(Solved) Wifi Protection

I want to build a guest network with a password. I want to ask whether there are any packages or setups to protect wifi against brute force. I hope to block a MAC address after entering the wrong password 10 times. My idea is writing a shell script to watch the log; when wrong password trials are found, the shell script will rewrite the /etc/config/wireless file to block the MAC address and restart wifi. However, it seems to be inefficient. If there are any packages or setups to protect wifi, I hope to use them instead.
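A sketch of the log-watching idea described above, added here as an example and not the poster's own script. It assumes hostapd writes an `AP-STA-POSSIBLE-PSK-MISMATCH <mac>` line to `logread` when a client fails the 4-way handshake, that the guest network is the second `wifi-iface` section, and uses OpenWrt's `macfilter`/`maclist` UCI options; the log lines are constructed.

```sh
#!/bin/sh
# Added example, not the original poster's script. Counts hostapd
# PSK-mismatch events per client MAC in a logread dump and emits the uci
# commands that would put repeat offenders on the guest deny list.
# Assumptions: hostapd logs "AP-STA-POSSIBLE-PSK-MISMATCH <mac>" on a
# failed 4-way handshake; the guest wifi-iface is @wifi-iface[1].

THRESHOLD="${THRESHOLD:-10}"              # wrong attempts before blocking
GUEST_IFACE="${GUEST_IFACE:-@wifi-iface[1]}"

# Read log lines on stdin; print each MAC seen in >= THRESHOLD mismatches.
offenders() {
  awk -v limit="$THRESHOLD" '
    /AP-STA-POSSIBLE-PSK-MISMATCH/ {
      for (i = 1; i <= NF; i++)
        if ($i == "AP-STA-POSSIBLE-PSK-MISMATCH") count[tolower($(i+1))]++
    }
    END { for (m in count) if (count[m] >= limit) print m }
  ' | sort
}

# Print (do not run) the uci commands that deny one MAC on the guest iface.
deny_commands() {
  printf 'uci set wireless.%s.macfilter=deny\n' "$GUEST_IFACE"
  printf 'uci add_list wireless.%s.maclist=%s\n' "$GUEST_IFACE" "$1"
}

# Constructed sample of what logread shows during failed PSK attempts.
SAMPLE_LOG='daemon.info hostapd: wlan1: STA 02:11:22:33:44:55 IEEE 802.11: associated
daemon.info hostapd: wlan1: AP-STA-POSSIBLE-PSK-MISMATCH 02:11:22:33:44:55
daemon.info hostapd: wlan1: AP-STA-POSSIBLE-PSK-MISMATCH 02:aa:bb:cc:dd:ee
daemon.info hostapd: wlan1: AP-STA-POSSIBLE-PSK-MISMATCH 02:11:22:33:44:55
daemon.info hostapd: wlan1: AP-STA-POSSIBLE-PSK-MISMATCH 02:11:22:33:44:55'

# On a router: logread | offenders | while ... ; then commit and restart wifi.
main() {
  printf '%s\n' "$SAMPLE_LOG" | offenders | while read -r mac; do
    deny_commands "$mac"
  done
  echo 'uci commit wireless'
  echo 'wifi'
}
```

A blocked MAC is only as fixed as the client chooses to make it, so this limits log noise from a given device rather than stopping a determined attacker; review the emitted commands before piping them into a shell on the router.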

I don't know if there is such a package or not because there's a lot of random packages floating around that aren't a part of the official repo.

I do know this: you're not likely to get hit with someone brute forcing wifi unless they think the PSK is really weak OR they don't know what they are doing. Usually wifi hackers are just going to deauthenticate one of the clients and attempt to gain the PSK hash. From there they will use a rainbow table, which is tons faster than a wifi BFA.

Honestly, if someone wants on your wifi they are going to get in, and there's nothing you can do about it (other than shutting it off :slight_smile:). I believe WPA2 came out in 2006 or 2008 and is due to be replaced in the next year or so, which "should" help with wifi security. Until then, just make sure you have WPA2 CCMP/AES selected, and if you can, do MAC filtering just to add another layer or barrier that someone would have to contend with if they broke in. Oh yeah, if you're really security sensitive, also be sure to make that PSK long.

Best Regards,

Thank you for your advice. I want to set up a file server and share some data to the guest network. However, there are some wifi hacking apps on Android and iOS. I am worried about unauthorized access to the server. Writing a shell script and mailing a report log seems to be the best thing I can do at this moment.

Also, you can make your SSID not broadcast. It adds some security, but not against experienced hackers.
As mentioned before, WPA2/AES is enough. You can change your wifi password from time to time to be sure.

Add another layer of security on the file server, such as requiring users to authenticate with the file server.

Blocking on MAC address isn't that secure; most devices can spoof another MAC address...


Use a password manager (like LastPass or KeePass) to make a 63 character, randomly generated password with uppercase, lowercase, numbers, and special characters. Your password manager and your client devices will remember your password for you so you don't have to. 63 characters is the maximum allowed length. Set it to WPA2 (only WPA2, not WPA2/WPA mixed mode) and set it to force AES. Also, change your SSID to something custom (this breaks rainbow tables). Don't bother with MAC address filtering, because, as juppin said, those are trivially easy to spoof.

Then once WPA3 becomes supported by OpenWrt and your client machines, enable WPA3/WPA2 mixed mode. My guess is that open-source operating systems like OpenWrt, LineageOS, and desktop Linux will be ways for people to get WPA3 support in a timely manner and without having to buy new hardware. Some of the most important changes WPA3 will bring are (1) per-client encryption and (2) public WiFi that's encrypted without the need to enter a key. That said, for the next few years people will need to leave WPA2 enabled alongside WPA3, for purposes of backwards compatibility.

Edit: Since this is for a guest network, that kind of password would be too difficult for your guests to type. In that case, use diceware to generate your passwords. About five random words ought to do it, while still being practical for your guests to type. The 63 character random password would be for your non-guest network.


It seems that WPA2 with AES and a long password are enough for daily wifi protection in most cases. Also, a hidden SSID and additional authentication on the internal server should be set up on the private network. I mark the topic as solved. Thank you for all the replies.


Diceware is a cool idea, but I personally find keepass2 the way to go. No one types a password more than once these days; an 80-bit entropy hex string is 20 characters and unambiguous (no "is this a zero or a capital oh, ell vs one" etc. issues). I'd suggest checking it out.

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.