
How to secure the RT-AC66U?


Wimo

Occasional Visitor
Hello! :)

I have a fresh RT-AC66U at home and I am configuring it now.

Before I use it as I plan, I would like some advice on how to secure it. The router AND the wi-fi networks.

I have been using a Linksys WRT54GL for years, on DD-WRT, but after some reading here and elsewhere, I plan to install the latest Merlin firmware (thanks to you ;) ) on it (RT-AC66U_3.0.0.4_372.30_2), because DD-WRT doesn't seem ready enough yet.

I have a modem-router which I will configure as a bridge to the RT-AC66U. I want to use my provider's modem-router as a simple modem if possible, and let the powerful RT-AC66U take care of the rest. :p

Now, this is all I am thinking of doing to secure my router and wi-fi networks:
- change administration login
- change password, to a long one with special characters
- don't reply to ping from WAN (I have to look for that option, if it exists...)

- hide SSIDs and give them some irrelevant name
- long passwords with special characters (I don't remember, WPA2 may limit us for that)
- WPA2 AES encryption

I have to look deeper in the Asus GUI for other ways to secure the router, but as I am not really aware of all the options' implications, you're welcome to help me improve security.

Thanks to you!
 
- don't reply to ping from WAN (I have to look for that option, if it exists...)
Found it! ^^

Easy, but easier with an English interface (in French, there were some mistakes...).

I took a look at some other options I think are interesting:

Enable Firewall -> Yes
Enable DoS protection -> Yes or No? Is it really that significant on CPU and/or RAM?
Respond Ping Request from WAN -> No

Time Zone? It is set to -12:00, but it says "Not host time zone", so I don't know if I should configure it with my time zone or not?

No Guest Network

Enable Telnet -> No
Enable SSH -> Yes (Default is "No", but it may be useful without troubling security, no?)
Allow SSH Port Forwarding -> No
SSH service port -> 22
Allow SSH access from WAN -> No (Important!)
Allow SSH password login -> Yes
Enable SSH Brute Force Protection -> Yes or No? (Like DoS protection, is it really that significant on CPU and/or RAM?)
Authentication Method HTTPS (Default is HTTP)
Enable Web Access from WAN -> No, or "Yes" if you want to configure port redirections (for example) from WAN
Only allow specific IP -> No
 
This is a pretty good shortlist. I would also disable WPS if you want to improve security even more (Asus's WPS implementation isn't as bad as it was a few years ago in the majority of home routers) as you probably won't be needing WPS.

I would recommend that you keep the SSID broadcast enabled however. Hiding it doesn't increase security in any way (and in some cases it actually reduces security as some computers end up broadcasting the SSID name as they try to connect to it), and it can lead to hard-to-find issues. A hidden SSID would still show up on any Wifi analyzer, it just would show a blank name - it won't hide the fact that the router is there.

You could also disable UPnP if you want to aim for paranoid, however it can make some things more difficult to handle (such as torrenting). I use a very recent version of miniupnpd (1.8.20130426), so it's kept up-to-date (the only changes in the version released after that are bugfixes), and has no known security issues that I'm aware of.
 
Found it! ^^

Easy, but easier with an English interface (in French, there were some mistakes...).

Even the English translation has a few small hitches ;)

Enable DoS protection -> Yes or No? Is it really that significant on CPU and/or RAM?

What this does is that it throttles certain packets types (icmp, syn, ack, etc...) to a maximum of 1/s. Personally I wouldn't enable that - it's not worth the trouble. If you were really DDoSed, then there is nothing your router could do about it - only your ISP could take care of the typical multi-gigabit DDoS attacks that are used these days.


Time Zone? It is set to -12:00, but it says "Not host time zone", so I don't know if I should configure it with my time zone or not?

Set it manually to the correct timezone.

Enable SSH -> Yes (Default is "No", but it may be useful without troubling security, no?)

IMHO, keep that enabled. It will only be accessible from the LAN side. So if someone is already on your LAN, it's already game over IMHO :) If you're still worried, then generate an RSA keypair, and disable password login - log in using the keypair. Probably overkill for LAN-only access however if you trust everyone at home.

The Bruteforce protection will limit the number of connection attempts to the SSH port. It shouldn't have any noticeable impact on router performance.

Enable Web Access from WAN -> No, or "Yes" if you want to configure port redirections (for example) from WAN

IMHO a big no-no. If you really want to give yourself remote access, then configure OpenVPN, and use a VPN tunnel to connect back home. Avoid PPTP - it's easily cracked these days.
 
you're welcome if you can help me improve security.

Thanks to you!

OP, what kind of security are you concerned about? Keeping people with physical access to the router from altering it or using your LAN? Keeping out bandwidth thieves from your LAN? Keeping out external attacks? Keeping people from sniffing your wireless traffic and reading your packets in transit?

Are you in a densely packed urban neighborhood, i.e. apartment building in New York City?

There's lots of different kinds of security...and depending on how likely you are to have a break in, and what manner of security you're concerned about there's many many many different methods you can take.
 
This is a pretty good shortlist.
Thank you.

I would also disable WPS if you want to improve security even more (Asus's WPS implementation isn't as bad as it was a few years ago in the majority of home routers) as you probably won't be needing WPS.
That's right, I forgot about it, but I was going to disable it, because I don't use WPS.

I would recommend that you keep the SSID broadcast enabled however. Hiding it doesn't increase security in any way (and in some cases it actually reduces security as some computers end up broadcasting the SSID name as they try to connect to it), and it can lead to hard-to-find issues. A hidden SSID would still show up on any Wifi analyzer, it just would show a blank name - it won't hide the fact that the router is there.
I know it shows up on wi-fi analyzer, but it seems to me less "tempting" hidden than visible. But I take good note of your rightful explanations.

You could also disable UPnP if you want to aim for paranoid, however it can make some things more difficult to handle (such as torrenting). I use a very recent version of miniupnpd (1.8.20130426), so it's kept up-to-date (the only changes in the version released after that are bugfixes), and has no known security issues that I'm aware of.
I may use UPnP for my Synology NAS, but I don't think I have a use for it on my router. Do you use miniupnpd on JFFS?

Even the English translation has a few small hitches
Ok, I haven't had time to explore everything yet, I only had a quick look at the different menus. But the interface is only half translated, so with the mistakes on top of that it is far more understandable in English! :)

What this does is that it throttles certain packets types (icmp, syn, ack, etc...) to a maximum of 1/s. Personally I wouldn't enable that - it's not worth the trouble. If you were really DDoSed, then there is nothing your router could do about it - only your ISP could take care of the typical multi-gigabit DDoS attacks that are used these days.
That's right.
It reminds me, the French company OVH is working on something interesting to protect against DDoS.

Set it manually to the correct timezone.
Ok.

IMHO, keep that enabled. It will only be accessible from the LAN side. So if someone is already on your LAN, it's already game over IMHO :) If you're still worried, then generate an RSA keypair, and disable password login - log in using the keypair. Probably overkill for LAN-only access however if you trust everyone at home.
Default is "No", but it seems "overkill" to me too. And I like CLI from times to times. :p

The Bruteforce protection will limit the number of connection attempts to the SSH port. It shouldn't have any noticeable impact on router performance.
Ok, I didn't see any options for it, like connection attempts allowed per minute...

IMHO a big no-no. If you really want to give yourself remote access, then configure OpenVPN, and use a VPN tunnel to connect back home. Avoid PPTP - it's easily cracked these days.
Ok, I did not know that. I connect to my NAS from WAN over https with a genuine certificate, so will it be the same problem?

A big thank you for your detailed answers! :)

OP, what kind of security are you concerned about? Keeping people with physical access to the router from altering it or using your LAN?
Physical access is impossible, using my LAN is pretty difficult, even with the RT-AC66U big reach.

Keeping out bandwidth thieves from your LAN?
Risk near zero.

Keeping out external attacks?
Yes, that's the thing. The only way to be sure about it is to unsubscribe from the Internet, but I want to have my privacy, like everyone else. Not that I have secret things to hide, I just want to be left in peace, so I am looking for security to be an uninteresting target from the WAN. Plus, I find it interesting to know how it works and to configure it. In any case, I am never the kind of guy to buy something, power it up and use it without configuring anything and without reading the manual (or part of it, I am not a masochist :p ).

Keeping people from sniffing your wireless traffic and reading your packets in transit?
Yes, even if the risk is low for me, I think everybody using wi-fi should know about that.

Are you in a densely packed urban neighborhood, i.e. apartment building in New York City?
Not in New York City. :p I am in an apartment building. But without explaining personal details, the risk is low. WPA2-AES should be ok. But I welcome any interesting advice to strengthen wi-fi networks.

There's lots of different kinds of security...and depending on how likely you are to have a break in, and what manner of security you're concerned about there's many many many different methods you can take.
Yes, I know about that, you can take my request as a general question about security for a nobody. If it were that important, I would not use this kind of hardware, not "public" hardware.

Thank you too.
 
I recommend changing the SSH port to some high, non-standard port too.
I used to have SSID hidden and MAC filtering and I no longer bother. If they are lame enough seeing those will not help them, if they are good hiding them will not help you.
 
Experimenting with SSH

in one reply RMerlin said:

IMHO, keep that enabled. It will only be accessible from the LAN side. So if someone is already on your LAN, it's already game over IMHO If you're still worried, then generate an RSA keypair, and disable password login - log in using the keypair. Probably overkill for LAN-only access however if you trust everyone at home.

I have no idea how to generate that keypair and I suspect that my other issue is related to that keypair.

On my AC66U I have Authentication Method set to https, but when I log in my browser (Chrome) puts a big red cross through the https, stating that the certificate isn't trusted. Now I'm pretty new to tinkering this deep with my new router and I have searched through a lot of articles on the net about this subject, but until now I haven't found the solution.

Can someone explain to me how to create that rsa keypair, how to implement it and how to get rid of that irritating big red cross through https.

I would be very thankful if someone could explain that to me.
 
How to create RSA key pair

1. Start with downloading putty. It includes 3 programs. Make sure to have putty.exe and puttygen.exe available. Not sure what pageant.exe is, I never used it.

2. Start puttygen.exe, select SSH-2 RSA and click on Generate a public/private key pair. Go through the generation and then save the private and the public key in a safe place. Copy the public key from the window into the buffer with Ctrl-C.

3. Start putty, enter your IP address and port, make sure SSH is selected. Enter a saved session name.

4. From the tree on the right, click on SSH to expand, click on Auth, browse and select the private key file.

5. Now return to the very top option "Session" which is where we started in the first place. You already typed in the saved session name so, just click on save.

6. Click on open and establish the connection to router, navigate to Admin/System section and paste the key you saved into buffer, into the "SSH Authentication" Key field. Apply.

7. That is all. Next time you connect, it will take effect.
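The step the procedure above hinges on is pasting the public key in the exact one-line form shown in the PuTTYgen window, not the contents of the saved .pub file, which PuTTYgen writes in the multi-line "---- BEGIN SSH2 PUBLIC KEY ----" (RFC 4716) layout. The following is an added example, not code from the thread or from the firmware: it accepts either layout, decodes the key blob to verify that the declared type matches and that an RSA modulus is at least 2048 bits, and emits the single-line form an authorized-key field expects. The key material is a constructed 2048-bit placeholder, not a real key.

```python
import base64
import struct
import textwrap

def _ssh_string(data: bytes) -> bytes:
    """One SSH wire-format 'string': uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data

def _ssh_mpint(n: int) -> bytes:
    """SSH 'mpint': big-endian two's complement, so a leading 0x00 when the top bit is set."""
    return _ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))

def parse_blob(blob: bytes) -> dict:
    """Split the decoded key blob into its fields; report type and, for RSA, e and modulus bits."""
    fields, pos = [], 0
    while pos < len(blob):
        if pos + 4 > len(blob):
            raise ValueError("truncated key blob")
        (length,) = struct.unpack(">I", blob[pos:pos + 4])
        pos += 4
        if pos + length > len(blob):
            raise ValueError("truncated key blob")
        fields.append(blob[pos:pos + length])
        pos += length
    info = {"type": fields[0].decode("ascii")}
    if info["type"] == "ssh-rsa":  # RSA blob fields are: type, e, n
        info["e"] = int.from_bytes(fields[1], "big")
        info["bits"] = int.from_bytes(fields[2], "big").bit_length()
    return info

def to_authorized_key(text: str) -> str:
    """Accept the one-line OpenSSH form (the PuTTYgen window) or the RFC 4716 file PuTTYgen
    saves, validate the blob, and return the one-line form an authorized-key field expects."""
    lines = [l.strip() for l in text.strip().splitlines() if l.strip()]
    declared, comment = None, ""
    if lines[0].startswith("---- BEGIN SSH2 PUBLIC KEY ----"):
        body = []
        for line in lines[1:]:
            if line.startswith("---- END SSH2 PUBLIC KEY ----"):
                break
            if not body and ":" in line:  # header line such as Comment: "rsa-key-..."
                if line.lower().startswith("comment:"):
                    comment = line.split(":", 1)[1].strip().strip('"')
                continue
            body.append(line)  # wrapped base64 lines
        b64 = "".join(body)
    else:
        parts = lines[0].split(None, 2)
        if len(parts) < 2:
            raise ValueError("not an OpenSSH public key line")
        declared, b64 = parts[0], parts[1]
        comment = parts[2] if len(parts) == 3 else ""
    blob = base64.b64decode(b64, validate=True)
    info = parse_blob(blob)
    if declared and declared != info["type"]:
        raise ValueError(f"type prefix {declared} does not match blob type {info['type']}")
    if info["type"] == "ssh-rsa" and info["bits"] < 2048:
        raise ValueError(f"RSA modulus is only {info['bits']} bits")
    line = f"{info['type']} {base64.b64encode(blob).decode('ascii')}"
    return f"{line} {comment}" if comment else line

# Constructed sample: a 2048-bit number standing in for an RSA modulus (not a real key).
SAMPLE_N = (1 << 2047) | int.from_bytes(b"constructed sample modulus, not a real key" * 5, "big") | 1
SAMPLE_BLOB = _ssh_string(b"ssh-rsa") + _ssh_mpint(65537) + _ssh_mpint(SAMPLE_N)
SAMPLE_B64 = base64.b64encode(SAMPLE_BLOB).decode("ascii")
OPENSSH_LINE = f"ssh-rsa {SAMPLE_B64} rsa-key-20130601"  # what the PuTTYgen window shows
RFC4716_TEXT = ("---- BEGIN SSH2 PUBLIC KEY ----\nComment: \"rsa-key-20130601\"\n"
                + "\n".join(textwrap.wrap(SAMPLE_B64, 70)) + "\n---- END SSH2 PUBLIC KEY ----\n")
```

Both `to_authorized_key(OPENSSH_LINE)` and `to_authorized_key(RFC4716_TEXT)` yield the same single line, which is the text to paste into the router's SSH Authentication Key field.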
 
in one reply RMerlin said:

IMHO, keep that enabled. It will only be accessible from the LAN side. So if someone is already on your LAN, it's already game over IMHO If you're still worried, then generate an RSA keypair, and disable password login - log in using the keypair. Probably overkill for LAN-only access however if you trust everyone at home.

I have no idea how to generate that keypair and I suspect that my other issue is related to that keypair.

On my AC66U I have Authentication Method set to https, but when I log in my browser (Chrome) puts a big red cross through the https, stating that the certificate isn't trusted. Now I'm pretty new to tinkering this deep with my new router and I have searched through a lot of articles on the net about this subject, but until now I haven't found the solution.

Can someone explain to me how to create that rsa keypair, how to implement it and how to get rid of that irritating big red cross through https.

I would be very thankful if someone could explain that to me.

Those are two totally different things.

The untrusted SSL certificate is normal, and unless you are willing to purchase and implement a domain name at home and pay $150 per year to purchase an SSL certificate, you can't do anything. This warning merely states that the certificate used by the router doesn't come from a recognized certificate authority, it has zero impact on security.
 
SSH continued

Thanks for the help. I managed to create the keys and pasted the public key into the SSH Authentication key field in the administration/system tab. However, when I log in with putty using the private key I get the message "Server refused our key". Is that normal?

I have to say that enabling https in the Authentication Method slows down my browser (Chrome) when switching tabs. It makes it very slow to refresh the pages and that can't be normal. Do you have any thoughts on that?

I like RMerlin's latest firmware a lot and I'm not updating to Asus' latest firmware. I'm waiting for RMerlin to come with the new version. Great job.

Since getting this router I managed to get the DLNA server to add music automatically without restarting the router and get the openvpn server working in combination with my iPhone. It's a nice learning curve but I know there's a lot more to this router. It's a great piece of hardware.
 
Those are two totally different things.

The untrusted SSL certificate is normal, and unless you are willing to purchase and implement a domain name at home and pay $150 per year to purchase an SSL certificate, you can't do anything. This warning merely states that the certificate used by the router doesn't come from a recognized certificate authority, it has zero impact on security.
I renewed my StartSSL certificate three months ago for my domain name, still for free, and it is recognized by browsers. ;)
 
1. Start with downloading putty. It includes 3 programs. Make sure to have putty.exe and puttygen.exe available. Not sure what pageant.exe is, I never used it.

2. Start puttygen.exe, select SSH-2 RSA and click on Generate a public/private key pair. Go through the generation and then save the private and the public key in a safe place. Copy the public key from the window into the buffer with Ctrl-C.

3. Start putty, enter your IP address and port, make sure SSH is selected. Enter a saved session name.

4. From the tree on the right, click on SSH to expand, click on Auth, browse and select the private key file.

5. Now return to the very top option "Session" which is where we started in the first place. You already typed in the saved session name so, just click on save.

6. Click on open and establish the connection to router, navigate to Admin/System section and paste the key you saved into buffer, into the "SSH Authentication" Key field. Apply.

7. That is all. Next time you connect, it will take effect.
Thanks very much. I never knew how to secure a SSH session. Now I do and have!
 
SSH solved

OK. It took me some time but I finally managed to add the public key to the router. I copied the key from the file stored on my hard drive where I should have copied the public key from the putty window, which is formatted differently.

HTTPS is still slow in refreshing though in my browser.
 
HTTPS will always be much slower. The router's CPU is weak by modern standards, and the web server is only single-threaded.
 
1. Start with downloading putty. It includes 3 programs. Make sure to have putty.exe and puttygen.exe available. Not sure what pageant.exe is, I never used it.

2. Start puttygen.exe, select SSH-2 RSA and click on Generate a public/private key pair. Go through the generation and then save the private and the public key in a safe place. Copy the public key from the window into the buffer with Ctrl-C.

3. Start putty, enter your IP address and port, make sure SSH is selected. Enter a saved session name.

4. From the tree on the right, click on SSH to expand, click on Auth, browse and select the private key file.

5. Now return to the very top option "Session" which is where we started in the first place. You already typed in the saved session name so, just click on save.

6. Click on open and establish the connection to router, navigate to Admin/System section and paste the key you saved into buffer, into the "SSH Authentication" Key field. Apply.

7. That is all. Next time you connect, it will take effect.

Hi!

Unfortunately I can't get it working for me; I use 'SSH Secure Shell' as client software though.

  1. SSH Secure Shell offers a wizard to create the key pair which I did.
  2. I copied the content of the public key file into the corresponding configuration field of the n66u (i.e. I didn't use the client's own upload feature),
  3. I set the n66u's "Enable SSH Brute Force Protection" to "yes" and
  4. the secret key is managed by the SSH client itself (since it created it).

When I ssh to my router, it keeps asking for the password as if nothing had changed. Thus I disabled the password access method in the SSH client and only left "Public Key authentication" activated. But this causes an error message saying "Server responded: No further authentication methods available."

What am I doing wrong?
 
