LinuxQuestions.org
Old 10-09-2014, 06:55 PM   #1
Amarildo
Member
 
Registered: Jun 2014
Posts: 176

Rep: Reputation: Disabled
Linux + wireless = how big of a security threat?


For over 8 years I've used Linux with one direct connection to the internet via cable modem (Motorola SB5101), with my custom iptables rules on my Linux box.

Last month my father bought a wireless router so that everyone could use the internet here, so I went into its configuration and that's how I set it up:
  • WPA2/PSK-AES with 32 random character password
  • MAC filters so only listed devices can access the wireless network
  • Virtual server that redirects all invalid traffic from outside network to a non-existent computer on the local network. Ports range from 1 to 65534 (all the ports the router allows)
  • VPN allowed
  • DoS protection
  • ICMP-FLOOD/UDP-FLOOD/TCP-SYN-FLOOD protection enabled, maximum of 5 packages/second on each
  • Ping echo/requests will be DROPPED
  • Router management available only from my machine's MAC address (embedded network card, can't be removed)
  • My MAC address is associated to a desired IP address that won't change unless I want to
  • Router's admin panel IP changed from default (using random IP generated on random.org)
  • Router's admin login and password changed, used a random password
  • dhcp client list will last 48 hours so I can see every client on the last 2 days

I'm new to wireless and I've read that WPA2 is very easy to crack, but what about my secure password? Is WPA only vulnerable to weak passwords created from regular users? If the password doesn't matter (meaning the WPA protection is vulnerable regardless of the strength of the password), is the MAC filter a good thing or it's also vulnerable to attacks?

Last edited by Amarildo; 10-09-2014 at 07:00 PM.
 
Old 10-09-2014, 07:11 PM   #2
Habitual
LQ Addict
 
Registered: Jan 2011
Location: Youngstown, Ohio
Distribution: LM17.1/Xfce4.11.8
Posts: 7,163
Blog Entries: 10

Rep: Reputation: 1979
WiFi is not secure, period.
MAC filters (ACLs) are a good start.

Be sure to close down Remote access to the router admin interface.

Last edited by Habitual; 10-09-2014 at 07:12 PM.
 
1 members found this post helpful.
Old 10-09-2014, 07:20 PM   #3
Amarildo
Member
 
Registered: Jun 2014
Posts: 176

Original Poster
Rep: Reputation: Disabled
It's already disabled because the management IP is set to 0.0.0.0
It's disabled by default. The manual says:

"Remote management is disabled when the displayed IP address is 0.0.0.0. To enable remote management, change the default address (0.0.0.0) to a valid IP address."
 
Old 10-09-2014, 07:45 PM   #4
haertig
Senior Member
 
Registered: Nov 2004
Distribution: Debian, Ubuntu, LinuxMint, Slackware, SysrescueCD
Posts: 2,115

Rep: Reputation: 330
  • WPA2/PSK-AES with 32 random character password
    Good
  • MAC filters so only listed devices can access the wireless network
    MAC addresses are easy to spoof, so no real protection added by this.
  • Virtual server that redirects all invalid traffic from outside network to a non-existent computer on the local network. Ports range from 1 to 65534 (all the ports the router allows)
    Why? Unexpected inbound traffic goes to the bit bucket anyway, unless you have port forwarding, a DMZ server, etc. set up. And it sounds like you set up a DMZ server.
  • VPN allowed
    If you need it, great. If you don't, why have it turned on in the first place?
  • DoS protection
    Sounds like a router-specific software thing. Does it help? Who knows.
  • ICMP-FLOOD/UDP-FLOOD/TCP-SYN-FLOOD protection enabled, maximum of 5 packages/second on each
    Ditto.
  • Ping echo/requests will be DROPPED
    Doesn't provide any protection. Makes it harder for YOU to troubleshoot.
  • Router management available only from my machine's MAC address (embedded network card, can't be removed)
    I don't have to remove your network card to clone its MAC address. May be a problem limiting MAC addresses if you want to work on the router and don't have your specifically-allowed computer available. But then, you could always clone the missing computer's MAC address. Which pretty much sums up why MAC filtering doesn't add any real protection in the first place. If you are talking about accessing the router from the WAN (the internet at large), that itself is a security issue. I would NOT make it accessible from the WAN side at all. Technically, I can access my router from the WAN. But not via a login service the router makes visible to the WAN. I VPN in, then access the router from the LAN side. Everything I do on my home network from afar is via VPN, followed by access to local services. Nothing is accessible from the outside (other than the VPN, of course). VPNs can be set up quite securely. Someone may be able to guess or brute-force crunch your passwords, but those certificates used by VPN are more difficult to breach.
  • My MAC address is associated to a desired IP address that won't change unless I want to
    That describes every MAC address and IP address pairing. I don't understand your point.
  • Router's admin panel IP changed from default (using random IP generated on random.org)
    Doesn't add any security. Just potential confusion for you.
  • Router's admin login and password changed, used a random password
    Obvious. Must be a good password. "Random" means nothing if it's only 6 characters long, even if it really is random (six characters is way too short). Also, do you know what random really means? Some folks think using their first name with the "E" replaced with a "3" makes it random. I hope you're not one of those folks.
  • dhcp client list will last 48 hours so I can see every client on the last 2 days
    Doesn't add any security.

I'm new to wireless and I've read that WPA2 is very easy to crack
You are probably thinking about WEP. WPA2 isn't bad for home use.
but what about my secure password?
A secure password is always mandatory. Do you know what makes for a secure password? Many many people do not.
Is WPA only vulnerable to weak passwords created from regular users?
A weak password is a vulnerability for any encryption scheme
If the password doesn't matter
It does
(meaning the WPA protection is vulnerable regardless of the strength of the password)
It isn't (OK, it *is* vulnerable - everything is - but WPA2 is OK for home use)
is the MAC filter a good thing or it's also vulnerable to attacks?
MAC filtering doesn't add any security. But it doesn't make you more vulnerable either.

Some people go by the mantra, "every little bit helps". It's hard to argue against that. But things like MAC filtering and dropping ping requests add so very very little, as to be worthless in the practical sense. In general, (1) Use good strong passwords. (2) Turn off every service that you don't need (including VPN and your DMZ "bit bucket" phantom computer). (3) Banish the word "telnet" from your vocabulary and anything that has a CPU. (4) Use pubkey authentication (or other strong non-password authentication) in every situation that tolerates it. (5) Relegate newbies, dolts, and other less security conscious users to pencil and paper, not computers. (6) Make sure your WAN-facing router is running secure firmware. Not everything you buy off a store shelf does. Buy a router that allows you to flash good quality 3rd party firmware, so you can up the functionality and security over the off-the-shelf software offerings.

Last edited by haertig; 10-09-2014 at 07:50 PM.
 
1 members found this post helpful.
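Added example, not part of any post in this thread: a Python sketch of why passphrase strength decides the question for WPA2-PSK. It derives the pairwise master key the way WPA2-Personal does (PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations) and compares the search space of a short passphrase with the 32-character one from post #1. The 94-character alphabet and the guess rate are assumptions chosen for illustration.

```python
import hashlib
import math

PBKDF2_ITERATIONS = 4096   # fixed by the WPA2-Personal passphrase-to-key mapping
PMK_BYTES = 32             # 256-bit pairwise master key
SECONDS_PER_YEAR = 365.25 * 24 * 3600
ASSUMED_GUESSES_PER_SECOND = 1e6   # assumption for illustration, not a measurement


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the WPA2-PSK master key from a passphrase and the network's SSID."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA2 passphrases are 8 to 63 characters long")
    if any(not 32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("WPA2 passphrases are printable ASCII")
    salt = ssid.encode("utf-8")
    if not 1 <= len(salt) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    # The SSID is the salt, so the same passphrase yields a different key
    # on every network name, and each guess costs 4096 HMAC-SHA1 rounds.
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), salt,
                               PBKDF2_ITERATIONS, PMK_BYTES)


def random_passphrase_bits(length: int, alphabet_size: int) -> float:
    """Entropy in bits, valid only if every character is chosen uniformly at random."""
    return length * math.log2(alphabet_size)


def average_years_to_guess(bits: float, guesses_per_second: float) -> float:
    """Expected time to hit the passphrase: half the keyspace at the given rate."""
    return 2.0 ** (bits - 1) / guesses_per_second / SECONDS_PER_YEAR


def compare(cases, guesses_per_second=ASSUMED_GUESSES_PER_SECOND):
    """Return (label, bits, years) for each (label, length, alphabet_size) case."""
    rows = []
    for label, length, alphabet_size in cases:
        bits = random_passphrase_bits(length, alphabet_size)
        rows.append((label, bits, average_years_to_guess(bits, guesses_per_second)))
    return rows


if __name__ == "__main__":
    # Constructed cases; 94 = printable ASCII without the space (assumed alphabet).
    cases = [
        ("8 random lowercase letters", 8, 26),
        ("32 random printable characters (post #1)", 32, 94),
    ]
    for label, bits, years in compare(cases):
        print(f"{label}: {bits:.1f} bits, about {years:.3g} years on average")
    print("PMK for 'password' on SSID 'IEEE':", wpa2_pmk("password", "IEEE").hex())
```

The entropy figure only holds for characters picked uniformly at random; a passphrase built from words or a pattern has far fewer effective bits than its length suggests.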
Old 10-09-2014, 08:42 PM   #5
Amarildo
Member
 
Registered: Jun 2014
Posts: 176

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by haertig View Post
MAC addresses are easy to spoof, so no real protection added by this.
What's the chance of an outside attacker actually knowing my MAC address?

Quote:
Originally Posted by haertig View Post
Why? Unexpected inbound traffic goes to the bit bucket anyway, unless you have port forwarding, a DMZ server, etc. set up. And it sounds like you set up a DMZ server.
It makes the router firewall drop all non solicited packets instead of rejecting them, which makes me invisible in this regard.

I didn't set up a DMZ.

Quote:
Originally Posted by haertig View Post
If you need it, great. If you don't, why have it turned on in the first place?
I need it.

Quote:
Originally Posted by haertig View Post
Doesn't provide any protection. Makes it harder for YOU to troubleshoot.
It doesn't provide protection *if* the attacker knows my IP address. If he doesn't and tries pinging me all he will receive is package loss instead of a response.
And I really don't need to troubleshoot

Quote:
Originally Posted by haertig View Post
May be a problem limiting MAC addresses if you want to work on the router and don't have your specifically-allowed computer available.
I really don't want other people's computers accessing the router's interface. I can't trust them. Only my machine should be allowed, even if I really need to access it (the router) from a computer that's not mine, I rather not do it at all.

Quote:
Originally Posted by haertig View Post
But then, you could always clone the missing computer's MAC address. Which pretty much sums up why MAC filtering doesn't add any real protection in the first place.
I'm all ears to find how someone would know how to clone the MAC address.. I really don't know how he/she would proceed.

Quote:
Originally Posted by haertig View Post
If you are talking about accessing the router from the WAN (the internet at large), that itself is a security issue.
I would never allow such thing

Quote:
Originally Posted by haertig View Post
VPNs can be set up quite securely.
I only have one spare machine that I plan to make it as a firewall between my machine and the router. It will run OpenBSD with the most secure settings I can find, but that will be done after I read PF's manual for a while.
I'm not sure I can make that machine a firewall and VPN at the same time without compromising security, but my guess is yes.

Quote:
Originally Posted by haertig View Post
That describes every MAC address and IP address pairing. I don't understand your point.
The router is allowed to change the IP address of any machine if it's set to do so. This is a pain if I'm creating rules for traffic shaping that would range from ip .101 to .109, for example, and my machine's IP changed and went into that rule. Then I'd have to log into the router and change the rules to fit my new IP.
This may not add security, but that's a setting that I like, makes my life a lot easier.

Quote:
Originally Posted by haertig View Post
Doesn't add any security. Just potential confusion for you.
If the router's IP is the default (10.0.0.1) and an attacker manages to crack the wireless security he/she would simply need to go to 10.0.0.1 so he/she could try cracking the admin's password. But in my case he/she would have to spend a few years trying every IP address, starting from 10.x.x.x to 198.255.255.255. It does add security and doesn't confuse me at all. I have a pretty good memory, you'd be surprised.

Quote:
Originally Posted by haertig View Post
Obvious. Must be a good password. "Random" means nothing if it's only 6 characters long, even if it really is random (six characters is way too short). Also, do you know what random really means? Some folks think using their first name with the "E" replaced with a "3" makes it random. I hope you're not one of those folks.
I do know what is a good random password. I explained a little bit on Arch's forums, not exactly what a good random password is but why they're secure: https://bbs.archlinux.org/viewtopic....75311#p1375311

http://www.wilderssecurity.com/threa.../#post-2402801

The method I use to create my passwords is the following:

* Take a song I like and look for its lyrics. For example:

Quote:
You'll take my life but I'll take yours too
* Extract the first letters of each word. So:

Quote:
ytmlbityt
* Change some characters to Capital:

Quote:
yTmlBItyT
* Add some numbers:

Quote:
1yT4m90lB5I7ty3T2
* Add symbols:

Quote:
@1%yT}4m>9(0l#B5!I7t*y3)T2=
There you go.
Obviously this is just an example, but sums a simple password easy to remember that is as random as you can make it, won't be present on anyone's dictionary and will take thousands of years to crack. Bruce Schneier also recommends the same method: https://www.schneier.com/blog/archiv..._secure_1.html

My passwords are usually 32 characters long, some are 26 depending on the value of the information stored on the website. My HD encryption passphrase is 64 characters long, with a waiting time of 10 seconds between each attempt. So unless someone discovers a flaw in Twofish it's impossible trying to crack it. I also keep backups of my MBR and /boot partition in case I think someone has tampered with them.

Quote:
Originally Posted by haertig View Post
Doesn't add any security.
But helps identify unwanted network access.

Quote:
Originally Posted by haertig View Post
You are probably thinking about WEP.
Not really. I can't find the article now, but it said WPA has a vulnerability, I don't remember which.

Quote:
Originally Posted by haertig View Post
It does
So there's basically no chance of an attack being successful considering I use a secure password as I described?

Quote:
Originally Posted by haertig View Post
MAC filtering doesn't add any security.
But how would it be possible to clone a MAC address without knowing the MAC in the first place? Just on guesses?

Quote:
Originally Posted by haertig View Post
Buy a router that allows you to flash good quality 3rd party firmware, so you can up the functionality and security over the off-the-shelf software offerings.
My router allows me to install 3rd party firmware, but I'll probably never do so unless I'm sure the firmware has been audited for security flaws or that I learn how to create my own firmware.
 
Old 10-09-2014, 08:57 PM   #6
rokytnji
Senior Member
 
Registered: Mar 2008
Location: Waaaaay out West Texas
Distribution: AntiX 15 , Slackel 14.1, ChromeOS
Posts: 4,700
Blog Entries: 19

Rep: Reputation: 1952
Quote:
Linux + wireless = how big of a security threat?
Linux + wireless = how big of a security threat?= 0 in my neck of the woods.

So I guess it depends on where you live?
 
Old 10-09-2014, 09:17 PM   #7
Amarildo
Member
 
Registered: Jun 2014
Posts: 176

Original Poster
Rep: Reputation: Disabled
I live in an area where 12 y-o kids are downloading Kali so that they can break Wi-Fi connections and screw other people's lives "just for the fun" of it. I also have some neighbours who are in the IT business, understand a lot about a lot of stuff and wouldn't mind cracking my Wi-Fi :P I would hate the idea that my Wi-Fi got cracked.
 
Old 10-09-2014, 09:41 PM   #8
Randicus Draco Albus
Senior Member
 
Registered: May 2011
Location: Hiding somewhere on planet Earth.
Distribution: OpenBSD
Posts: 1,644
Blog Entries: 8

Rep: Reputation: 577
Quote:
Originally Posted by Amarildo View Post
I only have one spare machine that I plan to make it as a firewall between my machine and the router. It will run OpenBSD with the most secure settings I can find, but that will be done after I read PF's manual for a while.
If your primary concern is security, why use OpenBSD on a separate machine to protect your Linux system? Why not just use OpenBSD?

Quote:
I live in an area where 12 y-o kids are downloading Kali so that they can break Wi-Fi connections and screw other people's lives "just for the fun" of it.
I doubt you have anything to worry about from fools who believe using Kali will make them hackers.

Quote:
I also have some neighbours who are in the IT business, understand a lot about a lot of stuff and wouldn't mind cracking my Wi-Fi :P I would hate the idea that my Wi-Fi got cracked.
Have you done something to piss off your neighbours?
 
Old 10-09-2014, 09:49 PM   #9
Amarildo
Member
 
Registered: Jun 2014
Posts: 176

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by Randicus Draco Albus View Post
If your primary concern is security, why use OpenBSD on a separate machine to protect your Linux system? Why not just use OpenBSD?
I tried, I can't even move windows around without waiting 3 minutes. Maybe when OpenBSD's drivers are a little better.

Quote:
Originally Posted by Randicus Draco Albus View Post
I doubt you have anything to worry about from fools who believe using Kali will make them hackers.
Those are not the ones I'm afraid of.

Some showed me how they cracked my uncle's Wi-Fi (he lives 5 yards from me). And since I'm new to Wi-Fi I came here asking if I'm protected from these kind of people

Quote:
Originally Posted by Randicus Draco Albus View Post
Have you done something to piss off your neighbours?
Don't need to.

Last edited by Amarildo; 10-09-2014 at 09:52 PM.
 
Old 10-09-2014, 09:50 PM   #10
evo2
LQ Guru
 
Registered: Jan 2009
Location: Japan
Distribution: Mostly Debian and Scientific Linux
Posts: 5,753

Rep: Reputation: 1288
Hi,
Quote:
Originally Posted by Amarildo View Post
I'm all ears to find how someone would know how to clone the MAC address.. I really don't know how he/she would proceed.
Code:
ifconfig eth0 hw ether AA:BB:CC:DD:EE:FF
Evo2
 
Old 10-09-2014, 10:00 PM   #11
Amarildo
Member
 
Registered: Jun 2014
Posts: 176

Original Poster
Rep: Reputation: Disabled
Hi evo2,

Sorry, I expressed myself wrong. Actually, I wanted to know how an attacker would know my MAC address in the first place. (crystal ball, maybe?)

Last edited by Amarildo; 10-09-2014 at 10:03 PM.
 
Old 10-09-2014, 10:52 PM   #12
haertig
Senior Member
 
Registered: Nov 2004
Distribution: Debian, Ubuntu, LinuxMint, Slackware, SysrescueCD
Posts: 2,115

Rep: Reputation: 330
Quote:
Originally Posted by Amarildo View Post
If the router's IP is the default (10.0.0.1) and an attacker manages to crack the wireless security he/she would simply need to go to 10.0.0.1 so he/she could try cracking the admin's password. But in my case he/she would have to spend a few years trying every IP address, starting from 10.x.x.x to 198.255.255.255.
Or, you could shorten that timeframe up to about 3 seconds ... the time it takes to type "route -n" and display what your gateway address is.

In the same vein, don't assume that your MAC filtering will gain you security because the only way you can personally think of to defeat it is to guess and try every possible MAC address. You already assumed that by changing your default IP address that you gained security because "nobody could ever guess what IP address I was using". But as you see with the trivial route -n example, nobody has to "guess". Not for your MAC address either. Don't base your security on flawed assumptions.
 
1 members found this post helpful.
Old 10-09-2014, 11:06 PM   #13
Amarildo
Member
 
Registered: Jun 2014
Posts: 176

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by haertig View Post
Or, you could shorten that timeframe up to about 3 seconds ... the time it takes to type "route -n" and display what your gateway address is.
This is considering the attacker had successfully cracked the Wi-Fi password, right?

Quote:
Originally Posted by haertig View Post
In the same vein, don't assume that your MAC filtering will gain you security because the only way you can personally think of to defeat it is to guess and try every possible MAC address. You already assumed that by changing your default IP address that you gained security because "nobody could ever guess what IP address I was using". But as you see with the trivial route -n example, nobody has to "guess". Not for your MAC address either.
I'll look into that, but I also wouldn't mind a demonstration of this in action.
Quote:
Originally Posted by haertig View Post
Don't base your security on flawed assumptions.
You're also making wrong assumptions. "Security" is a subject bigger than we could ever spend time writing here, and a simple router IP isn't all security is about. But as I said and will repeat: I'm new to Wireless, so if I make a few mistakes just bear with me here; but don't assume I base my security on a single little point I know almost nothing about.

Last edited by Amarildo; 10-09-2014 at 11:18 PM.
 
Old 10-09-2014, 11:21 PM   #14
Ztcoracat
LQ Guru
 
Registered: Dec 2011
Distribution: Slackware
Posts: 6,387
Blog Entries: 6

Rep: Reputation: Disabled
Quote:
Originally Posted by Amarildo View Post
Hi evo2,

Sorry, I expressed myself wrong. Actually, I wanted to know how an attacker would know my MAC address in the first place. (crystal ball, maybe?)
They could use this link that I found to find out-
http://www.cyberciti.biz/faq/how-do-...reebsd-system/

You also may want to look into machine hardening-
-Don't allow the system to boot to removable media.
-Require a BIOS password (as far as boot options are concerned)
-Require a Grub password and encrypt your fs and HDD-

https://wiki.archlinux.org/index.php/disk_encryption
http://www.centos.org/docs/5/html/De...ation-boot-sec

I have to agree with Habitual:-
Wired is best especially if your pc is a production machine.
 
Old 10-09-2014, 11:25 PM   #15
haertig
Senior Member
 
Registered: Nov 2004
Distribution: Debian, Ubuntu, LinuxMint, Slackware, SysrescueCD
Posts: 2,115

Rep: Reputation: 330
Quote:
Originally Posted by Amarildo View Post
This is considering the attacker had successfully cracked the Wi-Fi password, right?
Well, of course. But that's what you said when you phrased your question ... "and an attacker manages to crack the wireless security"

Quote:
You're also making wrong assumptions. "Security" is a subject bigger than we could ever spend time writing here...
Hey, I was just trying to help you. In your initial post, you appeared quite the newbie to all this. You even stated as much. You presented a list of items (which a normal person would assume to be questions you were having about your set up). So I responded to those questions, one by one, with my thoughts and personal experiences. Now you are presenting yourself as a security genius that knows it all. So why did you ask the questions in the first place?

Whatever. Strange post. But I think you are probably competent enough to manage things on your own, and you should do well.
 
  

