====== Basic Steps to Harden FreshTomato ======

This HOWTO provides some basic steps toward hardening your FreshTomato router. It is not intended to be a thorough or complete reference on securing your network, only a starting point. Each small step reduces your network's [[https://en.wikipedia.org/wiki/Attack_surface|attack surface]].

===== Logon / Remote Administration =====

  * In the [[admin_access|Admin Access]] menu:
    * Change the default username from "root" to something else.
    * Change the password to a strong, unique one. \\ This is crucial. Many attacks rely on default credentials.
  * Enable HTTPS for router access: secure the web interface by setting local access to use HTTPS instead of HTTP. FIXME

===== Disable Unnecessary Services/Features =====

  * Unless needed, disable unused services in the [[admin_access|Admin Access]] menu, including:
    * SSH
    * Telnet (make sure your web interface connections are reliable)
    * Wireless access
    * Remote Access
  * Disable UPnP in the [[forward-upnp|UPnP IGD & PCP]] menu. Universal Plug and Play is known to be insecure and should be disabled unless absolutely required.
  * In the [[admin_access|Admin Access]] menu, set a low value in the "//Limit Communication to//" field to limit SSH / Telnet requests. This helps prevent DDoS attacks. FIXME Should this be here?

===== WiFi Settings =====

  * Use strong WiFi security protocols / encryption. At a minimum, configure wireless security to WPA2 Personal with AES encryption. \\ Note that some WiFi modes do not support higher encryption. If it is enabled, those modes may not function properly.
  * Change the default SSID to one that is unidentifiable.
  * Use long, complex WiFi Shared Keys with special characters and no dictionary words.
  * Consider changing the Group Key Renewal setting to a lower value, such as 1800. \\ Rotating the client-router encryption keys more often reduces the chances that strangers will gain WiFi access.
  * Reduce WiFi signal strength in the //Advanced / [[advanced-wireless|Wireless]]// menu. \\ Lowering a radio's transmit power to the minimum necessary to communicate with your devices reduces signal range. This minimizes the chances that others can connect via WiFi.
  * Randomize MAC address: use MAC address randomization to prevent tracking or spoofing risks. This can be achieved through the command-line interface by using the following script:
  * Consider adding entries in the [[wireless_filter|Wireless Filter]] menu for all known devices. This allows you to specify which WiFi devices (via their known MAC addresses) will be allowed to connect to WiFi.

===== DHCP Settings =====

  * In the [[dhcp_reservation|DHCP Reservation]] menu, create reservations for all known client devices. They will then always be assigned the address you choose. Note that this does not control devices configured with a static IP address.
  * Choose IP addresses wisely. Typically, users set their router's address to %%"www.xxx.yyy.1"%% and assign other addresses as consecutive numbers after that. It is a better idea to assign client devices a less predictable address, such as ".27", ".54", etc.
  * In the [[advanced-dhcpdns|DHCP-DNS-TFTP]] menu, enable //Ignore DHCP requests from unknown devices//. Remember to release and then renew the DHCP leases on each client device so that they retain connectivity.
  * While there, enable "//Generate a name for DHCP clients which do not otherwise have one//". Forcing all client devices to be given hostnames helps to track and identify rogue or unknown devices.

===== DNS =====

  * Check "Enable DNSSEC support" in the [[advanced-dhcpdns|DHCP-DNS-TFTP]] menu.
  * Set "DNSSEC validation method" to, for example, "Dnsmasq".
  * Enable "Use Stubby".
  * Select "Show/Hide Servers", then select an appropriate Stubby server. \\ Many people use/trust Cloudflare 1 or 2.
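The DHCP reservation and Wireless Filter advice above turns the lease table into something you can audit: once every known device has a reservation, any other lease is worth a look. The following script is an added example, not part of the FreshTomato wiki or firmware; it assumes the standard dnsmasq lease-file path and a known-device list you maintain yourself (the ''/jffs/known_macs.txt'' path is only an illustration).

```shell
#!/bin/sh
# Added example (not from the FreshTomato wiki): report DHCP clients whose MAC
# address is not on your list of known devices, using the dnsmasq lease file.
# Complements the DHCP reservation / Wireless Filter advice: once every known
# device has a reservation, anything else in the lease file deserves a look.
# The lease-file path and the known-device file are assumptions.
#
# dnsmasq lease line format:  <expiry-epoch> <mac> <ip> <hostname> <client-id>

LEASES="${LEASES:-/var/lib/misc/dnsmasq.leases}"

# unknown_clients KNOWN_FILE [LEASE_FILE]
# KNOWN_FILE holds one MAC per line (any case; '#' comments allowed).
# Prints "<mac> <ip> <hostname>" for each lease not in KNOWN_FILE.
# Returns 0 when every lease is known, 1 when unknown clients were found,
# 2 when an input file cannot be read.
unknown_clients() {
    known="$1"; leases="${2:-$LEASES}"
    if [ ! -r "$known" ] || [ ! -r "$leases" ]; then
        echo "unknown_clients: cannot read $known or $leases" >&2
        return 2
    fi
    awk -v known="$known" '
        BEGIN {
            # Load the allow-list into a set, dropping comments and whitespace.
            while ((getline line < known) > 0) {
                sub(/#.*/, "", line); gsub(/[ \t]/, "", line)
                if (line != "") seen[tolower(line)] = 1
            }
        }
        NF >= 4 && !(tolower($2) in seen) { print tolower($2), $3, $4; found = 1 }
        END { exit found ? 1 : 0 }
    ' "$leases"
}

# On the router, e.g. from cron, send any hits to the syslog (assumed path):
#   unknown_clients /jffs/known_macs.txt | logger -t dhcp-audit
```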
===== Firewall Settings =====

  * In the [[advanced-firewall|Firewall]] menu, enable //TCP SYN cookies//. This helps to defend against SYN flood attacks.
  * //Clear default firewall entries and settings//: remove default rules and entries that could be unsecured or unnecessary.
  * Disable NAT loopback.

===== Use Adblock =====

Go to the [[adblock_dns_filtering|Adblock]] menu and enable this feature. If not done already, add Domain blacklist URLs from the wiki list to choose which content to filter.

===== Router Identification =====

In the [[advanced-routing|Routing]] menu, disable "Accept DHCP Classless Routes" (option 121). This reduces exposure to attacks from rogue DHCP servers sending malicious/fake routes.

===== VPN Connections =====

  * Use a website to check for IP leaks. Recommended websites include [[https://www.dnsleaktest.com|dnsleaktest.com]], [[https://controld.com/tools/dns-leak-test|controld.com]] and [[https://ipleak.net/|ipleak.net]]. \\ If your real (physical) IP address leaks, your "cover is blown" and there is no point in using a VPN, as the main reason for using one is to hide that address. Avoid using most VPN providers' own test pages. Their "leak tests" almost always return a result of "Unprotected". They do not display an IP address from their own VPN server pool, and in this way can scare users into purchasing a "real secure VPN".
  * Use a website to check for DNS leaks. \\ The same goes for your DNS server information. If it leaks, you are not hiding your digital identity. Recommended websites include [[https://www.dnsleaktest.com|dnsleaktest.com]], [[https://controld.com/tools/dns-leak-test|controld.com]] and [[https://ipleak.net/|ipleak.net]].
  * Configure a kill switch. A kill switch is basically a policy-based routing rule ensuring that if the VPN tunnel/encryption is dropped, FreshTomato will drop your Internet connection to the VPN provider.
  * Consider using a Stubby server for DNS resolution. Stubby allows for secure
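The kill switch bullet above can be expressed as a handful of firewall rules: LAN clients are only forwarded out through the VPN tunnel interface, and forwarding straight out of the WAN interface is rejected, so a dropped tunnel fails closed instead of leaking. This script is an added example, not FreshTomato's own kill switch code; the interface names (''br0'', ''tun11''), the ''nvram get wan_iface'' call and the Administration > Scripts > Firewall placement are assumptions for a typical setup.

```shell
#!/bin/sh
# Added example (not from the FreshTomato wiki): a VPN kill switch expressed as
# iptables FORWARD rules. LAN clients may only be forwarded out through the VPN
# tunnel interface; forwarding straight out of the WAN interface is rejected,
# so when the tunnel drops their traffic fails instead of leaking. Only FORWARD
# is touched: the router's own OUTPUT traffic still needs the WAN to (re)build
# the tunnel. Interface names below are assumptions for a typical setup.

IPT="${IPT:-iptables}"   # set IPT=echo to dry-run and just print the commands

# Print the rule specs, one per line. $1 = LAN bridge, $2 = WAN, $3 = tunnel.
# Each uses "-I FORWARD 1", so the last line printed ends up on top:
# established flows, then LAN->tunnel ACCEPT, then LAN->WAN REJECT.
killswitch_rules() {
    cat <<EOF
-I FORWARD 1 -i $1 -o $2 -j REJECT --reject-with icmp-net-unreachable
-I FORWARD 1 -i $1 -o $3 -j ACCEPT
-I FORWARD 1 -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Apply the rules idempotently: delete any previous copies, then insert.
# The "exit 1" runs in the pipeline's subshell and becomes the function status.
apply_killswitch() {
    killswitch_rules "$@" | sed 's/^-I FORWARD 1 /-D FORWARD /' |
        while read -r rule; do $IPT $rule 2>/dev/null || true; done
    killswitch_rules "$@" | while read -r rule; do
        $IPT $rule || { echo "kill switch: failed: $IPT $rule" >&2; exit 1; }
    done
}

# True when the tunnel interface exists (Linux sysfs); handy for a cron check
# that logs when the VPN is down and the kill switch is therefore active.
vpn_up() { [ -d "/sys/class/net/$1" ]; }

# On the router, e.g. from Administration > Scripts > Firewall (assumed):
#   apply_killswitch br0 "$(nvram get wan_iface)" tun11
#   vpn_up tun11 || logger -t vpn-killswitch "tunnel down, LAN->WAN blocked"
```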