05-25-2011 09:05 PM
I have owned three LinkSys Wireless routers since May 2007: two WRT54G (V6 and V8) and my current E3000 V1. All have provided configuration options which can make it very difficult, if not impossible, for unwanted access to my WiFi routers.
All changes should be made while your system is connected to one of the Ethernet ports on the router and not via WiFi, due to the change made in item #3 of "General Suggestions".
All items bracketed by "<>" are the titles of LinkSys Admin web pages or sections within web pages. Don't forget to click "Save Settings" on one web page before going to another web page or your changes will be lost.
Please note that not all of the LinkSys router Web Admin pages may use the Web-page/Section titles as used in this suggestion.
Make sure you know the MAC/Physical Address of your Wireless adapter as it will be needed for item #3 of "WiFi specific suggestions". Assuming you have a Microsoft Windows based system, use a "Command Prompt" to issue the command "ipconfig /all" to determine the MAC (aka Physical) Address of your Wireless adapter while WiFi connected to a router.
After making all suggested changes, repeat the processes to make sure the changes were saved.
1) In <Administration/Mgmt> change the default password from Admin to one of your choosing.
2) In <Local Mgmt Access> Disable HTTP access and Enable HTTPS access. After this change is saved, you must reconnect to the router via URL https://192.168.1.1; note the use of httpS vs. http (no S) for a secured connection to the admin web pages of the router.
3) In <Local Mgmt Access> Disable Wireless Access to Admin web pages. Must use Ethernet port on Router.
4) In <Remote Mgmt Access> Disable Remote Management AND Disable UPnP (a known protocol flaw allows router hijacking if UPnP is enabled).
WiFi specific suggestions.
1) In <Wireless/BasicSettings> Disable SSID broadcast. This will prevent "driveby" intruders from seeing the SSID of your LinkSys router. Make sure you change the default SSID to one of your choosing.
2) In <Wireless/WirelessSecurity/Security> set your Security level to WPA or WPA2 (WPA2 preferred). Do NOT use WEP as its encryption algorithm can be cracked in less than 5 seconds. This will protect your transmissions between your system and the router. The E-series routers provide support for both WPA/WPA2 depending on the client config. My WRT54G routers would only support WPA or WPA2.
3) In <Wireless/WirelessSecurity/Algorithm> select AES not TKIP as security consultants have recently discovered a crackable flaw in TKIP encryption.
4) In <Wireless/WirelessSecurity/Key> select a Pass Phrase that you and all authorized systems must use for the secured connections to your router.
5) In <Wireless/WirelessMACFilter> Enable MAC Filtering and "Only allow PC's" whose MAC addresses are defined in the <Edit MAC Filter List>. These two changes will require that you register the MAC/Physical Addresses of all Wireless clients which you authorize to connect to your router secured network. Failure to register a system's MAC/Physical Address will deny that system access to your network even if they have the correct AES Pass Phrase and SSID.
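A check for item 2 of the general suggestions above, as an added example that is not part of the original post: run from a wired client, it reports whether the admin pages still answer on plain HTTP and whether the HTTPS port completes a TLS handshake. The address 192.168.1.1 is the one from the post; ports 80 and 443 and the self-signed certificate are assumptions.

```python
import socket
import ssl

ROUTER = "192.168.1.1"  # admin address from the post; ports below are assumed defaults


def tcp_open(host, port, timeout=2.0):
    """Return True if a TCP connection to host:port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def tls_version(host, port, timeout=2.0):
    """Return the negotiated TLS version, or None if no handshake completes.

    Certificate checks are disabled on the assumption that the router
    presents a self-signed certificate; this only tests that TLS is spoken.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw) as tls:
                return tls.version()
    except OSError:  # covers ssl.SSLError, timeouts and refused connections
        return None


def audit_local_mgmt(host=ROUTER, http_port=80, https_port=443, timeout=2.0):
    """Return a list of findings; an empty list means HTTP is off and HTTPS is on."""
    findings = []
    if tcp_open(host, http_port, timeout):
        findings.append(f"HTTP admin still reachable on {host}:{http_port}")
    if not tcp_open(host, https_port, timeout):
        findings.append(f"HTTPS admin not reachable on {host}:{https_port}")
    elif tls_version(host, https_port, timeout) is None:
        findings.append(f"{host}:{https_port} is open but no TLS handshake completed")
    return findings


if __name__ == "__main__":
    for line in audit_local_mgmt() or ["HTTP is closed and HTTPS answers with TLS"]:
        print(line)
```

A handshake failure can also mean the device only offers protocol versions or ciphers that this Python build refuses, so treat that finding as a prompt to look at the HTTPS setting rather than proof that HTTPS is off.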
05-25-2011 09:53 PM
05-31-2011 09:32 PM
Although I agree with some of the technical issues associated with all wireless communication, I still believe that any configuration provisions you can take on both your wireless router and wireless clients to subvert potential attacks is beneficial. Personally in my environment, my ThinkPad T43 is the only wireless device in my home network behind my E3000 and is predominately inserted in its docking station and connected to my home network by its 1Gb Ethernet adapter vs. its WiFi adapter (disabled), which greatly reduces "drive by" detection of it trying to contact my E3000 Wireless router. In addition, all PC based clients on my home network have ZoneAlarm Internet Security software installed for secondary firewall and primary AntiVirus/AntiSpyware protection.
05-31-2011 09:50 PM
06-01-2011 10:34 PM
GV. So that you fully understand the reasoning behind my original recommendations let me state the following:
1. Most of the "Drive By" incidents in my neck-of-the-woods are done by "teeny-bops" trying to find unsecured WAPs that will gain them access to porn sites, not your hi-tech identity theft criminals. Thus the provisions for preventing them from "seeing" the SSID of my router, even though it requires a WPA/WPA2 secured connection and specific pass phrase.
2. Indiana Penal Code states that unauthorized access to the property of another person constitutes an act of theft.
3. Unauthorized is further defined as "... not having been given specific consent...".
4. The same Penal Code assigns NO dollar amount loss. No Grand Theft vs. Petty Theft, theft is theft.
5. I was involved as a State's witness in a landmark case concerning this Penal Code, and the defendant did not have a leg to stand on. Guilty as charged.
Any individual in the state of Indiana who accesses the WAP router of another person/business/gov-institution, without having been given specific consent is guilty of THEFT.
06-02-2011 02:10 AM
06-10-2011 03:17 AM
I'm a bit stunned by this. I agree that not broadcasting the SSID is probably fairly trivial, but, as with everything else in life, multiple layers of security are better than one. If you assume most crime is casual/opportunistic, then my bike, locked with 2 locks, is safer than the bike next to it which is only secured with 1 lock. If someone specifically wants my bike they'll bring whatever they need to steal it, so no number of locks will protect it.
I would say the best things to do are: (1) change your SSID - NOT your house number! (stops anyone identifying your house); (2) switch on MAC address filtering; (3) stop broadcasting your SSID; (4) switch on the highest possible level of encryption; (5) change the admin password.
I'm not thinking of someone parked outside 24*7 deliberately trying to attack my router. I'm thinking of someone casually trying to pick up unsecured networks, who will revert to the least secure (they're probably parked up waiting for a friend and don't want to use their mobile data). Or Google driving past scooping up data "accidentally". No amount of wireless security is going to stop someone deliberately attacking your router, but this is unlikely so you may as well make it as secure as possible (also, the issue of the iPhone constantly trying to connect is fatuous, and your fault for having an iPhone. My Nokia N8 doesn't try to connect continually, neither did my 5800XM. They just connect when in range and when they need to).
06-10-2011 05:12 AM