Networks
This section covers how you connect your devices to the internet securely, including configuring your router and setting up a VPN.
Level | Advice |
---|---|
Essential | Use a reputable, paid VPN. It hides your real IP address from the sites you visit, limits what your ISP can see of your traffic (only an encrypted tunnel to the VPN endpoint), and protects you on untrusted public Wi-Fi. Note that this moves trust from the ISP to the VPN provider, which now sees your traffic instead, so pick one with an audited no-logging policy. All EFers are eligible for a VPN license; contact security-checklist@ethereum.org to get it. |
Essential | After getting a new router, change the admin password (not the same thing as the Wi-Fi password) to a unique one kept in your password manager. Default admin credentials are published per model, so anyone who can reach the admin interface (any device on your network, or the whole Internet if remote management is on) could reconfigure the router, change its DNS settings, or open ports. |
Essential | When configuring Wi-Fi, choose the authentication protocol carefully: WPA3 is the most secure, WPA2 with AES/CCMP is acceptable, and WEP, WPA (TKIP) and open networks should never be used. Disable Wi-Fi Protected Setup (WPS) if it is enabled; its PIN mode can be brute-forced. Use a passphrase of 3-5 randomly chosen words: easy to dictate and type, and long, which matters because a captured WPA2 handshake can be brute-forced offline. |
Essential | Manufacturers release firmware updates that fix security vulnerabilities, implement new standards, and sometimes add features or improve performance. Turn on automatic updates if the router offers them; otherwise add a calendar event to check for updates every 6 months. If the model no longer receives updates at all, replace it. |
Essential | Use a Wi-Fi network name (SSID) that does not identify you: no flat number or address, no surname, and no router model number (the model name tells an attacker exactly which firmware bugs to try). |
Essential | OpenVPN and WireGuard are open source, well-audited tunnelling protocols; WireGuard is the lighter and simpler of the two. Avoid PPTP (its MS-CHAPv2 authentication is broken and crackable) and SSTP (proprietary and Windows-centric) if you set up your own VPN. |
Essential | Traditional DNS sends queries in plain text over UDP port 53, so your provider (which hands you its own DNS servers by default) and anyone else on the path can log or filter the names you look up. At minimum, switch to a third-party resolver such as Cloudflare's 1.1.1.1, which has setup instructions for most devices. Better, enable DNS-over-HTTPS (DoH), or DNS-over-TLS (DoT) where that is the option offered, so queries travel encrypted between you and the resolver. The resolver itself still sees every query, so this moves trust rather than removing it. |
Essential | Prefer your own router over the one supplied by your ISP. ISP-provided routers are typically manufactured cheaply in bulk and run provider-managed firmware that does not receive regular security updates. |
Essential | Modern mid- and high-end routers ship with a lot of extra functionality: SSH, file sharing (SMB/FTP), a torrent client, media servers and so on. Disable every service you do not use in the router admin, and never expose any of them to the WAN/Internet. They are older software versions bundled with the firmware and rarely get the maintenance patches the upstream projects release. |
Essential | Close any open ports on your router. First check the Port Forwarding or Virtual Server tabs in the router admin; some routers also have a "Port Status" or "UPnP" (Universal Plug and Play) section that lists active mappings. Management protocols such as ping, Telnet, SSH and HNAP must not be enabled on the WAN side, since that lets anyone on the Internet reach the router. UPnP is a different problem: it lets any device on your LAN (including malware running on one) open inbound ports without authentication, so disable it. If a device is in the DMZ (Demilitarized Zone), every port on it is reachable from the Internet; remove devices from the DMZ unless you deliberately run server software on them. Disabling UPnP can break torrent clients, some P2P applications and online real-time games on devices in your network; forward the specific ports they need by hand instead. |
Optional | If you configure the VPN on your router, traffic from every device behind it is encrypted and routed through the tunnel, with no VPN app needed on each device. Check that the router offers a kill switch (drop traffic when the tunnel is down) so nothing leaves unencrypted while the VPN reconnects. |
Optional | Do not give visitors access to your primary Wi-Fi network; once on it they can talk to every other device, such as your NAS or a smart TV. Set up a guest network with client (AP) isolation in the router settings; this is a standard option on mid-to-high-end routers. |
Optional | Changing the router's default LAN IP address (e.g. 192.168.0.1 or 192.168.1.1) in the admin panel makes it slightly harder for malicious web pages or scripts that blindly target the usual addresses in the hope of finding an unpatched device with known critical vulnerabilities. This is obscurity only: the gateway address is trivially discoverable from any device on the network, so treat it as a minor hurdle, not protection. |
Optional | Routers often have a remote management feature that exposes the admin interface to the Internet. Most people do not need it; turn it off to prevent unauthorized access. Also disable cloud-based management, where you control the router through the manufacturer's website or mobile app: it keeps your router reachable through the vendor's account system and servers, adding them to your attack surface. |
Optional | It is common to set the router's range to the maximum so that 4K video still works in that remote cellar, but in a smaller flat this means your network can be picked up from the street, which increases your attack surface. Look for options like "Transmit Power", "Tx Power" or "Signal Strength" and reduce the power to a level that still covers your flat without reaching unnecessary areas. Use a second, low-power access point for remote areas (e.g. the cellar) if you still need coverage there. A directional antenna can still pick up a weak signal from some distance, so this reduces rather than removes exposure. |
Advanced | You can whitelist MAC addresses in your router settings, so unknown devices cannot connect even if they know the Wi-Fi password or plug into a cable. Treat this as a speed bump only: MAC addresses are sent in clear text in every Wi-Fi frame, so an attacker within range can read an allowed address and spoof it with a single command. |
Advanced | Connecting to even a secure Wi-Fi network increases your attack surface; read up on wardriving. Turning off home Wi-Fi entirely and cabling every device via Ethernet is often impractical, but you can disable Wi-Fi during specific hours (e.g. overnight) using the router's schedule settings. |
Advanced | If you want to run open source server software on your own hardware and still reach it from the Internet, put a reverse proxy in front of the exposed ports so that only the proxy accepts connections, terminates TLS and, ideally, enforces authentication. On a router running OpenWrt you can also run HAProxy with Geoblock and Bad IP Lists; kept auto-updated, these drop connections from the listed ranges (known scanners and botnet infrastructure), but they do not stop an attacker coming from an unlisted address or patch a vulnerability in the service itself. Other options to explore are Caddy and Traefik. |
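The DNS row above says plaintext DNS leaks the names you look up while DoH carries the same query inside HTTPS. The script below is an added example written for this checklist, not code from the page or from Cloudflare: it builds a real wire-format query so you can see the hostname sitting in the clear, encodes it into the RFC 8484 GET form for Cloudflare's `cloudflare-dns.com/dns-query` endpoint, and parses a constructed reply offline (the `192.0.2.1` address and the `0x1234` query ID are illustrative). The only network call is `resolve_over_doh`, which is reached from `main` and is optional.

```python
"""Show what leaks in a plaintext DNS query and how the same query travels over DoH (RFC 8484).
Added example for this checklist (not code from the page); standard library only."""
import base64
import struct
import urllib.request

DOH_RESOLVER = "https://cloudflare-dns.com/dns-query"  # Cloudflare's 1.1.1.1 DoH endpoint
TYPE_A = 1


def encode_name(name):
    """Hostname to DNS wire labels: each label is length-prefixed, terminated by a zero byte."""
    return b"".join(bytes([len(label)]) + label.encode("ascii")
                    for label in name.rstrip(".").split(".")) + b"\x00"


def build_query(name, qid=0x1234, qtype=TYPE_A):
    """A classic UDP/53 query: 12-byte header (flags 0x0100 = recursion desired), one question."""
    return struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", qtype, 1)


def read_name(msg, offset):
    """Decode a (possibly compressed) name; return (name, offset just past it in the original stream)."""
    labels, end = [], None
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier copy of the name
            if end is None:
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if end is not None else offset)


def visible_hostname(query):
    """What anyone on the path (ISP, coffee-shop AP) reads straight out of a plaintext query."""
    return read_name(query, 12)[0]


def doh_get_url(query, resolver=DOH_RESOLVER):
    """RFC 8484 GET form: the wire query, base64url without padding, inside a TLS-protected URL."""
    return f"{resolver}?dns={base64.urlsafe_b64encode(query).rstrip(b'=').decode()}"


def parse_a_records(msg):
    """IPv4 addresses from the answer section of a wire-format response (same format over UDP or DoH)."""
    _, _, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    for _ in range(qdcount):
        _, offset = read_name(msg, offset)
        offset += 4  # QTYPE + QCLASS
    addrs = []
    for _ in range(ancount):
        _, offset = read_name(msg, offset)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        if rtype == TYPE_A and rdlen == 4:
            addrs.append(".".join(str(b) for b in msg[offset:offset + 4]))
        offset += rdlen
    return addrs


def build_response(query, ip, ttl=300):
    """Constructed resolver reply for `query`, for offline checks (192.0.2.0/24 is documentation space)."""
    header = query[:2] + struct.pack("!HHHHH", 0x8180, 1, 1, 0, 0)  # flags: response, RD, RA
    answer = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, 1, ttl, 4) + bytes(int(o) for o in ip.split("."))
    return header + query[12:] + answer


def resolve_over_doh(name, resolver=DOH_RESOLVER):
    """Live lookup: same bytes as UDP/53, but carried inside HTTPS so only the resolver sees the name."""
    req = urllib.request.Request(doh_get_url(build_query(name), resolver),
                                 headers={"Accept": "application/dns-message"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return parse_a_records(resp.read())


if __name__ == "__main__":
    q = build_query("example.com")
    print("plaintext query bytes:", q.hex())
    print("hostname readable on the wire:", visible_hostname(q))
    print("DoH form:", doh_get_url(q))
    print("offline parse of a constructed reply:", parse_a_records(build_response(q, "192.0.2.1")))
    print("live via DoH:", resolve_over_doh("example.com"))
```

Run it and compare the first two lines with the DoH URL: the bytes `07 65 78 61 6d 70 6c 65 03 63 6f 6d` spell out `example.com` for anyone capturing port 53, whereas with DoH the network only sees a TLS connection to the resolver's IP. The resolver still decodes and sees the full query, which is the trust shift the row warns about.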
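The open-ports row above tells you to look for a "UPnP" section listing active mappings, but not every router admin shows one. The following script is an added example written for this checklist, not code from the page or from any router vendor: it does what a LAN device (or malware on it) can do, namely multicast an SSDP `M-SEARCH`, fetch the gateway's description XML, and walk the WAN connection service's `GetGenericPortMappingEntry` action until the router returns a SOAP fault (error 713, index past the last entry). None of these steps requires credentials, which is exactly why UPnP is worth turning off. The multicast address, service URNs and action name are from the UPnP IGD specification; the parsing functions are pure and can be checked against constructed replies, and the network calls happen only in `discover_igd`, `list_port_mappings` and `main`.

```python
"""Discover a UPnP Internet Gateway Device on the LAN and list its port mappings.
Added example for this checklist (not code from the page); uses only the standard library."""
import socket
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET
from urllib.parse import urljoin

SSDP_ADDR = ("239.255.255.250", 1900)
IGD_ST = "urn:schemas-upnp-org:device:InternetGatewayDevice:1"
WAN_SERVICES = ("urn:schemas-upnp-org:service:WANIPConnection:1",
                "urn:schemas-upnp-org:service:WANPPPConnection:1")
ACTION = "GetGenericPortMappingEntry"


def _local(tag):
    # Strip the XML namespace so tags match however the vendor declared it.
    return tag.rsplit("}", 1)[-1]

def build_msearch(st=IGD_ST, mx=2):
    """SSDP M-SEARCH: plain HTTP over UDP multicast, no authentication at any step."""
    return (f"M-SEARCH * HTTP/1.1\r\nHOST: {SSDP_ADDR[0]}:{SSDP_ADDR[1]}\r\n"
            f'MAN: "ssdp:discover"\r\nMX: {mx}\r\nST: {st}\r\n\r\n').encode()

def parse_ssdp_response(raw):
    """Headers of an SSDP reply as a dict with lower-cased keys; LOCATION is the one we need."""
    headers = {}
    for line in raw.decode(errors="replace").split("\r\n")[1:]:
        if ":" in line:
            key, value = line.split(":", 1)
            headers[key.strip().lower()] = value.strip()
    return headers

def find_wan_service(description_xml, base_url):
    """(serviceType, absolute controlURL) of the WAN*Connection service, or None."""
    for svc in ET.fromstring(description_xml).iter():
        if _local(svc.tag) == "service":
            fields = {_local(c.tag): (c.text or "").strip() for c in svc}
            if fields.get("serviceType") in WAN_SERVICES:
                return fields["serviceType"], urljoin(base_url, fields.get("controlURL", ""))
    return None

def build_soap(service_type, index):
    """SOAP request for mapping number `index`; the router answers it without credentials."""
    body = ('<?xml version="1.0"?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" '
            's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body>'
            f'<u:{ACTION} xmlns:u="{service_type}"><NewPortMappingIndex>{index}</NewPortMappingIndex>'
            f"</u:{ACTION}></s:Body></s:Envelope>").encode()
    return {"Content-Type": 'text/xml; charset="utf-8"', "SOAPAction": f'"{service_type}#{ACTION}"'}, body

def parse_mapping(xml_bytes):
    """One mapping as a dict, or None on a SOAP fault (errorCode 713 once the index is past the end)."""
    try:
        fields = {_local(e.tag): (e.text or "").strip() for e in ET.fromstring(xml_bytes).iter()}
    except ET.ParseError:
        return None
    if "NewExternalPort" not in fields:
        return None
    return {"protocol": fields.get("NewProtocol", ""), "external_port": int(fields["NewExternalPort"]),
            "internal_client": fields.get("NewInternalClient", ""),
            "internal_port": int(fields.get("NewInternalPort", "0")),
            "description": fields.get("NewPortMappingDescription", "")}

def discover_igd(timeout=3.0):
    """Send one M-SEARCH; return the first gateway's description URL, or None if nothing answers."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_msearch(), SSDP_ADDR)
        try:
            raw, _ = sock.recvfrom(4096)
        except socket.timeout:
            return None
    return parse_ssdp_response(raw).get("location")

def list_port_mappings(location, max_entries=64):
    """Walk GetGenericPortMappingEntry from index 0 until the router returns a fault."""
    with urllib.request.urlopen(location, timeout=5) as resp:
        found = find_wan_service(resp.read(), location)
    if found is None:
        return []
    service_type, control_url = found
    mappings = []
    for index in range(max_entries):
        headers, body = build_soap(service_type, index)
        req = urllib.request.Request(control_url, data=body, headers=headers, method="POST")
        try:
            with urllib.request.urlopen(req, timeout=5) as resp:
                entry = parse_mapping(resp.read())
        except urllib.error.HTTPError as err:  # SOAP faults arrive as HTTP 500 with an XML body
            entry = parse_mapping(err.read())
        if entry is None:
            break
        mappings.append(entry)
    return mappings

if __name__ == "__main__":
    url = discover_igd()
    print("No UPnP gateway answered: UPnP looks disabled." if url is None else f"UPnP gateway at {url}")
    for m in (list_port_mappings(url) if url else []):
        print(f"  {m['protocol']} {m['external_port']} -> {m['internal_client']}:{m['internal_port']} ({m['description']})")
```

Run it from a laptop on your Wi-Fi: the desired result after applying the checklist is "No UPnP gateway answered". If it prints mappings you did not create, some device on the LAN opened them, and you have found both the open port to close and the device to look at.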