Basic Steps to Harden FreshTomato

This HOWTO will provide some basic steps toward hardening your Freshtomato router. It is not intended to be a thorough or complete reference on securing your network, only a starting point.

Each small step will reduce your network's attack surface.

• In the Admin Access menu:
  • Change the default username from “root” to something else.
  • Change the password to a strong, unique one.
    This is crucial. Many attacks rely on default credentials.

• Enable HTTPS for router access: Secure the web interface by setting local access to use secure HTTPS instead of HTTP

• Unless needed, disable unused services in the Admin Access menu, including:
  • SSH
  • Telnet (make sure your web interface connections are reliable)
  • Wireless access
  • Remote Access

• Disable UPnP in the UPnP IGD & PCP menu. Universal Plug and Play is known to be insecure and should be disabled, unless absolutely required.

• In the Admin Access menu, set a low value in the “Limit Communication to” field to limit SSH / Telnet requests. This helps prevent DDoS attacks. Should this be here?

• Use strong WiFi security protocols / encryption.
  At a minimum, configure wireless security to WPA2 Personal, with AES encryption.
  Note that some WiFi modes do not support higher encryption, and if enabled, may not function properly.

• Change the default SSID to one that is unidentifiable.

• Use long, complex WiFi Shared Keys with special characters, and no dictionary words.

• Consider changing the Group Key Renewal setting to a lower value, such as 1800.
  Rotating the client-router encryption keys more often will reduce the chances strangers will gain WiFi access.

• Reduce WiFi signal strength in the /Advanced/Wireless menu.
  Lowering a radio's transmit power to the minimum necessary to communicate with your devices reduces signal range. This minizes the chances others can connect via WiFi.

• Randomize MAC address: Use MAC address randomization to prevent tracking or spoofing risks. ! HOW?

• Consider adding entries in the Wireless Filter menu for all known devices. This will allow you specify which WiFi devices (via their known MAC addresses) will be allowed to connect to WiFi.
  
  

• In the DHCP Reservation menu, create reservations for all known client devices. This will mean they will always be assigned the address you choose. Note that this will not control devices configured with a static IP address.

• Choose IP addresses wisely. Typically, users set their router's address to "www.xxx.yyy.1" and other addresses as consecutive numbers after that. However, it's a better idea to assign client devices a less predictable address, such as “.27”, “.54”etctera.

• In the DHCP-DNS-TFTP menu, enable Ignore DHCP requests from unknown devices. Remember to release and then renew the DHCP leases on each client device for them to retain connectivity.

• While there, enable “Generate a name for DHCP clients which do not otherwise have one”. Forcing all client devices to be given hostnames will help to track/identify rogue or unknown devices.

• Check “Enable DNSSEC support” in the DHCP-DNS-TFTP menu.
  • Set “DNSSEC validation method” to, for example, “Dnsmasq”.
  • Enable “Use Stubby”.
  • Select “Show/Hide Servers”. Select an appropriate Stubby server.
    Many people use/trust Cloudflare 1 or 2 .
    

• Set “DNSSEC validation method” (“Dnsmasq”).

• Enable “Use Stubby”.

• In the Firewall menu, enable TCP SYN cookies. This will help to defend against SYN flood attacks.

• Clear default firewall entries and settings: Remove default rules and entries that could be unsecured or unnecessary.

• Disable NAT loopback.

Go to the Adblock menu and enable this feature. If not completed already, add Domain blacklist URLs from the wiki list to choose which content to filter.

In the Routing menu, disable “Accept DHCP Classless Routes” (option 121). This will reduce exposure to attacks from rogue DHCP servers sending malicious/fake routes.