1 3 3 7 4 2 0 6 6 6 1 3 3 7 4 2 0 6 9 6 6 6 1 3 3 7 4 2 0 6 6 6 4 2 0 1 3 3 7 6 9 6 6 6 4 2 0 1 3 3 7 6 9 6 6 6 4 2 0 6 9 1 3 3 7 6 6 6 4 2 0 6 9 1 3 3 7 6 6 6 4 2 0 6 9 6 6 6 1 3 3 7 4 2 0 6 9 6 6 6 1 3 3 7 4 2 0 6 9 1 3 3 7 6 6 6 4 2 0 6 9 1 3 3 7 6 6 6 4 2 0 6 9 1 3 3 7 6 6 6 6 9 4 2 0 1 3 3 7 6 6 6 6 9 4 2 0 1 3 3 7 6 6 6 4 2 0 1 3 3 7 6 6 6 6 9 4 2 0 1 3 3 7 6 6 6 6 9 4 2 0 6 9 1 3 3 7 4 2 0 6 6 6 6 9 1 3 3 7 4 2 0 6 6 6 6 9 1 3 3 7 6 6 6 6 9 4 2 0 1 3 3 7 6 6 6 6 9 4 2 0 1 3 3 7 6 6 6 4 2 0 6 9 1 3 3 7 6 6 6 4 2 0 6 9 1 3 3 7 6 6 6
Logo SCHEISSSEWASSER.XYZ
GUIDE NETWORK ROUTER

ROUTER_SECURITY

Secure your home network. FritzBox, AVM, and general router hardening. WiFi security, firewall, remote access.

INTERMEDIATE FRITZBOX FOCUSED NETWORK HARDENING
Router Security

WHY ROUTER SECURITY IS YOUR FIRST DEFENSE

Your router is the gateway to your entire network. If compromised, attackers can:

  • Monitor all traffic: See every website you visit, even with HTTPS
  • Inject malware: Replace downloads with malicious versions
  • Access devices: Exploit vulnerable devices on your network
  • Use your network: Route illegal activity through your connection

STEP 1: ROUTER BASICS (ALL ROUTERS)

CHANGE DEFAULT CREDENTIALS IMMEDIATELY

Routers ship with default passwords like "admin/admin" or "admin/password". These are publicly known and the first thing attackers try.

Common defaults to change:

  • • admin/admin
  • • admin/password
  • • admin/1234
  • • root/admin

UPDATE FIRMWARE

Router firmware contains security updates. Outdated firmware = known vulnerabilities.

AUTOMATIC UPDATES

  • • Enable if available
  • • Set to check daily
  • • Reboot when prompted

MANUAL UPDATES

  • • Check manufacturer site monthly
  • • Download from official source only
  • • Verify checksums

DISABLE REMOTE MANAGEMENT

Remote management lets you access router settings from outside your network. It's rarely needed and often exploitable.

  • Disable: "Remote Admin", "Web Access from WAN", "Remote Management"
  • If needed, use VPN + LAN access instead
  • Never enable telnet (use SSH if needed)

STEP 2: WIFI SECURITY

USE WPA3 (OR WPA2-AES)

WPA3 is the latest WiFi security protocol. If unavailable, WPA2-AES is minimum.

WPA3

Best. Use if available.

WPA2-AES

Acceptable minimum.

WEP/WPA-TKIP

Broken. Never use.

ENABLE GUEST NETWORK

Guest WiFi isolates visitors from your main network. They get internet but no access to your devices.

  • • Separate password for guests
  • • Isolates guest devices from LAN
  • • Use for IoT devices when possible
  • • Can be on timer (disable when not in use)

SHOULD YOU HIDE YOUR SSID?

Short answer: No. Hiding your SSID doesn't add security.

  • • Hidden networks are still visible to anyone with WiFi tools
  • • Devices "probe" for hidden networks, revealing them anyway
  • • Can cause connection issues
  • • Your security comes from WPA3 + strong password, not hiding

STEP 3: FRITZBOX HARDENING (AVM)

FritzBox routers are popular in DACH regions. They're generally secure out of the box, but these settings improve security:

FRITZBOX SECURITY SETTINGS

Access via fritz.box or router IP

Home → Network → Network Settings

  • • Enable "Airtime Fairness" (prevents WiFi hogging)
  • • Disable WPS (push button has vulnerabilities)

Home → System → FRITZ!OS Users

  • • Change default "fritz" password
  • • Create separate user for guests
  • • Disable unwanted services (NAS, media server)

Home → Internet → Permit Access

  • • Disable "MyFRITZ" if not used
  • • Review port forwarding rules
  • • Disable incoming connections unless required

Home → Home Network → Mesh

  • • Review mesh/repeater settings
  • • Only allow known devices

MYFRITZ REMOTE ACCESS

MyFRITZ allows remote access to your router. It's convenient but adds attack surface.

  • • If you don't need remote access: DISABLE IT
  • • If needed: Use unique, strong password
  • • Consider VPN instead of MyFRITZ

KEEP FRITZ!OS UPDATED

FritzBox updates are automatic but check manually:

Home → System → Update

  • • Check for new FRITZ!OS
  • • Enable automatic updates
  • • Review changelog for security fixes

STEP 4: DNS SETTINGS IN ROUTER

Change your router's DNS to block ads/malware at the network level. All devices benefit.

CLOUDFLARE

1.1.1.1
1.0.0.1

QUAD9

9.9.9.9
149.112.112.112

ADGUARD

94.140.14.14
94.140.15.15

Set in: Internet → DNS Settings (varies by router)

STEP 5: FIREWALL RULES

Most routers have SPI firewall enabled by default. Verify and configure:

  • • Ensure "SPI Firewall" or "Stateful Packet Inspection" is ON
  • • Block incoming ICMP ping requests (prevents network discovery)
  • • Review port forwarding - only forward what's absolutely necessary
  • • Enable "Stealth Mode" if available (drops unsolicited packets)

STEP 6: IOT DEVICE ISOLATION

IoT devices (smart bulbs, cameras, speakers) are notoriously insecure. Isolate them:

GUEST NETWORK

Put IoT on guest WiFi. Can't access main network.

VLAN (if supported)

Create VLAN for IoT. Advanced but more flexible.

SECURITY CHECKLIST

ADVANCED: CUSTOM FIRMWARE

For advanced users, custom firmware like OpenWrt or DD-WRT provides more control:

OPENWRT

  • • Full Linux environment
  • • Active development
  • • Supports many routers
  • • Steep learning curve

DD-WRT

  • • User-friendly interface
  • • Broad hardware support
  • • VPN server/client built-in
  • • Check compatibility first

WARNING: Installing custom firmware can brick your router. Only attempt if you know what you're doing and your router is supported.

AVM FritzBox → OpenWrt → ShieldsUP! Port Scan →