Linux + wireless = how big of a security threat?
For over 8 years I've used Linux with one direct connection to the internet via cable modem (Motorola SB5101), with my custom iptables rules on my Linux box.
Last month my father bought a wireless router so that everyone could use the internet here, so I went into it's configuration and that's how I set it up:
I'm new to wireless and I've read that WPA2 is very easy to crak, but what about my secure password? Is WPA only vulnerable to weak passwords created from regular users? If the password doesn't matter (meaning the WPA protection is vulnerable regardless of the strenght of the passwrd), is the MAC filter a good thing or it's also vulnerable to attacks? |
WiFi is not secure, period.
MAC filters (ACLs) are a good start. Be sure to close down Remote access to the router admin interface. |
It's already disabled because the management IP is set to 0.0.0.0 :)
It's disabled by default. The manual says: "Remote management is disabled when the displayed IP address is 0.0.0.0. To enable remote management, change the default address (0.0.0.0) to a valid IP address." |
I'm new to wireless and I've read that WPA2 is very easy to crak You are probably thinking about WEP. WPA2 isn't bad for home use. but what about my secure password? A secure password is always manditory. Do you know what makes for a secure password? Many many people do not. Is WPA only vulnerable to weak passwords created from regular users? A weak password is a vulnerability for any encryption scheme If the password doesn't matter It does (meaning the WPA protection is vulnerable regardless of the strenght of the passwrd) It isn't (OK, it *is* vulnerable - everything is - but WPA2 is OK for home use) is the MAC filter a good thing or it's also vulnerable to attacks? MAC filtering doesn't add any security. But it doesn't make you more vulnerable either. Some people go by the mantra, "every little bit helps". It's hard to argue against that. But things like MAC filtering and dropping ping requests add so very very little, as to be worthless in the practical sense. In general, (1) Use good strong passwords. (2) Turn off every service that you don't need (including VPN and your DMZ "bit bucket" phantom computer). (3) Banish the word "telnet" from your vocabulary and anything that has a CPU. (4) Use pubkey authentication (or other strong non-password authentication) in every situation that tolerates it. (5) Relegate newbies, dolts, and other less security concious users to pencil and paper, not computers. (6) Make sure your WAN-facing router is running secure firmware. Not everything you buy off a store shelf does. Buy a router that allows you to flash good quality 3rd party firmware, so you can up the functionality and security over the off-the-shelf software offerings. |
Quote:
Quote:
I didn't set up a DMZ. Quote:
Quote:
And I really don't need to troubleshoot ;) Quote:
Quote:
Quote:
Quote:
I'm not sure I can make that machine a firewall and VPN at the same time without compromising security, but my guess is yes. Quote:
This may not add security, but that's a setting that I like, makes my life a lot easier. Quote:
Quote:
http://www.wilderssecurity.com/threa.../#post-2402801 The method I use to create my passwords is the following: * Take a song I like and look for it's lyrics, For example: Quote:
Quote:
Quote:
Quote:
Quote:
Obviously this is just an example, but sums a simple password easy to remember that is as random as you can make it, won't be present on anyone's dictionary and will take thousands of years to crack. Bruce Schneier also recommends the same method: https://www.schneier.com/blog/archiv..._secure_1.html My passwords are usually 32 characters long, some are 26 depending on the value of the information stored on the website. My HD encryption passphrase is 64 characters long, with a waiting time of 10 seconds between each attempt. So unless someone discovers a flaw in Twofish it's impossible trying to crack it. I also keep backups of my MBR and /boot partition in case I think someone has tampered them. Quote:
Quote:
Quote:
Quote:
Quote:
|
Quote:
So I guess it depends on where you live? |
I live in an area where 12 y-o kids are downloading Kali so that they can break Wi-Fi connections and screw other people's lives "just for the fun" of it. I also have some neighbours who are in the IT business, understand a lot about a lot of stuff and wouldn't mind cracking my Wi-Fi :P I would hate the idea that my Wi-Fi got cracked.
|
Quote:
Quote:
Quote:
|
Quote:
Quote:
Some showed me how they cracked my uncle's Wi-Fi (he lives 5 yards from me). And since I'm new to Wi-Fi I came here asking if I'm protected from these kind of people :) Quote:
|
Hi,
Quote:
Code:
ifconfig eth0 hwaddr ether AA:BB:CC:DD:EE:FF |
Hi evo2,
Sorry, I expressed myself wrong. Actually, I wanted to know how an attacker would know my MAC address in the first place. (crystal ball, maybe?) |
Quote:
In the same vein, don't assume that your MAC filtering will gain you security because the only way you can personally think of to defeat it is to guess and try every possible MAC address. You already assumed that by changing your default IP address that you gained security because "nobody could ever guess what IP address I was using". But as you see with the trivial route -n example, nobody has to "guess". Not for your MAC address either. Don't base your security on flawed assumptions. |
Quote:
Quote:
Quote:
|
Quote:
http://www.cyberciti.biz/faq/how-do-...reebsd-system/ You also may want to look into machine hardening- -Don't allow the system to boot to removable media. -Require a BIOS password (as far as boot options are concerned) -Require a Grub password and encrypt your fs and HDD- https://wiki.archlinux.org/index.php/disk_encryption http://www.centos.org/docs/5/html/De...ation-boot-sec I have to agree with Habitual:- Wired is best especially if your pc is a production machine. |
Quote:
Quote:
Whatever. Strange post. But I think you are probably competant enough to manage things on your own, and you should do well. |
All times are GMT -5. The time now is 04:22 AM. |