
Ask HN: What does your “Router Security Checklist” look like? - jmbake
What does your "Router Security Checklist" look like? i.e., what actions do you take to ensure your wireless router is as secure as possible?

http://routersecurity.org/checklist.php is really great, but kind of verbose. My attempt to boil it down to a simpler checklist: https://github.com/jonmbake/router-security-checklist.
======
zxcmx
It's a good list. I just hate those things now.

I worked as a wireless router firmware developer for a while and as a
result... I don't use them anymore. The whole industry is just producing
unfixable tire-fires.

Different level of caring, but if security is important to you, put
cable/dsl/fiber ntu in bridge mode.

Get a pcengines apu (or your favourite sbc), install your favourite os (ubuntu
or debian for me). Don't bother with ui, just use a few nftables rules.

It actually worked out cheaper for me than the netgear thing shaped like a
stealth fighter.

The other thing which really annoyed me was my ISP periodically updating
settings on their stock router. Yeah, they can do that remotely if you use
their unit and there's usually no good way to turn it off.

~~~
drakenot
Can you expand on this a little bit? What does it buy you?

Is this setup (the linux APU in bridge mode) so that the NTU could get hacked
but your internal network would still be secure behind the APU?

What protects the APU from getting hacked like a traditional router would?
Just easier to secure yourself?

Did you just purchase wireless access points separately? Did you buy a
separate switch?

I've wanted to do something like this for a while but I wasn't sure what all
was involved, or if it was that much more secure.

~~~
zxcmx
The short answer is that if you build an x86 box based on crappy linux and
updates then your security is based, fundamentally, on the primitives which
secure everything else in the world.

It doesn't mean that it's the best. An x86/x64 ssh bug hurts everyone. But it
means that everyone in the world gets fucked, more or less, and you don't have
to worry as much.

Relying on random companies to secure your gateway puts you in the hands of
random companies who not only do not care but also do not make their own stuff
and now lack the basic competence to do so.

------
wmf
_Don't change the password._ Find a router that uses pairing instead of
passwords.

_Don't check for updates._ Find a router that updates itself automatically.

_It's a marathon, not a sprint._ Find a company that writes their own
firmware and uses the same firmware for multiple generations. This shows that
they are willing and able to invest in security.

Or just check if the brand is Google or Apple.

~~~
tedmiston
> Find a router that uses pairing instead of passwords.

Can you elaborate on that? I've never seen a router that doesn't use
passwords. Does this mean to use WPA2-PSK vs WPA2?

~~~
wmf
I was talking about the admin password; I guess that wasn't clear. You still
need a WPA password (unless you use WPS, but apparently that's even less
secure).

------
Canada
Nothing. Why even bother? My devices connect to untrustworthy networks all the
time anyway.

I just don't trust the local network in the first place.

------
LinuxBender

  - SELinux enabled
  - sysctl tuning applied
  - Inbound/Outbound/Forward iptables rules enabled
  - ipset iptables rules enabled
  - iptables intercept rules to route all ntp/dns over VPN to VPS nodes
  - Unbound DNS overriding many spammy domains
  - tinc vpn enabled to multiple VPS nodes
    - Each VPS node load balancing to multiple datacenter open resolvers that
      are NOT OpenDNS or Google
  - ip route blackhole about 20k bad networks from firehol on github
  - syslog to internal host
  - Suricata IDS logging to syslog
  - tc cbq traffic shaping enabled
  - haproxy L4 vips for sending select traffic to select squid proxies
  - power conditioner / UPS enabled, one for router, one for cable modem

Those are the basic things. My router is always Linux running on commodity
hardware with dual gig interfaces for clear physical demarcation.

~~~
captaindiego
Does anyone know anything for somehow providing useful information/action out
of Suricata IDS logs? I have stuff routed to my syslog, but I just always
forget to check for anything interesting.
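One way to get something actionable out of the Suricata-to-syslog setup described above, as an added example that is not part of the thread: a small Python triage pass over syslog-wrapped EVE JSON that skips junk lines, counts alerts by signature and source, and singles out LAN hosts that are the *source* of an alert. The syslog header format, the sample alerts and the 192.0.2.0/24 LAN prefix are all constructed assumptions.

```python
import ipaddress
import json
from collections import Counter

# Constructed sample of Suricata EVE JSON alerts as received over syslog
# (syslog header, then the JSON body). Not real traffic; IPs are doc ranges.
SAMPLE_LOG = """\
Mar  5 10:01:02 router suricata[1234]: {"event_type":"alert","src_ip":"203.0.113.7","dest_ip":"192.0.2.10","dest_port":22,"proto":"TCP","alert":{"signature_id":9000001,"signature":"CONSTRUCTED SSH brute-force attempt","severity":2}}
Mar  5 10:01:03 router suricata[1234]: {"event_type":"flow","src_ip":"192.0.2.10","dest_ip":"198.51.100.5","proto":"UDP"}
Mar  5 10:01:05 router suricata[1234]: {"event_type":"alert","src_ip":"203.0.113.7","dest_ip":"192.0.2.10","dest_port":22,"proto":"TCP","alert":{"signature_id":9000001,"signature":"CONSTRUCTED SSH brute-force attempt","severity":2}}
Mar  5 10:02:00 router suricata[1234]: {"event_type":"alert","src_ip":"192.0.2.23","dest_ip":"198.51.100.5","dest_port":53,"proto":"UDP","alert":{"signature_id":9000002,"signature":"CONSTRUCTED DNS to resolver outside VPN","severity":1}}
Mar  5 10:02:01 router suricata[1234]: {"event_type":"alert","src_ip":"203.0
"""

# Assumed LAN prefix (constructed). Alerts sourced from inside it point at a
# compromised or misconfigured internal host, which is what you act on.
LAN = ipaddress.ip_network("192.0.2.0/24")


def parse_alerts(log_text):
    """Extract EVE 'alert' events; skip non-JSON, truncated and non-alert lines."""
    alerts = []
    for line in log_text.splitlines():
        start = line.find("{")
        if start < 0:
            continue
        try:
            event = json.loads(line[start:])
        except ValueError:
            continue  # truncated or otherwise malformed syslog line
        if event.get("event_type") == "alert" and "alert" in event:
            alerts.append(event)
    return alerts


def triage(alerts, lan=LAN):
    """Boil a day's alerts down to the few numbers worth looking at."""
    internal = sorted({a["src_ip"] for a in alerts
                       if ipaddress.ip_address(a["src_ip"]) in lan})
    return {
        "total": len(alerts),
        "by_signature": dict(Counter(a["alert"]["signature"] for a in alerts)),
        "by_source": dict(Counter(a["src_ip"] for a in alerts)),
        # severity 1 is Suricata's highest priority
        "high_severity": sum(1 for a in alerts if a["alert"].get("severity") == 1),
        "internal_sources": internal,  # LAN hosts raising alerts: check these first
    }
```

Run `triage(parse_alerts(SAMPLE_LOG))` from a cron job against the day's syslog slice; inbound scan noise stays in the counters while any LAN host in `internal_sources` is the thing worth a look.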

------
zamalek
Checking that I can flash custom firmware comes before anything else.

