PCWorld Forums: How To Lock Down Your Wireless Network - PCWorld Forums

Post your comments for How To Lock Down Your Wireless Network here

Finally, an intelligent article on wi-fi security. I use every one of these suggestions except blocking incoming connection requests. With Orb running, I don't really want that on.

for the majority of people out there, great advice though.

One change I would make - instead of leaving a 'guest' IP open, close off everything. A would be hacker can use that guest address just as easily as you can.

Every 90 days or sooner I re-create the "64-bit password from hell".
Also, try renaming your SSID something interesting like "DHS" or "FBI" or "LAPD". Give them an extra minute of hesitation that may make them decide it's not worth the risk. Another fun SSID is "Black Honeypot"

StevenGalindo, on 10 November 2011 - 09:50 PM, said:

Nope, all of those indicate to me that someone wants the attempt made. By using wifi cards with modifiable MAC addresses, I can safely hack just about any wifi network with little chance of anyone proving I did it. SO why not hack the wanna-be LAPD network that never moves?

I don't know about you, but it kind of weirded me out that there is no mention of any Linux distro. Even though windows and mac os x mentioned in this article .

Another good additional option just to cause headaches for a hacker is change the default IP from the standard 192.168.2.1 or 1.1 to like 202.101.203.1... Again, not real security thing here but it's the equivalent of changing your password from "password" to something a bit more original.

dk3d, on 14 November 2011 - 12:51 PM, said:

That wouldn't help in the slightest....

To find your routers IP address, just do an IPconfig /all, find the wireless adapter, the default gateway address is the router address.

Thanks this page has been of great help to me.

deokanon, on 13 November 2011 - 04:49 AM, said:

That's because it's so simple to on Linux.

These Wi-Fi Designers are in the dark ages when it comes to simplyfying design and use. They need to increase the size of that label which carries all the critical information and make it easier to access and read. How about providing users a quick tutorial or resetting your router or making initial installations easier??

Spoofing a MAC address maybe simple, but you have to first capture a viable addres to clone and gain access. IF you have the right password, you might get in. The analyzer needed to capture a WIFI signal and pick it apart to find the workable MAC address and then spoof it unto your card might be easy but that analyzer is not cheap and renting one would be problematic. I'm not saying it can't be done, but the hacker who has the skills and the equipment isn't looking to steal my ID, I'm a nobody with no job (retired).

mjd420nova, on 29 December 2012 - 08:52 AM, said:

That isn't nearly as hard as you imply. There are several wifi cards that will operate in a purely "listening" mode. Sadly, the MAC addresses are not encrypted during most transmissions, only the data. So sorry to say, that is something that takes a few seconds, and is hardly problematic.

dk3d, on 14 November 2011 - 12:51 PM, said:

This wouldn't work at all. Why? That IP is routable. Now the principle is good, but it must be set as follows:

Every common router uses something called NAT (Network Address Translation) by default, unless otherwise specified.

Google network address translation for more:



NAT addresses must be non routable over the Internet.
Google non routable ip for more:



http://en.wikipedia....Private_network


~~~~~~~~~~
All truths are easy to understand once they are discovered; the point is to discover them.
~ Galileo Galilei

To recognize losers, watch for any signs of gossip.
~ John Hayes

Those who make no mistakes, never learn.
{Old Proverb}

A point missed in this article is a simple one, yet critical IMHO.

Do not broadcast your SSID. That's what I do, in addition to MAC filtering at the Wi-Fi level, and also MAC filtering at the DHCP level (separately done via a Microsoft Active Directory Domain Controller running Windows Server 2012 @ home of course).



Nothing is 100% bullet-proof, but if someone can somehow break into my Intranet, the funny thing is he/she can't get out. Triple-LOL! (Because I'm behind 3 levels of firewalls, with distinct hardware routers, before it gets to my Intranet.)

And I consider Wi-Fi insecure to say the least.

But heck, all my mobile devices, use Wi-Fi. So I must.

~~~~~~~~~~
Excellence is never an accident.
{Old Proverb}

No man is a failure who enjoys life.
William Feather

The man who has done his level best... is a success, even though the world may write him down a failure.
~ B.C. Forbes, 1880-1954, Scottish Journalist

WinTard, on 29 December 2012 - 02:30 PM, said:

There is no need to run more than on MAC filter. In truth, once I have the MAC address for ANY one of your devices, I have everything I need. SSID doesn't need broadcast for me to see that an AP exists, open monitor will still show me that something is there, then it is simply a matter of patient monitoring. At some point, devices will re-authenticate, then I will have the SSID.

As you said, wifi is completely insecure. There is no way to stop a determined hacker. What you can do though, is use the latest security measures, and make sure you monitor your own network.

This post has been edited by waldojim: 29 December 2012 - 03:16 PM

waldojim, on 29 December 2012 - 03:14 PM, said:

Well I agree, but since the functionality is there for the taking, why not stop broadcasting your SSID. One more step for the hacker to overcome. Did you miss the part I say, even if you could break into my Wi-Fi, then what? You are in an untrusted DMZ within one of my segments. Nothing will talk to you back. You can't go to the default gateway either. And in all probability, the MAC address is already in use.

Using the ISO seven-layer model architecture, none of my other systems will even consider talking to you, therefore, you suddenly jumped into a void space. Except of course my totally non-essential mobile devices. Even the new Microsoft Windows 8 Surface Pro tablet wouldn't talk to you.

All my Windows systems would detect and notify about an attempt to usurp their MAC / IP address. And log it. Automatically. Which would raise push-alarms!

Basically, the hacker is rendered completely impotent. Castrated or neutered if you will. Yeah, he might have got in. Then what? Can't get out anywhere. Nothing will talk to it. Not even the default gateway(s) thanks to the MAC filtering and intrusion detection.

Go ahead, make my day!


PS: I'm not saying that I'm invincible. I'm merely thinking hackers are lazy. Just like me. Oh, and I must say every system runs PeerBlock with custom perm-allow + perm-deny lists. At the level above TCP/IP. No it ain't a firewall.

~~~~~~~~~~~
The Stone Age did not end because humans ran out of stones. It ended because it was time for a re-think about how we live.
~ William McDonaugh

Beauty without virtue is as a flower without perfume.
{French Proverb}

Perplexity is the beginning of knowledge.
~ Kahlil Gibran

This post has been edited by WinTard: 29 December 2012 - 04:47 PM

Actually, you made me catch the upgradeitis... Cool idea! I shall setup a honeypot just in case it happens. So I can log all failed attempts, just for fun! Ah, my next project. Thank you.

~~~~~~~~~~~
Never measure the height of a mountain, until you have reached the top. Then you will see how low it was.
~ Dag Hammarjskold

A noble ancestry cannot guarantee a noble character.
{Chinese Proverb}

Judge not the horse by his saddle.
{Chinese Proverb}

WinTard, on 29 December 2012 - 04:59 PM, said:

You are quite welcome. The problem, of course, is finding someone willing to make the attempt.