OT: unathorized network user.

John Summerfield debian at herakles.homelinux.org
Thu Jan 24 13:47:46 UTC 2008 

Jacques B. wrote:
> On Jan 23, 2008 8:55 PM, Frank Cox <theatre at sasktel.net> wrote:
>> On Thu, 24 Jan 2008 10:24:09 +0900
>> John Summerfield <debian at herakles.homelinux.org> wrote:
>>
>>> WEP's good for about two minutes these days.
>> Interesting.
>>
>> What should you do to protect access to your wireless network?
>>
>> --
>> MELVILLE THEATRE ~ Melville Sask ~ http://www.melvilletheatre.com
>>
>> --
>>
>> fedora-list mailing list
>> fedora-list at redhat.com
>> To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
>>
> 
> Use WPA, MAC filtering (only allow connections from ...), don't

As someone's already noted in this thread, MAC addresses can be forged. 
And discovered.

> broadcast SSID (and don't use a SSID that provides someone with an

Hiding the SSID is faily useless. Just download and fire up kismet and 
you'll see what I mean.

> indication of who owns the AP - more for privacy reasons), subnet mask
> to minimize the # of possible IPs on your network (use a subnet mask
> that will provide you with the required # of IPs only, with a few
> spares only if your situation requires it), monitor router logs for

I don't think that's particularly useful. I can find what IP addresses 
you're using and self-assign a suitable one. It's not hard do see what 
you're using.


> unauthorized attempts or successful connections.  You could also used
> static DHCP if your router supports it, or turn off DHCP and manually
> assign IPs to your machines.  If your wireless router supports

Does not help.

> modifying the signal strength you could do some testing to see if you
> can scale back its strength to cut down on the distance from which
> someone can connect (recognizing that people can use directional
> antennas to improve their reception even with a weaker signal strength
> from your part).

Reduced strength can help. It can also make your wireless network work 
less well for you.

Shielding can help. Do you really want the signal to cross the road to 
the neighbours, or to someone else in the same block of flats?


> 
> Ultimately you want to be less of a target than others.  The casual
> hacker will move on to a lesser challenge.  With the exception of your
> neighbour who has all the time in the world, for most hackers (using
> the term loosely) the rewards would have to outweigh the effort.
> Implementing the various layers of security I've suggested should
> avoid you from being the low hanging fruit.

Seems to me most networks around where I live are secured; if I wanted 
one I'd have to try a little harder.

Bear in mind that if an attack can be automated, you are low-hanging fruit.

There's about 1.2 million hits for this search:
http://www.google.co.uk/search?q=%22how+to%22+secure+wireless+network&ie=UTF-8&oe=UTF-8
Disregard any that recommend WEP. Anything else your router supports is 
probably okay.

So is a firewall at each important end that only allows a VPN (say 
openvpn on UDP port 1194). People can get an IP address, but they're not 
going anywhere (unless your router also manages your Internet connexion).



-- 

Cheers
John

-- spambait
1aaaaaaa at coco.merseine.nu  Z1aaaaaaa at coco.merseine.nu
-- Advice
http://webfoot.com/advice/email.top.php
http://www.catb.org/~esr/faqs/smart-questions.html
http://support.microsoft.com/kb/555375

You cannot reply off-list:-)

More information about the users mailing list