Skip to main content

Manuale Utente (Inglese)

Keenetic router security

Keenetic devices have a built-in Firewall with connection control and attack prevention and a network address translation (NAT) mechanism enabled by default. They restrict incoming connections from the Internet or the WAN interface to home network devices. It allows you to hide and protect your network devices from other people and threats from the Internet. The access to the Keenetic router (to its web interface) from the Internet is blocked by default. It is implemented to guarantee the security of the router, local network, and protection against unauthorized access.

As for the security of information on the Wi-Fi network, the Keenetic router's wireless network is protected by IEEE 802.11i (WPA2 AES) security standard by default. It is impossible to connect to such a network and read the information transmitted without its password (security key).

Starting from KeeneticOS version 3.1, the up-to-date security algorithms (WPA3-PSK, OWE, WPA/WPA2/WPA3-Enterprise, and WPA3-192 Enterprise) were implemented to provide improved protection for wireless Wi-Fi network. See the article 'Latest Wi-Fi security: WPA3 and OWE setup' for details.

The Keenetic devices also support the IEEE 802.11w standard from the IEEE 802.11 series of standards for Protected Management Frames. This functionality enhances security by ensuring data privacy within management frames.

Importante

With the factory settings, the router is fully protected from attacks and threats from outside and requires no additional configuration other than creating a complex* administrator password for the router. Architecturally, the router's services do not use any constantly open ports or backdoors that hackers can use.

To ensure the safety of the Keenetic router, we recommend you check updates regularly and install them in time. Use the automatic OS update function (enabled by default). If you have an up-to-date version of KeeneticOS installed on your device, you will not have to waste time updating it.

Keep your information secure — do not share your router administrator's password with strangers.

* — A complex (secure) password is a password that is difficult to guess and takes a long time to be found by a brute force attack.

When using our KeenDNS service, the digital certificate and the HTTPS private key are stored directly on the destination device (router). With access via a cloud server, using the HTTPS protocol, a secure tunnel is built to the router; it ensures the security and confidentiality of data transmitted over the Internet. The session is established using end-to-end encryption. This means that information transmitted between the router and browser via HTTPS is not available to KeenDNS cloud servers that provide transport layer data transmission. With cloud access over HTTP, a secure channel is established between the router and the KeenDNS server using the KeenDNS digital certificate, which also guarantees data security and protection against interception.

Be careful when using 4-th level KeenDNS domain names for remote access to network devices. Some devices have a public web interface that is free to access without authentication (no password). It is not safe to open remote access to such a device using KeenDNS. You can enable forced authentication in the KeeneticOS for remote access to such devices through the router.

However, the user can create a security vulnerability (a loophole) by configuring the router by himself. Especially it concerns setting up firewall rules, port forwarding, remote connection to the router, access to home network resources, and Wi‑Fi wireless/guest network settings.

In theory, a potential attacker can access the router remotely (from an external WAN interface, such as the Internet or ISP network) or locally (for example, from a Wi-Fi router network). It is the user's responsibility to ensure that the device is not accessible to unauthorized persons.

Importante

Do not use an open Wi-Fi network (without protection) unless necessary; it is not secure, as your network will be free to connect to other clients, and there is no encryption of the transmitted data in open networks.

If you use a private IP address to access the Internet, you don't have to worry about extra protection for your router from Internet attacks. With a private IP address, the router is not accessible from the Internet for direct access. In addition, by default, external access is prohibited by the firewall and network address translation (NAT) mechanism. It is enough to set a complex password for the router's administrator account (admin).

When using a public IP address, you should use additional security rules. In this case, the router is visible on the Internet, and various threats and attacks are possible against it.

Importante

Starting with KeeneticOS 3.4.6, the digital certificate for the firmware signature on the cloud infrastructure and Keenetic devices is periodically renewed. Previous digital certificates are then revoked. This is done to improve the security of KeeneticOS updates and Keenetic services.

Extra protection instruments:

  • Set a complex admin password for the router that is at least 8 characters long; Generate random passwords; Include numbers and other characters in the password; Avoid using the same password for different sites or purposes; Check the password strength here; Use a password manager to create complex passwords;

  • Use a strong password to connect to your Wi-Fi network. The default router has a strong password that's hard to guess and take a long time to find by a brute force attack;

  • Register all your devices in the router, and set a 'No Internet' access profile (to deny access to all unregistered devices) or speed limit for unregistered devices;

  • Use one of the pre-installed Internet filters (SafeDNSAdGuard DNSCloudflare DNS, NextDNS) for secure Internet access, to protect all home devices from dangerous sites, online services, and other threats;

  • To protect DNS traffic, you can use protocols DNS over TLS and DNS over HTTPS, which allow you to encrypt DNS requests. Support for these protocols is available from KeeneticOS version 3.0. Their main purpose is to encrypt DNS traffic to prevent interception and provide additional privacy and security. You can find more information in the 'DNS-over-TLS and DNS-over-HTTPS protocols to encrypt DNS queries' instructions;

  • You can use the Wi-Fi Access Control feature by creating a 'White List'. In this case, the router will block the connection for all clients that are not on this list;

  • If you need to provide temporary Internet access to third parties, use the Wi-Fi Guest Network for this purpose. This is a separate network with Internet access only. At the same time, devices connected to the Guest Network will be isolated from the resources of your home network to protect and secure it from viruses and malware, for example, contained on the devices of your friends;

  • You can disable the WPS Quick Setup feature to improve the security level of your Wi-Fi network;

  • To improve local network security, you can use our Keenetic mobile app to send notifications of a new unregistered device connecting to the network to your e-mail address, via push notifications (notifications from the Keenetic app on your mobile device) or as a Telegram messenger alert. For more information, please refer to the 'Setting up notifications to turn on / turn off a certain home network device' guide;

  • To connect to the router via a third-party application, we recommend creating a dedicated user account, only allowing access to the desired server (e.g. SMB USB storage only, WebDAV server or VPN server). For security reasons, do not use a router administrator account, apply a user account with restricted rights.

  • The Hide SSID function enables the wireless network's hidden SSID mode. If you use it, the name of your Wi-Fi network won't be displayed in the list of available wireless networks on users' devices (no SSID will be visible), but users who know the network exists and know its name will be able to connect to the network.

Also for devices with a public IP address for Internet access:

  • Do not allow remote access from the Internet to the Keenetic web interface over HTTP and even more so over TELNET unless necessary;

  • We recommend changing the standard control ports of the router. For example, change the control port via HTTP from 80 to 8080, and the control port via TELNET from 23 to 2023; Enable the use of a remote connection to the router web interface only via the HTTPS protocol (this feature is implemented from KeeneticOS version 3.1);

  • Starting from KeeneticOS version 2.12, the SSH (Secure Shell) server was added, allowing us to connect to the router command line securely. We recommend using an SSH connection instead of TELNET when connecting to the device from the Internet. Change the standard SSH control port from 22 to another, e.g., 2022;

  • For remote access to the local network, including network devices (e.g., IP camera, network media player, or USB drive), we recommend using a VPN server on Keenetic (e.g., L2TP/IPsec, WireGuard, SSTP or PPTP) rather than opening access using port forwarding rules. In this case, create a separate user account to connect to the VPN and use a complex user password. In the 'VPN types in Keenetic routers' manual, you will find a brief description of all types of VPNs that are implemented in our routers;

  • If you're not using the UPnP service, disable it. In this case, you will be sure that NAT rules and firewall will not be automatically created. For example, the UPnP service may use malware from the localhost;

  • In some cases, you may need to open certain ports manually (set up port forwarding). In port forwarding, we recommend you open only certain ports and protocols that are required for the server or network device to operate, rather than forwarding all ports and protocols to a LAN host;

  • When using forwarding rules and the firewall, it is possible to restrict access, for example, by allowing access from only one IP address or a specific subnet while prohibiting all others;

  • If necessary, you can use firewall rules to block access to the router's web interface for certain LAN hosts, block Telnet connections, allow only certain LAN computers to access the Internet and block access for all others, etc. For more information, see the Firewall rule examples tutorial;

  • Do not allow ping requests on the firewall for all users on the external network (from the Internet).

Suggerimento

  1. Keenetic routers have support for different types of VPN connections for all occasions and any connection: Wireguard, IPsec, SSTP, PPTP, OpenVPN, L2TP/IPsec, and the so-called IPSec Virtual Server (Xauth PSK). You can find more details in the article 'Types of VPN in Keenetic'.

  2. Starting from KeeneticOS version 2.08the protection of the router against robots searching for passwords was improved (protection against the brute force attack). The protection is used for external interfaces of the device via HTTP (TCP/80) and Telnet (TCP/23) protocols. By default, this protection is enabled in the router. If someone enters incorrect login credentials to the router 5 times within 3 minutes, his IP address will be blocked for 15 minutes.

  3. Starting from KeeneticOS version 2.12, it is possible to set parameters for tracking intrusion attempts by searching SSH and FTP server passwords for public interfaces (by default, the function is enabled).

  4. The OpenSSL library is continually updated.

  5. Starting from KeeneticOS version 3.1, we added the ability to set parameters for tracking intrusion attempts by searching passwords of the PPTP VPN server (by default, this feature is enabled).

  6. In Keenetic, all potentially vulnerable WPS options are disabled (Pin-code usage is disabled by default, and the Pin-code entry algorithm is specially modified against hacking). Support for the WPSv2 mechanism and protection against all known vulnerabilities related to WPS protocol (including Pixie Dust attacks) are used.

  7. In KeeneticOS, protection against WPA2 KRACK vulnerability (WPA2 protocol vulnerability known as KRACK key reinstallation attack) was improved.

  8. As for attacks like 802.11r Fast-BSS Transition (FT) CVE-2017-13082, they do not affect Keenetic routers, which support the IEEE 802.11r standard.

  9. Keenetic routers are not vulnerable to CVE-2017-7494 (WannaCry, SambaCry).

  10. Protection against DoS and SYN-flood attacks is in the Linux kernel used by the router operating system.

    Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks are based on opening many connections to the device. DDoS attacks are indistinguishable from peer-to-peer network operations in terms of the object to which they are directed. Due to its features, DDoS attacks and protection against them are of low relevance for both home access devices and the SOHO segment. DDoS attacks are usually aimed at corporate structures, public sites, data centres, etc. Distributed denial of service attacks is usually effectively resolved on the ISP side.

  11. Starting from KeeneticOS version 3.1, the 'HTTPS Access' mode is implemented — prohibiting direct access to IP addresses and router domain names without a certificate.

  12. Starting from KeeneticOS version 3.4.1, the blocking of attacks like DNS Rebinding is implemented in routers, and it is enabled by default.

  13. KeeneticOS 3.6.6 adds fixes for Wi-Fi network security vulnerabilities known as FragAttacks (Fragmentation and Aggregation Attacks): CVE-2020-24586, CVE-2020-24587, CVE-2020-24588, CVE-2020-26139, CVE-2020-26140, CVE-2020-26146, CVE-2020-26147. The update applies to all KN-indexed models.

  14. From Keenetic release 3.7.1, KeeneticOS clears active management sessions via the Keenetic web interface and mobile app to improve security after a change in user credentials.

  15. From KeeneticOS 3.7.1, password brute force protection is implemented for remote access to the device via the KeenDNS domain name in the cloud mode.