What is a decent DOCSIS3.0 modem with WiFi?

I understand that, if hidden, a nonchalant passwerby won't casually "see"
your SSID, but, are you really worried about such a passive non-chalant
user, especially if you're using WPA2-PSK encryption?

Since there decidedly *is* a security downside (at least for Windows
PCs), I pretty much wouldn't recommend hiding it, unless you don't
encrypt it, but who would do go to the trouble of hiding it but then not
encrypting it?

 

You need to adjust your tinfoil hat a little tighter to understand why
you need to be unique and to broadcast your SSID at home at the same time.

I think the keyword is butterfly, or is it rainbow hash tables?
I forget which, but anyone can download the hash for any of a million
common passwords (this was years ago, so it's probably ten or twenty
million by now) for all the common SSIDs.

 

that's an issue with windows, not with hiding an ssid.

 

it's another layer to get past.

while it might not be a big obstacle, it's yet another step someone
needs to do, which makes the other networks an easier target.

on the other hand, if someone is specifically targeting your network in
particular, then you have far bigger problems than using wpa or ssid
hiding.

again, that's an issue with windows, not with hiding an ssid.

 

I generally change the web port from 80, and I change the SSH port from,
I think, 443, to something else, to make robo logins a bit more difficult
(it won't help against a determined hacker, of course, nor a determined
robot, but, it's easy enough to do, and, for me, it stopped a million
login attempts that were hammering my router's cpu rejecting them).

 

I login all the time to my rooftop router, and to my neighbor's rooftop
routers (since we're all on the same subnet), just to see what's going
on.

It's how I found out that robots were hammering my system, and, how they
stopped while still hammering my neighbor's systems, when I switched the
ports.

$ ssh -p 4545 -l adm1n 192.168.2.1

BusyBox v1.11.2 (2014-10-01 16:45:24 EEST) built-in shell (ash)
Enter 'help' for a list of built-in commands.

XM.v5.5.10# tail /var/log/messages

In fact, you can see good stuff for debugging, for example, you can see
what DHCP is used and what IP range is on the LAN, etc.
$ cat /etc/dnsmasq.conf

You can even log into your neighbor's rooftop router and see what domains
they visit.
$ cat /proc/net/nf_conntrack

It's not wireshark nor netstumbler, but, it's a decent log of everywhere
the router has been (less cryptic than wireshark output for example).

 

Beautiful ! I love it! Thanks! Cheers, -- tlvp

 

There's a setting to enable or disable hardware reset on *every* rooftop
radio that I have seen.

Here's a picture of one screen of my rooftop router's configuration:
http://i.imgur.com/ow0WyR8.jpg

Of course, these WiFi radios also have sliders for signal strength,
distance, channel width, dynamic dns, telnet servers, web servers, ping
watchdog, snmp agent, ssh server, ntp client, system log, etc.

Point is that these routers have more features than your average mom-and-
pop router, as Jeff well knows.

 

It *might* be an issue with the other operating systems (I don't know).

I guess I should ask if anyone here, on the iOS or Android newsgroups
knows if this known-Windows problem also affects us?

http://lifehacker.com/5636856/is-hiding-your-wireless-ssid-really-more-secure

 

Ubiquiti wireless bridge (or router). Nice hardware.

Yep. Features and functions get added faster than bugs get fixed.

I really hate security discussions. They never end, never reach a
consensus, there's always one more security hole, and even those
routers that are certified and blessed by an expensive certification
organization, are problematic.

Anyway, permit me to point out the giant gaping monstrous security
hole, that most users can't see or just ignore. It's the WPA-PSK
shared key. Every computah, tabloid, smartphone, xbox, etc that
connects to a single secured router uses the same pass phrase.
Considerable effort has gone into making this pass phrase difficult to
sniff and recover. Yet, all it takes is one insecure client radio,
and the pass phrase or usable hash code can be recovered. Here's a
good example:
<http://www.nirsoft.net/utils/wireless_key.html>
If you have an Android tablet that's been rooted, there are several
utilities that will display the saved pass phrases. I use this one:
<https://play.google.com/store/apps/details?id=com.wifipass.recovery>
Steal my ancient Droid X2 and you can see *ALL* my wireless pass
phrases. Note that it doesn't matter if you're using WEP, WPA-TKIP,
or WPA2-AES encryption. The password is there in plain sight. I
assume there's something similar for jail broken Apple products.

So whatcha gonna do? Well, big business uses a WPA2-Enterprise-AES
with 802.1x and EAP authentication. You could too, except that there
is only one commodity grade wireless router that includes the
necessary features (ZyXEL G-2000 Plus) and it's rather limited with
only 5 logins. You'll either need to subscribe to a service, or build
your own RADIUS server:
<http://freeradius.org>
<http://wiki.freeradius.org/guide/WPA-HOWTO>
<http://wiki.freeradius.org/protocol/EAP>
<https://play.google.com/store/apps/details?id=com.larscom.freeradiusandroid>

So, how duz it work? Very roughly, each user gets a login and
password from the RADIUS server when connecting. If they
successfully login, the RADIUS server delivered a one time WPA2-AES
key to the clients wireless device, which is only good the current
session. Disconnect, and you get a new key. I won't go into the EAP
authentication part (mostly because I barely understand how it works).
There are also lots of variations, such as no user/password on login,
which is the easy way to do encrypted coffee shop systems.

The RADIUS server does not need to be inside or next to your wireless
router. It can be anywhere on the internet. For example, the
University of Calif runs one that covers all their facilities. A user
can login literally anywhere on the UC system and get authenticated
for the entire system. I run my RADIUS server in my office and in a
server farm for several of my customers systems. There are also
services that will do it for you. Here's an example of an online
service that puts the RADIUS server in the "cloud":
<http://cloudessa.com>

Before the inevitable demise of wireless as we know it, perhaps the
router manufacturers will cease advertising astronomical wireless
speeds and do something about the pre-shared key security problem?
Naw, it will never happen. Security doesn't sell routers, while big
number do.

 

Apparently the problem is with iOS, Mac, and Linux also, according to
this answer I received today on the linux newsgroup:

Yes. It's part of the wifi protocol, so it doesn't matter what os is
being used. Don't ever use a hidden ssid.

Regards,
Dave Hodgins

 

[]

Not if you have to get it from Download.com with its download wrapper prog.

 

I like http://camelcamelcamel.com to check [Amazon] pricing on things. Just
enter one or more keywords, search, select the item from the list, and you
get a price history that goes back at least several months so that you can
see if the current price is a good deal or not.

 

There are certain areas of Kansas City that have multiple (two) cable
providers. As you mentioned, Google fiber is available in some areas as an
overbuild, and in other areas there's a smaller ISP called Evergreen or
Wintergreen, something like that, as an overbuild. The two big guys, though,
Comcast and TWC, don't overlap each other. In general, Comcast has the
Kansas side of the city and TWC has the Missouri side.

 

Same experience here. I always hear the stories about them blaming a
customer-owned modem, but I've never experienced it.

 

I haven't checked in a long while, but I thought dd-wrt included the
capability to do RADIUS, and thus WPA2-Enterprise.

 

Comcast is apparently doing away with personal web pages, so I assume that
link will die at some point in the not too distant future.

 

All of my laptops are technically 'desktop replacements' and have always
been wired. If I want wireless, I pick up a tablet. IMHO, wireless is too
slow and unpredictable for everyday use.

 

Yep. I forgot about that.
<https://www.dd-wrt.com/demo/FreeRadius.asp>
(click "enable").

The RADIUS and MySQL servers are usually external, but there are those
hardy souls that have gotten it to work in firmware.
<http://www.matrix44.net/blog/wp-content/uploads/2014/05/DD-WRT-WPA2-Enterprise.pdf>
Unfortunately, I gave up trying to make it work, and went to an
external RADIUS server. I guess I should try again with some of the
later builds (e.g. Kong).

 

Then, use the wayback machine.
<https://web.archive.org/web/20150511155230/http://home.comcast.net/~jay.deboer/airsnare/>
It's also on download.com but be careful of the evil wrapper:
<http://download.cnet.com/AirSnare/3000-2092_4-10255195.html>