
[LUG] Home router settings was Re: FW:

 

On 16/06/13 23:20, bad apple wrote:
> 
> But really, EVERYONE on this list, check your router for UPnP right now
> and if it's on (it will be by default) kill it right now. Trust me (or
> Simon, or anyone else competent for that matter) on this.

Not sure I'm competent in this matter, as it is down to managing other
people's networks, but I can discuss my choices.

1) I have UPnP disabled.

I don't need it.

2) I don't allow management from the Internet (at least that default was
right).

I see no advantage; I can generally ssh in to a box inside and connect
from inside if I really want to break my router config when I'm away
from home.

3) I don't allow management of the router from the Wireless LAN.

Since I was allowing anyone to connect to the WLAN interface, opinions
differ on that matter, but I saw it as a courtesy to guests to my house
to make it as easy as possible to connect. Guests definitely don't need
to reconfigure the router. If your Wi-Fi is secured, and you usually use
a laptop that goes places, this might not be for you.

Running an open access point carries some risk, and is something that
has recently been revoked (not, I would add, due to abuse). On the other
hand it may add "plausible deniability" if your IP address is accused
of something.

Part of running an open access point was the assumption that my own
devices on the network must anticipate potentially hostile traffic, so
they would expose minimal services (something I've been changing
recently, as I experiment with some fun multimedia protocols), be
regularly patched, etc.

4) I don't run the embedded IGMP proxy.

I can see this might be more controversial, but I don't currently need
IGMP, and I probably would do it some other way if I did.

5) I don't use any of the embedded programs if I can avoid it, with the
exception of the DHCP server (and that because I want to be able to
allocate addresses when everything on the wired network is down). Boxes
that stay put use static addresses, so don't rely on the DHCP service
being available.

I don't trust the vendor to issue fixes, and there appears to be no easy
way to be notified of new firmware updates, and they haven't released
any updates for this router hardware for nearly 7 years.

6) I disable the firewall functionality.

It comes with an HTTP proxy type service. This would be a router based
program, which could be communicated with (via a browser inside the
network) by malicious actors from the outside, and which might have
vulnerabilities (see also point 5).

It does NAT, it does simple QoS, it does DHCP for mobile clients
(originally I did this from a Debian box, but switched it back).

7) I disable SNMP.

The router's functions are simple, and my home LAN is simple enough not
to need this. I note the last firmware update fixed a password disclosure
over SNMP vulnerability.

Replacing this router is on the cards, because it lacks support for
IPv6, and because of the apparent lack of support.

-- 
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/listfaq
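The check the quoted message urges (and point 1 above describes), as an added example that is not part of this post or the list's own material: a small Python SSDP discovery client that multicasts one M-SEARCH on the LAN and reports any Internet Gateway Device that still answers, which is what "UPnP left on" looks like from inside the network. SAMPLE_RESPONSE is a constructed reply for offline parsing; the 192.168.1.1 address and the "ExampleRouter" server string in it are placeholders, not values from any real device.

```python
import socket

SSDP_ADDR = ("239.255.255.250", 1900)
IGD_ST = "urn:schemas-upnp-org:device:InternetGatewayDevice:1"

# Constructed sample reply shaped like an IGD's answer to M-SEARCH (not captured from a real router)
SAMPLE_RESPONSE = (b"HTTP/1.1 200 OK\r\n"
                   b"ST: urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n"
                   b"LOCATION: http://192.168.1.1:1900/igd.xml\r\n"
                   b"SERVER: Linux UPnP/1.0 ExampleRouter/1.0\r\n\r\n")

def build_msearch(st=IGD_ST, mx=2):
    # The SSDP discovery request a UPnP client multicasts to find an Internet Gateway Device
    return ("M-SEARCH * HTTP/1.1\r\n"
            f"HOST: {SSDP_ADDR[0]}:{SSDP_ADDR[1]}\r\n"
            'MAN: "ssdp:discover"\r\n'
            f"MX: {mx}\r\nST: {st}\r\n\r\n").encode("ascii")

def parse_ssdp_response(raw):
    # Header lines of a 200 reply -> dict keyed by upper-cased name; malformed lines are skipped
    lines = raw.decode("ascii", errors="replace").split("\r\n")
    if not lines[0].startswith("HTTP/1.1 200"):
        return {}
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().upper()] = value.strip()
    return headers

def advertises_igd(headers):
    # A reply carrying the IGD service type plus a LOCATION means UPnP is still enabled
    return "InternetGatewayDevice" in headers.get("ST", "") and "LOCATION" in headers

def probe_lan(timeout=2.0):
    # Multicast one M-SEARCH and collect IGD replies; an empty list means nothing answered
    found = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_msearch(), SSDP_ADDR)
        try:
            while True:
                data, addr = sock.recvfrom(4096)
                hdrs = parse_ssdp_response(data)
                if advertises_igd(hdrs):
                    found.append((addr[0], hdrs.get("LOCATION"), hdrs.get("SERVER")))
        except socket.timeout:
            pass
    return found
```

Run `probe_lan()` from a machine on the LAN: an empty list is the outcome the post is after, while any tuple returned names a gateway that still advertises UPnP and should have it switched off in its admin interface.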