Harden Your Home Network

Practical, defensive steps you can implement in a single afternoon.

Quick note: apply these changes to devices you control. Some steps may disrupt connectivity (e.g., changing DNS, enabling firewall rules). Keep admin credentials safe and record changes for rollback.

1. Inventory & Baseline

Know what you have. List routers, APs, NAS, IoT devices, cameras, smart bulbs, and printers. Record model, firmware, and default credentials status.

  • Use a simple spreadsheet or note app.
  • Label devices physically if helpful.
  • Prioritize internet‑exposed devices for immediate attention.

2. Network Segmentation

A

Separate your IoT/guest devices from your main workstation and NAS. Options:

  • Create a Guest Wi‑Fi SSID with client isolation.
  • If your router supports VLANs, create a VLAN for IoT devices and another for trusted devices.
  • Use a secondary AP or an inexpensive managed switch if VLANs aren't available.

3. Router & Firmware

  • Change default admin passwords and use a strong, unique passphrase (or passphrase manager).
  • Disable remote admin (WAN) access unless you need it — prefer VPN for remote management.
  • Enable automatic firmware updates if available; otherwise check quarterly.
  • Consider replacing ISP‑provided routers with a privacy-forward router or using your own behind their gateway (bridge mode).

4. DNS, Filtering & Privacy

  • Use a trusted DNS resolver (Quad9, Cloudflare 1.1.1.1, or your own Pi‑hole) to block malicious domains and telemetry.
  • Set DNS at the router to enforce for all clients.
  • Consider DNS over HTTPS/TLS on client devices where supported.

5. WPA3, Strong Wi‑Fi

  • Use WPA2‑AES at minimum; enable WPA3 where supported.
  • Use a long passphrase (12+ words) for Wi‑Fi; avoid simple common passwords.
  • Disable WPS (Push‑button/pin pairing) — it's often insecure.

6. Device Hardening

  • Change default credentials on cameras, NAS, and IoT.
  • Turn off unnecessary services (UPnP, Telnet, older protocols).
  • Enable automatic updates where safe; for devices that can't update, isolate them or replace them.

7. Monitoring & Logging

  • Enable router logs and forward to a small syslog server or NAS.
  • Use a simple network scanner (e.g., Fing, Nmap) periodically to detect new devices.
  • Consider a lightweight IDS like Suricata on a dedicated VM or on pfSense for advanced users.

8. Backup & Recovery

  • Keep router config backups and export them after major changes.
  • Use encrypted backups for NAS and critical data.
  • Keep a recovery USB and maintain a short runbook for restoring network services.

9. VPN & Remote Access

  • Prefer a VPN (WireGuard/OpenVPN) into your home network rather than exposing management interfaces.
  • Use MFA where available for remote access services.

10. IoT & Physical Controls

  • Place cameras and sensors on their own segmented network.
  • Consider network-enabled smart plugs vs. cloud-only devices when privacy matters.
  • Physically secure network equipment; limit who can access the cabinet or wiring closet.

Quick Commands & Checks

# Scan local subnet
nmap -sV -O 10.10.0.0/24

# Check for open SSDP/UPnP devices
nmap --script upnp-info -p 1900 10.10.0.0/24