FreshTomato Wiki

User Tools

Site Tools

Trace:
basic_hardening

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
basic_hardening [2026/01/02 17:09] – [DNS] hogwildbasic_hardening [2026/01/09 23:50] (current) – [VPN Connections] -Condense hogwild
Line 1: Line 1:
 ====== Basic Steps to Harden FreshTomato ====== ====== Basic Steps to Harden FreshTomato ======
  
-This HOWTO will provide some basic steps toward hardening your Freshtomato router. It is not intended to be a thorough or complete reference on securing your networkonly a starting point.+This HOWTO will provide some basic steps toward hardening your Freshtomato router. It is not intended to be a thorough or complete reference on securing your network. It is only a starting point.
  
 Each small step will reduce your network's [[https://en.wikipedia.org/wiki/Attack_surface|attack surface]].  \\   \\ Each small step will reduce your network's [[https://en.wikipedia.org/wiki/Attack_surface|attack surface]].  \\   \\
Line 12: Line 12:
     * Change the password to a strong, unique one. \\ This is crucial. Many attacks rely on default credentials.     * Change the password to a strong, unique one. \\ This is crucial. Many attacks rely on default credentials.
  
-  * Enable HTTPS for router access: Secure the web interface by setting local access to use secure HTTPS instead of HTTP FIXME+  * Enable HTTPS for router access: Secure the web interface by setting local access to use secure HTTPS instead of HTTP.
  
  
Line 25: Line 25:
   * Disable UPnP in the [[forward-upnp|UPnP IGD & PCP]] menu. Universal Plug and Play is known to be insecure and should be disabled, unless absolutely required.   * Disable UPnP in the [[forward-upnp|UPnP IGD & PCP]] menu. Universal Plug and Play is known to be insecure and should be disabled, unless absolutely required.
  
-  * In the [[admin_access|Admin Access]] menu, set a low value in the "//Limit Communication to//" field to limit SSH / Telnet requests. This helps prevent DDoS attacks. FIXME Should this be here?+  * In the [[admin_access|Admin Access]] menu, set a low value in the "//Limit Communication to//" field to limit SSH / Telnet requests. This helps prevent DDoS attacks. FIXME Does this belong in this section?
  
  
Line 76: Line 76:
   * Disable NAT loopback.   * Disable NAT loopback.
  
 +  * Unless you're using an IPSEC VPN, disable IPSEC Passthrough in the Conntrack/Netfilter. While not, per se, a firewall function, this will remove open NAT entries in your router.
  
-===== Use Adblock =====+ 
 +===== Use Adblock/DNS Filtering =====
  
 Go to the [[adblock_dns_filtering|Adblock]] menu and enable this feature. If not completed already, add Domain blacklist URLs from the wiki list to choose which content to filter. Go to the [[adblock_dns_filtering|Adblock]] menu and enable this feature. If not completed already, add Domain blacklist URLs from the wiki list to choose which content to filter.
Line 96: Line 98:
   * Use a website to check for DNS leaks. Also use them to test your DNS server information. If it leaks, you're not hiding your digital identity. Recommended websites include: [[https://www.dnsleaktest.com|dnsleaktest.com]], [[https://controld.com/tools/dns-leak-test|controld.com]] and [[https://ipleak.net/|ipleak.net]] \\ \\    * Use a website to check for DNS leaks. Also use them to test your DNS server information. If it leaks, you're not hiding your digital identity. Recommended websites include: [[https://www.dnsleaktest.com|dnsleaktest.com]], [[https://controld.com/tools/dns-leak-test|controld.com]] and [[https://ipleak.net/|ipleak.net]] \\ \\ 
   * Configure a kill switch.  A kill switch is basically a policy-based routing rule to ensure that when the VPN tunnel/encryption is dropped, FreshTomato will drop your Internet connection to the VPN provider. This prevents you from using the Internet while your real IP address is exposed.\\ \\    * Configure a kill switch.  A kill switch is basically a policy-based routing rule to ensure that when the VPN tunnel/encryption is dropped, FreshTomato will drop your Internet connection to the VPN provider. This prevents you from using the Internet while your real IP address is exposed.\\ \\ 
-  * Consider using a Stubby server for DNS resolution. Stubby allows for secure+  * Consider using a Stubby server for DNS resolution. Stubby enhances DNS privacy by allowing DNS over TLS (“DoT”). DoT sends DNS queries via a secure (TLS-encrypted) connection. Note that network devices which use Stubby to resolve DNS queries, or point DNS queries to a router using Stubby will not have ads blocked by  the Adblock feature.
  
  
basic_hardening.1767373780.txt.gz · Last modified: by hogwild

Page Tools

Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki