Basic Steps to Harden FreshTomato

This HOWTO provides some basic steps toward hardening your Freshtomato router. It is not intended to be a thorough or complete reference on securing your network. It is only a starting point.

Each small step will reduce your network's attack surface.

• In the Admin Access menu:
  • Change the default username from “root” to something else.
  • Change the password to a strong, unique one.
    This is crucial. Many attacks rely on default credentials.

• Enable HTTPS for router access: Secure the web interface by setting local access to use secure HTTPS instead of HTTP.

• Unless needed, disable unused services in the Admin Access menu, including:
  • SSH
  • Telnet (make sure your web interface connections are reliable)
  • Wireless access
  • Remote Access

• Disable UPnP in the UPnP IGD & PCP menu. Universal Plug and Play is known to be insecure and should be disabled, unless absolutely required.

• In the Admin Access menu, set a low value in the “Limit Communication to” field to limit SSH / Telnet requests. This helps prevent DDoS attacks. Does this belong in this section?

• Use strong WiFi security protocols / encryption. At a minimum, configure wireless security to WPA2 Personal, with AES encryption.
  Note that some WiFi modes do not support higher encryption. If it is enabled, those modes may not function properly.

• Change the default SSID to one that is unidentifiable.

• Use long, complex WiFi Shared Keys with special characters, and no dictionary words.

• Consider changing the Group Key Renewal setting to a lower value, such as 1800.
  Rotating the client-router encryption keys more often will reduce the chances strangers will gain WiFi access.

• Reduce WiFi signal strength in the the /Advanced/Wireless menu.
  Lowering a radio's transmit power to the minimum necessary to communicate with your devices reduces signal range. This minimizes the chances others can connect via WiFi.

• Randomize MAC address: Use MAC address randomization to prevent tracking or spoofing risks. This can be achieved through the command-line interface through use of the following script:

• Consider adding entries in the Wireless Filter menu for all known devices. This will allow you specify which WiFi devices (via their known MAC addresses) will be allowed to connect to WiFi.
  
  

• In the DHCP Reservation menu, create reservations for all known client devices. This will mean they will always be assigned the address you choose. Note that this will not control devices configured with a static IP address.

• Choose IP addresses wisely. Typically, users set their router's address to "www.xxx.yyy.1" and other addresses as consecutive numbers after that. However, it's a better idea to assign client devices a less predictable address, such as “.27”, “.54”etctera.

• In the DHCP-DNS-TFTP menu, enable Ignore DHCP requests from unknown devices. Remember to release and then renew the DHCP leases on each client device for them to retain connectivity.

• While there, enable “Generate a name for DHCP clients which do not otherwise have one”. Forcing all client devices to be given hostnames will help to track/identify rogue or unknown devices.

• Check “Enable DNSSEC support” in the DHCP-DNS-TFTP menu.
  • Set “DNSSEC validation method” to, for example, “Dnsmasq”.
  • Enable “Use Stubby”.
  • Select “Show/Hide Servers”. Select an appropriate Stubby server.
    Many people use/trust Cloudflare 1 or 2 .
    

• Set “DNSSEC validation method” (“Dnsmasq”).

• Enable “Use Stubby”.

• In the Firewall menu, enable TCP SYN cookies. This will help to defend against SYN flood attacks.

• Clear default firewall entries and settings: Remove default rules and entries that could be unsecured or unnecessary.

• Disable NAT loopback.

• Unless you're using an IPSEC VPN, disable IPSEC Passthrough in the Conntrack/Netfilter. While not, per se, a firewall function, this will remove open NAT entries in your router.

Go to the Adblock menu and enable this feature. If not completed already, add Domain blacklist URLs from the wiki list to choose which content to filter.

In the Routing menu, disable “Accept DHCP Classless Routes” (option 121). This will reduce exposure to attacks from rogue DHCP servers sending malicious/fake routes.

• Use a website to check for IP leaks. Recommended sites include:
  
  
  • dnsleaktest.com
  • controld.com
  • ipleak.net

If your real (physical) IP address leaks, your “cover is blown”. In that case, there's no point in using a VPN, as the main reason for using one is to hide that address. Avoid using most VPN providers' own test pages. Their “leak tests” almost always return a report of “Unprotected”. They do not display an IP address from their own VPN server pool, and in this way, can scare users into purchasing a “real, secure VPN”

• Use a website to test for DNS leaks. Also, use these sites to test your DNS server information. If it leaks, you're not hiding your digital identity.
  Recommended websites include:
  
  
  • dnsleaktest.com
  • controld.com
  • ipleak.net
    
    
    
• Configure a kill switch. This is basically a policy-based routing rule to ensure that when the VPN tunnel is dropped, FreshTomato will drop your Internet connection to the VPN provider. This prevents you from using the Internet while your real IP address is exposed.
  
  
• Consider using a Stubby server for DNS resolution. Stubby enhances DNS privacy by allowing DNS over TLS (“DoT”). DoT sends DNS queries via a secure (TLS-encrypted) connection. Note that network devices which use Stubby to resolve DNS queries, or point DNS queries to a router using Stubby will not have ads blocked by the Adblock feature.