mirror of
https://github.com/Lissy93/personal-security-checklist.git
synced 2024-12-29 01:06:09 -05:00
Updates Network Section: Adds lots of WiFi Router Tips
This commit is contained in:
parent
0d9fed1d16
commit
3b1a83a19b
@ -225,7 +225,7 @@ This section covers how you connect your devices to the internet securely, inclu
|
||||
--- | --- | ---
|
||||
**Use a VPN** | Recommended | Use a reputable, paid-for VPN. This can help protect sites you visit logging your real IP, reduce the amount of data your ISP can collect and increase protection on public WiFi. However VPNs alone do not make you anonymous or stop tracking, it's important to understand their [limitations](/5_Privacy_Respecting_Software.md#word-of-warning-2). <br>[ProtonVPN](https://protonvpn.com) and [Mullvad](https://mullvad.net) may be good options for many, but for an unbiased comparison, see: [That One Privacy Site](https://thatoneprivacysite.net). Select a service with a good reputation, that does not keep logs, and is not in the [5-eyes](https://en.wikipedia.org/wiki/Five_Eyes) jurisdiction
|
||||
**Change your Router Password** | Recommended | After getting a new router, change the password. Default router passwords are publicly available (see [default-password.info](https://default-password.info)), meaning anyone within proximity would be able to connect. See [here](https://www.lifewire.com/how-to-change-your-wireless-routers-admin-password-2487652), for a guide on changing router password
|
||||
**Use WPA2, and a strong password** | Recommended | There are different authentication protocols for connecting to WiFi. Currently the most secure is [WPA2](https://en.wikipedia.org/wiki/IEEE_802.11i-2004), since WEP and WPA are moderately [easy to crack](https://null-byte.wonderhowto.com/how-to/hack-wi-fi-cracking-wep-passwords-with-aircrack-ng-0147340/). Ensure it is strong: 12+ alpha-numeric characters, avoiding dictionary words. You can set this within your routers admin panel
|
||||
**Use WPA2, and a strong password** | Recommended | There are different authentication protocols for connecting to WiFi. Currently the most secure is options are [WPA2](https://en.wikipedia.org/wiki/IEEE_802.11i-2004) and [WPA3](https://www.pcmag.com/news/what-is-wpa3-more-secure-wi-fi) (on newer routers). WEP and WPA are moderately [easy to crack](https://null-byte.wonderhowto.com/how-to/hack-wi-fi-cracking-wep-passwords-with-aircrack-ng-0147340/). Ensure it is strong: 12+ alpha-numeric characters, avoiding dictionary words. You can set this within your routers admin panel
|
||||
**Keep router firmware up-to-date** | Recommended | Manufacturers release firmware updates that fix security vulnerabilities, implement new standards and sometimes add features/ improve the performance your router. It's important to have the latest firmware installed, to avoid a malicious actor exploiting an un-patched vulnerability. <br>You can usually do this by navigating to [192.168.0.1](192.168.0.1) or [192.168.1.1](192.168.1.1), entering the admin credentials (on the back of you of your router, not your WiFi password!), and follow the instructions, see: [Asus](https://www.asus.com/support/FAQ/1005484/), [D-Link](https://eu.dlink.com/uk/en/support/faq/routers/mydlink-routers/dir-810l/how-do-i-upgrade-the-firmware-on-my-router), [Linksys (older models)](https://www.linksys.com/us/support-article?articleNum=140365), [NetGear](https://kb.netgear.com/23442/How-do-I-update-my-NETGEAR-router-s-firmware-using-the-Check-button-in-the-router-web-interface) and [TP-Link](https://www.tp-link.com/us/support/faq/688/). Some newer routers update automatically
|
||||
**Implement a Network-Wide VPN** | Optional | If you configure your VPN on your router, firewall or home server, then traffic from all devices will be encrypted and routed through it, without needing individual VPN apps. This reduces the chance: of IP leaks, VPN app crashes, and provides VPN access to devices which don't support VPN clients (TV's, Smart Hubs, IoT devices etc)
|
||||
**Protect against DNS leaks** | Optional | When using a VPN, it is extremely important to exclusively use the DNS server of your VPN provider or secure service. For OpenVPN, you can add: `block-outside-dns` to your config file (which will have the extension `.ovn` or `.conf`). If you are unable to do this, then see [this article](https://www.dnsleaktest.com/how-to-fix-a-dns-leak.html) for further instructions. You can check for leaks, using a [DNS Leak Test](https://www.dnsleaktest.com/)
|
||||
@ -233,11 +233,18 @@ This section covers how you connect your devices to the internet securely, inclu
|
||||
**Secure DNS** | Optional | Use [DNS-over-HTTPS](https://en.wikipedia.org/wiki/DNS_over_HTTPS) which performs DNS resolution via the HTTPS protocol, encrypting data between you and your DNS resolver. Although DoH is [not perfect](https://www.netsparker.com/blog/web-security/pros-cons-dns-over-https/), it does remove the need for trust - see [CoudFlares 1.1.1.1 Docs](https://1.1.1.1/help) for more details
|
||||
**Avoid the free router from your ISP** | Optional | Typically they’re manufactured cheaply in bulk in China, with insecure propriety firmware that doesn't recieve regular security updates. Consider an open source router (such as [Turris MOX](https://www.turris.cz/en/mox/overview/)) or a comercial router with [secure firmware](/5_Privacy_Respecting_Software.md#router-firmware)
|
||||
**Whitelist MAC Addresses** | Optional | You can whitelist MAC addresses in your router settings, disallowing any unknown devices to immediately connect to your network, even if they know your credentials. Note that a malicious actor may be able to bypass this, by cloning their address to appear the same as one of your trusted devices, but it will add an extra step
|
||||
**Don't Reveal Personal Info in SSID** | Optional | You should update your network name, choosing an SSID that does not identify you, include your flat number / address, and does not specify the device brand/ model. It may be beneficial to avoid something very unique, as services like [Wigle](https://www.wigle.net/)'s WiFi map can link an SSID directly back to your home address. This may also slightly aid in deterring an opportunistic attacker, as it indicates the router is being conscientiously administered. See, [how to update SSID](https://www.lifewire.com/change-the-wifi-name-ssid-on-a-router-818337)
|
||||
**Opt-Out Router Listings** | Optional | WiFi SSIDs is scanned, logged and then published on various websites (such as [Wiggle WiFi SSID Map](https://www.wigle.net/)), which is a serious privacy concern for some. You can [opt-out of many of these listings](https://www.ghacks.net/2014/10/29/add-_nomap-to-your-routers-ssid-to-have-it-ignored-by-google-and-mozilla/), by adding `_nomap` to the end of your SSID (WiFi network name)
|
||||
**Hide your SSID** | Optional | Your routers Service Set Identifier is simply the network name. If it is not visible, it may receive less abuse. However understand that finding hidden networks is a [trivial task](https://www.acrylicwifi.com/en/blog/hidden-ssid-wifi-how-to-know-name-of-network-without-ssid/) (e.g. with [Kismet](https://www.kismetwireless.net/)). See, [how to hide SSID](https://www.lifewire.com/hide-your-wireless-network-from-your-internet-leeching-neighbors-2487655)
|
||||
**Disable WPS** | Optional | Wi-FI Protected Setup provides an easier method to connect, without entering a long WiFi password, it often involves a physical button on your router, entering an 8-digit PIN, or tapping an NFC. It may be convenient, but WPS introduces a series of [major security issues](https://www.computerworld.com/article/2476114/the-woops-of-wps--wi-fi-protected-setup--raises-its-ugly-head-again.html), allowing an attacker to bypass the password, and gain easy access into your network. See, [how to disable WPS](https://www.howtogeek.com/176124/wi-fi-protected-setup-wps-is-insecure-heres-why-you-should-disable-it/)
|
||||
**Disable UPnP** | Optional | Universal Plug and Play allows applications to automatically forward a port on your router, saving you the hassle of forwarding ports manually. However, it has a long history of [serous security issues](https://www.howtogeek.com/122487/htg-explains-is-upnp-a-security-risk/), and so it is recommended to turn this feature off. See, [how to disable UPnP](https://lifehacker.com/disable-upnp-on-your-wireless-router-already-1844012366)
|
||||
**Use a Guest Network for Guests** | Optional | Do not grant access to your primary WiFi network to visitors, as it enables them to interact with other devices on the network (such as printers, IoT/ smart home devices, network-attached storage/ servers etc). Even if it is someone you trust, you cannot guarantee that their device has not been compromised in some way. Some routers offer the ability to enable a separate 'guest' network, which provides isolation and is able to expire after a given time frame. For a more comprehensive network, the same outcome can be achieved using [a VLAN and separate access point](http://alduras.com/wp/guest-wifi-network-why-vlans/). See, [how to enable guest network](https://www.lifewire.com/guest-network-for-home-tutorial-818204)
|
||||
**Change your Router's Default IP** | Optional | Modifying your router admin panels default IP address will makes it more difficult for malicious scripts in your web browser targeting local IP addresses, as well as adding an extra step for local network hackers
|
||||
**Kill unused processes and services on your router** | Optional | Services like Telnet and SSH (Secure Shell) that provide command-line access to devices should never be exposed to the internet and should also be disabled on the local network unless they're actually needed. In general, [any service that’s not used should be disabled](https://www.securityevaluators.com/knowledge/case_studies/routers/soho_service_hacks.php) to reduce attack surface
|
||||
**Disable UPnP** | Optional | Universal Plug and Play may allow you to save time with Port Forwarding, but it opens doors to many [security risks](https://www.howtogeek.com/122487/htg-explains-is-upnp-a-security-risk/). It can be disabled from your routers admin panel
|
||||
**Don't have Open Ports** | Optional | Close any open ports on your router that are not needed. Open ports provide an easy entrance for hackers. You can use a port scanner (such as [AngryIP](https://angryip.org)), or a [web service](https://www.yougetsignal.com/tools/open-ports/)
|
||||
**Disable Unused Remote Access Protocols** | Optional | When protocols such as PING, Telnet, SSH, UPnP and HNAP etc are enabled, they allow your router to be probed from anywhere in the world, and so should be disabled if not in use. Instead of setting their relevant ports to 'closed', set them to 'stealth' so that no response is given to unsolicited external communications that may come from attackers probing your network
|
||||
**Disable Cloud-Based Management** | Optional | You should treat your routers admin panel with the upmost care, as considerable damage can be caused if an attacker is able to gain access. You should take great care when accessing this page, ensuring you always log out, or considering Incognito mode. Most routers offer a 'remote access' feature, allowing you to access the admin web interface from anywhere in the world, using your username and password. This greatly increases attack surface, and opens your network up to a host of threats, and should therefore be disabled. You could also take it a step further, disable the admin interface over WiFi, meaning the settings can only be modified when using a direct Ethernet connection. Note that disabling cloud management may not be possible on some modern mesh-based routers
|
||||
**Route all traffic through Tor** | Advanced | VPNs have their weaknesses- you are simply moving your trust from your ISP/ mobile carrier to a VPN provider- Tor is much more anonymous. For optimum security, route all your internet traffic through the Tor network. On Linux you can use [TorSocks](https://gitweb.torproject.org/torsocks.git) or [Privoxy](https://www.privoxy.org/), for Windows you can use [Whonix](https://www.whonix.org/), and on OSX [follow thsese instructions](https://maymay.net/blog/2013/02/20/howto-use-tor-for-all-network-traffic-by-default-on-mac-os-x/), for Kali see [TorGhost](https://github.com/SusmithKrishnan/torghost). Alternativley, you can use [OnionPi](https://learn.adafruit.com/onion-pi/overview) to use Tor for all your connected devices, by [configuring a Raspberry Pi to be a Tor Hotspot](https://lifehacker.com/how-to-anonymize-your-browsing-with-a-tor-powered-raspb-1793869805)
|
||||
**Disable WiFi on all Devices** | Advanced | Connecting to even a secure WiFi network increases your attack surface. Disabling your home WiFi and connect each device via Ethernet, and turning off WiFi on your phone and using a USB-C/ Lightening to Ethernet cable will protect against WiFi exploits, as Edward Snowden [says here](https://twitter.com/snowden/status/1175431946958233600?lang=en).
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user