Modern Guide to Securing Home Networks

Published March 17, 2020, 1:15 a.m. by Admin

This post will guide you through the basics of setting up and hardening your home network to make intrusion and exploitation more difficult. Please note that the following guide is aimed at the average home user. If you run a larger network or are a more high-profile target, most of these steps still apply and hold true, but you will need to take additional steps beyond the scope of this blog post.

Basics

Change your default SSID/ESSID
Your SSID/ESSID (Service Set Identifier / Extended Service Set Identifier) is the name your router broadcasts to devices looking to connect to a network. A default SSID would be something like linksys or dlink. The problem with leaving your SSID as the default is that a hacker can easily use it to work out which type of router, and possibly which version, you are using. Once an attacker knows your router and version they can employ exploits specific to it with a higher degree of success, or simply google the default password (this works a lot more often than it should).

Therefore, changing the default SSID to something different makes identifying your router more difficult.

If you want to be really funny, though, you can change your SSID to another router's default SSID. For example, if you have a linksys router, rename it to dlink. A lot of the time hackers will just assume that you didn't change your default SSID and will try tactics specific to the router you're masquerading as. This is a very simple and rather hilarious way of frustrating potential intruders.

Avoid using routers supplied by ISPs
These routers tend to be a lot less secure and come with a few other drawbacks, such as hard-coded remote support credentials and customized firmware that rarely gets patched or has a significantly slower release cycle.

Turn off any “Remote Management” and Disable WPS (Wi-Fi Protected Setup) features
These features have a history of being exploited and chances are you really don't need them on. Additionally, it's not a bad idea to disable network sharing on your devices and any other features you don't need.

Change default admin password
Trust me, it's super easy to get a list of all default router passwords. On top of that, make sure your router password is complex enough that it cannot be easily brute-forced.

No internet facing web interface
Your router's web interface doesn't need to be accessible to any device that isn't directly connected to it locally. So if it is, disable it.

Restrict which devices can connect to the routers web interface
Personally I don't do this as there's little gain and the entire process is somewhat time consuming. But if you really want to, you can configure a device on your network (such as your main PC) to always get assigned the same IP address and then configure your router to only accept connections to its web interface from that device.

Ensure that your router enforces HTTPS
Honestly, if your router's web interface doesn't enforce HTTPS or doesn't support HTTPS then don't use it; it's 2020, no excuses. Also don't forget to terminate your sessions when done and to clear your session cookies.

Don't use insecure protocols such as WPA or WEP
Even if you employ every single tactic above but use a protocol such as WEP, your network is insecure. Security is only as strong as its weakest link, and both WPA and WEP have been shown to be vulnerable to brute-force attacks and other attacks. At the very least you should be using WPA2; if your router doesn't support WPA2, or any of your devices don't support WPA2, then just throw them out at this point, as WPA2 debuted in 2004. However, one must also note that some routers have broken WPA2 implementations, so if you're serious about security you should buy a router that supports WPA3. WPA3 was released in 2018 and claims to have significant improvements over WPA2. These improvements include stronger encryption, increased difficulty for brute-force attacks, and even individualized data encryption.

Create a separate network for your guests
It's hard to control what other people do once you give them access to your network. Their device could be compromised, which could allow an adversary to obtain credentials to your network, or they might share your network's password unintentionally or without any malicious intent. Why not just eliminate the risk completely and keep a separate network for your guests?

Minimize the amount of services exposed to the internet
This is especially important if they are services that you don't use or haven't enabled yourself (e.g. telnet, SSH, UPnP, HNAP). Remember that the internet is constantly being scanned and indexed by services like Shodan, so if your router is vulnerable to a new telnet exploit, believe me, a good hacker will know and jump on the opportunity. If it's a service that you don't use, or don't need to use remotely, disable it. Don't forget to make sure all services are updated to the newest version and are patched.

A good way to go about this is to run a port scan against your own IP(s) to ensure that any non-essential services are disabled.

Port Forwarding
Port forwarding is used by routers to forward all traffic on a specific port to a specific device on the network. The more ports you have forwarded, the more potential attack vectors are available on your network. Like I mentioned above, if you don't need the service to be internet facing then just disable it. If it does need to be, make sure you understand the service and the risks associated with it and make your own decision. Don't forget to keep these services updated and patched.

Keep your router's firmware up to date
Patches for certain versions of router firmware are released to address minor to serious security vulnerabilities in your device. So if you know how, patch your device.

Choose an ISP that assigns dynamic IP addresses
Note: some networks benefit greatly from using static IP addresses; for example, if you are hosting a website from your network then it is more beneficial to use a static IP. If you are hosting services from your network then chances are you could skip this section.

If you have a static IP address and somebody gets hold of it, there are a few things they could do, such as boot you offline (skid), try to exploit your router's firmware, or try to exploit other services running on your network. All around there really isn't much of a benefit to other people having your IP address, but stuff happens. The logic behind a dynamic address is that if somebody gets your IP address from the internet and wants to execute an attack against you, they will have a much smaller window of opportunity to perform it. On top of that you could easily create a cron job on your router that performs a DHCP release and renewal so that your IP address changes at whatever interval you choose.
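As an added example (not from the post), here is what such a cron job could look like on an OpenWrt-style router: it releases and renews the WAN lease and logs whether the public address actually changed. The interface name "wan", the ifdown/ifup/ifstatus/jsonfilter commands, the log path and the six-hour interval are all assumptions for that platform.

```sh
#!/bin/sh
# Added example (not from the post): a cron-driven script for an OpenWrt-style
# router that releases and renews the WAN lease and logs whether the public
# IP actually changed. Assumptions: the WAN logical interface is named "wan",
# ifdown/ifup/ifstatus/jsonfilter exist (OpenWrt), and cron is enabled.
# Example crontab entry (interval is your choice):
#   0 */6 * * * /root/renew-wan.sh --run
WAN=${WAN:-wan}
LOG=${LOG:-/tmp/renew-wan.log}

# Extracts the first IPv4 address from "ip -4 addr show <dev>" text on stdin.
# Kept separate from the network calls so it can be checked offline.
ipv4_from_addr_output() {
    awk '$1 == "inet" { sub(/\/.*/, "", $2); print $2; exit }'
}

# Current WAN IPv4 address (empty while the interface has none).
current_wan_ip() {
    dev=$(ifstatus "$WAN" 2>/dev/null | jsonfilter -e '@.l3_device')
    ip -4 addr show "${dev:-$WAN}" 2>/dev/null | ipv4_from_addr_output
}

# Succeeds only when both addresses are present and differ: a renewal does
# not guarantee a new lease, many ISPs hand the same address straight back.
ip_changed() { [ -n "$1" ] && [ -n "$2" ] && [ "$1" != "$2" ]; }

renew_wan() {
    old=$(current_wan_ip)
    ifdown "$WAN"
    sleep 30            # leave the lease released for a while before asking again
    ifup "$WAN"
    sleep 15            # give DHCP time to finish
    new=$(current_wan_ip)
    if ip_changed "$old" "$new"; then
        echo "$(date) WAN IP changed: $old -> $new" >> "$LOG"
    else
        echo "$(date) WAN IP unchanged: ${new:-none}" >> "$LOG"
    fi
}

# Only touch the network when run with --run, so sourcing this file is harmless.
if [ "${1:-}" = "--run" ]; then renew_wan; fi
```

Check the log after a few runs: if the address never changes, your ISP is handing the same lease back and a longer release window (or a different approach) is needed.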

There is, however, a formula for guessing, to a certain degree of precision, the next IP address after a DHCP release and renewal. But this requires knowing the renewal interval and the IP range of the user's ISP.

Another way to circumvent this is to try and fingerprint the user's network. To fingerprint someone's network, run a port scan and then hash its output.
For example, if you ran a simple nmap against some network and received the following output, you could easily hash it and get a unique fingerprint for that network.

PORT     STATE SERVICE        VERSION
80/tcp   open  http?
443/tcp  open  ssl/https?
8080/tcp open  http-proxy?
8443/tcp open  ssl/https-alt?

Now all you have to do is perform the last two steps against every single IP address in an IP block. This can help you re-identify an individual. However, the more generic a user's services are, the more generic the fingerprint.
If the output of your scan isn't unique, honestly don't bother; and if the renewal cycle is really short, chances are that by the time you're done with the scan another renewal will have taken place, so again don't bother.
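As an added example (not from the post), the following shell function builds the fingerprint just described from nmap-style output and shows the defensive side of the last point: two hosts that expose the same generic set of services produce the identical fingerprint, so minimising what you expose also makes you harder to re-identify. The three scan outputs are constructed samples.

```sh
#!/bin/sh
# Added example (not from the post): build the scan fingerprint described
# above and see when it stops being unique. Sample scan outputs are constructed.

# Portable SHA-256 over stdin.
_sha256() { if command -v sha256sum >/dev/null 2>&1; then sha256sum; else shasum -a 256; fi; }

# Reads nmap-style output on stdin and prints a 64-hex-char fingerprint.
# Only PORT and SERVICE of "open" lines are kept and sorted, so column
# spacing, line order and the header do not affect the hash.
fingerprint() {
    awk '$2 == "open" { print $1, $3 }' | sort | _sha256 | awk '{ print $1 }'
}

# Host A: the generic service set shown in the post.
HOST_A='PORT     STATE SERVICE        VERSION
80/tcp   open  http?
443/tcp  open  ssl/https?
8080/tcp open  http-proxy?
8443/tcp open  ssl/https-alt?'

# Host B: another subscriber with the same services, different formatting/order.
HOST_B='PORT STATE SERVICE VERSION
8443/tcp open ssl/https-alt?
80/tcp open http?
8080/tcp open http-proxy?
443/tcp open ssl/https?'

# Host C: one extra forwarded service (SSH) on top of host A's set.
HOST_C="$HOST_A
22/tcp   open  ssh"

fp_a() { printf '%s\n' "$HOST_A" | fingerprint; }
fp_b() { printf '%s\n' "$HOST_B" | fingerprint; }
fp_c() { printf '%s\n' "$HOST_C" | fingerprint; }

# Succeeds when two fingerprints collide, i.e. the hosts are indistinguishable.
same_fingerprint() { [ "$1" = "$2" ]; }

if same_fingerprint "$(fp_a)" "$(fp_b)"; then
    echo "A and B collide: a generic service set gives a generic fingerprint"
fi
if ! same_fingerprint "$(fp_a)" "$(fp_c)"; then
    echo "C stands out: the extra port makes it re-identifiable"
fi
```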

To learn more about fingerprinting you should read my blog post on it ;)


Advanced

Network segmentation can be used to isolate risky devices
If you have several IoT devices I highly recommend you take this precaution, as security researchers have proven time and time again that these devices are insecure and excellent entry points into a network. A lot of modern routers now have VLAN capabilities, so isolating these devices is an excellent way to contain threats so that they can't spread from device to device across your network.

Install Custom Firmware
Using custom firmware on your router can provide significant advantages over the more common manufacturer defaults. It gives you more control over your router so that you can develop your own optimizations and add your own scripts (such as the DHCP release/renewal cron job mentioned above), and it is far more obscure, reducing the chances of exploits being developed against it. Plus, flaws are usually patched much more quickly, as these are mostly community-maintained passion projects aimed at enthusiasts, which makes them far more advanced.

The following firmware projects are Linux based, open source, and community-maintained.
OpenWRT
DD-WRT
Asuswrt-Merlin (for Asus routers only)

Note: installing and maintaining custom firmware on a router requires much more technical knowledge than everything else discussed above and will probably void any warranties from the manufacturer. In more extreme cases your device could be rendered unusable.

Set up a firewall
Honestly, having a dedicated hardware firewall for a residential or most small networks isn't practical and will have minimal impact on security. I think for most people using programs such as iptables or ufw (ufw just simplifies iptables) with a few rules relevant to your setup should be sufficient.
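Tying this section to the IoT segmentation one above, here is an added example (not from the post) of the "few rules relevant to your setup": an iptables script for a Linux-based router that lets an IoT VLAN reach the internet but not the trusted LAN or the router's web interface. The interface names br-lan, br-iot and eth0 are assumptions; set IPT to "echo iptables" to preview the rules instead of applying them.

```sh
#!/bin/sh
# Added example (not from the post): iptables rules enforcing the IoT VLAN
# isolation described in the "Network segmentation" section on a Linux-based
# router. Interface names are assumptions; adjust them to your setup.
LAN_IF=${LAN_IF:-br-lan}   # trusted LAN: PCs, phones
IOT_IF=${IOT_IF:-br-iot}   # bridge for the IoT VLAN
WAN_IF=${WAN_IF:-eth0}     # upstream (ISP) side
# Set IPT to "echo iptables" to preview the rules instead of applying them.
IPT=${IPT:-iptables}

iot_isolation_rules() {
    # Dedicated chains, so the rules can be flushed and re-applied cleanly.
    $IPT -N IOT_FWD 2>/dev/null || $IPT -F IOT_FWD
    $IPT -D FORWARD -j IOT_FWD 2>/dev/null
    $IPT -I FORWARD -j IOT_FWD
    # Replies to connections the trusted LAN opened to an IoT device
    # (your phone talking to a smart bulb) are allowed back in.
    $IPT -A IOT_FWD -i "$IOT_IF" -o "$LAN_IF" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Anything else from IoT towards the trusted LAN is dropped, so a
    # compromised gadget cannot reach or scan your PCs.
    $IPT -A IOT_FWD -i "$IOT_IF" -o "$LAN_IF" -j DROP
    # IoT devices keep their internet access so they still work.
    $IPT -A IOT_FWD -i "$IOT_IF" -o "$WAN_IF" -j ACCEPT

    # Traffic to the router itself from the IoT VLAN: only DHCP and DNS,
    # so the gadgets cannot poke at the router's web interface either.
    $IPT -N IOT_IN 2>/dev/null || $IPT -F IOT_IN
    $IPT -D INPUT -i "$IOT_IF" -j IOT_IN 2>/dev/null
    $IPT -I INPUT -i "$IOT_IF" -j IOT_IN
    $IPT -A IOT_IN -p udp --dport 67 -j ACCEPT
    $IPT -A IOT_IN -p udp --dport 53 -j ACCEPT
    $IPT -A IOT_IN -p tcp --dport 53 -j ACCEPT
    $IPT -A IOT_IN -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A IOT_IN -j DROP
}

# Preview helper: prints the rules without touching the firewall.
preview_rules() { (IPT="echo iptables"; iot_isolation_rules); }

# Self-check: number of explicit DROP rules the script installs (expected: 2).
drop_rule_count() { preview_rules | grep -c -- '-j DROP'; }

# Apply only when asked to (as root); otherwise just show what would be done.
if [ "${1:-}" = "--apply" ]; then iot_isolation_rules; else preview_rules; fi
```

The script makes no rules persistent; on most firmware you add it to the boot or firewall hook scripts so it is re-applied after a restart.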

Check on your Network sometimes
Generally it's a good idea to log in to your router's web panel and just verify everything is normal. If you have a small network, look over your list of connected devices and verify that you know all of them. If you don't recognize one, disconnect it; if you sense foul play, change your password and disconnect all devices.

You don't have to do this often as I'm sure you all have better things to do with your time. But still do this at least a few times a year.

Spoof your Router's MAC Address
If you want to hide your router's manufacturer and firmware properly you need to spoof its MAC address, as a quick google search can be used to determine its origin. This requires some tinkering and it's best to just set up custom firmware when doing this.


False Security

MAC Address filtering
Routers with this enabled only permit whitelisted devices to connect to the network. A device is whitelisted via its MAC address. The logic behind this was to make sure that only known devices were allowed to connect to a network at any given time. However, in reality MAC filtering is just a high-maintenance and overly convoluted security mechanism that can be easily circumvented. In order to bypass MAC filtering, all you have to do is plug in a Wi-Fi card that supports monitor mode and listen for traffic between the devices connected to the network you're trying to breach; once you do that you will have the MAC address of a device that is already connected to the network. Now all that's left is to install a program like macchanger, which is available in most Linux distro repositories, and masquerade as the device you found earlier.

Another con that's often overlooked is the sheer manual labor required to properly maintain a network with MAC filtering, as you need somebody to maintain the whitelist. Every single time you want to add a printer, connect a person, or add any other device to the network you have to log in to your router's interface and update the whitelist. This quickly becomes a chore, network admins become lazy, and that can lead to more drastic consequences in the future.

But don't just take my word for it; let me show you exactly how to bypass MAC filtering.
First off, using airmon-ng, put your Wi-Fi adapter in monitor mode. If any processes start complaining, kill them (e.g. NetworkManager).

airmon-ng start wlp3s0
kill [pid]


Next, run airodump so that we can locate the wireless network and its connected client(s).

airodump-ng -c [channel] --bssid [target router MAC Address] -i wlp3s0mon


The output from airodump should provide you with the MAC addresses of currently connected devices.
We have everything we need, so let's disable monitor mode.

airmon-ng stop wlp3s0mon
ifconfig wlp3s0 down   # older devices
ip link set wlp3s0 down   # newer devices


Now it's time for the fun part: change your MAC address to the MAC address of one of the currently connected devices, using the macchanger command.

macchanger -m [New MAC Address] wlp3s0


Excellent, now let's just bring the interface back up and you should be good.

ifconfig wlp3s0 up   # older devices
ip link set wlp3s0 up   # newer devices



Hiding your SSID
The logic behind this was that by not broadcasting your network's ESSID/SSID it will be invisible to hackers. This is far from the truth, as these networks are still easy to detect.