I’ve got a Linksys BEFSR41 (4-port ethernet router, cables only) and because it doesn’t always play nice with my cable modem, I occasionally have to reset it. Because of this, I tend to leave its web-based maintenance program set to the default password (because if it’s on a non-default password, I tend to forget the password, and then I have to… reset it again). I can access this program from inside the firewall, but I was under the impression that nobody could even see the login screen to try a password if they weren’t in my house.
Am I deluding myself into a false sense of security? If someone could get through my router, they’d bump into ZoneAlarm, but I still ph33r my b0x would get Pwn3d. I mean, I’m worried that someone might use my computer for evil.
You’re right. The router setup can only be accessed from the internal LAN. The password protection is for people setting up a network in situations where a) they are concerned about teenage kids or other family members messing with the settings, or b) networks set up in public or semi-public places where anyone can access the network.
Be sure you have the latest firmware for this device. Older versions had the WAN admin side open by default. With a default password set, that means anyone could access your router!
It is a really, really, really, Bad Idea to leave default passwords on any network connected device. An extremely, horrible, terrible Not A Good Thing.
Example:
A script gets thru via an email attachment, visiting the wrong web page, the last MS screwup in IE, whatever.
The script checks what type of router you have, sees the Linksys, tries the default password, gets in and reconfigures it. Then it sets up an Evil Server on your PC (or any PC on your network) and people from outside can now do Whatever They Want on your computer. And you don’t want to know what these people will do with your computer.
So always change the default password. Write it down and tape it to the router if need be.
I understand the threat from the inside, and I do my best to keep my nose clean on that score (no e-mail attachments, everything patched well, etc. etc.). And your idea for taping the password onto the hardware is brilliant. Given how little trouble it is (and how much more secure it makes me), I’ll implement that solution as soon as I get home tonight. Thanks!
What I am really curious about is the external threat – assuming my router’s firmware is the latest version, am I really safe from external attack? Fat Bald Guy seems to think so, and I’m inclined to believe him unless someone says otherwise.
The scenario I want to avoid is someone pinging my address and “seeing” a Linksys router, then using some cunning script to do an end-run around it.