How do I secure my router?

Helping people with computers... one answer at a time.

Ask Leo! » Networking » Small Business and Home Networking

Your router is your first line of defense against malicious attacks from the internet. But is your router secure? I'll review the important settings.

I'd like to know how to clear the history of my Linksys Cisco router. I'd also like to know how I can protect it from hacking and who else besides the people that know my router's WPA code can view browsing history.

•

There are a couple of misconceptions in your question, which I'll clear up in a second.

The more general topic is an important one: how do you make sure that your router is secure? After all, as your firewall it is your first line of defense against malware trying to get at your computer from the internet.

You'll want to make sure there aren't big gaping holes.

And sadly, by default, there are.

•

Router Logging

First, most routers don't maintain a history, so there's nothing to erase, and nothing for anyone to view. Most routers just ... route. However there are sometimes ways to enable a certain amount of logging, and we'll look at that below.

"If you do nothing else to your router, change the default password ..."

While the concepts below apply to almost all consumer grade routers, I'll be using my own LinkSys BEFSR81 Router, and LinkSys WAP54G as examples. You'll need to "translate" the examples to the equivalent settings on your own router or access point.

Change The Default Password

If you do nothing else to your router, change the default password now. Change it to be something strong - obscure passwords like "I2tX3ZPz2hMszg" are perfect. (If you don't have a random password generator, GRC's Ultra High Security Password Generator is a great tool.)

Password Dialog on LinkSys router

The reason for this is simple: this is a gaping security hole.

Every router and access point is shipped with the same default password. For LinkSys, if your login is a blank username and a password of "admin", everyone knows it. And anyone can then login to your router and undo any and all of the security steps we're about to take. There is also now malware that takes advantage of the default passwords on routers to make changes without your knowledge.

Disable Remote Management

"Remote Management" is a feature whereby your router can be administered remotely - in other words from anywhere out on the internet.

LinkSys Filters
LinkSys Remote Management

While this setting (coupled with a very strong password) might make sense for a handful of people, for most folks there's absolutely no need to administer the router from anywhere but the local machines connected to it. Make sure that remote management setting is off.

Turn Off Logging

OK, more correctly, this is "make sure logging is still turned off", since if a router supports any kind of logging at all, it'll likely be off by default.

LinkSys Logging Options

Disable the logging, and no information will be kept on the router, or sent to any other machine.

Turn Off Universal Plug and Play

Universal Plug and Play (UPnP) is a technology that allows software running on your machine to perform services like port forwarding without your having to go in and configure the router manually.

It seems like a good idea, right?

Turn it off.

LinkSys UPnP setting

It turns out that malware can also be UPnP aware, and can make all sorts of malicious changes to your router without your being involved or aware.

(Note: UPnP is unrelated to Windows Plug and Play hardware detection; it's just another unfortunate collision of similar names.)

Add a WPA Key

It's time for another password, this time to secure and encrypt your wireless connection.

Wireless Encryption Password

First: use WPA, preferably WPA2, not WEP. WEP encryption turns out to be easily crackable.

Second, select a good, secure key/password/passphrase (the terms are roughly interchangeable here). A passphrase generated by the GRC Password Generator would be a good choice. You only need to enter it once here, and once on each machine that is allowed to connect to your wireless network.

Having a strong WPA key ensures that only machines you allow on your network can see your network, your traffic, and your router.

Don't Forget The Physical

All of your routers security settings can be reset in a flash if someone has physical access to the device. Almost all routers have a "reset to factory defaults" mechanism - typically by holding a reset button for a certain amount of time. If someone can walk up to your router and do that, then all the security settings you've just enabled may be instantly erased.

Only you can judge whether or not you need this extra level of physical security, but make sure to consider it.

(This is an update to an article originally published March 8, 2009.)

Article C3669 - December 16, 2010

Leo A. Notenboom has been playing with computers since he was required to take a programming class in 1976. An 18 year career as a programmer at Microsoft soon followed. After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers to common computer and technical questions. More about Leo.

Not what you needed?

You may also be interested in:

Change Your Password - No, not that one... You probably need to change a password, but not the one you think.
What are these access attempts in my router log? Any device sitting on the internet is subject to a constant stream of "internet background noise". It's why you really want to be behind a firewall.
Does sharing a router make me vulnerable to those I share with? Being on the same local network as another machine implies a certain level of trust. Without that trust, additional security steps are called for.

Recent Comments

23 Comments

Here's a nice writeup on logging on Netgear routers:

http://kb.netgear.com/app/answers/detail/a_id/1014/~/using-netgear-router-logs

They start out: "Router log features vary by model. Advanced, business-oriented routers such as the FVS328 have extensive logging features, such as monitoring for specific types of attack, and reporting to a security monitoring program. Home routers such as the WGR614 and WGT624 only have only basic features such as router reboots, and reporting when people go to sites that you blocked."

Posted by: Bob in upstate NY at December 21, 2010 10:26 AM

I had a Linksys router too, but recently got a Netgear router. What I liked about this router is that besides the security wpa2 password security, it blocks also any other connections except those that have an approved Max address. Together both those items blocks all the non authorized connections. It also is far easier to setup.

Posted by: Paul at December 21, 2010 10:37 AM

A good tip to add to this is to only access the router via https - I have a Cradlepoint and a Linksis and both have the setting for that, usually under admin. That way when you send your password over the internet it is secured. In the case of the craddlepoint I have to physically type https in the browser - the linksys pulls it up automatically...

Posted by: Sandy Smith at December 21, 2010 11:23 AM

Whether you should broadcast your SSID has been hotly debated. After much reading/research in this area I broadcast mine. Here is some interesting reading on it...

http://technet.microsoft.com/en-us/library/bb726942.aspx

Posted by: Sandy at December 21, 2010 3:22 PM

where do i find these screens?

Check the documentation that came with your router. It's different for each, but typically starts with a special "url" (like http://192.168.1.1 - but it may be different) that you enter into your browser. The router documentation will have the specifics.

13-Oct-2011

Posted by: ron at October 13, 2011 10:27 AM

See all 23 comments...

Post a comment on "How do I secure my router?":

Name: (Required - will be included when your comment is published.)

Email Address: (Required - will not be published.)

Remember Me? YesNo

Comments: (You may use HTML tags for style)

Before commenting, please...

READ THE ARTICLE. A comment that shows you didn't will be deleted and ignored.
Comment only on the article. Use the search box at the top of the page if you have a question about something else.
NO PERSONAL INFORMATION in the comment. No email addresses. No phone numbers. No physical addresses.

Anything that looks the least bit like spam will be deleted. Links to unrelated sites or links that appear to be primarily promotional will be deleted, or the comment will be deleted.
Don't ask me to recover lost passwords or hacked accounts. I can't. Those comments will be deleted.
I can't respond to every comment. And I can't vouch for the accuracy of others who do.

Read Why didn't you answer my question? for hints on getting an answer.
By posting a comment you agree to the Terms of Service. Don't agree? Don't post.
READ THE ARTICLE. A comment that shows you didn't will be deleted and ignored. Yes, I'm saying this twice; you'd be amazed.

Please wait. Your comment is being processed ...

Question? Ask Leo!
The Tip Jar: Buy Leo a Latte!

Categories | Full Archive
By Date | Business Card | About

Advertisements do not imply my endorsement of any product or service.

Copyright © 2003-2012 Puget Sound Software, LLC and Leo A. Notenboom
Ask Leo! is a registered trademark ® of Puget Sound Software, LLC
Terms, Conditions & Privacy
Product Reviews, Recommendations and Affiliate Links Disclosure

http://ask-leo.com/how_do_i_secure_my_router.html