4. Configuration hints

For security, do these things through the Linksys web interface (probably at http://192.168.1.1 on your network):

Change your administrative password. On 15 June 2004 it was widely reported that turning off the remote admin feature doesn't work — you can still get at the administration page from the wireless side. This bug is still present in the 2.02 firmware, October 2004. It means that if you leave your password at default, any script kiddie can break in, steal your WEP, and scramble your configuration. The Linksys people get the moron medal with oak-leaf cluster for this screwup. (I don't know if this bug is still present in the 3.x firmware. It would be a good idea to check.)

Make sure the DMZ host feature is disabled, under +->, or in newer versions ->. It defaults off. Port-forward specific services instead of setting up a DMZ, and as few of those as you can get away with. A good minimum set is 22 (ssh) and 80 (http). If you want to receive mail, add 25 (smtp). If you need to serve DNS queries, add 53. To serve identd so remote MTAs can verify your identity, enable 113.

Disable Universal Plug and Play. Look under . There is a radio button for this under the "Password" tab; newer firmware versions put it under +. UPnP is a notorious security hole in Windows, and up to at least firmware version 1.44 there was a lot of Web scuttlebutt that the Linksys implementation is flaky. While this won't affect operating systems written by competent people, there is no point in having traffic from a bunch of script-kiddie probes even reach your network.
There are two more steps for older firmware versions only. You can ignore these if you have 2.x or later firmware.

Disable AOL Parental Controls. Make sure AOL Parental Controls (under ) is turned off (off is the default); otherwise the Linksys won't pass packets for your Unix box at all. Newer versions of the firmware don't have this misfeature.

Disable Stateful Packet Inspection. If you want to run a server and are running 1.42 or earlier firmware, you also need to make sure stateful packet inspection is off — this feature restricts incoming packets to those associated with an outbound connection and is intended for heightened security on client-only systems. On the page, make sure SPI is off. If you don't see a radio button for SPI, relax — the feature isn't present in all versions of the firmware, and in fact was removed in 1.43 for stability reasons.
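The checklist above (default password, DMZ host, minimal port-forward set, UPnP) and the two firmware-dependent steps (AOL Parental Controls, SPI) lend themselves to a scripted audit. The following is an added example, not part of this HOWTO and not anything the Linksys firmware exports: it takes a configuration snapshot as a plain Python dict (the key names, the `"admin"` factory-default placeholder, and both sample configurations are constructed assumptions) and reports every deviation from the recommendations in this section, including the version-gated ones.

```python
"""Audit a home-router configuration snapshot against the hardening
checklist in this section.  Added example; the dict layout below is an
assumed, constructed format, not a real Linksys export."""

# Minimum service set the text recommends, plus the optional extras it names.
BASELINE_PORTS = {22: "ssh", 80: "http"}
OPTIONAL_PORTS = {25: "smtp", 53: "dns", 113: "identd"}

# Constructed placeholder for the factory-default admin password.
DEFAULT_ADMIN_PASSWORD = "admin"


def parse_version(version):
    """'1.42' -> (1, 42) so firmware versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def audit(cfg):
    """Return a list of findings (strings). An empty list means every check passed."""
    findings = []
    firmware = parse_version(cfg["firmware"])

    if cfg["admin_password"] == DEFAULT_ADMIN_PASSWORD:
        findings.append("administrative password is still the factory default")

    if cfg["dmz_host"]:
        findings.append(
            f"DMZ host enabled for {cfg['dmz_host']}; port-forward specific services instead"
        )

    if cfg["upnp"]:
        findings.append("Universal Plug and Play is enabled")

    # Anything outside the recommended set is a forward that needs justifying.
    allowed = set(BASELINE_PORTS) | set(OPTIONAL_PORTS)
    for rule in cfg["port_forwards"]:
        if rule["port"] not in allowed:
            findings.append(
                f"port {rule['port']} forwarded to {rule['host']} is outside the recommended set"
            )

    # Older-firmware-only checks, as the text describes them.
    if firmware < (2, 0) and cfg.get("aol_parental_controls", False):
        findings.append("AOL Parental Controls enabled; the router will not pass packets to the Unix box")

    if firmware <= (1, 42) and cfg.get("spi", False) and cfg["port_forwards"]:
        findings.append("SPI is on with 1.42-or-earlier firmware; inbound server traffic will be dropped")

    return findings


# Constructed sample snapshots: one careless, one following the checklist.
CARELESS_CONFIG = {
    "firmware": "1.42",
    "admin_password": "admin",
    "dmz_host": "192.168.1.100",
    "upnp": True,
    "spi": True,
    "aol_parental_controls": True,
    "port_forwards": [
        {"port": 22, "host": "192.168.1.10"},
        {"port": 80, "host": "192.168.1.10"},
        {"port": 3389, "host": "192.168.1.20"},
    ],
}

HARDENED_CONFIG = {
    "firmware": "2.02",
    "admin_password": "a-long-unique-passphrase",
    "dmz_host": None,
    "upnp": False,
    "spi": False,
    "aol_parental_controls": False,
    "port_forwards": [
        {"port": 22, "host": "192.168.1.10"},
        {"port": 80, "host": "192.168.1.10"},
        {"port": 25, "host": "192.168.1.10"},
    ],
}

if __name__ == "__main__":
    for name, cfg in (("careless", CARELESS_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {len(audit(cfg))} finding(s)")
        for line in audit(cfg):
            print("  -", line)
```

The version gating matters: SPI on a 2.x box is harmless to a server and is not flagged, while the same setting on 1.42 firmware is, matching the text's advice.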