Advice needed about Wifi Security

Holdup....what????

You opened a bug report?

  • OP made a MAC filter
  • Others are connecting not on that MAC filter
  • The log tells you...

How is this a bug???

Albeit, it's not good it is a Security option...it is one. I doubt it will be taken as a bug.

Can't you lower the logging level?

How can I do it?

https://wiki.openwrt.org/doc/devel/debugging

See section on

Logging hostapd behaviour


Finally I decided to disable MAC Filtering, and now the log has come to "normality".

Maybe technically it is not a bug, I can't discuss that, but in my opinion it is not correct behavior in hostapd logging.

Not true at all. It makes it more difficult and time consuming, and will protect you from people trying to guess the password that connect to your router manually brute forcing....

But it's easy to capture the EAPOL packets using tools such as aircrack-ng suite. At that point you just run aircrack-ng against that capture file with a wordlist. You don't even have to be near the router once the handshake is captured while it is cracking as it's all done at this point without having to attempt to authenticate with the router.

It's time consuming, and resource consuming, but is not out of the realm of possibility. If your password is n characters long, and the person has a wordlist of all combinations of characters up to your password length or greater, it can be cracked. It may take months or years, depending on the machine(s) used to crack it, but it still is possible. If you have access to a botnet and can distribute the work it makes it faster, as well as using GPUs.

So in conjunction with a complex WiFi password, changing it regularly also improves security. Changing your passwords regularly is just security basics 101.


A password in line with the recommendations in the Wireless Overview wiki, would be impossible to crack in a human lifetime:

  • Since I'm not sure on the exact number of symbols that can be utilized, let's use 18. With case sensitive, alphanumeric, this would equate to 80 possible characters that can be utilized.

    • (17*10^-6 * 80^16) / 2 / 60 / 60 / 24 / 365 = x

      • 17*10^-6 = 0.0017ms
        • Approximately how long it takes an 8C 2.8GHz CPU to process SHA512 hashes
          • I don't believe wifi passwords use SHA512 for hashing, but I do believe they use SHA256

      • 80^16 = 2.81474976710656e+30
        • 80: amount of alphanumeric characters
          • 26 lowercase
          • 26 uppercase
          • 10 numbers
          • 18 symbols
        • 16: Amount of characters in the password

    • (17*10^-6 * 80^16) / 2 / 60 / 60 / 24 / 365 = 758,668,601,611,040,100 yrs per PC

      • Let's say a botnet has 100,000 devices:
        • (17*10^-6 * 80^16) / 2 / 60 / 60 / 24 / 365 / 10^4 = 7,586,686,016,110.401 yrs

        • Botnet completely comprised of GPUs for calculations (+100>)
          • (17*10^-6 * 80^16) / 2 / 60 / 60 / 24 / 365 / 10^6 = 75,866,860,161.10402 yrs

        • Largest botnet ever was 12M devices, and we'll give each a GPU for calculations (+1,200,000,000>)
          • (17*10^-6 * 80^16) / 2 / 60 / 60 / 24 / 365 / (12 * 10^8) = 632,223,834.6758667 yrs

      • 12M device botnet completely comprised of supercomputers using GPUs for calculations (+180,000,000,000,000>) [150,000 * 12,000,000 * 100]
        • (17*10^-6 * 80^16) / 2 / 60 / 60 / 24 / 365 / (18 * 10^13) = 4,214.82556450578 yrs

  • This assumes password will be cracked when half of the possible passwords are checked, hence division of two

    • Even with SHA256 hashing, it would still be fundamentally, literally, impossible to brute force a password in line with the recommendations, hence why I added the recommendations.

Can it still be cracked? Yes. Therefore your absolute that it can not is inaccurate.

It would take a botnet comprised of 12M supercomputers utilizing GPUs for calculation 4,214 YEARS to crack SHA512.

I don't have the time at the moment to calculate SHA256 hashing times, but we'll provide an improbable speed up of 75%, of which it would still take 1,053 YEARS

  • I'm not sure what reality you live in...

Is it still crackable? Regardless of time?

NO!

  • To quote Bill Murray:
    • "It's hard to win an argument with an intelligent person, but it's damn near impossible to win an argument with an ignorant person"

This is what it means to use a complex password. A complex password looks like YugE6!00&d

And so no it's not possible to just run aircrack-ng against that sort of thing

Ok buddy...

In cryptography it's always accepted that brute force is an option theoretically, therefore literally ALL of security is built on making brute force take impossibly long; that's the modern definition of security. So if the largest conceivable botnet would take 1000 years to crack a device with a 10 year lifetime, it's by the modern definition secure.

Just for fun: https://securityonline.info/naive-hashcat-crack-password-hashes/

I'm not going to take the time to read every post, so some of this has probably already been covered.

The 'Bad guys' that know what they are doing are probably not going to 'brute force' a wifi account, and what I mean by brute force is password guessing. Unless they know the user uses weak passwords they won't waste time. Wifi's weakness is in the key and hash exchange during authentication. If the 'bad guy' can force a re-authentication of clients and steal the hash, then they will begin using rainbow tables to match 2 hashes. << Much faster than password guessing.

CCMP-AES Encryption < No publicly known weakness. Recommended.
WPA2 < There are weaknesses here and are commonly attacked. Recommended over WPA or earlier.
PSK < recommended password length is equal to or greater than 20. Recommended against APT's!
MAC Filtering < Recommended. Always take a layered approach to security. Though this hurdle can be passed, it does add difficulty. Recommended

About password length.. People have rainbow tables Terabytes in size of pre-computed password hashes of all possible combinations but limited length. Though shorter passwords are probably going to be safe, it isn't likely going to stop an APT. As state sponsored hacking continues to grow, many of these APT techniques are filtered down over time. I recommend staying ahead of the curve and just making it 20 characters or more. Make your password an "out of the blue" phrase you can remember, and then sprinkle in an Upper Case or special Character.
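An added example, not part of any post in this thread: WPA/WPA2-Personal does not hash the passphrase with a single SHA-256 or SHA-512. It derives the pairwise master key with PBKDF2-HMAC-SHA1, 4096 iterations, salted with the SSID, so every guess costs thousands of hash operations and any precomputed table is only valid for one SSID. The sketch below derives the key and reruns the thread's keyspace arithmetic with a configurable guess rate; the SSIDs, sample passphrases and function names are constructed for illustration.

```python
import hashlib
import time


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-Personal PMK: PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds, 32 bytes."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrases are 8 to 63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def measure_pmk_rate(samples: int = 20) -> float:
    """PMK derivations per second on this machine, single core."""
    start = time.perf_counter()
    for i in range(samples):
        wpa2_pmk(f"constructed-{i:04d}", "ExampleSSID")  # constructed inputs
    return samples / (time.perf_counter() - start)


def years_to_search(charset: int, length: int, guesses_per_second: float,
                    fraction: float = 0.5) -> float:
    """Years needed to try `fraction` of all charset**length candidates."""
    seconds = (charset ** length) * fraction / guesses_per_second
    return seconds / (60 * 60 * 24 * 365)


if __name__ == "__main__":
    # Same passphrase, two constructed SSIDs: the derived keys differ, so a
    # table precomputed for one network name is useless against another.
    for ssid in ("ExampleSSID", "ExampleSSID-5G"):
        print(ssid, wpa2_pmk("YugE6!00&d", ssid).hex())

    # The thread's figure: 80 symbols, 16 characters, 17 microseconds per guess.
    print(f"thread estimate: {years_to_search(80, 16, 1 / 17e-6):.3e} years")

    # The same estimate using the real per-guess cost measured locally.
    rate = measure_pmk_rate()
    print(f"local PBKDF2 rate: {rate:.0f} guesses/s")
    for length in (8, 10, 16, 20):
        print(f"{length:2d} chars: {years_to_search(80, length, rate):.3e} years")
```
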

I'd still consider all 802.11 wireless as insecure. That doesn't mean to ignore security; on the contrary, do all that you reasonably can to improve it by good choices and practices. It not only means that you may have someone on your wireless network that is "unexpected" and potentially hostile, but also that you should not trust 802.11 encryption for anything of value.

While CCMP / AES "forced" encryption is the recommended choice for most security-aware home use, it might be better to state

(Strike-out mine)

There are plenty of vulnerabilities and weaknesses that have been known for years or decades. Some have been patched, some not. Of some patched, who knows on a specific device, client or AP.

That way we aren't potentially suggesting to someone that wireless is "secure", or even as secure as PCI-compliance requires, or TLS with forward-secrecy.

I've been trying to disable hostapd log, but I can't find the way to do it.
I tried: https://stackoverflow.com/questions/32205140/hostapd-debug-level-configuration but it doesn't matter what I change, the result is always the same.

Please, could somebody teach me how to do it?

Thanks,

I've got a similar issue but it seems that this is because of my WiFi configuration. Both my 802.11 AC and N wifi networks have a similar name, and MAC address filter is enabled for both networks, so AC clients can connect only to the AC wifi network and the same for the N clients. Though strangely I have had this configuration for years but never seen these messages before. I can see my clients trying to connect to the opposite network and also I can see a lot of unknown MAC addresses trying to connect to my networks.

Because of hostapd update.

Hi. Sorry for bringing up an old topic, but did anyone find a solution to the log over-spamming problem? I get these annoying messages even at log level 2. The log looks ugly and big. I'd like to never receive only those particular daemon.notice hostapd: Station xx:xx:xx:xx:xx:xx not allowed to authenticate messages.