To harden/protect the router, before connecting the device to the ISP/outside, the following recommendations should be implemented:
- Change the default username
- Change to a strong password/passphrase
- Update the firmware in all devices
- Disable remote (WAN-side) web administration, so the management interface cannot be reached from outside your network.
- Disable UPnP (Universal Plug and Play), so that apps and devices cannot open ports in the firewall without your knowledge.
- Disable WPS (Wi-Fi Protected Setup)
- Disable Port Forwarding
- Back up the configuration of all devices
Segment Your Network
Network segmentation can be implemented by adding a second router, or by using a router that can place each of its ports on a different network segment.
One such smart router is the Ubiquiti Networks EdgeRouter X:
- Each port is a separate network segment.
- Make sure to immediately update the firmware/EdgeOS
- Home-Network Implementation: Using the Ubiquiti EdgeRouter X and Ubiquiti AP-AC-LR Access Point by Mike Potts
- Ubiquiti Router Hardening
- EdgeRouter – OpenVPN Server
- Available from Amazon.com
- Security Now Episode 569 Notes – Page 7 of 14
- “Three Dumb Routers” …or… ONE SuperSmart Router!
- Ubiquiti EdgeRouter X $50, 5 separate interfaces, w/power supply
- Update the firmware!
- Packet switching rate (~500 Mbits)
- A “normal router” is a two-interface NAT device connected to a multi-port hub or switch: on the LAN side it has a single logical interface behind five to eight physical ports.
- A “super smart” router has a separate network logical interface for every physical interface.
Disable the Ubiquiti Discovery Service
In 2019, Ubiquiti devices exposed to the Internet were being exploited to conduct denial-of-service (DoS) attacks via the discovery service on UDP port 10001.
Responses on port 10001 also reveal the device name, model, firmware version, IP and MAC addresses, and sometimes the ESSID if it is a wireless device.
The default WAN firewall policies added by the Basic Setup wizard will block all probes to UDP/TCP port 10001, and will prevent the EdgeRouter from being discoverable on the WAN.
- ubnt-discover: controls whether the EdgeRouter is able to discover nearby Ubiquiti devices.
- ubnt-discover-server: controls whether the EdgeRouter is discoverable by other nearby devices.
You can disable the Ubiquiti Discovery Service from the CLI (prompts shown are the EdgeOS defaults); after committing, save the configuration so the change survives a reboot:
    ubnt@ubnt:~$ show configuration
    ubnt@ubnt:~$ configure
    ubnt@ubnt# set service ubnt-discover disable
    ubnt@ubnt# set service ubnt-discover-server disable
    ubnt@ubnt# commit
    ubnt@ubnt# save
    ubnt@ubnt# exit
    ubnt@ubnt:~$ disconnect
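The WAN_LOCAL policy described above should drop every probe to port 10001 that arrives on the WAN interface. The following added Python example (not from the original page or from Ubiquiti) audits EdgeOS-style firewall log lines for such probes and flags any that were accepted rather than dropped, which would mean the policy is missing or an earlier rule bypasses it. The sample log lines are constructed, and the iptables-style `[ruleset-rule-verdict]` prefix format and the `eth0` WAN interface name are assumptions.

```python
import re
from collections import Counter

# Constructed sample lines approximating EdgeOS firewall logging: the kernel
# writes an iptables prefix [<ruleset>-<rule>-<verdict>] followed by key=value
# fields. Addresses and timestamps are made up for this example.
SAMPLE_LOG = """\
Jan 10 02:14:01 ubnt kernel: [WAN_LOCAL-default-D]IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=32 PROTO=UDP SPT=40001 DPT=10001 LEN=12
Jan 10 02:14:03 ubnt kernel: [WAN_LOCAL-default-D]IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=32 PROTO=UDP SPT=40002 DPT=10001 LEN=12
Jan 10 02:15:10 ubnt kernel: [WAN_LOCAL-default-D]IN=eth0 OUT= SRC=198.18.5.9 DST=198.51.100.2 LEN=60 PROTO=TCP SPT=51234 DPT=22 SYN
Jan 10 02:16:44 ubnt kernel: [WAN_LOCAL-20-A]IN=eth0 OUT= SRC=192.0.2.55 DST=198.51.100.2 LEN=32 PROTO=UDP SPT=3001 DPT=10001 LEN=12
Jan 10 02:17:00 ubnt kernel: [LAN_IN-10-A]IN=eth1 OUT=eth0 SRC=192.168.1.20 DST=192.0.2.80 LEN=52 PROTO=TCP SPT=50000 DPT=443
"""

DISCOVERY_PORT = "10001"
# Lazy ruleset match so ruleset names containing hyphens still split correctly.
PREFIX_RE = re.compile(r"\[(?P<ruleset>.+?)-(?P<rule>[^-\]]+)-(?P<verdict>[ADR])\](?P<fields>.*)")


def parse_line(line):
    """Parse one firewall log line into a dict; return None for other lines."""
    m = PREFIX_RE.search(line)
    if not m:
        return None
    rec = {"ruleset": m["ruleset"], "rule": m["rule"], "verdict": m["verdict"]}
    for token in m["fields"].split():
        if "=" in token:
            key, value = token.split("=", 1)
            rec.setdefault(key, value)  # keep the first LEN (IP total length)
    return rec


def audit_discovery(log_text, wan_if="eth0"):
    """Return (dropped_probes_by_source, accepted_probe_records) for traffic
    arriving on the WAN interface to the discovery port. Any accepted record
    means a probe reached the router itself, so the WAN_LOCAL drop policy is
    missing or an earlier accept rule is bypassing it."""
    dropped = Counter()
    accepted = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec.get("IN") != wan_if or rec.get("DPT") != DISCOVERY_PORT:
            continue
        if rec["verdict"] == "A":
            accepted.append(rec)
        else:
            dropped[rec["SRC"]] += 1
    return dropped, accepted
```

The drops only appear in the log when default-action logging is enabled on the ruleset (`enable-default-log` on WAN_LOCAL in EdgeOS); an empty result with logging disabled proves nothing.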
Monitor Devices on the Network
You can monitor device availability, free space on drives, CPU and memory usage, temperature, etc.
- Keep an eye on your network – Observium Tutorial
- Observium is a low-maintenance auto-discovering network monitoring platform supporting a wide range of device types, platforms and operating systems.
- Windows: SNMP is deprecated. Instead, use the Common Information Model (CIM), which is supported by the WS-Management web services protocol and implemented as Windows Remote Management.