• BCsven@lemmy.ca
    22 hours ago

    Never turn on UPnP for external use, it's a way to let hackers manipulate your network. It should never have existed as an option.

    • Aceticon@lemmy.dbzer0.com
      21 hours ago

      You should have pretty much everything on your router disabled for access from machines on the external network side of the router.

      The typical example is the web admin interface, which should never be enabled for access from outside, only for access from machines on your internal network. The same applies to all other sorts of control interface, be they human interfaces or machine interfaces.

      For any machines reaching it from the outside network interface the router should look the same as the most basic, dumbest router there is with no way to configure or control it.

      So, yeah, enabling UPnP for external use is asking to be hacked, probably worse even than enabling the web admin interface for external access since the latter usually has username:password authentication, which although pretty crap (most people don’t even know it’s there and leave it at default and when not it often has character limitations that make it guessable or possible to brute force) it’s still way better than NO AUTHENTICATION WHATSOEVER which is what UPnP has.
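
Added example, not part of the thread: one way to audit the point made in the comment above on a Linux-based router, by reading its listening sockets and flagging any bound to the WAN address or to a wildcard. The `ss -tuln` sample, the LAN/WAN addresses and the port table are constructed assumptions.

```python
import ipaddress

# Constructed sample: `ss -tuln` output from a hypothetical Linux-based router.
# Assumed addresses: LAN 192.168.1.1, WAN 203.0.113.7 (documentation range).
SAMPLE_SS = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
udp   UNCONN 0      0      0.0.0.0:1900        0.0.0.0:*
udp   UNCONN 0      0      192.168.1.1:53      0.0.0.0:*
tcp   LISTEN 0      128    192.168.1.1:80      0.0.0.0:*
tcp   LISTEN 0      128    203.0.113.7:443     0.0.0.0:*
tcp   LISTEN 0      128    127.0.0.1:5000      0.0.0.0:*
tcp   LISTEN 0      128    [::]:22             [::]:*
"""

# Control interfaces named in the thread, plus SSH as a common one (assumption).
CONTROL_PORTS = {("udp", 1900): "UPnP/SSDP (no authentication)",
                 ("tcp", 80): "web admin (HTTP)",
                 ("tcp", 443): "web admin (HTTPS)",
                 ("tcp", 22): "SSH"}

def wan_reachable_listeners(ss_output, wan_ip):
    """Return (proto, address, port, label) for sockets bound to the WAN
    address or to a wildcard. A wildcard bind is only a candidate: the
    firewall may still drop it, so confirm against the WAN-side rules."""
    wan = ipaddress.ip_address(wan_ip)
    findings = []
    for line in ss_output.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) < 5:
            continue
        proto, local = fields[0], fields[4]
        host, _, port = local.rpartition(":")        # also splits [::]:22
        host = host.strip("[]")
        if host in ("*", "0.0.0.0", "::"):
            exposed = True
        else:
            try:
                exposed = ipaddress.ip_address(host.split("%")[0]) == wan
            except ValueError:
                continue
        if exposed and port.isdigit():
            label = CONTROL_PORTS.get((proto, int(port)), "other service")
            findings.append((proto, host, int(port), label))
    return findings

if __name__ == "__main__":
    for f in wan_reachable_listeners(SAMPLE_SS, "203.0.113.7"):
        print("%s %s:%d -> %s" % f)
```

On the sample it flags the wildcard SSDP listener, the web admin bound to the WAN address and the wildcard SSH listener, and leaves the LAN-only and loopback sockets alone.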

      • BCsven@lemmy.ca
        18 hours ago

        Our ISP ships new routers that are admined from the cloud via a phone app. It’s a disaster waiting to happen, so I told them I’m keeping my old outdated modem as a bridge and bought my own router.

        • Aceticon@lemmy.dbzer0.com
          21 minutes ago

          Yeah, I do the same thing.

          Curiously, the installer of my ISP - which is one of the smaller ISPs around here - says it’s very common for their clients to just want the ISP’s box to do bridging (or even just act as a Fiber-modem) and use their own router behind it.

          Guess the techies tend to flock to the more obscure ISPs that pretty much just provide “data pipe to the Internet” rather than use the big ISPs which tend to do stuff like push their own TV Boxes and even bundles of Home Internet + TV + Mobile.

          I am very happy with this ISP - cheap, fast, reliable, no bullshit.