Linux + wireless = how big of a security threat?
 

For over 8 years I've used Linux with one direct connection to the internet via cable modem (Motorola SB5101), with my custom iptables rules on my Linux box.

Last month my father bought a wireless router so that everyone could use the internet here, so I went into it's configuration and that's how I set it up:

• WPA2/PSK-AES with 32 random character password
• MAC filters so only listed devices can access the wireless network
• Virtual server that redirects all invalid traffic from outside network to a non-existant computer on the local network. Ports range from 1 to 65534 (all the ports the router allows)
• VPN allowed
• DoS protection
• ICMP-FLOOD/UDP-FLOOD/TCP-SYN-FLOOD protection enabled, maximum of 5 packages/second on each
• Ping echo/requests will be DROPPED
• Router management available only from my machine's MAC address (embedded network card, can't be removed)
• My MAC address is associated to a desired IP adress that won't change unless I want to
• Router's admin panel IP changed from default (using random IP generated on random.org)
• Router's admin login and password changed, used a random password
• dhcp client list will last 48 hours so I can see every client on the last 2 days

I'm new to wireless and I've read that WPA2 is very easy to crak, but what about my secure password? Is WPA only vulnerable to weak passwords created from regular users? If the password doesn't matter (meaning the WPA protection is vulnerable regardless of the strenght of the passwrd), is the MAC filter a good thing or it's also vulnerable to attacks?

WiFi is not secure, period.
MAC filters (ACLs) are a good start.

Be sure to close down Remote access to the router admin interface.

It's already disabled because the management IP is set to 0.0.0.0 :)
It's disabled by default. The manual says:

"Remote management is disabled when the displayed IP address is 0.0.0.0. To enable remote management, change the default address (0.0.0.0) to a valid IP address."

• WPA2/PSK-AES with 32 random character password
  Good
• MAC filters so only listed devices can access the wireless network
  MAC addresses are easy to spoof, so no real protection added by this.
• Virtual server that redirects all invalid traffic from outside network to a non-existant computer on the local network. Ports range from 1 to 65534 (all the ports the router allows)
  Why? Unexpected inbound traffic goes to the bit bucket anyway, unless you have port forwarding, a DMZ server, etc. set up. And it sounds like you set up a DMZ server.
• VPN allowed
  If you need it, great. If you don't, why have it turned on in the first place?
• DoS protection
  Sounds like a router-specific software thing. Does it help? Who knows.
• ICMP-FLOOD/UDP-FLOOD/TCP-SYN-FLOOD protection enabled, maximum of 5 packages/second on each
  Ditto.
• Ping echo/requests will be DROPPED
  Doesn't provide any protection. Makes it harder for YOU to troubleshoot.
• Router management available only from my machine's MAC address (embedded network card, can't be removed)
  I don't have to remove your network card to clone its MAC address. May be a problem limiting MAC addresses if you want to work on the router and don't have your specificaly-allowed computer available. But then, you could always clone the missing computers MAC address. Which pretty much sums up why MAC filtering doesn't add any real protection in the fist place. If you are talking about accessing the router from the WAN (the internet at large), that itself is a security issue. I would NOT make it accessible from the WAN side at all. Technically, I can access my router from the WAN. But not via a login service the router makes visible to the WAN. I VPN in, then acecss the router from the LAN side. Everything I do on my home network from afar is via VPN, followed by access to local services. Nothing is acessible from the outside (other than the VPN, of course). VPN's can be set up quite securely. Someone may be able to guess or brute-force crunch your passwords, but those certificates used by VPN are more difficult to breach.
• My MAC address is associated to a desired IP adress that won't change unless I want to
  That describes every MAC address and IP address pairing. I don't understand your point.
• Router's admin panel IP changed from default (using random IP generated on random.org)
  Doesn't add any security. Just potential confusion for you.
• Router's admin login and password changed, used a random password
  Obvious. Must be a good password. "Random" means nothing if it's only 6 characters long, even if it really is random (six characters is way too short). Also, do you know what random really means? Some folks think using their first name with the "E" replaced with a "3" makes it random. I hope you're not one of those folks.
• dhcp client list will last 48 hours so I can see every client on the last 2 days
  Doesn't add any security.

I'm new to wireless and I've read that WPA2 is very easy to crak
You are probably thinking about WEP. WPA2 isn't bad for home use.
but what about my secure password?
A secure password is always manditory. Do you know what makes for a secure password? Many many people do not.
Is WPA only vulnerable to weak passwords created from regular users?
A weak password is a vulnerability for any encryption scheme
If the password doesn't matter
It does
(meaning the WPA protection is vulnerable regardless of the strenght of the passwrd)
It isn't (OK, it *is* vulnerable - everything is - but WPA2 is OK for home use)
is the MAC filter a good thing or it's also vulnerable to attacks?
MAC filtering doesn't add any security. But it doesn't make you more vulnerable either.

Some people go by the mantra, "every little bit helps". It's hard to argue against that. But things like MAC filtering and dropping ping requests add so very very little, as to be worthless in the practical sense. In general, (1) Use good strong passwords. (2) Turn off every service that you don't need (including VPN and your DMZ "bit bucket" phantom computer). (3) Banish the word "telnet" from your vocabulary and anything that has a CPU. (4) Use pubkey authentication (or other strong non-password authentication) in every situation that tolerates it. (5) Relegate newbies, dolts, and other less security concious users to pencil and paper, not computers. (6) Make sure your WAN-facing router is running secure firmware. Not everything you buy off a store shelf does. Buy a router that allows you to flash good quality 3rd party firmware, so you can up the functionality and security over the off-the-shelf software offerings.

What's the chance of an outside attacker actually knowing my MAC adress?

It makes the router firewall drop all non solicited packates instead of rejecting them, which makes me invisible in this regard.

I didn't set up a DMZ.

I need it.

It doesn't provide protection *if* the attacker knows my IP address. If he doesn't and try pinging me all he will receive is package loss instead of a response.
And I really don't need to troubleshoot ;)

I really don't want other people's computers accessing the router's interface. I can't trust them. Only my machine should be allowed, even if I really need to access it (the router) from a computer that's not mine, I rather not do it at all.

I'm all ears to find how someone would know how to clone the MAC address.. I really don't know how he/she would procceed.

I would never allow such thing :)

I only have one spair machine that I plan to make it as a firewall between my machine and the router. It will run OpenBSD with the most secure settings I can find, but that will be done after I read PF's manual for a while.
I'm not sure I can make that machine a firewall and VPN at the same time without compromising security, but my guess is yes.

The router is allowed to change the IP address of any machine if it's set to do so. This is a pain if I'm creating rules for traffic shaping that would range from ip .101 to .109, for example, and my machine's IP changed and went into that rule. Then I'd have to log into the router and change the rules to fit my new IP.
This may not add security, but that's a setting that I like, makes my life a lot easier.

If the router's IP is the default (10.0.0.1) and an attacker manages to crack the wireless security he/she would simply need to go to 10.0.0.1 so he/she could try cracking the admin's password. But in my case he/she would have to spend a few years trying every IP address, starting from 10.x.x.x to 198.255.255.255. It does add security and doesn't confuse me at all :) I have a pretty good memory, you'd be surprised.

I do know what is a good random password. I explained a little bit on Arch's forums, not exactly what a good random password is but why they're secure: https://bbs.archlinux.org/viewtopic....75311#p1375311

http://www.wilderssecurity.com/threa.../#post-2402801

The method I use to create my passwords is the following:

* Take a song I like and look for it's lyrics, For example:

* Extract the first letters of each word. So:

* Change some characters to Capital:

* Add some numbers:

* Add symbols:

There you go.
Obviously this is just an example, but sums a simple password easy to remember that is as random as you can make it, won't be present on anyone's dictionary and will take thousands of years to crack. Bruce Schneier also recommends the same method: https://www.schneier.com/blog/archiv..._secure_1.html

My passwords are usually 32 characters long, some are 26 depending on the value of the information stored on the website. My HD encryption passphrase is 64 characters long, with a waiting time of 10 seconds between each attempt. So unless someone discovers a flaw in Twofish it's impossible trying to crack it. I also keep backups of my MBR and /boot partition in case I think someone has tampered them.

But helps identify unwanted network access.

Not really. I can't find the article now, but it said WPA has a vulnerability, I don't remember which.

So there's basically no chance of an attack being successful considering I use a secure password as I descibed?

But how would it be possible to clone a MAC address without knowing the MAC in the first place? Just on guesses?

My router allows me to install 3rd party firmware, but I'll probably never do so unless I'm sure the firmware has been audited for security flaws or that I learn how to create my own firmware.

Linux + wireless = how big of a security threat?= 0 in my neck of the woods.

So I guess it depends on where you live?

I live in an area where 12 y-o kids are downloading Kali so that they can break Wi-Fi connections and screw other people's lives "just for the fun" of it. I also have some neighbours who are in the IT business, understand a lot about a lot of stuff and wouldn't mind cracking my Wi-Fi :P I would hate the idea that my Wi-Fi got cracked.

If your primary concern is security, why use OpenBSD on a separate machine to protect your Linux system? Why not just use OpenBSD?

I doubt you have anything to worry about from fools who believe using Kali will make them hackers.

Have you done something to piss off your neighbours?

I tried, I can't even move windows around without waiting 3 minutes. Maybe when OpenBSD's drivers are a little better.

Those are not the ones I'm afraid.

Some showed me how they cracked my uncle's Wi-Fi (he lives 5 yards from me). And since I'm new to Wi-Fi I came here asking if I'm protected from these kind of people :)

Don't need to.

Hi,
Evo2

Hi evo2,

Sorry, I expressed myself wrong. Actually, I wanted to know how an attacker would know my MAC address in the first place. (crystal ball, maybe?)

Or, you could shorten that timeframe up to about 3 seconds ... the time it takes to type "route -n" and display what your gateway address is.

In the same vein, don't assume that your MAC filtering will gain you security because the only way you can personally think of to defeat it is to guess and try every possible MAC address. You already assumed that by changing your default IP address that you gained security because "nobody could ever guess what IP address I was using". But as you see with the trivial route -n example, nobody has to "guess". Not for your MAC address either. Don't base your security on flawed assumptions.

This is considering the attacker had successfuly cracked the Wi-Fi password, right?

I'll look into that, but I also wouldn't mind a demonstration of this in action.
You're also making wrong assumptions. "Security" is a subject bigger than we could ever spend time writing here, and a simple router IP isn't all security is about. But as I said and will repeat: I'm new to Wireless, so if I make a few mistakes just bear with me here; but don't assume I base my security on a single little point I know almost nothing about.

They could use this link that I found to find out-
http://www.cyberciti.biz/faq/how-do-...reebsd-system/

You also may want to look into machine hardening-
-Don't allow the system to boot to removable media.
-Require a BIOS password (as far as boot options are concerned)
-Require a Grub password and encrypt your fs and HDD-

https://wiki.archlinux.org/index.php/disk_encryption
http://www.centos.org/docs/5/html/De...ation-boot-sec

I have to agree with Habitual:-
Wired is best especially if your pc is a production machine.

Well, of course. But that's what you said when you phrased your question ... "and an attacker manages to crack the wireless security"

Hey, I was just trying to help you. In your initial post, you appeared quite the newbie to all this. You even stated as much. You presented a list of items (which a normal person would assume to be questions you were having about your set up). So I responded to those questions, one by one, with my thoughts and personal experiences. Now you are presenting yourself as a security genious that knows it all. So why did you ask the questions in the first place?

Whatever. Strange post. But I think you are probably competant enough to manage things on your own, and you should do well.