Did you change your router’s default password when you set it up?
If not, or you don’t know what that means, please keep reading: let’s discuss how to lock down your router to keep attackers out of your network. To do this, we must cover some basics first, and then I offer some quick fixes to harden your network, step by step.
Router vs. Modem
These two are different types of devices, but chances are you have both. The modem is the device that receives the internet signal from your ISP (Internet Service Provider), and many modems also serve as your router. However, many people attach a WiFi (wireless) router to their modem and use it to route traffic, either wirelessly or over a wired connection (LAN or Ethernet cable).
Ethernet, LAN, VLAN, WLAN
LAN stands for Local Area Network, VLAN is a Virtual LAN, and WLAN is a Wireless LAN; read more about these terms here. While we often refer to LAN and Ethernet cables interchangeably, there is a technical difference between LANs and Ethernet, but here I’m referring to physical cables and connections. If you are interested in knowing more, check here.
Wired vs. Wireless
Routers can route traffic over wired (LAN or Ethernet) connections, wirelessly, or, most often, both. Wired connections are preferable where feasible, such as for a computer that stays in one physical spot in a home or office. Wireless is harder to secure than a wired connection, but offers more convenience, as it is easy to connect many devices at once without dealing with cables. Wireless is also easier for attackers to reach, since no physical access to your premises is required, so read on to learn how to correctly adjust your wireless settings. Many people fail to take these basic security precautions and are left unnecessarily vulnerable.
2.4GHz vs 5GHz WiFi
Typical routers these days broadcast on both of these frequencies, and each can have its own name (SSID) and password, or they can share one. The biggest thing to keep in mind when selecting which one to use is your distance from the router. 2.4 GHz penetrates walls and other obstacles more easily and provides better range, while 5 GHz offers faster connection speed and less interference, but less range. There is a 6 GHz band also rolling out that follows the same principle: less distance but faster data transfer speeds. Use this information to select the right one for you based on the layout of your space.
Typical RJ45 Ethernet or LAN cable
Wireless Security Protocols
Read more details about the different WiFi Security protocols here
- Wired Equivalent Privacy (WEP)
- Wi-Fi Protected Access (WPA)
- Wi-Fi Protected Access 2 (WPA 2)
- Wi-Fi Protected Access 3 (WPA 3) (newest and most secure by default)
Hubs, Switches and Routers (oh my!)
Hubs are rarely used in any home or small office environment, but switches and routers typically are. While they all have two or more Ethernet cable ports and relay data, the biggest difference is the ‘intelligence’ of the device. Hubs are stupid and simply relay everything to every connection. Switches are often a row of Ethernet ports to connect computers, routers and other devices such as printers; a managed switch lets you control each port from a dashboard at a very granular level. A typical 8-port managed switch runs around $40-100 and is sufficient for most home applications.
The router is the most common networking device in the home, and some homes even run multiple routers. Routers can be wired, wireless, or, most commonly, both. They are essentially just a small computer with more networking ports. Routers, as you’ll read here, need some important configuration changes in order to keep them secure, especially wireless-capable routers.
Change the Login IP Address of your Router (and don’t lose that IP address)
Most home routers come with a dashboard, or management panel, login IP address of 192.168.1.1 or something similar. Attackers know this, and use it to attempt logins on your router. Changing it makes it a much harder guessing game for anyone trying to get into your router. Change at least one of the numbers, or all of them, to something random. Be sure to write this new IP address down or document it in your password manager; do not lose it, or you will have to reset your router in order to log in. To access a typical router, you navigate to that IP address in your browser while on the same network and enter a username/password to reach the dashboard of your router. This is where you can adjust your router’s settings, WiFi passwords, quality of service, and many other things. Something random like 10.0.7.8 will work fine; remember, this is a local IP address on your network, not a public IP address.
Change the SSID (name of your WiFi network)
Why change the Service Set Identifier (SSID), or name of your router? Routers ship with default names, often including the brand of router and possibly the model. This information can be used to attempt default username/passwords on your device and gain control of your network, locking you out. Furthermore, naming your SSID WiFi network with identifying information can also help an attacker gain useful information about you and your network. Name your network something that does not contain any of this type of information.
For example, a Netgear router may have a default SSID of ‘NETGEAR86’, which tells anyone that you have a Netgear brand router. With this information, someone could attempt to log in to your router management dashboard with the default Netgear username/password of ‘admin’ and ‘password’ and take control of the router. If you name your network with information about you, such as ‘Johnson Home’, then you help confirm that it is your network. This could be either trivial or meaningful depending on your circumstances.
In addition to making your WiFi network SSID something generic and random like ‘XLB32’, you can also append the terms ‘optout’ and/or ‘nomap’, which tell Google and others that geolocate wireless routers not to log your router’s location. (Those Google camera cars that drive around to capture Street View collect more than pictures…) Whether this geolocation opt-out is honored or ignored is up for debate, but I find it useful enough to include it on my own networks. An example name for your network could be ‘XLB32-optout-nomap’, which gives no useful information about you or your hardware to an attacker. Further, you can give the 2.4 GHz and 5 GHz networks slightly different names in order to quickly identify them, ‘XLB32-5-optout-nomap’ for example. Most routers limit the number of characters you can use in the SSID name, so consider shortened generic names like ‘XLB5-optout-nomap’ and ‘XLB2.4-optout-nomap’ for your 5 and 2.4 GHz SSIDs.
For what it’s worth, since I’ve changed my WiFi network name to end in ‘optout-nomap’, my current SSID does not appear on Wigle.net, it instead has the name prior to that. This still does not prove that Google does not collect my router’s information, but it is a good sign.
Change the Default Login of your Router (This is a must!)
Routers ship with a default username (usually ‘admin’) and a default password (usually ‘admin’ or ‘password’); this login is for the router’s management dashboard (not to be confused with the WiFi connection password). This information is typically printed on the router along with the serial number and FCC label. Attackers know these defaults for all of the various routers; if you do not change them, anyone could log in to your router and do anything they wish. Prevent this from happening by taking the very easy step of changing both, and carefully documenting them so that you can access them later. Choose a unique username and a strong password, and document them in a password manager.
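The four settings covered so far (management IP, SSID, dashboard login, and the wireless security protocol from the list above) make a short checklist that is easy to audit mechanically. The script below is an added example, not code from the original article: it takes a router’s settings as a plain dict with assumed field names (mgmt_ip, ssids, admin_user, admin_password, wifi_protocol), compares them against the article’s advice, and lists the steps still outstanding. The two sample configurations, the list of revealing words, and the 12-character minimum password length are constructed for the example; the 32-octet SSID cap is the 802.11 limit.

```python
"""Audit a home router's settings against the checklist in this article.

Added example, not code from the original article. The configuration is a
plain dict with assumed field names (mgmt_ip, ssids, admin_user,
admin_password, wifi_protocol); real routers expose these in their dashboards.
"""
import ipaddress
import re

# Factory-default dashboard addresses: the article names 192.168.1.1, and
# 192.168.0.1 is a common variant on other consumer routers.
DEFAULT_MGMT_IPS = {"192.168.1.1", "192.168.0.1"}

# Factory-default dashboard logins named in the article.
DEFAULT_LOGINS = {("admin", "admin"), ("admin", "password")}

# Words that reveal hardware or identity; constructed list for this example.
# Matched as case-insensitive substrings, so extend it for your own setup.
REVEALING_WORDS = ("netgear", "linksys", "tp-link", "asus", "home", "family", "johnson")

# 802.11 caps an SSID at 32 octets; routers enforce this in their dashboards.
SSID_MAX_OCTETS = 32

# Assumed minimum length for the dashboard password (this example's choice).
MIN_PASSWORD_LEN = 12

# Ordered from weakest to strongest, per the article's protocol list.
WIFI_PROTOCOL_RANK = {"WEP": 0, "WPA": 1, "WPA2": 2, "WPA3": 3}


def mgmt_ip_findings(ip):
    """Check the dashboard IP is a valid private address and not a default."""
    findings = []
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return [f"management IP {ip!r} is not a valid IP address"]
    if not addr.is_private:
        findings.append(f"management IP {ip} is not a private (local) address")
    if str(addr) in DEFAULT_MGMT_IPS:
        findings.append(f"management IP {ip} is a factory default; pick something random such as 10.0.7.8")
    return findings


def ssid_findings(ssid):
    """Flag SSIDs that are too long, reveal vendor/identity, or lack opt-out tags."""
    findings = []
    if len(ssid.encode("utf-8")) > SSID_MAX_OCTETS:
        findings.append(f"SSID {ssid!r} exceeds {SSID_MAX_OCTETS} bytes and will be rejected or truncated")
    lowered = ssid.lower()
    for word in REVEALING_WORDS:
        if word in lowered:
            findings.append(f"SSID {ssid!r} contains revealing word {word!r}")
    # The geolocation opt-out tags are optional, so this is only a suggestion.
    if not re.search(r"[-_](optout|nomap)", lowered):
        findings.append(f"SSID {ssid!r} has no optout/nomap tag (optional geolocation opt-out)")
    return findings


def login_findings(username, password):
    """Check the dashboard login is not a default and the password is not short."""
    findings = []
    if (username, password) in DEFAULT_LOGINS:
        findings.append("dashboard login is a factory default username/password pair")
    if username.lower() == "admin":
        findings.append("dashboard username is the common default 'admin'; choose a unique one")
    if len(password) < MIN_PASSWORD_LEN:
        findings.append(f"dashboard password is shorter than {MIN_PASSWORD_LEN} characters; use a long one from your password manager")
    return findings


def wifi_protocol_findings(protocol):
    """Rank the wireless security protocol against the article's list."""
    rank = WIFI_PROTOCOL_RANK.get(protocol.upper())
    if rank is None:
        return [f"unknown wireless security protocol {protocol!r}"]
    if rank < WIFI_PROTOCOL_RANK["WPA2"]:
        return [f"{protocol} is outdated; use WPA2 or, where supported, WPA3"]
    if rank == WIFI_PROTOCOL_RANK["WPA2"]:
        return ["WPA2 in use; switch to WPA3 if all your devices support it"]
    return []


def audit(config):
    """Run every check and return the list of outstanding hardening steps."""
    findings = mgmt_ip_findings(config["mgmt_ip"])
    for ssid in config["ssids"]:
        findings += ssid_findings(ssid)
    findings += login_findings(config["admin_user"], config["admin_password"])
    findings += wifi_protocol_findings(config["wifi_protocol"])
    return findings


# Constructed sample configs: a router as shipped, and the same router after
# applying the article's steps. The hardened password is a placeholder.
FACTORY_CONFIG = {
    "mgmt_ip": "192.168.1.1",
    "ssids": ["NETGEAR86"],
    "admin_user": "admin",
    "admin_password": "password",
    "wifi_protocol": "WPA2",
}
HARDENED_CONFIG = {
    "mgmt_ip": "10.0.7.8",
    "ssids": ["XLB5-optout-nomap", "XLB2.4-optout-nomap"],
    "admin_user": "rtr-owner-4k2",
    "admin_password": "<long-unique-passphrase-from-your-manager>",
    "wifi_protocol": "WPA3",
}

if __name__ == "__main__":
    for name, cfg in (("factory", FACTORY_CONFIG), ("hardened", HARDENED_CONFIG)):
        result = audit(cfg)
        print(f"{name}: {len(result)} finding(s)")
        for line in result:
            print("  -", line)
```

Run it as-is and the factory configuration produces seven findings (default management IP, vendor name and missing opt-out tag in the SSID, default login pair, default username, short password, and WPA2 rather than WPA3), while the hardened one produces none. The checks are deliberately simple string and address comparisons; the point is that every item in the article is something you can verify from the dashboard, not guess at.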
Update your Router Firmware periodically
Just like any other computer (yes, your router is actually a small computer), you should update the system periodically. Firmware updates patch known security vulnerabilities and fix other bugs as well. This is an easy step to keep your device up to date and protected. It is accomplished by logging into the router’s dashboard through a browser at the IP address you changed it to, using the unique username/password mentioned above. Search for settings named ‘Updates’ or ‘Update Firmware’ and ensure you have the most up-to-date firmware for your router hardware to stay better protected.
Enable the Router’s Firewall and consider using a VPN
Depending on your router, you should research that particular router’s firewall capabilities and employ them where possible. Additionally, you can configure a VPN on your router to protect every device that connects to it. While I strongly encourage everyone to use something like pfSense as your home firewall instead, using a VPN at the router level is certainly better than nothing. Read more about setting up a home firewall with pfSense here; this is extremely robust software, run on a dedicated device, that locks down your entire home network behind a VPN. While this can be accomplished to a lesser degree with your router (see our section on Travel Routers to learn more), we strongly encourage you to consider pfSense for your home or business network(s).
DD-WRT is arguably the most secure option to run on your router and is open source software; however, not all routers support DD-WRT, so select your router with this in mind. OpenWrt is another common open-source router firmware, one of the older ones, and it still works well. To find a list of routers that support DD-WRT, explore here.
Speaking of routing, check out this route… not the gnarliest, but certainly still fun. (Snoqualmie Pass, WA)