Recently someone from the outside tried to access our wifi using something that my wife downloaded. At least, that's how it appeared. My wife's computer began running really slowly and funny things began happening to her desktop (the mouse began moving on its own, icons flickered). It appeared that someone was trying to remotely control her computer. I quickly checked our wifi log and found this information repeated several times.
[DoS attack: STORM] attack packets in last 20 sec from ip [199.79.170.214], Saturday, Nov 12,2011 13:11:47
[LAN access from remote] from 71.93.84.50:65342 Saturday, Nov 12,2011 08:10:41
[LAN access from remote] from 71.93.84.50:65336 Saturday, Nov 12,2011 08:10:41
While I had set up some security using "WPA2," I had not set up all of it (not understanding what I was doing). I instantly shut down the sending portion (i.e., the radio transmitter) and began working on the rest of the security. Granted, nothing will prevent the hardest wifi stealer from accessing your network if he/she really wants to, but seeing what can be done by those who try made me realize I needed to know more about how to prevent it. Below is a list of things I found and I hope will help you too. Note, none of the below steps is guaranteed to prevent someone from breaking into your network, but combined they will make it difficult and will cause most network stealers to give up. While this is not an exhaustive list or a "how-to," I hope it will give you some guidance as to what steps you can take.
1. HIDE THE NETWORK NAME- Routers announce the network name to others through a feature called "SSID broadcasting." Routers usually allow you to turn it off.
2. CHOOSE WPA2 ENCRYPTION (128bit)- if at all possible instead of WEP. Most newer computers can connect using WPA2. For now, this is the most secure encryption possible.
3. CHOOSE AES TYPE OF ENCRYPTION- TKIP is more easily cracked. In most cases, WPA2 is set to AES 128 bit Encryption.
4. USE IP RANGES- Computers connect using IP addresses. In most routers you can choose specific ranges for the IP addresses. An example would be a range of 192.168.1.25 to 192.168.1.30. In this example using this range, your router will only accept a range of 5 different IP addresses between the ranges shown above. That way someone outside of that range cannot connect. If nothing else, this will kick anyone off your wifi if the computers on your network are using all of the addresses at any given time. The downside of this is someone can scan your wifi until it finds an opening and change their IP to match.
5. USE IP ADDRESS RESERVATION- Most newer routers will allow you to assign a specific address to a specific computer's "MAC" address. This is a complementary step to the above advice. If you assign a specific IP address to a specific MAC, then someone cannot connect to the router even if they have the same IP as one of your own computers because they don't also have the same MAC address as yours. The downside is that someone can scan for MAC addresses (technically speaking, that is), however difficult and rare this may be. Nevertheless, this step will add another layer of defense.
6. CHOOSE THE LONGEST PASSWORD POSSIBLE- with characters made up of letters, numbers and symbols (if the router will accept symbols), and use random characters, not words.
7. DON'T TURN ON REMOTE ACCESS IF YOU DON'T NEED IT- Remote access allows you to access your internet from another source like a coffee shop or a friend's wifi. If you can do without it, don't turn on remote access (that is, don't allow your router to be accessed by you from a remote location). The downside is that someone who actually hacks your router can turn this on, making it accessible from another network outside your own if you don't catch it.
8. DON'T ALLOW PORT FORWARDING IF YOU DON'T NEED IT- Again, there is a very remote chance someone can access your router through an open port, but why allow it if you don't need it? Port forwarding allows someone, either you or another, a direct route to your router through that port through the use of port scanning capabilities. In other words, access through that port is less protected because it is like an open door through your firewall.
9. USE PORT SCAN, DoS, AND NAT FILTERING PROTECTION- Make sure Port Scan, DoS Protection, and NAT Filtering are all turned on. These are firewall-type protections built into the router and generally don't need any kind of configuration other than a check box in your configuration window.
10. TURN ON LOGGING- You won't know if something is going on unless you view logs. Also, it may be helpful as proof, albeit small, should someone tap into your wifi and do illegal activity through it and it becomes a legal issue (if you find a problem you can copy and back up the log contents).
11. GIVE UNIQUE NAMES TO ALL THE COMPUTERS ON YOUR NETWORK- Your wifi will read the name given to your computers. Most people never change their computer name. Most of the time it is set to some factory name like "HP Computer," or similar. I gave all of my computers on my network names like "NCP-LTP" (a combination of my son's initials and an abbreviation of the word "laptop"). When I look at who is connected to my network I can instantly see if he is connected by the use of that name and that he is using his laptop, not a PC. You can change the computer name in Windows by going to "control panel," then "system," and clicking on the "advanced" tab. If this does not work, a quick search on the internet for "change computer name in windows" will help.
12. BE CAREFUL WHAT YOU DOWNLOAD- With all of this security in place, nothing will stop someone from hacking if you click on a site or download a program that allows them to hack your computer from the inside for all the info they need to bypass all of it and punch through your router's firewall.
13. BACK UP ROUTER SETTINGS FREQUENTLY- Back up your settings to a safe place. This will make it easy if you have to reset your router settings to factory default. Along with this, make sure you save both the original password and the passwords you create so you can easily access them again.
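Steps 4, 5 and 11 only help if the router's list of attached devices is actually compared against the plan. The following Python example is added here and is not part of the original post; it reads the range in step 4 as 192.168.1.25 to 192.168.1.30, and the MAC addresses, reservations and device rows are constructed for illustration.

```python
import ipaddress

# Assumed values: the pool is the example range from step 4; the reservations
# and the attached-device rows are constructed for this illustration.
POOL_START = ipaddress.ip_address("192.168.1.25")
POOL_END = ipaddress.ip_address("192.168.1.30")
RESERVATIONS = {  # MAC -> (reserved IP, expected computer name)
    "02:00:00:00:00:0a": ("192.168.1.25", "NCP-LTP"),
    "02:00:00:00:00:0b": ("192.168.1.26", "FAMILY-PC"),
}
ATTACHED = [  # rows as they might be copied from a router's attached-devices page
    {"mac": "02:00:00:00:00:0A", "ip": "192.168.1.25", "name": "NCP-LTP"},
    {"mac": "02-00-00-00-00-0B", "ip": "192.168.1.27", "name": "FAMILY-PC"},
    {"mac": "06:00:00:00:00:01", "ip": "192.168.1.26", "name": "HP Computer"},
    {"mac": "06:00:00:00:00:02", "ip": "192.168.1.200", "name": "--"},
]

def norm_mac(mac):
    """Normalize MAC notation so 02-00-.. and 02:00:.. compare equal."""
    return mac.replace("-", ":").lower()

def audit(attached, reservations, start, end):
    """Return (mac, ip, finding) tuples for rows that do not match the plan."""
    reserved = {norm_mac(m): v for m, v in reservations.items()}
    ip_owner = {ip: m for m, (ip, _) in reserved.items()}
    findings = []
    for row in attached:
        mac, ip = norm_mac(row["mac"]), row["ip"]
        if not (start <= ipaddress.ip_address(ip) <= end):
            findings.append((mac, ip, "address outside configured range"))
        if mac not in reserved:
            findings.append((mac, ip, "unknown MAC"))
            if ip in ip_owner:
                findings.append((mac, ip, "uses an IP reserved for another MAC"))
            continue
        want_ip, want_name = reserved[mac]
        if ip != want_ip:
            findings.append((mac, ip, f"expected reserved IP {want_ip}"))
        if row["name"] != want_name:
            findings.append((mac, ip, f"name differs from {want_name}"))
    return findings

if __name__ == "__main__":
    for mac, ip, finding in audit(ATTACHED, RESERVATIONS, POOL_START, POOL_END):
        print(f"{mac}  {ip:15}  {finding}")
```

A row with no findings only means the MAC, IP and name match the plan; as step 5 notes, a MAC address can be copied, so this check complements the encryption and password steps rather than replacing them.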
Though not directly related to your router's security, these added security measures for your computer will help protect you if someone does break into your system and tries to attack your computer.
MAKE SURE ALL OF YOUR VIRUS & SPYWARE PROTECTION IS IN PLACE- If you use Windows, (as opposed to linux or BSD), then make sure your own computer's firewall and spyware, adware, and virus protection are all in place.
LEARN HOW TO USE A DIFFERENT OPERATING SYSTEM (LINUX OR BSD)- These are far more secure than Windows.
LEARN HOW TO USE OTHER SECURITY MEASURES- These are other security measures I would recommend and they are free.
- Keepass and KeepassX- These are two secure password storage programs that are somehow related and almost identical in looks and function. You can store all of your passwords in either program using AES 256 bit encryption. I store all of my router information including MAC addresses, IP configurations, router passwords, and internet provider info in KeepassX because it is easier to install on Linux. Keepass and KeepassX are available in Windows, Mac, and Linux versions. If you are simply installing on Windows use the Keepass.exe file available here. KeepassX is a little more complicated to install on Windows but if you prefer it then you can find it here.
- Truecrypt- Another free utility which creates secure containers, (similar to folders), for securely storing documents or files of any type. Truecrypt can be found here.
- Add An "S" at the end of the "http"- Add an "s" to the end of http when going to a bank or other secure site. This will encrypt your personal information sent from the very beginning of your session with that site. Not all sites will allow this but almost all banks, credit cards, and other sites do. Better yet, if you use the "Firefox" browser, there is an extension called "HTTPS Everywhere." It automatically checks to see which sites use secure connections and which don't and sets it for "https" for those that do.
- Copy And Paste Your Passwords- A final measure I would recommend is to not type your passwords when going to bank accounts or other sites over the internet. Instead, copy and paste them to prevent little programs someone else can embed onto your computer called keyloggers from storing the typed password and transmitting it back to a hacker.
Given enough time and having the right tools anyone can break into a network. The best option is to make it as difficult as possible and to look out for "funny" things going on. In my case, I hope whoever it was trying to break into my internet gave up because it was too difficult. Most will give up if they are just trying to play around or just looking for a free network to use. There is always the chance someone is trying to break in because of the challenge of doing so or hoping to get some serious information. For this reason, it pays to make it as difficult as possible.
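Looking out for odd activity is easier when the router log from step 10 is summarized per source address instead of read line by line. The following Python example is added here and is not part of the original post; it assumes the log format of the entries quoted at the top of the post, and the last two sample lines are constructed.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# First three lines are the entries quoted in the post; the last two are constructed.
SAMPLE_LOG = """\
[DoS attack: STORM] attack packets in last 20 sec from ip [199.79.170.214], Saturday, Nov 12,2011 13:11:47
[LAN access from remote] from 71.93.84.50:65342 Saturday, Nov 12,2011 08:10:41
[LAN access from remote] from 71.93.84.50:65336 Saturday, Nov 12,2011 08:10:41
[DoS attack: STORM] attack packets in last 20 sec from ip [192.168.1.25], Saturday, Nov 12,2011 13:12:07
this line is not a log entry
"""

LINE_RE = re.compile(
    r"^\[(?P<event>[^\]]+)\].*?from (?:ip )?\[?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]?"
    r"(?::(?P<port>\d+))?,? (?P<ts>\w+, \w+ \d{1,2},\d{4} \d{2}:\d{2}:\d{2})$"
)

def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        ip = ipaddress.ip_address(m["ip"])  # rejects octets above 255
        when = datetime.strptime(m["ts"], "%A, %b %d,%Y %H:%M:%S")
    except ValueError:
        return None
    return {"event": m["event"], "ip": ip, "port": m["port"], "when": when}

def summarize(log_text):
    """Group entries by (event, source IP) and mark sources outside private ranges."""
    groups = defaultdict(lambda: {"count": 0, "ports": set(), "times": []})
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is None:
            continue  # skip anything that is not a recognizable entry
        g = groups[(e["event"], str(e["ip"]))]
        g["count"] += 1
        g["times"].append(e["when"])
        g["external"] = not e["ip"].is_private
        if e["port"]:
            g["ports"].add(int(e["port"]))
    return dict(groups)

if __name__ == "__main__":
    for (event, ip), g in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{'EXTERNAL' if g['external'] else 'local':8} {ip:15} {event:24} "
              f"x{g['count']} last={max(g['times'])} ports={sorted(g['ports'])}")
```

Repeated "LAN access from remote" entries from an external address are a prompt to recheck the remote access and port forwarding settings from steps 7 and 8, and a local address in a DoS entry points at a machine inside the network.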
This entry was posted on Friday, November 18, 2011 and is filed under Internet.

