may or may not need UPnP or, alternatively, to manually forward ports if UPnP is disabled – and VoIP is definitely something that may need UPnP/port forwarding.
I actually leave UPnP enabled. As far as I know, UPnP vulnerabilities are not currently being exploited in the wild and so I consider the convenience/security trade-off to be worthwhile.
FWIW: I’ve yet to encounter a scenario where I needed UPnP.
There’re a number of things – media servers, VoIP phones, mobile printing, etc. – that may not work correctly with UPnP disabled (unless ports are diddled with manually). As I said, I consider the risks of having it enabled to be so small as to be not worth worrying about. Yup, there were a couple of vulnerabilities discovered in older versions of the stack – back in 2011 and 2013, I think – but those were addressed in newer implementations. I think the risks were very much blown out of proportion.
That said, there’s no reason not to disable it. If something stops working, it can easily be re-enabled or addressed via port forwarding.
UPnP: Typically no. While an outside call appears to come in, it’s typically via a persistent connection initiated by software on your machine (going out).
I have a BEC Technologies router installed by my provider. I used portforward to look up the factory settings and typed in user name and password. It didn’t work. I also left user name blank and typed in only the password. It still didn’t work. Factory settings tell me user name and password are the same. I have two routers; when I use the standard IP I get my Belkin router. Why can’t I access my BEC Technologies router? Could my provider have changed the settings? I seem to remember you saying providers don’t change them. If my provider changed the settings and they get hacked, won’t that cause me and other customers problems?
Providers absolutely can and often do change them. You’ll need to talk to your provider.
I have a Motorola Surfboard SBG 6580 router/wifi. There is a 20 alpha-numeric factory password on the nomenclature sticker on the unit. I’m told this password is unique to my router/wifi. Is this safe to use? Is it sufficiently secure?
Thanks
Larry
Yes.
Very helpful! Just got a new router this past week and had not found my way around it. Thanks!
One thing, I am unable to find anything about logging or access log on my TP Link router or manual. Is there another term for this?
Also, a dumb question, under NAT I found Application Layer Gateway (ALG) with 8 things to allow or not allow (pass-throughs, etc.) They are all enabled by default. Have no idea whether to leave it this way. Any help appreciated.
Not all routers have logging capability.
It would depend on the specific 8 things, I’m afraid.
If I once connected my PC to my bf’s router when I was at his place, can I see all the websites he visited now that I am back at my place and using my own router? Just because I was once connected to his?
That’s not possible.
Nope.
My friend asked for my password to WiFi her Apple iPhone. I gave it to her. Can she see into all my family’s home computers now? I also have an Apple iPhone; can she access everything on my iPhone?
No and no.
I have a wireless network. Anyone logged into my network can view my Wifi password when they browse my IP address. How can I prevent them from accessing my router settings? I do have a username and a password but when one browses my IP address, the router settings page displays them all- my username, password and my wireless ID and password. I have a “netis” router.
Unfortunately, if you give people access to your network, they can discover your network password, and the only way to prevent them from finding out the password is not to allow them access to your LAN.
You need to secure your router with an administration password, as outlined in the article.
I’ve had people tapping into my WiFi (by driving past my house). I tried all of the so-called fixes, even tried putting the router under the bed to partially block the signal. These culprits even tapped into my TV and were able to change my channels at random. They also destroyed my computer. How do I hardwire my DSL modem to my TV and/or is there anything else I can do??
Changing the router password to something long and unguessable as suggested in the article should prevent drive-by tapping into your WiFi.
I’ve changed the passwords, disabled logging, remote administration, UPnP, and I’ve done everything I could find online that’s supposed to limit if not stop this, to no avail. At the moment I don’t have dsl or wifi because of this problem. I don’t know what else to do.
A good router password should keep people out of your network. Are you sure someone is stealing your bandwidth? If so a couple of possibilities come to mind. Perhaps your router is vulnerable and has a backdoor, in which case a different router might fix it. Another is that someone may have surreptitiously connected a cable to your network.
This is an excellent article but I can’t do anything it suggests because although my router works and all my devices are online, suddenly I’m unable to simply access my router settings. The IP is 192.168.1.1 for the Actiontec router; I get a log in pop up (not the normal router login screen) that won’t accept my correct credentials. Tried resetting the router to factory and same thing, I’m connected and online but can’t get into the settings, on various devices with various browsers. The message is “the server is asking for your credentials over an insecure (http) connection” … when I enter the credentials (now simply “admin” and “password” since I tried the reset) nothing happens. When I close the popup there’s a message “401 unauthorized. Authorization required.” This is a router less than 2 years old for which I had previously had no problem accessing the settings but it has been about a year since I needed to. The ISP is notoriously bad, when you call them with any issue the story is that their computer systems are impossible to figure out, and dealing with them is a nightmare. I wonder if anyone else is having a similar issue with accessing their router settings.
Router security is obviously a topic that many worry about. I share all the concerns, and since our routers are our front lines of defense, I’m wondering if anyone knows the pros and cons of using a router with VPN firmware flashed onto it, and whether it would help protect a network. Also, where would they recommend placing the VPN router in the network? Do multiple routers on the network’s internet input improve security, and would the outermost router be the VPN one? I obviously don’t know anything about network design and protection, but being recently hacked makes me very concerned about how to improve my network’s security as mentioned in the article. I would like to have as much protection as possible, and the encryption a VPN offers seems to add security, as possibly the IP address protection could help. I could use any help out there.
To secure your router you must always keep your router up to date. Your router should be protected with a WPA2 security key, which will improve your security more. You should disable auto logging off the router. Your router’s default SSID and password must be changed. {misleading URL removed} can help you if you don’t know how to secure your router.
Hi Leo, my landlord has two broadband internet subscriptions. She offers me that I can use one of her broadband connection which is subscribed in her name. Will it be safe to use her broadband internet subscription for business purpose if I buy and use my own router by changing her current router?
I’d be shocked if your landlord let you replace her router. Basically it all boils down to this: do you trust your landlord? If not, then the only way to use any connection she supplies is through a VPN.
Hi, I am using a Wi-Fi connection of one of my friends. Is it safe to use for personal purposes? I am afraid that he might track down my credentials for social media handles. I have checked about VPN Browsing Security here https://www.router-reset.com/does-satellite-internet-compromise-your-vpn/. And I feel it’s safe to use Wi-Fi through a VPN. But I am a bit confused. Please clear my doubt.
These articles discuss the risks of letting someone use your WiFi. The risks are similar, but greater, for using someone else’s WiFi. The bottom line is whether you trust them or not.
Is it Safe to Share My Internet Connection with My Neighbor?
If I Let My Neighbor Share My WiFi, Can They See My Network Traffic?
Hi, I am using the WiFi of my hostel. I am really concerned about using it for my personal purposes; is it really safe?
You want this article: How Do I Use an Open Wi-Fi Hotspot Safely?
This article explains how to stay safe on a public WiFi:
How Do I Use an Open Wi-Fi Hotspot Safely?
Hi Leo,
I have just bought a wi-fi router for my home use. I had a question that do I need to switch it off at night when I am not using it? Will it be prone to malware attacks?
As long as you secure it properly as outlined in this article leaving it on is fine.
Can I do the things you mentioned about routers if I’m only renting them? I rent my router from Comcast/Xfinity. If I change anything on my router, will this mess up my connection to Comcast?
I don’t know how to access the features you mentioned about routers. How do I access the info on my router on my desktop computer?
Whether you rent or own is immaterial. What matters is whether or not you’re allowed to access the settings. If you have the admin password, then you are. And, of course, you can change things that will mess things up, but that’s true for any router, and any computer for that matter. Exactly HOW you access it, as the article says, depends on the router.
Hi, I am living with my friends in a rented apartment. Once, I gave my WiFi router password to my friend because I was not well and he helped me to do my work by using my internet. Then, I changed my password by following the specification of this website {removed}. But now I checked and I don’t get the internet speed that I got before. I don’t know what I forgot to do while resetting my password. I suspect that my internet is being misused by someone else. Can anyone tell me how I can confirm that no one else is using my internet?
Make sure you’ve reset not only the router’s administrative password, but also the password for any Wi-Fi access you have. The latter one will kick out unauthorized users.
Thanks for the tips. But Netgear tells me admin user name cannot be reset. Only admin password.
Here’s a nice article on logging on routers https://www.router-setting.com/.