How do I secure a wireless network?

Old 27th Dec 2007, 06:03
  #1 (permalink)  

Just Binos
Thread Starter
 
Join Date: Oct 2000
Location: Mackay, Australia
Age: 71
Posts: 1,397
Likes: 0
Received 0 Likes on 0 Posts
How do I secure a wireless network?

Due to way above average usage of my download limit I suspect somebody is helping themselves to my connection. The computer does warn me occasionally that my system is unprotected but I've ignored it so far just because I don't know how to do anything about it.

Basic steps to start with please? I haven't put in any details about my system because I don't know what info you would need.
Binoculars is offline  
Old 27th Dec 2007, 06:46
  #2 (permalink)  
 
Join Date: Aug 2007
Location: uk
Posts: 12
Likes: 0
Received 0 Likes on 0 Posts
Hi, don't know what wireless modem you are using, but the first thing to do is restrict the access to the router to the computers you want by entering their MAC identity into the router. I did this after I found a neighbour was accessing my wireless. You should be able to tell who is connected to your router in the router's set up; mine is in advanced, wireless management.

I am using a D-Link 604 router.
berliner57 is offline  
Old 27th Dec 2007, 07:31
  #3 (permalink)  
More bang for your buck
 
Join Date: Nov 2005
Location: land of the clanger
Age: 82
Posts: 3,512
Likes: 0
Received 0 Likes on 0 Posts
Binos, read this thread, it may help: http://www.pprune.org/forums/showthr...light=networks
green granite is offline  
Old 27th Dec 2007, 07:42
  #4 (permalink)  

Just Binos
Thread Starter
 
Join Date: Oct 2000
Location: Mackay, Australia
Age: 71
Posts: 1,397
Likes: 0
Received 0 Likes on 0 Posts
Did you get all of that Max?

Not all of it, chief.

Which part didn't you get, Max?

The part after "Hi"...............

Actually not quite that bad; as it happens I am using the same router, and I'm in the page you mentioned, but how do I get the MAC address, whatever that is? I assume I have to tick the box "Enable Access List"?
Earlier in the setup process, (HOME-WIRELESS) the first page to appear is Wireless settings. I have ticked Enable AP. The SSID there is DLINK, and Security currently is None. I select WPA and another box comes up written in Swahili asking about things called radius servers and pre-shared keys. Que? I applied my usual approach to things I don't understand and ignored it then tried to Apply the new settings, only to be told I had an incorrect IP address.
Do I have to change these settings as well?

Crossed posts; thanks GG, I'll scrutinise it with an intense scrute.
Binoculars is offline  
Old 27th Dec 2007, 08:40
  #5 (permalink)  
Per Ardua ad Astraeus
 
Join Date: Mar 2000
Location: UK
Posts: 18,579
Likes: 0
Received 0 Likes on 0 Posts
Assuming Windows XP???, click on Run (Start panel), type CMD, then ipconfig /all (note space) into the black box, and the MAC for your wireless card/dongle/etc will be shown under 'Physical address'. Not familiar with your router, but that is the MAC you need to 'enable' (somewhere!)

Good luck - I found it a black art, but I got there
BOAC is offline  
Old 27th Dec 2007, 08:57
  #6 (permalink)  
Ecce Homo! Loquitur...
 
Join Date: Jul 2000
Location: Peripatetic
Posts: 17,495
Received 1,640 Likes on 751 Posts
Binos, follow this idiot's guide.
ORAC is offline  
Old 27th Dec 2007, 09:08
  #7 (permalink)  
Per Ardua ad Astraeus
 
Join Date: Mar 2000
Location: UK
Posts: 18,579
Likes: 0
Received 0 Likes on 0 Posts
...which triggers the thought.... IP addresses and WEP can be 'sniffed' via packets. MAC addresses also?
BOAC is offline  
Old 27th Dec 2007, 10:08
  #8 (permalink)  

Just Binos
Thread Starter
 
Join Date: Oct 2000
Location: Mackay, Australia
Age: 71
Posts: 1,397
Likes: 0
Received 0 Likes on 0 Posts
Thank you all. GG's link assumed a bottom line of knowledge a couple of rungs above mine. Orac's link looks more promising. I'll check it out and let you know how I go.

For info, the original connection was to a Mac desktop, the network computers are a Macbook and an XP laptop.
Binoculars is offline  
Old 27th Dec 2007, 10:14
  #9 (permalink)  
 
Join Date: Aug 2002
Location: Surrey, UK.
Posts: 0
Likes: 0
Received 0 Likes on 0 Posts
Originally Posted by BOAC
...which triggers the thought.... IP addresses and WEP can be 'sniffed' via packets. MAC addresses also?
Yes. MAC addresses are easily got hold of.

MAC spoofing is fairly straightforward too.

What MAC filtering does do though is limit the amount of "accidental" connections - if someone wants to use your MAC-restricted connection they have to purposefully spoof a valid MAC address (which they easily get by sniffing your data).
rustle is offline  
Old 27th Dec 2007, 11:07
  #10 (permalink)  
Per Ardua ad Astraeus
 
Join Date: Mar 2000
Location: UK
Posts: 18,579
Likes: 0
Received 0 Likes on 0 Posts
Thanks, Rustle, so is WPA the only safe way to protect or is that crackable too?
BOAC is offline  
Old 27th Dec 2007, 12:19
  #11 (permalink)  
bnt
 
Join Date: Feb 2007
Location: Dublin, Ireland. (No, I just live here.)
Posts: 733
Received 6 Likes on 5 Posts
Originally Posted by BOAC
...which triggers the thought.... IP addresses and WEP can be 'sniffed' via packets. MAC addresses also?
To sniff IP and MAC addresses, you need to be "on" the wireless network in the first place, which can be done if you use no wireless security, or weak WEP security. That's why I'd recommend using WPA encryption instead, if you can. Unless you have the WPA key, it's like having the cable unplugged - sniffing tricks aren't possible. I could never say it's perfectly secure - that would be daft - but I'm not aware of any exploitable holes.
bnt is offline  
Old 27th Dec 2007, 21:58
  #12 (permalink)  
 
Join Date: Jan 2004
Location: Hiding..... in one hemisphere or another
Posts: 1,067
Received 1 Like on 1 Post
Found a little site a while ago that peeps may find useful:

http://www.auditmypc.com/firewall-test.asp
Atlas Shrugged is offline  
Old 28th Dec 2007, 03:15
  #13 (permalink)  
 
Join Date: Dec 1998
Location: Escapee from Ultima Thule
Posts: 4,273
Received 2 Likes on 2 Posts
Some bits & pieces that might help:

Every network card has its own unique serial number, called its MAC address (Media Access Control address). To connect onto a network it must have a unique network address assigned to that MAC address. This can be done 'on the fly' for a limited duration as the card tries to connect to the network using a protocol called Dynamic Host Control Protocol (DHCP) or it can be permanently set within the network. Somewhere in the network there needs to be a device that controls such things for DHCP *or* each machine must be told what its address will be. DHCP is what is used for ad-hoc connections because it is convenient & requires little intervention from the user.

Think 'plug the wire into one network card, plug the other end into the network controller and the two will talk to each other. The DHCP host listens for a request for an address from each network card (ie MAC) that is connected, assigns a unique network address ('IP' eg 192.168.1.1) to each MAC & keeps track of them'. The machines are now capable of talking to each other. It could be via a wired network, or via a wireless network. Each device is *supposed* to only listen for data tagged with its own address.

If the network uses only wires then it's more difficult to tap in to it compared to a wireless network. Some network machines (switches) will only send the data down the wire that is connected to the MAC/IP combination. Other systems broadcast the tagged data packets down all the wires & each device grabs whatever packets are tagged with their address. Even a broadcast system is limited to the machines that have been plugged in.

A wireless connection is more akin to a wired but broadcast system but one where anyone can 'plug in' at anytime. This leads to the problems of how a wireless network can announce itself and how a device can connect and be uniquely identified while preventing unwanted devices from connecting - hence the encryption methods WEP & later, WPA.

WEP has a flaw in its design that causes it to require each device to broadcast enough information that over time a nefarious person can reconstruct the encryption key that's being used to keep others out and join the network.

WPA uses a different method & also a key that is longer and therefore more difficult to calculate.

Some things that you can do to secure the wireless network:

1. Don't have the network announce itself. To the casual user, an un-announced network is invisible although not to those with the correct tools. In your WiFi router you need to switch off the function that announces the network name. In your PC you'll need to tell it what network name to connect to

2. Use WPA instead of WEP. Use the longest key that all machines you want on the network can use.

3. Limit the network connections to *specific* machines ie MACs. This facility is built into the WiFi router.

4. Some WiFi routers have directional antenna or allow you to reduce the signal strength. The worse the signal that escapes your building the more difficult for someone to eavesdrop.

5. Use a wired network...
Tinstaafl is offline  
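Added example, not part of any post in this thread: a Python sketch of the check described in posts #2, #5 and #13, which reads the 'Physical Address' lines from ipconfig /all output, normalises the different MAC formats, and lists router clients that are not on your own allow-list. The ipconfig text, the router client table and every address in it are constructed sample data.

```python
import re

# Constructed sample of `ipconfig /all` output from an XP laptop (not real data).
IPCONFIG_SAMPLE = """\
Ethernet adapter Local Area Connection:
        Media State . . . . . . . . . . . : Media disconnected
        Physical Address. . . . . . . . . : 00-11-22-AA-BB-01

Ethernet adapter Wireless Network Connection:
        Physical Address. . . . . . . . . : 00-11-22-AA-BB-02
        IP Address. . . . . . . . . . . . : 192.168.0.101
"""

# Constructed router client table: (IP address, MAC as the router prints it).
ROUTER_CLIENTS = [
    ("192.168.0.101", "00:11:22:aa:bb:02"),
    ("192.168.0.102", "0011.22aa.bb03"),
    ("192.168.0.103", "66:77:88:CC:DD:04"),
]

def normalize_mac(text):
    """Return a MAC as lowercase colon-separated hex, or raise ValueError."""
    digits = re.sub(r"[-:.\s]", "", text).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {text!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def macs_from_ipconfig(output):
    """Map adapter name -> normalized MAC from `ipconfig /all` text."""
    found, adapter = {}, None
    for line in output.splitlines():
        if line and not line[0].isspace() and line.rstrip().endswith(":"):
            adapter = line.rstrip().rstrip(":")
        m = re.match(r"\s+Physical Address[ .]*:\s*(\S+)", line)
        if m and adapter:
            found[adapter] = normalize_mac(m.group(1))
    return found

def unknown_clients(clients, allowed):
    """Return router clients whose MAC is not in the allow-list."""
    allowed = {normalize_mac(a) for a in allowed}
    return [(ip, normalize_mac(mac)) for ip, mac in clients
            if normalize_mac(mac) not in allowed]

if __name__ == "__main__":
    mine = macs_from_ipconfig(IPCONFIG_SAMPLE)
    allow = list(mine.values()) + ["00-11-22-AA-BB-03"]  # second laptop (constructed)
    for ip, mac in unknown_clients(ROUTER_CLIENTS, allow):
        print(f"unrecognised device: {mac} at {ip}")
```

As rustle's post above points out, a MAC address can be spoofed, so an empty result does not prove nobody else is connected; the list is a quick check, and WPA remains the control that keeps others off the network.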
Old 28th Dec 2007, 08:45
  #14 (permalink)  
Red On, Green On
 
Join Date: May 2004
Location: Between the woods and the water
Age: 24
Posts: 6,487
Likes: 0
Received 2 Likes on 2 Posts
6. Live at least 200m from your nearest neighbour
airborne_artist is offline  
Old 30th Dec 2007, 17:30
  #15 (permalink)  
 
Join Date: Nov 2005
Location: Taiwan
Posts: 27
Likes: 0
Received 0 Likes on 0 Posts
7. Better make that >10km

http://wok-fi.com/info.html
makintw is offline  
Old 1st Jan 2008, 08:45
  #16 (permalink)  
 
Join Date: Jun 2003
Location: EuroGA.org
Posts: 13,787
Likes: 0
Received 0 Likes on 0 Posts
1. Don't have the network announce itself. To the casual user, an un-announced network is invisible although not to those with the correct tools. In your WiFi router you need to switch off the function that announces the network name. In your PC you'll need to tell it what network name to connect to
Unfortunately this one, also called "SSID broadcast disabled", introduces a load of compatibility problems with many devices, even the most modern ones.

Out of my collection of wifi PDAs, laptops, etc, about 30% will connect and the rest won't. Some laptops connect only following a reboot.

Always enable SSID broadcast initially and only when everything is working (with the desired encryption mode e.g. WPA) turn off SSID, and see if it still works.

I don't think there is any way to hack WPA so there should be no harm in having the SSID broadcast enabled.

I would also avoid a common thing which is setting the access point name to one's house name or street number - why do people do that?? It just tells everybody where to go to get a better signal. I set mine to something like "f**k off". Great fun until you have a guest who wants to use their laptop.

Otherwise, I agree about a wired network. 100% compatible, much faster, cannot be hacked into (well other than by GCHQ using Van Eck etc).
IO540 is offline  
Old 1st Jan 2008, 10:27
  #17 (permalink)  
Per Ardua ad Astraeus
 
Join Date: Mar 2000
Location: UK
Posts: 18,579
Likes: 0
Received 0 Likes on 0 Posts
Originally Posted by IO540
Some laptops connect only following a reboot.
- I'm relieved to hear someone else has that problem - I thought it was just my inept wifi set up
BOAC is offline  
Old 1st Jan 2008, 11:21
  #18 (permalink)  
Spoon PPRuNerist & Mad Inistrator
 
Join Date: Sep 2003
Location: Twickenham, home of rugby
Posts: 7,402
Received 275 Likes on 175 Posts
Otherwise, I agree about a wired network. 100% compatible, much faster, cannot be hacked into (well other than by GCHQ using Van Eck etc).
For true security, fibre is the way to go - no EMR to be picked up and converted back to recover the electrical signal, and can't be tapped into without being discovered (provided you are looking).

But we are venturing into the realms of the paranoid here (i.e. government).

SD
Saab Dastard is offline  
