Blocking WiFi password hackers

I am configuring a Surf SOHO for a home user who thinks that the neighbor in their duplex is hacking their Comcast router. (They also suspected that the neighbor has installed a coax splitter in the cable.)

Is there a way to block a device that appears to be attempting to crack the WiFi password in the Surf SOHO?

Thanks!
TimC

Some suggestions for dealing with bad neighbors
https://routersecurity.org/bad.neighbors.php

There are firewall rules on an SSID basis, perhaps try that.

If the WiFi password is long enough (14 characters?) it cannot be cracked by brute force guessing.

Not sure about the coax splitter. Perhaps the ISP can look into that?

Michael234: Thanks for those links. That gets me going in a useful direction.
Cheers!

Make the password easy so he can get in. Once he’s there you can see his MAC address on the client list page. Write a firewall rule to deny all access from that MAC. He’ll be connected but can’t do anything.


Nice idea. Thanks!

So the Comcast router is being shared between 2 tenants? And each tenant has their own SSID?

Yeah, I’d say treat this as a zero trust network. Set up your own router and secure everything behind it.

Might want to consider setting up client VPN on the Peplink so traffic going out of the Peplink can’t be sniffed by the neighbor.

Update:
I have configured the Surf SOHO with the Untagged VLAN as the primary “secure” network for ethernet and the first AP. I also set up a second VLAN as a Guest network with a second AP using different IP addressing.

Then I configured the Access Control Settings on the primary network AP to “Deny all except listed” and I have entered the MAC addresses of the devices that they want to have access to that network.

Next, I told them to go get their own modem and return the Comcast modem/router.

So now they are seeing only their own devices on their network and they are not seeing the neighbor’s devices any more.

Now the only problem they have is keeping their cell phones from being hacked. One Apple employee was very interested in helping solve the problem, but that employee is no longer with the company. That happened quickly. Hmm…

You could create a virtual honeypot. An SSID with a simple password or no password that is part of an isolated VLAN. Then create an outbound firewall rule that blocks everything from that VLAN going out the WAN port. This puts the neighbors in a virtual jail :)


Nice. I get the first part of that, but I’m not sure how to do the outbound firewall rule.

Here is a sample outbound firewall rule that blocks an entire subnet (192.168.99.x). Logging, of course, is optional, but I assume you want to see if you catch any fish :)

Aha. Great. Thanks!
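
A small Python model of the two rules suggested in this thread (deny by source MAC, and deny everything outbound from the honeypot subnet 192.168.99.x with logging), added here as an illustration; it is not code from any poster and not Peplink configuration syntax. The rule names, MAC addresses, the 192.168.50.x trusted subnet and the top-down first-match order are assumptions.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Rule:
    name: str
    action: str                  # "allow" or "deny"
    src_net: str = "0.0.0.0/0"   # source subnet the rule applies to
    src_mac: str = ""            # optional source MAC; empty matches any
    log: bool = False            # record a log line when the rule fires

    def matches(self, pkt):
        if self.src_mac and pkt["mac"].lower() != self.src_mac.lower():
            return False
        return ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(self.src_net)

def evaluate(rules, packets, default="allow"):
    """Apply rules top-down, first match wins (assumed order); return (verdicts, log)."""
    verdicts, log = [], []
    for pkt in packets:
        action = default
        for rule in rules:
            if rule.matches(pkt):
                action = rule.action
                if rule.log:
                    log.append(f"{action.upper()} {rule.name} "
                               f"src={pkt['src']} mac={pkt['mac']} dst={pkt['dst']}")
                break
        verdicts.append(action)
    return verdicts, log

# Constructed rule set: names, MACs and the 192.168.50.x subnet are hypothetical.
RULES = [
    Rule("jail-honeypot-vlan", "deny", src_net="192.168.99.0/24", log=True),
    Rule("deny-unwanted-mac", "deny", src_mac="02:00:00:AA:BB:CC", log=True),
]
# Constructed outbound packets (destinations are documentation addresses).
PACKETS = [
    {"src": "192.168.99.23", "mac": "02:00:00:11:22:33", "dst": "203.0.113.10"},
    {"src": "192.168.50.10", "mac": "02:00:00:44:55:66", "dst": "203.0.113.10"},
    {"src": "192.168.50.77", "mac": "02:00:00:aa:bb:cc", "dst": "198.51.100.7"},
]

if __name__ == "__main__":
    verdicts, log = evaluate(RULES, PACKETS)
    for pkt, verdict in zip(PACKETS, verdicts):
        print(f"{pkt['src']:>15} -> {verdict}")
    print("\n".join(log))
```

The log lines are what the optional logging setting would give you: one entry per blocked packet, showing which device on the honeypot VLAN or which listed MAC tried to send traffic out.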