• Aceticon@lemmy.dbzer0.com
    16 hours ago

    You should have pretty much everything on your router disabled for access from machines on the external network side of the router.

    The typical example is the web admin interface, which should never be enabled for access from outside, only for access from machines on your internal network. The same applies to all other sorts of control interface, be they human interfaces or machine interfaces.

    For any machines reaching it from the outside network interface the router should look the same as the most basic, dumbest router there is with no way to configure or control it.

    So, yeah, enabling UPnP for external use is asking to be hacked, probably worse even than enabling the web admin interface for external access since the latter usually has username:password authentication, which although pretty crap (most people don’t even know it’s there and leave it at default and when not it often has character limitations that make it guessable or possible to brute force) it’s still way better than NO AUTHENTICATION WHATSOEVER which is what UPnP has.
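
One way to check the point made in the comment above, as an added example that is not part of the original post: a Python audit of a router's listening sockets that flags anything bound to an address reachable from the WAN side. It assumes shell access to the router and `ss -tuln` output; the sample output, the LAN range and the port labels are constructed for illustration.

```python
import ipaddress

# Well-known ports for the kinds of control interface the comment mentions.
LABELS = {("tcp", 80): "web admin (HTTP)", ("tcp", 443): "web admin (HTTPS)",
          ("udp", 1900): "UPnP discovery (SSDP)",
          ("tcp", 22): "SSH", ("tcp", 23): "Telnet"}

def wan_reachable(addr, lan_net):
    """True if a socket bound to addr is not confined to loopback or the LAN."""
    addr = addr.split("%")[0].strip("[]")   # drop "%iface" suffix and IPv6 brackets
    if addr == "*":
        return True
    ip = ipaddress.ip_address(addr)
    if ip.is_unspecified:                   # 0.0.0.0 or :: means every interface
        return True
    if ip.is_loopback or ip.is_link_local:
        return False
    return ip not in lan_net

def audit_listeners(ss_output, lan_cidr):
    """Return (proto, port, bind address, label) for each WAN-facing listener."""
    lan_net = ipaddress.ip_network(lan_cidr)
    findings = []
    for line in ss_output.strip().splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("tcp", "udp"):
            continue                        # header or unrelated line
        addr, _, port = fields[4].rpartition(":")
        if wan_reachable(addr, lan_net):
            label = LABELS.get((fields[0], int(port)), "unlabelled service")
            findings.append((fields[0], int(port), addr, label))
    return findings

# Constructed sample of `ss -tuln` output from a hypothetical router.
SAMPLE = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp   LISTEN 0      128    192.168.1.1:80     0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:443        0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:1900       0.0.0.0:*
tcp   LISTEN 0      128    127.0.0.1:53       0.0.0.0:*
tcp   LISTEN 0      128    [::]:22            [::]:*
"""

if __name__ == "__main__":
    for proto, port, addr, label in audit_listeners(SAMPLE, "192.168.1.0/24"):
        print(f"{proto}/{port} bound to {addr}: {label}")
```

A wildcard bind is only a candidate for exposure: whether it is actually reachable from outside still depends on the router's firewall rules for the WAN interface.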

    • BCsven@lemmy.ca
      13 hours ago

      Our ISP ships new routers that are admined from the cloud via a phone app. It’s a disaster waiting to happen, so I told them I’m keeping my old outdated modem as a bridge and bought my own router.