Many questions from a home user new to Peplink, enterprise routers and home networking


#1

Hello all, I’ve been slightly intimidated about posting here as the community level of router understanding is several notches above mine. I’ve looked at every FAQ on here, read the firmware 7.0 manual, searched high and low in the forums, I’ve spent many hours searching online, and even have a Network+ cert book I consult. I am just lost in certain areas still, and could use a few points in the right direction. I apologize for the length of this post in advance!

Some background: I had a new, garbage Comcast default Cisco router that was compromised. Don’t know the exact date, but a backdoor for it was announced by Homeland Security in mid-December, which is around when things started going wrong. Long story short: DNS hijacking, wireless hacked, entire home network infected, terror, data loss, etc. I captured a USB copy of the kit they/it/he used and I have a pretty good sense of what went down.

Routersecurity.org was my source for purchasing the Surf Soho Mk3. I find myself out of my element as I try to configure a trustable, safe setup. Here is what I’ve done:

The obvious stuff:
Admin pw changed to long and random.
Blocked the LAN ip access to my modem.
Blocked LAN ip in Outbound rules.
I also blocked some ports that I have read I don’t need but are exploited vectors:
445, 135-139

I enabled the router’s default defense system (anti-xmas tree etc.).
I made admin console accessible by https, LAN-only on a random port.
I change the router IP frequently (along with blocking rule to match).
Changed DHCP renewal time to 30m and admin session logout times to very low, though it doesn’t assign a random ip across the entire range for some reason (each port gets the same IP each renewal).

Because I was hacked with something like aircrack-ng, I do not need or want WiFi. So AP is off.

I have disabled VOIP and Instant Messaging applications as I won’t be using them on this box.

Now, I have so many questions that I think it would overwhelm anybody reading this. So I’ll pick a few that bug me the most:

  1. As a home user, do I need to be concerned with OSPF on LAN? I read a bunch on this, I don’t think weight balancing is an issue with just me being the user, but what about security?

  2. Why are my event logs so empty? I’d like to have much more logging as portrayed in the SOHO manual, but I don’t quite understand how to make this happen. Where do I point the logging server to? Do I have to create firewall rules for every thing I want to log?

  3. I’ve put the most effort into understanding how I could benefit from VLANs. The premise is simple enough, but all advanced users seem to have some sort of VLAN setup. I have one WAN connection and an untagged LAN. I don’t quite grasp the benefit of VLAN in a security sense.

  4. I am using the router DNS nameserver and router DHCP options, and have DNS forwarding enabled. Is this safe? Are there other services or protocols I should consider disabling or restricting? I’m worried that I am missing something.

Are there any “must do” actions you always config on your home routers that you can share?

Many thanks for reading!


#2

hey you’re very welcome to post questions here!
I follow Michael Horowitz (of routersecurity.org) on Computerworld, he’s got some really good articles.

I’ll let other more technically inclined members answer your specific questions. Just wanted to jump in and share two articles from our knowledgebase that helps you tighten your router’s overall security.


#3

I’m a big fan of Michael Horowitz’s blogs. His post here is a good place to start http://routersecurity.org/pepwavesurfsofo.php

I think we should encourage Peplink to do a tips and tricks post on securing home networks lets ask @ericwong and @Alan to put it on the to do list.

In partial answer to your questions:

  1. OSPF on LAN - no I don’t think you need to worry about that from a security perspective. Although OSPF can be potentially compromised to falsify network streams, to do so the attacker would need to already be connected to your LAN so you’d have bigger things to worry about.

  2. Peplink event logs show the most useful level of information for a typical user. If you want more detail you need to enable syslogging to a syslog server. You can run up your own on the LAN using https://www.graylog.org/ as VM on a spare PC. This could do with a guide I think at some point Peplink…

  3. VLANs separate (and isolate) groups of devices. I run separate VLANs for my guest wifi network so that guests cannot access my personal VLAN or my devices on it. I also have a VLAN that all my IoT devices sit on (Hive heating control, Alexa) and another with my CCTV cameras. The benefit is that devices on these VLANs can only access the internet and cannot access any of my PCs or servers on my ‘Services VLAN’ unless I have explicit firewall rules in place to allow it. If someone managed to hack my heating controller over the internet and get remote access to it all they would be able to subsequently access is the internet - the rest of my devices in my home would be invisible to them. Same with the IP CCTV cameras.

  4. What services should you disable? This really needs a moment or two of thought - more than I have now, but router security is a good place to start for Michael’s checklist. Basically you want to disable any and every service you’re not using to reduce attack vectors. A good tips and tricks article would advise on that.

Good luck!
Martin
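Martin’s point 2 (the router’s own event log stays sparse; the detail goes to a syslog server on the LAN) is easy to try before standing up Graylog. The block below is an added example, not code from Martin, Peplink or Graylog: a minimal RFC 3164 (BSD syslog) receiver and parser in Python. It assumes the router is pointed at the PC’s LAN IP on UDP port 514 (the conventional syslog port; a `serve_udp` helper here is hypothetical and only runs when the file is executed directly), and the sample lines are constructed for illustration, so the tags and message wording will not match what a real Surf SOHO emits. What it does show is the facility/severity arithmetic hidden in the `<PRI>` prefix, which is what lets you pull out “warning or worse” events from the flood of informational ones.

```python
import re
import socket
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample syslog lines in RFC 3164 shape (not captured from a
# Peplink device). <PRI> = facility * 8 + severity.
SAMPLE_LINES = [
    "<134>Jan 14 10:02:11 router-lan firewall: outbound denied tcp 192.168.50.12:49211 -> 203.0.113.9:445",
    "<132>Jan 14 10:03:48 router-lan auth: admin login failed from 192.168.50.23",
    "<134>Jan 14 10:04:02 router-lan wan: WAN1 link up",
    "<131>Jan 14 10:05:17 router-lan dns: upstream resolver unreachable",
    "not a syslog line at all",  # deliberately malformed, must be skipped, not crash
]

# RFC 3164 severity codes 0..7
SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# <PRI>, BSD timestamp ("Jan 14 10:02:11" or "Jan  4 ..."), hostname, "tag:", message
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^:\s]+): "
    r"(?P<msg>.*)$"
)


@dataclass
class SyslogEvent:
    facility: int
    severity: int
    timestamp: str
    host: str
    tag: str
    message: str

    @property
    def severity_name(self) -> str:
        return SEVERITY_NAMES[self.severity]


def parse_syslog_line(line: str) -> Optional[SyslogEvent]:
    """Parse one RFC 3164 line; return None for anything malformed."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        return None
    pri = int(m.group("pri"))
    if pri > 191:  # max facility 23, max severity 7
        return None
    return SyslogEvent(
        facility=pri // 8,
        severity=pri % 8,
        timestamp=m.group("ts"),
        host=m.group("host"),
        tag=m.group("tag"),
        message=m.group("msg"),
    )


def summarize(lines: List[str], max_severity: int = 4) -> Tuple[List[SyslogEvent], Counter, List[SyslogEvent]]:
    """Parse a batch of lines and return (all events, count per tag, events at
    `max_severity` or worse). Severity 4 = warning, so the default keeps
    warning/err/crit/alert/emerg and drops notice/info/debug noise."""
    events = [e for e in (parse_syslog_line(l) for l in lines) if e is not None]
    by_tag = Counter(e.tag for e in events)
    noteworthy = [e for e in events if e.severity <= max_severity]
    return events, by_tag, noteworthy


def serve_udp(bind_ip: str = "0.0.0.0", port: int = 514) -> None:
    """Hypothetical receiver: bind the syslog UDP port and print parsed events.
    Binding 514 needs root/admin; point the router's remote syslog at this host."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind_ip, port))
        while True:
            data, (src, _) = sock.recvfrom(4096)
            ev = parse_syslog_line(data.decode("utf-8", errors="replace"))
            if ev is not None:
                print(f"{ev.timestamp} {src} [{ev.severity_name}] {ev.tag}: {ev.message}")


if __name__ == "__main__":
    evs, tags, bad = summarize(SAMPLE_LINES)
    print(f"parsed {len(evs)} events, tags={dict(tags)}")
    for e in bad:
        print(f"  {e.severity_name:>7} {e.tag}: {e.message}")
```

Run it as a script to see the constructed sample sorted into noise and noteworthy events; the same `parse_syslog_line` is what `serve_udp` applies to each datagram once the router’s remote syslog setting points at the PC. Restricting who can send to that port (an inbound rule allowing only the router’s LAN IP) is worth doing, since syslog over UDP has no authentication.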


#4

Thank you for the welcome Eric, I have already taken those posts from the Knowledgebase into account, with some extras on top. I’ve looked through all the articles on here, but most of them are intended for network professionals. I don’t know what to do with load balancing and so on! Thanks for replying!

Martin, thank you. I actually got the recommendation for this model from routersecurity.org and have attempted to adhere to his advice where I know I’m not going too far out of my comfort zone. The problem with tweaking a bit too much is a wrong or naive solution can cause a lot of damage. I naturally want to hack things to bits but history has taught me I am not very good at putting them back together. Coming from the level of hack I suffered (I can go down a list of where/how I got hit, it was a marvel to behold) I am extremely cautious.

I guess if I ever get my wireless back up I might have use for VLAN, I just thought there might be a “trick” to it. Are there some ports the veteran routerer always blocks? Is it worth it setting up SMTP? Is having FTP bypass checked safe, are people actually sending FTP packets to me and I have no idea? You know, advice for Level 3 Dummies.

I agree that Peplink could use something of a stepping stone guide beyond the N+ level PDF they give you and the “change your password” simplicity they hand to beginners. I bought my unit from 3gstore, and they gave me a more helpful 5 step guide that I would have had a hard time finding blind online (for instance, blocking your modem’s IP, basic stuff like that).

Everything else I have really cobbled together from searches and my big A+/N+ books, but I often don’t know where to start. Graylog looks very promising, I will have to check it out, always skeptical of hosting services and prefer not to send PII unless I really have to. It does look easier than setting up my own server for logging. My question was more: How did the router’s internal logs report all that data as shown in the manual? How can I configure my router to report that from its own in-built logs? My logs show nothing but signins and WAN IP up/down pretty much.

Thank you all for your help.