Home Network | PC | Wallet security - Step-by-Step GUIDE


#1

The following is a step-by-step guide on securing your home network. This guide borrows basic network security principles as well as those outlined in the SEC security bulletin. This guide makes 2 assumptions:

  1. You are in a home office environment.
  2. You do not have the equipment or means to set up a Windows domain. (For the Windows domain guide click here: Link to come)

Step 1: Physical Security

This may seem obvious or unnecessary, but the first layer of security is always the physical layer. Specifically, if you live with roommates or in a shared space you are going to want to restrict physical access to your edge devices (your modem, router, firewall, switches, etc.). Having them in a key-locked room, closet, or enclosure is recommended. When I lived with roommates I kept it all in a locked wall-mount rack like this: Rack

Step 2: Edge Devices/Hardware

Your edge devices are those that connect you directly to the internet/outside world. In a home office this would be your ISP/cable modem and firewall or router. It is recommended to use a business-grade firewall and not an “off the shelf” router such as a Linksys or Netgear router. These at best use scaled-back software firewalls which provide very basic security and by default are left pretty open. The following is recommended hardware:

Modem: The supplied cable modem from your ISP is fine to use, but you want to take the following precautions:

  1. Change the default modem password. These are published and known; if not changed, your modem is vulnerable.
  2. Change the default LAN subnet. Again, this is public and known for most ISPs. Your ISP’s technical support team can help you change it. I’d suggest something off the 192.168.x.0/24 subnet, something along the lines of 10.10.x.0/24.

Firewall: Off-the-shelf routers do not provide much as far as edge security. It is STRONGLY recommended that you invest the money in a hardware firewall such as a SonicWALL TZ SOHO or TZ 300 firewall to replace your router. These provide much more in terms of edge security:

  1. multiple interfaces to separate traffic at a physical layer.
  2. stateful packet inspection, gateway security/antivirus protection
  3. strong firewall and port security, locked down by default

Stand-alone wireless access point: I recommend stand-alone access points, not those built into a router or firewall. This allows you to place the access point on a segment of your network physically separate from computers that store crypto wallets, preventing access to them from computers connected to your wifi.

Step 3 - Securing network devices

Your network devices should have all the publicly known defaults changed. All default usernames and passwords should be changed to something complex (8 or more characters, capital letters, numbers, and symbols). You should NEVER write these passwords down or attach them to the devices. Store them either in a key-locked safe or an encrypted file.

Network subnets should be changed from the defaults. Most routers/switches come subnetted at 192.168.1.0/24. This is in the hardware’s documentation and anyone with this knowledge would potentially be able to access your gateway/edge devices and attempt to log in. I’d suggest changing it to something very different, such as 10.10.100.0/24 or 10.10.254.0/24.

Step 4 - Patching your network hardware

Best practices don’t help much if you don’t apply the newest firmware updates to your network devices. Not doing so may leave known security holes unpatched, allowing access to your firewall, switch, or router.

Always check monthly for new firmware. Export your device’s settings BEFORE applying the new firmware, then apply the firmware. I cannot stress this step enough. Linksys STILL has unpatched routers being hacked every day.

Step 5 - Network Topology

Your network should be configured in a logical way to maximize security. You should have 3 different subnets:

  1. your main data subnet for all your computers with normal internet traffic
  2. your wireless subnet for all your devices that connect wirelessly
  3. a high-security subnet, for devices that no other LANs/computers can access

These 3 subnets can be achieved by using the interfaces on the firewall:
X0 - default LAN (all computers). Your network switch should connect to this interface.
X2 - your wireless LAN. Your wireless access point should connect to this interface.
X3 - your security LAN. Only your computer with your crypto wallets should connect to this interface.

A firewall rule should be created so that there is no trust between X3 and any other interface.

NOTE: if you don’t have a firewall with multiple interfaces (like a TZ SOHO or TZ300) there are other ways to separate traffic which I can address later in this thread.

Step 6 - Wireless Security

Your wireless access point is the most common point of unwanted entry since it’s physically accessible anywhere your wifi signal reaches. The following at a minimum should be set:

  1. do NOT broadcast your SSID
  2. set your wifi security to WPA2/PSK
  3. set a complex passphrase (12+ characters, capital letters, symbols)
  4. change the wifi password monthly
  5. turn off remote management
  6. give your access point a static IP address
  7. use MAC access list to make sure only your devices can connect. restrict access to any device not in your MAC list

Step 7 - Computer accounts

All your computers should have unique logins for users. Computers should never auto-login and should always be password protected:

  1. create an admin account on all machines, with a complex password
  2. set the password to expire every 9- days
  3. disable guest accounts
  4. set the screen lockout to 10 minutes
  5. require the password be entered after returning from lockout
  6. set a policy so non-admin users cannot use USB media

Step 8 - Software protection

The use of antivirus is key, but web filtering at the DNS level is even more important. Your computers should all be protected at a minimum with:

  1. up-to-date anti-virus software (I recommend Webroot)
  2. you should check for virus definitions/updates weekly and apply them or set to auto-apply
  3. point the DNS forwarders/set your DNS servers on your router or firewall to point to Umbrella OpenDNS servers: https://use.opendns.com/

These are free to use and help protect you from ransomware/malware at a DNS level.

Step 9 - Monitoring

You need to constantly monitor your networks. Check your DHCP leases on your firewall for unknown machines. Check your access point for unknown connected devices. Do an IP scan for unknown devices. Check the warnings/alerts in your firewall/router/WAP logs.

It is very critical to keep an eye on your network. If you had people lingering in your yard or near your back yard you would want to keep an eye on them. Same goes for your network!

Step 10 - Backups!

Backup and disaster recovery is part of network security. Losing your data to a disaster is just as bad or worse than being hacked. I recommend a local + cloud-based backup solution such as Carbonite, Intronis, Acronis, CrashPlan, or Mozy Pro.

Do both an hourly file backup and a daily image backup to the cloud. If anything happens to your drives or hardware you can then restore.

Step 11 - Encryption and endpoint security

A computer account password is great, but if your computer is lost or stolen it is not of much use, as Windows passwords are easily cracked with a CD or USB utility. Your hard drive can also be removed and accessed via another machine. To prevent this you can do 2 things:

  1. set a BIOS password. Unlike Windows, BIOS passwords are tough to crack/hack.
  2. change your BIOS password every 9- days
  3. encrypt your hard drive (I’d recommend BitLocker, which is free with Windows 10). If the drive is encrypted it can’t be accessed physically from another machine.

Step 12 - MFA/2FA

All your online accounts should use multifactor authentication. Google or RSA tokens can be used with most crypto sites. Enable this and use it! Also NEVER save your passwords into your browser and always log off on public machines… or better yet, never check your accounts on public machines!

Step 13 - Securing your crypto wallets

Unless it’s short term for trading, always keep your cryptocurrency in an offline/paper or hardware wallet. The following are critical ways to secure your offline wallets:

  1. Restrict the wallet software to only being run by certain users (your user account only). In Windows 10 this is pretty easy to set up: https://www.howtogeek.com/howto/8739/restrict-users-to-run-only-specified-programs-in-windows-7/

  2. Print out your private keys/restore passphrases. store them in a locked fireproof/waterproof safe as well as in a safety deposit box. this is NOT overkill. if your safe is lost or your house explodes you still have the safety deposit box backup. you ALWAYS want redundancy!

  3. Take a screenshot of all your private keys. Convert that screenshot to a PDF. Encrypt that .PDF file. Add the PDF files to a password-protected zip file. Store that in a password-protected folder on your computer. Make sure that folder is backed up on your cloud backups. Make sure those cloud backups are encrypted (Intronis, Acronis, and CrashPlan are by default).

  4. close all wallets and log off your computer while not in use. shut the computer down or lock the screen out.

Please let me know if I missed anything or if you have specific questions on any of these steps or how to set it up… I can also provide info on even more advanced security… this is just basic/best practice for a home office with some borrowed protocol from compliance standards.
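As an added example (not part of the original post), the following Python script automates the Step 9 DHCP lease check against the Step 5 layout: it parses a lease export, flags MAC addresses that are not in a known-device inventory, and flags a known device whose lease sits in a subnet other than the one it belongs to (for instance a wifi device appearing on the wallet LAN). The subnets, MAC addresses, hostnames and the lease line format are all constructed for the example; a real firewall exports leases in its own format, so `parse_leases()` would need adapting.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumed addressing for the three subnets in Step 5 (interface -> subnet).
ZONES = {
    "X0-lan": ipaddress.ip_network("10.10.100.0/24"),
    "X2-wifi": ipaddress.ip_network("10.10.200.0/24"),
    "X3-secure": ipaddress.ip_network("10.10.254.0/24"),
}

# Constructed inventory: MAC -> (friendly name, the only zone it should appear in).
KNOWN_DEVICES: Dict[str, Tuple[str, str]] = {
    "aa:bb:cc:00:00:01": ("desktop-main", "X0-lan"),
    "aa:bb:cc:00:00:02": ("phone", "X2-wifi"),
    "aa:bb:cc:00:00:03": ("wallet-pc", "X3-secure"),
}

# Constructed lease export in the form "<ip> <mac> <hostname>"; a real firewall
# exports a vendor-specific table, so adapt parse_leases() to that format.
SAMPLE_LEASES = """\
# ip            mac                hostname
10.10.100.21    AA-BB-CC-00-00-01  desktop-main
10.10.200.15    aa:bb:cc:00:00:02  phone
10.10.254.10    aa:bb:cc:00:00:03  wallet-pc
10.10.200.33    de:ad:be:ef:00:99  android-7f3a
10.10.254.11    aa:bb:cc:00:00:02  phone
"""


@dataclass(frozen=True)
class Finding:
    ip: str
    mac: str
    hostname: str
    reason: str


def normalize_mac(mac: str) -> str:
    """Lower-case, colon-separated form so 'AA-BB-..' and 'aa:bb:..' compare equal."""
    return mac.strip().lower().replace("-", ":")


def zone_for(ip: str) -> Optional[str]:
    """Name of the zone whose subnet contains ip, or None if it matches none."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def parse_leases(text: str) -> List[Tuple[str, str, str]]:
    """Return (ip, mac, hostname) tuples, skipping blank and comment lines."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        hostname = parts[2] if len(parts) > 2 else ""
        rows.append((parts[0], normalize_mac(parts[1]), hostname))
    return rows


def audit_leases(text: str, known=KNOWN_DEVICES) -> List[Finding]:
    """Flag leases for MACs not in the inventory, and known MACs seen outside
    their home subnet (e.g. a wifi device showing up on the wallet LAN)."""
    findings = []
    for ip, mac, hostname in parse_leases(text):
        zone = zone_for(ip) or "unmapped subnet"
        if mac not in known:
            findings.append(Finding(ip, mac, hostname, f"unknown device in {zone}"))
            continue
        name, home_zone = known[mac]
        if zone != home_zone:
            findings.append(Finding(ip, mac, hostname,
                                    f"{name} belongs in {home_zone} but was seen in {zone}"))
    return findings


if __name__ == "__main__":
    for f in audit_leases(SAMPLE_LEASES):
        print(f"{f.ip:<15} {f.mac}  {f.hostname:<14} {f.reason}")
```

Run it against the sample and it reports the unknown Android device on the wifi subnet and the phone's MAC leasing an address on the wallet LAN; a clean run returns an empty list. Keeping the inventory keyed by MAC rather than hostname matters because any client can pick its own hostname, while the MAC at least has to match what the access point and switch saw (post #4's point that MACs can be spoofed still applies, which is why this is a monitoring check and not an access control).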


#2

this looks good thanks for putting it together


#3

A bit overkill. The side effect of that is you end up by writing your password on a post-it…

Also, no mention of password manager like KeePass ? :thinking:


#4

Great writeup. I have a few points though.
Step6)

  1. This is worse than broadcasting the SSID. Your devices will send out broadcasts looking for the SSID when you are away.
  2. I don’t think this is necessary since breaking a 20 character CCMP passphrase will take (96^20)/2 tries.
  3. MAC filters are useless because you can just spoof the MAC address of a legit device.

Step11)

  1. Might be useful for a notebook. On a PC you just take out the BIOS battery and it will reset.

#6

typo… should be 90 days not 9-


#7

Agreed on the 9 days. Stuff looks good tho.


#8

I’m not a fan of password managers. I dont like the idea of having the keys to everything all in one place, even if it is highly encrypted.

some people might say “what if you keep forgetting your password”?

There is nothing more secure than forgetting your password. It requires you to frequently change/reset it, which typically goes through a multi-factor authentication process.


#9

Not true. Depending on what the multi-factor auth is you have to go through, and how your e-mail is stored or provided.
How tin hat you want me to take this? I can call out a few attack vectors on this.

on person I am fine with them. I have issues with the files being stored on a shared computer like dropbox or lastpass.


#10

Looking at setting one of these up this winter. I have never set up a firewall like this with separate zones so I’ve got a couple of questions.

First I see they have x0/1/2/3/4 From your description above it sounds like if I put my computers on X1 and wireless on X2 they will not be able to talk to each other. Is this the case as I have a wireless printer.

Secondly never setup a separate access point. Do you have any you recommend? This one came up on Amazon when looking for the firewalls.


#11

Awesome article. I will have to implement some of these.


#12
  1. X0 through X4 are interfaces. By default there is a trust between all interfaces. You can change it so that interfaces cannot access one another. You can also allow just 1 IP from one interface/LAN to access the other. It is highly flexible in that manner.
  2. Yes, the Ubiquiti UniFi AC Pro is what I’d recommend.
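As an added example (not code from the original posts or from any firewall vendor), here is a small Python model of the zone policy described in post #12 together with the Step 5 topology: interfaces trust each other by default, X3 is isolated in both directions, and a single-IP exception lets the wired LAN reach only the wireless printer asked about in #10. The subnets, addresses and rule format are assumptions, not a vendor configuration syntax; the point it shows is that first-match ordering decides whether a flow is allowed, and that a catch-all allow placed above the deny rules silently shadows them.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed addressing for the three LANs in Step 5 (interface -> subnet).
ZONES = {
    "X0": ipaddress.ip_network("10.10.100.0/24"),   # default LAN, wired computers
    "X2": ipaddress.ip_network("10.10.200.0/24"),   # wireless LAN
    "X3": ipaddress.ip_network("10.10.254.0/24"),   # high-security LAN, wallet PC only
}


@dataclass(frozen=True)
class Rule:
    src_zone: str                    # interface name, or "*" for any
    dst_zone: str
    action: str                      # "allow" or "deny"
    dst_host: Optional[str] = None   # restrict the rule to one destination IP


# Evaluated top to bottom, first match wins. Hypothetical policy, not vendor syntax.
POLICY: List[Rule] = [
    Rule("X0", "X2", "allow", dst_host="10.10.200.50"),  # wired LAN may reach only the wireless printer
    Rule("X0", "X2", "deny"),
    Rule("X2", "X0", "deny"),                            # wireless clients never initiate into the wired LAN
    Rule("*",  "X3", "deny"),                            # nothing reaches the wallet LAN ...
    Rule("X3", "*",  "deny"),                            # ... and the wallet LAN reaches nothing
    Rule("*",  "*",  "allow"),                           # vendor default: all interfaces trust each other
]


def zone_of(ip: str) -> Optional[str]:
    """Interface whose subnet contains ip, or None for an unmapped address."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def matches(rule: Rule, src_zone: str, dst_zone: str, dst_ip: str) -> bool:
    if rule.src_zone not in ("*", src_zone):
        return False
    if rule.dst_zone not in ("*", dst_zone):
        return False
    if rule.dst_host is not None and rule.dst_host != dst_ip:
        return False
    return True


def evaluate(src_ip: str, dst_ip: str, policy: List[Rule] = POLICY) -> Tuple[str, Optional[int]]:
    """Return (action, index of the matching rule). Traffic inside one segment
    never crosses the firewall, so it is reported as allowed with no rule index."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    if src_zone is None or dst_zone is None:
        return ("deny", None)          # unmapped address: not routable here
    if src_zone == dst_zone:
        return ("allow", None)
    for i, rule in enumerate(policy):
        if matches(rule, src_zone, dst_zone, dst_ip):
            return (rule.action, i)
    return ("deny", None)              # no catch-all matched: implicit deny


def shadowed_rules(policy: List[Rule] = POLICY) -> List[int]:
    """Indexes of rules that can never match because an earlier, at least as
    broad rule always matches first (e.g. a catch-all allow above the denies)."""
    out = []
    for i, later in enumerate(policy):
        for earlier in policy[:i]:
            broader = (earlier.src_zone in ("*", later.src_zone)
                       and earlier.dst_zone in ("*", later.dst_zone)
                       and earlier.dst_host in (None, later.dst_host))
            if broader:
                out.append(i)
                break
    return out


if __name__ == "__main__":
    flows = [("10.10.100.21", "10.10.200.50"),   # desktop -> wireless printer
             ("10.10.100.21", "10.10.200.15"),   # desktop -> some phone on wifi
             ("10.10.200.15", "10.10.254.10"),   # phone -> wallet PC
             ("10.10.254.10", "10.10.100.21")]   # wallet PC -> desktop
    for src, dst in flows:
        print(src, "->", dst, evaluate(src, dst))
    print("shadowed rules:", shadowed_rules())
```

The wired desktop reaches the printer through rule 0 and nothing else on wifi, every flow to or from X3 is denied, and `shadowed_rules()` on this policy is empty. Swap the catch-all allow to the top of the list and the same function reports every rule below it as dead, which is exactly the misconfiguration that leaves the wallet LAN reachable while the rules still look correct on screen.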

#13

Thank you for the response. Will let you know how it goes. My adventures into crypto have led me down a path of viewing security differently and in more detail, so this is going to be a wonderful learning experience.


#14

I’m screwed:( Thought it was hard enough learning Crypto, Now I gotta learn this stuff
:stuck_out_tongue:


#15

It’s worth taking the time to learn it!


#16

Holy shit. I have work to do. I was going to switch my laptop from Windows 7 to Linux Mint. Linux will be new to me. I’m going to be busy figuring everything out.


#17

Yes this is work we all need to do. Posting again here to bump this. Not sure if we can or not but can we make this a sticky at the top of the security thread as it is starting to get buried.


#18

Thank you! This is something that I don’t know much about and honestly, it intimidates me. I appreciate the step by step instructions, it’s a really big help!


#19

Lots of really valuable information here. Thank you!
I feel like my coins are pretty secure but after an acquaintance had their Blockchain.info wallet raided I’m just after a quick picking of brains…

My coins are on hardware wallets, and while I have some on exchanges, ready for trading, it’s not significant amounts.
I live in the middle of nowhere. Nearest neighbour 2km away. No mobile phone reception, no 3G.
My access to exchanges is through a MacBook Pro and only from my home connection. Usually through a vpn.
How much should I worry about phishing sites? What are my possible blind spots?

Thanks gang!


#20

I had to take a “protect your data” class for a client quite a few years ago and he said this exact same thing.