Question Help to verify my network is secure ?

[kdj]

I have been trying to secure my network. I have had to disconnect the wifi entirely and use an Ethernet cable, and now use a wired mouse. An unauthorized person was "borrowing" the wifi and hacking into my network, in order to use his six devices that were shown on a couple of network scanners I downloaded. I was trying to safeguard the network because of online banking etc. I changed the wifi password but he kept connecting. I saw that he tried to set up a network and bridge/piggyback my network. That was when I made the changes mentioned.

He also had some kind of remote setup he attempted to use, although I was told remote access was not possible. If that is so, how do people work remotely using their network? I have done everything I can do via looking up articles pertaining to this kind of issue, talking to the internet provider, getting advice from tech people - and through Advanced ip Scanner, I "shut down" the unauthorized devices. yet I am wondering if there is anything else to do. With the wifi disconnected (I'm fine with the cable connection) has he been cut off completely? Or, is there still a way he can utilize the network? His determination could be put to better use. Thank you in advance for advice.

 

[Ralston18]

Make and model modem, router, or modem/router if combined?

The applicable User Guides should provide details on security related options and configurations available to you.

Be sure to change the default login names and passwords for the modem, router or modem/router if combined.

Do not use a login name that identifies you in any way and be sure to use a strong password. And do not share the password.

Use a network name that does not identify you in any way. And agaIn a strong network password.

Limit the number of devices (wired and wireless) that can be connected at one time. Just what you need and maybe a couple of extras for trusted guests.

Reduce the range of available DHCP IP addresses to just what you need.

And if you can do without wireless simply disable that function on the modem, router, or modem/router.

Keep monitoring and watching.

 

[bill001g]

A large number of routers come with a huge security hole enabled because of all the stupid people in the world. They want to setup all their "smart" toys like say lightbulbs and a lot of those can only be connected to the network via WPS.
WPS can be fairly easily cracked and you can't change the code. It will then give them your wifi passwords.

You always want WPS off, if you really have to you enable it link the device you want and then disable it. Some people think that you have to press the button to enable WPS but if they follow the actual standard they must implement the key which is always active.

It is not really possible to hack the encryption keys themselves unless you make them too simple. Still if you do not need wifi I would leave it disabled. I tend to have mine turned off except when I have a need.

The way the is most secure is to use enterprise mode. Then every person has a unique ID and password and all the authentication is done on a server behind the router. Not generally worth the effort for a home user unless you want to play around with things.

It would be unlikely he has some kind of remote access to your equipment. Why would he hack into your wifi if he has his own internet. This tends to be kids who are trying to get around parental restrictions on internet use.
Now this would be different if say you were letting your friend from overseas get remote access to your network so they could then use your internet to get past say netflix restrictions.

In any case it is easy to prevent remote access. You just make sure there are no port forwarding or DMZ rules set in the router. This will then protect you just because NAT is stupid. It does not know which internal machine to set traffic to so it just drops it instead.

I suspect you have solved your problem. If I had someone trying this I would be setting up a bait router and then hack them as their traffic passed through MY router. Would not take much to scare most people.

 

[gggplaya]

They clearly set up their own wifi repeater/bridge to get free internet from you.

How far away are you from your neighbors? Are you in a condo or apartment?

1. On my network, I only use 5ghz for my main devices. The range is inherently very limited on 5ghz, it may not even cover your entire house or apartment. So in theory, a neighbor would have trouble connecting to it, let alone hack your wifi password.

2. You may want to considering a newer router and limit yourself to WPA3 password authentication. Your client devices would also have to be capable of WPA3, which would limit alot of older devices and IOT devices like smart themostats, smart bathroom scales etc..... WPA3 is harder to crack, but is still crackable.

3. Use WIFI CLIENT ISOLATION, or set up a GUEST network only. If you don't need your computers to talk to each other on the network, and you only need them to connect to the internet. Then enable wifi client isolation on your router. Not all routers have this feature. This feature will make it so that no device on the wifi can connect to any other device on the network. They can only talk to the main gateway and the internet. So even if someone breaks into the network, they can't hack into your computer, they just get free internet. Not all guest networks work properly as I've found out. You need to double check that you can't ping other devices on your network once this is set up.

4. You can set up MAC address filtering. So that only the MAC addresses you assign will be allowed on the wifi. You'll need to copy the MAC address from your devices and copy them manually. This is fine if you're a single person, or always home. But kind of a pain if you have a larger family. But even if they do manage to crack the wifi password, it won't let them connect due to them having a different MAC address. It's possible to change the MAC address, but they would have to know what it is in the first place which is unlikely unless they've been in your house and looked at your devices directly.

 

[kdj]

I thank each person for their response. Much of what I need to do are things I don't know how to do, and I will need to research and find "how to ..." to resolve as they are new to me:

change default log in names (where are they) (I did change the network name and now that shows as "NETWORK" on the network list. The new name is not on the network list.
I'll need to find :
MAC filtering
limit number of devices allowed (through Firewall?)
reduce range of DHCP
WPS off
strengthen encryption keys
WIFI HAS ALREADY BEEN DISABLED. I AM HARDWIRED and use a wired mouse.
use enterprise mode
disable port forwarding
DMZ rules (if for router, router is completely disconnected)
wifi repeater ??
To answer about why someone who has internet on his phone but still will "hack" into my account, it is so that he can enable another besides himself to access the internet.
Tonight after a network scan I note several routers ONLINE while my own is disconnected.
I called the service provider and all they could recommend is rebooting the modem. (?) They weren't getting it that the router is and has been disconnected.

The above list of things to figure out are collected fronm the responses I received (thank you) .
Security code for provider is changed monthly. Password is changed frequently.
Equipment is in a single family home. neighbors in close proximity. Thanks in advance for any additional advice.
Modem is new. Guest network feels like risk and the individual is unwelcome.
Everything in the "to do list" that is router related won't be necessary since router is disconnected. That leaves the modem (new) to be secured. (?) Spectrum modem. No name on the modem.
Many thanks for advice.