So, you have a new ADSL line and it's up and running...

Network problem solving and tweaks
Rayne
Registered User
Posts: 7868
Joined: 11 Oct 2004, 02:00

Post by Rayne »

Ja I misunderstood you a bit there.

Like I said I'm a noob to ADSL.

Anyways, I upgraded from 384 - 512 and then again from 512 - 1024.

Telkom changed the ports both times and SAOL disconnected me both times.

When I phoned they told me this is normally what happens when you upgrade, after I had to verify my details confirming it was indeed my account, obviously.

I have my router still on default password so I'll change that all the same.

/ Good advice btw.
Sojourn
Registered User
Posts: 5649
Joined: 02 Sep 2004, 02:00
Location: Still looking...

Re: So, you have a new ADSL line and it's up and running...

Post by Sojourn »

Cool
SBSP
Registered User
Posts: 3124
Joined: 09 May 2006, 02:00
Location: Centurion

Post by SBSP »

Automatic Windows Update must know No 9.
Why
Hackers constantly find weak points (Exploits) in you OS. And those weak points constantly gets patched with better security by the OS developers
and prevent a hacker to exploit the weak points, and possibly either gain access to your computer, or do malicious things to it.


How
1.Click Start then Control Panel.
2.Click the "Switch to Classic View" link, if it says "Switch to Category View" Skip this Step.
3.Double Click Security Center.
4.Click Automatic Updates.
5.Click the option box "Automatic Recommended" click OK to Save.
Sojourn
Registered User
Posts: 5649
Joined: 02 Sep 2004, 02:00
Location: Still looking...

Post by Sojourn »

SBSP wrote:Automatic Windows Update must know No 9.
Why
Hackers constantly find weak points (Exploits) in you OS. And those weak points constantly gets patched with better security by the OS developers
and prevent a hacker to exploit the weak points, and possibly either gain access to your computer, or do malicious things to it.


How
1.Click Start then Control Panel.
2.Click the "Switch to Classic View" link, if it says "Switch to Category View" Skip this Step.
3.Double Click Security Center.
4.Click Automatic Updates.
5.Click the option box "Automatic Recommended" click OK to Save.
Tnx SBSP, I will update no.9 soon with your input.

s
SBSP
Registered User
Posts: 3124
Joined: 09 May 2006, 02:00
Location: Centurion

Post by SBSP »

CTRL-ALT-DEL Step 6. sorry i don't mean to take over but this is
interesting for the ones who don't know.
Not sure if the below is n00b friendly though

Why
Malicious programs can emulate looping brute forced or dictionary passwords as a login via API and eventually authenticate.
and gain access
Where as The CTRL-ALT-DEL (secure attention key) screen only responds to the keyboard, because the kernel only allows
the winlogon.exe process id to handle the CTRL-ALT-DEL request, ignores system requests, and keyboard hooks (Key logging) are also disabled.

So that means only physical keyboard entries are accepted (Almost like firewall, you can call it a process id firewall if you want :wink: )

How.
Sorry i'm on a domain, cant check the exact steps.
viceroy
Registered User
Posts: 3565
Joined: 27 Mar 2006, 02:00
Location: I forget

Post by viceroy »

So that means only physical keyboard entries are accepted
Not totally true since you can remotely log into a PC with something like PC Anywhere.
Image
SBSP
Registered User
Posts: 3124
Joined: 09 May 2006, 02:00
Location: Centurion

Post by SBSP »

viceroy wrote:
So that means only physical keyboard entries are accepted
Not totally true since you can remotely log into a PC with something like PC Anywhere.
Its not that its not true.

I'm talking locally


thats just another thing to take into account Remote Desktop sharing needs to be disabled, its designed to accept request from a remote connection.

also then a malicious program can be made to send brute forced or dictionary passwords to the target machine via the network, thats where account lock out comes into play.
viceroy
Registered User
Posts: 3565
Joined: 27 Mar 2006, 02:00
Location: I forget

Post by viceroy »

Well yes.

And we honestly expect n00bs to actually get all of this? eish!
Image
Y0da
Moderator Emeritus
Posts: 5865
Joined: 19 Mar 2004, 02:00
Location: In a cave, In a galaxy far far away.

Post by Y0da »

viceroy wrote:Well yes.

And we honestly expect n00bs to actually get all of this? eish!
Which is why people like me make a living. :twisted:
Just when I got the hang of life they changed the rules.
viceroy
Registered User
Posts: 3565
Joined: 27 Mar 2006, 02:00
Location: I forget

Post by viceroy »

Which is why people like me make a living.
A statement which hold true for most of us here I think :)
Image
SBSP
Registered User
Posts: 3124
Joined: 09 May 2006, 02:00
Location: Centurion

Post by SBSP »

viceroy wrote:
Which is why people like me make a living.
A statement which hold true for most of us here I think :)
True Dhat!
Sojourn
Registered User
Posts: 5649
Joined: 02 Sep 2004, 02:00
Location: Still looking...

Post by Sojourn »

viceroy wrote:Well yes.

And we honestly expect n00bs to actually get all of this? eish!


The focus is more on HOW to make the changes to your config to be more secure, than WHY you are doing it, I added the why just to explain it as simple as possible.

s
SBSP
Registered User
Posts: 3124
Joined: 09 May 2006, 02:00
Location: Centurion

Post by SBSP »

Sojourn wrote:
viceroy wrote:Well yes.

And we honestly expect n00bs to actually get all of this? eish!


The focus is more on HOW to make the changes to your config to be more secure, than WHY you are doing it, I added the why just to explain it as simple as possible.

s
Well i still think this is a great idea though.
User avatar
Ron2K
Forum Technical Administrator
Posts: 9050
Joined: 04 Jul 2006, 16:45
Location: Upper Hutt, New Zealand
Contact:

Post by Ron2K »

SBSP wrote:How.
Sorry i'm on a domain, cant check the exact steps.
  1. Go to the Control Panel, click on User Accounts and turn off the Welcome screen.
  2. Click on Start, then Run. Type in "control userpasswords2" and press OK. In the applet that should appear, click on the Advanced tab and make sure that the checkbox titled "Require users to press Ctrl+Alt+Delete" is selected.
Kia kaha, Kia māia, Kia manawanui.
SBSP
Registered User
Posts: 3124
Joined: 09 May 2006, 02:00
Location: Centurion

Post by SBSP »

Ron2K wrote:
SBSP wrote:How.
Sorry i'm on a domain, cant check the exact steps.
  1. Go to the Control Panel, click on User Accounts and turn off the Welcome screen.
  2. Click on Start, then Run. Type in "control userpasswords2" and press OK. In the applet that should appear, click on the Advanced tab and make sure that the checkbox titled "Require users to press Ctrl+Alt+Delete" is selected.
There we go
User avatar
Ron2K
Forum Technical Administrator
Posts: 9050
Joined: 04 Jul 2006, 16:45
Location: Upper Hutt, New Zealand
Contact:

Re: So, you have a new ADSL line and it's up and running...

Post by Ron2K »

While I'm at it...
Sojourn wrote:2. If you are not using the wireless feature of the router, disable it. If you ARE using it, make it secure.

(Why? - pending)

(How-to pending.)
I'll just write the "Why" for now.

As is obviously implied, anyone and everyone can connect to an unsecured network. It's the same as someone bringing a computer to your house, plugging in a network cable and using your Internet connection - only it's easier for a hacker to use wireless as they don't need physical access to your property. All he needs do is sit in the street with a WiFi enabled laptop and blow your cap.

For this reason, wireless should be turned OFF if you're not planning on using it. In fact, rather don't get a modem or router with wireless capability if you won't use it. Besides the increased security that this gives you, it also saves you a few hundred bucks. :P

If you're like me (the layout of my place makes it impossible for me to run cables) and you have to go wireless, then you simply MUST secure it. Most decent routers offer you the choice of WPA or WEP. Never choose WEP; it has cryptographic weaknesses and can be cracked in a few minutes. If your router only offers WEP, get a new router. If you can't manage this, then start laying cables instead.

There are two flavours of WPA: standard WPA and WPA-PSK. Standard WPA uses a RADIUS server to authenticate users. This is quite fiddly to set up and it of course requires a dedicated server for that. It's fine for a company, but not for home use, so there's WPA-PSK which uses a private shared key between the client and the router to authenticate clients - which will do just fine for home use.

I can't stress this enough: make your private shared key as difficult to guess as possible. If it's something easy to guess, you're just providing yourself a false sense of security, and having a false sense of security is worse than having no security at all. Here's an example. When I was working as an instructor at CTI Durban, a company in the same building as us set up a wireless network. They used WEP (which, as I said earlier, is insecure), and used "12345" as their network key. Guess how long it took the students to crack that. On my wireless network, I use a 45 character long key, consisting of letters (mixed-case), numbers, and symbols. You should do the same.

There's two encryption algorithms that you can use with WPA: TKIP or AES. AES is the stronger algorithm but requires more processing power and network overhead; however with todays processors as powerful as they are, there's no excuse not to use AES.

There's other measures that you can take. One of them is to disable the broadcast of your wireless network's name (SSID). A person needs to know what the SSID is in order to connect to the network. Another one is to enable MAC address filtering, where you only allow certain network cards to connect to the network. None of these two methods are foolproof - tools exist to determine hidden SSIDs, and MAC addresses can be spoofed. It does give you a little extra protection, however.

One last point - if you can afford to, don't run DHCP over a wireless network. DHCP automatically provides critical network information like IP addresses over a network. If an attacker connects to your network, he can immediately start stealing bandwidth with this information. Rather disable DHCP and manually configure each workstation, preferably using an uncommon private IP address range (not many people would expect you to use 172.16.0.0/12).

A wireless network can never be 100% secure, but hopefully you can make it secure enough so that J. Random Hacker gives up and moves on to an easier target. (Unless he really doesn't like you.)

Meh, I've said enough. Someone else can write the "How-To". And please correct any obvious errors.
Kia kaha, Kia māia, Kia manawanui.
Sojourn
Registered User
Posts: 5649
Joined: 02 Sep 2004, 02:00
Location: Still looking...

Post by Sojourn »

Tyvm Ron :-)

Updates will be made to the 1st post in the thread as soon as I have the time available for it.

s
User avatar
Ron2K
Forum Technical Administrator
Posts: 9050
Joined: 04 Jul 2006, 16:45
Location: Upper Hutt, New Zealand
Contact:

Post by Ron2K »

Since no-one else seems to want to do it, I'll write the wireless how-to as well. I'll do it as soon as my new router arrives, as then I'll be able to make comparisons between various user interfaces (which should help people out if I can do it properly).
Kia kaha, Kia māia, Kia manawanui.
User avatar
Ron2K
Forum Technical Administrator
Posts: 9050
Joined: 04 Jul 2006, 16:45
Location: Upper Hutt, New Zealand
Contact:

Post by Ron2K »

Wireless How-To

Login to your router with your new username and password (you did read step 1 and change that, didn't you?). Then, look for the wireless configuration page - it's typically called "Wireless Settings", "Wireless" or "802.11g".

Most of the time, the options you need to change will all be on the same page. There may be a few routers however that put core wireless network settings (such as the SSID) on one page and wireless network security on another. Use your head when figuring out where everything is.

The page, when found and loaded, will look similar to the images below (the router in question is the über-expensive and rare as hen's teeth D-Link DGL-4300):

Image

Image

The first thing you need to do is give your network a name, by changing the SSID value. Once that's done, it's a good idea to hide SSID broadcasting. On the DGL-4300, this is set by making the network "invisible", but this is typically called "disable SSID broadcast" or something to that effect.

Next, enable encryption. Find the drop-down list that specifies these options and select WPA-PSK from the list. (The DGL-4300 calls it "WPA-Personal".)

If you have one of the newer routers (or one with new firmware), you may be asked to select between WPA and WPA2. There's not much difference, only that WPA2 supports stronger AES (according to an article that I was reading on SmallNetBuilder this morning). The problem with WPA2 is that not all clients support it, so you may have to leave it on WPA. (A driver update for your wireless network card may help). As you can see, on my network I support both, so that the WPA2 client (my computer) can use WPA2 and the client that doesn't support WPA2 (my sister's laptop) can use WPA.

Next, choose between TKIP and AES. As already mentioned, you should choose AES in almost all cases. The DGL-4300 doesn't have this option; it automatically chooses for you based on your choice of WPA or WPA2.

Finally, put in your network key. The longer, more complex and more difficult to guess it is, the better.

Save your new settings and reboot the router.

Now, you need to put these settings into your client. You'll have to go to your client's advanced options and enter the SSID manually, since you hid it. You also need to specify in your client's options that you're using WPA/WPA2, the encryption cipher (TKIP/AES), and of course the pre-shared key. You'll need to do this for all clients.

If you configure your clients correctly, they should successfully reconnect to the network. Well done, you're among the 1% of users that has a wireless network with decent security. (According to a statistic that I found this morning, 70% of wireless networks are unsecured, 29% use WEP - which can be cracked within minutes these days - and the remaining 1% use WPA.)

If you find that your clients aren't connecting anymore, then double-check the settings in the client - most of the time you would have made a typo with the pre-shared key. If you're still not having much luck, start a new thread and ask for assistance.

That's pretty much it as far as securing your wireless network goes.

<pokes Sojourn to update the first page>
Kia kaha, Kia māia, Kia manawanui.
Sojourn
Registered User
Posts: 5649
Joined: 02 Sep 2004, 02:00
Location: Still looking...

Post by Sojourn »

:-D

I will do so Ron. Just swamped at work at the mo. Going away this w-end.
Will defnitely pump time into getting the 1st page updated in next week.

s
User avatar
Ron2K
Forum Technical Administrator
Posts: 9050
Joined: 04 Jul 2006, 16:45
Location: Upper Hutt, New Zealand
Contact:

Post by Ron2K »

3. Use the firewall if it is a feature on your Router. Install a firewall on your OS. Maintain latest versions / patches of the installed firewall.

Why?

A firewall acts as a kind of filter for TCP/IP traffic. The Wikipedia definition is that it is an "information technology security device which is configured to permit, deny or proxy data connections set and configured by the organization's security policy." Basically, what they're saying is that a firewall controls what comes in to your network, and what goes out.

Obviously, this is incredibly useful from a security point of view, as I'm sure that you don't want J. Random Hacker accessing your shared files and applications on your computer. If J. Random Hacker is really good, he can connect to your computer and take advantage of operating system vulnerabilities, as well as installing all sorts of malware on your computer. A firewall is the first line of defence against this happening.

There are two types of firewall: hardware and software. A software firewall is an application installed on a target computer (like yours), a good example being ZoneAlarm. A hardware firewall is a dedicated piece of hardware that does the same job - typically, your router will be able to do this if you went out and bought a decent one.

In addition, firewalls are also classified by how they operate. Network layer firewalls operate at a relatively low level of the OSI network model, and are IP packet filters. They filter traffic on attibutes such as source IP address, source port, destination IP address, destination port, and that sort of thing. An application layer firewall operates at a higher level and intercepts packets travelling to or from a certain application. ZoneAlarm is, once again, a good example of this, with its feature of controlling access on a per-program basis, while hardware firewalls typically operate at the network layer.

Network layer firewalls typically don't need updating (although it's always a good idea to periodically check for updated firmware for your router); application layer firewalls on the other hand should be updated regularly so that it's database of applications and known application-layer threats are as up to date as possible.

How To

I'll write this sometime this weekend, when I've got access to my router.

I don't claim to be an expert on firewalls, so please point out to me any errors and I'll correct them.
Kia kaha, Kia māia, Kia manawanui.
ADV4NCED
Registered User
Posts: 2164
Joined: 07 Nov 2004, 02:00
Location: KZN
Contact:

Post by ADV4NCED »

Anthropoid wrote:Mr noob, state your router Brand and model please ?
:?
Im on a wireless connection with Zululand Wireless Network.

My router is Mikrotik and there seems to be no model. Asking ZWN for this information resulted in "its a Mikrotik router".

Can you help me?

I guess I can keep on rashing them until they tell me what model it is.

Bear in mind I got no cd with it & theres no installing of it to be done. Its a small black box, a little bigger than a matchbox that says absolutely NOTHING on it.

To make matters worse, ZWN dont even let their customers know what their username/password is for their router :(
Image
I am 63% addicted to Counterstrike. What about you?
Nuke
Registered User
Posts: 3515
Joined: 28 Feb 2004, 02:00
Processor: Xeon E5620
Motherboard: Asus P6T6 Workstation
Graphics card: MSI GTX770
Memory: 24GB Hynix
Location: ::1

Post by Nuke »

Mikrotik is Mikrotik, But its probably loaded on a RB133C, it has almost limitless options if you know how to use it.(I love it..most of the time. lol) The reason the dont give it you you is because you can acually damage the radiocard by increasing the output power. But if you know what you are doing they should really give it to you, I have a few clients that I have shown how the RB works, it makes my life much easier, and if he breaks it he pays for the callout. :lol:

http://www.mikrotik.com/

If you can get the user/pass out of them, feel free to ask me questions, I have more than 100 of those under my controle, so I will be able to answer most questions.
Image
M1K3
Registered User
Posts: 809
Joined: 13 Sep 2005, 02:00

Post by M1K3 »

I have recently signed up with Cybersmart and received their own branded router, however for some reason it disconnects every 14 minutes and I have to reboot the router to get connected again. There is no option to reconnect from the router's menu itself. The DSL light is still active but the PPP is not. Does anyone know what I can do? I have e-mailed their support centre but still awaiting a reply.
User avatar
Ron2K
Forum Technical Administrator
Posts: 9050
Joined: 04 Jul 2006, 16:45
Location: Upper Hutt, New Zealand
Contact:

Post by Ron2K »

My first reaction would be "firmware upgrade", but if it's their own branded router, they may not be too happy about that.
Kia kaha, Kia māia, Kia manawanui.
Post Reply