What is a decent DOCSIS3.0 modem with WiFi?

Discussion in 'Wireless Internet' started by D. F. Manno, Jul 12, 2015.

  1. D. F. Manno

    D. F. Manno Guest

    I understand that, if hidden, a nonchalant passerby won't casually "see"
    your SSID, but, are you really worried about such a passive nonchalant
    user, especially if you're using WPA2-PSK encryption?

    Since there decidedly *is* a security downside (at least for Windows
    PCs), I pretty much wouldn't recommend hiding it, unless you don't
    encrypt it, but who would go to the trouble of hiding it but then not
    encrypting it?
     
    D. F. Manno, Jul 14, 2015
    #61

  2. D. F. Manno

    D. F. Manno Guest

    You need to adjust your tinfoil hat a little tighter to understand why
    you need to be unique and to broadcast your SSID at home at the same time.

    I think the keyword is butterfly, or is it rainbow hash tables?
    I forget which, but anyone can download the hash for any of a million
    common passwords (this was years ago, so it's probably ten or twenty
    million by now) for all the common SSIDs.
     
    D. F. Manno, Jul 14, 2015
    #62
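    The "hash for all the common SSIDs" point above comes from how WPA/WPA2-Personal derives its key: the SSID is the salt of the PBKDF2 step, so a table precomputed for one SSID is worthless against a differently named network. Added illustration, not code from the thread; the SSIDs and passphrases are constructed sample values.

```python
import hashlib

def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-Personal key derivation (IEEE 802.11i): the 256-bit PMK is
    PBKDF2-HMAC-SHA1 over the passphrase with the SSID as the salt, 4096 rounds.
    The four-way handshake then proves possession of this PMK."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, 32)

# Constructed sample values (not from the thread): a factory-style SSID seen on
# many networks, a unique SSID, and a short list of weak passphrases.
COMMON_SSID = "linksys"
UNIQUE_SSID = "rooftop-7f3a9c"
CANDIDATES = ["password", "password123", "letmein", "12345678"]

def table_for_ssid(ssid: str, candidates) -> dict:
    """Precompute PMKs for one SSID. Because the SSID is the salt, the table
    only covers networks that use exactly that SSID; a unique SSID means the
    4096 rounds have to be redone per candidate for that one network."""
    return {wpa2_pmk(p, ssid): p for p in candidates}

def lookup(table: dict, pmk: bytes):
    """Return the passphrase behind a PMK if this table covers it, else None."""
    return table.get(pmk)

if __name__ == "__main__":
    table = table_for_ssid(COMMON_SSID, CANDIDATES)
    on_common = wpa2_pmk("password123", COMMON_SSID)
    on_unique = wpa2_pmk("password123", UNIQUE_SSID)
    print("same passphrase, SSID", COMMON_SSID, "->", on_common.hex())
    print("same passphrase, SSID", UNIQUE_SSID, "->", on_unique.hex())
    print("table built for", COMMON_SSID, "recovers:", lookup(table, on_common))
    print("same table against", UNIQUE_SSID, "recovers:", lookup(table, on_unique))
```

    The unique SSID only removes the precomputation shortcut; a long random passphrase is still what makes the derivation itself expensive to attack.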

  3. D. F. Manno

    Guest Guest

    that's an issue with windows, not with hiding an ssid.
     
    Guest, Jul 14, 2015
    #63
  4. D. F. Manno

    Guest Guest

    it's another layer to get past.

    while it might not be a big obstacle, it's yet another step someone
    needs to do, which makes the other networks an easier target.

    on the other hand, if someone is specifically targeting your network in
    particular, then you have far bigger problems than using wpa or ssid
    hiding.
    again, that's an issue with windows, not with hiding an ssid.
     
    Guest, Jul 14, 2015
    #64
  5. D. F. Manno

    D. F. Manno Guest

    I generally change the web port from 80, and I change the SSH port from,
    I think, 443, to something else, to make robo logins a bit more difficult
    (it won't help against a determined hacker, of course, nor a determined
    robot, but, it's easy enough to do, and, for me, it stopped a million
    login attempts that were hammering my router's cpu rejecting them).
     
    D. F. Manno, Jul 14, 2015
    #65
  6. D. F. Manno

    D. F. Manno Guest

    I login all the time to my rooftop router, and to my neighbor's rooftop
    routers (since we're all on the same subnet), just to see what's going
    on.

    It's how I found out that robots were hammering my system, and, how they
    stopped while still hammering my neighbor's systems, when I switched the
    ports.

    $ ssh -p 4545 -l adm1n 192.168.2.1

    BusyBox v1.11.2 (2014-10-01 16:45:24 EEST) built-in shell (ash)
    Enter 'help' for a list of built-in commands.

    XM.v5.5.10# tail /var/log/messages

    In fact, you can see good stuff for debugging, for example, you can see
    what DHCP is used and what IP range is on the LAN, etc.
    $ cat /etc/dnsmasq.conf

    You can even log into your neighbor's rooftop router and see what domains
    they visit.
    $ cat /proc/net/nf_conntrack

    It's not wireshark nor netstumbler, but, it's a decent log of everywhere
    the router has been (less cryptic than wireshark output for example).
     
    D. F. Manno, Jul 14, 2015
    #66
  7. D. F. Manno

    tlvp Guest

    Beautiful :) ! I love it! Thanks! Cheers, -- tlvp
     
    tlvp, Jul 14, 2015
    #67
  8. D. F. Manno

    D. F. Manno Guest

    There's a setting to enable or disable hardware reset on *every* rooftop
    radio that I have seen.

    Here's a picture of one screen of my rooftop router's configuration:
    http://i.imgur.com/ow0WyR8.jpg

    Of course, these WiFi radios also have sliders for signal strength,
    distance, channel width, dynamic dns, telnet servers, web servers, ping
    watchdog, snmp agent, ssh server, ntp client, system log, etc.

    Point is that these routers have more features than your average mom-and-
    pop router, as Jeff well knows.
     
    D. F. Manno, Jul 14, 2015
    #68
  10. Ubiquiti wireless bridge (or router). Nice hardware.
    Yep. Features and functions get added faster than bugs get fixed.

    I really hate security discussions. They never end, never reach a
    consensus, there's always one more security hole, and even those
    routers that are certified and blessed by an expensive certification
    organization, are problematic.

    Anyway, permit me to point out the giant gaping monstrous security
    hole, that most users can't see or just ignore. It's the WPA-PSK
    shared key. Every computah, tabloid, smartphone, xbox, etc that
    connects to a single secured router uses the same pass phrase.
    Considerable effort has gone into making this pass phrase difficult to
    sniff and recover. Yet, all it takes is one insecure client radio,
    and the pass phrase or usable hash code can be recovered. Here's a
    good example:
    <http://www.nirsoft.net/utils/wireless_key.html>
    If you have an Android tablet that's been rooted, there are several
    utilities that will display the saved pass phrases. I use this one:
    <https://play.google.com/store/apps/details?id=com.wifipass.recovery>
    Steal my ancient Droid X2 and you can see *ALL* my wireless pass
    phrases. Note that it doesn't matter if you're using WEP, WPA-TKIP,
    or WPA2-AES encryption. The password is there in plain sight. I
    assume there's something similar for jail broken Apple products.

    So whatcha gonna do? Well, big business uses a WPA2-Enterprise-AES
    with 802.1x and EAP authentication. You could too, except that there
    is only one commodity grade wireless router that includes the
    necessary features (ZyXEL G-2000 Plus) and it's rather limited with
    only 5 logins. You'll either need to subscribe to a service, or build
    your own RADIUS server:
    <http://freeradius.org>
    <http://wiki.freeradius.org/guide/WPA-HOWTO>
    <http://wiki.freeradius.org/protocol/EAP>
    <https://play.google.com/store/apps/details?id=com.larscom.freeradiusandroid>

    So, how duz it work? Very roughly, each user gets a login and
    password from the RADIUS server when connecting. If they
    successfully log in, the RADIUS server delivers a one-time WPA2-AES
    key to the client's wireless device, which is only good for the current
    session. Disconnect, and you get a new key. I won't go into the EAP
    authentication part (mostly because I barely understand how it works).
    There are also lots of variations, such as no user/password on login,
    which is the easy way to do encrypted coffee shop systems.

    The RADIUS server does not need to be inside or next to your wireless
    router. It can be anywhere on the internet. For example, the
    University of Calif runs one that covers all their facilities. A user
    can login literally anywhere on the UC system and get authenticated
    for the entire system. I run my RADIUS server in my office and in a
    server farm for several of my customers systems. There are also
    services that will do it for you. Here's an example of an online
    service that puts the RADIUS server in the "cloud":
    <http://cloudessa.com>

    Before the inevitable demise of wireless as we know it, perhaps the
    router manufacturers will cease advertising astronomical wireless
    speeds and do something about the pre-shared key security problem?
    Naw, it will never happen. Security doesn't sell routers, while big
    numbers do.
     
    Jeff Liebermann, Jul 14, 2015
    #70
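    What the switch from a shared key to RADIUS-backed 802.1X looks like on the access point side, as an added example (not Jeff's configuration, not from any of the linked projects): a hostapd.conf fragment with the shared-passphrase setup commented out above its WPA2-Enterprise replacement. The interface, SSID, RADIUS address and shared secret are placeholders; the RADIUS server itself (FreeRADIUS, per the links above) is configured separately.

```ini
# --- Weak: WPA2-Personal, one passphrase shared by every client ---
# interface=wlan0
# ssid=rooftop-7f3a9c
# wpa=2
# wpa_key_mgmt=WPA-PSK
# rsn_pairwise=CCMP
# The same secret sits on every laptop, tablet and phone; any one of them
# leaking it (see the key-recovery tools above) compromises the whole network.
# wpa_passphrase=SAME-SECRET-ON-EVERY-DEVICE

# --- Corrected: WPA2-Enterprise (802.1X/EAP), per-user login, per-session keys ---
interface=wlan0
# placeholder SSID
ssid=rooftop-7f3a9c
hw_mode=g
channel=6
wpa=2
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP
ieee8021x=1
# The AP forwards the EAP exchange to the RADIUS server; the AP itself never
# holds a user's password, only this AP-to-server shared secret.
# placeholder RADIUS address and secret
auth_server_addr=192.168.2.50
auth_server_port=1812
auth_server_shared_secret=CHANGE-ME-placeholder
# address the RADIUS server sees as the NAS (the AP)
own_ip_addr=192.168.2.1
# Force a fresh EAP exchange, and therefore fresh session keys, every hour
eap_reauth_period=3600
```

    Revoking one user's RADIUS account then locks out that user's devices without touching anyone else, which is the property the shared PSK cannot give.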
  11. D. F. Manno

    D. F. Manno Guest

    Apparently the problem is with iOS, Mac, and Linux also, according to
    this answer I received today on the linux newsgroup:

    Yes. It's part of the wifi protocol, so it doesn't matter what os is
    being used. Don't ever use a hidden ssid.

    Regards,
    Dave Hodgins
     
    D. F. Manno, Jul 14, 2015
    #71
  12. []
    Not if you have to get it from Download.com with its download wrapper prog.
     
    Kerr Mudd-John, Jul 14, 2015
    #72
  13. D. F. Manno

    Char Jackson Guest

    I like http://camelcamelcamel.com to check [Amazon] pricing on things. Just
    enter one or more keywords, search, select the item from the list, and you
    get a price history that goes back at least several months so that you can
    see if the current price is a good deal or not.
     
    Char Jackson, Jul 18, 2015
    #73
  14. D. F. Manno

    Char Jackson Guest

    There are certain areas of Kansas City that have multiple (two) cable
    providers. As you mentioned, Google fiber is available in some areas as an
    overbuild, and in other areas there's a smaller ISP called Evergreen or
    Wintergreen, something like that, as an overbuild. The two big guys, though,
    Comcast and TWC, don't overlap each other. In general, Comcast has the
    Kansas side of the city and TWC has the Missouri side.
     
    Char Jackson, Jul 18, 2015
    #74
  15. D. F. Manno

    Char Jackson Guest

    Same experience here. I always hear the stories about them blaming a
    customer-owned modem, but I've never experienced it.
     
    Char Jackson, Jul 18, 2015
    #75
  16. D. F. Manno

    Char Jackson Guest


    I haven't checked in a long while, but I thought dd-wrt included the
    capability to do RADIUS, and thus WPA2-Enterprise.
     
    Char Jackson, Jul 18, 2015
    #76
  17. D. F. Manno

    Char Jackson Guest

    Comcast is apparently doing away with personal web pages, so I assume that
    link will die at some point in the not too distant future.
     
    Char Jackson, Jul 18, 2015
    #77
  18. D. F. Manno

    Char Jackson Guest

    All of my laptops are technically 'desktop replacements' and have always
    been wired. If I want wireless, I pick up a tablet. IMHO, wireless is too
    slow and unpredictable for everyday use.
     
    Char Jackson, Jul 18, 2015
    #78
  19. Yep. I forgot about that.
    <https://www.dd-wrt.com/demo/FreeRadius.asp>
    (click "enable").

    The RADIUS and MySQL servers are usually external, but there are those
    hardy souls that have gotten it to work in firmware.
    <http://www.matrix44.net/blog/wp-content/uploads/2014/05/DD-WRT-WPA2-Enterprise.pdf>
    Unfortunately, I gave up trying to make it work, and went to an
    external RADIUS server. I guess I should try again with some of the
    later builds (e.g. Kong).
     
    Jeff Liebermann, Jul 18, 2015
    #79
