Network Best Practices

Router Configuration

To harden the router, implement the following before connecting the device to the ISP (the outside):

  • Change the default username
  • Change the default password to a strong password/passphrase
  • Update the firmware (and keep it updated)
  • Disable remote (WAN-side) web administration, so the management interface cannot be reached from outside your network; administer the router from the LAN only.
  • Disable UPnP (Universal Plug and Play), so apps and devices cannot open ports in the firewall without your knowledge.
  • Disable WPS (Wi-Fi Protected Setup)
  • Disable port forwarding (remove any rules you do not explicitly need)
  • Back up the configuration

Segment Your Network

Segmenting your network adds an additional layer of security by isolating guests and IoT (Internet of Things) devices from your main/primary network, so a compromised IoT device or guest machine cannot reach your primary systems.

Network segmentation can be implemented by adding a second router, or by using a router that can place each port on a different network segment.

One such router is the Ubiquiti Networks EdgeRouter X.
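The following EdgeOS configuration session is an added example, not configuration from this page or from Ubiquiti, showing the per-port segmentation described above on an EdgeRouter X. It assumes the Basic Setup wizard was run first (eth0 is the WAN, eth1-eth4 are members of switch0 carrying the primary LAN on 192.168.1.0/24, and the wizard's NAT masquerade rule on eth0 is in place); the IoT subnet 192.168.20.0/24 and the ruleset names IOT_IN and IOT_LOCAL are choices made for the example.

```edgeos
configure

# On the ER-X the wizard puts eth1-eth4 into switch0. Take eth2 out of the
# switch so it becomes its own routed port, then give it the IoT subnet.
delete interfaces switch switch0 switch-port interface eth2
set interfaces ethernet eth2 description "IoT"
set interfaces ethernet eth2 address 192.168.20.1/24

# DHCP and DNS forwarding for the IoT segment (router is gateway and resolver).
set service dhcp-server shared-network-name IoT subnet 192.168.20.0/24 default-router 192.168.20.1
set service dhcp-server shared-network-name IoT subnet 192.168.20.0/24 dns-server 192.168.20.1
set service dhcp-server shared-network-name IoT subnet 192.168.20.0/24 start 192.168.20.100 stop 192.168.20.200
set service dns forwarding listen-on eth2

# Traffic entering eth2 from IoT devices: allow replies to connections the
# primary LAN opened, block anything IoT initiates toward the primary LAN,
# let everything else (Internet) through. Rule order matters: 5 before 10.
set firewall name IOT_IN default-action accept
set firewall name IOT_IN rule 5 action accept
set firewall name IOT_IN rule 5 description "Allow established/related"
set firewall name IOT_IN rule 5 state established enable
set firewall name IOT_IN rule 5 state related enable
set firewall name IOT_IN rule 10 action drop
set firewall name IOT_IN rule 10 description "Block IoT to primary LAN"
set firewall name IOT_IN rule 10 destination address 192.168.1.0/24

# Traffic from IoT devices to the router itself: only DHCP and DNS, so IoT
# devices cannot reach the router's web UI or SSH.
set firewall name IOT_LOCAL default-action drop
set firewall name IOT_LOCAL rule 10 action accept
set firewall name IOT_LOCAL rule 10 description "DHCP"
set firewall name IOT_LOCAL rule 10 protocol udp
set firewall name IOT_LOCAL rule 10 destination port 67
set firewall name IOT_LOCAL rule 20 action accept
set firewall name IOT_LOCAL rule 20 description "DNS"
set firewall name IOT_LOCAL rule 20 protocol tcp_udp
set firewall name IOT_LOCAL rule 20 destination port 53

set interfaces ethernet eth2 firewall in name IOT_IN
set interfaces ethernet eth2 firewall local name IOT_LOCAL

commit
save
exit
```

Repeat the same pattern with another port (for example eth3) and another subnet for guests; a guest ruleset should additionally drop traffic to the IoT subnet. Because the primary LAN is not filtered toward eth2, hosts on 192.168.1.0/24 can still reach IoT devices (to manage them), while the IoT devices only ever see the reply traffic that rule 5 permits.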

Disable the Ubiquiti Discovery Service

In 2019, Ubiquiti devices exposing the discovery service on UDP port 10001 were abused to conduct denial-of-service (DoS) attacks.

A device that answers on port 10001 also reveals its name, model, firmware version, IP addresses and MAC addresses, and sometimes the ESSID if it is a wireless device.

The default WAN firewall policies added by the Basic Setup wizard block all probes to UDP/TCP port 10001 and prevent the EdgeRouter from being discoverable on the WAN. If you did not use the wizard, verify that your WAN rulesets drop unsolicited inbound traffic to the router itself; disabling the service (below) removes the exposure regardless of the firewall configuration.

  • ubnt-discover: controls whether the EdgeRouter is able to discover nearby Ubiquiti devices.
  • ubnt-discover-server: controls whether the EdgeRouter is discoverable by other nearby devices.

You can disable the Ubiquiti Discovery Service from the CLI. The prompt is shown with the EdgeOS default username and hostname (ubnt@ubnt); yours will differ. Note that commit applies the change to the running configuration only; save is required for it to survive a reboot.

ubnt@ubnt:~$ show configuration                  # review the current configuration first
ubnt@ubnt:~$ configure
ubnt@ubnt# set service ubnt-discover disable
ubnt@ubnt# set service ubnt-discover-server disable
ubnt@ubnt# commit                                # apply to the running configuration
ubnt@ubnt# save                                  # persist to the boot configuration
ubnt@ubnt# exit                                  # back to operational mode
ubnt@ubnt:~$ exit                                # log out