Beefing Up Your ROUTER Security

Published April 11, 2017 at 11:30 PM
Updated April 11, 2017 at 11:30 PM

The cool people over at WordFence just posted a blog post indicating that many thousands of attacks on WordPress sites are coming from hacked home routers.  WordFence is the number one (highly recommended) security plugin for WordPress sites.

Their original post is here:

Their followup post about scanning your home router for the vulnerable port is here:

I posted a long comment on their blog, which they approved and published.  I gave 11 tips to secure your router.  A slightly edited version of that is below.  This does not describe the nature of the problem, so see their posts for that.  Briefly, though, this specifically refers to the router exposing port 7547, which is normally used for ISP management of the equipment, and exposing vulnerabilities which allow it to be attacked.

Much of what I give below relates to configuring your own router, regardless of what your cable modem is doing.  You may or may not be able to implement these steps on your cable modem, or cable modem / router provided by the ISP.  You should definitely make use of the vulnerability test that WordFence has provided.  If your cable modem or cable modem / router provided by the ISP is vulnerable, you should definitely take the corrective steps recommended by WordFence.  Your cable modem or cable modem / router may have already been hacked and may already be in use attacking WordPress sites.  This applies whether or not you install your own router in addition to the cable modem or cable modem / router as I recommend below.

Takeaways for users, in my opinion are the following.  If needed, ask a geek friend for help.

01) Put your own home router behind your cable / dsl modem between the modem and your home network.

Wiring should look like this:

internet -> cable modem -> your router’s WAN port -> pc’s either wired to your router’s LAN ports or wireless

If you’re really geeky, you could run alternate firmware like DD-WRT, Open-WRT, or Tomato.  This is not for the faint of geek heart and instructions are beyond the scope of this post.  If not using custom firmware, make sure the router you install has up to date factory firmware.

Using your own router won’t prevent malware from getting into the cable modem.  But it will help prevent it from breaching into your home network.  The following steps won’t guarantee that your router cannot become infected, but they will help make it much less likely.

02) Turn off all unneeded features in the router’s control panel and, in particular, anything that allows outside access to your inside network.

03) Make sure the DMZ is OFF.  DMZ stands for demilitarized zone.  The DMZ feature, if on, forwards ALL incoming traffic from outside that is unsolicited (ie attacks) to a specific address on the INSIDE of your network.  This is very dangerous.  Don’t use it.

04) Turn off ALL outside remote administration, be it web based (http, https), or ftp, or telnet, or just a general setting, or whatever.

05) Turn off all “servers” or “services” that expose any router features to the outside world.

06) Turn off UPNP.  This stands for Universal Plug And Play.  This allows things inside your network (like game consoles or javascript apps in your browser) to open holes (ports) in your router’s firewall without you knowing it which may let bad things sneak in.  If the router’s control panel shows any ports have been opened that you didn’t specifically ask for, close them.  Many routers won’t even show you this.  If you DO want specific ports open for games and such, you should open them manually and intentionally.

07) You may test your external IP address for open TCP ports within limits benignly using the “Shields UP” web service at GRC (Gibson Research Corp.).  I have no financial interest in GRC but I value their services.  Use this test only at your home, not in a corporate environment.

Go to this link:   (This link may change over time.)

Read the information about what the test will do.  If you understand and agree, click “Proceed”.

There are several tests you can run.  You may have to scroll down to see the menu.

First click “GRC’s Instant UPNP Exposure Test”.  This will check if your router responds to UPNP port opening commands from the OUTSIDE world.  The result should be a green banner saying it did not respond.

Click back to get back to the menu.  Scroll down if necessary.

Click the “File Sharing” button.

This will test for outside access to your PC’s hard drive.  The result should say “Unable to connect”.

Scroll back to the menu.  Click the “Common Ports” button.

This will test your external address for common open TCP ports.  The desired result is “TruStealth Analysis Passed” with data below showing green lights and all port numbers as Stealth.  This means your router did not respond to any queries.  It would be like if someone knocks on your front door and you don’t answer even if you’re home.

Scroll back to the menu.  Click the “All Service Ports” button.  Scroll down and wait for this to complete.

This will test your external address for open TCP ports 0 – 1055.  Again, the desired result is “TruStealth Analysis Passed” with all green lights and all ports shown as Stealth.  A closed port is an acceptable result, but that means when the remote computer probed that port number, your router said, “I’m here but go away, I don’t want to talk.”  No response at all is preferable.  An open port means that your router or cable modem is “listening” for connection attempts on that port number.  You should not see open ports.

Note that none of this has tested the port mentioned in this blog post.  Here’s how you do that.  Note also that these procedures test TCP ports, not UDP ports.

Scroll back down to the menu.  Below the buttons, there is a text entry blank.  Enter 7547 (the port number discussed in this blog post) into the blank.  Click the “User Specified Custom Port Probe” button.  This will probe this specific port number.

Again, the desired result is “TruStealth Analysis Passed” with a green light and this port shown as Stealth.

This will give you a pretty good idea if you have any COMMON ports open or if this specific port is open.  Note that, for all the ports which your cable modem passes unhindered to your router, you are testing the router.  If a port shows up as stealth, it’s being blocked either by your ISP (mostly not the case), your cable modem (mostly not the case) or your router (usually the case).  If a port shows up as closed or open, meaning there was a response, that response could be coming from your cable modem or your router or possibly the ISP if it’s closed.  

Note that most ports from 1056 – 65535 for TCP and ALL ports for UDP (also with numbers 0 – 65535) have NOT been tested.  You could use something like NMAP to do that, but it has to be done from the outside world.  Be careful, if your ISP thinks you’re launching an attack on someone, even yourself, you may find yourself disconnected from the net.  I have not had a problem running these simple scans on occasion.

The owner of GRC, Steve Gibson, hosts a podcast called Security Now.  It’s a good mix of consumer / prosumer security info.  It is not WordPress specific though.  It is not for security experts, although some listen, but takes info from security experts and makes it available to more average people.

Security Now Podcast

Back to the take away points for consumers.

08) Put your IOT things on their own router as described in the “Three Dumb Routers” philosophy.

You Yes You Should Care About IOT Security

IOT Category on Ron’s Tech Rant (this site)

Steve Gibson’s Three Router Solution

Router Configuration

09) If you hear a security notice through sources such as Security Now or others that your router has a security vulnerability, see if you can get a firmware update from the factory and install it.  I personally don’t like auto update, since I like to know when new firmware is installed.  Installing firmware will often clear the settings, so the router will have to be set up again.  I personally like DD-WRT firmware which is pretty solid if you have all its external services turned off.  This is beyond most people’s comfort level though.  The next best thing is up to date factory firmware.

10) Absolutely change your router’s default management password.  The BEST scenario is a long random (and unmemorable and untypeable) password stored in a password manager.  If you need something memorable and typeable, multiple words separated by numbers and / or symbols is best.  Write it down in a secure place or use a password manager to save it.

Remember, a bad actor could be in your home in the form of a malicious script running in a web page, or someone physically there like contractors, relatives, friends, or kids.  They could try to attack your router.  That would be an attack from inside your network.  If you have the option, make sure your router’s control panel times out after you’ve been logged in for a while but inactive in case you forget to log out.

If you want a memorable and typeable password, you could use this site but don’t use “correct horse battery staple” as the password.

Correct Horse Battery Staple

If you want a good long piece of randomness, you could use this site or the password generator in your password manager.

GRC Passwords Page

Be VERY careful about copying and pasting long passwords into the router’s control panel.  If it doesn’t accept all the characters, you’ll have a random length subset of the password that you don’t know.  If you can set it to let you see the characters, do that.  If you get locked out, you’ll have to physically reset the router and start over configuring it.  Do NOT type confidential passwords into the router when connected by wifi unless you’ve already set up WPA2 encryption.  See below.  Connect to the router with a LAN cable initially and turn your wifi off to configure it.

For one of MANY thoughtful discussions on passwords, try this.

Password Strategy Discussion

11) For your WIFI password, not the management or control panel password, use a long random string of characters and numbers.  The router should be able to accept 63 alphanumeric characters or digits.  It may not like symbols though.  Set it for WPA2 and AES encryption.  Do NOT use WPS or any quick and easy “push button” setup.  You should disable WPS and WPS Pin if you have a choice.  Save the password somewhere in a non obvious file.  Note that, if someone bad is seated at your PC, or steals your PC, you’ve got bigger problems than whether they can log into your wifi.  You should never have to type this password and almost never have to even copy and paste it.  If you have a password manager, store it in a secure note or something.

The possible exception to the long random advice is if you need to enter the password into something without a keyboard, such as a Roku or smart tv or dvd player, etc.  In that case, using an on screen keyboard and a remote control to enter a 63 character upper lower case alphanumeric password can drive you insane.  The best thing is to put that on your guest network or your IOT router.

If you need to “soften” your password, you could a) reduce it to say 30 random characters, and b) let it still include numbers but make all the characters upper case.  This would still make it unlikely that anything or anyone on your home network would break it, but it is not nearly as strong.  When you need to enter it using an on screen keyboard, look up the password on your pc if you saved an electronic copy.  Copy and paste it into a word document.  Start at the beginning and move 4 characters over with the arrow keys  Then hit carriage return (enter).  Keep dividing the password into 4 character chunks until you’re done.  Then, you can use the onscreen keyboard to enter 4 characters at a time.  By the way, at the time of this writing, entering too many characters into the password field of a Roku will scroll the cursor off the screen.  It’s still accepting characters, but you cannot see what you’re entering.  You can, if you’re careful, enter more characters than you can see on the screen.

Wifi Encryption Methods

If you need to let your friends log in, use a router with a guest network feature that ONLY connects to the internet.  The guests should not be able to access the router’s control panel.  You can give them a separate more memorable, and typeable password and can conceivably change it when they leave.

Hopefully this will be helpful.  I am not affiliated with GRC or Wordfence other than as a customer.  But I was inspired to post this in hopes that it will help clear up a somewhat confusing topic of home routers.