Sunday, May 29, 2011

Securing my DSL modem

I had a BSNL modem installed at my home quite some time ago. The guy who installed it did the minimal configuration - just enough to connect to the internet. He did nothing on the basic security front - hiding the wireless network, changing the default password, etc.

As with all standard modems, this one had a web interface at http://192.168.1.1. The interface was easy to navigate and through it I hardened a few of the settings. I am going to share them in this post.

The security measures that I describe will be available on any standard DSL/ADSL modem. The UI navigation will vary across different models. But the ideas - like changing your modem's IP from 192.168.1.1 to some non-standard value e.g. 10.2.3.44 will stay the same.

The changes are limited by my own experience and I'd appreciate if you could share any other security measures that you took. If you are happy with the way things are going on - your wireless network is not hidden, your modem's IP is 192.168.1.1, default password is "admin" - stay happy and go back to watching that skating cat video on youtube, while I download the entire LOTR trilogy on your connection :). If you want to get your hands dirty and learn a few things in the process, read on.

The author is not responsible for temporary/permanent loss of internet connectivity or inadvertent establishment of communication with alien life forms resulting from the changes described in this post.

Modem: BSNL Dataone - ZTE - ZXDSL 531B

Before moving on to the changes, I'd recommend that if you are going to do them as you read this post, please read the whole post first. Note that the changes don't come into effect until you save them and, in some cases (changing the modem IP for instance), restart the modem. So if you want to experiment with the changes, do them one at a time - change the config, save it, check it and move on. Doing multiple changes and not knowing what went wrong is not worth the debugging time. You can also keep on saving changes as you move through the post, creating snapshots of the configuration file.

The first thing to do before messing around with any settings is to insure yourself against the destructive streak of the geek in you - the one which prods you with the "Go on, try it out, let's see if it blows anything up" thought. Hence I backed up the minimal configuration that was done by the BSNL guy.

Assumptions:
  • Every change requires you to save the config - goes without saying (I already said it, but that went without saying too). When restart is required, I will explicitly mention it.
  • Indented lines beginning with a dash (e.g. - Management -- Settings -- Backup) point to the corresponding navigation menu items as present in the modem web interface; each -- separates one menu level from the next.
The changes over and above the default configuration are as follows:
  1. Backup the default configuration.

    - Management -- Settings -- Backup

    If you require to upload a backed up config file from your machine to the modem

    - Management -- Settings -- Update

  2. Make sure you've backed up the default configuration:
    Shooting yourself in the foot is one thing - not knowing that you've shot yourself until it's too late is another. Copy the backed up configuration file to an external disk or mail it to yourself.

  3. Change the default admin password from admin to something stronger.

    - Management -- Access control -- Passwords

    Restart the modem to verify that you've not locked yourself out. If you have, you can always reset the modem and upload the settings backed up in the previous step. In my case, the reset button is a small round hole on the underside of the modem. Most standard modems have it labelled. Use the tip of a pen to press it.

  4. Change passwords of other users:
    Along with the admin user, my modem has the following users:

    support - run diagnostics.
    user - run diagnostics and update the modem's software

    The users will vary across different modems, but knowing that you need to update their passwords is important.

  5. Change the modem's IP from 192.168.1.1 to something non-standard:
    Change it to an IP which does not end in .1 - make it a little hard for someone to guess the modem's IP. Obviously, if someone is on the same LAN as you are, he'd whip up a shell/Perl script and telnet-80 through all 255 IPs in the range to see if he gets a response.

    But the idea is to raise the bar. Restart the modem, as you will lose connectivity the moment the IP change comes into effect; after the restart, reconnect and open the web interface at the new address.

    - Advanced Setup -- LAN

  6. Limit the DHCP range:
    By default, practically all modems have the DHCP server enabled - it hands out IPs to machines from a specific range. My modem, for example, had the DHCP range 192.168.1.2 to 192.168.1.254 - I am obviously not going to allocate 252 IPs. I have the range limited (post modem IP change) to 10.3.5.2 to 10.3.5.4.

    - Advanced Setup -- LAN

    - Enable dhcp server -- start IP address
    - Enable dhcp server -- end IP address

    Sadly, the DHCP server on my modem does not have the option of specifying IP address against a MAC address - that's a disadvantage of being limited by the UI. At the risk of digressing, this reminded me of the metaphor shear chapter of "In the beginning was the command line".

    If this was a standard DHCP server with the dhcpd.conf file accessible to the admin user, one could have added the following configuration (ISC dhcpd syntax; the deny line is what actually stops hosts without an entry from getting a lease):

    # refuse leases to any host that has no matching host declaration
    deny unknown-clients;

    # pin each known machine to a fixed address by its MAC
    host linux-1 {
        hardware ethernet 05:00:1b:5c:19:33;
        fixed-address 10.3.4.22;
    }
    host linux-2 {
        hardware ethernet 06:00:1b:5c:19:33;
        fixed-address 10.3.4.23;
    }

    This gives specific hosts fixed IP addresses, and no foreign host can get an IP address until its MAC address is added. Also useful if one plans to do IP-specific filtering on web proxies, iptables, etc.

  7. Change the modem's management IP:
    Management IP: the IP through which one can access the admin UI/command line. To play safe, keep the management IP outside the DHCP range but within the same subnet. For example,

    modem IP : 10.1.5.44
    dhcp range : 10.1.5.2 to 10.1.5.4
    subnet mask : 255.255.255.0
    mgmt IP : 10.1.5.23

    This makes it a little inconvenient for you to access the management interface if you got your IP by DHCP, but once you've taken the initial security measures, how often will you access the admin UI? So when you want to make changes to the modem config - configure that static IP on your machine, do the changes, and then switch the IP acquisition back from static to dynamic.

    - Management -- Access control -- IP addresses
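
Before committing the address plan from steps 5 to 7 (a change that can lock you out until you reset), it is worth checking it mechanically. The script below is an added example of mine, not code from the post or from the modem vendor; the function and parameter names are assumptions. It encodes the rules given above: the modem IP should not end in .1, the DHCP pool should be no bigger than the number of machines you actually have, and the management IP should sit inside the subnet but outside the DHCP pool, so that no DHCP client can ever be handed it. The sample plan is the one from step 7; the factory-default plan is a constructed comparison (its management IP is made up).

```python
"""Check a home-router address plan before you commit it to the modem."""
import ipaddress


def check_address_plan(modem_ip, netmask, dhcp_start, dhcp_end, mgmt_ip,
                       expected_hosts):
    """Return a list of problems found (an empty list means the plan is OK)."""
    problems = []
    # strict=False lets us build the network from a host address plus mask
    network = ipaddress.ip_network(f"{modem_ip}/{netmask}", strict=False)
    modem = ipaddress.ip_address(modem_ip)
    start = ipaddress.ip_address(dhcp_start)
    end = ipaddress.ip_address(dhcp_end)
    mgmt = ipaddress.ip_address(mgmt_ip)

    # Step 5: the default .1 address is the first one anybody will try
    if int(modem) & 0xFF == 1:
        problems.append(f"modem IP {modem} ends in .1 (the default, easy to guess)")

    # Every address must lie inside the subnet and be a usable host address
    for label, addr in (("modem", modem), ("DHCP start", start),
                        ("DHCP end", end), ("management", mgmt)):
        if addr not in network:
            problems.append(f"{label} IP {addr} is outside {network}")
        elif addr in (network.network_address, network.broadcast_address):
            problems.append(f"{label} IP {addr} is the network or broadcast address")

    if start > end:
        problems.append(f"DHCP range {start}-{end} is reversed")
        return problems  # the pool checks below would be meaningless

    # Step 6: hand out only as many addresses as you have machines
    pool_size = int(end) - int(start) + 1
    if pool_size > expected_hosts:
        problems.append(f"DHCP pool has {pool_size} addresses for {expected_hosts} expected hosts")

    # The modem's own address must never be leased to a client
    if start <= modem <= end:
        problems.append(f"modem IP {modem} lies inside the DHCP pool")

    # Step 7: keep the management IP where DHCP cannot give it away
    if start <= mgmt <= end:
        problems.append(f"management IP {mgmt} lies inside the DHCP pool; a client could be leased it")

    return problems


# The plan from step 7 of the post
POST_PLAN = dict(modem_ip="10.1.5.44", netmask="255.255.255.0",
                 dhcp_start="10.1.5.2", dhcp_end="10.1.5.4",
                 mgmt_ip="10.1.5.23", expected_hosts=3)
# A typical factory-default plan; the management IP here is a constructed value
DEFAULT_PLAN = dict(modem_ip="192.168.1.1", netmask="255.255.255.0",
                    dhcp_start="192.168.1.2", dhcp_end="192.168.1.254",
                    mgmt_ip="192.168.1.100", expected_hosts=3)

if __name__ == "__main__":
    for name, plan in (("post", POST_PLAN), ("factory default", DEFAULT_PLAN)):
        issues = check_address_plan(**plan)
        print(f"{name}: {'OK' if not issues else ''}")
        for issue in issues:
            print("  -", issue)
```

Run it once with your own numbers filled in; an empty list means the modem IP, pool and management IP cannot collide, which is exactly the property the three steps above are trying to establish.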

  8. Turn off the services that are not required:
    If you are not planning to monitor modem health via SNMP probes - why keep the port open for it? My modem has the following services:

    FTP
    HTTP
    SNMP
    TELNET
    TFTP

    Turn off the ones that you are not going to use. If you are always going to do configuration via a web browser, no need to have FTP, SNMP, Telnet, TFTP on.

    - Management -- Access control -- Services

  9. Change network authentication from "Open" to WPA/WPA2:
    I guess most modems ship configured with something other than "Open" Wi-Fi security. If not, change the network authentication to either WPA or WPA2. More details on what they are and why they are better than Open or WEP at this Wikipedia link.

    Without getting into too much detail, as per the wiki link - WEP is better than Open. WPA is better than WEP. WPA2 is the IEEE-compliant version of WPA with additional security features. WPA encryption options available on my modem: TKIP and AES. WPA2 can use AES, which is stronger than TKIP. I don't have much knowledge of these protocols and their advantages and shortcomings. I trusted Wikipedia's word and configured my settings. If you can shed more light on the topic based on your experience, your insights are much appreciated.

    I have "Network authentication: WPA2-PSK" and "WPA encryption: AES"

    - Wireless -- Security

  10. Change the SSID and hide your wireless access point:

    Rather than the usual, dry and unimaginative "Wireless network" or "My network" - do your thing and get an interesting name for the SSID (service set identifier - your wireless network name). NOT a security measure - but seriously, what sounds better: "I am connected to 'wireless network 1' and watching a video of how yak butter is made. **Yawn**" or "I am locked on to the 'Hellfire destroyer' and listening to Led Zep!!"

    Hiding your wireless network isn't going to cloak you in a blanket of invisibility and aid your escape from Gollum and the goblins. Using tools like Aircrack and NetStumbler one can discover hidden wireless networks. But again, the idea is to make it difficult for the other guy. Let him start up these tools and use them.

    - Wireless -- Basic

  11. Turn on MAC filtering for wireless access:

    I found this to be a useful feature - accept wireless connection requests only from a pre-defined set of MAC addresses. Enable it, look up the MACs of the machines that are going to connect, save and check. If you enter the wrong MAC and find yourself locked out, you can always wire up your machine to the modem and change the settings.

    - Wireless -- Basic -- MAC filter
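
The lock-out risk in step 11 (and the MAC entries in the dhcpd example of step 6) comes from typing addresses by hand in whatever format ifconfig or ipconfig happened to print them. The script below is an added example of mine, not code from the post or the modem firmware, and its function names are assumptions; the sample entries are constructed. It normalises every address to one form, rejects anything that is not 12 hex digits, drops duplicates, and warns about addresses that cannot belong to a station (broadcast, multicast) or that are locally administered, which on newer phones usually means a randomised per-network address that may change and silently fall off the list. Like the hidden SSID in step 10, the filter only raises the bar: a client's MAC is transmitted unencrypted, so WPA2 with AES from step 9 is what does the real work.

```python
"""Build a clean MAC allow-list before typing it into the modem's filter."""
import re

_HEX12 = re.compile(r"[0-9a-f]{12}")


def normalize_mac(raw):
    """Return the MAC as aa:bb:cc:dd:ee:ff; raise ValueError if it is not one.

    Accepts colon, hyphen, Cisco dotted (aabb.ccdd.eeff) and bare 12-digit
    forms, in either case, as copied from ifconfig/ipconfig output.
    """
    digits = re.sub(r"[:\-.\s]", "", raw.lower())
    if not _HEX12.fullmatch(digits):
        raise ValueError(f"not a 48-bit MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def mac_warnings(mac):
    """Return warnings for a normalised MAC that is well-formed but suspect."""
    warnings = []
    first_octet = int(mac[:2], 16)
    if mac == "ff:ff:ff:ff:ff:ff":
        warnings.append("broadcast address, not a station")
    elif first_octet & 0x01:
        # I/G bit set: a group (multicast) address, never a NIC's own address
        warnings.append("multicast address (I/G bit set), not a station")
    if first_octet & 0x02:
        # U/L bit set: locally administered, e.g. a randomised per-network
        # address on newer phones, which may change and fall off the list
        warnings.append("locally administered address; may be randomised and change")
    return warnings


def build_allow_list(raw_entries):
    """Normalise, de-duplicate and vet entries; return (accepted, rejected).

    accepted: list of (mac, warnings) in first-seen order
    rejected: list of (raw_entry, reason)
    """
    accepted, rejected, seen = [], [], set()
    for raw in raw_entries:
        try:
            mac = normalize_mac(raw)
        except ValueError as exc:
            rejected.append((raw, str(exc)))
            continue
        if mac in seen:
            continue  # same NIC copied from two places
        seen.add(mac)
        accepted.append((mac, mac_warnings(mac)))
    return accepted, rejected


# Constructed sample: one laptop copied from two places, a second machine,
# a typo, and a multicast address pasted by mistake
SAMPLE_ENTRIES = [
    "00-1B-5C-19-33-AA",   # Windows ipconfig style
    "00:1b:5c:19:33:aa",   # same NIC, Linux ifconfig style
    "001c.2d3e.4f50",      # Cisco dotted style
    "00:1b:5c:19:33:a",    # typo: one digit short
    "01:00:5e:00:00:fb",   # IPv4 multicast (mDNS), not a station
]

if __name__ == "__main__":
    ok, bad = build_allow_list(SAMPLE_ENTRIES)
    for mac, warns in ok:
        print(mac, "  ".join(warns))
    for raw, why in bad:
        print("rejected", raw, "-", why)
```

Paste the accepted column into the modem's MAC filter, fix any rejected entry at the source rather than guessing a digit, and keep a wired connection handy the first time you save, as the post advises.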

The above points are just basic measures - tip of the tip of the iceberg - you can do more to strengthen your bastion. Google is your friend.

Now go on. Play with that blinking box of yours. :)

Update: If you forgot the admin password of your modem - you can get it from your modem's configuration settings that you backed up earlier. Explained here.
