tsubasa74j
asked on
how can i verify if someone is using my wireless router furtively?
how can i verify if someone is using my wireless router furtively?
i've a dlink but it's a general question.
what program can i use?
i've a dlink but it's a general question.
what program can i use?
PUNKY
I think you better increase the security to prevent people using your wireless signal than tracing them. Dont broastcast and use better security features.
Enable logging on the wireless router if it has the capability and analyse the logs, should be as simple as that.
Most DLinks have a WLAN 'Status' button on the Tools tab in the web configuration... that will tell you the MAC address[es] of any wireless card[s] connected, in real time.
You can take the MAC address from there and use it in the filters section to block their access altogether, even if they do manage to crack the security passphrase.
You can also log it, as AccyStanley said, and usually even have the log emailed to you when it's full.
Not broadcasting the SSID is pretty-much worthless as a security measure... so-called 'hidden' networks still show up on wireless monitors, just as [unknown], and not being broadcast doesn't slow down sniffers like aircrack, airsnort, omnipeek, et al one iota; if you're using your network, it won't take them long to break WEP security even with the SSID not broadcast.
Definitely use WPA with TKIP+AES ciphers (falls back to TKIP if AES isn't supported by the client card) if you can. And have it change keys every 900-1000 packets (most default to every 1800 packets).
If you need specific instructions, you'll need to tell us specifically what router you have (i.e. not just ''a dlink'').
You can take the MAC address from there and use it in the filters section to block their access altogether, even if they do manage to crack the security passphrase.
You can also log it, as AccyStanley said, and usually even have the log emailed to you when it's full.
Not broadcasting the SSID is pretty-much worthless as a security measure... so-called 'hidden' networks still show up on wireless monitors, just as [unknown], and not being broadcast doesn't slow down sniffers like aircrack, airsnort, omnipeek, et al one iota; if you're using your network, it won't take them long to break WEP security even with the SSID not broadcast.
Definitely use WPA with TKIP+AES ciphers (falls back to TKIP if AES isn't supported by the client card) if you can. And have it change keys every 900-1000 packets (most default to every 1800 packets).
If you need specific instructions, you'll need to tell us specifically what router you have (i.e. not just ''a dlink'').
ASKER
i've a dlink dsl g624t and i'm agree with your opinions.
in specific i use kiwi syslog daemon but no logs are generated by this for my dlink.
is there some particular settings to enable?
i've enabled the log to my pc setting in the dlink but no string is generated in the kiwi syslog monitor
can you tell me another valid syslog program for my dlink?
is propably a dhcp problem (i've set it on the dlink)?
last question is this:
i've noticed that my router has a macaddress, and my wireless pc card has another macaddress,
so i've 2 different macaddress, is this right?
in specific i use kiwi syslog daemon but no logs are generated by this for my dlink.
is there some particular settings to enable?
i've enabled the log to my pc setting in the dlink but no string is generated in the kiwi syslog monitor
can you tell me another valid syslog program for my dlink?
is propably a dhcp problem (i've set it on the dlink)?
last question is this:
i've noticed that my router has a macaddress, and my wireless pc card has another macaddress,
so i've 2 different macaddress, is this right?
First, if you haven't already, on the Tools tab, System button, use the Save button to backup the router's settings to your hard drive (e.g. in a folder named G624T or DSL-G624T in My Documents).
Have you ever upgraded its firmware, btw?
If you ever upgrade its firmware or have to use the Reset button on the back you SHOULD be able to reload all settings using that file and be back in business in a couple minutes. I say 'should' because if the firmware upgrade adds more features the saved settings might not import correctly. :-(
To enable WPA encryption, in the router's web configuration interface, click Home along the top, then Wireless along the left side. Punch the WPA radio button, then more info will open below that. The ''Group Key Interval'' tells it how often to change keys (looks like the G624T's default is every hour; I would lower that to 900 seconds or so, but you can leave it at 3600 if you want).
Enter a passphrase of at least 10 characters (use non-sequential letters AND numbers, e.g. NOT a1b2c3d4e5, ABCDEFG12345678, q1w2e3r4t5y6 et cetera - I've seen all such sequences in brute-force dictionaries) in the PSK String field, and click Apply.
Now your wireless network is secure. If you have to restore your settings using the saved file, remember to repeat the steps enabling WPA, or even back up the settings again adding 'withWPA' to the filename. If you ever need to reload the saved settings, you might be glad you have it saved both ways, though. ;-)
> in specific i use kiwi syslog daemon but no logs are generated by this for my dlink.
> is there some particular settings to enable?
In the DLink's web configuration, on the Status tab along the top, then the Log button on the left. I'm not sure what the page limit is for the G624T; on the DI-524 and DI-624 it's about 5 pages (the oldest entries just scroll off into the bit bucket), and can be configured so when it's full or an attack is detected the router emails the log to an address you can enter on that same page. I don't see that particular provision in the G624T, but it looks like you can send different levels of logging to multiple remote machines on the Tools tab, using the Remote Log button. Otherwise you have to access the log in the DLink's web configuration interface, and it's cleared completely whenever the power to the router is turned off (or when the 'Clear Log' button is clicked on that page), and you can save a hard copy to disk if you need it for some reason (e.g. copy and paste MAC addresses from it into the Static IP setups, or into the Filters).
You can also see real-time who's connected to your router... see the Status tab, DHCP Client button.
While you're on that page, click+hold and drag the icon just to the left of 'http' on the Address bar and drop it on your desktop. Then you'll have a shortcut to that page so you can quickly check it whenever you want... the login box should still popup before letting you access it from that shortcut, of course.
> i've enabled the log to my pc setting in the dlink but no string is generated in the kiwi syslog monitor
> can you tell me another valid syslog program for my dlink?
I'm not sure which log setting you're talking about there... is that the one on the Status tab or the one on the Tools tab?
One thing I REALLY dislike about DLinks is having to click Apply on every page you make a change to (or else the changes are lost if you switch pages without clicking Apply), which proceeds to reboot the router, wait 30-45 seconds, then make you login to the web configuration interface again. :-(
> is propably a dhcp problem (i've set it on the dlink)?
I don't understand the question. What is probably a DHCP problem?
> last question is this:
> i've noticed that my router has a macaddress, and my wireless pc card has another macaddress,
> so i've 2 different macaddress, is this right?
3, actually. Your PC's ethernet card has one; the DLink has one for its ethernet/ADSL port[s] and yet another MAC address for its wireless interface. In addition, the DLink can clone your PC's MAC address and pretend to be that MAC address when talking to/through the ADSL port... in that way if your PC was used to setup the connection originally, the DLink can be added later, the PC's MAC cloned, and the telco still thinks it's talking to the same piece of hardware so you don't need to call them to reset things to work with the new MAC address. Generally that shouldn't be necessary, anyway - just powering down the router/modem, then powering them back up a few minutes later should cause the account credentials to be presented again and if those match the telco really shouldn't care what MAC address it sees. Some do, though.
Have you ever upgraded its firmware, btw?
If you ever upgrade its firmware or have to use the Reset button on the back you SHOULD be able to reload all settings using that file and be back in business in a couple minutes. I say 'should' because if the firmware upgrade adds more features the saved settings might not import correctly. :-(
To enable WPA encryption, in the router's web configuration interface, click Home along the top, then Wireless along the left side. Punch the WPA radio button, then more info will open below that. The ''Group Key Interval'' tells it how often to change keys (looks like the G624T's default is every hour; I would lower that to 900 seconds or so, but you can leave it at 3600 if you want).
Enter a passphrase of at least 10 characters (use non-sequential letters AND numbers, e.g. NOT a1b2c3d4e5, ABCDEFG12345678, q1w2e3r4t5y6 et cetera - I've seen all such sequences in brute-force dictionaries) in the PSK String field, and click Apply.
Now your wireless network is secure. If you have to restore your settings using the saved file, remember to repeat the steps enabling WPA, or even back up the settings again adding 'withWPA' to the filename. If you ever need to reload the saved settings, you might be glad you have it saved both ways, though. ;-)
> in specific i use kiwi syslog daemon but no logs are generated by this for my dlink.
> is there some particular settings to enable?
In the DLink's web configuration, on the Status tab along the top, then the Log button on the left. I'm not sure what the page limit is for the G624T; on the DI-524 and DI-624 it's about 5 pages (the oldest entries just scroll off into the bit bucket), and can be configured so when it's full or an attack is detected the router emails the log to an address you can enter on that same page. I don't see that particular provision in the G624T, but it looks like you can send different levels of logging to multiple remote machines on the Tools tab, using the Remote Log button. Otherwise you have to access the log in the DLink's web configuration interface, and it's cleared completely whenever the power to the router is turned off (or when the 'Clear Log' button is clicked on that page), and you can save a hard copy to disk if you need it for some reason (e.g. copy and paste MAC addresses from it into the Static IP setups, or into the Filters).
You can also see real-time who's connected to your router... see the Status tab, DHCP Client button.
While you're on that page, click+hold and drag the icon just to the left of 'http' on the Address bar and drop it on your desktop. Then you'll have a shortcut to that page so you can quickly check it whenever you want... the login box should still popup before letting you access it from that shortcut, of course.
> i've enabled the log to my pc setting in the dlink but no string is generated in the kiwi syslog monitor
> can you tell me another valid syslog program for my dlink?
I'm not sure which log setting you're talking about there... is that the one on the Status tab or the one on the Tools tab?
One thing I REALLY dislike about DLinks is having to click Apply on every page you make a change to (or else the changes are lost if you switch pages without clicking Apply), which proceeds to reboot the router, wait 30-45 seconds, then make you login to the web configuration interface again. :-(
> is propably a dhcp problem (i've set it on the dlink)?
I don't understand the question. What is probably a DHCP problem?
> last question is this:
> i've noticed that my router has a macaddress, and my wireless pc card has another macaddress,
> so i've 2 different macaddress, is this right?
3, actually. Your PC's ethernet card has one; the DLink has one for its ethernet/ADSL port[s] and yet another MAC address for its wireless interface. In addition, the DLink can clone your PC's MAC address and pretend to be that MAC address when talking to/through the ADSL port... in that way if your PC was used to setup the connection originally, the DLink can be added later, the PC's MAC cloned, and the telco still thinks it's talking to the same piece of hardware so you don't need to call them to reset things to work with the new MAC address. Generally that shouldn't be necessary, anyway - just powering down the router/modem, then powering them back up a few minutes later should cause the account credentials to be presented again and if those match the telco really shouldn't care what MAC address it sees. Some do, though.
ASKER
very complete explanation Darr 247! :-)
i thinnk your answers are complete but only last observation before assign you points.
if i 've understood in the right way, i can use dlink to clone mac address of my wireless pc card to clone and use the same mac of it.
what menu in the dlink can i use for it and what must i indicate for this goal!
very thanks and bye
i thinnk your answers are complete but only last observation before assign you points.
if i 've understood in the right way, i can use dlink to clone mac address of my wireless pc card to clone and use the same mac of it.
what menu in the dlink can i use for it and what must i indicate for this goal!
very thanks and bye
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.