What is a decent DOCSIS3.0 modem with WiFi?

Yes, but, other than at work, I haven't seen a "wire" from a router to a laptop in years! :)

Of course, the Ooma is wired, as is the printer, but, not the laptops.

Reply to
D. F. Manno

While I have updated the firmware on my routers over the years, it's not something I consciously think about day to day. I doubt the kids are doing anything so worrisome that they need to be extra cautious, so, no, to answer your question, I'm not much worried about the router updates.

Apple works a lot off of FUD, by making their customers *feel* secure, which is a great thing, and it's a service to their customers, but, in the end, nothing is even close to secure from a state-sponsored adversary.

Plus, I'm wary of backdoors purposefully left open by the manufacturers of all routers.

Reply to
D. F. Manno

anything accessible from the outside is vulnerable.

note that apple isn't listed:

apple does not work off fud.

while nothing is impossible, it's a *lot* harder to compromise an apple router than a generic off the shelf router, particularly when the user doesn't update anything, which they don't normally do because they more than likely have no idea there even is an update for their router.

many people don't know what the admin password for their router is because it was set up by the cable/dsl installer, which means they can't update anything even if they wanted to.

then you ought to not buy a generic router.

Reply to
nospam

It's perfect.

  1. Costco for the modem.
  2. The best router I can find (with high speed ethernet & n/ab/), 5/2.4MHz
  3. I'll try to talk Comcast out of the service call also (as advised here).
Reply to
D. F. Manno

I don't know how an apple router is any more or less secure than any other router.

True, I don't know anything about how they "make" routers.

I just set them up at home so my experience is limited to about four routers in my entire life, but the setup nowadays is pretty simple.

- Change admin password and login name (if possible)
- WPA2/PSK on all 4 frequencies (guest + main 2.4GHz & 5GHz)
- Broadcast SSID (it's actually counterproductive not to)
- SSID doesn't name me or my family or pets or address, etc.
- SSID isn't on a typical million-SSID-long butterfly hash lookup
- I generally leave it at the firewall defaults (don't know better)
- Static IP address (I have no choice)
- Web login: I change the port from 80 to something else (or disable)
- SSH login: I change the port from 443 (IIRC) to something else
- Disable remote login
- Allow factory reset switch to work (I have used it a few times)

That's all I can remember from memory.

Reply to
D. F. Manno

Wireless is a great idea, until everyone else also does it. I haven't done the Netstumbler thing for about a year, but the last time I checked, my 12 mile mostly residential commute shows about 200+ wireless routers/access points. In about 2003, it was maybe 30. The surest sign of success is pollution.

In offices full of desktops and security consultants, wired ethernet is a requirement. It's also far more reliable than wireless. At home it is mostly wireless. I can see using wireless for laptops, Chromebooks, tablets, and smartphones. Maybe printers. However, I get rather irritated at customers complaining that the wi-fi bands are crowded, when they have their Roku or Apple TV box sitting 1 meter away from their router, but are using wi-fi for the streaming video. Same with customers that buy high power wireless routers, so they can burn their way through several walls and floors, when a 2nd access point at the other side of the house will do a much better job. Lots of other ways to do it wrong.

Then there's backing up the laptop over the network. I use Acronis True Image 2014/2015 over the LAN to a NAS box. It does a block by block image backup and therefore gets literally everything. It's also quite fast, but requires gigabit ethernet to get any kind of real speed over the network. (USB 3.0 for local connections is also quite fast). On a commodity dual core PC, I get at least 2 Gbytes/minute. However, there's always someone who wants to run their backups over the wi-fi, which takes somewhat less than forever, and sometimes brings everyone else's speed to a crawl. When both wi-fi and ethernet are connected, Windoze and OS/X are supposed to use the "cheapest" route, which usually means the fastest. That actually works about 9 out of 10 times, but to be sure, I ask users to turn off their wi-fi client radio before running a backup.

Oh yeah, add some intrusion detection to keep the neighbors and nosey hackers like me out of your network:

Reply to
Jeff Liebermann

Remain ignorant, my friend!!

Reply to
Jolly Roger

because apple writes their own firmware which requires apple's own configuration app (available on multiple platforms) rather than use generic firmware that is branded with a logo and uses a web browser to configure.

if you look at different brands of consumer routers, you'll notice that the firmware is often rather similar.

that raises the bar by a *lot*.

that depends on the router.

apparently you've never had the thrill of a verizon fios actiontec router. configuring that is amazingly convoluted, and for no good reason (verizon intentionally making it hard is not a 'good reason').

both a good idea, although it's rare that each frequency has its own password.

nope.

it won't stop a dedicated hacker who is intent on gaining access (and if that's the case you have bigger problems), however, it will stop random users who are looking for free wifi. they probably won't even know there's a hidden network there.

since there's no downside to hiding it, you might as well do it.

it's wise not to put identifying information in the ssid, but why would being on a list matter?

sometimes that's ok and sometimes not.

i disable ping replies, which is usually enabled. offhand, i don't know what else i change.

that doesn't matter. even if you had dhcp, it doesn't change that often anymore, even across a power outage (unless it's fairly widespread and for a while).

always disable remote login, but why do you need ssh access?

i've never seen a setting to enable or disable a hardware reset.

ok

Reply to
nospam

Ah, but there *is* a (rather real) downside, at least on Windows laptops. I do NOT know if that downside applies to iOS, Android, or Mac though.

On Windows laptops, if you've had to *tell* the OS what the name of the SSID is (which you have to do if it's not broadcasting), then Windows will *always* first search for that SSID forever (unless you reset it) at every connection.


SITUATION 1: So, for example, if your home router SSID is "John Doe", then

*everywhere* you go, will *first* see your laptop scan for "John Doe", and only when that fails, will it try to connect to "Starbucks" or to "McDonalds" or "Library".

SITUATION 2: Of course, you wouldn't put *identifying* information in your home SSID, so, more than likely you'll use something like NETGEAR as your home router name, but, if you do *that*, and use any of a

*million* common router SSIDs, you're in the butterfly tables already hashed!

SITUATION 3: Given what is said above, your only real choice is a *unique* but non-identifying SSID, right? Nope. If you give it a unique SSID, such as "spam123nospam", then *everywhere* you go can target you (because they always *see* what you connect to at home first).

Of course, this is only if the tin-foil hat is on tightly, but, you should at the very least be *aware* of this issue.

Reply to
D. F. Manno

I understand that, if hidden, a nonchalant passerby won't casually "see" your SSID, but, are you really worried about such a passive nonchalant user, especially if you're using WPA2-PSK encryption?

Since there decidedly *is* a security downside (at least for Windows PCs), I pretty much wouldn't recommend hiding it, unless you don't encrypt it, but who would go to the trouble of hiding it but then not encrypting it?

Reply to
D. F. Manno

You need to adjust your tinfoil hat a little tighter to understand why you need to be unique and to broadcast your SSID at home at the same time.

I think the keyword is butterfly, or is it rainbow hash tables? I forget which, but anyone can download the hash for any of a million common passwords (this was years ago, so it's probably ten or twenty million by now) for all the common SSIDs.

Reply to
D. F. Manno
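The "butterfly"/rainbow table point raised in the two posts above comes down to how WPA2-Personal derives its key: the passphrase is run through PBKDF2-HMAC-SHA1 with the SSID as the salt, so a precomputed table is only reusable against networks that share the same SSID. This is an added example, not code from the thread; the SSIDs, passphrases and the tiny table are constructed for illustration, and the "IEEE"/"password" pair is the published 802.11i test vector.

```python
import hashlib
from typing import Dict, Optional, Tuple

ITERATIONS = 4096  # fixed by IEEE 802.11i for WPA/WPA2-Personal
PMK_LEN = 32       # 256-bit Pairwise Master Key


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA2-Personal PMK: PBKDF2-HMAC-SHA1 over the passphrase, salted by the SSID."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), ITERATIONS, PMK_LEN)


def build_table(ssids, passphrases) -> Dict[Tuple[str, bytes], str]:
    """Precomputed (SSID, PMK) -> passphrase map, i.e. what the thread calls a
    butterfly/rainbow table. Constructed here from two three-item lists."""
    return {(ssid, derive_pmk(pw, ssid)): pw for ssid in ssids for pw in passphrases}


def table_lookup(table, ssid: str, pmk: bytes) -> Optional[str]:
    """A hit means the 4096-round work was done in advance for this SSID."""
    return table.get((ssid, pmk))


# Constructed sample data: common default SSIDs and weak passphrases.
COMMON_SSIDS = ["NETGEAR", "linksys", "dlink"]
WEAK_PASSPHRASES = ["password", "12345678", "qwertyui"]
TABLE = build_table(COMMON_SSIDS, WEAK_PASSPHRASES)


def demo() -> Tuple[Optional[str], Optional[str]]:
    # Same weak passphrase on a common SSID: the precomputed table answers instantly.
    hit = table_lookup(TABLE, "NETGEAR", derive_pmk("password", "NETGEAR"))
    # Same weak passphrase on a unique SSID: the table cannot be reused; every
    # guess has to be re-derived from scratch against this SSID.
    miss = table_lookup(TABLE, "spam123nospam", derive_pmk("password", "spam123nospam"))
    return hit, miss


if __name__ == "__main__":
    print(derive_pmk("password", "IEEE").hex())
    print(demo())
```

A unique SSID only removes the precomputation shortcut; a weak passphrase is still weak, so the SSID choice complements a long random passphrase rather than replacing it.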

that's an issue with windows, not with hiding an ssid.

Reply to
nospam

it's another layer to get past.

while it might not be a big obstacle, it's yet another step someone needs to do, which makes the other networks an easier target.

on the other hand, if someone is specifically targeting your network in particular, then you have far bigger problems than using wpa or ssid hiding.

again, that's an issue with windows, not with hiding an ssid.

Reply to
nospam

I generally change the web port from 80, and I change the SSH port from, I think, 443, to something else, to make robo logins a bit more difficult (it won't help against a determined hacker, of course, nor a determined robot, but, it's easy enough to do, and, for me, it stopped a million login attempts that were hammering my router's cpu rejecting them).

Reply to
D. F. Manno

I login all the time to my rooftop router, and to my neighbor's rooftop routers (since we're all on the same subnet), just to see what's going on.

It's how I found out that robots were hammering my system, and, how they stopped while still hammering my neighbor's systems, when I switched the ports.

$ ssh -p 4545 -l adm1n 192.168.2.1
BusyBox v1.11.2 (2014-10-01 16:45:24 EEST) built-in shell (ash)
Enter 'help' for a list of built-in commands.
XM.v5.5.10# tail /var/log/messages

In fact, you can see good stuff for debugging, for example, you can see what DHCP is used and what IP range is on the LAN, etc.

$ cat /etc/dnsmasq.conf

You can even log into your neighbor's rooftop router and see what domains they visit.

$ cat /proc/net/nf_conntrack

It's not wireshark nor netstumbler, but, it's a decent log of everywhere the router has been (less cryptic than wireshark output for example).

Reply to
D. F. Manno
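The "robots hammering my router" seen in the log above is easy to confirm from /var/log/messages rather than by eyeballing tail output. This added example (not code from the thread) parses constructed log lines in the style of dropbear's "Bad password attempt" message and flags any source that racks up several failures inside a short window; the hostnames, users and addresses are made up, with TEST-NET addresses for the outside source.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Loosely modelled on dropbear's failed-login message; not a real router log.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ dropbear\[\d+\]: "
    r"Bad password attempt for '(?P<user>[^']+)' from (?P<ip>[\d.]+):\d+"
)

# Constructed sample: one outside host cycling usernames, one local typo.
SAMPLE_LOG = """\
Oct  1 16:45:01 XM dropbear[811]: Bad password attempt for 'root' from 203.0.113.7:41022
Oct  1 16:45:02 XM dropbear[812]: Bad password attempt for 'admin' from 203.0.113.7:41023
Oct  1 16:45:02 XM dropbear[813]: Bad password attempt for 'ubnt' from 203.0.113.7:41024
Oct  1 16:45:03 XM dropbear[814]: Bad password attempt for 'root' from 203.0.113.7:41025
Oct  1 16:45:04 XM dropbear[815]: Bad password attempt for 'root' from 203.0.113.7:41026
Oct  1 16:45:09 XM dropbear[816]: Password auth succeeded for 'adm1n' from 192.168.2.20:50110
Oct  1 16:52:30 XM dropbear[817]: Bad password attempt for 'adm1n' from 192.168.2.20:50111
"""


def parse_failures(text: str, year: int = 2014) -> List[Tuple[datetime, str, str]]:
    """Return (timestamp, source ip, attempted user) for each failed login.
    Syslog lines carry no year, so the caller supplies one."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["ip"], m["user"]))
    return events


def find_bruteforce(events, threshold: int = 5,
                    window: timedelta = timedelta(minutes=1)) -> Dict[str, int]:
    """Map source ip -> total failures for any source with >= threshold
    failures inside a sliding window (a single fat-fingered login is ignored)."""
    by_ip = defaultdict(list)
    for ts, ip, _ in sorted(events):
        by_ip[ip].append(ts)
    flagged = {}
    for ip, times in by_ip.items():
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(times)
                break
    return flagged
```

Moving the SSH port, as the thread describes, only removes the noise from untargeted scanners; the same counter on the new port is how you notice when one of them finds it again.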

Beautiful :-) ! I love it! Thanks! Cheers, -- tlvp

Reply to
tlvp

There's a setting to enable or disable hardware reset on *every* rooftop radio that I have seen.

Here's a picture of one screen of my rooftop router's configuration:


Of course, these WiFi radios also have sliders for signal strength, distance, channel width, dynamic dns, telnet servers, web servers, ping watchdog, snmp agent, ssh server, ntp client, system log, etc.

Point is that these routers have more features than your average mom-and-pop router, as Jeff well knows.

Reply to
D. F. Manno

It *might* be an issue with the other operating systems (I don't know).

I guess I should ask if anyone here, on the iOS or Android newsgroups knows if this known-Windows problem also affects us?


Reply to
D. F. Manno

Ubiquiti wireless bridge (or router). Nice hardware.

Yep. Features and functions get added faster than bugs get fixed.

I really hate security discussions. They never end, never reach a consensus, there's always one more security hole, and even those routers that are certified and blessed by an expensive certification organization, are problematic.

Anyway, permit me to point out the giant gaping monstrous security hole, that most users can't see or just ignore. It's the WPA-PSK shared key. Every computah, tabloid, smartphone, xbox, etc that connects to a single secured router uses the same pass phrase. Considerable effort has gone into making this pass phrase difficult to sniff and recover. Yet, all it takes is one insecure client radio, and the pass phrase or usable hash code can be recovered. Here's a good example: If you have an Android tablet that's been rooted, there are several utilities that will display the saved pass phrases. I use this one: Steal my ancient Droid X2 and you can see *ALL* my wireless pass phrases. Note that it doesn't matter if you're using WEP, WPA-TKIP, or WPA2-AES encryption. The password is there in plain sight. I assume there's something similar for jail broken Apple products.

So whatcha gonna do? Well, big business uses a WPA2-Enterprise-AES with 802.1x and EAP authentication. You could too, except that there is only one commodity grade wireless router that includes the necessary features (ZyXEL G-2000 Plus) and it's rather limited with only 5 logins. You'll either need to subscribe to a service, or build your own RADIUS server:

So, how duz it work? Very roughly, each user gets a login and password from the RADIUS server when connecting. If they successfully login, the RADIUS server delivers a one-time WPA2-AES key to the client's wireless device, which is only good for the current session. Disconnect, and you get a new key. I won't go into the EAP authentication part (mostly because I barely understand how it works). There are also lots of variations, such as no user/password on login, which is the easy way to do encrypted coffee shop systems.

The RADIUS server does not need to be inside or next to your wireless router. It can be anywhere on the internet. For example, the University of Calif runs one that covers all their facilities. A user can login literally anywhere on the UC system and get authenticated for the entire system. I run my RADIUS server in my office and in a server farm for several of my customers' systems. There are also services that will do it for you. Here's an example of an online service that puts the RADIUS server in the "cloud":

Before the inevitable demise of wireless as we know it, perhaps the router manufacturers will cease advertising astronomical wireless speeds and do something about the pre-shared key security problem? Naw, it will never happen. Security doesn't sell routers, while big numbers do.

Reply to
Jeff Liebermann

Apparently the problem is with iOS, Mac, and

L> Does Linux suffer from the SSID unmasking at public hotspots?

Yes. It's part of the wifi protocol, so it doesn't matter what os is being used. Don't ever use a hidden ssid.

Regards, Dave Hodgins

Reply to
D. F. Manno
