4. Configuration hints

For security, do these things through the Linksys web interface (probably at http://192.168.1.1 on your network):

  1. Change your administrative password. On 15 June 2004 it was widely reported that turning off the remote admin feature doesn't work — you can still get at the administration page from the wireless side. This bug is still present in the 2.02 firmware, October 2004. It means that if you leave your password at default, any script kiddie can break in, steal your WEP, and scramble your configuration. The Linksys people get the moron medal with oak-leaf cluster for this screwup.

    (I don't know if this bug is still present in the 3.x firmware. It would be a good idea to check.)

  2. Make sure the DMZ host feature is disabled, under Applications+Gaming->DMZ Host, or in newer versions)Applications & Gaming->DMZ Host. It defaults off.

  3. Port-forward specific services instead of setting up a DMZ, and as few of those as you can get away with. A good minimum set is 22 (ssh), and 80 (http). If you want to receive mail add 25 (smtp). If you need to serve DNS queries, add 53. To serve identd so remote MTAs can verify your identity, enable 113.

  4. Disable Universal Plug and Play. Look under Password. There is a radio button for this under the "Password" tab; newer firmware versions put it under Administration+Management. UPnP is a notorious security hole in Windows, and up to at least firmware version 1.44 there was a lot of Web scuttlebutt that the Linksys implementation is flaky. While this won't affect operating systems written by competent people, there is no point in having traffic from a bunch of script-kiddie probes even reach your network.

There are two more steps for older firmware versions only. You can ignore these if you have 2.x or later firmware.

  1. Disable AOL Parental Controls. Make sure AOL Parental Controls (under Security) is turned off (off is the default); otherwise the Linksys won't pass packets for your Unix box at all. Newer versions of the firmware don't have this misfeature.

  2. Disable Stateful Packet Inspection. If you want to run a server and are running 1.42 or earlier firmware, you also need to make sure stateful packet inspection is off — this feature restricts incoming packets to those associated with an outbound connection and is intended for heightened security on client-only systems. On the Filters page, make sure SPI is off. If you don't see a radiobutton for SPI, relax — the feature isn't present in all versions of the firmware, and in fact was removed in 1.43 for stability reasons.