How do you protect your home network from online and local threats?

[torstein]

This is what my household has setup, but I am curious what the rest of you have done?
Do you have hardware firewalls? Do you have enterprise-grade routers? Have you installed Pihole? do you have DoH? Do you use Quad9, NextDNS, OpenDNS and the like? AiProtect or not? Do you run antiviruses and software firewalls? Do you have DPI-software running?

HOME ROUTER:

• ASUS AX86U
  • Install merlin updates as they are released
  • New login user name and password on router

HOME NETWORK SECURITY:

• WPA3-only
  • long and random password
• Locked down the router
  • disabled upnp
  • disabled port forwarding
  • disabeld port triggering
  • disabled web acccess from wan
  • disabled Ping from wan
  • disabled DMZ
  • disabled WPS
  • disabled anonymous login to FTP share
  • disabled guest login for Network Place Share
• NextDNS installed on the router to protect all our home devices:
  • threat intelligence feeds
  • newly released AI Driven Threat Protection in beta
  • google safe browsing
  • cryptojacking protection
  • DNS rebinding protection
  • IDN homograph attacks protection
  • typosquatting protection
  • Domain Generation Algorithms Protection
  • block Newly Registered Domains
  • block Parked Domains
  • block Top-Level Domains
  • block CSAM
• AiProtect fully enabled
  • malicious Website Blocking
  • vulnerability protection
  • infected device prevention and blocking
• VPN
  • OpenVPN server to remotely log in to and manage my home network
  • OpenVPN Connect (to said server) or MullvadVPN (wireguard) for use on public WiFis
• Skynet
  • On the fence on this one. Not sure if I'm the target audience. I leave it default and untocuhed. Only use community malware protection feature

HOME DEVICES:

• Computers and smart phones
  • Firewall enabled on latest macOS in system settings
  • iOS - install latest release immediately (auto-update)
  • macOS - install latest release immediately (auto-update)
  • 1Password on all devices
• Internet practices
  • Latest Safari with ITP enabled (my daily driver)
  • Latest Firefox with auto-update (my backup browser)
  • Latest Chrome (spouse)
  • Ad, tracker and malware blockers
    • uBlock (Firefox and Chrome)
    • Wipr (Safari)
  • Force HTTPS on all sites in all browsers
  • DuckDuckGo search engine
  • Healthy suspicion of URLs. Click only on links we've asked for. Rarely click on email links, unless trusted sender.
• Communication
  • iCloud email and iCloud drive
  • Gmail
  • Apple Messages and Signal (for my Android friends), both E2E-encrypted
  • FaceTime for video
• Media
  • Smart TV disconnected from internet
  • Apple TV with latest release installed immedialtely
• Backups
  • Time Machine network backups for our laptops to a mac mini server
  • Backblaze backing up the Time Machine sparesbundles on the mac mini

PUBLIC WiFi such as airports, hotels, cafés

• VPN
  • OpenVPN Connect latest release to connect to my AX86U on macOS and iOS for a secure encrypted tunnel
  • MullvadVPN as backup in case my own VPN-server won't connect (happens rarely, but does from time to time) on macOS and iOS

 

[BreakingDad]

HOME ROUTER:

• ASUS AX86U
  • Install merlin updates as they are released - tick
  • New login user name and password on router - tick

HOME NETWORK SECURITY:

• WPA3-only
  • long and random password - WPA2, I find WPA3 doesn't work on all devices
• Locked down the router
  • disabled upnp - untick, with 7 pcs , 2 linux boxes, and god knows how many consoles, phones and tablets etc, this is just not practical for me.
  • disabled port forwarding - untick - I need this for minecraft server I run
  • disabeld port triggering - tick
  • disabled web acccess from wan -tick
  • disabled Ping from wan - tick
  • disabled DMZ- tick
  • disabled WPS- tick
  • disabled anonymous login to FTP share- tick
  • disabled guest login for Network Place Share - tick
• NextDNS installed on the router to protect all our home devices:
  • threat intelligence feeds - n/a
  • newly released AI Driven Threat Protection in beta- n/a
  • google safe browsing- n/a
  • cryptojacking protection- n/a
  • DNS rebinding protection- n/a
  • IDN homograph attacks protection- n/a
  • typosquatting protection- n/a
  • Domain Generation Algorithms Protection- n/a
  • block Newly Registered Domains- n/a
  • block Parked Domains- n/a
  • block Top-Level Domains- n/a
  • block CSAM- n/a
• AiProtect fully enabled
  • malicious Website Blocking - tick
  • vulnerability protection - tick
  • infected device prevention and blocking - tick
• VPN
  • OpenVPN server to remotely log in to router -n/a
  • OpenVPN or Mullvad for use on public WiFis -n/a
• Skynet
  • On the fence on this one. Not sure if I'm the target audience. I leave it default and untocuhed. Only use community malware protection feature - tick, use fully, + personal whitelist + country blocks on all the dodgy ones.

HOME DEVICES:

• Computers and smart phones
  • Firewall enabled on latest macOS in system settings - n/a, use windows with fw, defender and malwarebytes premium, run eset/hitmanpro scans weekly or when required
  • iOS - install latest release immediately (auto-update) - n/a
  • macOS - install latest release immediately (auto-update) -n/a
  • 1Password on all devices - tick
• Internet practices
  • Latest Safari with ITP enabled (my daily driver) - n/a
  • Latest Firefox with auto-update (my backup browser) - tick
  • Latest Chrome (spouse) - tick
  • Ad, tracker and malware blockers
    • uBlock (Firefox and Chrome) - tick
    • Wipr (Safari) - n/a
  • Force HTTPS on all sites in all browsers - untick, not enough compatibility
  • DuckDuckGo search engine - untick, tried it, don't like it + i'm a google fanboy
  • Healthy suspicion of URLs. Click only on links we've asked for. Rarely click on email links, unless trusted sender. - tick
• Communication
  • iCloud email and iCloud drive - n/a
  • Gmail - tick
  • Apple Messages and Signal (for my Android friends), both E2E-encrypted - n/a
  • FaceTime for video - n/a
• Media
  • Smart TV disconnected from internet - untick, tracking stuff turned off in settings, system running through adguardhome on a pi4
  • Apple TV with latest release installed immedialtely - n/a
• Backups
  • Time Machine network backups for our laptops to a mac mini server - n/a
  • Backblaze backing up the Time Machine sparesbundles on the mac mini - n/a
  • I backup through rsync on connected network drives.

REMOTE / PUBLIC WiFi

• VPN
  • OpenVPN Connect latest release to connect to my AX86U on macOS and iOS - n/a
  • MullvadVPN as backup in case my own VPN-server won't connect (happens rarely, but does from time to time) on macOS and iOS - n/a
  • Cyberghost VPN when required for torrents etc.

DNS = 9.9.9.9 on my pc, ISP DNS with kid safe filters, and manual additional block list through adguardhome on a PI on all child devices. The wife - 1.1.1.1, The older stepson - 1.1.1.1 all devices.
Malwarebytes Premium on all PC's,

Issued all family members with a tinfoil hat, wrapped whole house in foil, and built a 9ft wall around house with roaming wild animals in the yards.

Enjoyed that, thanks.

 

[itpp20]

I have a sign on my frontdoor with the neighbors wifi passphrase, I never seem to have a problem

 

[Treadler]

I have a sign on my frontdoor with the neighbors wifi passphrase, I never seem to have a problem

Great work!

(Choked on my coffee!)

 

[coxhaus]

I use a Cisco NAT router on IPv4 only using QUAD9 as my DNS. I block all in bound traffic as I have no ports open to the outside. I run no remote access in any way. I use Bluetooth for home automation.

My main threats are OS, Web, Email and off-site Apple devices.

 

[torstein]

You block ALL incoming? doesnt that basically shut you off from the web?

 

[degrub]

No, you block all unsolicited traffic.

 

[torstein]

No, you block all unsolicited traffic.

So firewall default setting then? (Im asking to learn)

 

[Paliv]

So firewall default setting then? (Im asking to learn)

Yes by default the firewall blocks all unsolicited incoming traffic. Usually extra firewall security is only necessary when you have open ports or you are trying to control outgoing traffic. Some people like to filter outgoing traffic to block ransomware or worms/rats, but this is less important in a home setting.

 

[torstein]

hmm, I don't have any open ports, at least not put in by me, and I don't need to control outgoing traffic. I wonder, is Skynet wasted on me?

 

[Paliv]

hmm, I don't have any open ports, at least not put in by me, and I don't need to control outgoing traffic. I wonder, is Skynet wasted on me?

That is a matter of opinion. Some people feel more comfortable with it. I tried it for a bit and decided it was unnecessary after the first false positive I had to deal with. It depends on your appetite for risk and the work you are willing to do for risk mitigation.

 

[torstein]

People who feel more comfrotable with it, but don't configure it in any way such as blocking incoming or outgoing connections, is that for the community maintained malware-lists, or something else?

 

[Paliv]

People who feel more comfrotable with it, but don't configure it in any way such as blocking incoming or outgoing connections, is that for the community maintained malware-lists, or something else?

I believe mainly for the malware/cnc server list filters if you use it at default.

 

[torstein]

How did you know you had false positives?

 

[Paliv]

It was when there was an issue with GitHub being blocked, I believe. There was also a Microsoft service blocked at one point if I remember correctly. For most people false positives are rare. But, if one happens and I’m not there then things get circumvented in less than ideal ways.

 

[treefu]

This is what my household has setup, but I am curious what the rest of you have done?
Do you have hardware firewalls? Do you have enterprise-grade routers? Have you installed Pihole? do you have DoH? Do you use Quad9, NextDNS, OpenDNS and the like? AiProtect or not? Do you run antiviruses and software firewalls? Do you have DPI-software running?

HOME ROUTER:

• ASUS AX86U
  • Install merlin updates as they are released
  • New login user name and password on router

HOME NETWORK SECURITY:

• WPA3-only
  • long and random password
• Locked down the router
  • disabled upnp
  • disabled port forwarding
  • disabeld port triggering
  • disabled web acccess from wan
  • disabled Ping from wan
  • disabled DMZ
  • disabled WPS
  • disabled anonymous login to FTP share
  • disabled guest login for Network Place Share
• NextDNS installed on the router to protect all our home devices:
  • threat intelligence feeds
  • newly released AI Driven Threat Protection in beta
  • google safe browsing
  • cryptojacking protection
  • DNS rebinding protection
  • IDN homograph attacks protection
  • typosquatting protection
  • Domain Generation Algorithms Protection
  • block Newly Registered Domains
  • block Parked Domains
  • block Top-Level Domains
  • block CSAM
• AiProtect fully enabled
  • malicious Website Blocking
  • vulnerability protection
  • infected device prevention and blocking
• VPN
  • OpenVPN server to remotely log in to and manage my home network
  • OpenVPN Connect (to said server) or MullvadVPN (wireguard) for use on public WiFis
• Skynet
  • On the fence on this one. Not sure if I'm the target audience. I leave it default and untocuhed. Only use community malware protection feature

HOME DEVICES:

• Computers and smart phones
  • Firewall enabled on latest macOS in system settings
  • iOS - install latest release immediately (auto-update)
  • macOS - install latest release immediately (auto-update)
  • 1Password on all devices
• Internet practices
  • Latest Safari with ITP enabled (my daily driver)
  • Latest Firefox with auto-update (my backup browser)
  • Latest Chrome (spouse)
  • Ad, tracker and malware blockers
    • uBlock (Firefox and Chrome)
    • Wipr (Safari)
  • Force HTTPS on all sites in all browsers
  • DuckDuckGo search engine
  • Healthy suspicion of URLs. Click only on links we've asked for. Rarely click on email links, unless trusted sender.
• Communication
  • iCloud email and iCloud drive
  • Gmail
  • Apple Messages and Signal (for my Android friends), both E2E-encrypted
  • FaceTime for video
• Media
  • Smart TV disconnected from internet
  • Apple TV with latest release installed immedialtely
• Backups
  • Time Machine network backups for our laptops to a mac mini server
  • Backblaze backing up the Time Machine sparesbundles on the mac mini

PUBLIC WiFi such as airports, hotels, cafés

• VPN
  • OpenVPN Connect latest release to connect to my AX86U on macOS and iOS for a secure encrypted tunnel
  • MullvadVPN as backup in case my own VPN-server won't connect (happens rarely, but does from time to time) on macOS and iOS

If you have enough memory available on your router, you could also run the original granddaddy of security monitoring solutions - snort

opkg install snort

and most importantly, look at the output on a regular basis.

 

[torstein]

If you have enough memory available on your router, you could also run the original granddaddy of security monitoring solutions - snort

opkg install snort

and most importantly, look at the output on a regular basis.

Dont tempt me with another rabitthole, Skynet is already giving me anxiety