basic_hardening [2025/12/07 20:44] – [VPN Connections] -Add warning not to use VPN providers own test pages hogwildbasic_hardening [2026/01/09 23:50] (current) – [VPN Connections] -Condense hogwild
Line 1: Line 1:
 ====== Basic Steps to Harden FreshTomato ====== ====== Basic Steps to Harden FreshTomato ======
  
-This HOWTO will provide some basic steps toward hardening your Freshtomato router. It is not intended to be a thorough or complete reference on securing your networkonly a starting point.+This HOWTO will provide some basic steps toward hardening your Freshtomato router. It is not intended to be a thorough or complete reference on securing your network. It is only a starting point.
  
 Each small step will reduce your network's [[https://en.wikipedia.org/wiki/Attack_surface|attack surface]].  \\   \\ Each small step will reduce your network's [[https://en.wikipedia.org/wiki/Attack_surface|attack surface]].  \\   \\
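Review bot: The new "+" line fixes the run-on ("networkonly") but leaves "Freshtomato" in lower camel case while the heading directly above spells it "FreshTomato"; pick one spelling for the whole page. The sentence-splitting change itself is fine.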
Line 12: Line 12:
     * Change the password to a strong, unique one. \\ This is crucial. Many attacks rely on default credentials.     * Change the password to a strong, unique one. \\ This is crucial. Many attacks rely on default credentials.
  
-  * Enable HTTPS for router access: Secure the web interface by setting local access to use secure HTTPS instead of HTTP FIXME+  * Enable HTTPS for router access: Secure the web interface by setting local access to use secure HTTPS instead of HTTP.
  
  
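Review bot: The FIXME on the HTTPS bullet was dropped without the item being completed. The "+" line still does not say where the setting lives or make explicit that HTTP should be turned off rather than HTTPS merely added alongside it, which is what "instead of HTTP" implies. Suggest linking the menu the same way the later bullet links [[admin_access|Admin Access]], and wording it as "set local access to HTTPS only".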
Line 25: Line 25:
   * Disable UPnP in the [[forward-upnp|UPnP IGD & PCP]] menu. Universal Plug and Play is known to be insecure and should be disabled, unless absolutely required.   * Disable UPnP in the [[forward-upnp|UPnP IGD & PCP]] menu. Universal Plug and Play is known to be insecure and should be disabled, unless absolutely required.
  
-  * In the [[admin_access|Admin Access]] menu, set a low value in the "//Limit Communication to//" field to limit SSH / Telnet requests. This helps prevent DDoS attacks. FIXME Should this be here?+  * In the [[admin_access|Admin Access]] menu, set a low value in the "//Limit Communication to//" field to limit SSH / Telnet requests. This helps prevent DDoS attacks. FIXME Does this belong in this section?
  
  
 ===== WiFi Settings ===== ===== WiFi Settings =====
  
-  * Use strong WiFi security protocols / encryption.  At a minimum, configure wireless security to WPA2 Personal, with AES encryption. \\ Note that some WiFi modes do not support higher encryption. If it is enabled, those modes may not function properly.+  * Use strong WiFi security protocols / encryption.   At a minimum, configure wireless security to WPA2 Personal, with AES encryption. \\ Note that some WiFi modes do not support higher encryption. If it is enabled, those modes may not function properly.
  
   * Change the default SSID to one that is unidentifiable.   * Change the default SSID to one that is unidentifiable.
Line 38: Line 38:
   * Consider changing the Group Key Renewal setting to a lower value, such as 1800. \\ Rotating the client-router encryption keys more often will reduce the chances strangers will gain WiFi access.   * Consider changing the Group Key Renewal setting to a lower value, such as 1800. \\ Rotating the client-router encryption keys more often will reduce the chances strangers will gain WiFi access.
  
-  * Reduce WiFi signal strength in the the /Advanced/[[advanced-wireless|Wireless]] menu//. // \\ Lowering a radio's transmit power to the minimum necessary to communicate with your devices reduces signal range. This minizes the chances others can connect via WiFi.+  * Reduce WiFi signal strength in the the /Advanced/[[advanced-wireless|Wireless]] menu//. // \\ Lowering a radio's transmit power to the minimum necessary to communicate with your devices reduces signal range. This minimizes the chances others can connect via WiFi.
  
   * Randomize MAC address: Use MAC address randomization to prevent tracking or spoofing risks.  This can be achieved through the command-line interface through use of the following script:   * Randomize MAC address: Use MAC address randomization to prevent tracking or spoofing risks.  This can be achieved through the command-line interface through use of the following script:
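Review bot: The "Limit Communication to" bullet still claims the setting "helps prevent DDoS attacks"; a per-connection rate limit on SSH/Telnet slows brute-force login attempts but does nothing against a volumetric attack, so the new FIXME should be resolved by rewording the benefit (and, since Telnet is unencrypted, by recommending it be disabled rather than only rate-limited). Two smaller points in the same hunk: the transmit-power bullet fixes "minizes" but keeps "in the the" and the stray "//. //" markup in the "+" line, and the MAC-randomization bullet should say which MAC is randomized (the router's WAN or WLAN address) before pointing at a script.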
Line 61: Line 61:
     * Set "DNSSEC validation method" to, for example, "Dnsmasq".     * Set "DNSSEC validation method" to, for example, "Dnsmasq".
     * Enable "Use Stubby"     * Enable "Use Stubby"
-    * Select "Show/Hide Servers". Select an appropriate Stubby server. \\ Many people use/trust Cloudflare 1 or 2 .\\  +    * Select "Show/Hide Servers". Select an appropriate Stubby server. \\ Many people use/trust Cloudflare 1 or 2 .\\
-      *+
  
   * Set "DNSSEC validation method" ("Dnsmasq").   * Set "DNSSEC validation method" ("Dnsmasq").
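Review bot: The removal of the empty nested bullet is correct, but the surrounding context shows the DNSSEC step twice ("Set 'DNSSEC validation method' to, for example, 'Dnsmasq'" and again "Set 'DNSSEC validation method' ('Dnsmasq')"); collapse them into one step. "Cloudflare 1 or 2" is also ambiguous as written; say what the two entries are in the Stubby server list so the reader can match them.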
Line 77: Line 76:
   * Disable NAT loopback.   * Disable NAT loopback.
  
 +  * Unless you're using an IPSEC VPN, disable IPSEC Passthrough in the Conntrack/Netfilter. While not, per se, a firewall function, this will remove open NAT entries in your router.
  
-===== Use Adblock =====+ 
 +===== Use Adblock/DNS Filtering =====
  
 Go to the [[adblock_dns_filtering|Adblock]] menu and enable this feature. If not completed already, add Domain blacklist URLs from the wiki list to choose which content to filter. Go to the [[adblock_dns_filtering|Adblock]] menu and enable this feature. If not completed already, add Domain blacklist URLs from the wiki list to choose which content to filter.
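Review bot: The added IPSEC Passthrough bullet is missing the word "menu" after "Conntrack/Netfilter", and "this will remove open NAT entries in your router" does not tell the reader what risk is being reduced; phrase it the way the UPnP bullet earlier in this diff does (what the feature exposes, and when it is actually needed). Also, the heading is renamed to "Use Adblock/DNS Filtering" but the paragraph beneath it still calls the menu "Adblock" even though the link target is already adblock_dns_filtering; align the link text with the new heading.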
Line 94: Line 95:
 ===== VPN Connections ===== ===== VPN Connections =====
  
-  * Use a website to check for IP leaks. Recommended websites include: [[https://www.dnsleaktest.com|dnsleaktest.com]], [[https://controld.com/tools/dns-leak-test|controld.com]] and [[https://ipleak.net/|ipleak.net]]\\ If your real (physical) IP address leaks, your "cover is blown" and there's no point in using a VPN, as the main reason for using one is to hide that address. Avoid using most VPN providers' own test page. Their "leak tests" almost always return a result of  "Unprotected". They do not display an IP address from their own VPN server pool, and in this way, can scare users into purchasing a "real secure VPN" +  * Use a website to check for IP leaks. Recommended websites include: [[https://www.dnsleaktest.com|dnsleaktest.com]], [[https://controld.com/tools/dns-leak-test|controld.com]] and [[https://ipleak.net/|ipleak.net]]\\ If your real (physical) IP address leaks, your "cover is blown" and there's no point in using a VPN, as the main reason for using one is to hide that address. Avoid using most VPN providers' own test pages. Their "leak tests" almost always return a result of  "Unprotected". They do not display an IP address from their own VPN server pool, and in this way, can scare users into purchasing a "real secure VPN" \\ \\  
-  * Use a website to check for DNS leaks. \\The same goes for your DNS server information. If it leaks, you're not hiding your digital identity. Recommended websites include: [[https://www.dnsleaktest.com|dnsleaktest.com]], [[https://controld.com/tools/dns-leak-test|controld.com]] and [[https://ipleak.net/|ipleak.net]] +  * Use a website to check for DNS leaks. Also use them to test your DNS server information. If it leaks, you're not hiding your digital identity. Recommended websites include: [[https://www.dnsleaktest.com|dnsleaktest.com]], [[https://controld.com/tools/dns-leak-test|controld.com]] and [[https://ipleak.net/|ipleak.net]] \\ \\  
-  * Configure a kill switch.  A kill switch is basically a some policy-based routing rule to ensure that if the VPN tunnel/encryption is dropped, FreshTomato will drop your Internet connection to the VPN provider. +  * Configure a kill switch.  A kill switch is basically a policy-based routing rule to ensure that when the VPN tunnel/encryption is dropped, FreshTomato will drop your Internet connection to the VPN provider. This prevents you from using the Internet while your real IP address is exposed.\\ \\  
-  * Consider using a Stubby server for DNS resolution. Stubby allows for secure+  * Consider using a Stubby server for DNS resolution. Stubby enhances DNS privacy by allowing DNS over TLS (“DoT”). DoT sends DNS queries via a secure (TLS-encrypted) connection. Note that network devices which use Stubby to resolve DNS queries, or point DNS queries to a router using Stubby will not have ads blocked by  the Adblock feature.
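Review bot: The kill-switch bullet in the "+" line is internally inconsistent: it first says FreshTomato "will drop your Internet connection to the VPN provider", then says this "prevents you from using the Internet while your real IP address is exposed". A kill switch blocks traffic that would leave over the plain WAN once the tunnel is down; it does not cut the connection to the provider. Suggest: "ensure that if the VPN tunnel drops, traffic that would otherwise leave over the WAN unencrypted is blocked". The Stubby bullet usefully notes the Adblock interaction; cross-referencing the Adblock/DNS Filtering section would help readers who set up both.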
  
  
basic_hardening.1765140267.txt.gz · Last modified: by hogwild