<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML>
<HEAD>
<TITLE>Configuration hints</TITLE>
<META NAME="GENERATOR" CONTENT="Modular DocBook HTML Stylesheet Version 1.7">
<LINK REL="HOME" TITLE="Linksys Blue Box Router HOWTO" HREF="index.html">
<LINK REL="PREVIOUS" TITLE="Lost the manual?" HREF="lostmanual.html">
<LINK REL="NEXT" TITLE="Upgrading the firmware" HREF="upgradingfirmware.html">
</HEAD>
<BODY CLASS="sect1" BGCOLOR="#FFFFFF" TEXT="#000000" LINK="#0000FF" VLINK="#840084" ALINK="#0000FF">
<DIV CLASS="NAVHEADER">
<TABLE SUMMARY="Header navigation table" WIDTH="100%" BORDER="0" CELLPADDING="0" CELLSPACING="0">
<TR><TH COLSPAN="3" ALIGN="center">Linksys Blue Box Router HOWTO</TH></TR>
<TR>
<TD WIDTH="10%" ALIGN="left" VALIGN="bottom"><A HREF="lostmanual.html" ACCESSKEY="P">Prev</A></TD>
<TD WIDTH="80%" ALIGN="center" VALIGN="bottom"></TD>
<TD WIDTH="10%" ALIGN="right" VALIGN="bottom"><A HREF="upgradingfirmware.html" ACCESSKEY="N">Next</A></TD>
</TR>
</TABLE>
<HR ALIGN="LEFT" WIDTH="100%">
</DIV>
<DIV CLASS="sect1">
<H1 CLASS="sect1"><A NAME="confighints"></A>4. Configuration hints</H1>
<P>For security, do these things through the Linksys web interface
(probably at <A HREF="http://192.168.1.1" TARGET="_top">http://192.168.1.1</A> on
your network):</P>
<DIV CLASS="procedure">
<OL TYPE="1">
<LI><P><EM>Change your administrative password.</EM> On 15 June 2004 it was
<A HREF="http://slashdot.org/article.pl?sid=04/06/03/0337205&mode=thread&tid=137&tid=193&tid=215" TARGET="_top">widely reported</A>
that turning off the remote admin feature doesn't work
— you can still get at the administration page from the wireless
side. This bug is still present in the 2.02 firmware, October 2004. It
means that if you leave your password at default, any script kiddie can
break in, steal your WEP, and scramble your configuration. The Linksys
people get the moron medal with oak-leaf cluster for this screwup.</P>
<P>(I don't know if this bug is still present in the 3.x firmware. It
would be a good idea to check.)</P></LI>
<LI><P><EM>Make sure the DMZ host feature is disabled</EM>, under
<SPAN CLASS="guimenu">Applications</SPAN>+<SPAN CLASS="guimenu">Gaming</SPAN>-><SPAN CLASS="guimenuitem">DMZ Host</SPAN>,
or in newer versions
<SPAN CLASS="guimenu">Applications &amp; Gaming</SPAN>-><SPAN CLASS="guimenuitem">DMZ Host</SPAN>. It
defaults off.</P></LI>
<LI><P><EM>Port-forward specific services instead of setting up a DMZ</EM>,
and as few of those as you can get away with.
A good minimum set is 22 (ssh) and 80 (http). If you want to receive mail,
add 25 (smtp). If you need to serve DNS queries, add 53. To serve identd
so remote MTAs can verify your identity, enable 113.</P></LI>
<LI><P><EM>Disable Universal Plug and Play.</EM> Look under
<SPAN CLASS="guimenu">Password</SPAN>. There is a radio
button for this under the <SPAN CLASS="QUOTE">"Password"</SPAN> tab; newer firmware
versions put it under
<SPAN CLASS="guimenu">Administration</SPAN>+<SPAN CLASS="guimenu">Management</SPAN>.
<SPAN CLASS="acronym">UPnP</SPAN> is a notorious security hole in Windows, and up to
at least firmware version 1.44 there was a lot of Web scuttlebutt that the
Linksys implementation is flaky. While this won't affect operating systems
written by <EM>competent</EM> people, there is no point in
having traffic from a bunch of script-kiddie probes even reach your
network.</P></LI>
</OL>
</DIV>
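<P>Added example, not part of this HOWTO and not Linksys code: after step 4 you
want to confirm from the LAN side that the router really has stopped answering
UPnP discovery. The script below builds a standard SSDP M-SEARCH for an
Internet Gateway Device (the multicast address, port and search target come
from the UPnP Device Architecture), parses any reply, and reports whether an
IGD answered. The sample reply embedded in it is constructed for the test and
was not captured from a real device; its LOCATION port and path and its UUID
are placeholders. <CODE>probe_lan()</CODE> needs network access and is only
called when the file is run as a script.</P>

```python
"""Check whether a router on the LAN still answers UPnP (SSDP) discovery.

Added illustration for the "disable UPnP" step; not code from the HOWTO or
from Linksys.  Addresses and the search target are those defined by the UPnP
Device Architecture; SAMPLE_REPLY below is constructed, not a real capture.
"""
import socket
from typing import Dict, List, Optional

SSDP_ADDR = ("239.255.255.250", 1900)   # standard SSDP multicast group and port
IGD_ST = "urn:schemas-upnp-org:device:InternetGatewayDevice:1"


def build_msearch(st: str = IGD_ST, mx: int = 2) -> bytes:
    """SSDP M-SEARCH request as defined by the UPnP Device Architecture."""
    lines = [
        "M-SEARCH * HTTP/1.1",
        f"HOST: {SSDP_ADDR[0]}:{SSDP_ADDR[1]}",
        'MAN: "ssdp:discover"',
        f"MX: {mx}",
        f"ST: {st}",
        "", "",            # blank line terminates the request
    ]
    return "\r\n".join(lines).encode("ascii")


def parse_ssdp_response(raw: bytes) -> Optional[Dict[str, str]]:
    """Return the headers (lower-cased names) of an 'HTTP/1.1 200' SSDP reply,
    or None if the datagram is not such a reply.  Malformed header lines are
    skipped rather than raising, since anything on the LAN may answer."""
    text = raw.decode("utf-8", errors="replace")
    head, _, _ = text.partition("\r\n\r\n")
    lines = head.split("\r\n")
    if not lines or not lines[0].startswith("HTTP/1.1 200"):
        return None
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def is_igd_advert(headers: Dict[str, str]) -> bool:
    """True when the reply advertises an Internet Gateway Device, i.e. the
    router's NAT/port-mapping service that should go quiet once UPnP is off."""
    return headers.get("st", "").startswith(
        "urn:schemas-upnp-org:device:InternetGatewayDevice")


def probe_lan(timeout: float = 3.0) -> List[Dict[str, str]]:
    """Send one M-SEARCH to the LAN and collect IGD replies.  Needs network
    access; an empty list means nothing answered within the timeout."""
    found: List[Dict[str, str]] = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP) as s:
        s.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 1)  # stay on the LAN
        s.settimeout(timeout)
        s.sendto(build_msearch(), SSDP_ADDR)
        try:
            while True:
                data, addr = s.recvfrom(65535)
                hdrs = parse_ssdp_response(data)
                if hdrs and is_igd_advert(hdrs):
                    hdrs["from"] = addr[0]
                    found.append(hdrs)
        except socket.timeout:
            pass
    return found


# Constructed sample reply shaped like an IGD advertisement; port 5431, the
# path and the all-zero UUID are placeholders, not values from any device.
SAMPLE_REPLY = (
    b"HTTP/1.1 200 OK\r\n"
    b"CACHE-CONTROL: max-age=1800\r\n"
    b"LOCATION: http://192.168.1.1:5431/igd.xml\r\n"
    b"SERVER: Example-OS/1.0 UPnP/1.0 example-igd/1.0\r\n"
    b"ST: urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n"
    b"USN: uuid:00000000-0000-0000-0000-000000000000::"
    b"urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    hdrs = parse_ssdp_response(SAMPLE_REPLY)
    print("sample reply is an IGD advert:", bool(hdrs and is_igd_advert(hdrs)))
    live = probe_lan()
    print("IGD responders on this LAN:",
          [h["from"] for h in live] or "none (UPnP appears to be off)")
```

<P>Run it from a machine on the wired or wireless side of the router; if the
router still lists itself as an IGD responder after the setting has been
changed, the UPnP switch did not take effect and the firmware deserves the
same scepticism as the remote-admin bug above.</P>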
<P>There are two more steps for older firmware versions only. You can
ignore these if you have 2.x or later firmware.</P>
<DIV CLASS="procedure">
<OL TYPE="1">
<LI><P><EM>Disable AOL Parental Controls.</EM>
Make sure <SPAN CLASS="guibutton">AOL Parental Controls</SPAN> (under
<SPAN CLASS="guimenu">Security</SPAN>) is turned off (off is
the default); otherwise the Linksys won't pass packets for your Unix box at
all. Newer versions of the firmware don't have this misfeature.</P></LI>
<LI><P><EM>Disable Stateful Packet Inspection.</EM> If you want to run a server and are running
1.42 or earlier firmware, you also need to make sure stateful packet
inspection is off — this feature restricts incoming packets to those
associated with an outbound connection and is intended for heightened
security on client-only systems. On the
<SPAN CLASS="guimenu">Filters</SPAN> page, make sure
<SPAN CLASS="guilabel">SPI</SPAN> is off. If you don't see a radio button for SPI,
relax — the feature isn't present in all versions of the firmware,
and in fact was removed in 1.43 for stability reasons.</P></LI>
</OL>
</DIV>
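<P>Added example, not part of this HOWTO and not Linksys code: a small model
of the three inbound-filtering behaviours this section contrasts, so the
port-forwarding advice in step 3 of the first list and the SPI step just above
can be seen together. It admits replies to connections the LAN opened, forwards
a named set of ports to one LAN host, and optionally hands every unsolicited
packet to a DMZ host. The SPI branch models exactly what the text says the old
firmware did (drop anything not tied to an outbound connection), which is why a
server behind it is unreachable. The WAN and LAN addresses are constructed
(documentation ranges), and the model assumes the router keeps the LAN source
port as the external port, which real NAT does not always do.</P>

```python
"""Model of the inbound filtering described in this HOWTO: old-firmware SPI,
port-forwarding of a few services, and the DMZ host feature.

Added illustration, not Linksys code.  Addresses are constructed examples;
port rewriting by NAT is deliberately left out of the model.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable, Optional, Set, Tuple

WAN_IP = "203.0.113.5"      # constructed example address (RFC 5737 range)
LAN_HOST = "192.168.1.10"   # constructed example: the Unix box behind the router

# The minimum forward set the HOWTO recommends, plus the optional services.
MINIMUM_FORWARDS: Dict[int, str] = {22: "ssh", 80: "http"}
OPTIONAL_FORWARDS: Dict[int, str] = {25: "smtp", 53: "dns", 113: "identd"}


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


@dataclass
class RouterModel:
    forwards: Dict[int, str] = field(default_factory=dict)  # WAN port -> service
    spi: bool = False            # the 1.42-and-earlier SPI switch from the page
    dmz_host: Optional[str] = None
    # Connections opened from the LAN.  Assumption: no port rewriting, so the
    # key is (remote_ip, remote_port, external_port, proto).
    _state: Set[Tuple[str, int, int, str]] = field(default_factory=set)

    def outbound(self, pkt: Packet) -> None:
        """Record a connection initiated from the LAN side."""
        self._state.add((pkt.dst_ip, pkt.dst_port, pkt.src_port, pkt.proto))

    def inbound(self, pkt: Packet) -> Tuple[str, str]:
        """Decide the fate of a packet arriving on the WAN side.
        Returns (verdict, reason) with verdict 'accept' or 'drop'."""
        if pkt.dst_ip != WAN_IP:
            return "drop", "not addressed to this router"
        if (pkt.src_ip, pkt.src_port, pkt.dst_port, pkt.proto) in self._state:
            return "accept", "reply to an outbound connection"
        # Everything below is unsolicited traffic.
        if self.spi:
            # Page: SPI "restricts incoming packets to those associated with an
            # outbound connection", so a server cannot be reached at all.
            return "drop", "SPI on: unsolicited packet"
        if pkt.dst_port in self.forwards:
            svc = self.forwards[pkt.dst_port]
            return "accept", f"forwarded to {LAN_HOST}:{pkt.dst_port} ({svc})"
        if self.dmz_host:
            return "accept", f"DMZ host {self.dmz_host} receives every unsolicited port"
        return "drop", "no forwarding rule"


def exposed_ports(router: RouterModel,
                  probe_ports: Iterable[int] = range(1, 1025)) -> Set[int]:
    """Ports an unsolicited WAN client can reach: the router's attack surface."""
    remote = "198.51.100.7"   # constructed example remote address
    return {p for p in probe_ports
            if router.inbound(Packet(remote, 40000, WAN_IP, p))[0] == "accept"}


def demo() -> Dict[str, Tuple[str, str]]:
    """Run the configurations the HOWTO contrasts against the same packets."""
    unsolicited_ssh = Packet("198.51.100.7", 40000, WAN_IP, 22)
    unsolicited_telnet = Packet("198.51.100.7", 40001, WAN_IP, 23)
    results: Dict[str, Tuple[str, str]] = {}

    minimal = RouterModel(forwards=dict(MINIMUM_FORWARDS))
    results["minimal/ssh"] = minimal.inbound(unsolicited_ssh)
    results["minimal/telnet"] = minimal.inbound(unsolicited_telnet)

    spi = RouterModel(forwards=dict(MINIMUM_FORWARDS), spi=True)
    spi.outbound(Packet(LAN_HOST, 51000, "198.51.100.7", 80))   # LAN box browses out
    results["spi/ssh"] = spi.inbound(unsolicited_ssh)           # server unreachable
    results["spi/reply"] = spi.inbound(Packet("198.51.100.7", 80, WAN_IP, 51000))

    dmz = RouterModel(dmz_host=LAN_HOST)
    results["dmz/telnet"] = dmz.inbound(unsolicited_telnet)     # everything gets through
    return results


if __name__ == "__main__":
    for name, (verdict, why) in demo().items():
        print(f"{name:15s} {verdict:6s} {why}")
    print("ports exposed by minimal forwards:", sorted(exposed_ports(RouterModel(forwards=MINIMUM_FORWARDS))))
    print("ports exposed by a DMZ host:", len(exposed_ports(RouterModel(dmz_host=LAN_HOST))))
```

<P>The two counts printed at the end are the point of step 3: two forwarded
ports expose two services, while a DMZ host exposes every port the LAN box
happens to be listening on, and the SPI run shows why that switch had to be
off on 1.42 firmware before any forwarded service could answer.</P>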
</DIV>
<DIV CLASS="NAVFOOTER">
<HR ALIGN="LEFT" WIDTH="100%">
<TABLE SUMMARY="Footer navigation table" WIDTH="100%" BORDER="0" CELLPADDING="0" CELLSPACING="0">
<TR>
<TD WIDTH="33%" ALIGN="left" VALIGN="top"><A HREF="lostmanual.html" ACCESSKEY="P">Prev</A></TD>
<TD WIDTH="34%" ALIGN="center" VALIGN="top"><A HREF="index.html" ACCESSKEY="H">Home</A></TD>
<TD WIDTH="33%" ALIGN="right" VALIGN="top"><A HREF="upgradingfirmware.html" ACCESSKEY="N">Next</A></TD>
</TR>
<TR>
<TD WIDTH="33%" ALIGN="left" VALIGN="top">Lost the manual?</TD>
<TD WIDTH="34%" ALIGN="center" VALIGN="top">&nbsp;</TD>
<TD WIDTH="33%" ALIGN="right" VALIGN="top">Upgrading the firmware</TD>
</TR>
</TABLE>
</DIV>
</BODY>
</HTML>