====== Basic Steps to Harden FreshTomato ======

This HOWTO provides some basic steps toward hardening your FreshTomato router. It is not intended to be a thorough or complete reference on securing your network, only a starting point. Each small step reduces your network's [[https://en.wikipedia.org/wiki/Attack_surface|attack surface]].

===== Logon / Remote Administration =====

  * In the [[admin_access|Admin Access]] menu:
    * Change the default username from "root" to something else.
    * Change the password to a strong, unique one. \\ This is crucial. Many attacks rely on default credentials.
  * Enable HTTPS for router access: secure the web interface by setting local access to use HTTPS instead of HTTP. FIXME

===== Disable Unnecessary Services/Features =====

  * Unless needed, disable unused services in the [[admin_access|Admin Access]] menu, including:
    * SSH
    * Telnet (make sure your web interface connections are reliable)
    * Wireless access
    * Remote Access
  * Disable UPnP in the [[forward-upnp|UPnP IGD & PCP]] menu. Universal Plug and Play is known to be insecure and should be disabled unless absolutely required.
  * In the [[admin_access|Admin Access]] menu, set a low value in the "//Limit Communication to//" field to limit SSH / Telnet requests. This helps prevent DDoS attacks. FIXME Should this be here?

===== WiFi Settings =====

  * Use strong WiFi security protocols / encryption. \\ At a minimum, configure wireless security to WPA2 Personal with AES encryption. \\ Note that some WiFi modes do not support higher encryption and, if enabled, may not function properly.
  * Change the default SSID to one that is unidentifiable.
  * Use long, complex WiFi shared keys with special characters and no dictionary words.
  * Consider changing the Group Key Renewal setting to a lower value, such as 1800. \\ Rotating the client-router encryption keys more often reduces the chances that strangers will gain WiFi access.
  * Reduce WiFi signal strength in the Advanced / [[advanced-wireless|Wireless]] menu. \\ Lowering a radio's transmit power to the minimum necessary to communicate with your devices reduces signal range. This minimizes the chances others can connect via WiFi.
  * Randomize MAC address: use MAC address randomization to prevent tracking or spoofing risks. FIXME! HOW?
  * Consider adding entries in the [[wireless_filter|Wireless Filter]] menu for all known devices. This allows you to specify which WiFi devices (via their known MAC addresses) will be allowed to connect to WiFi.

===== DHCP Settings =====

  * In the [[dhcp_reservation|DHCP Reservation]] menu, create reservations for all known client devices. They will then always be assigned the address you choose. Note that this does not control devices configured with a static IP address.
  * Choose IP addresses wisely. Typically, users set their router's address to %%"www.xxx.yyy.1"%% and other addresses as consecutive numbers after that. However, it is a better idea to assign client devices a less predictable address, such as ".27", ".54", et cetera.
  * In the [[advanced-dhcpdns|DHCP-DNS-TFTP]] menu, enable //Ignore DHCP requests from unknown devices//. Remember to release and then renew the DHCP leases on each client device for them to retain connectivity.
  * While there, enable "//Generate a name for DHCP clients which do not otherwise have one//". Forcing all client devices to be given hostnames will help to track/identify rogue or unknown devices.

===== DNS =====

  * Check "Enable DNSSEC support" in the [[advanced-dhcpdns|DHCP-DNS-TFTP]] menu.
  * Set "DNSSEC validation method" to, for example, "Dnsmasq".
  * Enable "Use Stubby".
  * Select "Show/Hide Servers" and choose an appropriate Stubby server. \\ Many people use/trust Cloudflare 1 or 2.

===== Firewall Settings =====

  * In the [[advanced-firewall|Firewall]] menu, enable //TCP SYN cookies//. This will help to defend against SYN flood attacks.
  * //Clear default firewall entries and settings//: remove default rules and entries that could be unsecured or unnecessary.
  * Disable NAT loopback.

===== Use Adblock =====

Go to the [[adblock_dns_filtering|Adblock]] menu and enable this feature. If not already done, add Domain blacklist URLs from the wiki list to choose which content to filter.

===== Router Identification =====

In the [[advanced-routing|Routing]] menu, disable "Accept DHCP Classless Routes" (option 121). This reduces exposure to attacks from rogue DHCP servers sending malicious/fake routes.

===== VPN Connections =====
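===== Verifying the Settings =====

The steps in this HOWTO are all toggled in the web interface. The following shell script, an added example that is not part of the FreshTomato wiki or project, reads the same settings back from nvram on the router so you can confirm that the hardening actually took effect and has not been reverted. The nvram variable names and the values it expects are assumptions based on Tomato-family firmware, not taken from this page; check each one against ''nvram show'' on your own unit.

```shell
# Added example, not from the FreshTomato wiki: audit nvram settings that
# correspond to the steps in this HOWTO. Variable names and expected values
# are ASSUMPTIONS (Tomato-family firmware); confirm with `nvram show | grep`.

# One check per line: "<nvram variable> <expected value> <HOWTO section>"
# An expected value of "!x" means "anything except x".
HARDENING_CHECKS='
http_username      !root  AdminAccess:username_not_root
remote_management  0      AdminAccess:remote_admin_off
telnetd_eas        0      AdminAccess:telnet_off
sshd_eas           0      AdminAccess:ssh_off
upnp_enable        0      UPnP:disabled
ne_syncookies      1      Firewall:tcp_syn_cookies
nf_loopback        2      Firewall:nat_loopback_disabled
dhcpd_static_only  1      DHCP:ignore_unknown_clients
dhcpd_gen_names    1      DHCP:generate_client_names
dnssec_enable      1      DNS:dnssec_enabled
dhcp_routes        0      Routing:classless_routes_off
'

# check_setting VALUE EXPECTED: returns 0 when VALUE satisfies EXPECTED.
check_setting() {
    case "$2" in
        '!'*) [ "$1" != "${2#!}" ] ;;
        *)    [ "$1" = "$2" ] ;;
    esac
}

# run_audit: prints one PASS/FAIL line per check and returns the number of
# failures. A here-document (not a pipe) keeps the counter in this shell.
run_audit() {
    fails=0
    while read -r name expected label; do
        [ -n "$name" ] || continue
        value=$(nvram get "$name" 2>/dev/null) || value=""
        if check_setting "$value" "$expected"; then
            echo "PASS $name=$value ($label)"
        else
            echo "FAIL $name=$value, expected $expected ($label)"
            fails=$((fails + 1))
        fi
    done <<EOF
$HARDENING_CHECKS
EOF
    return $fails
}

if command -v nvram >/dev/null 2>&1; then
    run_audit
else
    echo "nvram not found; run this script on the router itself" >&2
fi
```

Copy the script to the router (for example over SSH while it is still enabled) and run it with ''sh''; a non-zero exit status is the number of checks that failed.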