New on LowEndTalk? Please Register and read our Community Rules.
All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.
Comments
I hope your passwords aren't chosen on the basis that Anime characters can't be part of a "dictionary" attack.
If I use a browser exploit to attack low-hanging fruit on your LAN, I can then turn around and attack your more important machines on your LAN from within the LAN, even without root permissions on the beachhead machine (with root permissions it would be easier to do packet sniffing to discover local addresses). Exporting any NFS or Samba shares to your LAN from your shiny otherwise-firewalled Linux box? Maybe not you, but many people do, and this software is far from perfect. Randomization is a good idea.
Yup, Netgear has done this for ages.
Certainly not, but as you probably realize, passwords are several orders of magnitude more valuable data than a hostname (which might resolve to a private IP, and which is most likely firewalled even if not).
What about the people on my network? Obviously I don't want my neighbors or guests knowing what subnet camera1.my.domain is on or what subnet I have my important NAS on. I'm not worried about people on the internet, I'm worried about people who either know one of my Wi-Fi passwords or people who want to break into my house.
I understand I'm a special case, and I'm not saying what others are doing is a bad idea; it's just a bad idea for me, and I won't do it for security reasons.
Set up your network so that these are on separate VLANs/SSIDs, and that the guest ones don't have access to sensitive ones.
People knowing your Wi-Fi password can probably just scan your private subnet to find out all your devices if they want to. People breaking into your house... they are not after your IPs.
With WPS PIN enabled it's not difficult to get access with Kali Linux anyway; any kid can do it nowadays. Make sure that shiz is turned off.
I can't find a way to set up VLANs on wireless interfaces, especially when the guest interface is a slave to the primary interface. If I could VLAN my network off then things would be much easier, although my biggest security issue is physical and not wireless, so VLANs won't protect me from people wanting access to my security system.
People breaking into my house would probably love to disable my security system though.
I'm not sure how we got so off topic since these security concerns don't affect 99% of people. I already said my case is extremely rare and people in my situation probably don't care as much about network security as I do.
For wireless you set up two different SSIDs, and then bridge those SSIDs with trusted/guest VLANs on the wired side (if that's even required; could just give the guest SSID access to WAN only). This all is easily done with e.g. OpenWRT.
When I was researching this, MikroTik only allowed one VLAN for all wireless interfaces (since they are all the same physical interface with just virtual interfaces). I'll look into it, but as of a few months ago it either wasn't possible or nobody on their forum could figure out how.
Because Netgear own routerlogin.net.
Hm, you're right. I didn't bother querying the domain externally.
There's actually a newer WPS exploit that isn't PIN bruteforcing, called pixiedust.
If the router's network chipset is vulnerable (I think Ralink, Realtek, and some Broadcom are), it can calculate the WPS PIN after scripts like reaver sniff the hashes during a transaction.
Look it up. It's quite interesting.
Really, randomization for IPv4??
You didn't get the pun, my friend.
Depends what kind of attack, against some it may help. If an attack is based on fooling the browser into making a connect() to a LAN address, but only once per page load, or you can only have one outstanding connection with a long timeout, you can see why it would be hard to scan an /8. If you also randomize the ports you put services on on your LAN, you require even more throughput for an attacker to find services.
NAT IPv4?
If you're connecting from a browser attack, presumably the browser would have access to the private DNS infrastructure (otherwise it could be firewalled from whatever sensitive services are running).
Anyway I suppose for some situations you might care, but in this case it sounds like the convenience outweighs the potential security risk.
Keep in mind that such things are called "DNS Rebinding" attacks. Many DNS servers filter this by default and you might run into issues if you for example use a laptop that needs to resolve a domain into an IP address inside a VPN when you're at some public WiFi.
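The filtering mentioned in the last comment, sketched as an added example that is not part of any post in this thread: a resolver-side check that drops answers pointing at internal address space, with an exemption list for zones that are supposed to resolve there (the VPN case). All names, zones and addresses are constructed, and the exemption list is a hypothetical setting.

```python
import ipaddress

# Address space a public name should never resolve to.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8",     # loopback, link-local, "this" net
    "::1/128", "fc00::/7", "fe80::/10",               # IPv6 loopback, ULA, link-local
)]

# Hypothetical exemption list: zones expected to resolve to private
# addresses, e.g. an internal zone reachable over a VPN (constructed name).
ALLOWED_PRIVATE_ZONES = {"vpn.corp.example"}


def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    # Unwrap IPv4-mapped IPv6 (::ffff:10.0.0.5) so it cannot slip past the check.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in INTERNAL_NETS)


def in_allowed_zone(name: str) -> bool:
    name = name.rstrip(".").lower()
    # Match the zone itself or a true subdomain, not a lookalike suffix.
    return any(name == z or name.endswith("." + z) for z in ALLOWED_PRIVATE_ZONES)


def filter_answers(name: str, answers: list[str]) -> tuple[list[str], list[str]]:
    """Return (kept, dropped) address lists for one DNS response."""
    if in_allowed_zone(name):
        return list(answers), []
    kept = [a for a in answers if not is_internal(a)]
    dropped = [a for a in answers if is_internal(a)]
    return kept, dropped


# Constructed sample responses: (queried name, returned addresses).
SAMPLE_RESPONSES = [
    ("www.example.org", ["198.51.100.10"]),
    ("rebind.attacker.example", ["203.0.113.7", "192.168.1.1"]),
    ("mapped.attacker.example", ["::ffff:10.0.0.5"]),
    ("nas.vpn.corp.example", ["10.8.0.12"]),
]

if __name__ == "__main__":
    for qname, addrs in SAMPLE_RESPONSES:
        kept, dropped = filter_answers(qname, addrs)
        print(f"{qname}: kept={kept} dropped={dropped}")
```

Without the exemption entry, the last sample response would come back empty, which is the breakage the comment describes for internal names resolved from a public Wi-Fi network.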