India Broadband Forum


Wireless Security Primer - II

Old 08-23-08, 06:55 AM   #21
Junior Member
 
Join Date: Aug 2008
Location: Bangalore
Posts: 90
Rep Power: 2
ensine is on a distinguished road
Default

Thanks Just4Kix.
Now I feel my Wi-Fi is secured.
changed the IP of the router
changed the default password of the router
using WPA2-PSK

I think it's more than enough.
ensine is offline   Reply With Quote
Old 08-27-08, 03:02 PM   #22
Junior Member
 
Join Date: Aug 2008
Location: Bangalore
Posts: 90
Rep Power: 2
ensine is on a distinguished road
Default

Quote:
Originally Posted by ensine View Post
Thanks Just4Kix.
Now I feel my Wi-Fi is secured.
changed the IP of the router
changed the default password of the router
using WPA2-PSK

I think it's more than enough.
I agree that now it's not easy to get the passkey by tracing the packets, thanks to 'WPA2' and 'TKIP'.

We should make entry to the router difficult by using a robust password and changing the IP of the router, because even though one has implemented 'WPA2-PSK' encryption, anyone who can make a way to the router can see the passkey.
ensine is offline   Reply With Quote
Old 08-27-08, 03:31 PM   #23
Platinum Member
 
just4kix's Avatar
 
Join Date: Dec 2007
Location: Pune
Posts: 8,899
Blog Entries: 6
Rep Power: 19
just4kix is a splendid one to behold
Default

Quote:
Originally Posted by ensine View Post
I agree that now it's not easy to get the passkey by tracing the packets, thanks to 'WPA2' and 'TKIP'.

We should make entry to the router difficult by using a robust password and changing the IP of the router, because even though one has implemented 'WPA2-PSK' encryption, anyone who can make a way to the router can see the passkey.
Goes without saying. But yes, many people do not realize that.
just4kix is offline   Reply With Quote
Old 09-26-08, 02:18 PM   #24
Junior Member
 
Join Date: May 2008
Location: Hyderbad
Posts: 3
Rep Power: 0
g710 is on a distinguished road
Default

Friend,

I have gone through your Wireless Security Primer and Wireless Security Primer - II. Thanks for the same.

I have a BSNL type II modem, wa3002g4. It is not mentioned in the above documents how to change the IP address of the modem for security purposes. You just mentioned to change the IP address.

Please tell me how to change the IP address. Do I need to change the DHCP server starting IP and ending IP if I change the modem IP? Because it is the next number to 254 for the DHCP server.

I mean if the modem IP is 192.168.1.1 then DHCP starting and ending numbers are 192.168.1.2 to 192.168.1.254.


Thanks
g710 is offline   Reply With Quote
Old 09-26-08, 02:37 PM   #25
Platinum Member
 
just4kix's Avatar
 
Join Date: Dec 2007
Location: Pune
Posts: 8,899
Blog Entries: 6
Rep Power: 19
just4kix is a splendid one to behold
Default

Quote:
Originally Posted by g710 View Post
Friend,

I have gone through your Wireless Security Primer and Wireless Security Primer - II. Thanks for the same.

I have a BSNL type II modem, wa3002g4. It is not mentioned in the above documents how to change the IP address of the modem for security purposes. You just mentioned to change the IP address.

Please tell me how to change the IP address. Do I need to change the DHCP server starting IP and ending IP if I change the modem IP? Because it is the next number to 254 for the DHCP server.

I mean if the modem IP is 192.168.1.1 then DHCP starting and ending numbers are 192.168.1.2 to 192.168.1.254.


Thanks
There is a sticky post on WA3002G4 in the Broadband How to section.

To change the IP address of the modem, go to the LAN properties page. Keep DHCP enabled. When you change the IP address, the DHCP will change the range automatically. For example, if you change the IP address to 10.224.69.1, the DHCP range will change automatically to 10.224.69.2 to 10.224.69.255.
__________________
*** Never argue with an idiot ***

just4kix is offline   Reply With Quote
Old 09-29-08, 06:26 PM   #26
Junior Member
 
Join Date: Sep 2008
Posts: 4
Rep Power: 0
arindam1 is on a distinguished road
Post security options for wireless net

Hi, first, many many thanks to just4kix, this is a very useful thread.. keep it up


I am very worried about my newly installed bsnl broadband connection security. My problem is my modem is nokia siemens SL1_141, and it is in PPPoE mode with the password and id installed in it (done by bsnl agent). Some of my neighbours are accessing my net through the wireless, and I can see them in network & sharing centre but I can not do anything as I also don't need to type the password & id every time I open it... it is installed in the modem itself.
I was looking for any way to switch off the wireless facility as it seemed to be simplest... but could not. IS THERE ANY WAY TO DO THAT?
So that only 2 or 3 comp can surf through wire?

or..


Can u please help me to use any security options (and how to)
arindam1 is offline   Reply With Quote
Old 09-29-08, 06:37 PM   #27
Junior Member
 
Join Date: Sep 2008
Posts: 5
Rep Power: 2
crashpoint_zero is on a distinguished road
Default

Nicely laid out article JFK. The information gathered from wikipedia has been edited to suit the end user and at the same time not compromising on the technical details.

I can add my two bits from the experience that I had:

1. Some modems/routers come with a set of different users : admin, user, etc. As you pointed out most of the users do not change the default admin password and some of them who do, do not bother to change the passwords of other users as they are not superusers.

But I just discovered a fatal security flaw in BSNL's ZTE ZXDSL 531B - I have reported it in the bsnl broadband forum. In that the user "user" can access all admin rights while using tftp - telnet modem_ip 23.

So when you are changing passwords - change them for all the available users.

2. In the access control portion of the configuration, add IP access control rules specifying which workstation's IP should be allowed to access the UI. Of course, anyone can change the IP if the mgmt workstation is down - but we can only raise the bar - there is no such thing as 100% security.

3. Most of the routers have various services enabled like - ftp, http, telnet, etc. Enable only the ones that you need. A good rule to follow is - block all, open few.

4. Change the IP of the router to an entirely different series from 192.168.1.1

5. If you do not know how to secure your wireless - do not turn it on.

6. Once you are done with these things, take a backup of your changes so that the next time you need to restore stuff from default - you don't have to do all these things all over again. The backup can easily be taken from the management section, which allows you to upload and download backup files.
crashpoint_zero is offline   Reply With Quote
Old 09-29-08, 07:15 PM   #28
Junior Member
 
Join Date: Sep 2008
Posts: 4
Rep Power: 0
arindam1 is on a distinguished road
Post

Thanks for the useful and nice info..

How do I turn a wireless on when it is already on automatically? Is there any way to turn it off?
arindam1 is offline   Reply With Quote
Old 09-29-08, 11:40 PM   #29
Platinum Member
 
just4kix's Avatar
 
Join Date: Dec 2007
Location: Pune
Posts: 8,899
Blog Entries: 6
Rep Power: 19
just4kix is a splendid one to behold
Default

Some (actually most) wi-fi modems/routers have an option to enable or disable wireless. Check your modem's wireless basic settings.
just4kix is offline   Reply With Quote
Old 10-01-08, 01:31 AM   #30
Junior Member
 
Join Date: Sep 2008
Posts: 4
Rep Power: 0
arindam1 is on a distinguished road
Default

thank u again
I have opted for wpa2 psk, it's working for blocking wireless, my comp shows ur comp settings are not matching the requirement 4 the connection when i opt for wireless, it's working 4 only wired connection

my question is, is there further modification to secure my network?
or how do I change my I.P address?
arindam1 is offline   Reply With Quote
Old 10-01-08, 07:32 PM   #31
Junior Member
 
Join Date: Aug 2008
Posts: 20
Rep Power: 2
gg_bti is on a distinguished road
Default

A simple Query -

I have turned Access control on in my wifi setup...that means any other hacker would not be able to connect to my wifi network at all....unless n until that fellow somehow manages to get my mac address....but even for accessing the wifi routers login page be it default 192.168.1.1, he ought to be connected to the network...right...or can the hacker without getting an ip address from my network still log on the router page..?

I still believe turning access control on is one of the simplest and the first security measures to be taken along with switching on of WEP / WPA / IP changes etc.
gg_bti is offline   Reply With Quote
Old 10-01-08, 08:49 PM   #32
Platinum Member
 
just4kix's Avatar
 
Join Date: Dec 2007
Location: Pune
Posts: 8,899
Blog Entries: 6
Rep Power: 19
just4kix is a splendid one to behold
Default

Quote:
Originally Posted by gg_bti View Post
A simple Query -

I have turned Access control on in my wifi setup...that means any other hacker would not be able to connect to my wifi network at all....unless n until that fellow somehow manages to get my mac address....but even for accessing the wifi routers login page be it default 192.168.1.1, he ought to be connected to the network...right...or can the hacker without getting an ip address from my network still log on the router page..?

I still believe turning access control on is one of the simplest and the first security measures to be taken along with switching on of WEP / WPA / IP changes etc.
It is almost impossible to duplicate MAC address. If you feel threatened still, do the following:

a) Turn on Mac Address filtering (already done by you)
b) WPA-PSK with TKIP and use a really long key as suggested in my guide
c) Secure router's admin password to a very strong pwd
d) Change router's LAN IP address
e) After your wi-fi SSID is stored on your laptop (this is done after the first time connect and stays stored till you delete it or format the OS), turn SSID broadcast off.
just4kix is offline   Reply With Quote
Old 10-02-08, 12:34 AM   #33
Junior Member
 
Join Date: Sep 2008
Posts: 5
Rep Power: 2
crashpoint_zero is on a distinguished road
Default

From what I have seen of the pointers to thwart active attacks, you can do the following:

When using wireless

1. Go for an encryption protocol like WPA, preferably WPA2 + AES encryption.

2. Stop your modem from broadcasting your SSID.

3. Enter MAC filter rules to limit the addresses which can access your wireless network.

4. In the access control section, enable the rule for allowing only a specific IP to be a management station of the modem.

5. If possible, do not keep your modem near open areas like gallery, windows etc - this will limit the access domain to your home only.

Of course a mind determined to break the locks will bang his head until he succeeds - We cannot prevent the inevitable but we can always ensure that the bars are raised high enough and the headaches to the crackers are of premium quality.

JFK has already discussed the pointers in his well written primer. And of course both of us were typing a reply at the same time so both of our posts have a few things in common.

Talk about getting quick answers : )

Quote:
Originally Posted by just4kix View Post
b) WPA-PSK with TKIP and use a really long key as suggested in my guide
If your OS permits you and respects WPA2 + AES go for it. Vista and Ubuntu's networking programs support them.

The wifi alliance (the guys who are supposedly maintaining wi fi standards) came up with TKIP to solve the limitations of WEP - longer key length, static keys, etc. However the encryption algorithm is the same as used in WEP.

In case of WPA2 - the encryption algo is AES - harder to crack than the earlier ones.

But if your OS cribs, cries, cringes and holds its breath till its face turns blue - at least go for WPA

Last edited by crashpoint_zero; 10-02-08 at 12:34 AM. Reason: Automerged Doublepost
crashpoint_zero is offline   Reply With Quote
Old 10-02-08, 09:55 AM   #34
Junior Member
 
Join Date: Aug 2008
Posts: 23
Rep Power: 2
giay is on a distinguished road
Default

this is good information, I'll give a try for some of those tricks
giay is offline   Reply With Quote
Old 10-02-08, 02:21 PM   #35
Platinum Member
 
just4kix's Avatar
 
Join Date: Dec 2007
Location: Pune
Posts: 8,899
Blog Entries: 6
Rep Power: 19
just4kix is a splendid one to behold
Default

The problem with WPA2-PSK-AES is that some mobile handheld devices do not support it. Also old generation wi-fi does not support it. Hence WPA-PSK-TKIP is suggested.

I have already said in the two primers that WPA2-PSK-AES is the best.
just4kix is offline   Reply With Quote
Old 10-03-08, 10:42 AM   #36
Junior Member
 
Join Date: Oct 2008
Age: 29
Posts: 9
Rep Power: 2
arvind296 is on a distinguished road
Default plz help urgently : unable to login router page

hello everybody,
I have recently got my bsnl broadband connection. my modem is wa3002g4 type II. my computer is pentium III in which there is no LAN card so i decided to go for wireless lan. for that i purchased Netgear USB Adapter.
one friend of mine has done the setup and now i am able to connect to net. problem was I was not able to login router login page using 192.168.1.1 so as per the suggestion given in this forum, i assigned static ip address 192.168.1.3 by right clicking Wireless Network Connection 2 Netgear 111v3 and then selecting TCP/IP option. after that i was able to login 192.168.1.1
Now the problem is in the router setting i changed router ip address from 192.168.1.1 to something like 240.25.200.215 for the security reasons. its subnet mask was 255.255.255.0. and then without configuring anything i saved and rebooted it. now i am not able to login to 192.168.1.1 or 24.25.200.215. what is the problem?
another thing is when i try to assign static ip address to Wireless Network Connection 2 Netgear 111v3, it does not take value greater than 223.
so plz somebody could tell what is the problem and how can i login my router login page. plz note that i am able to connect the net.
thanks in advance
regards
arvind
arvind296 is offline   Reply With Quote
Old 10-03-08, 11:59 AM   #37
Junior Member
 
Join Date: Aug 2008
Posts: 20
Rep Power: 2
gg_bti is on a distinguished road
Default

JFK, thanks for the info..

But my question remains unanswered.... can the hacker without getting an ip address from my network still log on the router page..? even if my router is 192.1681.1.1 with default login name and password....

Of course as said in later post, if hacker wants to get in, in that case no amount of security is secure enough..
gg_bti is offline   Reply With Quote
Old 10-03-08, 05:13 PM   #38
Platinum Member
 
just4kix's Avatar
 
Join Date: Dec 2007
Location: Pune
Posts: 8,899
Blog Entries: 6
Rep Power: 19
just4kix is a splendid one to behold
Default

Quote:
Originally Posted by gg_bti View Post
JFK, thanks for the info..

But my question remains unanswered.... can the hacker without getting an ip address from my network still log on the router page..? even if my router is 192.1681.1.1 with default login name and password....

Of course as said in later post, if hacker wants to get in, in that case no amount of security is secure enough..
To login to http://192.168.1.1, the hacker must first be connected to your network. To connect to your network, he/she needs to be connected to the wi-fi router first. So if your wi-fi security prevents this connection, there is nothing the hacker can do except keep trying to login by trying to guess the key.

By having WPA + Mac address filtering, it will be almost impossible to connect.

On the other hand if your telnet port is open and you do not have a good firewall, a hacker can remotely connect to your network/pc from the real IP address.
just4kix is offline   Reply With Quote
Old 10-03-08, 06:38 PM   #39
Junior Member
 
Join Date: Sep 2008
Posts: 5
Rep Power: 2
crashpoint_zero is on a distinguished road
Default

Quote:
Originally Posted by arvind296 View Post
hello everybody,
I have recently got my bsnl broadband connection. my modem is wa3002g4 type II. my computer is pentium III in which there is no LAN card so i decided to go for wireless lan. for that i purchased Netgear USB Adapter.
one friend of mine has done the setup and now i am able to connect to net. problem was I was not able to login router login page using 192.168.1.1 so as per the suggestion given in this forum, i assigned static ip address 192.168.1.3 by right clicking Wireless Network Connection 2 Netgear 111v3 and then selecting TCP/IP option. after that i was able to login 192.168.1.1
Now the problem is in the router setting i changed router ip address from 192.168.1.1 to something like 240.25.200.215 for the security reasons. its subnet mask was 255.255.255.0. and then without configuring anything i saved and rebooted it. now i am not able to login to 192.168.1.1 or 24.25.200.215. what is the problem?
another thing is when i try to assign static ip address to Wireless Network Connection 2 Netgear 111v3, it does not take value greater than 223.
arvind

When 2 machines are connected in a LAN - example - your machine and your router - they can communicate with each other only if both of them are having an IP in the same subnet.

e.g. if router IP is 192.168.1.X (where X is no. from 1 to 254) your computer's IP should be 192.168.1.Y (where Y is not equal to X and is in the range 1 to 254).

So in this case you changed your router's IP to 24.25.200.215 - you need to be in the same range - give your comp an IP like 24.25.200.X where X is not equal to 215. Keep both the subnet masks same.

When you change stuff for security reasons - know the implications - otherwise you will end up locking yourself out.
crashpoint_zero is offline   Reply With Quote
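
The lock-out described in posts #36 and #39, and the DHCP range question from posts #24 and #25, can be checked before saving a new LAN address. This is an added example, not code from any poster; `check_lan_plan` is a hypothetical helper and the sample addresses are the ones mentioned in the thread.

```python
import ipaddress

# Private LAN ranges from RFC 1918.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# 224.0.0.0/4 is multicast and 240.0.0.0/4 is reserved; neither can be given
# to a host, which is why an adapter refuses a first octet above 223.
RESERVED = ipaddress.ip_network("240.0.0.0/4")


def check_lan_plan(router_ip, netmask, client_ip=None):
    """Validate a proposed router LAN address (hypothetical helper)."""
    addr = ipaddress.IPv4Address(router_ip)
    net = ipaddress.IPv4Network(f"{router_ip}/{netmask}", strict=False)
    problems = []

    if addr.is_multicast or addr in RESERVED:
        problems.append("first octet above 223: not a usable host address")
    elif not any(addr in n for n in RFC1918):
        problems.append("not an RFC 1918 private range")

    pool = None
    if net.prefixlen > 30:
        problems.append("subnet too small for a router plus clients")
    elif addr in (net.network_address, net.broadcast_address):
        problems.append("router address is the network or broadcast address")
    else:
        # Usable client addresses exclude network, broadcast and the router.
        first, last = net.network_address + 1, net.broadcast_address - 1
        if addr == first:
            first += 1
        elif addr == last:
            last -= 1
        pool = (str(first), str(last))

    # A client only reaches the admin page if it sits in the router's subnet.
    reachable = None
    if client_ip is not None:
        reachable = ipaddress.IPv4Address(client_ip) in net

    return {
        "network": str(net),
        "broadcast": str(net.broadcast_address),
        "client_pool": pool,
        "client_reachable": reachable,
        "problems": problems,
    }


if __name__ == "__main__":
    # Addresses taken from the thread: (router, mask, client static IP).
    for plan in [("10.224.69.1", "255.255.255.0", "10.224.69.7"),
                 ("240.25.200.215", "255.255.255.0", "192.168.1.3"),
                 ("24.25.200.215", "255.255.255.0", "24.25.200.10")]:
        print(plan, check_lan_plan(*plan))
```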
Old 10-04-08, 12:09 PM   #40
Junior Member
 
Join Date: Aug 2008
Posts: 20
Rep Power: 2
gg_bti is on a distinguished road
Default


Quote:
Originally Posted by just4kix View Post
By having WPA + Mac address filtering, it will be almost impossible to connect.

On the other hand if your telnet port is open and you do not have a good firewall, a hacker can remotely connect to your network/pc from the real IP address.


Thanks a lot JFK once again

I do have MAC address filtering and WPA done to my wifi...I believe that amount of security is good enough... and as well another measure, I do SWITCH OFF my wifi when not in use....I guess technology is still not that advanced that hacker can remotely switch on my wifi...

Regarding telnet port being open - how to close the same...will any other services be affected if the same is closed...?

I do have the default Windows XP firewall ON as well as Norton Internet Security 2006 edition working, however at times I do receive a message from Norton that there has been an attempt to hack the computer which was blocked by Norton...
gg_bti is offline   Reply With Quote
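
Point 3 of post #27 ("block all, open few") and the telnet question in posts #38 and #40 come down to knowing which management services your own router still answers on. This is an added example, not code from any poster; `audit_services`, `to_disable` and the default address are assumptions, and the ports are the standard ones for the services named in the thread.

```python
import socket
import sys

# Management services named in the thread, with their standard TCP ports.
MGMT_SERVICES = {"ftp": 21, "telnet": 23, "http": 80}


def audit_services(host, needed=("http",), services=MGMT_SERVICES,
                   connect=socket.create_connection, timeout=1.0):
    """Try one TCP connection per service on your own router (hypothetical helper).

    Returns {service: state}, where state is one of
    'open (needed)', 'open (disable)', 'closed' or 'no response'.
    """
    report = {}
    for name, port in services.items():
        try:
            conn = connect((host, port), timeout)
        except ConnectionRefusedError:
            # The router answered with a reset: nothing is listening.
            report[name] = "closed"
            continue
        except OSError:
            # Timeout or unreachable: filtered, or the host is not there.
            report[name] = "no response"
            continue
        conn.close()
        report[name] = "open (needed)" if name in needed else "open (disable)"
    return report


def to_disable(report):
    """Services that answered but are not on the 'needed' list."""
    return sorted(n for n, state in report.items() if state == "open (disable)")


if __name__ == "__main__":
    # Default is the factory LAN address discussed in the thread; pass your
    # router's current LAN IP as the first argument if you changed it.
    router = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.1"
    result = audit_services(router)
    for service, state in result.items():
        print(f"{service:7s} {state}")
    print("turn off in the router's service settings:", to_disable(result))
```

Run it from a machine on the LAN side, then repeat after changing the router's service settings to confirm the ports no longer answer.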