Quote:
Originally Posted by rknichols
The point is that even though access is blocked from the external (WAN) interface (as is usually the case by default), a web site that you visit can cause your browser to access the router's management page via the local (LAN) interface. You can't block that without losing the ability to manage the router. Your only protection is by changing the password.
Right. And there are still random other similar vulnerabilities that we find out about all the time. Often associated with "features" that help make it easier to set up and/or reset a home router, but which can easily make the router vulnerable to any compromised computer within wifi range.
This is why I prefer to use a Debian box I've set up as a secured router rather than a home router appliance. No web interface for administration, just ssh (with passcode-protected ssh key authentication, not password authentication, of course, on a custom port). No special "features" to make it easier to remotely reset/administer the box. I switch on the monitor and log in directly if things are somehow too messed up for ssh to work.
I still have a commercial wireless access point attached to that Debian router, though. The point is, though, to try and keep that WAP simple and minimize the functions it's supposed to perform.
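An added example, not part of the post above or the poster's own configuration: a small audit of `sshd_config` text against the setup the post describes (key authentication only, no password authentication, non-default port). It assumes upstream OpenSSH defaults, ignores `Include` files and `Match` blocks, and adds a keyboard-interactive check that the post does not mention, since that method can also prompt for a password; the sample configs and function names are constructed for illustration.

```python
import re

# Upstream OpenSSH defaults for the keywords checked here (assumption:
# the distribution has not patched them).
DEFAULTS = {"passwordauthentication": "yes", "pubkeyauthentication": "yes",
            "kbdinteractiveauthentication": "yes"}
# Deprecated keyword that sshd treats as the newer one.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}

def effective_settings(config_text):
    """Return global sshd settings using sshd's first-value-wins rule."""
    settings, ports = {}, []
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = ALIASES.get(parts[0].lower(), parts[0].lower())
        value = parts[1].strip().strip('"') if len(parts) > 1 else ""
        if key == "match":
            break  # conditional blocks are out of scope for this sketch
        if key == "port":
            if value.isdigit():
                ports.append(int(value))  # Port may be given several times
        else:
            settings.setdefault(key, value.lower())  # first value wins
    for key, default in DEFAULTS.items():
        settings.setdefault(key, default)
    settings["port"] = ports or [22]
    return settings

def audit(config_text):
    """List deviations from the setup described in the post."""
    s = effective_settings(config_text)
    findings = []
    if s["passwordauthentication"] != "no":
        findings.append("password authentication is enabled")
    if s["kbdinteractiveauthentication"] != "no":
        findings.append("keyboard-interactive authentication is enabled")
    if s["pubkeyauthentication"] != "yes":
        findings.append("public key authentication is disabled")
    if 22 in s["port"]:
        findings.append("sshd listens on the default port 22")
    return findings

# Constructed sample configs (not from the post).
WEAK = "Port 22\n#PasswordAuthentication no\nPubkeyAuthentication yes\n"
HARDENED = ("Port 2222\nPasswordAuthentication no\n"
            "KbdInteractiveAuthentication no\nPasswordAuthentication yes\n")

if __name__ == "__main__":
    for name, text in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(text) or "matches the described setup")
```

On a live system, `sshd -T` prints the effective configuration including `Include` files, which is the authoritative input for a check like this. The passphrase on the private key is a client-side property and cannot be verified from the server configuration.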