hacking SSID

Aledio

Good morning group. I have a serious problem and it is difficult for me to solve it. I'm a PFsense apprentice and I need your technical support.

I have my Pfsense and it is configured as a Firewall router, connected to an interface I have a TPLink PCI card.

And I have a tp link TL-WA801ND device that acts as a repeater to expand the WIFI in other areas of the house.

It turns out that the neighbor has been hacking my SSID, which is WPA2, what can I do to prevent this from happening?

The questions are:

What are the best practices regarding WIFI settings from Pfsense?
What rules can I apply to mitigate hacking?

Your support friends on this issue. Thank you

Cool_Corona

You cant besides blocking his IP.

Did he succeed?

bingo600

@aledio said in hacking SSID:

TL-WA801ND

There was a "Serious WPA2 Bug" around 2016/2017.
Have been fixed by some manufactors , but TP-Link might not be one of them .....

Seems like that model is eglible for a replacement
Even OpenWRT says it's "out"
https://openwrt.org/toh/hwdata/tp-link/tp-link_tl-wa801nd_v3

You should get a "Current" AP - ie. Ubiquiti or the like
https://store.ui.com/collections/unifi-network-wireless

At work I have some AP AC Pro , but i would prob look at their new WIFI-6 Series today

Edit: Seems like a V5 of your AP might be able to run OpenWRT
https://openwrt.org/toh/hwdata/tp-link/tp-link_tl-wa801nd_v5
https://openwrt.org/toh/tp-link/tl-wa801nd

That would be my first recommendation ..

OpenWRT is usually quite ok wrt. security patches , as long as you run their latest fw.

@aledio said in hacking SSID:

to an interface I have a TPLink PCI card.

aledio - Do you have an active TPLink wireless PCI card in the pfSense Box, or what does the above statement mean ?

/Bingo

AndyRH

Actions for now while you sort out the hackable AP.

Learn his MAC, set it with a static IP through DHCP. From there rules will stop the outbound. Or limit the speed so it is crazy slow but works so your defense will not be noticed right away. I would assume he will learn to change the MAC, so be prepared.

If you know who it is, check local laws, but by breaking into your network an actual crime has been committed. Ask the police to visit him.

johnpoz

@bingo600 said in hacking SSID:

i would prob look at their new WIFI-6 Series today

Really disappointed in their current lineup of wifi6 AP to be honest.. 1 gig interfaces - come on.. Should be a 2.5 interface..

But the 149 for the wifi6 pro is not a bad price point.. But prob just go with their wifi 6 lite at 99$ to be honest.. wifi 6 by no means is not any sort of must have currently.. Other than maybe your phone - or a laptop what support wifi 6.. Sure not any of your iot devices or tv sticks, etc.

If one of my AP died currently - not really sure what I would replace with... Not a fan of any of their current wifi 6 devices... Might have to look elsewhere if had to replace mine currently..

johnpoz

@aledio said in hacking SSID:

It turns out that the neighbor has been hacking my SSID

And how do you know this exactly?? No offense but have seen users saying their neighbor is hacking them because they see the SSID in their phone list.. Or listed as a neighboring AP, etc.

Also just because your set as WPA2, what is the psk? It should be strong... Ie some 12+ or even say 20ish what amounts to random characters P@55word is not a good psk for example.

This would be a good psk ;)

5pp6ZH@DSccetrWvbhj#

Your ssid should also be unique, and not just the default linksys for example..

NogBadTheBad

@johnpoz

If one of my AP died currently - not really sure what I would replace with... Not a fan of any of their current wifi 6 devices... Might have to look elsewhere if had to replace mine currently..

I had a play with a couple of Aruba Instant APs 345 ( not the InstantOn one I run at home ) was very impressed with the abillity to use one of the APs as the controller as well as an AP.

johnpoz

@nogbadthebad shoot just looking and the 340 series supports 2.5 and they are only wifi 5 AP...

Not sure WTF unifi thinking about sticking with gig on their latest wifi 6 models..

bingo600

@johnpoz
I don't have a single WiFi-6 device at home.
Unless my new ATV4 4K (Gen-6) can do it (got it today) it's PDS linked by the way.

I'm still using the C2702i's i got for $42 a piece, they're still doing fine here. Most of my "static stuff" is on PDS-Cable anyway.

I didn't even look at the Ubi WiFi-6 specs , just expected them to do as good as with the AC-PRO's ...

But i agree strange with claiming multi Gbit WiFi and not being able to link it downwards.

Even the C2702i's have an additional Gbit port for matching the WiFi capacity , if you "really want to" ...

Edit : Seems like i just got a WiFi-6 device
https://www.apple.com/apple-tv-4k/specs/

802.11ax Wi‑Fi 6 with MIMO;

And my only WiFi-6 deivce is on cable

stephenw10

I've yet to see a good use case for .11ax personally. Maybe if you really need much shorter range (at 6GHz), for.... reasons

But not much you can do with that AP security wise if you can't even flash it OpenWRT.

You can isolate it from your network in pfSense. Just assume it's compromised.

Steve

bingo600

This post is deleted!

johnpoz

@stephenw10 said in hacking SSID:

I've yet to see a good use case for .11ax personally

I would concur with the "personally" aspect.. AX does allow for more density of clients while providing higher bandwidth to the clients overall.

I think where you would see most bang for the buck is in environment where you have a bunch of clients that all support ax.. Say for example work setup where all the wifi devices (phones, tablets, laptops) all can do AX.. The QAM moves to 1024, or can - etc. and OFDMA all huge benefits for network with more clients per AP, etc. And MU-MIMO, etc. etc.. Lets not forget HEW as well..

There are for sure many new advantages with wifi 6 to be sure..

But in a home setup or a smb - prob not going to get you much. But users can be obsessed with a benchmark that quite often is meaningless - for example My phone now can see 600mbps per sec vs 400mbps when doing a benchmark on my home wifi, when they are checking email and watching some tiktok video's on it - and 50mbps would more than they would ever need, etc. ;)

I would love to have a good AX AP to play with for sure - but can not justify it as a "play" thing when I have 1 AX capable devices on my network currently ;) My work iphone 13 heheh.. Hey when I get my new work laptop here shortly - I will have 2 ;)

but my work laptop will sit on my desk with a wire - so still really only 1 ax device, hahah

stephenw10

Exactly! Not even close to the device density where the advantages come into play. The number of times I have to transfer a lot of data locally is just insignificant. I can't justify spending the money. Much as I'd like to.

JKnott

@aledio said in hacking SSID:

tp link TL-WA801ND

I have one of those and it has problems because TP-Link doesn't understand VLANs. If you suspect someone has broken WPA2 (do you have proof?), then replace your password with a strong one. I get mine from www.grc.com and use a 63 character random string.
I replaced the TP-Link with a Unifi AC-Lite AP, which not only works properly with VLANs, but also supports 5 GHz.

JKnott

@johnpoz said in hacking SSID:

This would be a good psk ;)
5pp6ZH@DSccetrWvbhj#

I uses ones like this:
BTTD7f21Zu1hLx0LwYwthJLUfJFj9rtKX696npf0jHlak8JryFpzGYqFRaLBghC

JKnott

@nogbadthebad said in hacking SSID:

I had a play with a couple of Aruba Instant APs 345 ( not the InstantOn one I run at home ) was very impressed with the abillity to use one of the APs as the controller as well as an AP.

With Cisco, dumb APs connect to a controller running on a switch.

johnpoz

@stephenw10 said in hacking SSID:

The number of times I have to transfer a lot of data locally is just insignificant

If I was moving significant data locally - I would use a wire ;) heheh even if my laptop supported AX... Sorry while AX is cool and all, and hey speeds are getting pretty impressive to be sure.

Not going to beat a wire, my wire can do 2.5.. If my wifi could do 2.5, then my wire would be able to do 10, etc..

Wire is always going to trump wireless.. It will always be the right bower, if any Euchre players about ;)

akuma1x

@jknott said in hacking SSID:

I uses ones like this:
BTTD7f21Zu1hLx0LwYwthJLUfJFj9rtKX696npf0jHlak8JryFpzGYqFRaLBghC

Oops, not good enough, no symbols...

JKnott

@akuma1x said in hacking SSID:

Oops, not good enough, no symbols...

TfffXxEe;BJ0+Tu'k^(T}/U:s2er5WhC!MC@GHC]Hc(yC}oa<p1mqz5OmCo&z_

bingo600

@jknott said in hacking SSID:

With Cisco, dumb APs connect to a controller running on a switch.

I didn't want Cisco to decide when my 2702i's should be obsoleted, so i am on Autonomous not Lite/CapWAP.

No biggie for me .... I was using them before "Lite".
And i just have 5 active AP's @home / summerhouse.

I even have an old C1242 doing 54Mb coverage in the garden via an ext antenna (have no C2702E's) , works fine for light browsing & a web-radio.

MoonKnight

@jknott

I think you are safe for some time

bingo600

@ciscox
And 10min with (when) enough QBIT's

SteveITS

@akuma1x said in hacking SSID:

no symbols

Character 47 is nonprintable? Maybe? While more secure those are definitely harder to manually put into a TV or something without a keyboard or copy/paste. I have a bit of ASCII art as my SSID and found once it's rather annoying to enter manually.

@Aledio per https://www.tp-link.com/us/user-guides/tl-wa801n_v6/chapter-3-customize-your-network#ug-sub-title-5 that model has Wireless MAC Filtering so you can block the MAC address, or as noted if they start changing MACs you can allow just your devices' MACs.

@CiscoX said:

I think you are safe for some time

yes well now he's posted it for us. :)

JKnott

@bingo600 said in hacking SSID:

I didn't want Cisco to decide when my 2702i's should be obsoleted, so i am on Autonomous not Lite/CapWAP

It would be nice if more APs went with a central controller. With 802.11r you still have to disconnect and reconnect as you move between APs. With the Cisco central controller, you connect to it, instead of the APs, which become little more than bridges.

JKnott

@steveits said in hacking SSID:

While more secure those are definitely harder to manually put into a TV or something without a keyboard or copy/paste.

My Sharp/Roku TV won't accept 63 characters. It chokes somewhere after 40 or so. So, it's on my guest WiFi, which has a much shorter password than my main SSID.

JKnott

@steveits said in hacking SSID:

yes well now he's posted it for us. :)

I don't use that one. I just got it from www.grc.com.

JKnott

@ciscox

I guess it will keep someone busy for a while.

BTW, it should have had 63 characters, but I guess I missed one when copying it.

MoonKnight

@jknott
hehe, that would be one more century for your extra character

JKnott

@ciscox

Actually, a bit longer I think. Another character means 96 times what's listed. I'd better grab a beer first.

@aledio

try to set up wifi aps instead of repeaters.
use the maximum of 63 chars long password (not supported at all vendors)

small raspberry pi with linux and install

OpenLDAP for wired devices
FreeRadius for wireless devices.

put all wifi clients into vlans, e.g.
vlan10 for family = radius certificate - internet & LAN
vlan20 for guests = vouchers - internet only

Alternatively:
Install a small wifi card into your pfsense and turn on
hotspot with voucher system for guests, can also be a
solution

give all clients a static IP address in the entire network
and then narrow down the DHCP address space to them,
that means no other free dchp addresses will be able to given out.

Setting up snort and/or suricata on pfsense and OSSec
on any other devices, you may need another small server
but also another security line.

Turning on wireshark and sniff on your wifi for a while
perhaps on an rapi or notebook or your laptop at the weekend. Watch out any other IPs then your own ones.

try narrow down the entire signal strength of your wifi
so it is enough for you but only in the near area of you
house or apartment. Try to implement WPA3 where ever
you can do it.

Alternatively you may be also able to get hands on
UBNT wifi aps and then you may get also a small
edge router from them and install there the radius
server.