So my father is extra paranoid. In the past he wouldn't use a cordless phone lest hackers invade his DSL router through the phone. He's concerned of his router being hacked so curious what alternative would be recommended. Something that's reasonably straightforward to configure would be ideal. I've played with a basic Mikrotik router before with success. Also any input on how people get hacked primarily? His browsing is tame so does he have much to fear of an online attack or someone in the neighborhood trying something? I'd like to assuage his fears somewhat but am not versed in security methodologies. In particular he's concerned of DNS hijacking. Appreciate any advice that can be offered. He's also concerned if his 2Wire modem/router supplied by Bell in 2009 (2701HG-G model) is of particular vulnerability. He's debating on disabling the antennas on it and just using it as a modem to another router. He won't accept another router from Bell as they all have WPS and he doesn't believe that WPS can effectively disabled
Hey, I'm probably older and more paranoid than he is I don't use WiFi at all for anything important. And I have my LANs behind a pfSense router. It's basically an old desktop, with a used Intel gigabit server NIC card. pfSense has a nice webGUI, and it's as easy to use as most consumer routers. For the basic stuff, I mean, because it can do way more.
The most common cause of infection is manually opening infected files. If you are careful about what files you open, for example don't open random email attachments and keep Windows and vulnerable software updated, then it's very hard to get infected. You do not need to take extreme measures to avoid getting infected or hacked. There's no need to be paranoid.
I'd call him cautious and wise, not paranoid. I agree with Roger. What your father and you need to do is keep Windows and your security programs current and most of all, avoid being "click-happy" on unsolicited downloads, emails, links, popups, and attachments. It is important to remember the user is always the weakest link in security. And it is those who are not cautious or a little bit paranoid who put their computers, themselves, and others at risk! As for securing the router, as suggested by mirimir, if you don't need wifi, don't use it. This is particularly true if you live in a large apartment complex or crowded neighborhood where someone next door (or above or below you) could easily "see" your network and attempt to hack in. If you live in a house where the houses are spread out a bit, it is likely you know your neighbors so it would be a bit harder for them to hack your network without being caught. So for a stranger to hack your network, he would have be sitting in a car on your street and perhaps pointing a directional antenna at your house. And hopefully then that would earn him some unwanted attention. For someone to hack into your network via Ethernet, they must have physical access to your network. And hopefully even you would notice a stranger in your house with an Ethernet cable connected to his notebook and plugged into your router. Assuming you will be using wifi, be sure to change both the password and passphrase from the defaults to very strong ones that cannot be tied to your home or family. That is, don't use a passphrase that is your street address or dog's name. And you can disable SSID broadcasting but that does NOT provide any additional security. It only makes it a tiny bit harder for the honest person to see your wireless network. It is more for peace of mind. As for that Bell 2701HG-G, it needs to be replaced - ASAP. It only supports up to 802.11g and is woefully out of date. Get a new wireless router (or residential gateway) that supports 11ac. Preferably a simultaneous dual-band. Then use 5GHz when possible. Your dad is right to be concerned about WPS. Just another reason to get a "new" wireless router. On some older devices, WPS could not be disabled. Those issues were resolved with the latest devices. However, if still a concern, there are new routers that do not support WPS. Or, as a safe compromise, many support "push-button connect". Push-button connect does not use a "guessable" PIN. Instead, typically the user must physically push a button on the router. This then provides only a few minutes where the router will accept and grant access to one new wireless device. It will either time-out and disable after a set time (usually 5 minutes) or it will automatically disable once that single device connects. This is easy and more importantly, easy to control. If your dad is worried a bad guy might have sneaked in another wireless device, he can simply log into the Admin Menu using the Admin password to see the connected devices and verify they are only those he allows. I recommend you check your ISP's website for compatible router/modems, then buy one at Best Buy, Walmart or from Amazon, etc. In the US, ISPs cannot force us to rent one from them. I always recommend buying your own. This satisfies the paranoid in me as I know then my ISP did not code a secret "back door" into my device. Terms: Wireless router = integrated device that includes a router, WAP (wireless access point) and a 4-port Ethernet switch Residential gateway = integrated device that includes a router, WAP, a 4-port Ethernet switch and a modem (may also include VoIP) Password = word or phrase required to access the Admin Menu of the router Passphrase = word or phrase required to connect wireless devices to the WAP
@Bill_Bright - That's an excellent response! Yeah, I played at "war driving" some years ago. And yes, I was nervous about driving through neighborhoods at night, and stopping occasionally to check for accessible WiFi APs. Still, I imagine that it's far more workable with two people, one to drive and the other to work. I also played some with a Ubiquiti radio and parabolic antenna. With that, I could hit APs at a few km. But the dish is hard to hide.
DNS hijacking is an attack used in the past in the real world. It can used to infect devices, but also to redirect to fake banking site without infecting end point devices. One thing about router/residential gateway is support for acceptable-level security of connection between end-points and router. Second important thing is vendor support for firmware updates. Out-of-date firmware is an easy target for attackers.