Linksys EA6900 802.11ac WiFi Router security best practices

Posted by Paul Braren on Feb 23 2014 (updated on Apr 10 2014) in
  • Network

    • The public internet is a scary place. It's where your home's WiFi router lives, one "foot" on the outside, the other on the inside, vulnerable to attack as it works to protect your home's precious, connected gadgets. I've been doing some security "tuning" in the months since I deployed my family's new Linksys EA6900 WiFi Router back in October, and I'd like to share my own little "best practices" guidelines I've been using for years. This latest refresh of those practices are specific to the Linksys EA6900 router, but some of these concepts could apply to other models and brands of routers as well. None of these tweaks have left me without any features I really need or use. I have a robust, 150Mbps down and 30Mbps up connection to Cox, and rock-solid stability. And not once since October have I had to reboot this router manually for any network issues.

    I plan to use my own article here, to help me "audit" various friends and family routers I help configure. Hope you find it helpful. As always, I'm open to suggestions for improvements. Please drop your thoughts below the article.

    Disclaimer:

    • what you do to your network, and the security implications of your actions, are always done at your own risk
    • this guide is for informational purposes only
    • I'm sharing what I do and why, making no clams that it's the best way to configure your router for your situation
    • don't forget to backup your router's settings before you even begin tweaking any of your router's settings

    On the Linksys EA6900, such backups are done at:
    Router Settings, Troubleshooting, Diagnostics, Router configuration, 'Backup' button

    Can't find those settings? You probably activate the cloud connection and are using the https://www.linksyssmartwifi.com URL to get to your router. Read onward to see how to disable that.

    For advanced, normally hidden wireless settings, using local login, give this special URL a try:
    http://192.168.1.1/ui/dynamic/advanced-wireless.html

    Turn off WAN admin:

    For this router, there is no "Remote access from WAN" checkbox. Instead, simply don't bother with Creating a Linksys Smart Wi-Fi Account Article ID 25806 in the first place.

    Why? Well, how about Title: How to prevent your Linksys router from getting The Moon malware Article ID: 29259, which Steve Gibson has shortened to bit.ly/themoonworm. Yes, I realize the EA6900 is not vulnerable to this particular exploit, but my extended family still has some of the vulnerable E4200 models.

    It's just not great to open yourself up to remote login of any kind anyway, especially since you likely don't have any really good reason to. It's all just another potential attack vector, and another breach possibility.

    If you already set one up, you'reyou can downgrade following the Linksys instructions here, then deactivate the account as explained here. You'll then end up with the factory default http://192.168.1.1 URL to go get in and do web admin.

    Turn off UPnP:

    UPnP-Enabled-checkbox-is-turned-off

    Router Settings, Connectivity, 'Administration' tab, 'UPnP' checkbox off for 'Enabled'

    Why? You may remember US-CERT Alert TA12-006A, Jan 2012. Leaving it enabled is an unnecessary vulnerability for most home users, read more here:
    TinkerTry.com/upnp-vulnerability

    Turn on "Filter anonymous Internet requests":

    Filter-anonymous-Internet-requests

    Router Settings, Security, 'Firewall' tab, Internet filters, checkbox on for 'Filter anonymous Internet requests'

    Why? Well, same article about The Moon malware explains that the checkbox should be left on, which Linksys goes on to explain enhances security over here.

    Be sure you're not vulnerable to Port 32764 attack:

    grc-clean-32764-scan-result

    Test at grc.com/x/portprobe=32764

    Why? Read more about this January 2014 issue here. You'll know that if you past the test at the above URL if it says status 'Stealth', there's nothing to worry about. Probably a good idea to run this again, after any firmware updates.

    For WiFi encryption, use WPA2 (never use WEP):

    WPA2-Personal-set

    Router Settings, Wireless, 'Wireless' tab, making sure both the 2.4GHz and 5HGz wireless network show 'Security mode' as 'WPA2 Personal'

    Why? Because WEP was identified by Homeland Security as vulnerable, way back in Dec 2011, explained at:
    kb.cert.org/vuls/id/723755

    Turn off WPS (WiFi Protected Setup):

    Wi-Fi-Protected-Setup-slider-set-to-off

    Router Settings, Wireless, 'Wi-Fi Protected Setup' tab, making sure the 'Wi-Fi Protected Setup' slider is set to off

    Why? Because WPS is insecure, explained by US-CERT TA12-006A:
    Wi-Fi Protected Setup (WPS) Vulnerable to Brute-Force Attack Jan 2012.

    Yes, this means you have some minor loss of convenience. You can turn it on, connect your gizmo, then turn it off again, if you wish. I'd just rather have one less thing to read about/worry about/stay on top of, since I don't really need WPS.

    Turn off Automatic Firmware Update:

    Feb-23-2014-view-of-EA6900-downloads

    Router Settings, Connectivity, 'Basic' tab, 'Firmware Update' checkbox off for 'Automatic'

    As far as firmware? Well, I've been quite stable on the version I've had since the update I did right after the unboxing back in October 2013, Version 1.1.42.156465, documented at the manual download site here:
    support.linksys.com/en-us/support/routers/EA6900

    This means I'm rather motivated to think long and hard about any updates. I want to read release notes first, before considering the update. Turns out that since Wed Feb 20 2014, you can manually check for new firmware and find the following message, "New firmware available Click here to install 1.1.42.158863" seen below:

    New-firmware-available-1.1.42.158863

    The thing is, there are no release notes available publically yet. I even tried the Live Chat with Linksys at the same support site:
    support.linksys.com/en-us/support/routers/EA6900
    but they had no answers yet either, with no ETA on release notes. I'll just have to check back later. There's little urgency, since everything I need is working fine as is.

    The most important firmware upgrade would be the type that addresses a critical security vulnerability, and I'll need to apply any of those quickly, whether I want to or not. If more things like The Moon Malware show up, I may need to rethink this one, and turn Automatic Firmware Update back on. Admittedly, I haven't researched or tested whether this particular modem can be back-flashed, that is, flash the firmware back to a previous level. Curious if anybody has tested this? Drop a comment below!

    See also at TinkerTry

    See also

    Mar 11 2014 Update

    So, you have an Xbox, and wonder about the effects of turning of UPnP? The fix:
    support.xbox.com/en-US/xbox-on-other-devices/windows/troubleshoot-games-for-windows-live-connection#c22803418ebd4b76bb8463e98ccb2c75

    So, you have multiple Xboxes? Check out this solution:
    pcasts.in/gtGP

    Mar 30 2014 Update

    Version 1.1.42 Build 158863 is available here, with release notes. Strangely, it only shows for "Version 1.1" of the hardware, whatever that means, not version 1.0. This is strange because I bought my EA6900 the first month it arrived on shelves. I still have auto update off, and am still on the trusted 1.1.42.156465 level, with no pressing need that'd make me want to upgrade. Doing a search on "ea6900" in Linsksy forums, here's the results.

    Apr 10 2014 Update

    To see the exact details on how you go about setting up this router WITHOUT any of the cloud stuff, you don't need to sit through videos, check out this fine set of screenshots:

    TinkerTry - PCs, EVs, home tech, efficiency and more, including virtualization. My opinions here, not my employer's.

    Paul Braren, MCSE in 1998, VCP #2681 in 2005, vExpert 2014 to 2024, Veeam Vanguard Emeritus, 2015 to 2019.

    Support TinkerTry

    PayPal | Patreon | VMware Store

    After 6 successful years testing then shipping well over 1,000 Xeon D Bundles, Wiredzone had to stop selling them in mid-2021 due to cost, supply, and logistics challenges. So far, Xeon D-1700/2700 (Ice Lake D) was a minor refresh for 2023, with Xeon D-1800/2800 (Granite Rapids D) refresh looking a little better for 2024. More cores, but still just PCIe Gen4 and DDR4. Looking ahead, I'm glad it's Pat Gelsinger at Intel's helm. I'm also grateful to have had the honor of working at VMware when Pat was the CIO there. I'll leave it at that, given the whole Broadcom thing.

    Easily update VMware ESXi at TinkerTry.com/easy-update-to-latest-esxi