To harden the router, implement the following recommendations before connecting the device to the ISP/outside:
- Change the default username
- Change to a strong password/passphrase
- Update the firmware
- Disable web administration from the WAN, so the management interface cannot be reached from outside your network.
- Disable UPnP (Universal Plug and Play), so that apps and devices cannot open ports in the firewall without your knowledge.
- Disable WPS (Wi-Fi Protected Setup)
- Disable Port Forwarding
- Back up the configuration
Segment Your Network
Segmenting your network is good practice: it adds an additional layer of security by isolating guest and IoT (Internet of Things) devices from your main/primary network.
Network segmentation can be implemented by adding a second router, or by using a router that can configure each port as a different network segment.
One such smart router is the Ubiquiti Networks EdgeRouter X
- Each port is a separate network segment.
- Make sure to immediately update the firmware/EdgeOS
- Home-Network Implementation: Using the Ubiquiti EdgeRouter X and Ubiquiti AP-AC-LR Access Point by Mike Potts
- Ubiquiti Router Hardening
- EdgeRouter – OpenVPN Server
- Available from Amazon.com
- Security Now Episode 569 Notes – Page 7 of 14
- “Three Dumb Routers” …or… ONE SuperSmart Router!
- Ubiquiti EdgeRouter X $50, 5 separate interfaces, w/power supply
- Update the firmware!
- Packet switching rate (~500 Mbits)
- “Normal Router” is a two interface NAT connected to a multiport hub or switch. On the LAN side, it has a single LOGICAL interface and five to eight physical interfaces.
- A “super smart” router has a separate network logical interface for every physical interface.
Disable the Ubiquiti Discovery Service
In 2019, Ubiquiti devices were being exploited to conduct denial-of-service (DoS) attacks via a service listening on 10001/UDP.
Responses on port 10001 also reveal the device name, model, firmware version, IP and MAC addresses, and sometimes the ESSID if it is a wireless device.
The default WAN firewall policies added by the Basic Setup wizard will block all probes to UDP/TCP port 10001, and will prevent the EdgeRouter from being discoverable on the WAN.
- ubnt-discover: controls whether the EdgeRouter is able to discover nearby Ubiquiti devices.
- ubnt-discover-server: controls whether the EdgeRouter is discoverable by other nearby devices.
You can disable the Ubiquiti Discovery Service from the CLI (the prompt is shown as <user>@<router>, a placeholder for your login and hostname):
<user>@<router>:~$ show configuration
<user>@<router>:~$ configure
<user>@<router># set service ubnt-discover disable
<user>@<router># set service ubnt-discover-server disable
<user>@<router># commit
<user>@<router># exit
<user>@<router># disconnect
Note that commit only applies the change to the running configuration; also run save so the setting persists across a reboot.
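As an added example (not part of the original notes and not Ubiquiti's own tooling), a small Python audit that parses a `show configuration` dump and reports whether the two discovery services above are still enabled and whether any port-forward rules exist. The sample configuration is constructed; the top-level `port-forward` node name and the assumption that a missing `ubnt-discover` node means the factory default (enabled) are assumptions.

```python
def parse_config(text):
    """Parse EdgeOS 'show configuration' brace syntax into nested dicts: 'name {' opens
    a child, '}' closes it, 'key value' and bare keys become leaves (bare -> True)."""
    root, stack = {}, []
    cur = root
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("/*"):  # skip blanks and the version comments
            continue
        if line.endswith("{"):
            child = {}
            cur[line[:-1].strip()] = child
            stack.append(cur)
            cur = child
        elif line == "}":
            cur = stack.pop()
        else:
            key, _, value = line.partition(" ")
            cur[key] = value.strip().strip('"') if value else True
    return root

def audit(config):
    """Return findings for the hardening items on this page; empty when all pass."""
    findings = []
    service = config.get("service", {})
    for name in ("ubnt-discover", "ubnt-discover-server"):
        node = service.get(name)
        # Assumption: a missing node means the factory default, which is enabled.
        if not isinstance(node, dict) or "disable" not in node:
            findings.append(f"service {name} is enabled")
    # Assumption: forwards live under a top-level 'port-forward' node as 'rule N'.
    for key in config.get("port-forward", {}):
        if key.startswith("rule "):
            findings.append(f"port-forward {key} is configured")
    return findings

# Constructed sample: discovery-server disabled, client discovery and a forward still on.
SAMPLE_CONFIG = """\
port-forward {
    rule 1 {
        original-port 2222
        protocol tcp
    }
}
service {
    ubnt-discover-server {
        disable
    }
}
"""
```

Paste the output of `show configuration` into a file and pass its contents to `audit(parse_config(...))`; repeated leaf keys under one node are not preserved by this minimal parser.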