Given the many recent incidents of routers and network attached storage devices being compromised, I think it is necessary to strengthen our knowledge of home network security. Most people understand network security only partly, or not at all, so I will explain things in a direct way and avoid technical jargon.
Router
Routers come in wired and wireless types, and most home routers are two-in-one, combining wired and wireless functions in a single device.
When setting up a router, you must change the router's default password, and the new password must be strong and complex.
When configuring router administration, never enable remote management, that is, never allow the router to be managed from outside the home. On most routers remote management is enabled by default.
When setting up a wireless router, use WPA3; if it is not available, use at least WPA2. For encryption, AES is best, with a password of at least twelve characters that includes uppercase and lowercase letters, numbers and punctuation. WPA3 routers will come to market at the end of this year, and at that point you must switch to WPA3.
Update the router firmware regularly. If the vendor has not released a firmware update for a year or more, or the model has been discontinued, you must replace it with a newer router. Always keep the router's specification current.
Do not open ports lightly. Check whether any ports are open to the internet, for example port 22 (SSH), 23 (Telnet), 80 (HTTP), 443 (HTTPS) or 8080 (proxy). If you find any, I strongly recommend closing them to the internet immediately; note that some routers open them by default.
Desktop
Update the operating system regularly and keep it at the latest version. Do not install or download software of unknown origin, and do not use pirated software or media. Update the browser regularly and do not visit disreputable or piracy websites. It is best to install and enable a firewall and not to open ports lightly.
If you run Microsoft Windows, you must install antivirus software. On Apple macOS or Linux, you may consider installing antivirus software. Linux can also be hardened at zero cost (see my blog for details).
Do not keep using old versions of an operating system, and never use an operating system that is no longer supported or updated.
Network Attached Storage (NAS)
If you have a NAS, I absolutely do not agree with connecting it directly to the internet for remote access. If remote access is required, I strongly recommend using a virtual private network (VPN), and the firmware must be updated regularly. A VPN feature can usually be found on the more expensive routers.
Finally, I wish everyone safe and enjoyable surfing on the internet!
Samiux
OSCE OSCP OSWP
June 7, 2018, Hong Kong, China
Home Network Security Rules
Recently, many routers and network attached storage (NAS) devices have been infected by malware or attacked. It is high time to refresh our home network security knowledge.
Router
There are wired and wireless routers on the market, and home routers usually combine both. Change the router's default password in the login control panel to a strong, complicated one. It is not wise to let the router be managed remotely; disable this feature even if it is enabled by default.
When setting up wireless, it is recommended to use WPA3 once it becomes available at the end of this year. If not, at least use WPA2 with AES encryption. Set a strong, complicated password containing uppercase and lowercase letters, numbers and symbols.
Update the router firmware whenever an update is available and always keep it up to date. If the vendor has not provided a firmware update for more than a year, or the router has been phased out, you should buy a new, modern one.
Make sure ports 22 (ssh), 23 (telnet), 80 (http), 443 (https) and 8080 (proxy) are not open or forwarded to the public on the router.
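As an added example (not code from the original post), here is a small Python self-check for two of the router rules above: the password policy stated in the first version of the post (at least twelve characters with uppercase, lowercase, digits and punctuation) and a plain TCP connect test for the five ports the post says must not be reachable from the internet. To test exposure, run check_ports from outside the home network, for example from a phone on mobile data, against the router's public (WAN) address; run from inside the LAN it only reports what the router's LAN side offers. The address in the main block is a placeholder from the documentation range, not a real host.

```python
import socket

# Ports the post says must not be reachable from the internet (port: service).
RISKY_PORTS = {22: "ssh", 23: "telnet", 80: "http", 443: "https", 8080: "proxy"}


def password_meets_policy(password, min_length=12):
    """Apply the post's rule: at least twelve characters, with uppercase and
    lowercase letters, digits and punctuation all present."""
    has_upper = any(c.isupper() for c in password)
    has_lower = any(c.islower() for c in password)
    has_digit = any(c.isdigit() for c in password)
    has_symbol = any(not c.isalnum() and not c.isspace() for c in password)
    return (len(password) >= min_length
            and has_upper and has_lower and has_digit and has_symbol)


def check_ports(host, ports=RISKY_PORTS, timeout=2.0):
    """Try a plain TCP connect to each port on host.

    Returns {port: True if the connection was accepted, False otherwise}.
    A refused connection counts as closed; a port dropped by a firewall
    simply times out and also counts as closed.
    """
    results = {}
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            try:
                s.connect((host, port))
                results[port] = True
            except OSError:
                results[port] = False
    return results


def exposed_services(results, names=RISKY_PORTS):
    """Names of the services whose port accepted a connection, in port order."""
    return [names.get(p, str(p)) for p in sorted(results) if results[p]]


if __name__ == "__main__":
    # Assumed value: replace with your router's public (WAN) address and run
    # this from outside the home network. 203.0.113.0/24 is a documentation
    # range, so as written this only demonstrates the timeout path.
    PUBLIC_IP = "203.0.113.10"
    print("Router password OK:", password_meets_policy("Replace-Me-2018!"))
    found = check_ports(PUBLIC_IP)
    print("Exposed services:", exposed_services(found) or "none")
```

If any service name is printed, that port is answering from the internet side and should be closed or its port forward removed in the router's settings, exactly as the post advises. The check says nothing about UDP services or about the router's LAN-side admin page, which the remote-management setting governs separately.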
Desktop
Update your operating system often and keep it up to date. Do not install any pirated software or media, or software from unknown sources. Make sure no port is open to the public.
If you use Microsoft Windows, installing an anti-virus program is recommended. You may consider installing one on Apple macOS and Linux systems too. You can also harden your Linux system at no extra cost; for details, please read my blog.
Never use an out-of-date operating system, especially one that is no longer supported or has already been phased out.
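The desktop rule "no port open to the public" can be verified on Linux by reading /proc/net/tcp, which lists every TCP socket with its local address and state. The parser below is an added example, not code from the original post. The sample table is constructed (a CUPS listener on loopback port 631, sshd and a proxy bound to 0.0.0.0, and one established connection) so the code runs offline; read_live reads the real file. It covers IPv4 only; /proc/net/tcp6 uses the same layout with 32-hex-digit addresses.

```python
# TCP state value the kernel prints for a listening socket ('st' column).
TCP_LISTEN = "0A"

# Constructed sample in /proc/net/tcp layout: CUPS on 127.0.0.1:631, sshd on
# 0.0.0.0:22, a proxy on 0.0.0.0:8080 (uid 1000) and one established connection.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 100 0 0 10 0
   2: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 12347 1 0000000000000000 100 0 0 10 0
   3: 0F00000A:B2C4 5DB8D822:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 12348 1 0000000000000000 20 4 30 10 -1
"""


def decode_addr(hex_addr):
    """Turn 'AABBCCDD:PPPP' into ('d.c.b.a', port).

    The kernel prints the IPv4 address as a host-order 32-bit value, so on
    little-endian machines (x86, most ARM) the four bytes appear reversed.
    """
    ip_hex, port_hex = hex_addr.split(":")
    octets = [int(ip_hex[i:i + 2], 16) for i in (6, 4, 2, 0)]
    return ".".join(str(o) for o in octets), int(port_hex, 16)


def listening_sockets(text):
    """Parse /proc/net/tcp text; return [(ip, port, uid)] for LISTEN sockets."""
    listeners = []
    for line in text.splitlines()[1:]:  # the first line is the column header
        fields = line.split()
        if len(fields) < 8 or fields[3] != TCP_LISTEN:
            continue
        ip, port = decode_addr(fields[1])
        listeners.append((ip, port, int(fields[7])))
    return listeners


def publicly_bound(listeners):
    """Listeners on 0.0.0.0 accept connections on every interface, so other
    hosts on the LAN can reach them (and internet hosts can, if the router
    forwards the port). Loopback-only listeners are not reachable remotely."""
    return [entry for entry in listeners if entry[0] == "0.0.0.0"]


def read_live():
    """Read the real table on a Linux host."""
    with open("/proc/net/tcp") as f:
        return f.read()


if __name__ == "__main__":
    for ip, port, uid in publicly_bound(listening_sockets(read_live())):
        print(f"{ip}:{port} is listening on all interfaces (uid {uid})")
```

A listener bound to 0.0.0.0 is only unreachable if a host firewall blocks it, which is why the post pairs "no open ports" with "install and enable a firewall". For each reported port, either stop the service, bind it to 127.0.0.1 in its configuration, or add a firewall rule; then re-run the check.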
Network Attached Storage (NAS)
Update the NAS firmware to the latest version often. I do not recommend letting your NAS be accessed from the internet. When remote access is necessary, I strongly recommend doing it via a virtual private network (VPN). More expensive routers may be equipped with a VPN feature.
Finally, happy internet surfing!
Samiux
OSCE OSCP OSWP
June 7, 2018 Hong Kong, China