Linksys EA6900 802.11ac WiFi Router security best practices
The public internet is a scary place. It's where your home's WiFi router lives, one "foot" on the outside, the other on the inside, vulnerable to attack as it works to protect your home's precious, connected gadgets. I've been doing some security "tuning" in the months since I deployed my family's new Linksys EA6900 WiFi Router back in October, and I'd like to share my own little "best practices" guidelines I've been using for years. This latest refresh of those practices are specific to the Linksys EA6900 router, but some of these concepts could apply to other models and brands of routers as well. None of these tweaks have left me without any features I really need or use. I have a robust, 150Mbps down and 30Mbps up connection to Cox, and rock-solid stability. And not once since October have I had to reboot this router manually for any network issues.
I plan to use my own article here, to help me "audit" various friends and family routers I help configure. Hope you find it helpful. As always, I'm open to suggestions for improvements. Please drop your thoughts below the article.
Disclaimer:
- what you do to your network, and the security implications of your actions, are always done at your own risk
- this guide is for informational purposes only
- I'm sharing what I do and why, making no clams that it's the best way to configure your router for your situation
- don't forget to backup your router's settings before you even begin tweaking any of your router's settings
On the Linksys EA6900, such backups are done at:
Router Settings, Troubleshooting, Diagnostics, Router configuration, 'Backup' button
Can't find those settings? You probably activate the cloud connection and are using the https://www.linksyssmartwifi.com
URL to get to your router. Read onward to see how to disable that.
For advanced, normally hidden wireless settings, using local login, give this special URL a try:
http://192.168.1.1/ui/dynamic/advanced-wireless.html
Turn off WAN admin:
For this router, there is no "Remote access from WAN" checkbox. Instead, simply don't bother with Creating a Linksys Smart Wi-Fi Account Article ID 25806 in the first place.
Why? Well, how about Title: How to prevent your Linksys router from getting The Moon malware Article ID: 29259, which Steve Gibson has shortened to bit.ly/themoonworm. Yes, I realize the EA6900 is not vulnerable to this particular exploit, but my extended family still has some of the vulnerable E4200 models.
It's just not great to open yourself up to remote login of any kind anyway, especially since you likely don't have any really good reason to. It's all just another potential attack vector, and another breach possibility.
If you already set one up, you'reyou can downgrade following the Linksys instructions here, then deactivate the account as explained here. You'll then end up with the factory default http://192.168.1.1
URL to go get in and do web admin.
Turn off UPnP:
Router Settings, Connectivity, 'Administration' tab, 'UPnP' checkbox off for 'Enabled'
Why? You may remember US-CERT Alert TA12-006A, Jan 2012. Leaving it enabled is an unnecessary vulnerability for most home users, read more here:
TinkerTry.com/upnp-vulnerability
Turn on "Filter anonymous Internet requests":
Router Settings, Security, 'Firewall' tab, Internet filters, checkbox on for 'Filter anonymous Internet requests'
Why? Well, same article about The Moon malware explains that the checkbox should be left on, which Linksys goes on to explain enhances security over here.
Be sure you're not vulnerable to Port 32764 attack:
Test at grc.com/x/portprobe=32764
Why? Read more about this January 2014 issue here. You'll know that if you past the test at the above URL if it says status 'Stealth', there's nothing to worry about. Probably a good idea to run this again, after any firmware updates.
For WiFi encryption, use WPA2 (never use WEP):
Router Settings, Wireless, 'Wireless' tab, making sure both the 2.4GHz and 5HGz wireless network show 'Security mode' as 'WPA2 Personal'
Why? Because WEP was identified by Homeland Security as vulnerable, way back in Dec 2011, explained at:
kb.cert.org/vuls/id/723755
Turn off WPS (WiFi Protected Setup):
Router Settings, Wireless, 'Wi-Fi Protected Setup' tab, making sure the 'Wi-Fi Protected Setup' slider is set to off
Why? Because WPS is insecure, explained by US-CERT TA12-006A:
Wi-Fi Protected Setup (WPS) Vulnerable to Brute-Force Attack Jan 2012.
Yes, this means you have some minor loss of convenience. You can turn it on, connect your gizmo, then turn it off again, if you wish. I'd just rather have one less thing to read about/worry about/stay on top of, since I don't really need WPS.
Turn off Automatic Firmware Update:
Router Settings, Connectivity, 'Basic' tab, 'Firmware Update' checkbox off for 'Automatic'
As far as firmware? Well, I've been quite stable on the version I've had since the update I did right after the unboxing back in October 2013, Version 1.1.42.156465, documented at the manual download site here:
support.linksys.com/en-us/support/routers/EA6900
This means I'm rather motivated to think long and hard about any updates. I want to read release notes first, before considering the update. Turns out that since Wed Feb 20 2014, you can manually check for new firmware and find the following message, "New firmware available Click here to install 1.1.42.158863" seen below:
The thing is, there are no release notes available publically yet. I even tried the Live Chat with Linksys at the same support site:
support.linksys.com/en-us/support/routers/EA6900
but they had no answers yet either, with no ETA on release notes. I'll just have to check back later. There's little urgency, since everything I need is working fine as is.
The most important firmware upgrade would be the type that addresses a critical security vulnerability, and I'll need to apply any of those quickly, whether I want to or not. If more things like The Moon Malware show up, I may need to rethink this one, and turn Automatic Firmware Update back on. Admittedly, I haven't researched or tested whether this particular modem can be back-flashed, that is, flash the firmware back to a previous level. Curious if anybody has tested this? Drop a comment below!
See also at TinkerTry
See also
- Don’t shoot for ‘TheMoon’: New malware takes aim at Linksys routers
Feb 17 2014 by Korad Krawczyk
Mar 11 2014 Update
So, you have an Xbox, and wonder about the effects of turning of UPnP? The fix:
support.xbox.com/en-US/xbox-on-other-devices/windows/troubleshoot-games-for-windows-live-connection#c22803418ebd4b76bb8463e98ccb2c75
So, you have multiple Xboxes? Check out this solution:
pcasts.in/gtGP
Mar 30 2014 Update
Version 1.1.42 Build 158863 is available here, with release notes. Strangely, it only shows for "Version 1.1" of the hardware, whatever that means, not version 1.0. This is strange because I bought my EA6900 the first month it arrived on shelves. I still have auto update off, and am still on the trusted 1.1.42.156465 level, with no pressing need that'd make me want to upgrade. Doing a search on "ea6900" in Linsksy forums, here's the results.
Apr 10 2014 Update
To see the exact details on how you go about setting up this router WITHOUT any of the cloud stuff, you don't need to sit through videos, check out this fine set of screenshots:
- It Doesn’t Matter What You Think: Setting up the Linksys EA6900
Jan 18 2014, by JERAMIAH DOOLEY at Virtualization for Service Providers