Printable View
ive been operating on a wifi connection fer about a year or more, and ive been noticingit seems to be a lil more simpler fer"attackers" to get in... mite i get a few suggestions on how to make my system a lil more secute, how to lock it down with out lockin it up totaly?
snax,
Basic things to help secure WAP are:
Turn off your SSID broadcast - This will help, but only a little bit, it does not keep someone from getting your SSID only keeps your WAP from advertising it.
Turn on encryption - Turn on the highest level of encryption your WAP and NIC can negotiate. Wep is surely available, though not the best choice WPA is better. If you can, configure your WAP so that it is accessable only via VPN.
Turn on Mac filtering - Your Wap should alow you to specify those MAC addresses that are allowed to connect.
For more advise you should post the type, model, etc.. of your WAP and Nic that you are using so folks get an idea of what hardware to consider in their responses. If the folks here know what devices you ae dealing with they will be able to be more specific in their responses and you will be happier in the end.
As well as the points mentioned above:
1. Move your AP in to the centre of your house if you can (away from any windows etc)
2. If it has two antenna's disable one, providing if the signal is still strong enough for you
3. If you a really worried about it, unplug it when you are not using it
4. Regualry check your logs
5. Set it to only issue out 1 or 2 IP addresses (or as many IP addresses as you have wireless clients) usually they will issue out 254 IP addresses.....if you only have two computers, you only need 2 IP addresses.....
6. You could even turn of DHCP altogether and assign yourself a static IP, so the attacker will not know your subnet and will have to guess at an IP before he can associate with it
7. If the AP allows it change the subnet to a non default one, i.e 192.168.32.0/24 etc
8. There are programs you can run from your laptop that will alert you when ever someone connects to your AP, but I can't think of one of the top of my help but I am sure someone here will know of one, or search around for one.
9. Disable remote administration (so people on the internet can not connect to the admin page of it
10. Disable wireless administration, so you have to physically be wired in to the AP to get to the admin page
11. If the AP allows it you can disable communication between wireless clients associated with that AP.
Each one one their own will not do much to secure it but the more of them you implement, the more secure you make it.
IMHO I would say the best single security measure you can take it to limit the ammount of IP addresses available, if you only have 1 wireless client, you only need 1 IP address, so set it to only ever issue out the 1 IP. If your connection suddenly starts dropping you are probably subject to some sort of deauth attack and know someone is trying to access your AP.
//It goes without saying use WPA/WPA2 and not WEP.
You should also assume from the beginning that your wireless is compromised. Use local security policies accordingly.Quote:
Originally posted here by Nokia
As well as the points mentioned above:
1. Move your AP in to the centre of your house if you can (away from any windows etc)
I believe that some routers have the ability to adjust signal strength. Might be worth looking into.
2. If it has two antenna's disable one, providing if the signal is still strong enough for you
3. If you a really worried about it, unplug it when you are not using it
This will not make it more secure, it merely cause extra hassle for the user.
4. Regualry check your logs
5. Set it to only issue out 1 or 2 IP addresses (or as many IP addresses as you have wireless clients) usually they will issue out 254 IP addresses.....if you only have two computers, you only need 2 IP addresses.....
MAC Filtering. Only allow certain clients to connect.
6. You could even turn of DHCP altogether and assign yourself a static IP, so the attacker will not know your subnet and will have to guess at an IP before he can associate with it
This accomplishes nothing as any packet sniffer will give you the subnet/IPs
7. If the AP allows it change the subnet to a non default one, i.e 192.168.32.0/24 etc
Again, security through obscurity. You should know better.
8. There are programs you can run from your laptop that will alert you when ever someone connects to your AP, but I can't think of one of the top of my help but I am sure someone here will know of one, or search around for one.
9. Disable remote administration (so people on the internet can not connect to the admin page of it
Also disable wireless administration, I am not sure if you were referring to this as well. Ideally, only an SSL connection from a wired host should be able to administer the router.
10. Disable wireless administration, so you have to physically be wired in to the AP to get to the admin page
Nevermind...
11. If the AP allows it you can disable communication between wireless clients associated with that AP.
This may be severely counter-productive.
Each one one their own will not do much to secure it but the more of them you implement, the more secure you make it.
IMHO I would say the best single security measure you can take it to limit the ammount of IP addresses available, if you only have 1 wireless client, you only need 1 IP address, so set it to only ever issue out the 1 IP. If your connection suddenly starts dropping you are probably subject to some sort of deauth attack and know someone is trying to access your AP.
An IDS on the wireless portion is good.
[/B]
Quote:
Originally posted by Synful
MAC Filtering. Only allow certain clients to connect.
Quote:
http://blogs.zdnet.com/Ou/index.php?p=43
Wireless LAN security hall of shame
MAC filtering: This is like handing a security guard a pad of paper with a list of names. Then when someone comes up to the door and wants entry, the security guard looks at the person’s name tag and compares it to his list of names and determines whether to open the door or not. Do you see a problem here? All someone needs to do is watch an authorized person go in and forge a name tag with that person’s name. The comparison to a wireless LAN here is that the name tag is the MAC address. The MAC address is just a 12 digit long HEX number that can be viewed in clear text with a sniffer. A sniffer to a hacker is like a hammer to a carpenter except the sniffer is free. Once the MAC address is seen in the clear, it takes about 10 seconds to cut-paste a legitimate MAC address in to the wireless Ethernet adapter settings and the whole scheme is defeated. MAC filtering is absolutely worthless since it is one of the easiest schemes to attack. The shocking thing is that so many large organizations still waste the time to implement these things. The bottom line is, MAC filtering takes the most effort to manage with zero ROI (return on investment) in terms of security gain.
Touché.
I don't know why I keep suggesting that.
I'm familiar with the thread, and the technical aspects of it.Quote:
For some reason, there are a few things that are just permanantly stuck in my head as being good ideas. Even when experience and logic says otherwise. That may explain why my life has gone the way it has... Meh.
Because Mr Doppy/Synja you evidently don't understand wireless security very well.Quote:
I don't know why I keep suggesting that.
I'm going to go ahead and use my Vicodin, Alcohol, and weird antibiotic excuse....
Not to mention my lack of sleep.
Anyone got a place I can crash tonight?