Best practices for the operation of your router

Your router, that box sitting in a corner of your house or office giving you Internet access, is in many ways more important than your laptop or mobile phone.  It might not store any of your personal information directly, but sensitive data passes through it every time you access various online services and can be stolen or manipulated if the router is hacked.

Because it is exposed directly to the outside world, your router is frequently targeted by automated scans, probes and exploits, even if you don’t see those attacks.  And compared to your laptop or phone, your router doesn’t have an antivirus programme or other security software to protect it.

It is easy to assume that a router comes out of the box with all security enabled. That is true to some extent, but the defaults will always be generic settings, so you can improve on them and reduce the chances of becoming a victim.

Below is a list of the most important ‘best practices’ for the operation of your router:

Avoid using routers supplied by ISPs

These routers are typically less secure than those sold by manufacturers to consumers. At RuralTech, we recommend business-grade DrayTek routers.

Change the default admin password

Changing the default password is the first thing you should do on any new installation. Your chosen admin password should be ‘strong’.

The router’s web-based management interface should not be reachable from the Internet.

For most users, managing the router from outside the LAN (local area network) is not necessary.

Even inside the LAN, it is good to restrict which IP (Internet Protocol) addresses can manage the router.  If this option is available, it’s best to allow access from a single IP address that is not part of the pool of IP addresses assigned to computers via DHCP (Dynamic Host Configuration Protocol).

Turn on HTTPS access to the router interface, if available, and always log out when done.

Use the browser in incognito or private mode when working with the router so that no session cookies are left behind, and never allow the browser to save the router’s name and password.

Change the router’s LAN IP address if possible

Most of the time, routers will be assigned the first address in a predefined netblock, for example, 192.168.0.1. If offered the option, change this to 192.168.0.99 or something else that’s easy to remember and is not part of the DHCP pool.

Choose a complex Wi-Fi password and a strong security protocol

WPA2 (Wi-Fi Protected Access II) should be the option of choice, as the older WPA and WEP are susceptible to brute-force attacks. If the router offers the option, create a guest wireless network, also protected with WPA2 and a strong password. Let visitors or friends use this isolated guest network instead of your main one. They might not have malicious intentions, but their devices might be compromised or infected with malware.

Disable WPS (Wi-Fi Protected Setup)

This is a rarely used feature designed to help users set up Wi-Fi networks easily by using a PIN printed on a sticker. However, a serious vulnerability was found in many vendor implementations of WPS a few years ago that allows hackers to break into networks. Because it’s hard to determine which specific router models and firmware versions are vulnerable, it’s best to simply turn off this feature on routers that allow it. Instead, you can connect to the router via a wired connection and access its web-based management interface and, for example, configure Wi-Fi with WPA2 and a custom password (no WPS needed).

The fewer services your router has exposed to the Internet, the better.

This is especially true if you haven’t enabled those services yourself and don’t know what they do. Services like Telnet, UPnP (Universal Plug and Play), SSH (Secure Shell) and HNAP (Home Network Administration Protocol) should not be reachable from the Internet as they can pose serious security risks. They should also be turned off on the local network if they’re not needed.

Keep your router’s firmware up-to-date.

All current routers undergo continuous development, and new threats are evolving all the time. New firmware may introduce new features, but it also brings essential security improvements and fixes.
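The addressing and exposure advice in the list above can be checked against a planned set of router settings before you apply them. This is an added example, not RuralTech's or any router vendor's code; the dictionary layout, its key names and the two sample plans are assumptions made for illustration and do not match any router's export format.

```python
import ipaddress

# Services the article says should not be reachable from the Internet.
RISKY_WAN_SERVICES = {"telnet", "upnp", "ssh", "hnap"}
# Older Wi-Fi protocols the article says to avoid.
WEAK_WIFI = {"WEP", "WPA"}

def audit_router_plan(plan):
    """Check a settings plan (hypothetical dict layout) against the article's advice."""
    findings = []
    lan = ipaddress.ip_network(plan["lan_subnet"])
    pool_start, pool_end = (ipaddress.ip_address(a) for a in plan["dhcp_pool"])

    def check_static(label, value):
        # A fixed address must be a usable host in the LAN and outside the DHCP pool.
        ip = ipaddress.ip_address(value)
        if ip not in lan or ip in (lan.network_address, lan.broadcast_address):
            findings.append(f"{label} {ip} is not a usable host address in {lan}")
        elif pool_start <= ip <= pool_end:
            findings.append(f"{label} {ip} is inside the DHCP pool")
        return ip

    router = check_static("router LAN address", plan["router_ip"])
    if router == lan.network_address + 1:
        findings.append(f"router LAN address {router} is still the first address in the netblock")
    admin = check_static("management address", plan["admin_ip"])
    if admin == router:
        findings.append("management address is the router itself")
    if plan["wan_management"]:
        findings.append("management interface is reachable from the Internet")
    if not plan["https_admin"]:
        findings.append("HTTPS is not enabled for the management interface")
    if plan["wifi_security"].upper() in WEAK_WIFI:
        findings.append(f"Wi-Fi uses the older {plan['wifi_security']} protocol")
    if plan["wps"]:
        findings.append("WPS is enabled")
    for svc in sorted(RISKY_WAN_SERVICES & {s.lower() for s in plan["wan_services"]}):
        findings.append(f"{svc} is exposed to the Internet")
    return findings

# Constructed sample plans, not taken from any real router.
FACTORY = {"lan_subnet": "192.168.0.0/24", "dhcp_pool": ("192.168.0.2", "192.168.0.254"),
           "router_ip": "192.168.0.1", "admin_ip": "192.168.0.50", "wan_management": True,
           "https_admin": False, "wifi_security": "WPA", "wps": True,
           "wan_services": ["Telnet", "UPnP"]}
HARDENED = {"lan_subnet": "192.168.0.0/24", "dhcp_pool": ("192.168.0.100", "192.168.0.200"),
            "router_ip": "192.168.0.99", "admin_ip": "192.168.0.10", "wan_management": False,
            "https_admin": True, "wifi_security": "WPA2", "wps": False, "wan_services": []}

if __name__ == "__main__":
    for name, plan in (("factory", FACTORY), ("hardened", HARDENED)):
        print(name, audit_router_plan(plan) or "no findings")
```

An empty list means the plan follows every item the script covers; passwords and firmware versions are outside its scope.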

© 2020 by RuralTech. 
