As stated in the header, but to expand, i have been having connectivity issues and as paranoid as I can get i wanted to see if there was any foulplay as I was finding alot of strange, sporadic appearances of Wifi networks in my vicinity.
Prior to these networks appearing I had no connectivity issues. Regardless, to simplify and get to the point, I went to take a look at the attached devices on my router administration page to sus out any potential intruders.
I've just come up to see two mac address appearing on the list, however I am the only connected device. To Clarify I am connecting to a Wireless Extender:
This is where the issue is: The two Mac Addresses are ALMOST ALIKE save for a 1 digit variation. However what is interesting is that the Mac address that is not my NIC's original physical address is assigned to my IP and Vendor {MSI} while my original Mac address is listed as an unknown.
(I have attached the image of my devices page below to show this.)
Is there a possibility that I may be Mac Spoofed or am i being too worried. I am not familiar with protocols or measures used by routers as I am a home user. Perhaps the router needs to duplicate my mac address and amend it for internet connectivity?
I may have not explained my setup properly and will do so if requested.
I appreciate your help Stackoverflow and apologies for my newbie inquisitions.
Regards
Attached devices list
This question should be better to Security Stackexchange.
EDITED
It seems maybe is not a spoofed mac. Sometimes some devices have two mac addresses. Usually because of the dual 2GHz and 5GHz bands.
I got an email from my ISP that i have been victim of the mirai botnet as it decided to take over my security cameras. I thought i was safe from this since none of my devices use default passwords but it appears there was also a telnet vulnerability the bastards were using and were able to create an admin user on the camera server and hijack it. (I've since updated the firmware and wiped out the users and turned off UPNP)
With that said, i would like to get a much better handle on my network after this incident.
I have an ASUS RT-AC66R Router running Merlins firmware instead of stock ASUS.
I have scoured every settings page of the router and cannot find what i am trying to do. How can i setup a white list of MAC addresses to prevent unauthorized access to the camera server on my network? The only devices that should have access are my local machines and my phone which i can all get the MAC's for. I saw some options for IP address white/black listing but that will only do my good on the local network since my IP could be anything on my phone when connecting remotely.
So my next guess is that i need to setup a linux box to act as a firewall before my router?
Can someone point me in the right direction here? Newbie to networking but i know linux basics and and do software development in vb.net/js.
Also, how can i get some logging going so i can start looking at who is hitting my IP on a daily basis and start locking down my network better.
Thanks!
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about a specific programming problem, a software algorithm, or software tools primarily used by programmers. If you believe the question would be on-topic on another Stack Exchange site, you can leave a comment to explain where the question may be able to be answered.
Closed 7 years ago.
Improve this question
I have a BeagleBone Black that is running Debian Wheezy. I want to be able to SSH into it over the internet as long as it is connected to the Internet. I want to be able to type in an URL and be able to access it or deploy software on it.
Many other posts showed how one has to configure the router to forward the port and such. However, I want to be able to take this Beaglebone anywhere, maybe even at a coffee shop with Wifi, and I can quickly access it from another computer through the Internet.
I am wondering what is the best approach to do this. I have my own domain name (provider is Namecheap.com), and I won't mind actually paying for some web hosting services if the solution requires that.
To sum it up, I want to be able to SSH into a Debian Linux system via a domain name without any configuration with the network hardware. I want to be able to quickly set it up and access it as long as the system has internet access. How can this be done?
You need to use a "dynamic dns service", since (most likely) your home ip address is not static. it changes with time, which is why it makes sense to use a domain name. However you can not use a normal dns service, since that updates far too slowly.
You need to configure that dynamic dns service such that it points to the current public ip address of your home router. Typically that is done by a trigger that submits the new ip address as soon as the internet connection has been established. So this has to be done from within your home network, typically by a feature of your router (if offered). Alternatively you can use some utility installed on your boards system that is able to detect its public ip address and when that changes. There are some such utilities in the standard repositories. You can not simply publish your ip every minute or so. It has to be event driven (on connect), or you will probably be blocked by the dynamic dns service.
Then indeed you have to configure port forwarding on your home router. The rule has to forward all incoming requests to a specific port to your boards port 22. Note: do not use port 22 on the outside, so do not forward port 22 to port 22. This works, but you will see constant brute force hacking attacks against your system. Just use something like 50022 or whatever (on the outside!).
That should be all.
I take from your comment that you also want to be able to take that board wherever you go and just use any connection wherever. Such thing is possible, but much more complex. For certain you do need some additional server you have control over. That server has to play relay and forward your requests to your board which establishes an ssh tunnel between that server and itself as soon as it goes online. So you definitely do need some fixed point somewhere. Such a server is no rocket science. You can rent a virtual one for 3-5 Euros a month these days and do with it whatever you want.
The idea here is that your board contacts that server and establishes an ssh tunnel pointing back to its own port 22. Now you can contact the tunnel which is open at the server and your packages will be forwarded through the tunnel to your board. That works, it is a bit slower than otherwise.
In that case you do not need a dynamic dns service, since such a virtual server typically comes with a fixed ip address. So you can simply resolve your domain to that server of yours.
Question in this case is why to do that. Since you already have a comfortable server at your hand, so what is the board for? The only motivation I can think of is to be able to do illegal downloads or hacking attempts in the foreign environment... Which is not an issue in general. Networks are there to be explored. But you clearly should think thrice when you leave the legal ground. Especially about whom you might cause massive troubles :-)
Oh, you could also combine this approach with using your home router instead of a separate server in the internet. Your board can access your home network using the dynamic dns service, contact some system inside your home network which acts just like the rented server described above.
Taking the additional information from that next comment you gave also this might be worth a try, though I am not sure if that will work. You will have to give it a try:
If everyone meant to access the board is within the same local network, then you might get along without the need for port forwarding. You could try to use one of the mentioned dynamic dns utilities to publish your network internal ip address to the dns service. If they accept and publish that address, then everyone should be able to directly access your board inside the local network (so no via the internet), but by using your domain name. I never tried such thing. I could imagine that dns service providers block such thing. But then again, they might not. So it might be worth a try, since it would be a very simple and elegant solution. Also I am not that sure if all systems will accept such an internal address from a dns authority. As said: you will have to try this.
There certainly are more theoretical possibilities, but those certainly are much more complex. If you stay near your board you certainly can also use things like bluetooth or similar. You could bundle a cheap and broken smartphone and use it as a modem, that way the board can act just like the home router above. Certainly you have the option of a wifi ad-hock network connection, but I doubt that is what you are looking for.
One thing I would definitely not do is use a third party service provider specialized in such things. Something like TeamViewer or similar. I consider these a serious and obvious security thread, despite what they claim themselves. You definitely can never trust a closed source or internet only service, since there is simply no way for you do really check what they do. So do not fall for that apparently simple and comfortable solution!
I develop software running laptops from various companies. The employees are allowed to bring these laptops home or on holidays. I want to be able to reliably detect whether the laptops are in the office or not. The laptops are connected to the company network via some kind of VPN (though various solutions are used), so I cannot say that if they can access internet, they are in the office. To make this question even more interesting, please notice that a company might have multiple locations.
Edit: I need to detect this on the laptop.
Speculation: One thing you could look at are the IP addresses allocated to the machine. If you run a VPN then at home then there is probably one IP for the Internet connection and one for the VPN.
I think the answer from Rob is close but maybe you should take into account the gateway used by the NIC.
And if you have time enough a tracert to a known server in your office.
That will give you the route and the intermediate NIC's between the laptop and the known server.
You only have to make sure in that case that on the office location the route to the VPN concentrator is different but that should be possible with a clever dns/dhcp setup.
You might try a more specific question on serverfault.com
This cannot be done reliably, because branch offices can be setup up the same as a home network. And from experience, I'm not saying "almost the same as a home network". I mean literally the same, with non-clued managers buying network equipment from the cheapest local shop, and running copies of Windows XP HOME.
Closed. This question is off-topic. It is not currently accepting answers.
Want to improve this question? Update the question so it's on-topic for Stack Overflow.
Closed 11 years ago.
Improve this question
Obviously there are security reasons to close a wireless network and it's not fun if someone is stealing your bandwidth. That would be a serious problem?
To address the first concern: Does a device on the same wireless network have any special privileges or access that an other device on the internet has?
Assumptions : Wireless network is connected to the internet
The second seems like a community issue. If your neighbor is stealing bandwidth, you'd act just as if he were "borrowing" water or electricity.
First, Talk to him about the problem and if that doesn't work, go to the authorities or lock stuff up. Am I missing something?
Bruce Schneier is famous for running an open wireless network at home (see here). He does it for two reasons:
To be neighborly (you'd let your neighbor borrow a cup of sugar, wouldn't you? Why not a few megabits?)
To keep away from the false sense of security that a firewall gives you. In other words, it forces him to make sure his hosts are secure.
Personally, I would never run an open wireless network for one reason: accountability. If someone does something illegal on my network, I don't want to be held accountable.
I don't think the biggest problem is just someone stealing your bandwidth, but what they do with it. It's one thing if someone uses my wireless network to browse the Internet. It's another thing if they use it for torrenting (I find that slows down the network) or any illegal activities (kiddy porn? not on my network you don't).
Yes you are, your wireless router also doubles as a firewall preventing harmful data from the Internet, by letting one of your virus-infected neighbors in on your wlan you're essentially letting him bypass that.
Now, this shouldn't be a problem in an ideal world since you'd have a well-configured system with a firewall but that's certainly not always the case. What about when you have your less security minded friends over?
Not to mention the legal hassle you could get yourself into if one of your neighbors or someone sitting with a laptop in a car close enough starts browsing kiddieporn.
I feel it all has to due with population density. My parents own a big plot of land nearest neighbor is .5 mile away. To me it doesn't make sense to lock a wireless router down. But if I lived in a apartment complex that thing will be locked down and not broadcasting it's ID.
Now at my house I just don't broadcast my ID and keep it open. The signal doesn't travel further then my property line so I am not to worried about people hijacking it.
I would actually disagree with Thomas in the sense that I think bandwidth is the biggest problem, as it's unlikely there are many dodgy people in your area who just so happen to connect to your network to misbehave. It's more likely I think that you'll have chancers, or even users who don't fully understand wireless, connecting and slowing down your connection.
I've experienced horribly laggy connections due to bandwidth stealing, a lot of the problem is with ADSL - it just can't handle big upstream traffic; if a user is using torrents and not restricting the upstream bandwidth it can basically stall everything.
For most people, the wireless access point is a router that is acting as a hardware firewall to external traffic. If someone's not on your wireless network, the only way they'll get to a service running on your machine is if the router is configured to forward requests. Once a device is behind the router, you're relying on your computer's firewall for security. From a "paranoid" layered security standpoint, I'd consider an open wireless network in this scenario to be a reduction in security.
I've met a lot of people that leave their networks open on purpose, because they feel it's a kind of community service. I don't subscribe to that theory, but I can understand the logic. They don't see it as their neighbor stealing bandwidth because they feel like they aren't using that bandwidth anyway.
Following joshhinman comment, this is a link to an article where he explains why he has chosen to leave his wireless network setup open.Schneier on Open Wireless
This guy is probably the most famous security expert at the moment, so it worths having a look at what he has to say.
As far as the security aspect goes it is a non issue. An open network can allow a determined person to 'listen' to all your unencrypted communication. This will include emails - probably forum posts - things like this. These things should never EVER be considered secure in the first place unless you are applying your own encryption. Passwords / Secure log in to servers will be encrypted already so there is no benefit to the encryption while the packets are in the air. The advantage comes when, as others have mentioned, users perform illegal actions on your access point. IANAL but it seems some corrolations can be drawn to having your car stolen and someone commits a crime with it. You will be investigated and can be determined innocent if you have some alibi or logs showing your machines were not responsible for that traffic.
The best solution to the hassle of using a key for the home user is to restrict the MAC addresses of the computers that can connect. This solves the problem of having un-authorized users (for all but the most advanced at which point your PW likely won't help you either) and it keeps you from having to input a long key every time you need to access something.
Personally, I would never run an open wireless network for one reason: accountability. If someone does something illegal on my network, I don't want to be held accountable.
The flip side of this is deniability. If the government or RIAA come knocking on your door about something done from your IP address you can always point to your insecure wireless connection and blame someone else.
I wish people would stop referring to an open network as 'insecure'. A network is only insecure if it doesn't meet your security requirements - people need to understand that not everyone has the same security requirements. Some people actually want to share their network.
An open network is open. As long as you meant that to be the case, that's all it is. If your security policy doesn't include preventing your neighbors from sharing your bandwidth, then it's not a security fault if it allows them to do that, it's faulty if it doesn't.
Are you liable for other's use of your 'insecure' network? No. No more so than your ISP is liable for your use of the Internet. Why would you want it to be otherwise? Note, by the way, that pretty much every commercial WiFi hotspot in the world is set up in exactly such an open mode. So, why should a private individual be held liable for doing exactly the same thing, merely because they don't charge for it?
Having said that, you do have to lock down your hosts, or firewall off an 'internal' portion of your network, if you want to run fileshares etc internally with such a setup.
Also, another way to deal with 'bandwidth stealing' is to run a proxy that intercepts others traffic and replaces all images with upside down images or pictures of the Hof. :-)
#kronoz: I guess it depends on where you live. Only two houses are within reach of my wireless network, excluding my own. So I doubt that small number of people can affect my bandwidth. But if you live in a major metro area, and many people are able to see and get on the network, yeah, it might become a problem.
It is so easy to lock a wireless router down now, that I think a better question is why not lock it down?
The only reason I can think of is if you had a yard large enough so that your neighbors can't get a signal and you frequently have visitors bringing devices into your home (since setting them up can be a chore).
Note that I'm saying both of those things would need to be true for me to leave one open.
Personally, I would never run an open wireless network for one reason: accountability. If someone does something illegal on my network, I don't want to be held accountable.
The flip side of this is deniability. If the government or RIAA come knocking on your door about something done from your IP address you can always point to your insecure wireless connection and blame someone else.
I would argue that anyone who is running a network is responsible for the actions of all people who use it. If you aren't controlling use, then you are failing as a network administrator. But then again, I'm not a lawyer, so...
As it turns out, when I switched DSL service, the wireless router the company provided is secured out of the box. So unless I add the old router to my network, it will be secured.
On the other hand, it was very convenient to "borrow" a few hours of network time from neighbors while I was waiting for the technician to stop by and install the service. Looks like this might not be an option soon, however.
My biggest concern is there there is never too much bandwidth so a decision to share it is only acceptable if I can somehow guarantee that other people do not use more than, say, 5% of my total bandwidth. Which may or may not render my connection useless to other people, depending on what they mean to do with it.
As most wireless standards are very hackable I can understand the logic behind not securing it, as it removes the false sense of security that wireless security provides.
However, in NZ bandwidth is expensive; I cannot afford for randoms to leech that off me. As the vast majority of people don't have a clue regarding hacking wireless connections having this admitedly pitiful defense wards of most of the lazy.
If anyone cares enough they can hack my crappy WEP encryption and get themselves some free Internet and free leech until I care enough to stop them. Then I'll upgrade to something better (white-listed MAC addresses, say) which will be harder for them to hack, and the cycle will begin anew.