



Insecure Wi-Fi is the easiest way for people to access your home network, leech your internet, and cause you serious headaches with more malicious behavior. Read on as we show you how to secure your home Wi-Fi network.

Why Secure Your Network?

In a perfect world you could leave your Wi-Fi networks wide open to share with any passing Wi-Fi starved travelers who desperately needed to check their email or lightly use your network. In reality, leaving your Wi-Fi network open creates unnecessary vulnerability wherein non-malicious users can inadvertently sponge up lots of your bandwidth and malicious users can pirate using your IP as cover, probe your network and potentially get access to your personal files, or even worse. What does even worse look like? In the case of Matt Kostolnik it looks like a year of hell as your crazy neighbor, via your hacked Wi-Fi network, uploads child pornography in your name using your IP address and sends death threats to the Vice President of the United States. Mr. Kostolnik was using crappy and outdated encryption with no other defensive measures in place; we can only imagine that a better understanding of Wi-Fi security and a little network monitoring would have saved him a huge headache.

Securing Your Wi-Fi Network


Securing your Wi-Fi network is a multi-step affair. You need to weigh each step and decide if the increased security is worth the sometimes increased hassle accompanying the change. To help you weigh the benefits and drawbacks of each step we’ve divided them up into relative order of importance as well as highlighted the benefits, the drawbacks, and the tools or resources you can use to stress test your own security. Don’t rely on our word that something is useful; grab the available tools and try to kick down your own virtual door.

Note: It would be impossible for us to include step-by-step instructions for every brand/model combination of routers out there. Check the brand and model number on your router and download the manual from the manufacturer’s website in order to most effectively follow our tips. If you have never accessed your router’s control panel or have forgotten how, now is the time to download the manual and give yourself a refresher.

Update Your Router and Upgrade to Third Party Firmware If Possible: At minimum you need to visit the website of your router’s manufacturer and make sure there are no pending updates. Router software tends to be pretty stable and releases are usually few and far between. If your manufacturer has released an update (or several) since you purchased your router it’s definitely time to upgrade.

Even better, if you’re going to go through the hassle of updating, is to update to one of the awesome third-party router firmwares out there like DD-WRT or Tomato. You can check out our guides to installing DD-WRT here and Tomato here. The third-party firmwares unlock all sorts of great options, including easier and finer-grained control over security features.

The hassle factor for this modification is moderate. Anytime you flash the ROM on your router you risk bricking it. The risk is really small with third-party firmware and even smaller when using official firmware from your manufacturer. Once you’ve flashed everything the hassle factor is zero and you get to enjoy a new better, faster, and more customizable router.

Change Your Router’s Password: Every router ships with a default login/password combination. The exact combination varies from model to model but it’s easy enough to look up the default that leaving it unchanged is just asking for trouble. Open Wi-Fi combined with the default password is essentially leaving your entire network wide open. You can check out default password lists here, here, and here.

The hassle factor for this modification is extremely low and it’s foolish not to do it.



Turn On and/or Upgrade Your Network Encryption: In the example we gave above, Mr. Kostolnik had turned on the encryption for his router. He made the mistake of selecting WEP encryption, however, which is the lowest encryption on the Wi-Fi encryption totem pole. WEP is easy to crack using freely available tools such as WEPCrack and BackTrack. If you happened to read the entire article about Mr. Kostolnik’s problems with his neighbors you’ll note that it took his neighbor two weeks, according to the authorities, to break the WEP encryption. That’s such a long span of time for such a simple task that we have to assume he also had to teach himself how to read and operate a computer.

Wi-Fi encryption comes in several flavors for home use such as WEP, WPA, and WPA2. In addition WPA/WPA2 can be further subdivided as WPA/WPA2 with TKIP (a 128-bit key is generated per packet) and AES (a different 128-bit encryption). If possible you want to use WPA2 TKIP/AES as AES is not as widely adopted as TKIP. Allowing your router to use both will enable it to use the superior encryption when available.

The only situation where upgrading the encryption of your Wi-Fi network may pose a problem is with legacy devices. If you have devices manufactured before 2006 it’s possible that, without firmware upgrades or perhaps not at all, they will be unable to access any network but an open or WEP encrypted network. We’ve phased out such electronics or hooked them up to the hard LAN via Ethernet (we’re looking at you, original Xbox).

The hassle factor for this modification is low and–unless you have a legacy Wi-Fi device you can’t live without–you won’t even notice the change.
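To confirm which of the flavors above your router is actually advertising after you change the setting, you can read it out of a scan. The following is an added example, not part of the original article: it assumes scan text in the layout printed by the Linux `iw` tool, and the sample networks are constructed.

```python
import re

# Constructed sample modeled on `iw dev wlan0 scan` output, trimmed to the relevant lines.
SAMPLE_SCAN = """\
BSS 02:00:00:00:00:01(on wlan0)
    SSID: HomeNet
    capability: ESS Privacy ShortSlotTime (0x0411)
    RSN:     * Version: 1
         * Pairwise ciphers: CCMP
BSS 02:00:00:00:00:02(on wlan0)
    SSID: OldRouter
    capability: ESS Privacy (0x0011)
BSS 02:00:00:00:00:03(on wlan0)
    SSID: Mixed
    capability: ESS Privacy (0x0011)
    WPA:     * Version: 1
    RSN:     * Version: 1
         * Pairwise ciphers: CCMP TKIP
BSS 02:00:00:00:00:04(on wlan0)
    SSID: Guest
    capability: ESS (0x0001)
"""

def classify(block):
    """Map one BSS block to the encryption flavor it advertises."""
    lines = [ln.strip() for ln in block.splitlines()]
    cap = next((ln for ln in lines if ln.startswith("capability:")), "")
    if "Privacy" not in cap.split():
        return "open"
    protos = [name for tag, name in (("WPA:", "WPA"), ("RSN:", "WPA2"))
              if any(ln.startswith(tag) for ln in lines)]
    if not protos:
        return "WEP"  # Privacy bit set, but no WPA/RSN element advertised
    ciphers = set()
    for ln in lines:
        if ln.startswith("* Pairwise ciphers:"):  # iw prints AES as CCMP
            ciphers.update(c.replace("CCMP", "AES") for c in ln.split(":", 1)[1].split())
    return "/".join(protos) + " " + "+".join(sorted(ciphers))

def audit_scan(scan_text):
    """Return {ssid: flavor} for every BSS block in the scan text."""
    results = {}
    for block in re.split(r"(?m)^BSS ", scan_text)[1:]:
        m = re.search(r"(?m)^\s*SSID:[ \t]*(\S.*)$", block)
        results[m.group(1) if m else "<hidden>"] = classify(block)
    return results

if __name__ == "__main__":
    print(audit_scan(SAMPLE_SCAN))
```
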


Changing/Hiding Your SSID: Your router shipped with a default SSID; usually something simple like “Wireless” or the brand name like “Netgear”. There’s nothing wrong with leaving it set as the default. If you live in a densely populated area, however, it would make sense to change it to something different in order to distinguish it from the 8 “Linksys” SSIDs you see from your apartment. Don’t change it to anything that identifies you. Quite a few of our neighbors have unwisely changed their SSIDs to things like APT3A or 700ElmSt. A new SSID should make it easier for you to identify your router from the list and not easier for everyone in the neighborhood to do so.

Don’t bother hiding your SSID. Not only does it provide no boost in security but it makes your devices work harder and burn more battery life. We debunked the hidden SSID myth here if you’re interested in doing more detailed reading. The short version is this: even if you “hide” your SSID it is still being broadcast and anyone using apps like inSSIDer or Kismet can see it.

The hassle factor for this modification is low. All you’ll need to do is change your SSID once (if at all) to increase recognition in a router-dense environment.


Filter Network Access by MAC Address: A Media Access Control address, or MAC address for short, is a unique ID assigned to every network interface you’ll encounter. Everything you can hook up to your network has one: your XBOX 360, laptop, smartphone, iPad, printers, even the Ethernet cards in your desktop computers. The MAC address for a device is printed on a label affixed to it and/or on the box and documentation that came with the device. For mobile devices you can usually find the MAC address within the menu system (on the iPad, for example, it’s under the Settings –> General –> About menu and on Android phones you’ll find it under the Settings –> About Phone –> Status menu).

One of the easiest ways to check the MAC addresses of your devices, besides simply reading the label on them, is to check out the MAC list on your router after you’ve upgraded your encryption and logged all your devices back in. If you’ve just changed your password you can be nearly certain the iPad you see attached to the Wi-Fi node is yours.


Once you have all the MAC addresses you can set up your router to filter based on them. Then it won’t be enough for a computer to be in range of the Wi-Fi node and have the password or break the encryption; the device intruding on the network will also need to have the MAC address of a device on your router’s whitelist.

Although MAC filtering is a solid way to increase your security, it is possible for somebody to sniff your Wi-Fi traffic and then spoof the MAC address of their device to match one on your network, using tools like Wireshark, Ettercap, and Nmap as well as the aforementioned BackTrack. Changing the MAC address on a computer is simple. In Linux it’s two commands at the command prompt, with a Mac it’s just about as easy, and under Windows you can use a simple app to swap it like Etherchange or MAC Shift.

The hassle factor for this modification is moderate-to-high. If you use the same devices on your network over and over with little change up then it’s a small hassle to set up the initial filter. If you frequently have guests coming and going that want to hop on your network it’s a huge hassle to always be logging into your router and adding their MAC addresses or temporarily turning off the MAC filtering.

One last note before we leave MAC addresses: if you’re particularly paranoid or you suspect someone is messing around with your network you can run applications like AirSnare and Kismet to set up alerts for MACs outside your white list.
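The same whitelist check can be run against the router’s own client list. The following is an added example, not part of the original article: it assumes the router exposes a lease table in the dnsmasq format (expiry, MAC, IP, hostname, client ID), and the leases and whitelist shown are constructed. The duplicate-MAC finding is a heuristic for the spoofing case described above, where a second device borrows an allowed address.

```python
import re

# Constructed sample in dnsmasq.leases format: expiry, MAC, IP, hostname, client-id.
SAMPLE_LEASES = """\
1700003600 3C:22:FB:10:20:30 192.168.1.10 laptop 01:3c:22:fb:10:20:30
1700003600 a4-83-e7-aa-bb-cc 192.168.1.11 ipad *
1700003600 de:ad:be:ef:00:01 192.168.1.23 * *
1700003600 3c:22:fb:10:20:30 192.168.1.42 * *
this line is malformed
"""

# Constructed whitelist, as copied from device labels (mixed formats on purpose).
ALLOWLIST = ["3c:22:fb:10:20:30", "A4:83:E7:AA:BB:CC", "00-1D-D8-01-02-03"]

def normalize_mac(text):
    """Return a MAC as lowercase colon-separated hex, or None if invalid."""
    digits = re.sub(r"[:\-.]", "", text.strip().lower())
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def is_locally_administered(mac):
    """Bit 0x02 of the first octet marks a software-assigned (not burned-in) MAC."""
    return bool(int(mac[:2], 16) & 0x02)

def audit_leases(lease_text, allowlist):
    """Compare leases against the whitelist and return a list of findings."""
    allowed = {normalize_mac(m) for m in allowlist}
    seen = {}  # mac -> set of IPs holding a lease under that MAC
    findings = []
    for line in lease_text.splitlines():
        fields = line.split()
        mac = normalize_mac(fields[1]) if len(fields) >= 3 else None
        if mac is None:
            continue  # skip malformed lines instead of failing the audit
        ip = fields[2]
        seen.setdefault(mac, set()).add(ip)
        if mac not in allowed:
            kind = "unknown-randomized" if is_locally_administered(mac) else "unknown"
            findings.append((kind, mac, ip))
    for mac, ips in seen.items():
        if len(ips) > 1:
            findings.append(("duplicate-mac", mac, ",".join(sorted(ips))))
    return findings

if __name__ == "__main__":
    for finding in audit_leases(SAMPLE_LEASES, ALLOWLIST):
        print(*finding)
```
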


Adjust the Output Power of Your Router: This trick is usually only available if you’ve upgraded the firmware to a third party version. Custom firmware allows you to dial up or down the output of your router. If you’re using your router in a one bedroom apartment you can easily dial the power way down and still get a signal everywhere in the apartment. Conversely if the nearest house is 1000 feet away, you can crank the power up to enjoy Wi-Fi out in your hammock.

The hassle factor for this modification is low; it’s a one time modification. If your router doesn’t support this kind of adjustment, don’t sweat it. Lowering the output power of your router is just a small step that makes it necessary for someone to be physically closer to your router to mess with it. With good encryption and the other tips we’ve shared, such a small tweak has a relatively small benefit.

Once you’ve upgraded your router password and upgraded your encryption (let alone done anything else on this list) you’ve done 90% more than nearly every Wi-Fi network owner out there.


Congratulations, you’ve hardened your network enough to make almost everyone else look like a better target! Have a tip, trick, or technique to share? Let’s hear about your Wi-Fi security methods in the comments.

Translated from: https://www.howtogeek.com/68403/how-to-secure-your-wi-fi-network-against-intrusion/


