Ask HN: What does your “Router Security Checklist” look like?

27 points by jmbake ↗ HN
What does your "Router Security Checklist" look like? i.e. What actions do you take to ensure your wireless router is secure as possible?

http://routersecurity.org/checklist.php is really great, but kind of verbose. My attempt to boil it down to a simpler checklist: https://github.com/jonmbake/router-security-checklist.

13 comments

[ 2.7 ms ] story [ 41.3 ms ] thread
Don't change the password. Find a router that uses pairing instead of passwords.

Don't check for updates. Find a router that updates itself automatically.

It's a marathon, not a sprint. Find a company that writes their own firmware and uses the same firmware for multiple generations. This shows that they are willing and able to invest in security.

Or just check if the brand is Google or Apple.

According to recent news, Apple has discontinued Airport development and will most likely stop selling routers in the near future :/
> Find a router that uses pairing instead of passwords.

Can you elaborate on that? I've never seen a router that doesn't use passwords. Does this mean to use WPA2-PSK vs WPA2?

I was talking about the admin password; I guess that wasn't clear. You still need a WPA password (unless you use WPS, but apparently that's even less secure).
It's a good list. I just hate those things now.

I worked as a wireless router firmware developer for a while and as a result... I don't use them anymore. The whole industry is just producing unfixable tire-fires.

Different level of caring, but if security is important to you, put cable/dsl/fiber ntu in bridge mode.

Get a pcengines apu (or your favourite sbc), install your favourite os (ubuntu or debian for me). Don't bother with ui, just use a few nftables rules.

It actually worked out cheaper for me than the netgear thing shaped like a stealth fighter.

The other thing which really annoyed me was my ISP periodically updating settings on their stock router. Yeah, they can do that remotely if you use their unit and there's usually no good way to turn it off.

Can you expand on this a little bit? What does it buy you?

Is this setup (the linux APU in bridge mode) so that the NTU could get hacked but your internal network would still be secure behind the APU?

What protects the APU from getting hacked like a traditional router would? Just easier to secure yourself?

Did you just purchase wireless access points separately? Did you buy a seperate switch?

I've wanted to do something like this for awhile but I wasn't sure what all was involved, or if it was that much more secure.

The short answer is that if you build an x86 box based on crappy linux and updates then your security is based, fundamentally on the primitives which secure eveything else in the world.

It doesn't mean that it's the best. An x86/x64 ssh bug hurts everyone. But it means that everyone in the world gets fucked, more or less, and you don't have to worry as much.

Relying on random companies to secure your gateway puts you in the hands of random companies who not only do not care but also do not make theor own stuff and now lack the basic competence to do so.

  - SELinux Enabled
  - Sysctl tuning applied
  - Inbound/Outbound/Forward iptables rules enabled
  - ipset iptables rules enabled
  - iptables intercept rules to route all ntp/dns over VPN
    to VPS nodes.
  - Unbound DNS overriding many spammy domains
  - tinc vpn enabled to multiple VPS nodes.
  -- Each VPS node load balancing to multiple datacenter open resolvers that
     are NOT OpenDNS or Google.
  - ip route blackhole about 20k bad networks from firehol on github
  - syslog to internal host
  - Surricata IDS logging to syslog
  - tc cbq traffic shaping enabled
  - haproxy L4 vips for sending select traffic to select squid proxies.
  - power conditionor / ups enabled, one for router, one for cable modem.
Those are the basic things. My router is always Linux running on commodity hardware with dual gig interfaces for clear physical demarcation.
Does anyone know anything for somehow providing useful information/action out of Surricata IDS logs? I have stuff routed to my syslog, but just always forgot to check for anything interesting.
Got any suggestion to have ipset(s) persistent over reboots?
can you share a guide on implementing this that you have used?

including hardware and specific OS used?

Nothing. Why even bother? My devices connect to untrustworthy networks all the time anyway.

I just don't trust the local network in the first place.

Checking that I can flash custom firmware comes before anything else.