My Wi-Fi got hacked.. How to improve Wi-Fi security?

The best defence is to have a local bozo using an unsecured network to draw their fire.

I have one within wireless range and it always makes me chuckle when I see it pop up in various programs. :D
 
I would. It is silly to recommend against it because someone who knows what they are doing could find them, but who says the person who originally got onto their network was one of those people?

You see kids messing around with silly scripts all the time, doesn't mean they know what they're doing. It could be one of them. If you can make it harder for people to get on, do it. Besides, unless this person is stuck without internet - I doubt they would care that much about not being able to stick on someone's wireless network enough for them to sit there spoofing MAC addresses and finding SSIDs.
 
Or they could simply be using a certain GPU accelerated "password recovery" program (good old Russians :)) which takes zero effort and runs a lot of passwords 24/7.

Still, if you're using the full (64?) WPA2-AES character key then it'll take so long you'll never have to worry if you only changed it every 3-6 months.

Download this http://www.metageek.net/products/inssider , look at all the ones with worse security, smile :)
 
Everyone has pretty much covered everything.

I'd say it would also be a good idea to change the default username for the router CP as well as disable wireless access to the CP.
 
:confused:

Network scanner will pick up the network SSID in seconds. Spoofing a MAC address takes about as long. Job done.

Both of those are just a huge inconvenience to the legitimate users, and no real defence. I wouldn't bother using either.

I completely agree with that actually, there's no point in causing the hassle for legitimate users for the (very) limited benefit it offers (anybody who's worked out how to run a WPA cracking script can work out how to spoof a MAC address) and the 'cost' of it being hacked is pretty low.

If you're paranoid then take the business route and don't allow the wireless access to the internet, allow it access to a VPN endpoint only and force the user to connect a VPN to do anything (another, much more secure level of auth). It's a hassle but unlike turning off SSID broadcast and restricting MAC addresses it offers actual security.
 
WEP can be cracked easily, so switch to WPA2; also filter MAC addresses and cut down the DHCP to the number of devices you actually use. Also try positioning the router more centrally in your house and, if possible, turn down the signal power so it is only available inside your house (though I think this can only be done on open source routers).
 
If you're paranoid then take the business route and don't allow the wireless access to the internet, allow it access to a VPN endpoint only and force the user to connect a VPN to do anything (another, much more secure level of auth). It's a hassle but unlike turning off SSID broadcast and restricting MAC addresses it offers actual security.
This is the first technical suggestion to pique my interest. So here is the obligatory "can it be done on DGTeam firmware?" :D

I have the impression the OpenVPN implementation therein is intended to allow remote (internet) clients to VPN to the router and thus an internal (home) network. Can it be used the other way round, per your suggestion, to enable, for example, a secure home-laptop-to-router tunnel?
 