basic_hardening

basic_hardening [2026/01/08 02:02] – [Firewall Settings] hogwild
basic_hardening [2026/05/18 18:57] (current) – [Basic Steps to Harden FreshTomato] hogwild
Line 1: Line 1:
 ====== Basic Steps to Harden FreshTomato ====== ====== Basic Steps to Harden FreshTomato ======
  
-This HOWTO will provide some basic steps toward hardening your Freshtomato router. It is not intended to be a thorough or complete reference on securing your network. It is only a starting point.+This HOWTO provides some basic steps toward hardening your Freshtomato router. It is not intended to be a thorough or complete reference on securing your network. It is only a starting point.
  
 Each small step will reduce your network's [[https://en.wikipedia.org/wiki/Attack_surface|attack surface]].  \\   \\ Each small step will reduce your network's [[https://en.wikipedia.org/wiki/Attack_surface|attack surface]].  \\   \\
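Review bot: the product name is spelled "Freshtomato" in the rewritten sentence (on both sides of the change) while the heading on Line 1 and the page title use "FreshTomato"; since this edit already touches the sentence, make the spelling match the heading. The change of tense from "will provide" to "provides" is fine.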
Line 12: Line 12:
     * Change the password to a strong, unique one. \\ This is crucial. Many attacks rely on default credentials.     * Change the password to a strong, unique one. \\ This is crucial. Many attacks rely on default credentials.
  
-  * Enable HTTPS for router access: Secure the web interface by setting local access to use secure HTTPS instead of HTTP FIXME+  * Enable HTTPS for router access: Secure the web interface by setting local access to use secure HTTPS instead of HTTP.
  
  
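Review bot: the FIXME is dropped without supplying the detail it was flagging, so the HTTPS bullet is still the only item in this section that does not name the menu where the setting lives (the neighbouring bullets link to [[admin_access|Admin Access]] and [[forward-upnp|UPnP IGD & PCP]]); add the wiki link for the local-access setting and make explicit that plain HTTP is switched off, not merely that HTTPS is made available alongside it.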
Line 25: Line 25:
   * Disable UPnP in the [[forward-upnp|UPnP IGD & PCP]] menu. Universal Plug and Play is known to be insecure and should be disabled, unless absolutely required.   * Disable UPnP in the [[forward-upnp|UPnP IGD & PCP]] menu. Universal Plug and Play is known to be insecure and should be disabled, unless absolutely required.
  
-  * In the [[admin_access|Admin Access]] menu, set a low value in the "//Limit Communication to//" field to limit SSH / Telnet requests. This helps prevent DDoS attacks. FIXME Should this be here?+  * In the [[admin_access|Admin Access]] menu, set a low value in the "//Limit Communication to//" field to limit SSH / Telnet requests. This helps prevent DDoS attacks. FIXME Does this belong in this section?
  
  
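Review bot: the edit only rewords the FIXME, so an editorial marker still ships in the published page; resolve the question instead of rephrasing it. On substance, setting a low "Limit Communication to" value throttles SSH / Telnet connection attempts, which mitigates brute-force login guessing far more than it prevents DDoS, so "This helps prevent DDoS attacks" overstates the benefit; and since the bullet mentions Telnet, a hardening page should recommend disabling Telnet outright rather than only limiting it, as the preceding bullet already does for UPnP.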
Line 95: Line 95:
 ===== VPN Connections ===== ===== VPN Connections =====
  
-  * Use a website to check for IP leaks. Recommended websites include: [[https://www.dnsleaktest.com|dnsleaktest.com]][[https://controld.com/tools/dns-leak-test|controld.com]] and [[https://ipleak.net/|ipleak.net]]\\ If your real (physical) IP address leaks, your "cover is blown" and there's no point in using a VPN, as the main reason for using one is to hide that address. Avoid using most VPN providers' own test pages. Their "leak tests" almost always return a result of  "Unprotected". They do not display an IP address from their own VPN server pool, and in this way, can scare users into purchasing a "real secure VPN" \\ \\  +  * Use a website to check for IP leaks. Recommended sites include: \\ \\  
-  * Use a website to check for DNS leaks. Also use them to test your DNS server information. If it leaks, you're not hiding your digital identity. Recommended websites include: [[https://www.dnsleaktest.com|dnsleaktest.com]][[https://controld.com/tools/dns-leak-test|controld.com]] and [[https://ipleak.net/|ipleak.net]] \\ \\  +    * [[https://www.dnsleaktest.com|dnsleaktest.com]] 
-  * Configure a kill switch.  A kill switch is basically a policy-based routing rule to ensure that when the VPN tunnel/encryption is dropped, FreshTomato will drop your Internet connection to the VPN provider. This prevents you from using the Internet while your real IP address is exposed.\\ \\  +    * [[https://controld.com/tools/dns-leak-test|controld.com]]  
-  * Consider using a Stubby server for DNS resolution. Stubby allows for secure+    * [[https://ipleak.net/|ipleak.net]] 
 + 
 + \\ 
 + 
 +If your real (physical) IP address leaks, your "cover is blown". In that case, there's no point in using a VPN, as the main reason for using one is to hide that address. Avoid using most VPN providers' own test pages. Their "leak tests" almost always return a report of "Unprotected". They do not display an IP address from their own VPN server pool, and in this way, can scare users into purchasing a "realsecure VPN" \\  \\ 
 + 
 +  * Use a website to test for DNS leaks. Alsouse these sites to test your DNS server information. If it leaks, you're not hiding your digital identity.  \\ Recommended websites include: \\ \\  
 +    * [[https://www.dnsleaktest.com|dnsleaktest.com]] 
 +    * [[https://controld.com/tools/dns-leak-test|controld.com]]  
 +    * [[https://ipleak.net/|ipleak.net]] \\ \\ \\ 
 +  * Configure a kill switch.  This is basically a policy-based routing rule to ensure that when the VPN tunnel is dropped, FreshTomato will drop your Internet connection to the VPN provider. This prevents you from using the Internet while your real IP address is exposed.\\ \\  
 +  * Consider using a Stubby server for DNS resolution. Stubby enhances DNS privacy by allowing DNS over TLS (“DoT”). DoT sends DNS queries via a secure (TLS-encrypted) connection. Note that network devices which use Stubby to resolve DNS queries, or point DNS queries to a router using Stubby will not have ads blocked by  the Adblock feature.
  
  
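Review bot: the kill-switch bullet reads backwards: as written, FreshTomato "will drop your Internet connection to the VPN provider", but the connection to the VPN provider is the one that must stay up so the tunnel can be re-established; the rule should block traffic that would otherwise leave outside the tunnel, for example "FreshTomato will block Internet traffic that is not routed through the VPN tunnel". Two spacing errors are introduced in the new text, "realsecure VPN" and "Alsouse these sites", and the sentence ending in "realsecure VPN" has no closing period. The IP-leak and DNS-leak bullets now repeat the same three-site list verbatim; list it once and refer back from the second bullet. The completed Stubby bullet is an improvement and the Adblock caveat is worth keeping, though "devices which use Stubby to resolve DNS queries, or point DNS queries to a router using Stubby" reads awkwardly; suggest "devices that use Stubby directly, or that send their DNS queries to a router running Stubby, will not have ads blocked by the Adblock feature".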
basic_hardening.1767837755.txt.gz · Last modified: by hogwild