are these router settings safe?

That doesn't answer any of the questions that I asked in the previous section in response to your post. Could you try and answer them for me and clear everything up? Thanks, I appreciate it.

Did you read the "tutorials"? They are on hacking wireless networks. They give it step by step, in linux and on windows. I did post one link though on how to get up and running for security, which posted all the pertinent methods of securing

If you properly implement WPA/WPA2 with strong passphrases, everything else is useless because it has already been broken, and can quickly be broken at that. So yes, you are correct.

Cheers,

Alphalutra1

 

ALpha,
You're quoting the wrong people. I didn't say those things.

 

. This is obvious. I see nothing to explain here

Since I have 3 comps, and they're always on, all the IPs are used up. No one else can connect.

This is also obvious. If they cant find you, they can't steal from you. If they really wanna find you...well...you did what you could.

 

Hi, iceni60

You will get lots of information given to you about safe wireless security with the best of intension's but most will urban legen and myths.

Alphalutra1, I know gives very good advice i have found, and does try to break these old myths.

Here are Six of of those myths

Take Care,
TheQuest

 

Yup I am a myth breaker.

Okay, for the run down of all the things I asked questions on. For the MAC address filtering, every MAC address of your computer is transmited in the air without encryption, despite whatever setting you have on your router. Therefore, all you need to to look at packets for about a second, then it will be transmitted and you can get the MAC address.

For the limiting the DHCP for three IP addresses, that only limits the number of addresses the router hands out for DHCP (opposite of static IPs). Therefore, all a person needs to do to connect is to assign themselves a static IP and they are ready to get in. The hassle with the limiting is that sometimes the router messes up and assigns different IPs to your computer while not keeping track that one has already been given out, creating a situation where you can't accses the internet.

For disabling the SSID broadcast, it only disables one or two of the several beacons your access point has to send out in order for clients to work. You can't make your network invisible, packets are being continually sent and so are different beacons besides the SSID broadcast, and most good tools for connecting to wireless networks automatically detect the other ones.

Hopefully that clears up some confusion. I was asking the questions to try and get you guys to think about what you said and how it would really increase security. To remain secure, at this present day, only WPA/WPA2 with a random and long passphrase is needed, all of the other technologies have already been broken. Also, if you have OpenBSD for your router, authpf + openvpn are cool (actually, the thing I like about authpf is that I can leave my network so that it seems unencrypted, so people keep on trying to connect , then I just add openvpn or ipsec encryption to all my communications and it is good to go. I like it a lot actually)

Cheers,

Alphalutra1

 

thanks for the help.

the only thing i'm not sure about is how important the router password is. to get to the login box you have to be on the network and that's secured by the PSK. is that correct? so if i'm using WPA-PSK then i can use a weak router password if i want?

 

A weak password is a bad idea. You want to use a combination of upper and lower case characters and numbers as well. it should not be a common acronym and of course it should not be found in the dictionary. Minimum number of characters to use? I don't know. You will get all kinds of opinions on that. Mine is 14. Check for a limited "user" login and secure it as well.

As for Alpha and his methodology of challenging statements, no one should get too upset about it. After some consideration, I have to admit they are not attacks, even though initially I thought he was being beligerent and clearly he knows what he is talking about. In the end I feel I have learned something about securing routers (overkill is not required) and iceni60's question was answered.

 

thanks, so there's no way of stopping people getting on your wireless network and trying to login to the router?

i can't find a limited account in my router where is it.

 

As long as no one can crack the passkey, they can not get into your wireless network, so no worries there. As Alphalutra aluded to, there are tools where wardrivers can find the beacon and decipher some info such as the MAC address, but as long as they can't crack a lengthy and complex passkey, you will be alright. The passkey is well encrypted using WPA or WPA2 so it will not appear as plain text.

I am not familiar with Netgear, but maybe there isn't one afterall. Unless someone else knows and can help, I would just carefully go through all the menus in the router's web-based interface and even check the documentation to be certain.

 

thanks, so that has nothing to do with ESSID filtering? i would have thought it was ESSID that kept people off the network

my friends don't really like me using their computers so i haven't used stuff like kismet more then a few times. but, i suppose i can run all the tools i want now so i can work it out.

 

ESSID stands for "Extended Service Set ID", and is a specific type of SSID (name of your access point). It is called ESSID for wireless access points (what you have), while for ad-hoc (directly computer to computer) it is called BSSID (Basic Service Set ID). There really is no ESSID filtering, unless you are talking about changing your preferences to connected networks? It is quite easy to find the ESSID since you need to broadcast it in some way shape or form in order to actually enable other computers to connect to it.

Without the encryption key, the router will not allow you to connect since it will not send packets back and forth to a location that does not have the proper key to encrypt all communications. Thus, it effectively stops anyone from connecting without your authorization (you giving them the key).

As for having a strong password for administration of the router, that may come down to how much trust you have in the people on the network (ie kids who you don't want forwarding ports), or trust in how well secured your networked access to the network is. I would just add a strong password for administration regardless, since that could save you if someone somehow manages to access your network from having stuff that messed up.

Cheers,

Alphalutra1

 

OK, thanks for the help. i got some books about wireless security now, i even got one about wireless networking that uses the same router i have throughout the whole book

i still don't know how to connect to an unsecured network though i uninstalled all the network GUI apps when i was setting up the router/laptop because they were interfering with the connection, so i'm only using the CLI now. so, if i see an unsecured network with iwlist scan what's the command to connect to it? is it another of the iw* commands?, or do you have to manually add it to the /etc/network/interfaces file i don't know how it works!

 

I am currently using WPA, but haven't in the past so if someone had my MAC address I suppose it wouldn't matter with WPA enabled, right? Also can having MAC Address Filtering enabled slow down wireless speed or connectivity in any way? My neighbors signal seems stronger than mine. They have 5 bars I have 4 and sometimes my speed drops from 54bps or whatever it is to 36. This just may be the nature of wireless though I suppose. I usually am on Channel 11, but sometimes swithching to 6 or 1 makes a difference for awhile. Thanks.