Tuesday, February 08, 2011

Things To Do After Getting Your TM UniFi

Once you sign up for UniFi service, TM’s technician will install all the equipment at your premises/home for you. Nice, BUT the default WiFi router setup done by the technicians has very weak security:

    * The router is not configured to drop ICMP packets, so an attacker can ping an unprotected router and learn that it is alive and connected to the internet.
    * The firewall is disabled.
    * The router has remote access enabled. To make it worse, it has no authorised IP filter (the default config is 0.0.0.0, meaning anybody, anywhere, can log in to your router’s web interface). The web interface port number is also left at the default.
    * And the BIGGEST, BADDEST flaw: the router’s Administrator password is still the default one!!

With the default configuration above, even a child with a web browser sitting miles away could get into your router!! I’ve done this personally: I can easily scan a range of UniFi’s IP addresses and log on to their routers.

I understand if the above setup is meant to make it easier for TM to do remote troubleshooting/support for their customers. However, the least they can do is change the default administrator password on the WiFi routers! Change the password to something unique for each customer. They can still keep records of each user’s router password if they need it for remote troubleshooting/support.

Not all of TM’s customers are technically savvy enough to secure their own home network. So, the purpose of this article is to share some basic protection for your home network and guide you through setting it up.

Secure your home network:

Log in to your router’s web interface: open a web browser and go to http://192.168.0.1 . You will be prompted for the admin username and password. See your D-Link router manual for more info.

1. Change your Router’s Administrator password.

    * Go to the ‘Maintenance’ tab, under the ‘Admin Password’ section. Change your password there.

2. Rename your Wireless Network Name/ SSID.
The default SSID contains the customer’s name, i.e.: myfirstname@unifi. This could lead to privacy issues, as outsiders know who is using which ISP service (UniFi, Streamyx, etc).

    * Go to ‘Setup’ tab, click ‘Wireless Setup’ menu on the left.
    * Under ‘Multiple Wireless Network Name (SSIDS)’ section, click ‘Multiple Wireless Network Name Setup’ button.
    * You will be taken to a page with ‘Wireless Network Name’ section. Rename your existing Wireless Network Name/SSID there.

3. Disable Remote Access to your router.

    * Go to ‘Maintenance’ tab, under ‘Remote Management’ section. Un-check ‘Enable Remote Management:’ check box.

4. Enable Firewall

    * Go to ‘Advanced’ tab, click ‘Firewall & DMZ’ menu on the left.
    * Under the ‘Outside Firewall Setting’ section, check the ‘Enable WAN to LAN Firewall :’ check box.
    * Then, check all the check boxes in the rows ‘DOS ATTACK’, ‘POST SCAN ATTACK’ and ‘SERVICE FILTER’.
