should you change routers ip address? for security

[GreatNate]

Iv had my lynksys router for about 2 months now I secured it buy encryption with a password. Should you change the routers default ip address? When I called lynksys to help me setup the router over the phone they said nothing about it??

 

[Brink]

Hi GreatNate,

Yes, for better security, you should change the default IP address. Just be sure to write it down so you have when you need to log in to the router.

 

[GreatNate]

It doesnt matter what numbers you put in right?

Anything else I should change for maximum security? I ONLY use this router for my PS3 so there will not be even one single computer connecting to this router, besides the desktop thats connected by a wire

currently its on wpa personal

Do I change the local ip address or the starting ip address?

anyone please help me, Iv screwed everything up. someone please help me

How do I change the ip address?????? I have a linksys router ANYONE!!!!!!!!!!!!!!​

 

[Barman58]

Hi,

First thing - can you still log into the router?

If you can then when you change the router address you have to use an allowed group.

I believe the linksys default is 192.168.2.1 you can change any of the numbers in the last two groups - I normally change the third set, (2 in the default setup).

If you cannot access the router you will need to reset the device to factory settings to start again. Check your manual as to what is the exact procedure for this but it normally involves pressing a reset button for a few seconds.

 

[Brink]

Nate,

Since we do not know your router's model number, you can also look up some information about your router from this link at Linksys to help.

Ask Linksys

Hope this helps,
Shawn

 

[johngalt]

default for older routers was 192.168.0.1. These days, in order to comply with VPN software, the routers started using 192.168.1.1. A lot of cable modems actually use 192.168.100.1, so avoid that one.

I myself created a completely whacked third and fourth octet, limiting my router from providing any more than 20 IPs (I only have 4 machines, 2 networked printers, 2 iPaqs and at most 2 visitors at any one time - but I have 6 older machines and do bring work home from clients' machines, so...) and have the router set a reservation list for all the active machines and the iPaqs and the printers so that those IPs never change....

If you don't play with your settings much, then your router is going to be able to assign 250+ IPs on the subnet - take, for example, the old default - 192.168.0.1. Now, the broadcast is on 192.168.0.254, so that one is out - and 0.1 is being used by the router. That leaves .2, .3, .4, ....250, .251, .252, .253, to be handed out. If you do a little research you can change your subnet mask from 255.255.255.0 to something else, meaning it can only offer a limited amount of IP addresses before it starts denying applicants. Furthermore, my settings allow me to specify the actual range of IP addresses I am allowed to hand out - so I reserved all my machines, say from 135-143, and then start handing out IPs from 150 to 160 for anyone who comes to visit and / or client machines.

Use a good *strong* password - don't let it contain parts of your name, DOB, address, tel#, etc....

Use strong Keys on your router, if it does not support automatic negotiation between your router and clients for wireless - use high security every which way, and for more users remote management is not needed - turn it off.

Finally, check the router every now and again to make sure that you don't need a firmware upgrade, and that all your settings are secure.

 

[mech]

Try turning on mac
addressing there should be a mac address on your ps3

 

[rive0108]

Iv had my lynksys router for about 2 months now I secured it buy encryption with a password. Should you change the routers default ip address? When I called lynksys to help me setup the router over the phone they said nothing about it??

I have a linksys router. Here is how I set the security-

1. Block anonymous internet requests
2.You can disable SSID Broadcast (I leave mine enabled though-as it makes it easier to reconnect to network in the event I repair/disconnect from network)
3. Do not use default Linksys SSID- change it
4.I use WPA TKP with a randomly manual generated 20+ digit string consisting of Numbers/symbols/letters/caps/lower case-Not an auto generated string (back it up, and
store it somewhere safe- like a encrypted/protected drive)
5.Enable MAC Filtering to allow only those IP's you add to the access list (i.e., networked computers)
6. Disable remote Admin/Disable Remote upgrade/Disable UPnP
7. Set alpha/numeric random password to router that is no less than 8 digits.
8. THIS IS VERY IMPORTANT!-TKIP re-keying Interval must be reset to 600 seconds (or less)

If you router offers WPA2 encryption use this as it is more secure than either WEP or WPA PSK.

 

[GreatNate]

why is it important to have a good ssid (I did not know that)

 

[Barman58]

Hi,

If you choose to hide the broadcast of your SSID, and if you still leave it at the default name someone could still "guess" it quite easily as the default names for the major router manufacturers are well known.

If you make it something unique to you and do not broadcast then this makes things more difficult for a potential hacker or leecher to gain access.

This also applies to the default router user names and passwords, there are sites on the net which actually list them,

This has been useful to me in the past when a user has locked themselves out of their router, and lost the manual so does not know the default after re-setting to factory defaults.

 

[rive0108]

why is it important to have a good ssid (I did not know that)

Not only is it important to change the SSID, it is also important to use encryption (use WPA2 if available), and configure MAC filtering for optimal security.

Put it this way, If you use an un-encrypted network ( or WPA/PSK, WEP), with the default SSID, and a key that can be easily broken with either a brute force attack or Dictionary attack, They can use your Network to hack into secured Areas (or surf child porn), and it will leave your ISP address behind as if you did it.:eek:....and Guess who's door the police will be banging on with an arrest warrant....

 

[GreatNate]

this makes no sense to me because I thought the ssid was the address? How could someone hack that just by knowing the name of your network? because they see your ssid anyways when they search for a network.

 

[Barman58]

Hi Greatnate,

A lot of routers (if not all) have a security measure whereby you can switch off the broadcasting of the SSID name, thus requiring that you have to know the SSID before you can connect, and enter your Security key.

 

[GreatNate]

but 99.9% of people dont hide there ssid, and how does it matter if its good or not. everyone will see it

 

[rive0108]

but 99.9% of people dont hide there ssid, and how does it matter if its good or not. everyone will see it

No one will see your SSID (network name) if you disable broadcast. There are many free programs that can hack WEP/WPA PSK (pre-shared keys). The trick to prevent someone gaining access to your network/piggingbacking is to:

1. Change the SSID from Linksys to say Qrtf1 (for example)
2. Do not use WEP, do not use a PSK key that is easily cracked like "protection"/ "Johns Computer"/"Home Network"/ "creative"/"micheal", (common phrases/names/anything found in a dictionary), etc., as WPA/PSK is as easily broken as WEP-unless you use a long randomly generated Pre-shared key like this-

i.e., 0z417swWM1'@((H#3$J]{,GOBW248+_@#fsdVXPq34012

and a router password like this:

i.e., 2j73Sq9obW

and it is very easy to enable MAC for only your networked devices- and block all others. If your router offers it use WPA1
Setting up your Wireless like this and disabling remote Admin, makes changing the Router IP superfluous-even if you broadcast your SSID. A long random key, and alpha numeric password make it virtually impossible to crack, and provides optimal security. Blocking anonymous requests to your router makes your computer invisable to any "pings" that are used on the Internet to locate Pc's/routers for the purpose of hacking, or attacking or in the event of unpatched vulnerabilites looking for systems to infect with malware. The router, even if located, will appear to be your PC on the Interent offering even more protection with the Hardware firewall as all attacks will be directed to it as opposed to your computer(s). This is something even hardwired PC's need for better security. Computers connected directly to the Modem are most suceptable to Pinging and hacking attacks.

 

[Ben2525]

There seems to be a mix of good/bad/miss information

changing your default router IP does nothing to secure your router since anyone on your network can either listen to network traffic and get the info or just brute-force IP scan.

Locking your router down to a list of MAC addresses can help, but anyone hacking your wireless network will just listen to the traffic and grab one of the mac addresses that are currently broadcasting data. Your router just ignores any mac address that doesn't match your list. but when your wireless device send data to your router, it broadcasts it's own mac address and someone can just read that and change their mac address to match yours.

Disabling SSID broadcast is a VERY good step in the right direction. It makes it quite a bit harder to figure out if there is a network to break into.

Anyone, who is set out to get free internet from someone, will just have some easily downloadable software that will listen to all wireless traffic and can pick up a network name by watching traffic patterns. If you use a wireless device, it has to communicate with your router and that traffic can be listened to.

Now that you're not broadcasting your SSID, you need to password protect your connection. WPA2 uses AES encryption. The non-AES encryption can be broken given enough time. The weaker encryption used by the older wireless protocols can be broken by listening to large amounts of data. Once someone has your SSID, then can have a device just sit and record all of your data. There is A LOT of data that is always the same in network packets. Being that people know what data to expect, they just listen to your wireless network for a few days, collect the data, and break your password based on knowing what the data should look like. AES is crazy hard to do this, but the older encryptions are relatively easy.

nutshell: disable SSID broadcasting, use WPA2 with AES (decent password)

 

[rive0108]

There seems to be a mix of good/bad/miss information

changing your default router IP does nothing to secure your router since anyone on your network can either listen to network traffic and get the info or just brute-force IP scan.

Locking your router down to a list of MAC addresses can help, but anyone hacking your wireless network will just listen to the traffic and grab one of the mac addresses that are currently broadcasting data. Your router just ignores any mac address that doesn't match your list. but when your wireless device send data to your router, it broadcasts it's own mac address and someone can just read that and change their mac address to match yours.

Disabling SSID broadcast is a VERY good step in the right direction. It makes it quite a bit harder to figure out if there is a network to break into.

Anyone, who is set out to get free internet from someone, will just have some easily downloadable software that will listen to all wireless traffic and can pick up a network name by watching traffic patterns. If you use a wireless device, it has to communicate with your router and that traffic can be listened to.

Now that you're not broadcasting your SSID, you need to password protect your connection. WPA2 uses AES encryption. The non-AES encryption can be broken given enough time. The weaker encryption used by the older wireless protocols can be broken by listening to large amounts of data. Once someone has your SSID, then can have a device just sit and record all of your data. There is A LOT of data that is always the same in network packets. Being that people know what data to expect, they just listen to your wireless network for a few days, collect the data, and break your password based on knowing what the data should look like. AES is crazy hard to do this, but the older encryptions are relatively easy.

nutshell: disable SSID broadcasting, use WPA2 with AES (decent password)

While that may be true, to hack the network they need the key. They can listen to the traffic all they want It does them no good If they cant break the encryption-or If it re-keys before enough packets are obtained, The network is still secure. In my case the algorithm for the Temporal key renews every 600 seconds.(by the time they crack the key it would already be changed). Researchers have found a way to break the Temporal Key Integrity Protocol (TKIP) key used by WPA in a matter of twelve to fifteen minutes. They have not yet managed to crack the encryption keys used to secure data that goes from the PC to the router. Security experts had known that TKIP could be cracked using what's known as a dictionary attack. Using massive computational resources, the attacker essentially cracks the encryption by making an extremely large number of educated guesses as to what key is being used to secure the wireless data.

Dictionary/brute force attacks will not crack an encryption key that is random like this, and will have difficulty with a temporal key that renews and changes every 10 minutes:

0z417swWM1'@((H#3$J]{,GOBW248+_@#fsdVXPq34012

Beck-Tews attacks (as well as others) operate on the premise that a long re-keying interval is used for TKIP (i.e., default 3600 seconds), this re-keying Interval must be changed.
The Aircr***-ng cracks utilize WEP (Brute-force search) and WPA (Dictionary File) keys breakers.
Effectively the only way to break WPA is to brute force it, so if you have a long key with letter, numbers and symbols in you are in effect making it logistically impossible to crack. It is important to also set the TKIP renewal to 600 Seconds.

How to secure WPA PSK
1. Block anonymous internet requests
2.You can disable SSID Broadcast (I leave mine enabled though-as it makes it easier to reconnect to network in the event I repair/disconnect from network)
3. Do not use default SSID- change it
4.I use WPA TKP with a randomly manual generated 40+ digit string consisting of Numbers/symbols/letters/caps/lower case-Not an auto generated string (back it up, and
store it somewhere safe- like a encrypted/protected drive)
5.Enable MAC Filtering to allow only those IP's you add to the access list (i.e., networked computers)
6. Disable remote Admin/Disable Remote upgrade/Disable UPnP
7. Set alpha/numeric random password to router that is no less than 8 digits.
8. THIS IS VERY IMPORTANT!-TKIP re-keying Interval must be reset to 600 seconds (or less)

"...the frst practical attack on WPA secured wireless networks, besides
launching a dictionary attack when a weak pre shared key (PSK) is used-
The attack works if the network is using TKIP to encrypt the traffic. An
attacker, who has about 12-15 minutes access to the network is then able
to decrypt an ARP request or response and send 7 packets with custom
content to network."

Eircom default wireless configuration is still insecure - boards.ie
http://www.infoworld.com/d/security-central/once-thought-safe-wpa-wi-fi-encryption-cracked-635
http://dl.aircrack-ng.org/breakingwepandwpa.pdf