Securing Your Wireless Network (A Quick and Dirty HOWTO for Home 802.11b Users)
You just got a nifty new Access Point and want to surf while you sip cool drinks in the shade. I need to stoke my own ego by offering pedantic advice to unassuming newbies. We're a match made in heaven, my friend.
This is a meatier explanation of a thread I replied to in the Aximsite forums (http://www.aximsite.com/boards/showt...&threadid=4086). It is not meant to be complete and I am sure there are people who know a sh|tload more than me. If you are one of those many, please add additional info! HOWTOs only work if they are living documents!
You will need to RTFM the docs for your AP or AP/Router. I’ve got a Linky and can offer some help if you email me offline. Perhaps those folks running different stuff can volunteer as well.
Here are some things I do to lock down my network.
1: CHANGE THE DEFAULT SSID AND PASSWORD! I can't stress this enough. When I drive by your house using Netstumbler and see that your SSID is 'linksys', I'm not going to try 'admin' for the password. But the 13-year-old script kiddie cruising by on his bike sure will. I've renamed my SSID to 'Connect to My Network and Die You Unworthy Scum.' (Well, not really, but you get the idea.) If you decide to leave your AP open, consider setting your SSID to something like 'OPEN NETWORK' or 'FREENET'. (Yet another note: if you decide to open up your AP, put it in a DMZ or outside of your network firewall. Google for more info.)
2: You should also consider disabling the broadcast of your SSID. Stumblers who use cards and tools that support promiscuous mode can still find you, but it’ll help keep people away.
3: Enable WEP and use 128-bit keys if your cards and AP support it. You'll need to have the same keys on both the cards and the AP. Note that WEP is _completely_ crackable, but it takes time to do this, so you'll discourage all but the most determined crackers. If you are truly paranoid, set up a VPN. Whatever you do, don't transmit sensitive data (even with WEP enabled) to websites that don't use SSL.
4: Change your WEP keys often. It’s a pain in the ass. I know - the network I run with my neighbors has over 25 hosts so changing them all takes a while.
5: Disable DHCP or at least limit the number of DHCP leases your AP/Router doles out. If you've got 5 computers on your network, give out 5 DHCP leases. Then only 5 machines can connect. To get more hardcore (but add to your setup time), consider using static IP addresses.
6: Get up and stretch. You must be bored already reading this.
7: Filter the MAC addresses that can connect to your device. Each network card (be it Ethernet, wifi, token ring, etc.) has a unique id assigned to it called a MAC address. Many routers allow you to specify which MAC addresses can connect to them. (You can hack your MAC addy, but the hassle-to-payoff ratio for someone trying to compromise your network is high, and besides, your neighbor left his stuff hanging out wide open, so why bother with your rig…)
8: If you’re really paranoid or really geeky, think about getting (or building) specialized antennas. You can use an antenna to focus the broadcast area of your AP which will make it harder for stumblers to ‘see’ you.
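As an added example (not part of the original post), here is a small audit script that checks the client table your AP/Router shows against the MAC filter list from step 7 and the lease cap from step 5, and also flags an allowed MAC that holds two leases at once, since that is one sign someone cloned your address. The lease-table layout, the MACs and the IPs are all constructed for the example; your router's export will look different.

```python
import re

# Constructed sample of an AP/DHCP client table (expiry, MAC, IP, hostname);
# the layout and every MAC/IP here are made up, not any vendor's real format.
SAMPLE_LEASES = """\
1043200000 00:11:22:33:44:55 192.168.1.10 desktop
1043200100 00-11-22-33-44-66 192.168.1.11 laptop
1043200200 0011.2233.4477 192.168.1.12 pocketpc
1043200300 00:11:22:33:44:88 192.168.1.13 *
1043200400 00:AA:BB:CC:DD:EE 192.168.1.14 unknown-box
1043200500 00:11:22:33:44:55 192.168.1.15 desktop-2
"""

# MAC filter list from step 7 and lease cap from step 5 (constructed values).
ALLOWED = ["00:11:22:33:44:55", "00:11:22:33:44:66", "0011.2233.4477", "00:11:22:33:44:88"]
LEASE_LIMIT = 4

def normalize_mac(mac):
    """Canonicalize any separator style (aa:bb, aa-bb, aabb.ccdd) to aa:bb:cc:dd:ee:ff."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError("not a MAC address: %r" % mac)
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def audit_leases(lease_text, allowed_macs, lease_limit):
    """Return (mac, ip, hostname, reason) tuples for clients outside the allowlist,
    an allowed MAC holding two leases at once, and a lease count above the cap."""
    allow = {normalize_mac(m) for m in allowed_macs}
    first_ip = {}  # first lease seen for each allowed MAC
    findings, count = [], 0
    for line in lease_text.splitlines():
        if not line.strip():
            continue
        _expiry, mac, ip, host = line.split()[:4]
        mac = normalize_mac(mac)
        count += 1
        if mac not in allow:
            findings.append((mac, ip, host, "MAC not in allowlist"))
        elif mac in first_ip:
            findings.append((mac, ip, host, "allowed MAC already holds lease " + first_ip[mac]))
        else:
            first_ip[mac] = ip
    if count > lease_limit:
        findings.append(("*", "*", "*", "%d leases exceed limit of %d" % (count, lease_limit)))
    return findings

if __name__ == "__main__":
    for mac, ip, host, reason in audit_leases(SAMPLE_LEASES, ALLOWED, LEASE_LIMIT):
        print("%-17s %-13s %-12s %s" % (mac, ip, host, reason))
```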
Spend some time in the forums at www.netstumbler.com and in the Wiki at www.personaltelco.net; freakishly smart people hang out there and they can provide far more info on this subject.