
Tutorial: Secure Your Network With Tomato

post #1 of 14
Thread Starter 
This is going to be a tutorial to show you how to secure your network using the Tomato firmware. This is not a comprehensive tutorial on every aspect of Tomato, but rather focuses on the security.

This tutorial is going to assume that you have a router that can be flashed with the Tomato firmware. The routers that Tomato is capable of running on (as of April 2009) are the following:
Code:
Linksys:

 WRT54G v1-v4
 WRT54GS v1-v4
 WRT54GL v1.x
 WRTSL54GS (no USB support) 

Note: Most WRT54G and WRT54GS (not WRT54GL) sold in stores right now are the
v5.0+ variety and will not work with Tomato.

If you want to buy a Linksys router, then you definitely want to buy the WRT54GL.

Buffalo:

WHR-G54S
WHR-HP-G54
WZR-G54
WBR2-G54

Asus:

WL500G Premium

The SparkLAN WX-6615GT also is reported to work.
If you have one of the above routers you should definitely give Tomato a try. In my opinion, it is simpler, yet as fully functional as DD-WRT, while being more lightweight. Like DD-WRT, it runs a Linux kernel (which means it is really just a very small Linux distro). I am going to assume that you know how to flash the router with the firmware. If you don't, then go here. Once flashed, you should be able to log in to your router by entering http://192.168.1.1 or whatever address your router used before.

Here is a screenshot of the introduction screen:



For brevity, I am not going to discuss the "Status," "Bandwidth," or "Tools" menus, as they are self-explanatory and not related to security. But you might want to go through them to make sure everything looks to be recognized properly.

I will start with the "Basic" menu. Click on it, and then on "Network." Under WAN/Internet, the settings are self-explanatory. You will probably want to use DHCP and keep the MTU at default. Under LAN, you can change the router's IP address, but I see little point in doing so.

Now for the first security tip, next to "IP Address Range" only allow a number of IP addresses to be assigned that are equal to the number of machines on the subnet. If you are using Tomato for, say, one wired machine and one wireless machine, then set the allowable IP addresses to something like

Code:
192.168.1.100 - 192.168.1.101
This will only allow 2 machines to be active at once on the network. The router will not allow any more IPs to be assigned. See the example below:


Now, move down to the "Wireless" section (still under Basic --> Network). Obviously you will only enable this if you have a need for wireless. If you do need it, then click "enable." If you don't need it, be sure to uncheck the box. Now, for "Wireless Mode" select Access Point. For "B/G mode" it is recommended to leave it "Mixed" but I prefer to keep it on "G Only" because my wireless adapter supports G (as most do). Under SSID, set it to whatever name you want to be broadcast. Under that you can check whether you want it to be broadcast at all (I recommend letting it broadcast). Next under "Channel" just select a channel that no neighbors are on.

Now, for the important part. The "Security" setting is going to depend on what your wireless adapter can handle (look in the instruction manual or Google if you don't know). If your adapter can handle WPA2, then you should definitely use that (select WPA2 Personal). If not, then use WPA Personal. If you are stuck with an ancient adapter that only can handle WEP, then enable that (though WEP sucks and is easy to crack). Now, for "Encryption" select AES. AES is pretty much the standard in strong encryption today and has been approved by the NSA for TOP SECRET data. It will not be broken in our lifetimes (but if it is broken it will be big news and everyone can switch).

Here is perhaps the most important part of wireless security: selecting a strong key. Here is a nice function of Tomato: next to "Shared Key" hit the "random" button. This will automatically generate a pseudo-random pass-key that is 60 characters in length. To brute force a pass phrase of this size would take longer than the age of the universe even if using every computer on earth (see the post in my sig for more detail).

You may ask, how will I remember this? You don't have to. Simply write the key down (or print it) and transfer it to your wireless PC. Most adapters will store the key so you don't have to enter it each time. What I did was e-mail the key to myself, then opened the email on my wireless PC and cut and pasted it. This way, I didn't have to enter it manually. I am not worried about my e-mail being "intercepted," but if you are, then encrypt your email or simply enter the pass key manually.

Once done with this, be sure to click SAVE.

Here is what my "Wireless" screen looks like:


Now, moving on. Click on Basic ---> Static DHCP. You don't have to do this, but I prefer both of my PCs to always have a static IP address. Simply enter your computer's MAC address, then enter the IP address you want it to always have (it has to be an address within the range you specified under "IP Address Range"). Then enter the hostname for the PC and click add. Do this for however many PCs you have. Save when done.

Now, click on Basic ---> Wireless Filter. Click on "Permit Only the Following Clients." Here you ONLY want to allow however many wireless PCs you have. So, if you only have 1 PC connecting wirelessly, then enter its MAC address and its "Description" (for this I entered the hostname). This will enable MAC filtering, which is not all that great of security by itself, but is a smart thing to do to stop casual intruders. Now, click save and let's move along.

Click on Advanced ---> Firewall. The firewall in Tomato is always enabled, but let's check it to make sure. If you want every inbound packet blocked, then uncheck "Respond to ICMP Ping." I have all of the three options unchecked. As for NAT Loopback, I have it set to "Forward Only" which is probably desirable for most people. NOTE: If you are a Linux guru and are familiar with IPtables rules, you can write your own custom firewall rules, though I see little reason to do so for a home network, as everything is already blocked on the inbound side by default.

Now click on Advanced ---> Wireless. Most of these settings have nothing to do with security, so I will skip them. The one that is important for our purposes is the "Maximum Clients" option. Here you want to set this to however many wireless PCs you will have connecting to the router. In my case, I only have one, so I set it to "1." This will make it so that as long as your wireless adapter is actively connected, no other wireless client can be connected at the same time.


Now, let's move down to Administration ---> Admin Access. At this screen, the first option is "Local Access". I prefer to change it to HTTPS, and put the port on 443. Now, here's the important part -- if you will NOT be connecting to your router from a remote location, then be sure to set "Remote Access" to DISABLED. Below this option is an option to "Allow Wireless Access." What this does is allow someone connected wirelessly to administrate the router. I prefer to leave this UNCHECKED. If I want to administrate the router, I will simply do it from my main wired box.

Now, for perhaps the most important security option of all: Under "SSH Daemon" you have the option to allow ssh connections or turn it off completely. The main reason you might want SSH is if you want to open a shell within your router for advanced configuration. If you have no need for this, then turn it OFF. If you choose to turn it off, then ignore the next couple of paragraphs. (Be sure to click Save when done).

If you DO want ssh access to the router, then click "Enable at Startup." Now, the biggest decision here is whether you want to be able to access SSH from the outside. If you do NOT need to access the router from outside the network, then be sure to UNCHECK "Remote Access." If you do want to access it remotely, then check the "Remote Access" box and change the Port to something other than 22 (port 22 is scanned constantly on the Internet).

Here is another big security enhancement. Uncheck the box "Allow Password Login." What, you say? Do not allow a password login? That's right, uncheck that box. Instead of using a password, you want to use a DSA or an RSA key. You will have to generate this key outside of Tomato. How to do this depends on what OS you are using. For Windows, click here. When you generate the key, then cut and paste the public key into the "Authorized Key" box in Tomato. (For Linux, simply install ssh, and then run from the terminal "ssh-keygen -t rsa" -- then navigate to /home/username/.ssh/id_rsa.pub. Open id_rsa.pub and cut and paste the key into the "Authorized Keys" box in Tomato. You can also create a DSA key instead of RSA and even change the key length).

Once you get the keys set up, then you simply open a terminal and type "ssh root@name_of_your_router". That's it, it will not prompt you for a password because you are now using an SSH key.

Now, still on the same screen, look at "Remote Web/SSH Admin Restriction." If you plan to administer your router from the outside, then next to "Allowed IP Address" enter the IP address that you want to be allowed to connect (for more than one, separate them by commas). All IP addresses not listed will automatically be blacklisted.

Here's how I have mine set up. I have it set where SSH is ONLY allowed locally. If you need it remotely, again, follow the directions above.


Under "Telnet Daemon," I recommend EVERYONE turn this OFF.

Under "Password" set your administrator password. Make it something strong, but also something you can remember.

Now click Save. You will probably also want to reboot the router.

That's it. This tutorial should provide more than adequate security for a wireless network, making your network far more trouble to crack than it's worth.
Edited by thiussat - 4/8/09 at 7:50pm
post #2 of 14
Very Nice Tutorial, +rep for you man.
post #3 of 14
Great tutorial, it's a shame I can't use it. I got a v5.

I'll have to look around. If I can find a newer Linksys router with wireless N that I can use custom firmware with it may be worth the upgrade.

Quote:
Broadcom BCM5352EKPB Chipset - Switched to VxWorks OS and reduced Flash Memory and RAM; not compatible with most 3rd party firmware. Then, Vxworkskiller (by bitsum.com) was created, which restores compatibility with some 3rd party firmware. Since less physical RAM is available in this and future models, the 3rd party firmware (popular opensource projects) were modified into special "micro" versions

Edited by Redmist - 5/29/09 at 11:50am
post #4 of 14
I followed your instructions - very clear by the way - and now get the message that the link is broken and I can't log into the router. It appears to be working, I just can't get to it any more. Any suggestions?
Thanks
post #5 of 14
Try to power cycle the router by unplugging it for thirty seconds and plugging it back in.
post #6 of 14
Did that -
No joy -
Perhaps a hard reset...
post #7 of 14
Quote:
Originally Posted by lockrob2000 View Post
Did that -
No joy -
Perhaps a hard reset...
Have you switched admin access to HTTPS as the tutorial suggests? If so, you will need to use: https://192.168.1.1 instead of http.
post #8 of 14
Can Tomato be used on a WRT54G2 v1? Currently I used dd-wrt but I hear tomato is faster.
post #9 of 14
bump for a great guide
post #10 of 14
I've been playing around with my Tomato firmware lately, but there are a couple things I can't figure out. First of all, I got the passwordless ("Authorized Keys") bit working thanks to this thread, but only for one of the two computers I want to access it from. Do you know what Tomato expects between the two keys? Just on the next line? Does it matter? Can more than one key be in the authorized key list?

I also got Transmission bittorrent daemon (via ipkg) working, but I don't really like the idea of it running as root the whole time. I managed to add a new user, but couldn't figure out how to define/change his password, which would be ideal as the torrent client has a web gui. Typical linux commands for this (changing password) don't seem to work.

Any suggestions are appreciated!
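As an added example (not code from the thread or from Tomato), this checker tests the text you intend to paste into the "Authorized Keys" box described in the tutorial's SSH step: it parses OpenSSH-style public key lines of the kind ssh-keygen writes to id_rsa.pub, confirms the base64 blob really carries an ssh-rsa or ssh-dss key of adequate size, and flags the problem asked about in the post above, two keys run onto one line instead of one key per line. The one-key-per-line format and the 2048-bit floor are assumptions; make_rsa_line builds a constructed test blob, not a real key pair.

```python
import base64
import struct

# Assumption: Tomato's "Authorized Keys" box takes OpenSSH-style lines,
# "<type> <base64 blob> [comment]", one key per line (ssh-keygen -t rsa / -t dsa).
FIELD_COUNT = {"ssh-rsa": 3, "ssh-dss": 5}   # type, then e n  /  p q g y

def _wire_fields(blob):
    # Split an SSH wire-format blob into its uint32-length-prefixed fields.
    fields, off = [], 0
    while off < len(blob):
        n = struct.unpack(">I", blob[off:off + 4])[0] if off + 4 <= len(blob) else -1
        if n < 0 or off + 4 + n > len(blob):
            raise ValueError("key blob is truncated or corrupt")
        fields.append(blob[off + 4:off + 4 + n])
        off += 4 + n
    return fields

def parse_pubkey_line(line):
    """Return (type, size_bits, comment) for one line, or raise ValueError."""
    parts = line.split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64 blob> [comment]'")
    key_type, comment = parts[0], (parts[2] if len(parts) == 3 else "")
    if key_type not in FIELD_COUNT:
        raise ValueError("unsupported key type %r" % key_type)
    if any(tok in FIELD_COUNT for tok in comment.split()):
        raise ValueError("two keys on one line; put each key on its own line")
    fields = _wire_fields(base64.b64decode(parts[1], validate=True))  # bad base64 -> ValueError
    if len(fields) != FIELD_COUNT[key_type] or fields[0] != key_type.encode():
        raise ValueError("blob does not contain a %s key" % key_type)
    size = fields[2] if key_type == "ssh-rsa" else fields[1]   # RSA modulus n / DSA prime p
    return key_type, int.from_bytes(size, "big").bit_length(), comment

def check_authorized_keys(text, min_bits=2048):
    """Validate pasted authorized_keys text; return (accepted, problems)."""
    accepted, problems = [], []
    for no, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        try:
            key_type, bits, comment = parse_pubkey_line(line)
            if bits < min_bits:
                raise ValueError("%s key is only %d bits" % (key_type, bits))
            accepted.append((no, key_type, bits, comment))
        except ValueError as err:
            problems.append((no, str(err)))
    return accepted, problems

def make_rsa_line(bits, comment):
    """CONSTRUCTED test input: ssh-rsa blob with a modulus of the given size; not a real key pair."""
    def mpint(v):
        b = v.to_bytes((v.bit_length() + 8) // 8, "big")  # leading 0x00 if top bit set
        return struct.pack(">I", len(b)) + b
    blob = struct.pack(">I", 7) + b"ssh-rsa" + mpint(65537) + mpint((1 << (bits - 1)) | 1)
    return "ssh-rsa %s %s" % (base64.b64encode(blob).decode(), comment)
```

Run check_authorized_keys() on the contents of your own id_rsa.pub files before pasting; anything listed under problems would either be rejected by the router or silently ignored.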