Safer Network

Hi, my network got hacked when I had SSID turned off, MAC filtering on, and security set to custom with Xfinity. They can't seem to do anything about it. I recently got a new router from them because the Wi-Fi toggle button disappeared, and sure enough it's done it again.
I am wondering which DOCSIS 3.1 router is extremely secure?
What should I pair it with, a managed switch or a hardware firewall? I'd like to get something that doesn't have an app so no one could remote in. In fact I'd like it so only my terminal could access my internet. Any solutions or ways to deal with this for someone with intermediate IT knowledge? Thanks for your help.

Are you sure they entered your network through Wi-Fi? That would require them to be physically near your AP.

A basic setup would be your own modem and some sort of router/AP combo. You could do an all-in-one, or you could do an OPNsense/pfSense router and an AP behind that.

1 Like

What? Wi-Fi was disabled? The SSID was hidden? Something else?

What? No idea what this means.

Who?

Are you describing one or two things here?

… your terminal? You have a mainframe? What are you talking about?

It’s very unclear what you’re describing. Please break each item down in clearer terms.

Merry Christmas :christmas_tree:

It is not my intent to steal any of level1's thunder, I appreciate their work quite a lot, but folks in my family have been plagued by these kinds of issues and I've had a helluva time working through it with them… so I made a series of videos for them to watch when setting up their routers to help them do it, and reduce the risk as much as possible. I think you might like it: https://www.youtube.com/watch?v=geHCLVZKhR8&list=PLK5UbXq39iVlrZN3LuXkgp0rQHfv-VVVY

2 Likes

Hidden SSID is what I got from that

1 Like

Still a guess though.

@ioridracu, if you're unsure about terminology, or if your router configuration is opaque (which is likely on an ISP-provided router), please post some screenshots of the config so we can piece it together.

1 Like

Hi @ioridracu, welcome to level1techs.

First of all, don't trust your ISP-provided network gear to work well, and especially don't rely on it for security, even of the most basic kind. The box your ISP has access to is for your ISP to secure; it's not meant to secure you from the internet, from your neighbors, or from your own misfortune or the misfortune of the people you live with. Everything it provides is insecure.

Read the above paragraph a few times until it sinks in.

Buy a router of your own and secure your own network as per your needs, then connect to whatever the ISP provides using Ethernet. Give your router maximum exposure to the internet: set up DMZ on their router (forwarding of all ports), disable stateful firewalling of IPv6 and so on… try to neuter their gateway as much as possible.

There are many different routers with different features. On paper I very much like this one: https://store.ui.com/products/unifi-dream-machine . I have some of their other products, and have used/developed/built ddwrt/openwrt/mikrotik/Cisco/Aruba/Google WiFi/Linksys/Asus/Netgear stuff (even had random boards shipped from China because I happened to be on IRC at the right time and someone needed driver help for some MediaTek stuff). I consider Ubiquiti products in general to be very noob friendly (wizards and clicky clicky tapy tapy stuff, almost zero touch needed). I also consider their stuff to have a decent feature set, to be reasonably performant compared to most other options, and to be reasonably secure on initial setup. And they have long-term update support as well. (Not paid by them, just speaking from lots of experience.)

2 Likes

I can’t disagree with a lot of what you’ve said, but there are a few things I’d add.

  1. Do you know what it looks like to block unnecessary traffic and to allow needed traffic? I thought I did years ago, and the more I investigated, the more evident it became what a gaping knowledge chasm existed between what I wanted and my ability to make it work in a way that was not like taking a second job. The video playlist I posted for you, and my family, is intended to get you at least half if not most of the way there. Knowing how the initial port setup should look, for your purposes, is the major step needed to get as far as you can go with it. After that, you can go deeper into blocking app-level protocols if your router's processor is capable of that. My free one can do some of that too, but not all.

  2. While ISP routers do leave a LOT to be desired, how much varies greatly. The router I'm using as a demo for my family is from Spectrum. It works if you set it up accordingly. However, other routers from other ISPs I've had have been straight up evil. AT&T has been the worst that I've worked with, so far.

  3. While it's also true that getting your own router is an important step if you really want maximum atomicity using your firewall's online traffic cop, that isn't always the most practical thing to do given the very high cost you get into buying ever more capable routers. The general rule I've experienced, which can be wrong, but for the past 10 years or so has held, is that more expensive routers have better documentation for blocking low "Application Level" protocols through packet inspection, and more expensive routers have ever greater processors more capable of inspecting that traffic without getting overwhelmed (i.e. preserving your given ISP speed). That's very nice if you have $400 to $800 lying around just for a router, and months to program it. It's a pretty unfriendly and challenging rabbit hole to go down, for example with something like an advanced Cisco business router, because of the documentation challenges that exist when it comes to reading very very long RFCs for internet standards, each of which is pages and pages long. However, you make up for it a little bit in the improved manuals and support you get from Cisco when you dive into a router like that.

The shorter answer is that ISP routers do what they say and don't do a ton of things they should do to keep you safer. However, there can be and are exceptions to those rules, such as is the case with this Spectrum router with limited but effective abilities, and with others I've seen, such as the one I used with FIOS several years ago (that may have changed, I don't know). Others are ridiculously far beneath what anyone would consider reasonable safety standards, such as the one you can currently get with service from AT&T in my home town.

Thank you

I'm only going off the terms in the router's default gateway. I mean, you go to the address bar and type in 10.0.0.1 and you get to the settings page of my ISP router; I am sure on a private router it's different, like a 19.2 or something. But if you go to settings under Wi-Fi you'll see a 2.4 and 5. Click on either; at the very bottom it says SSID or Network name. If the terms are something different for another router then forgive my ignorance, but I can only post what information I have available to me.

Thank you very much for the help, and sorry my explanation wasn’t clear.

HP thanks for the video link.

To answer your question, not really.
I have the list of ports but I haven't had need to go in and see what IPs are floating around or do anything with a command prompt.
I used to have to work at the IT help desk in my army unit, but that was basic printer and hardware repair. My current career is Character Artist, so it's far away from relating to network or cyber security.
I generally like Xfinity, but I mean, if I turned off broadcasting the Wi-Fi name, if I have complex 32-character passwords with numbers, letters and symbols, and have MAC address filtering on, I just don't know how it's possible for someone to get on my network.
I think I get your last point as well, and it makes a lot of sense to me.
Once again thank you for your help.

Bad actors might not be knocking on your router's door; there might be some bad code on a website, which may be how they gained access.
Or a piece of second-hand/used IT equipment may have been compromised.
Or a cellphone app could have malicious code, like advertisement stuff.

I’m not saying your routers haven’t been compromised, and if they have, by far and away the more likely method would be from the internet over the wire instead of the WiFi.

Yep, if you follow the video recommendations, it suggests using the guest network for wireless devices so ephemeral devices can’t get access to the management interface of your router…

The caveat to that is, when you use a wired connection those devices also have to be "on their good behavior too"… which often times they're not.

My parents' Roku, for example, after about a week or so hacks into the router and takes control of it, which really grinds my gears. It shouldn't do that, but Roku either doesn't manage their software well enough or there's some other problem leading to it doing that, none of which are acceptable.

One of the many gripes I have with non business routers is that there should be an independent port for configuring it apart from those you use for connected devices. This is par for the course on expensive business routers.

Alas, woe is me, lol :slight_smile:

I’m not sure I understand what you meant by the Roku “taking over” the router, but sounds like a replacement was needed if it had malware, unless it has a factory reset?

I don't know, I haven't gone down that road so far. The whole reason for making the playlist is because I am very tired of being my family's IT guy. They want me to solve all their problems for them, but I have more problems than they do by a very wide margin, and I really resent that I can't get them to take responsibility for knowing these things.

On the other hand, though, the only reason I know is because I have years of experience working with business class routers, non-consensually, while working to hold intranet web apps together and diagnosing problems ultimately associated with routing dysfunction.

I want them to know so I don't have to do it, but it's unreasonable for most people to be expected to know these things because, as I said earlier, it's an incredibly deep rabbit hole when you dig into it. I consider it basically criminal that all these things aren't completely transparent to average people on an average low-power free device. If they had a clue of the level of complexity and engineering that's in play, how many potential processes are at work, I think first they'd be very afraid, then they'd be very upset at the details being hidden from them.

The issue with the Roku can emanate from any of dozens of places. I am a fairly educated person but I live in a fairly uneducated town, where anyone anywhere can be messing with it at any time. It's stupid, but so much that's stupid and terrible is considered cool and fun by the endless bullies, peeping toms, and misanthropes that live on the internet. People and places of authority even reward the corrosive behavior instead of enforcing the kinds of basic safety expectations we enjoyed when we all used cable boxes in the 90's. This problem is a story of a larger degenerate pattern of acceptable operating standards and behavior at every level and in every place in society… in government, business, and private life, lol. One can only laugh and do their best to ignore it, haha. I don't know where to start…

Yeah, I would focus more on the IoT side of companies making stuff to a price point, with the minimum level of security that won't get them sued, then selling it with as little support/updates as they can,
because it's cheap disposable garbage, and people care less, until they get infected.

I believe it… that stupid Roku isn't cheap either. It's fully broken twice within a year. I think the owner paid over 100 bucks for it. That should last almost forever, as long as it's only used for playing videos and has no moving parts, lol. We've never used it for fuzzball or anything…

I just want to add one shameless self promotion to my post here.

There is about a decade of experience, highly highly distilled and condensed into the video playlist I posted. Its value, if it were on the market as a consulting service, is probably extremely high.

I apologize for the incredible boringness of it, but I promise if you make it to the end of all three videos you'll have a great "easy method" of setting up any router anytime in the future because the material is agnostic and made easy to understand.

I would like to get monetized, not as a lifestyle choice but just to make a few bucks on the side… someday for all the work that’s going into this for my family.

I still haven't gotten them to watch the videos, which is totally frustrating, lol.

It's also worth noting that application-level firewalling requires a lot of ongoing maintenance, and it doesn't sound like @ioridracu has a strong use case to spend that much time on it.

In other words, this magical "Intrusion detection cyber something deep inspector engine cyber appliance" b.s. is usually just marketing fluff… spare yourself the hassle.

Stick to basic stateful firewalling (i.e. allow incoming packets for connections originating from inside); you can get pretty far with just that.

1 Like
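As an added illustration of what the "basic stateful firewalling" rule in the post above means (this is example code written for this thread, not any router's or vendor's implementation), here is a small Python simulation: connections opened from inside are tracked, their replies are accepted, and any other inbound packet is dropped. The LAN prefix and the sample packets are constructed values.

```python
# Added example: a toy stateful firewall in the "allow replies to
# connections that originated inside, drop everything else inbound" style.
# Not real router code; LAN prefix and packets below are constructed.
from dataclasses import dataclass

LAN_PREFIX = "192.168.1."   # assumed inside (LAN) address range


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


class StatefulFirewall:
    """Tracks 5-tuples of connections opened from the LAN side."""

    def __init__(self):
        self.conntrack = set()

    @staticmethod
    def _is_inside(ip):
        return ip.startswith(LAN_PREFIX)

    def filter(self, pkt):
        outbound_key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        # A reply swaps src/dst, so look up the mirrored tuple.
        reply_key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if self._is_inside(pkt.src) and not self._is_inside(pkt.dst):
            self.conntrack.add(outbound_key)   # LAN host opened a connection
            return "ACCEPT"
        if reply_key in self.conntrack:        # answer to a tracked connection
            return "ACCEPT"
        return "DROP"                          # unsolicited inbound


def run_sample():
    """Constructed trace: outbound HTTPS, its reply, then two probes."""
    fw = StatefulFirewall()
    trace = [
        Packet("192.168.1.10", 50000, "198.51.100.5", 443),  # LAN -> web server
        Packet("198.51.100.5", 443, "192.168.1.10", 50000),  # server's reply
        Packet("203.0.113.9", 40000, "192.168.1.1", 80),     # probe at router admin UI
        Packet("203.0.113.9", 40001, "192.168.1.10", 50000), # wrong peer, same LAN port
    ]
    return [fw.filter(p) for p in trace]
```

Only the second packet gets in, because it mirrors a connection the LAN host opened; the two probes from outside are dropped even though one targets an already-used LAN port.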