lutful (Premium; join: 2005-06-16; Ottawa, ON) | reply to Airplane777 | Re: Monowall WISP client's data gets past my captive portal?
This is how TCP/IP works. I recall cmaenginsb provided good explanations in your early posts.  |
|
Airplane777 (join: 2004-06-20; 1 edit) | Hi Lutful:
Wow. I get so much info coming at me I can forget some of what I have read in the past.
So then this incrementing of port numbers in my case probably is normal, as my computer tries to connect to a web site.
But...in the case of my neighbors' computers that were trying to connect to Asia web sites, their computers also tried to increment port numbers at times. But maybe they could have been p2p or spyware, etc? |
|
lutful (Premium; join: 2005-06-16; Ottawa, ON) | Rather than P2P, I suspect adware/trojan trying to send some info back to its home server. Ask them to check/clean their PC using Spybot Search & Destroy. The log will show what was there. |
|
sporkme ("drop the crantini and move it, sister"; Premium, MVM; join: 2000-07-01; Morristown, NJ; Optimum Online) | reply to Airplane777 | I'm just going to jump in real quick and say this:
If I were running a captive portal, I would likely have rules on the interface that the AP is attached to that would block everything but the most common ports (21, 25, 53, 80, 110, 143, 443, 993, 995). If you are giving gratis access, why even bother with anything beyond the "basics"? Ideally, 25 would redirect to an SMTP proxy with some basic rate limiting as well.
I'd guess that your friend is likely infected with some type of nasty that is either trying to infect other machines or to "phone home". |
|
Airplane777 (join: 2004-06-20; 2 edits) | Hi sporkme:
Thanks for your thoughts here.
Opening up just the ports you mentioned seems reasonable since it is gratis. If I have an actual WISP customer, I will know which IP address goes to which customer, since I'll give them private static IP addresses.
For my DHCP IP range, I can have just those ports opened that you mentioned. But for any paying customers, I can allow more leeway for my paying customers. I'll probably turn off DHCP when I start putting paying customers on my AP. I'll try to probably allow p2p for my paying customers, but I will put a very low weight on it and have it in my "catch all" queue.
If I can find out the neighbor who seems to have the infected computer, I'll let him know. I know his MAC address. Too bad my NetStumbler doesn't pick up wireless laptops, like it picks up APs. I could use a directional antenna to find this neighbor. I understand there are applications that will let me pick up the signal from the laptop. I need to find out more about those.
Right now I don't know which neighbor was on, since it was opened up to all in the neighborhood. I think it probably was a nearby neighbor, due to the high signal strength that I saw.
I'll ask my WISP customers to use Spybot, and AdAware, Zone Alarm, etc. to keep their computers clean. So that might be a good solution. |
|
Airplane777 (join: 2004-06-20; 3 edits) | reply to Airplane777 | Something very interesting...
Starting sometime early yesterday, my neighbors' computers no longer try to get on my system...even when I take off captive portal.
I did notice that two of these neighbors authenticated into my captive portal about 2 days ago. The captive portal page is set up so that after they click on the continue button, they will have a URL redirection to the Kim Komando security web page. On my captive portal I told them specifically to get AdAware, SpyBot, ZoneAlarm, and AVG Antivirus off of Kim Komando's web site.
Since my neighbors' computers haven't been trying to get into my WISP interface for about the last day, I can only assume that they might have downloaded this software and used it.
Maybe they had some nasty application on their computer that automatically turned on their WiFi card and tried to associate with any AP it found...unknown to the owner. For many days it was associating to my AP. And after associating, if I didn't have captive portal turned on, it would pass data to the Internet. |
|
uscomputing (join: 2005-01-26; Buffalo, NY) | reply to Airplane777 | Are you sure your neighbor who is using the connection isn't a teenage jr. hacker who is trying to run a port sniffer on his newly found free internet connection so he can tell his friends how much of a hax0r he is? |
|
Airplane777 (join: 2004-06-20) | Hi uscomputing:
I'm not sure about that. Could be a teenager trying something...lol.
I came home today and noticed someone else authenticated past the captive portal page. They didn't seem to be using all that much data though. Not like several days earlier. They didn't stay on real long. |
|
John Galt ("Forward, March"; Premium; join: 2004-09-30; Happy Camp; CenturyLink) | said by Airplane777: "I came home today and noticed someone else authenticated past the captive portal page." Since the authentication has been raised, what method can be used here to restrict access by users (using any protocol)...in any regard?
In other words...no pay, no play? -- A is A |
|
lutful (Premium; join: 2005-06-16; Ottawa, ON; TekSavvy Solutions..) | This is my suggestion for a very secure HotSpot solution:
1. One SSID runs captive portal but firewall rules provide access to only an https site where a valid IEEE 802.1x certificate can be downloaded.
2. Users install the certificate and use a second SSID with firewall rules that allow access to the internet. |
|
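A constructed ipfilter/ipnat ruleset, added here as an illustration and not taken from m0n0wall's own configuration (its web GUI generates rules like these), that combines lutful's two-SSID layout above with sporkme's earlier "basics only" port whitelist and SMTP proxy redirect on the SSID that actually reaches the internet. The interface names, address ranges, the certificate host 203.0.113.10, the portal port 8000 and the proxy port 2525 are all assumptions.

```conf
# Constructed ipnat.conf / ipf.conf fragment, not m0n0wall's own config.
# Assumed: wi0 = open portal SSID (192.168.10.0/24, firewall 192.168.10.1),
# wi1 = certificate-only SSID (192.168.20.0/24, firewall 192.168.20.1),
# xl0 = DSL uplink, 203.0.113.10 = HTTPS host serving the 802.1x certificate,
# port 2525 on the firewall = a local rate-limiting SMTP proxy. The 802.1x
# check itself happens at the AP and its RADIUS server, not in these rules.

# ---- ipnat.conf (translation runs before the filter sees inbound packets) ----
# Open SSID: every plain HTTP request lands on the portal page.
rdr wi0 0.0.0.0/0 port 80 -> 192.168.10.1 port 8000 tcp
# Certificate SSID: outbound mail is forced through the proxy.
rdr wi1 0.0.0.0/0 port 25 -> 192.168.20.1 port 2525 tcp
map xl0 192.168.10.0/24 -> 0/32 portmap tcp/udp auto
map xl0 192.168.20.0/24 -> 0/32 portmap tcp/udp auto

# ---- ipf.conf ----
# Default deny with logging on every interface; the log then names the client
# that keeps probing ports it is not allowed to use.
block in log on wi0 all
block in log on wi1 all
block in log on xl0 all
# Replies to traffic the firewall forwards out are allowed back by state.
pass out quick on xl0 all keep state
pass out quick on wi0 all keep state
pass out quick on wi1 all keep state
# Clients on one SSID never reach the other SSID's subnet through the firewall.
block in quick on wi0 from any to 192.168.20.0/24
block in quick on wi1 from any to 192.168.10.0/24

# wi0, open SSID: DNS, the portal page, and HTTPS to the certificate host only.
pass in quick on wi0 proto udp from 192.168.10.0/24 to 192.168.10.1 port = 53 keep state
pass in quick on wi0 proto tcp from 192.168.10.0/24 to 192.168.10.1 port = 8000 flags S keep state
pass in quick on wi0 proto tcp from 192.168.10.0/24 to 203.0.113.10 port = 443 flags S keep state

# wi1, certificate SSID: the "basics" (21, 25 via the proxy, 53, 80, 110, 143, 443, 993, 995).
pass in quick on wi1 proto udp from 192.168.20.0/24 to any port = 53 keep state
pass in quick on wi1 proto tcp from 192.168.20.0/24 to 192.168.20.1 port = 2525 flags S keep state
pass in quick on wi1 proto tcp from 192.168.20.0/24 to any port = 21 flags S keep state
pass in quick on wi1 proto tcp from 192.168.20.0/24 to any port = 80 flags S keep state
pass in quick on wi1 proto tcp from 192.168.20.0/24 to any port = 110 flags S keep state
pass in quick on wi1 proto tcp from 192.168.20.0/24 to any port = 143 flags S keep state
pass in quick on wi1 proto tcp from 192.168.20.0/24 to any port = 443 flags S keep state
pass in quick on wi1 proto tcp from 192.168.20.0/24 to any port = 993 flags S keep state
pass in quick on wi1 proto tcp from 192.168.20.0/24 to any port = 995 flags S keep state
```

Because the only non-quick rules are the logged default denies, a client trying to reach anything outside this list shows up in the ipf log with its source address, which is the quickest way to spot the "phone home" behaviour discussed earlier in the thread.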
Airplane777 (join: 2004-06-20; 4 edits) | reply to John Galt | Hi John:
I wanted to let neighbors on, just to see how well my system worked. Especially since I'm homing in on getting my Monowall set up properly. At least I think I'm getting it pretty much set up...lol.
But I didn't like it when I saw the one or two neighbors that seemed to be using up tons of data recently. But now that has stopped...seems to be as of yesterday early.
When my new ISP finally gets my new DSL installed, that's when I'll hand out my door hangers. Then I'll turn off the Captive Portal and DHCP. Then I'll only let people on that pay and give them private static IP addresses.
It's been about 2 months since I started trying to get this new ISP to install my DSL. This co. has its own DSLAM. I had intermittency problems with the Covad DSLAM...I still do. Basically Covad gave up on trying to fix the intermittency problem. So I'm switching to another ISP.
EDIT: I should mention that SE was my ISP and Covad the CLEC. SE wanted to keep trying to fix it, but Covad told SE they would stop trying. They never would agree to a meeting with Verizon at my location to look at the problem together. They may have come to my place one time to check it out.
I don't think much of a company that just gives up like that. When I was in cellular, and we had a problem, we kept trying til we fixed it...no matter if it was a cell site problem or a microwave problem, etc...we kept at it til we fixed it. That doesn't seem to be the mentality of Covad. I realize Covad might do a good job for many customers...but it seems when there is an elusive intermittent problem...they give up way too quick. |
|
uscomputing (join: 2005-01-26; Buffalo, NY) | reply to Airplane777 | Unfortunately they are all about their bottom line. They would rather lose one customer than spend lots of labor hours trying to resolve your issue. Most people don't even know what latency on their line is, and that's the kind of low maintenance customer they are looking for. The nice thing about being a WISP is that your customers do notice when you go the extra mile to solve a problem they are having and they won't hesitate to tell everyone they know about the good service they are getting from you. |
|