<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML
><HEAD
><TITLE
>Configuration hints</TITLE
><META
NAME="GENERATOR"
CONTENT="Modular DocBook HTML Stylesheet Version 1.7"><LINK
REL="HOME"
TITLE="Linksys Blue Box Router HOWTO"
HREF="index.html"><LINK
REL="PREVIOUS"
TITLE="Lost the manual?"
HREF="lostmanual.html"><LINK
REL="NEXT"
TITLE="Upgrading the firmware"
HREF="upgradingfirmware.html"></HEAD
><BODY
CLASS="sect1"
BGCOLOR="#FFFFFF"
TEXT="#000000"
LINK="#0000FF"
VLINK="#840084"
ALINK="#0000FF"
><DIV
CLASS="NAVHEADER"
><TABLE
SUMMARY="Header navigation table"
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TH
COLSPAN="3"
ALIGN="center"
>Linksys Blue Box Router HOWTO</TH
></TR
><TR
><TD
WIDTH="10%"
ALIGN="left"
VALIGN="bottom"
><A
HREF="lostmanual.html"
ACCESSKEY="P"
>Prev</A
></TD
><TD
WIDTH="80%"
ALIGN="center"
VALIGN="bottom"
></TD
><TD
WIDTH="10%"
ALIGN="right"
VALIGN="bottom"
><A
HREF="upgradingfirmware.html"
ACCESSKEY="N"
>Next</A
></TD
></TR
></TABLE
><HR
ALIGN="LEFT"
WIDTH="100%"></DIV
><DIV
CLASS="sect1"
><H1
CLASS="sect1"
><A
NAME="confighints"
></A
>4. Configuration hints</H1
><P
>For security, do these things through the Linksys web interface
(probably at <A
HREF="http://192.168.1.1"
TARGET="_top"
>http://192.168.1.1</A
> on
your network):</P
><DIV
CLASS="procedure"
><OL
TYPE="1"
><LI
><P
><EM
>Change your administrative
password.</EM
> On 15 June 2004 it was <A
HREF="http://slashdot.org/article.pl?sid=04/06/03/0337205&mode=thread&tid=137&tid=193&tid=215"
TARGET="_top"
>widely
reported</A
> that turning off the remote admin feature doesn't work
&#8212; you can still get at the administration page from the wireless
side. This bug is still present in the 2.02 firmware, October 2004. It
means that if you leave your password at default, any script kiddie can
break in, steal your WEP key, and scramble your configuration. The Linksys
people get the moron medal with oak-leaf cluster for this screwup.</P
><P
>(I don't know if this bug is still present in the 3.x firmware. It
would be a good idea to check.)</P
></LI
><LI
><P
><EM
>Make sure the DMZ host feature is
disabled</EM
>, under
<SPAN
CLASS="guimenu"
>Applications</SPAN
>+<SPAN
CLASS="guimenu"
>Gaming</SPAN
>-&gt;<SPAN
CLASS="guimenuitem"
>DMZ
Host</SPAN
>, or, in newer
versions, <SPAN
CLASS="guimenu"
>Applications &#38;
Gaming</SPAN
>-&gt;<SPAN
CLASS="guimenuitem"
>DMZ Host</SPAN
>. It
defaults off.</P
></LI
><LI
><P
><EM
>Port-forward specific services instead of
setting up a DMZ</EM
>, and as few of those as you can get away with.
A good minimum set is 22 (ssh) and 80 (http). If you want to receive mail,
add 25 (smtp). If you need to serve DNS queries, add 53. If you run identd
so that remote MTAs can look up which local user owns a connection, add 113.
Each forwarded port exposes whatever daemon answers it to the whole Internet,
so forward a port only while that service is actually running and kept
patched.</P
></LI
><LI
><P
><EM
>Disable Universal Plug and
Play.</EM
> Look under
<SPAN
CLASS="guimenu"
>Password</SPAN
>. There is a radio
button for this under the <SPAN
CLASS="QUOTE"
>"Password"</SPAN
> tab; newer firmware
versions put it under
<SPAN
CLASS="guimenu"
>Administration</SPAN
>+<SPAN
CLASS="guimenu"
>Management</SPAN
>.
<SPAN
CLASS="acronym"
>UPnP</SPAN
> lets any program on your LAN ask the router to open inbound port mappings
without authenticating. It is a notorious security hole in Windows, and up to
at least firmware version 1.44 there was a lot of Web scuttlebutt that the
Linksys implementation is flaky. While this won't affect operating systems
written by <EM
>competent</EM
> people, there is no point in
having traffic from a bunch of script-kiddie probes even reach your
network.</P
></LI
></OL
></DIV
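><P
>All of the settings above are made through the web interface, so the one
thing worth verifying from the LAN afterwards is that they actually took.
The script below, added here as an example and not code from the HOWTO or
from any Linksys firmware, sends a UPnP discovery request (an SSDP M-SEARCH
on UDP port 1900) and reports whether the router at 192.168.1.1 still answers
as an Internet Gateway Device. If UPnP is really off, no reply should come
back. The router address is the HOWTO's default; the timeouts and the sample
reply embedded in the script are assumed and constructed for illustration.</P
>
```python
"""Check whether a router still answers UPnP discovery (SSDP) after you
have turned UPnP off in its web interface.

Added example for this HOWTO, not code from the Linksys firmware or from
the HOWTO's author.  192.168.1.1 is the HOWTO's default router address;
the timeouts and SAMPLE_REPLY are assumed/constructed for illustration.
"""
import socket

SSDP_ADDR = "239.255.255.250"   # SSDP multicast group
SSDP_PORT = 1900


def build_msearch(mx_secs=2):
    """Build an SSDP M-SEARCH request asking specifically for the
    InternetGatewayDevice profile that home routers advertise."""
    lines = [
        "M-SEARCH * HTTP/1.1",
        "HOST: %s:%d" % (SSDP_ADDR, SSDP_PORT),
        "MAN: \"ssdp:discover\"",
        "MX: %d" % mx_secs,
        "ST: urn:schemas-upnp-org:device:InternetGatewayDevice:1",
        "",
        "",
    ]
    return "\r\n".join(lines).encode("ascii")


def parse_ssdp_response(data):
    """Parse one SSDP reply datagram into a dict of lower-cased header
    names.  Returns None if it is not an 'HTTP/1.1 200 OK' reply."""
    text = data.decode("latin-1", "replace")
    head, _, _ = text.partition("\r\n\r\n")
    lines = head.split("\r\n")
    if not lines or not lines[0].startswith("HTTP/1.1 200"):
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def is_upnp_gateway_reply(headers, router_ip):
    """True if the reply advertises a UPnP Internet gateway whose
    description URL lives on the router, i.e. UPnP is NOT off."""
    if headers is None:
        return False
    location = headers.get("location", "")
    st = headers.get("st", "")
    on_router = ("://" + router_ip + ":" in location) or ("://" + router_ip + "/" in location)
    return on_router and "InternetGatewayDevice" in st


def probe(router_ip="192.168.1.1", wait_secs=3):
    """Multicast the M-SEARCH and collect replies that come from the router
    and identify it as a UPnP gateway.  An empty list means the router did
    not answer, which is what you want after disabling UPnP."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 2)
    sock.settimeout(wait_secs)
    sock.sendto(build_msearch(), (SSDP_ADDR, SSDP_PORT))
    hits = []
    try:
        while True:
            data, (src, _) = sock.recvfrom(4096)
            hdrs = parse_ssdp_response(data)
            if src == router_ip and is_upnp_gateway_reply(hdrs, router_ip):
                hits.append(hdrs)
    except socket.timeout:
        pass
    finally:
        sock.close()
    return hits


# Constructed sample reply: the shape a UPnP-enabled gateway sends back.
SAMPLE_REPLY = (
    b"HTTP/1.1 200 OK\r\n"
    b"CACHE-CONTROL: max-age=1800\r\n"
    b"ST: urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n"
    b"USN: uuid:00000000-0000-0000-0000-000000000000::urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n"
    b"LOCATION: http://192.168.1.1:1900/gateway.xml\r\n"
    b"SERVER: UPnP/1.0\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    found = probe()
    print("UPnP gateway replies from router: %d" % len(found))
```
<P
>Run it from a machine on the LAN, wired or wireless, after saving the UPnP
setting. A router that still replies is still accepting UPnP requests, and a
gateway that accepts them will also honor unauthenticated port-mapping
requests from any host on the LAN, which is exactly what the step above is
meant to prevent.</P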
><P
>There are two more steps for older firmware versions only. You can
ignore these if you have 2.x or later firmware.</P
><DIV
CLASS="procedure"
><OL
TYPE="1"
><LI
><P
><EM
>Disable AOL Parental Controls.</EM
>
Make sure <SPAN
CLASS="guibutton"
>AOL Parental Controls</SPAN
> (under
<SPAN
CLASS="guimenu"
>Security</SPAN
>) is turned off (off is
the default); otherwise the Linksys won't pass packets for your Unix box at
all. Newer versions of the firmware don't have this misfeature.</P
></LI
><LI
><P
><EM
>Disable Stateful Packet
Inspection.</EM
> If you want to run a server and are running
1.42 or earlier firmware, you also need to make sure stateful packet
inspection is off &#8212; this feature restricts incoming packets to those
associated with an outbound connection and is intended for heightened
security on client-only systems. On the
<SPAN
CLASS="guimenu"
>Filters</SPAN
> page, make sure
<SPAN
CLASS="guilabel"
>SPI</SPAN
> is off. If you don't see a radiobutton for SPI,
relax &#8212; the feature isn't present in all versions of the firmware,
and in fact was removed in 1.43 for stability reasons.</P
></LI
></OL
></DIV
></DIV
><DIV
CLASS="NAVFOOTER"
><HR
ALIGN="LEFT"
WIDTH="100%"><TABLE
SUMMARY="Footer navigation table"
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
><A
HREF="lostmanual.html"
ACCESSKEY="P"
>Prev</A
></TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
><A
HREF="index.html"
ACCESSKEY="H"
>Home</A
></TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
><A
HREF="upgradingfirmware.html"
ACCESSKEY="N"
>Next</A
></TD
></TR
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
>Lost the manual?</TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
>&nbsp;</TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
>Upgrading the firmware</TD
></TR
></TABLE
></DIV
></BODY
></HTML
>