Slashdot Mirror


Ask Slashdot: Which Is the Safest Router?

MindPrison writes: As ashamed as I am to admit it -- a longtime computer user since the Commodore heydays, I've been hacked twice recently and that has seriously made me rethink my options for my safety and well-being. So, I ask you dear Slashdot users, from one fellow longtime Slashdotter to another: which is the best router for optimal safety today?

11 of 386 comments

  1. PEBCAK by sexconker · · Score: 5, Informative

    A "secure" router won't help you. What does "hacked twice recently" actually mean?

    1. Re:PEBCAK by Anonymous Coward · · Score: 5, Insightful

      This is a critical question - in what way was your system compromised? What vulnerability was exploited that allowed someone to access your machine? No single firewall or router can prevent all forms of compromise.

    2. Re:PEBCAK by Excelcia · · Score: 5, Informative

      How about you stop being pedantic on what the background information means, and either helpfully answer the (fairly easy to understand) question or decide you have nothing useful to add to the conversation and not try to. The people who think they are clever by second guessing Ask Slashdot questions get rather annoying in short order.

      I actually came to this question with some amount of actual curiosity. I used to build Linux firewalls for small businesses. This was back before routers were appliances. When NAT was still "IP Masquerading" on Linux, and it was actually a dirty word because it let you "share" internet connections when the early cable modem providers wanted to sell you an IP address for every computer using the connection. I moved on to process control and automation work, project management, and then switched tracks into the Navy. What relevance is that? The point is, there are lots of people like me who had at one point been heavily invested in the current state of the art who, for some years, haven't had the time or resources to follow current best practices. Ask Slashdot questions like these are actually helpful to those of us who would like the benefit of the experience of those who are still up on the state of the art.

      When you, and those like you, roll in with your clever meta-answers, it helps no one. You and (especially) the five moderators who upvoted your post as "informative" should hang your heads in collective shame.

    3. Re:PEBCAK by MindPrison · · Score: 5, Informative

      Well, I guess I was a little tired, and provided too little information, but I can explain why I kept it short.

      I talked to some of the security guys at work (I work at a HUGE world wide company, I can't disclose who for obvious reasons), and I told them a detailed story, which I didn't tell you.

      They came to the conclusion that the root of my problems was that I used an unsafe router that has been infected, and that the attackers had most likely infected my router and somehow upgraded it with malicious firmware. Therefore they came to the conclusion that I should go and get a much safer router. So my first instinct, tired and a little stressed from it all - was to ask you. I'm not in my 20s anymore, and I'm not as up to code about the hacking possibilities and vulnerabilities as I once was rightfully for my time. Today, I know next to nothing compared to you guys.

      The first time I got hacked:

      Firefox 54: I was visiting a page to get some schematics for some home made remote control system, and I noticed that the browser had all of my CPU threads busy, and the computer became oddly sluggish. I had No-Script installed, ad-blocker and my Windows 10 was up to shape with the latest Defender database plus latest updates I could possibly download, I always update immediately when it suggests an update.

      I immediately wanted to force stop Firefox so I went to the Task Bar and looked at the processes, oh my goodness - several instances of Firefox (hidden windows /popups that aren't immediately visible?) were running, and it was creating more as I watched. I ended up killing all processes, and ran anti malware software (well, Windows Defender with the latest definitions) and it came out clean, or so I thought.

      Went to bed, and got woken up by my phone with several warnings from my various social media telling me that someone is posting from a different IP address than I normally used, I got out of bed and panicked.

      I immediately changed ALL passwords to hideously long random letter passwords on ALL my services, and went for two-factor authentication on everything I could.

      This stopped the attack on my personal accounts.

      Thinking it all was over, and safe - 3 weeks went by, and all of a sudden when I was working with something on my Linux partition, the computer crashed hard, and it rarely ever does that.

      After that crash, the BIOS (or boot menu) was completely garbled. Interestingly enough, so was the BIOS on my second computer, which was 10 years old, and my new work computer was only a few years old, but with relatively fresh installations of both Linux (on an M.2 NVMe storage) and Windows 10 on a normal SSD storage, totally separated from each other (well, needing 2 different boot menus to access each one).

      I took a memdump of the entire BIOS, and found that the raw graphics area contained assembly code whereas it should be an image (you can look at the image with raw data image browser/raw graphics dump, it won't look like a clean image, but you can see that there is image data there).

      What I did, is that I reflashed the BIOS with the help of a separate hardware switch (my mainboard has two BIOSes, totally hardware separated with a switch), and looking at the manufacturer's homepage, they already know that their BIOS had been compromised, so they provided a beta patch with ME microcode included as well.

      I told this story to our security guys, and they said the same as someone else in this thread, someone thinks you have something to hide, and they're not script kiddies, you've been targeted - I suggest you start with a badass router, and take it from there, disable all server services in win 10 + remote services like remote registry etc.

      I don't know that much about Windows 10. But that's all I know for now. Appreciate all the feedback, you wonderful Slashdotters!

      --
      What this world is coming to - is for you and me to decide.
  2. OPNsense by darkain · · Score: 5, Informative

    OPNsense, a fork of pfSense, which is a fork of m0n0wall. It is based on HardenedBSD, with a ton of additional security extensions not available in normal FreeBSD or pfSense.

    But really, security isn't just one device. Secure ALL of your shit.

  3. Google wifi by buck68 · · Score: 5, Funny

    I chose it mainly for security. As a former Google engineer, I feel that Google's security expertise is top notch.

  4. Re: The safest router is... by saloomy · · Score: 5, Informative

    I like using Linux boxes with packet-forwarder turned on in the kernel, and using either IPTables or firewalld, depending on your flavor. I then use my "router" to serve me web content and handle my VPN for me while I'm away from home. Oh, and I would highly recommend something like this: tiny PC with multiple 1GB NIC ports, Wifi, BT, etc... so you can have a WAN and a LAN port. It is easier to configure it this way.
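
A default-deny ruleset for the kind of two-port Linux router described in the comment above, as an added example that is not part of the thread. The interface names `eth0`/`eth1`, the subnet 192.168.10.0/24 and LAN-only SSH management are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): default-deny rules for a two-NIC Linux router.
# Interface names, LAN subnet and the SSH management port are assumptions.

# Print an iptables-restore ruleset: gen_router_rules WAN_IF LAN_IF LAN_CIDR
gen_router_rules() {
    [ $# -eq 3 ] || { echo "usage: gen_router_rules WAN_IF LAN_IF LAN_CIDR" >&2; return 2; }
    wan=$1 lan=$2 lan_net=$3
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Traffic to the router itself: loopback, replies, and LAN-side management only.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $lan -s $lan_net -p tcp --dport 22 -j ACCEPT
-A INPUT -i $lan -p icmp --icmp-type echo-request -j ACCEPT
# Routed traffic: the LAN may open connections outward; the WAN may only answer.
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $lan -o $wan -s $lan_net -j ACCEPT
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o $wan -s $lan_net -j MASQUERADE
COMMIT
EOF
}

# Load the rules, then enable kernel forwarding (root required). The --test pass
# parses everything first, so an error in the second table cannot leave only
# the first one loaded.
apply_router_rules() {
    gen_router_rules "$@" | iptables-restore --test &&
    gen_router_rules "$@" | iptables-restore &&
    sysctl -w net.ipv4.ip_forward=1
}

# Preview only; nothing is changed on the host.
gen_router_rules eth0 eth1 192.168.10.0/24
```

This covers IPv4 only: IPv6 needs an equivalent ip6tables ruleset, and any service the box offers (DNS, DHCP, VPN) needs its own explicit INPUT rule.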

  5. Re:safest by Zmobie · · Score: 5, Informative

    one to which you have the source code:
    https://www.dd-wrt.com/site/in...

    This AC is exactly right actually. If you don't want to deal with some god awful proprietary firmware or go commercial grade, pick up a Netgear router with good hardware and load DD-WRT on it. Been using it for years and it is the best decision I ever made for my home setup.

  6. Barking up the wrong tree? by danlor · · Score: 5, Interesting

    Unless you are talking about your Netgear or D-Link box getting back doored, I think you are looking in the wrong places.

    Any NAT device is sufficient.
    Patch all your stuff
    Don't download crap
    Don't execute the crap you download
    Don't play web games
    Don't use internet explorer
    uninstall flash
    uninstall java

    If you are really looking for a good firewall, go grab a little pfSense box from Netgate. But I think you have many other places to look at first.

  7. Re: The safest router is... by misnohmer · · Score: 5, Interesting

    A self-made/installed Linux box is probably the least secure solution for most people. Unless you really know how to secure and lock down your Linux box AND keep it up to date on a weekly basis, your "router" is far from secure. There are few people who really know what they're doing in this domain. Just because you can't hack it, doesn't mean it's safe. Misconfiguration is the most common cause for security holes (do you really know each and every piece of software you have running on it, every kernel module, driver, server, etc?), but even if you do manage to lock it down, security vulnerabilities in Linux and other open source software that Linux uses are discovered all the time and need to be patched fast as scripts exploiting them come just as fast. It's a full time job to keep a Linux box secured on the open internet.

  8. Re: The safest router is... by arglebargle_xiv · · Score: 5, Funny

    It's a bit of a personal-taste thing, but I rather like my Bosch 1617EV. I've also heard good things about the Porter-Cable 690LR. Neither have ever been hacked, to the best of my knowledge.