Best practice for home router configuration

I always do the following for my home gateway (router + modem) or router (if separate, although I haven't seen a modem that doesn't also include a router in at least a decade):

  1. Change the administrative password; you can write it on a piece of paper taped to the gateway.
  2. Set security settings to highest level. Usually, this means turning off all external ports and external administration. Why would you want this?
  3. From your LAN, visit www.grc.com and run their IP scanning test. Look for any problems and reconfigure to correct them.
  4. Turn on logging and monitor it from time to time. Watch China, Russia and botnets regularly knock on your front door.
  5. Kill anything that does pass through from outside to inside unless you really need it, and then consider carefully if you really need it.
  6. If you're running a server, use a DMZ and isolate it from your internal LAN. Turn on pass-through ports to the DMZ server only as needed. If you can't DMZ or run the server there, pass through ports, or consider a simpler proxy server in a DMZ that handles all incoming connections, checks them for validity, consistency and security, and forwards them to internal systems.
  7. Access to your LAN from outside should be by VPN (preferred), ssh (adequate) or both (belt and suspenders).

Assume any port you leave open to the world has a very high likelihood of being compromised, and thereby compromising your LAN. Again, do you really need an open port (unless VPN)?
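As an added example for the "turn on logging and monitor it" and "kill anything that passes through" steps above (this is not code from the post itself), here is a small log summarizer. It assumes the router writes Linux/iptables-style firewall lines (many consumer firmwares do) and that the WAN-facing interface is named eth0; the sample log lines are constructed for the example, not captured from a real gateway. It counts dropped WAN probes by source and by port, and separately lists any connection that arrived from the WAN and was passed through to a LAN host, since each of those is an exposed port you should be able to justify.

```python
"""Summarize inbound connection attempts from a router's firewall log.

Added example, not code from the original post. Assumes iptables-style log
lines and a WAN interface named eth0 (both assumptions for this example).
"""
import re
from collections import Counter

# Constructed sample of a few minutes of WAN-side noise (not a real capture).
SAMPLE_LOG = """\
Mar  3 02:11:09 gw kernel: DROP IN=eth0 OUT= SRC=198.51.100.17 DST=203.0.113.5 PROTO=TCP SPT=51234 DPT=23 SYN
Mar  3 02:11:12 gw kernel: DROP IN=eth0 OUT= SRC=198.51.100.17 DST=203.0.113.5 PROTO=TCP SPT=51240 DPT=2323 SYN
Mar  3 02:11:40 gw kernel: DROP IN=eth0 OUT= SRC=192.0.2.77 DST=203.0.113.5 PROTO=TCP SPT=40001 DPT=445 SYN
Mar  3 02:12:02 gw kernel: DROP IN=eth0 OUT= SRC=192.0.2.77 DST=203.0.113.5 PROTO=TCP SPT=40002 DPT=3389 SYN
Mar  3 02:12:15 gw kernel: DROP IN=eth0 OUT= SRC=198.51.100.17 DST=203.0.113.5 PROTO=TCP SPT=51260 DPT=23 SYN
Mar  3 02:12:33 gw kernel: DROP IN=eth0 OUT= SRC=192.0.2.200 DST=203.0.113.5 PROTO=UDP SPT=53413 DPT=53413
Mar  3 02:13:01 gw kernel: ACCEPT IN=eth0 OUT=br0 SRC=192.0.2.77 DST=192.168.1.20 PROTO=TCP SPT=40010 DPT=8080 SYN
Mar  3 02:13:05 gw kernel: ACCEPT IN=br0 OUT=eth0 SRC=192.168.1.20 DST=93.184.216.34 PROTO=TCP SPT=52000 DPT=443 SYN
"""

WAN_IF = "eth0"  # assumption: the WAN-facing interface name on this router

LINE_RE = re.compile(
    r"(?P<action>ACCEPT|DROP|REJECT)\s+IN=(?P<in>\S*)\s+OUT=(?P<out>\S*)\s+"
    r"SRC=(?P<src>\S+)\s+DST=(?P<dst>\S+)\s+PROTO=(?P<proto>\S+)"
    r"(?:\s+SPT=(?P<spt>\d+))?(?:\s+DPT=(?P<dpt>\d+))?"
)


def parse_line(line):
    """Return the firewall fields of one log line, or None if it is not one."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["dpt"] = int(rec["dpt"]) if rec["dpt"] else None
    return rec


def inbound_records(lines):
    """Yield only the records for traffic that arrived on the WAN interface."""
    for line in lines:
        rec = parse_line(line)
        if rec and rec["in"] == WAN_IF:
            yield rec


def summarize(lines):
    """Count dropped/rejected WAN probes by source address and by (proto, port)."""
    by_src, by_port = Counter(), Counter()
    for rec in inbound_records(lines):
        if rec["action"] != "ACCEPT":
            by_src[rec["src"]] += 1
            by_port[(rec["proto"], rec["dpt"])] += 1
    return {"by_src": by_src, "by_port": by_port}


def forwarded_from_wan(lines):
    """Connections that came in from the WAN and were passed through to a LAN host.

    Each one is an exposed port: the post's advice is to justify it or kill it.
    """
    return [
        rec for rec in inbound_records(lines)
        if rec["action"] == "ACCEPT" and rec["out"] and rec["out"] != WAN_IF
    ]


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    s = summarize(lines)
    print("Noisiest sources:", s["by_src"].most_common(3))
    print("Most probed ports:", s["by_port"].most_common(3))
    for rec in forwarded_from_wan(lines):
        print(f"PASS-THROUGH: {rec['src']} -> {rec['dst']}:{rec['dpt']}/{rec['proto']}")
```

To use it on a real router, replace SAMPLE_LOG with the contents of the syslog the router exports (or pipe them in) and adjust WAN_IF to whatever the firmware calls the WAN interface; the pass-through list is the one to read first, the per-port counts tell you what the scanners are after (telnet, SMB and RDP in the constructed sample).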


The very first thing to do is set the main router to use Comodo SecureDNS so nobody outside can even see the domain names visited by your computers.

All you have to do is put in

8.26.56.26 
8.20.247.20 

as the DNS server entries in the DHCP settings in the router.

The second thing is to have everybody install HTTPS-Everywhere in their browsers. Even non-techies can do that much.

These two steps will make it so even the ISP can't tell what they are doing.

You need to change the router's password for administration to something only you know (NOT the same as for WiFi access).

You do not want your router to allow remote administration, period.

And finally, disable UPnP. It allows inside items like baby monitors to be accessible from outside by smartphones. Plus it lets outsiders peek, too. In one case, someone was talking to a toddler through the monitor's speaker and scaring him.

If you want to see how widespread this is, go to http://www.shodan.io/