Old 01-03-2007, 12:59 AM   #1
Defenestrator
 
 
Join Date: Jan 2005
Location: NYC & NJ
Posts: 1,371
Intruder in the wireless network

Ok, so my fiance has an early generation Linksys wireless B router. I don't remember the model, but I can ask tomorrow. It's a bit thicker than the notorious lemon model.

One computer is connected via wire, and two via Linksys USB B adapters.

After I pointed out that they could be vulnerable, they discovered other people were connected to their network.

They cannot disable SSID broadcast b/c then one of the computers can never reconnect.

They have WEP encryption.

They have MAC filtering enabled, but one of the filtered out MACs pops up until the "apply filter" button is hit. Then it disappears for a few hours.

So... without purchasing any new equipment, how can I ensure that the unauthorized user is unable to connect to the network?

It shows up in the "active MAC table", but is it possible that it only means that this particular wireless device is in range but not connecting to the wireless network?
__________________
ToolGuyd.com - My Tool Blog
Stuey is offline   Reply With Quote
Old 01-03-2007, 01:10 AM   #2
Member (7 bit)
 
Join Date: Jan 2007
Location: Swift Current, Saskatchewan, Canada
Posts: 113
Try changing the WEP password to include numbers, letters, and symbols. See if that works for you.
matthews is offline   Reply With Quote
Old 01-03-2007, 01:22 AM   #3
Defenestrator
 
 
Join Date: Jan 2005
Location: NYC & NJ
Posts: 1,371
I checked her password two weeks ago and it seemed pretty strong.
Stuey is offline   Reply With Quote
Old 01-03-2007, 01:26 AM   #4
Member (7 bit)
 
Join Date: Jan 2007
Location: Swift Current, Saskatchewan, Canada
Posts: 113
Can you try changing the encryption type to WPA or something stronger?

Are they using XP? If they are then you shouldn't normally have to broadcast the SSID.

If I knew the model I might be able to help you some more.

Edit:

If you have the access restrictions tab then disable access to the MAC addresses of the computers illegally connecting.
matthews is offline   Reply With Quote
Old 01-03-2007, 01:29 AM   #5
glc
Forum Administrator
Staff
Premium Member
 
 
Join Date: May 2000
Location: Joplin MO
Posts: 41,345
I don't believe any of the Linksys B models have WPA, but I may be wrong.

WEP is hexadecimal only as far as I know - symbols won't work.
glc is offline   Reply With Quote
Old 01-03-2007, 02:01 AM   #6
Defenestrator
 
 
Join Date: Jan 2005
Location: NYC & NJ
Posts: 1,371
You're right, WEP is all it's got. Both wireless systems have XP but for some reason the newer one is very fickle.

When I took a look at the settings, there was no way to change the filtering such that ONLY the two authorized users could connect. The only filter setting was to filter out MAC addresses, and one of them keeps coming back onto the active list.

I also thought about setting static IPs and limiting the number of IPs distributed, but the router doesn't have any of those settings.

I'm satisfied with my two WRT54Gs (thanks for the recommendation, GLC), and want to install one with G+speedbooster cards (to get the WPA2), but for now we're trying to come up with a free solution.

When I see them next weekend, I'm thinking a firmware upgrade might be called for.
Stuey is offline   Reply With Quote
Old 01-03-2007, 03:46 AM   #7
Member (7 bit)
 
Join Date: Jun 2006
Posts: 71
change the router username and password

my guess is that you have a simplified router username and password and that even though you have a great wep it won't matter because the person is getting to you via the simplified router username/password.

change it to only something you know and make sure you write it down as you and then only you will know it!

what i'm saying is that some wireless adapters will have utilities that will show you the ascii characters of the wep encryption if you can open the router utilities. so, stop the culprit from getting inside the router to then be able to write down the wep code.

whatcha think of this???

(i was a criminal before i was a pastor!) ;-)
revron is offline   Reply With Quote
Old 01-03-2007, 05:47 AM   #8
Defenestrator
 
 
Join Date: Jan 2005
Location: NYC & NJ
Posts: 1,371
She changed the router password after I hijacked it myself.
Stuey is offline   Reply With Quote
Old 01-03-2007, 09:26 AM   #9
glc
Forum Administrator
Staff
Premium Member
 
 
Join Date: May 2000
Location: Joplin MO
Posts: 41,345
Can't you turn off DHCP on the LAN side of the router?
glc is offline   Reply With Quote
Old 01-03-2007, 12:21 PM   #10
Defenestrator
 
 
Join Date: Jan 2005
Location: NYC & NJ
Posts: 1,371
Quote:
Originally Posted by glc
Can't you turn off DHCP on the LAN side of the router?
I'm not sure what you mean by that. Would/should we assign static IPs before we try that?
Stuey is offline   Reply With Quote
Old 01-03-2007, 02:25 PM   #11
glc
Forum Administrator
Staff
Premium Member
 
 
Join Date: May 2000
Location: Joplin MO
Posts: 41,345
Yes. Assign static local IP's, using the router's IP for the default gateway (probably 192.168.1.1) and the actual ISP's DNS servers (from the WAN status in the router). Subnet mask is 255.255.255.0. Default DHCP scope is 192.168.1.100 to 192.168.1.149 so make your statics outside of that range, then disable the DHCP server in the router. This will prevent any outsiders from obtaining an IP address if they should associate.
glc is offline   Reply With Quote
Old 01-03-2007, 08:34 PM   #12
Member (11 bit)
 
 
Join Date: Sep 1999
Location: Sherman, Texas
Posts: 1,780
Does your router log connection attempts?
__________________
Intel P4 2.4Ghz cpu, Intel D850MVSE mobo, ATI Radeon All-in-Wonder 8500 @275Mhz video, WD800JB 80Gb hdd, 1024Mb PC800 RDRAM, Sony DVD/CD-Rom, Sony CD-R/CD-RW, 330W Antec psu, Windows XP Pro-completed Jan. 2004
AlwaysUp is offline   Reply With Quote
Old 01-03-2007, 08:47 PM   #13
Defenestrator
 
 
Join Date: Jan 2005
Location: NYC & NJ
Posts: 1,371
Thanks GLC, I'll try that this weekend.

AlwaysUp, I'm not sure but I'll check when I go over to play with it next time.
Stuey is offline   Reply With Quote
Old 01-03-2007, 10:04 PM   #14
Member (7 bit)
 
Join Date: Jan 2007
Location: Swift Current, Saskatchewan, Canada
Posts: 113
Yes, you can disable DHCP. But that won't help you because the intruder knows what the IP of your router is. But if you assign static IPs you may want to change the IP range to something totally different than the default. For example, I set my router for the IP 203.173.75.1. I then gave all my servers and workstations static IP's. Then for wireless, I made my router give out only 2 DHCP IP's. I have a pic that shows what my computers with static are set to: ftp://sawatzky.dns05.com/ip.bmp. Use the router IP for the gateway and DNS server name. That should hopefully work for you.
matthews is offline   Reply With Quote
Old 01-03-2007, 10:44 PM   #15
glc
Forum Administrator
Staff
Premium Member
 
 
Join Date: May 2000
Location: Joplin MO
Posts: 41,345
Assigning local IP's in that range is illegal, matthews. You must use a range that's allocated for that exclusive purpose. You are using an IP that's reserved for the Internet.

Old Linksys routers do not pass DNS through reliably when using a static IP, hence my recommendation.
glc is offline   Reply With Quote
Old 01-03-2007, 10:52 PM   #16
Member (7 bit)
 
Join Date: Jan 2007
Location: Swift Current, Saskatchewan, Canada
Posts: 113
What???????? Since when is using your own LAN IP range illegal? Why would the router let me change the router's LAN IP address? Are we talking about the same thing here? I'm now confused.
matthews is offline   Reply With Quote
Old 01-03-2007, 11:18 PM   #17
glc
Forum Administrator
Staff
Premium Member
 
 
Join Date: May 2000
Location: Joplin MO
Posts: 41,345
http://www.jpsdomain.org/networking/nat.html

Private IP Address Ranges

This is the "classic" RFC1918.

Class | From | To | CIDR Mask | Decimal Mask
Class "A" or 24 Bit | 10.0.0.0 | 10.255.255.255 | /8 | 255.0.0.0
Class "B" or 20 Bit | 172.16.0.0 | 172.31.255.255 | /12 (or more typically /16) | 255.240.0.0 (or 255.255.0.0)
Class "C" or 16 Bit | 192.168.0.0 | 192.168.255.255 | /16 (or more typically /24) | 255.255.0.0 (or 255.255.255.0)

The IP you chose is owned by someone.

Last edited by glc; 01-03-2007 at 11:21 PM.
glc is offline   Reply With Quote
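The static-IP plan from post #11 and the private-range rule from post #17 can be checked mechanically. The following is an added example, not code from any poster in this thread: it validates a LAN addressing plan against the RFC 1918 ranges and the DHCP scope. The host names, the static addresses and the two-address DHCP pool in the 203.173.75.x plan are constructed for illustration.

```python
import ipaddress

# RFC 1918 private ranges, as listed in the table in post #17.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(addr):
    """True if addr falls inside one of the three RFC 1918 blocks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)

def check_lan_plan(gateway, netmask, dhcp_start, dhcp_end, statics):
    """Return a list of problems with a LAN addressing plan (empty = OK)."""
    problems = []
    lan = ipaddress.ip_network(f"{gateway}/{netmask}", strict=False)
    if not any(lan.subnet_of(net) for net in RFC1918):
        problems.append(f"{lan} is not RFC 1918 private space")
    lo = ipaddress.ip_address(dhcp_start)
    hi = ipaddress.ip_address(dhcp_end)
    gw = ipaddress.ip_address(gateway)
    seen = set()
    for host, addr in statics.items():
        ip = ipaddress.ip_address(addr)
        if ip not in lan:
            problems.append(f"{host}: {ip} is outside {lan}")
        elif ip in (lan.network_address, lan.broadcast_address):
            problems.append(f"{host}: {ip} is the network or broadcast address")
        if lo <= ip <= hi:
            problems.append(f"{host}: {ip} is inside the DHCP scope {lo}-{hi}")
        if ip == gw:
            problems.append(f"{host}: {ip} collides with the gateway")
        if ip in seen:
            problems.append(f"{host}: {ip} is assigned twice")
        seen.add(ip)
    return problems

# Constructed sample plans; host names and static addresses are made up.
GLC_PLAN = check_lan_plan("192.168.1.1", "255.255.255.0",
                          "192.168.1.100", "192.168.1.149",
                          {"wired-pc": "192.168.1.10", "usb-pc-1": "192.168.1.11",
                           "usb-pc-2": "192.168.1.120"})
PUBLIC_PLAN = check_lan_plan("203.173.75.1", "255.255.255.0",
                             "203.173.75.100", "203.173.75.101",
                             {"server": "203.173.75.10"})

if __name__ == "__main__":
    for name, result in (("glc-style plan", GLC_PLAN), ("203.173.75.x plan", PUBLIC_PLAN)):
        print(name, "->", result or "OK")
```

The first plan is flagged only because one constructed static address sits inside the default DHCP scope; the second is flagged because the whole subnet lies outside private address space.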
Old 01-03-2007, 11:23 PM   #18
Member (7 bit)
 
Join Date: Jan 2007
Location: Swift Current, Saskatchewan, Canada
Posts: 113
So what you're saying is that I am currently using an illegal internal IP address? Can you get in trouble or anything for that? I don't see why you can't use whatever IP you want if it's your own private network. So in other words I have to change my IP's for everything in my network? I learn something new every day....
matthews is offline   Reply With Quote
Old 01-04-2007, 08:00 AM   #19
I am, in reality, a moose
Staff
Premium Member
 
 
Join Date: Aug 1999
Location: RTP, NC
Posts: 2,453
is someone going to come and arrest you? no

are you courting a problem? yes

you see, most internet devices are designed to ignore traffic headed "to" private IP address ranges, which is why you will NEVER see a public IP address in the 192.168.XXX.XXX range. You, OTOH, are using a public IP address range assigned to someone else, so it is possible that your traffic may be negatively impacting someone else's public network, which could attract the attention (and ire) of your ISP.

IMO it would be best to do as GLC suggests: narrow the DHCP pool and then statically assign an IP address within the "private" range but outside the scope of the DHCP pool.
__________________
Veritas Principium Libertas
mbossman2 is online now   Reply With Quote
Old 01-04-2007, 12:10 PM   #20
Member (7 bit)
 
Join Date: Jan 2007
Location: Swift Current, Saskatchewan, Canada
Posts: 113
So to avoid any problems I want to be changing my IP address range from 203.173.75.1 - 203.173.75.255 to 192.168.x.x - 192.168.x.x? Do I have to?
matthews is offline   Reply With Quote
Old 01-04-2007, 12:25 PM   #21
glc
Forum Administrator
Staff
Premium Member
 
 
Join Date: May 2000
Location: Joplin MO
Posts: 41,345
Nobody is going to force you to unless it causes issues with your ISP, but let's just say that it's HIGHLY recommended.
glc is offline   Reply With Quote
Old 01-04-2007, 04:49 PM   #22
Member (13 bit)
 
 
Join Date: Mar 1999
Posts: 6,796
While it would seem that this would work fine on the LAN side, what would happen if you actually tried to go to a site that has that same IP? You would type in www.blahblah.com, the DNS server would hand you back the IP of the server (which is the same as one of your machines) and you would not be able to connect because you would be trying to connect to a machine on your network. In case you were wondering, the range you chose is used by Singtel in Japan according to a whois query.

I bet if you tried setting the LAN side DHCP range the same as a site you visit often, I'm pretty sure you won't be able to connect to that site anymore (even though I haven't tried this yet).

Therefore, it's best you use the ranges glc described in his earlier post instead.

HTH
Floppyman is offline   Reply With Quote
Old 01-04-2007, 11:52 PM   #23
Member (7 bit)
 
Join Date: Jan 2007
Location: Swift Current, Saskatchewan, Canada
Posts: 113
I will have to change that. Thanks for the heads-up about this. I never knew that. Guess I have some reconfiguring to do tomorrow. Thanks for the advice.
matthews is offline   Reply With Quote