Thread: Wireless Security Primer - II

Last week, I wrote this article on improtance of Wireless Security. We all would agree that security should be of paramount importance but when it comes to implementation we are sometimes too lazy to do it. I have posted in this guide (Setup of ADSL Modem/Router UT-300R2U with Linksys Wireless Router WRT54G) steps on how to implement WPA or WPA2 security. It is not difficult at all and should not take more than 5 minutes.

However all security will be of no use if:

a) Your wireless router's password is known
b) People can freely access your wireless router

In this blog, I intend to discuss on how to plug this basic security hole as much as possible. Note that nothing is secure - a determined hacker can and will hack into networks. But considering that most of us live in residential neighbourhoods and expect that people living around you are not experts are hacking some of the methods discussed here should suffice.

Although this blog is being posted in the BSNL forum (because most people view this forum the most), the contents apply to any wireless network.

The following two steps are not an alternate to wireless security. Indeed you must implement wireless security over and above the following.

Steps to make your router password strong:

There are enough articles on the internet on how to build a strong password. Those of you who work in corporates are even aware that corporates now insist on very strong password policies. To reiterate these policies, you can make your password strong and secure if you do the following:

a) Make your password at least 10 characters long
b) Use a healthy mix of uppercase and lowercase letters, numbers, special characters, etc.
c) Avoid using dates of any kind such birthdays, anniverseries, etc.
d) Avoid using full or part of your or your family members' name or surname in your password
e) Do not use names of places of importance to you
f) Do not use repetitive characters
g) Finally change your password every 45 days or so

Make your wireless router inaccessible as far as possible

The best way is to disable Wireless SSID broadcast. But this will be of as much inconvenience to you as to everyone else. Herein, I will suggest some other methods to make your router inaccessible.

a) The first step is the name of your Wireless network (SSID). This is the name that appears in your wireless network on your PCs when you switch on wireless. Most of the times, we do not change the default name - the default names are often like 'default', 'linksys', 'netgear', etc. Change your network name to something weird. This will make the potential hacker think that your network is hard to crack.

b) Change your wireless router's IP address to something unguessable. And this is the main trick. A potential hacker knows that IP address of wireless router is likely to be 192.168.1.1 or 192.168.2.1 or 192.168.0.1, etc. A few tries and the hacker gets the router's login page. The username is almost always 'admin' and if the password is not strong - wham! the hacker is in and can see all your setup, WPA keys, etc.

Once the WPA key is known the hacker does not need to login again on your wireless router because it is unlikely that we will change WPA key again and again. The hacker has the WPA key and that is all is needed.

So the key is change your router's IP address to something unguessable such as 129.241.167.91 - well anything really - all those four digits could be any number from 0 to 255.

The above steps side by side with wireless security should be quite sufficient for most.

p/s Please rate this article and post your views, suggestions, diagreements, etc. I would like to hear more and more on this.

bro i know many tips and tricks as to how break all the security issues.

there are many softwares available as to how we can guess any ones router config.


except a cisco router........

Originally Posted by niraj8241

bro i know many tips and tricks as to how break all the security issues.

there are many softwares available as to how we can guess any ones router config.


except a cisco router........

I agree that no security is perfect. I said so in my fourth para.

Originally Posted by just4kix

Note that nothing is secure - a determined hacker can and will hack into networks. But considering that most of us live in residential neighbourhoods and expect that people living around you are not experts are hacking some of the methods discussed here should suffice.

actually wireless is still not a good solution to opt on

Originally Posted by niraj8241

actually wireless is still not a good solution to opt on

What do you suggest for me if I want to go and use my laptop in my living room? Pull a 50 meters Ethernet cable and run it across three floors?

but what will be the condition if some one has hacked ur network and is surfing at a random rate and will resiult u in a huge bill.... and same bandwidth prob is there with wireless one.

and with the fact of using a ethernet cable

1. no chance of hacking and so no huge bills

2. up to date bandwidth

Originally Posted by niraj8241

but what will be the condition if some one has hacked ur network and is surfing at a random rate and will resiult u in a huge bill.... and same bandwidth prob is there with wireless one.

and with the fact of using a ethernet cable

1. no chance of hacking and so no huge bills

2. up to date bandwidth

I do not understand you when you say - bandwidth problem with Wireless. Can you explain how? Wireless networks operate at 54 mbps. Even the best ISPs the world over do not offer that much speed.

And your whole argument is much flawed. It is as if stating that one should not buy a good mobile handset just because it is liable to stolen.

bandwidth prob is not there when u are there in a viable condition, when condition goes rough the bandwidth goes down, sometimes even half........

i would like to meet ppl who break into wpa/wpa2 encryptions!
i seen ppl break into wep encrypted connections in less than 10 mins but... wpa is no no for many ppl as it uses 64 hexadecimal characters and it will take hours,days,may be even years to break!
its not worth many of the hackers precious time and resources to hack a simple 2mbps internet connection!

-also for windows networking processes the ip address has to start from 192.168.xx.xx,it doesnt take a mastermind to find the ipaddress of a network!especially since most ppl use the dhcp server on their routers!

-turning off wireless broadcast is just the most basic simple defence! most hackers can get ur hidden ssid with a sniffer in seconds!but changing the name from the default name is a good idea!

Thanks for the valuable inputs (-N-).

Originally Posted by (-N-)

-also for windows networking processes the ip address has to start from 192.168.xx.xx,it doesnt take a mastermind to find the ipaddress of a network!especially since most ppl use the dhcp server on their routers!

I have changed the IP address of my wireless router to something totally different as suggested in the post. It works!!

This is really a good article to read. I have BSNL type 2 modem, Can some one help me in config and restricting the access to outsiders. Since i am new to network's and not from IT backround I am not able to understand most of the terms.

If you read the other guides in this section, they will explain the procedure for those router models.

Each router may have a different setup page and look and feel, but the principles are always the same.

Thanks Just4kix, With help of your article, I managed to configure my connextion with WPA-psk security today. Thanks again. But my IP address reads as 192.168.x.x, can i change to different IP#, say 192.454.234.324...eg? as a constant (static) ip #?.

Originally Posted by skolat

Thanks Just4kix, With help of your article, I managed to configure my connextion with WPA-psk security today. Thanks again. But my IP address reads as 192.168.x.x, can i change to different IP#, say 192.454.234.324...eg? as a constant (static) ip #?.

Yes. But each number cannot exceed 255. You IP can be anything like:

[1~255].[0~255].[0~255].[0~255].

Remember that this is the internal or local IP for the router. Your ISP will give your modem/router another IP address called as real or external IP. You cannot change that as it is assigned by the router of the ISP.

As i learnt from your article, changing the IP address will help in redusing the risk of getting hacked...Is it advisable to change the IP address? if yes would you be able to let me know procedure to change the same? Thanks

Originally Posted by skolat

As i learnt from your article, changing the IP address will help in redusing the risk of getting hacked...Is it advisable to change the IP address? if yes would you be able to let me know procedure to change the same? Thanks

It is not necessary to change IP address but it is useful to change it. Just to make it clear, changing IP address does not guarantee safety. It is an additional safety measure. If I were to give an analogy of cars, wearing safety belts and having airbags is the real safety. Some cars also have ABS that provide additional safety. This is just like that.

Of course, the real safety is staying within speed limits and not drinking and driving.

But I am digressing.

To change IP settings of the router, go to it's web configuration page and navigate to LAN settings. Sometimes it is also available in the main page itself. Please refer my guide on Linksys WRT54G in this section.

Will do as suggested.

Good points. Of course that it doesn't matter what security you have in place if everyone knows your passwords.

Its a really cool article. I have already changed the router password. Now I will change the IP also.
I was trying to switch from WEP to WPA. Mine is Linksys WRT45G router.
Will you spare some of your time to explain how to configure?

Thanks in advance...

Originally Posted by ensine

Its a really cool article. I have already changed the router password. Now I will change the IP also.
I was trying to switch from WEP to WPA. Mine is Linksys WRT45G router.
Will you spare some of your time to explain how to configure?

Thanks in advance...

Please read the guide posted in this very sub-section.

Thanks Just4Kix.
Now I feel my Wi-Fi is secured.
changed the IP of the router
changed the default password of the router
using WPA2-PSK

I think its more than enough.

Originally Posted by ensine

Thanks Just4Kix.
Now I feel my Wi-Fi is secured.
changed the IP of the router
changed the default password of the router
using WPA2-PSK

I think its more than enough.

I agree that now its not easy to get the passkey by tracing the packets, thanks to 'WPA2' and 'TKIP'.

We should make the entry to router difficult by using robust password, changing the IP of the router because even though one has implemented 'WPA2-PSK' encryption, anyone who can make a way to router can see the passkey.

Originally Posted by ensine

I agree that now its not easy to get the passkey by tracing the packets, thanks to 'WPA2' and 'TKIP'.

We should make the entry to router difficult by using robust password, changing the IP of the router because even though one has implemented 'WPA2-PSK' encryption, anyone who can make a way to router can see the passkey.

Goes without saying. But yes, many people do not realize that.

Friend,

I have gone thru your Wireless Security Primer, Wireless Security Primer - II. thanks for the same.

I have bsnl type II modem wa3002g4. It is not mentioned in the above documents how to change the IP address of modem for security purpose. YOu just mentioned to change the IP address.

Please tell me how to change the IP adress. do I need to cahnge DHCP server starting Ip and ending IP if I change the modem IP? because it is the next number to 254 for the DHCP server.

I mean if the modem IP is 192.168.1.1 then DHCP starting and ending numbers are 192.168.1.2 to 192.168.1.254.


Thanks

Originally Posted by g710

Friend,

I have gone thru your Wireless Security Primer, Wireless Security Primer - II. thanks for the same.

I have bsnl type II modem wa3002g4. It is not mentioned in the above documents how to change the IP address of modem for security purpose. YOu just mentioned to change the IP address.

Please tell me how to change the IP adress. do I need to cahnge DHCP server starting Ip and ending IP if I change the modem IP? because it is the next number to 254 for the DHCP server.

I mean if the modem IP is 192.168.1.1 then DHCP starting and ending numbers are 192.168.1.2 to 192.168.1.254.


Thanks

There is a sticky post on WA3002G4 in the Broadband How to section.

To change IP address of the modem go to LAN properties page. Keep DHCP enabled. When you change the IP address, the DHCP will change the change automatically. For example, if you change the IP address to 10.224.69.1, the DHCP range will change automatically to 10.224.69.2 to 10.224.69.255.