<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <HTML ><HEAD ><TITLE >Configuration hints</TITLE ><META NAME="GENERATOR" CONTENT="Modular DocBook HTML Stylesheet Version 1.7"><LINK REL="HOME" TITLE="Linksys Blue Box Router HOWTO" HREF="index.html"><LINK REL="PREVIOUS" TITLE="Lost the manual?" HREF="lostmanual.html"><LINK REL="NEXT" TITLE="Upgrading the firmware" HREF="upgradingfirmware.html"></HEAD ><BODY CLASS="sect1" BGCOLOR="#FFFFFF" TEXT="#000000" LINK="#0000FF" VLINK="#840084" ALINK="#0000FF" ><DIV CLASS="NAVHEADER" ><TABLE SUMMARY="Header navigation table" WIDTH="100%" BORDER="0" CELLPADDING="0" CELLSPACING="0" ><TR ><TH COLSPAN="3" ALIGN="center" >Linksys Blue Box Router HOWTO</TH ></TR ><TR ><TD WIDTH="10%" ALIGN="left" VALIGN="bottom" ><A HREF="lostmanual.html" ACCESSKEY="P" >Prev</A ></TD ><TD WIDTH="80%" ALIGN="center" VALIGN="bottom" ></TD ><TD WIDTH="10%" ALIGN="right" VALIGN="bottom" ><A HREF="upgradingfirmware.html" ACCESSKEY="N" >Next</A ></TD ></TR ></TABLE ><HR ALIGN="LEFT" WIDTH="100%"></DIV ><DIV CLASS="sect1" ><H1 CLASS="sect1" ><A NAME="confighints" ></A >4. Configuration hints</H1 ><P >For security, do these things through the Linksys web interface (probably at <A HREF="http://192.168.1.1" TARGET="_top" >http://192.168.1.1</A > on your network):</P ><DIV CLASS="procedure" ><OL TYPE="1" ><LI ><P ><EM >Change your administrative password.</EM > On 15 June 2004 it was <A HREF="http://slashdot.org/article.pl?sid=04/06/03/0337205&mode=thread&tid=137&tid=193&tid=215" TARGET="_top" >widely reported</A > that turning off the remote admin feature doesn't work — you can still get at the administration page from the wireless side. This bug is still present in the 2.02 firmware, October 2004. It means that if you leave your password at default, any script kiddie can break in, steal your WEP, and scramble your configuration. 
The Linksys people get the moron medal with oak-leaf cluster for this screwup.</P ><P >(I don't know if this bug is still present in the 3.x firmware. It would be a good idea to check.)</P ></LI ><LI ><P ><EM >Make sure the DMZ host feature is disabled</EM >, under <SPAN CLASS="guimenu" >Applications</SPAN >+<SPAN CLASS="guimenu" >Gaming</SPAN >-><SPAN CLASS="guimenuitem" >DMZ Host</SPAN >, or in newer versions <SPAN CLASS="guimenu" >Applications & Gaming</SPAN >-><SPAN CLASS="guimenuitem" >DMZ Host</SPAN >. It defaults off. A DMZ host receives every inbound packet that no port-forward rule claims, which puts that machine on the Internet with no firewall in front of it at all.</P ></LI ><LI ><P ><EM >Port-forward specific services instead of setting up a DMZ</EM >, and as few of those as you can get away with, each to the one host that actually runs the service. A good minimum set is 22 (ssh) and 80 (http). If you want to receive mail, add 25 (smtp). If you need to serve DNS queries, add 53. If you want to answer ident lookups from remote MTAs (some do one before accepting mail), add 113 for identd.</P ></LI ><LI ><P ><EM >Disable Universal Plug and Play.</EM > There is a radio button for this under the <SPAN CLASS="QUOTE" >"Password"</SPAN > tab; newer firmware versions put it under <SPAN CLASS="guimenu" >Administration</SPAN >+<SPAN CLASS="guimenu" >Management</SPAN >. <SPAN CLASS="acronym" >UPnP</SPAN > is a notorious security hole in Windows: it lets any host on the LAN ask the router to open inbound port mappings, with no authentication, so one compromised Windows box can punch holes through your firewall. Up to at least firmware version 1.44 there was also a lot of Web scuttlebutt that the Linksys implementation is flaky. While this won't affect operating systems written by <EM >competent</EM > people, there is no point in having traffic from a bunch of script-kiddie probes even reach your network.</P ></LI ></OL ></DIV ><P >There are two more steps for older firmware versions only. 
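</P ><P >Before the older-firmware steps, a way to check from the outside that the four settings above actually took effect. The Python script below is an added example, not part of this HOWTO and not Linksys code. It parses an nmap grepable (<TT >-oG</TT >) scan of the router's WAN address and flags every open port that is not on the forward list above (a stray open port means a DMZ host, a forgotten forward, or the admin UI facing the Internet), and it builds and parses SSDP M-SEARCH traffic so you can see whether the router still answers UPnP discovery on the LAN after you turned it off. The nmap output, the SSDP reply, the address 192.0.2.10 and the open port 8080 in the sample data are constructed for the example; only the forwarded-port list comes from the text above.</P >

```python
"""Post-hardening checks for a Linksys-style NAT router (added example,
not part of the HOWTO).

1. Parse an nmap grepable (-oG) scan taken from the WAN side and compare
   the open ports against the services the HOWTO says to forward.
2. Build and parse SSDP M-SEARCH traffic to tell whether UPnP is still
   answering on the LAN after it was switched off in the web interface.
"""
import socket

# Services the HOWTO recommends forwarding, as (port, protocol).
HOWTO_MINIMUM = {(22, "tcp"), (80, "tcp")}
HOWTO_OPTIONAL = {(25, "tcp"), (53, "udp"), (53, "tcp"), (113, "tcp")}

# Constructed sample of nmap -oG output; not a real scan of any device.
# 8080 stands in for an exposed admin UI, 1900/udp for SSDP on the WAN.
SAMPLE_NMAP_GREPABLE = """\
# Nmap scan initiated as: nmap -sS -sU -p T:1-1024,8080,U:1900 -oG - 192.0.2.10
Host: 192.0.2.10 ()\tStatus: Up
Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 113/closed/tcp//ident///, 8080/open/tcp//http-proxy///, 1900/open|filtered/udp//upnp///\tIgnored State: closed (1021)
# Nmap done
"""


def parse_nmap_grepable(text):
    """Return {host: {(port, proto): state}} from every 'Ports:' line.
    Grepable entries are port/state/proto/owner/service/rpc/version."""
    result = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = line.split("\t")
        host = fields[0].split()[1]
        for field in fields[1:]:
            if not field.startswith("Ports:"):
                continue
            for entry in field[len("Ports:"):].split(","):
                parts = entry.strip().split("/")
                if len(parts) < 3:
                    continue
                port, state, proto = int(parts[0]), parts[1], parts[2]
                result.setdefault(host, {})[(port, proto)] = state
    return result


def exposed_ports(scan, host):
    """Ports nmap could not show closed: 'open' and UDP 'open|filtered'."""
    return {pp for pp, state in scan.get(host, {}).items()
            if state.startswith("open")}


def audit_exposure(exposed, allowed):
    """Return (unexpected, missing): what is reachable but should not be,
    and what the forward list promises but the scan did not find."""
    return exposed - allowed, allowed - exposed


SSDP_ADDR = ("239.255.255.250", 1900)


def build_msearch(st="upnp:rootdevice", mx=2):
    """SSDP discovery request as defined by the UPnP Device Architecture."""
    return (
        "M-SEARCH * HTTP/1.1\r\n"
        f"HOST: {SSDP_ADDR[0]}:{SSDP_ADDR[1]}\r\n"
        'MAN: "ssdp:discover"\r\n'
        f"MX: {mx}\r\n"
        f"ST: {st}\r\n\r\n"
    ).encode("ascii")


def parse_ssdp_response(data):
    """Return lower-cased headers of a '200 OK' SSDP reply, else None."""
    head = data.decode("ascii", errors="replace").partition("\r\n\r\n")[0]
    lines = head.split("\r\n")
    if not lines or " 200 " not in lines[0]:
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


# Constructed reply of the kind a router with UPnP enabled sends back.
SAMPLE_SSDP_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"CACHE-CONTROL: max-age=120\r\n"
    b"ST: upnp:rootdevice\r\n"
    b"USN: uuid:00000000-0000-0000-0000-000000000000::upnp:rootdevice\r\n"
    b"EXT:\r\n"
    b"SERVER: Linux/2.4 UPnP/1.0 Example/1.0\r\n"
    b"LOCATION: http://192.168.1.1:1900/rootDesc.xml\r\n\r\n"
)


def probe_ssdp(timeout=2.0):
    """Send one M-SEARCH on the LAN and collect every device that answers.
    After UPnP has been disabled on the router, the list should be empty."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    sock.sendto(build_msearch(), SSDP_ADDR)
    found = []
    try:
        while True:
            data, addr = sock.recvfrom(65535)
            headers = parse_ssdp_response(data)
            if headers is not None:
                found.append((addr[0], headers.get("server", ""),
                              headers.get("location", "")))
    except socket.timeout:
        pass
    finally:
        sock.close()
    return found


if __name__ == "__main__":
    scan = parse_nmap_grepable(SAMPLE_NMAP_GREPABLE)
    exposed = exposed_ports(scan, "192.0.2.10")
    unexpected, missing = audit_exposure(exposed, HOWTO_MINIMUM)
    print("unexpected:", sorted(unexpected))
    print("missing:   ", sorted(missing))
    # Uncomment on the LAN to see whether the router still answers SSDP:
    # print(probe_ssdp())
```

<P >Run the scan from a host on the far side of the router (a shell account elsewhere, or a box on the WAN port) with <TT >nmap -sS -sU -p T:1-1024,8080,U:1900 -oG - ROUTER_WAN_IP</TT > and feed the output to <TT >parse_nmap_grepable</TT >; run <TT >probe_ssdp()</TT > from a machine on the LAN. Anything in <TT >unexpected</TT >, and any SSDP answer from the router's address, means one of the settings above did not stick. UDP 1900 showing as <TT >open|filtered</TT > is ambiguous by nature of UDP scanning, which is why the script flags it rather than ignoring it.</P ><P >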
You can ignore these older-firmware steps if you have 2.x or later firmware.</P ><DIV CLASS="procedure" ><OL TYPE="1" ><LI ><P ><EM >Disable AOL Parental Controls.</EM > Make sure <SPAN CLASS="guibutton" >AOL Parental Controls</SPAN > (under <SPAN CLASS="guimenu" >Security</SPAN >) is turned off (off is the default); otherwise the Linksys won't pass packets for your Unix box at all. Newer versions of the firmware don't have this misfeature.</P ></LI ><LI ><P ><EM >Disable Stateful Packet Inspection if you run a server.</EM > If you want to run a server and are running 1.42 or earlier firmware, you also need to make sure stateful packet inspection is off — this feature restricts incoming packets to those associated with an outbound connection, which blocks exactly the unsolicited connections a server exists to accept, and is intended for heightened security on client-only systems. If you run no servers, leave it on; it is the safer setting. On the <SPAN CLASS="guimenu" >Filters</SPAN > page, make sure <SPAN CLASS="guilabel" >SPI</SPAN > is off. If you don't see a radio button for SPI, relax — the feature isn't present in all versions of the firmware, and in fact was removed in 1.43 for stability reasons.</P ></LI ></OL ></DIV ></DIV ><DIV CLASS="NAVFOOTER" ><HR ALIGN="LEFT" WIDTH="100%"><TABLE SUMMARY="Footer navigation table" WIDTH="100%" BORDER="0" CELLPADDING="0" CELLSPACING="0" ><TR ><TD WIDTH="33%" ALIGN="left" VALIGN="top" ><A HREF="lostmanual.html" ACCESSKEY="P" >Prev</A ></TD ><TD WIDTH="34%" ALIGN="center" VALIGN="top" ><A HREF="index.html" ACCESSKEY="H" >Home</A ></TD ><TD WIDTH="33%" ALIGN="right" VALIGN="top" ><A HREF="upgradingfirmware.html" ACCESSKEY="N" >Next</A ></TD ></TR ><TR ><TD WIDTH="33%" ALIGN="left" VALIGN="top" >Lost the manual?</TD ><TD WIDTH="34%" ALIGN="center" VALIGN="top" > </TD ><TD WIDTH="33%" ALIGN="right" VALIGN="top" >Upgrading the firmware</TD ></TR ></TABLE ></DIV ></BODY ></HTML >