DrayTek UK Users' Community Forum
Help, Advice and Solutions from DrayTek Users
New router - how secure?
- amadeus
- Topic Author
- Junior Member
- Posts: 25
- Thank yous received: 0
27 Nov 2014 12:56 #81938
by amadeus
New router - how secure? was created by amadeus
Hi,
I've got a new 2860 (+ 2xAP900) which I'm in the process of setting up.
There are so many intricate settings (which I expected), I don't know when I will be ready to go live with it. How do people test the security of their system?
thanks
- marjohn56
- Junior Member
- Posts: 84
- Thank yous received: 0
27 Nov 2014 22:54 #81949
by marjohn56
Replied by marjohn56 on topic Re: New router - how secure?
Security in what context, Wifi, WAN, LAN->WAN, VPN?
Basic rules are these:
1. If you are running any LAN-side servers, only forward the ports you need. There are several web tools out there that will do a port scan of your IP to tell you what ports you have open.
2. If you are running a VPN, then use the most secure type, lots of info out there on different VPN types, and don't forget strong passwords.
3. Wifi, use a random password generator for your wifi, or at least a passphrase that makes no sense.
4. Enable DoS defenses, I only use portscan and flood defenses.
5. Unless you need it, turn off respond to Ping from WAN.
6. Change your default admin password!
That's my default. I also have some IP blocks set up for HK and Chinese addresses.
I'm sure others can add to these.
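Rule 1 above (forward only what you need, then scan your own IP to confirm) can be checked with a script instead of a web tool. The following is an added example, not code from the forum post or from DrayTek: it TCP-connects to each port in a range and compares the ports that answer against an allow-list of the ports you meant to expose, so anything open but not on the list stands out. The intended-port set (SMTP, IMAPS and HTTPS for an SSL VPN) is an assumption chosen for the example, not taken from the thread.

```python
"""Verify that only the intended ports are reachable on an address.

Added example (not from the forum post, not DrayTek code). Connects to
each port in ``ports`` on ``host`` and compares the set that completes a
TCP handshake against an allow-list of ports you meant to forward.
Anything open but not on the list is reported as unexpected exposure.
"""
import socket
import sys
from concurrent.futures import ThreadPoolExecutor

# Assumed set of deliberately exposed ports for the example: SMTP, IMAPS
# and HTTPS (SSL VPN). Replace with the ports you actually forward.
INTENDED_PORTS = {25, 993, 443}


def tcp_open(host, port, timeout=1.0):
    """Return True if a TCP handshake to host:port completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, unreachable, or timed out
        return False


def scan(host, ports, timeout=1.0, workers=64):
    """Return the sorted list of ports on host that accept a TCP connection."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda p: (p, tcp_open(host, p, timeout)), ports))
    return sorted(p for p, is_open in results if is_open)


def exposure_report(host, ports, intended, timeout=1.0):
    """Classify open ports into intended and unexpected.

    Returns a dict with keys 'open', 'unexpected' and 'missing':
    'unexpected' is open but not intended (tighten the forwarding rules);
    'missing' is intended but closed (the service or the rule is down).
    """
    open_ports = set(scan(host, ports, timeout))
    return {
        "open": sorted(open_ports),
        "unexpected": sorted(open_ports - set(intended)),
        "missing": sorted(set(intended) - open_ports),
    }


if __name__ == "__main__":
    # Usage: python check_exposure.py <your WAN IP>
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    report = exposure_report(target, range(1, 1025), INTENDED_PORTS)
    for key in ("open", "unexpected", "missing"):
        print(f"{key:>10}: {report[key]}")
```

Run it from outside your own network (a VPS, or a phone on mobile data sharing its connection) against the WAN IP; a scan from the LAN only tells you about hairpin NAT. It only tests TCP, so UDP-based services such as IPsec (500/4500) will not appear, and a port that answers is only "open" in the sense that the router forwards it; whether the service behind it is patched is a separate question.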
- amadeus
- Topic Author
- Junior Member
- Posts: 25
- Thank yous received: 0
27 Nov 2014 23:36 #81950
by amadeus
Replied by amadeus on topic Re: New router - how secure?
Thanks - some good tips there.
Is there any reason why you don't check all the DoS options?
Will the default firewall block everything nasty?
No gotchas on the default NAT settings?
Many thanks
- marjohn56
- Junior Member
- Posts: 84
- Thank yous received: 0
28 Nov 2014 09:06 #81956
by marjohn56
Replied by marjohn56 on topic Re: New router - how secure?
I don't have a reason for not using all of the DoS options really. When I first got the 2860 I ticked everything. I've had some stability issues which seem to be resolved now with the firmware version I'm running, but I guess I de-ticked those others at some point and never reset them. I suspect unless you have something really interesting to hide (you're not GCHQ, are you?) most hackers will not be bothering to try a DoS attack on you.
The default firewall will only block what it's told to. My port forward rules only expose my mail server ports and one that I use for my streaming when I am away from home, plus my VPN. I have added some extra rules to block some Chinese and HK addresses that were trying to either send mail or were trying to access my VPN.
A useful one I use is the following:
This adds all incoming packets to the log; it's not enabled all the time but allows me to see who is connecting. I usually use this in conjunction with my server logs. I will then add a block on that address or range of addresses in the case of the Chinese and HK filters.
As you can see, I only care about what comes knocking at the door, not about what happens within the LAN, I have no interest in blocking access to the WAN for anything, not even facebook!
OOTB the defaults work well enough; NAT settings are fine depending on your LAN setup. I would suggest the following though.
Make sure you use Bind IP to MAC for your servers, and also under Applications is LAN DNS/DNS Forwarding. Add entries there for your local servers; for example I have some for several bits of kit, and one for my mail server so that a request from a PC or iPad or phone gets directed to the local address rather than the WAN address. So add an entry where the domain name is like this - lmail.draytek.com - and then the IP address points to the server, in my case 192.168.1.30. BTW, draytek is not my domain name.
Hope that helps, shout if you need more.
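The workflow in the post above (log everything that arrives on the WAN, read it alongside the server logs, then block the addresses or ranges that keep knocking) can be scripted once the log is exported. The following is an added example, not code from the forum post or from DrayTek, and the log lines in it are constructed in a simplified syslog-style layout that is not DrayTek's actual log format. The exposed-port set (25 and 443) is likewise an assumption for the example.

```python
"""Turn an 'all incoming packets' firewall log into block candidates.

Added example (not from the forum post, not DrayTek code). The record
layout below is constructed and simplified; adapt LINE_RE to whatever
your router actually emits. The idea is the poster's: log what arrives
on the WAN, ignore traffic to the ports you deliberately expose (the
server's own logs judge that), and flag sources that probe ports you
never opened, aggregated into ranges so one rule covers a whole block.
"""
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample log (not real DrayTek output). Fields:
# date time WAN-IN src_ip:src_port -> dst_ip:dst_port proto
SAMPLE_LOG = """\
2014-11-28 02:11:03 WAN-IN 203.0.113.7:51234 -> 198.51.100.10:25 TCP
2014-11-28 02:11:09 WAN-IN 203.0.113.7:51240 -> 198.51.100.10:25 TCP
2014-11-28 02:11:15 WAN-IN 203.0.113.7:51251 -> 198.51.100.10:25 TCP
2014-11-28 02:12:40 WAN-IN 198.51.100.77:40012 -> 198.51.100.10:443 TCP
2014-11-28 02:13:02 WAN-IN 192.0.2.55:60001 -> 198.51.100.10:22 TCP
2014-11-28 02:13:02 WAN-IN 192.0.2.55:60002 -> 198.51.100.10:23 TCP
2014-11-28 02:13:03 WAN-IN 192.0.2.55:60003 -> 198.51.100.10:3389 TCP
2014-11-28 02:13:03 WAN-IN 192.0.2.55:60004 -> 198.51.100.10:8080 TCP
2014-11-28 02:13:04 WAN-IN 192.0.2.55:60005 -> 198.51.100.10:1723 TCP
2014-11-28 02:14:17 WAN-IN 192.0.2.91:44444 -> 198.51.100.10:1723 TCP
2014-11-28 02:14:18 WAN-IN 192.0.2.91:44445 -> 198.51.100.10:1723 TCP
2014-11-28 02:15:00 WAN-IN 198.51.100.77:40013 -> 198.51.100.10:443 TCP
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) WAN-IN (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>\w+)$"
)


def parse(log_text):
    """Yield one dict per well-formed line; lines that don't match are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["dport"] = int(rec["dport"])
            yield rec


def block_candidates(log_text, exposed_ports, min_hits=3, prefix_len=24):
    """Return (hosts, ranges) worth adding as block rules.

    hosts:  {src_ip: {'hits': n, 'ports': sorted unexposed ports touched}}
            for sources that hit unexposed ports at least min_hits times,
            or that touched more than one unexposed port (scan behaviour).
    ranges: {network: total hits} aggregating those hosts into /prefix_len
            blocks, i.e. the "range of addresses" rule rather than a pile
            of single-address rules.
    """
    hits = Counter()
    ports = defaultdict(set)
    for rec in parse(log_text):
        if rec["dport"] in exposed_ports:
            continue  # deliberately exposed: judge it from the server's logs
        hits[rec["src"]] += 1
        ports[rec["src"]].add(rec["dport"])
    hosts = {
        ip: {"hits": n, "ports": sorted(ports[ip])}
        for ip, n in hits.items()
        if n >= min_hits or len(ports[ip]) > 1
    }
    ranges = Counter()
    for ip, info in hosts.items():
        net = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
        ranges[str(net)] += info["hits"]
    return hosts, dict(ranges)


if __name__ == "__main__":
    hosts, ranges = block_candidates(SAMPLE_LOG, exposed_ports={25, 443})
    for ip, info in sorted(hosts.items()):
        print(f"block host  {ip:<15} hits={info['hits']} ports={info['ports']}")
    for net, n in sorted(ranges.items()):
        print(f"block range {net:<18} hits={n}")
```

With the constructed data, the source that walked five unopened ports in two seconds is flagged and rolled up into a /24, while the two-attempt VPN prober stays below the default threshold; lowering `min_hits` pulls it in. Ranges are a blunt tool (a /24 will contain innocent hosts), so keep the aggregation only for sources that have already earned a single-address block.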
- takeo_ischi
- Junior Member
- Posts: 93
- Thank yous received: 0
28 Nov 2014 20:11 #81966
by takeo_ischi
Replied by takeo_ischi on topic Re: New router - how secure?
Amadeus wrote: Is there any reason why you don't check all the DoS options?
DoS protection on a router is a bit of a gimmick. If somebody determined wants to take down your internet connection by saturating your line with information, then your router dropping those packets when it receives them won't make a difference; no other information will be able to get through.
On the other hand, DoS protection was causing me a few issues; the router thought that my opening lots of browser windows concurrently was a DoS attack and it blocked my PC.
- amadeus
- Topic Author
- Junior Member
- Posts: 25
- Thank yous received: 0
28 Nov 2014 23:18 #81967
by amadeus
Replied by amadeus on topic Re: New router - how secure?
Marjohn56: wow - thanks for the great info. I'll read and digest. The luxury with having a (generally) working setup is that I can play with it and understand it before I put the new device live. Not sure I'll get through the entire manual tho!
Takeo_Ischi: Sure, I can appreciate that. TBH, I don't really understand each of the many DoS options, but it seemed to make sense to check them all. Now I know there could be some instability (which both of you have mentioned), I'll keep an eye on it.
My wife is out tomorrow morning so that's 4 hours of play time, running through the manual, trying to work out what some of the options do!
Thanks for taking the time to reply guys.
Moderators: Chris
Copyright © 2025 DrayTek