Re: [SLUG] Is someone is snooping my wireless?
Glen Turner wrote:
> You really can go too far, and wireless security is a prime example of pointless defence in depth. All that not using an ESSID broadcast, no DHCP, MAC address filtering do is raise the time and hassle it takes to get on the network. Which means that there is (or soon will be) a script somewhere that will do all this hassle in a few seconds.

I have never understood that whole don't broadcast your ESSID thing. Security by obscurity, surely?

--
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
Re: [SLUG] Is someone is snooping my wireless?
On Tue, Jun 24, 2008, Daniel Morrison wrote:
> I have never understood that whole don't broadcast your ESSID thing. Security by obscurity, surely?

I had one place in dim memory that implemented that specifically so arbitrary devices wouldn't associate-by-passing and tie up valuable slots on their WAP. Read, too many associations, AP blows up..

Adrian

--
- Xenion - http://www.xenion.com.au/ - VPS Hosting - Commercial Squid Support -
- $25/pm entry-level VPSes w/ capped bandwidth charges available in WA -
Re: [SLUG] Is someone is snooping my wireless?
Jonathan Lange wrote:
> Recent events have reminded us that randomness is just as important in SSH key generation. I'd save my dice (and my time) for things that actually guard my data.

The entire strength of WPA2-PSK depends on the shared key being unguessable; that is, random. So the WPA2-PSK key is actually one of your "things that actually guard my data".

The thread was discussing using ineffective but very inconvenient barriers to unauthorised home WLAN use. I was simply making the point that secure configuration of WPA2-PSK is all that is required.
Re: [SLUG] Is someone is snooping my wireless?
Jonathan Lange wrote:
> Of course, the more interesting question is WHY!?!?!

Apologies, I had thought it was obvious.

Keys are often given in a hexadecimal representation. Each 4 bits is a hex digit, written using 0...9A...F. So a d16 will generate a hex digit of randomness. Two d16s will generate two hex digits, which is 2*4=8 bits, which is commonly called a byte. With a pair of d16s a 63-byte key can be generated in 63 throws, five minutes or so.

The other side of this is (1) it's very hard for computers to generate random numbers, and using a computer to generate a random key you then use on the same computer is full of security issues. (2) it's very hard for humans to generate strings of random numbers. They avoid numbers at the extremes and avoid repeated digits (a 60 byte string would have a run of 6 repeated digits about one time in five). The result is very non-random.

So you can see the attraction of a d16 dice.

Secret shared keys are very common in computing (not just WPA-PSK, but RADIUS and BGP). Having difficult-to-guess (ie, random) keys is very important and a vital assumption in their security.
Re: [SLUG] Is someone is snooping my wireless?
Glen Turner wrote:
> They avoid numbers at the extremes and avoid repeated digits (a 60 byte string would have a run of 6 repeated digits about one time in five). The result is very non-random.

Yes indeed. I've read about complaints from consumers about seemingly non-random behaviour in the shuffle function on iPods. Apple tries to explain that yes, the iPod can easily play 3 songs in a row by the same artist when in random mode. This is the nature of randomness. Usually falls on deaf ears.

cheers
rickw

--
Rick Welykochy || Praxis Services || Internet Driving Instructor

A lie can travel halfway around the world while the truth is putting on its shoes.
     -- Mark Twain
Re: [SLUG] Is someone is snooping my wireless?
I'd just like to add an anecdote on pseudo-random number generation: several years ago, a group of Canadian comp. sci. students were arrested for fraud. A casino made the charges, claiming the students 'hacked' into their computer which dealt the numbers for one of their random-draw games.

Naturally, everyone suspected that the boys had done something nefarious, since they were in the black magic arts of computing. The boys came away with several thousand dollars in winnings.

When they arrested the college kids, they sheepishly explained how they did it: the computer, which drew the random numbers, used the last few digits of the clock as the pseudo-random number. This is a standard method of picking random numbers, though it's awfully insecure. The computers were started, every day, automatically, at precisely the same moment. Due to the nature of the game, the draws were fixed in time, as well, for example, a draw would occur exactly every 15 minutes. The boys realized that the same numbers appeared at the same time of day, and simply bet on them.

I can't seem to find a link to this story, though. Is it bogus?

Cibby
20/20 Filmsight
http://moviecritic.com.au

--- On Mon, 6/23/08, Rick Welykochy [EMAIL PROTECTED] wrote:
> From: Rick Welykochy [EMAIL PROTECTED]
> Subject: Re: [SLUG] Is someone is snooping my wireless?
> To: Glen Turner [EMAIL PROTECTED]
> Cc: Jonathan Lange [EMAIL PROTECTED], slug@slug.org.au
> Received: Monday, June 23, 2008, 7:57 AM
>
> Glen Turner wrote:
>> They avoid numbers at the extremes and avoid repeated digits (a 60 byte string would have a run of 6 repeated digits about one time in five). The result is very non-random.
>
> Yes indeed. I've read about complaints from consumers about seemingly non-random behaviour in the shuffle function on iPods. Apple tries to explain that yes, the iPod can easily play 3 songs in a row by the same artist when in random mode. This is the nature of randomness. Usually falls on deaf ears.
>
> cheers
> rickw
>
> --
> Rick Welykochy || Praxis Services || Internet Driving Instructor
>
> A lie can travel halfway around the world while the truth is putting on its shoes.
>      -- Mark Twain
Re: [SLUG] Is someone is snooping my wireless?
Quoting Cibby Pulikkaseril [EMAIL PROTECTED]:
> I'd just like to add an anecdote on pseudo-random number generation: several years ago, a group of Canadian comp. sci. students were arrested for fraud.
> ...

Good story..

> I can't seem to find a link to this story, though. Is it bogus?

try sending it to mythbusters maybe they might know...

David
Re: [SLUG] Is someone is snooping my wireless?
On Mon, Jun 23, 2008 at 8:47 PM, Glen Turner [EMAIL PROTECTED] wrote:
> Jonathan Lange wrote:
>> Of course, the more interesting question is WHY!?!?!
>
> Apologies, I had thought it was obvious.

You've missed the spirit of my question, I think. I looked only at Kenneth's post and saw something that described a complex and (I think) wrong way to generate a random byte.

More broadly, generating your wireless key with a cryptographically secure RNG seems to me to be overkill for most people. Buying specialty dice for it seems plain silly.[1] Flipping a coin eight times doesn't take much longer than rolling 4d4, 2d16 or rolling 3d8 and dropping a bit, and saves you a trip to the shops.

Recent events have reminded us that randomness is just as important in SSH key generation. I'd save my dice (and my time) for things that actually guard my data.

jml

[1] The last time I went dice shopping, I didn't see any d16s for sale. They are uncommon even in the world of tabletop roleplaying.
Re: [SLUG] Is someone is snooping my wireless?
Jonathan Lange wrote:
> Recent events have reminded us that randomness is just as important in SSH key generation. I'd save my dice (and my time) for things that actually guard my data.

An old favourite is to pick a song you know well and grab the first letters of a line or two in the song. Apply a standard substitution rule to the letters and voila!

ttl8hIwwyA

This is for passphrases (usually for keys) that you have to remember and type in often.

cheers
rickw

p.s. Twinkle twinkle little bat, how I wonder where you're at!

--
Rick Welykochy || Praxis Services || Internet Driving Instructor

A lie can travel halfway around the world while the truth is putting on its shoes.
     -- Mark Twain
Re: [SLUG] Is someone is snooping my wireless?
Quoting Jonathan Lange [EMAIL PROTECTED]:
> More broadly, generating your wireless key with a cryptographically secure RNG seems to me to be overkill for most people. Buying specialty dice for it seems plain silly.[1] Flipping a coin eight times doesn't take much longer than rolling 4d4, 2d16 or rolling 3d8 and dropping a bit, and saves you a trip to the shops.

Sorry, but all this talk of dice reminded me of this:

http://xkcd.com/221/

Just about sums it up really ;-)

Craig
Re: [SLUG] Is someone is snooping my wireless?
You really can go too far, and wireless security is a prime example of pointless defence in depth. All that not using an ESSID broadcast, no DHCP, MAC address filtering do is raise the time and hassle it takes to get on the network. Which means that there is (or soon will be) a script somewhere that will do all this hassle in a few seconds.

The only thing you need to do is to configure well the single defence which can't be subverted: only offer WPA2 with CCMP (which includes AES encryption) for connecting to the access point. For a home you'd use WPA2-PSK (pre-shared key). Make that secret key random and long (more than 40 characters). But there's little security reason not to put that password on a post-it note on the access point for the convenience of visitors.

Then you can run ESSID broadcast and DHCP and your valid machines will automatically connect when they see the network. Security and convenience.

From an IP point of view, the aim is to limit the broadcasts on the wireless LAN, since 802.11 performs poorly when broadcasting. So the WLAN gets its own routed subnet. It gets DHCP responses containing the address of a Samba WINS server. Then Windows machines don't broadcast service information, but use unicast to register them with the WINS server.

[ Note that Windows machines need XP SP3 or a download for XP SP2 to run WPA2. Also the authentication is limited to pre-shared key (PSK, which is OK) or protected EAP (PEAP, which has a designed-in security issue).

Linux's Network Manager/wpa_supplicant supports WEP/WPA/WPA2 and all authentication methods which use passwords or secrets.

Note that older chipsets won't support AES and performance can suffer when the WPA2 AES encryption is done by software instead.

If you find yourself being dragged along by the Dungeons and Dragons crowd to the shops one day, then grab a pair of 16-sided dice. Each throw will give one byte of randomness for keys.]
Re: [SLUG] Is someone is snooping my wireless?
On Mon, 2008-06-23 at 12:19 +0930, Glen Turner wrote:
> If you find yourself being dragged along by the Dungeons and Dragons crowd to the shops one day, then grab a pair of 16-sided dice. Each throw will give one byte of randomness for keys.]

Should that closing bracket have been a smiley?

Surely a fair die could have only 4, 6, 8, 12 or 20 faces. I guess one solution would be to throw three dice consisting of two octahedrons and a tetrahedron and multiply the results. Is there a more elegant solution?

cheers,
Ken
Re: [SLUG] Is someone is snooping my wireless?
On Mon, Jun 23, 2008 at 3:45 PM, Kenneth Caldwell [EMAIL PROTECTED] wrote:
> Surely a fair die could have only 4, 6, 8, 12 or 20 faces. I guess one solution would be to throw three dice consisting of two octahedrons and a tetrahedron and multiply the results. Is there a more elegant solution?

You can have a fair die for any even number. Lots of roleplaying games use ten-sided dice, which are a little like two five-sided pyramids stuck together.

If you don't have a d16 handy, you could do something like this: Roll a four-sided die, subtract one, multiply by four, roll a four sided die, add to first number, subtract one.

Of course, the more interesting question is WHY!?!?!

jml
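
[Added example, not part of the thread or of any poster's message: an exhaustive comparison of the two dice schemes discussed above, multiplying two d8 and a d4 versus combining two d4 rolls as (first - 1) * 4 + second - 1, followed by turning recorded d4 rolls into hex key digits. The function names and the sample rolls are constructed for illustration.]

```python
from collections import Counter
from fractions import Fraction
from itertools import product
from math import log2


def distribution(dice, combine):
    """Exact distribution of combine(*faces) over every roll of fair dice.

    dice is a list of face counts, e.g. [8, 8, 4]; faces are numbered 1..n.
    """
    rolls = list(product(*(range(1, n + 1) for n in dice)))
    counts = Counter(combine(*faces) for faces in rolls)
    return {value: Fraction(c, len(rolls)) for value, c in counts.items()}


def min_entropy_bits(dist):
    """Min-entropy in bits: -log2 of the most likely outcome's probability."""
    return -log2(max(dist.values()))


def multiply_faces(a, b, c):
    """Two octahedrons and a tetrahedron, results multiplied."""
    return a * b * c


def nibble_from_two_d4(first, second):
    """(first - 1) * 4 + second - 1: one value in 0..15 per pair of d4 rolls."""
    for face in (first, second):
        if not 1 <= face <= 4:
            raise ValueError(f"not a d4 face: {face!r}")
    return (first - 1) * 4 + (second - 1)


def hex_key_from_d4_rolls(rolls):
    """Turn recorded d4 rolls into hex digits, two rolls per digit."""
    if len(rolls) % 2:
        raise ValueError("need an even number of d4 rolls")
    pairs = zip(rolls[0::2], rolls[1::2])
    return "".join(format(nibble_from_two_d4(a, b), "x") for a, b in pairs)


def compare():
    """Summarise how many values each scheme can produce and how evenly."""
    product_dist = distribution([8, 8, 4], multiply_faces)
    nibble_dist = distribution([4, 4], nibble_from_two_d4)
    return {
        "product_values": len(product_dist),
        "product_min_entropy": min_entropy_bits(product_dist),
        "nibble_values": len(nibble_dist),
        "nibble_min_entropy": min_entropy_bits(nibble_dist),
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name}: {value}")
    # Constructed sample rolls for illustration; not a key to use.
    print(hex_key_from_d4_rolls([1, 1, 4, 4, 2, 3, 3, 2]))
```

The multiplied dice cannot reach every byte value (no product is 0 or a prime above 8) and favour some results over others, while the two-d4 rule yields each of the 16 hex digits with probability 1/16.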
Re: [SLUG] Is someone is snooping my wireless?
why not have a little fun instead of locking everything down immediately :)

http://ex-parrot.com/~pete/upside-down-ternet.html

and anyway, setting up a proxy server, forcing them through it and logging all requests may give you an insight into what they are doing on your network, and maybe who they are.. much more interesting than securing your network

On Tue, Jun 17, 2008 at 7:13 PM, Sonia Hamilton [EMAIL PROTECTED] wrote:
> Rick Welykochy wrote:
>> A new icon I have never seen before for a PC connection to my wireless LAN has alerted me that someone in the area is attempting to connect. The icon only indicates that it is a PC. No IP or any info like that.
>>
>> What I am after is intrusion detection software for a wireless LAN.
>>
>> * how can I get the IPs of the connected or trying to connect?
>> * can I snort out those trying to break in with WEP cracks?
>
> Lots of replies to this - mac filtering, WPA2, limited ip range, etc. Whilst mac filtering and a limited ip range are passable, security is usually a layered approach, so use them in combination.
>
> Also, keep in mind that upgrading the firmware on your wireless router may give you new features (like ips of those trying to connect, or showing the DHCP lease table). In addition some products eg WRT54G have open source replacement firmware that give you tonnes of additional features that may help you here.
>
> --
> Sonia Hamilton.
Re: [SLUG] Is someone is snooping my wireless?
Tony Sceats wrote:
> why not have a little fun instead of locking everything down immediately :)
>
> http://ex-parrot.com/~pete/upside-down-ternet.html
>
> and anyway, setting up a proxy server, forcing them through it and logging all requests may give you an insight into what they are doing on your network, and maybe who they are.. much more interesting than securing your network

Excellent! kittennet and blurnet. Ain't technology wonderful.

I like the guy's domain name. Spam comes from Monty Python. So do ex-parrots.

thanks
rickw

--
Rick Welykochy || Praxis Services || Internet Driving Instructor

... wanted me to be a Win2K admin with emphasis on security. That's like a job as a SCUBA diver with an emphasis on keeping things dry.
     -- Anthony de Boer
Re: [SLUG] Is someone is snooping my wireless?
Looks like it is going to be a boring day on slug from now on cos this one was really great... does kind of make you think about all sorts of bizarre possibilities...

I've been working with regexes and search and replace... mixing that in with the http streaming (changing words in web pages on the fly) you could play some funny tricks on the wife when she is using the computer alone or on the teenage boys if they try to misuse the internet with their friends..

damn funny. damn damn funny (is it time for a prize system? - this post has my vote)

Quoting Tony Sceats [EMAIL PROTECTED]:
> why not have a little fun instead of locking everything down immediately :)
>
> http://ex-parrot.com/~pete/upside-down-ternet.html
>
> and anyway, setting up a proxy server, forcing them through it and logging all requests may give you an insight into what they are doing on your network, and maybe who they are.. much more interesting than securing your network
Re: [SLUG] Is someone is snooping my wireless?
Rick Welykochy wrote:
> A new icon I have never seen before for a PC connection to my wireless LAN has alerted me that someone in the area is attempting to connect. The icon only indicates that it is a PC. No IP or any info like that.
>
> What I am after is intrusion detection software for a wireless LAN.
>
> * how can I get the IPs of the connected or trying to connect?
> * can I snort out those trying to break in with WEP cracks?

Lots of replies to this - mac filtering, WPA2, limited ip range, etc. Whilst mac filtering and a limited ip range are passable, security is usually a layered approach, so use them in combination.

Also, keep in mind that upgrading the firmware on your wireless router may give you new features (like ips of those trying to connect, or showing the DHCP lease table). In addition some products eg WRT54G have open source replacement firmware that give you tonnes of additional features that may help you here.

--
Sonia Hamilton.
[SLUG] Is someone is snooping my wireless?
This may be off topic, but there is a lot of networking talent on SLUG. And the answers to this query will be very useful in general.

A new icon I have never seen before for a PC connection to my wireless LAN has alerted me that someone in the area is attempting to connect. The icon only indicates that it is a PC. No IP or any info like that.

What I am after is intrusion detection software for a wireless LAN.

* how can I get the IPs of the connected or trying to connect?
* can I snort out those trying to break in with WEP cracks?

That kind of stuff. I feel like I'm running blind right now, and disconnecting the wireless is the only option until I know what is going on.

FWIW I've run this wireless for about five years now and this is the first time I've seen anything like this. I am in inner Sydney and there are heaps of wireless LANs around, and an office block full of PCs 10m across the alley from me.

One idea comes to mind: tcpdump, which has been an excellent tool in the past, esp. to point the finger at a stray device that is flooding the LAN.

cheers
rickw

--
Rick Welykochy || Praxis Services || Internet Driving Instructor

My advice to the women's clubs of America is to raise more hell and fewer dahlias.
     -- William Allen White
Re: [SLUG] Is someone is snooping my wireless?
Hi Rick

if someone is 'trying to connect' then fortunately they aren't actually connecting. there isn't much you can do about people attempting to connect (unless you hire some sort of sniper on top of your building).

however. if someone is actually attaching to your wireless lan, that is a different story.

firstly. use MAC filtering
second. get rid of WEP and use WPA or WPA2

if someone is using your network, you should be able to see a dhcp lease from your dhcp server (which might just be an adsl/ip router). this is a good place to start! from there you can block their mac address

otherwise take a look in the router's arp table and look for strange MAC addresses - then block them.

that's a few quick ideas.

Dean

Rick Welykochy wrote:
> This may be off topic, but there is a lot of networking talent on SLUG. And the answers to this query will be very useful in general.
>
> A new icon I have never seen before for a PC connection to my wireless LAN has alerted me that someone in the area is attempting to connect. The icon only indicates that it is a PC. No IP or any info like that.
>
> What I am after is intrusion detection software for a wireless LAN.
>
> * how can I get the IPs of the connected or trying to connect?
> * can I snort out those trying to break in with WEP cracks?
>
> That kind of stuff. I feel like I'm running blind right now, and disconnecting the wireless is the only option until I know what is going on.
>
> FWIW I've run this wireless for about five years now and this is the first time I've seen anything like this. I am in inner Sydney and there are heaps of wireless LANs around, and an office block full of PCs 10m across the alley from me.
>
> One idea comes to mind: tcpdump, which has been an excellent tool in the past, esp. to point the finger at a stray device that is flooding the LAN.
>
> cheers
> rickw

--
http://fragfest.com.au
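
[Added example, not part of the thread or of any poster's message: one way to do the "look for strange MAC addresses" check from a Linux machine on the WLAN, by comparing neighbour-table output in the `ip neigh show` format with a list of your own adapters. The sample table, the MAC addresses and KNOWN_MACS are constructed, and since a MAC address can be set by the client, a clean result is a hint rather than proof.]

```python
import ipaddress
from collections import defaultdict

# Constructed sample in the format printed by `ip neigh show`.
SAMPLE_NEIGH = """\
192.168.50.1 dev wlan0 lladdr 02:00:00:aa:00:01 REACHABLE
192.168.50.2 dev wlan0 lladdr 02:00:00:aa:00:02 STALE
192.168.50.7 dev wlan0 lladdr 02:00:00:bb:00:99 DELAY
192.168.50.3 dev wlan0 lladdr 02:00:00:AA:00:02 REACHABLE
192.168.50.9 dev wlan0 FAILED
fe80::1 dev wlan0 lladdr 02:00:00:aa:00:01 router STALE
"""

# Constructed allowlist: the adapters you own (router plus one laptop).
KNOWN_MACS = {"02:00:00:aa:00:01", "02:00:00:aa:00:02"}


def parse_neigh(text):
    """Parse `ip neigh show` lines into dicts; IPv4 entries only."""
    entries = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[1] != "dev":
            continue  # not a neighbour entry
        try:
            ip = ipaddress.ip_address(tok[0])
        except ValueError:
            continue
        if ip.version != 4:
            continue  # one adapter legitimately holds several IPv6 addresses
        mac = None
        if "lladdr" in tok[:-1]:  # FAILED/INCOMPLETE entries carry no lladdr
            mac = tok[tok.index("lladdr") + 1].lower()
        entries.append(
            {"ip": str(ip), "dev": tok[2], "mac": mac, "state": tok[-1]}
        )
    return entries


def review(entries, known_macs):
    """Report unknown MACs, MACs seen on several IPs, and unresolved IPs."""
    known = {m.lower() for m in known_macs}
    unknown = [
        (e["ip"], e["mac"])
        for e in entries
        if e["mac"] and e["mac"] not in known
    ]
    ips_by_mac = defaultdict(set)
    for e in entries:
        if e["mac"]:
            ips_by_mac[e["mac"]].add(e["ip"])
    # On a statically addressed LAN one adapter should hold one IPv4 address;
    # a known MAC on two addresses deserves a closer look.
    multi_ip = {
        mac: sorted(ips) for mac, ips in ips_by_mac.items() if len(ips) > 1
    }
    unresolved = [e["ip"] for e in entries if e["mac"] is None]
    return {"unknown": unknown, "multi_ip": multi_ip, "unresolved": unresolved}


if __name__ == "__main__":
    report = review(parse_neigh(SAMPLE_NEIGH), KNOWN_MACS)
    for ip, mac in report["unknown"]:
        print(f"unknown adapter {mac} at {ip}")
    for mac, ips in report["multi_ip"].items():
        print(f"{mac} seen on several addresses: {', '.join(ips)}")
    for ip in report["unresolved"]:
        print(f"no link-layer address resolved for {ip}")
```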
Re: [SLUG] Is someone is snooping my wireless?
DaZZa wrote:
> You should make sure you take the simple steps which *everyone* running wireless should do.
>
> 1) Disable SSID broadcast
> 2) Disable DHCP unless you absolutely *have* to use it.

Already do the above two. SSID should only be used for public nets, I presume. And no DHCP.

> 3) Make the Wireless subnet as small as you can possibly go for the number of machines you have. The one I use at home is set to 192.168.25.0 with a 255.255.255.252 netmask - leaving room for only the router's IP address, and the one machine I have running wireless. The cable LAN segment has a completely different range.

Excellent advice. Thanks. I am completely statically addressed here with a number of machines. I'll partition the address space and separate out the cabled LAN. Would this suffice:

LAN: 192.168.100.0 255.255.255.whatever
WiFi: 192.168.50.0 255.255.255.252

Or better:

LAN: 10.1.100.0 255.255.255.whatever
WiFi: 192.168.50.0 255.255.255.252

> 4) Use WPA or WPA2. WEP is badly broken, and was cracked years ago.

Will do. It's long overdue. Laziness == !Secure.

> Depending on your wireless AP, you can require authentication (if supported) before allowing a wireless connection.

Yes indeed. I already require authentication.

I am beginning to think that this icon I saw was someone's PC trying to get on the wireless but they failed. I've turned the wireless back on and they've vanished.

But I will remain vigilant and implement as much security as possible.

thanks
rickw

--
Rick Welykochy || Praxis Services || Internet Driving Instructor

My advice to the women's clubs of America is to raise more hell and fewer dahlias.
     -- William Allen White
Re: [SLUG] Is someone is snooping my wireless?
Dean Hamstead wrote:
> (unless you hire some sort of sniper on top of your building).

Good idea! That mob from the APEC summit must be bored these days.

> firstly. use MAC filtering

Yup. I have an ACL for MAC addrs. Can that be cracked? i.e. keep trying the *huge* MAC address space until they get in? Must take until the heat death of the universe to do that.

> second. get rid of WEP and use WPA or WPA2
>
> if someone is using your network, you should be able to see a dhcp lease from your dhcp server (which might just be an adsl/ip router). this is a good place to start! from there you can block their mac address
>
> otherwise take a look in the router's arp table and look for strange MAC addresses - then block them.

Thanks for the advice. And something new to investigate. I'll try to figure out how to ssh to the WiFi (it's an airport ... might have trouble there!) and look around. Apple products are so dumbed down that the Airport Base Stn Utility doesn't give you much in that regard.

cheers
rickw

--
Rick Welykochy || Praxis Services || Internet Driving Instructor

My advice to the women's clubs of America is to raise more hell and fewer dahlias.
     -- William Allen White
Re: [SLUG] Is someone is snooping my wireless?
On Tue, Jun 17, 2008 at 2:49 PM, Rick Welykochy [EMAIL PROTECTED] wrote:
>> You should make sure you take the simple steps which *everyone* running wireless should do.
>>
>> 1) Disable SSID broadcast
>> 2) Disable DHCP unless you absolutely *have* to use it.
>
> Already do the above two. SSID should only be used for public nets, I presume. And no DHCP.

Only for nets you *want* to be open for potential unauthorised use. Even in public nets, I disable it, and require potential users to come ask for the SSID before connecting.

>> 3) Make the Wireless subnet as small as you can possibly go for the number of machines you have. The one I use at home is set to 192.168.25.0 with a 255.255.255.252 netmask - leaving room for only the router's IP address, and the one machine I have running wireless. The cable LAN segment has a completely different range.
>
> Excellent advice. Thanks. I am completely statically addressed here with a number of machines. I'll partition the address space and separate out the cabled LAN. Would this suffice:
>
> LAN: 192.168.100.0 255.255.255.whatever
> WiFi: 192.168.50.0 255.255.255.252
>
> Or better:
>
> LAN: 10.1.100.0 255.255.255.whatever
> WiFi: 192.168.50.0 255.255.255.252

Either will do - it's up to you what you use. I'd just go with 255.255.255.0 for your LAN (cabled) network. The point of using a 255.255.255.252 netmask is that it only allows two nodes in the network (plus the one network and one broadcast address), and leaves much less wriggle room for people to get in via an unallocated IP address open in the subnet.

>> 4) Use WPA or WPA2. WEP is badly broken, and was cracked years ago.
>
> Will do. It's long overdue. Laziness == !Secure.

Yup. No argument with that one.

>> Depending on your wireless AP, you can require authentication (if supported) before allowing a wireless connection.
>
> Yes indeed. I already require authentication.

Then you're probably 99.9% secure from someone sniffing you out and hacking access.

> I am beginning to think that this icon I saw was someone's PC trying to get on the wireless but they failed. I've turned the wireless back on and they've vanished.

Most likely someone just attempted a connect and failed, yes.

> But I will remain vigilant and implement as much security as possible.

Constant vigilance!

DaZZa
Re: [SLUG] Is someone is snooping my wireless?
DaZZa [EMAIL PROTECTED] writes:
> On Tue, Jun 17, 2008 at 2:49 PM, Rick Welykochy [EMAIL PROTECTED] wrote:
>>> You should make sure you take the simple steps which *everyone* running wireless should do.
>>>
>>> 1) Disable SSID broadcast
>>> 2) Disable DHCP unless you absolutely *have* to use it.
>>
>> Already do the above two. SSID should only be used for public nets, I presume. And no DHCP.
>
> Only for nets you *want* to be open for potential unauthorised use.

Hiding the SSID doesn't add any significant security because...

> Even in public nets, I disable it, and require potential users to come ask for the SSID before connecting.

...you can sniff it out of the air, using tools such as kismet. You may get less drive-by connection attempts, but it will not secure the network any further.

Oh, and neither will avoiding DHCP: it is a trivial inconvenience, since kismet and friends will sniff your network details over the air also.

>>> 3) Make the Wireless subnet as small as you can possibly go for the number of machines you have. The one I use at home is set to 192.168.25.0 with a 255.255.255.252 netmask - leaving room for only the router's IP address, and the one machine I have running wireless. The cable LAN segment has a completely different range.
>>
>> Excellent advice. Thanks. I am completely statically addressed here with a number of machines. I'll partition the address space and separate out the cabled LAN.

That shouldn't make much difference to security, because by the time someone has broken it to have access to the IP level you have already lost, more or less.

This will make it marginally inconvenient for someone to abuse your service, but only marginally. Just like DHCP it really doesn't add anything but momentary inconvenience.

[...]

>>> 4) Use WPA or WPA2. WEP is badly broken, and was cracked years ago.
>>
>> Will do. It's long overdue. Laziness == !Secure.
>
> Yup. No argument with that one.

These will add real security and are very valuable.

I like WPA2 Enterprise, backed with a real username and password database, and a real authentication protocol, but a shared key is probably good enough.

[...]

>> But I will remain vigilant and implement as much security as possible.
>
> Constant vigilance!

Heh. :)

Regards,
Daniel
Re: [SLUG] Is someone is snooping my wireless?
Daniel beat me to the punch on all counts, and have to agree. Locking down MAC addresses and not using DHCP are probably the most easily circumvented - the former can be done by just configuring your NIC with that MAC address, and overriding a fixed IP address is basically as trivial as responding to ARP requests quicker than the real guy ;-)

I have to admit I am slightly lazy at home and using WEP - my previous excuse was that I had some devices that didn't support WEP (and that WPA support on Linux was poor) but I think I probably can't call on that one now.

Martin

On Tue, Jun 17, 2008 at 3:10 PM, Daniel Pittman [EMAIL PROTECTED] wrote:
> DaZZa [EMAIL PROTECTED] writes:
>> On Tue, Jun 17, 2008 at 2:49 PM, Rick Welykochy [EMAIL PROTECTED] wrote:
>>>> You should make sure you take the simple steps which *everyone* running wireless should do.
>>>>
>>>> 1) Disable SSID broadcast
>>>> 2) Disable DHCP unless you absolutely *have* to use it.
>>>
>>> Already do the above two. SSID should only be used for public nets, I presume. And no DHCP.
>>
>> Only for nets you *want* to be open for potential unauthorised use.
>
> Hiding the SSID doesn't add any significant security because...
>
>> Even in public nets, I disable it, and require potential users to come ask for the SSID before connecting.
>
> ...you can sniff it out of the air, using tools such as kismet. You may get less drive-by connection attempts, but it will not secure the network any further.
>
> Oh, and neither will avoiding DHCP: it is a trivial inconvenience, since kismet and friends will sniff your network details over the air also.
>
>>>> 3) Make the Wireless subnet as small as you can possibly go for the number of machines you have. The one I use at home is set to 192.168.25.0 with a 255.255.255.252 netmask - leaving room for only the router's IP address, and the one machine I have running wireless. The cable LAN segment has a completely different range.
>>>
>>> Excellent advice. Thanks. I am completely statically addressed here with a number of machines. I'll partition the address space and separate out the cabled LAN.
>
> That shouldn't make much difference to security, because by the time someone has broken it to have access to the IP level you have already lost, more or less.
>
> This will make it marginally inconvenient for someone to abuse your service, but only marginally. Just like DHCP it really doesn't add anything but momentary inconvenience.
>
> [...]
>
>>>> 4) Use WPA or WPA2. WEP is badly broken, and was cracked years ago.
>>>
>>> Will do. It's long overdue. Laziness == !Secure.
>>
>> Yup. No argument with that one.
>
> These will add real security and are very valuable.
>
> I like WPA2 Enterprise, backed with a real username and password database, and a real authentication protocol, but a shared key is probably good enough.
>
> [...]
>
>>> But I will remain vigilant and implement as much security as possible.
>>
>> Constant vigilance!
>
> Heh. :)
>
> Regards,
> Daniel

--
Regards, Martin

Martin Visser
Re: [SLUG] Is someone is snooping my wireless?
Rick,

It isn't clear what you are seeing. Is this just an *available* adhoc network appearing in network-manager? This just means that there is someone nearby advertising their PC as an ad-hoc network. It is then up to you to decide if you want to connect to them.

Martin

On Tue, Jun 17, 2008 at 2:10 PM, Rick Welykochy wrote:

This may be off topic, but there is a lot of networking talent on SLUG. And the answers to this query will be very useful in general.

A new icon I have never seen before for a PC connection to my wireless LAN has alerted me that someone in the area is attempting to connect. The icon only indicates that it is a PC. No IP or any info like that.

What I am after is intrusion detection software for a wireless LAN.

* how can I get the IPs of the connected or trying to connect?
* can I snort out those trying to break in with WEP cracks?

That kind of stuff. I feel like I'm running blind right now, and disconnecting the wireless is the only option until I know what is going on.

FWIW I've run this wireless for about five years now and this is the first time I've seen anything like this. I am in inner Sydney and there are heaps of wireless LANs around, and an office block full of PCs 10m across the alley from me.

One idea comes to mind: tcpdump, which has been an excellent tool in the past, esp. to point the finger at a stray device that is flooding the LAN.

cheers
rickw

--
Rick Welykochy || Praxis Services || Internet Driving Instructor
My advice to the women's clubs of America is to raise more hell and fewer dahlias. -- William Allen White

--
Regards, Martin
Martin Visser
Re: [SLUG] Is someone is snooping my wireless?
Rick Welykochy wrote:

firstly. use MAC filtering

Yup. I have an ACL for MAC addrs. Can that be cracked? i.e. keep trying the *huge* MAC address space until they get in? Must take until the heat death of the universe to do that.

If an attacker has successfully associated with your access point through whatever means, be it that the AP was open, or be it that they obtained the WEP key, it's simple for them to sniff the traffic going to and from your machines with allowed MAC addresses. Those MAC addresses are of course in the ethernet headers of those packets, so it's trivial for an attacker to obtain whitelisted MAC addresses as long as there is any legitimate traffic on the network.

You definitely can't rely on MAC filtering alone. Just make sure to use WPA or WPA2 as suggested, as well as other sensible security measures suggested in this thread. You can additionally set up MAC filtering if you want to be able to say to people, "I use MAC filtering". That's about all it's useful for.

Cheers,
David
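A defender-side check for the two bypasses discussed in this thread (a whitelisted MAC turning up where it should not, and a second host answering ARP for someone else's static IP), as an added example that is not part of any poster's message: it audits ARP replies in the style of `tcpdump -e -n arp` against a static inventory. The inventory, the addresses and the sample lines are constructed assumptions.

```python
import re
from collections import defaultdict

# Assumed static inventory: MAC -> the one IP that host is configured with.
INVENTORY = {
    "02:00:00:00:00:01": "10.0.0.1",    # access point / router
    "02:00:00:00:00:02": "10.0.0.20",   # laptop
}

# Constructed lines in the style of `tcpdump -e -n arp`; not a real capture.
SAMPLE = """\
10:00:01.000100 02:00:00:00:00:01 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 10.0.0.20 tell 10.0.0.1, length 28
10:00:01.000900 02:00:00:00:00:02 > 02:00:00:00:00:01, ethertype ARP (0x0806), length 42: Reply 10.0.0.20 is-at 02:00:00:00:00:02, length 28
10:05:12.000300 02:00:00:00:00:99 > 02:00:00:00:00:01, ethertype ARP (0x0806), length 42: Reply 10.0.0.20 is-at 02:00:00:00:00:99, length 28
10:09:40.000200 02:00:00:00:00:02 > 02:00:00:00:00:01, ethertype ARP (0x0806), length 42: Reply 10.0.0.77 is-at 02:00:00:00:00:02, length 28
"""

REPLY = re.compile(
    r"^(?P<ts>\S+) \S+ > \S+ ethertype ARP .*?"
    r"Reply (?P<ip>[\d.]+) is-at (?P<mac>[0-9a-f:]{17})", re.I)

def audit(text, inventory):
    """Return (timestamp, kind, detail) findings for the ARP replies in text."""
    findings, owners = [], defaultdict(set)
    for line in text.splitlines():
        m = REPLY.match(line.strip())
        if not m:
            continue  # requests and non-ARP lines carry no ownership claim
        ts, ip, mac = m["ts"], m["ip"], m["mac"].lower()
        if mac not in inventory:
            findings.append((ts, "unknown-mac", f"{mac} claims {ip}"))
        elif inventory[mac] != ip:
            # A known MAC on an address that is not its own: a cloned
            # whitelisted MAC, or a host that was reconfigured.
            findings.append((ts, "unexpected-ip",
                             f"{mac} claims {ip}, expected {inventory[mac]}"))
        if mac not in owners[ip]:
            owners[ip].add(mac)
            if len(owners[ip]) > 1:  # two hosts answering for one address
                findings.append((ts, "ip-conflict",
                                 f"{ip} answered by {sorted(owners[ip])}"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE, INVENTORY):
        print(*finding, sep="  ")
```

A cloned MAC that also reuses its owner's IP while the owner is offline produces none of these findings, so this kind of monitoring complements WPA or WPA2 and does not replace it.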
Re: [SLUG] Is someone is snooping my wireless?
Martin Visser wrote:

It isn't clear what you are seeing. Is this just an *available* adhoc network appearing in network-manager? This just means that there is someone nearby advertising their PC as an ad-hoc network. It is then up to you to decide if you want to connect to them.

I strongly suspect that all it was was someone advertising their PC (not another WiFi network). There is no evidence they obtained access.

I am moving to WPA as we speak. All other measures have been implemented so I feel much more secure now.

Thanks to all for the great advice.

-rickw

--
Rick Welykochy || Praxis Services || Internet Driving Instructor
... wanted me to be a Win2K admin with emphasis on security. That's like a job as a SCUBA diver with an emphasis on keeping things dry. -- Anthony de Boer