All Forums
> WiFi Guard
> Current topic
Email alerts: when they are sent, and when repeated detections are silenced
Started by Rod
Rod
Email alerts: when they are sent, and when repeated detections are silenced 13 August 2021, 16:03 |
Re: Email alerts: when they are sent, and when repeated detections are silenced 13 August 2021, 16:09 |
Admin Registered: 10 years ago Posts: 886 |
It should not be sending identical alerts. In the current implementation it works like this, for example:
If I may ask, what exactly are you trying to achieve with WiFi Guard? There may be a better way to do it.
- WiFi Guard finds a new MAC address 00:11:22:33:44:55, it sends an e-mail.
- The next scanning round it finds the same address 00:11:22:33:44:55, it does NOT not send an e-mail.
- The next scanning round it finds the same address 00:11:22:33:44:55 and a new one AA:BB:CC:DD:EE:FF, it sends an e-mail.
- The next scanning round it finds only the first address 00:11:22:33:44:55, it sends an e-mail (because the total detection not identical to the last round where it found two MAC addresses)
If I may ask, what exactly are you trying to achieve with WiFi Guard? There may be a better way to do it.
Rod
Re: Email alerts: when they are sent, and when repeated detections are silenced 13 August 2021, 16:14 |
Thanks for the reply. In this particular case there was no second unidentified device. This should mean the email alert should not have been sent, which it was.
If one is watching emails and immediately connects to the WiFi Guard computer to mark the unknown device then yes duplicates are not a problem, but I have WiFi Guard set to 5 minutes between scans, so even if I see the first email it's possible to get a second before I've connected to the remote computer and told WiFi Guard to not alert for it. And I have to sleep occasionally, so I've woke to literally hundreds of duplicate alerts on many occasions. A greater interval between scans means a lower probability of capturing the rogue device, unless they're repeatedly attempting to connect.
Changing the WiFi password is far from my first option since many managers use it, and password crackers are readily available anyway. I also have MAC filtering enabled, and with the NetGEAR wireless routers configured as APs it forwards the DHCP request through before checking the MAC allowed list. This means the unknown device is blocked, but I get the notice so I know unauthorized devices are trying to connect. It's one of the ways I have been able to defend the security position that just a password isn't enough. For example, when someone claims that we're a small town so such security is not needed.
There are other ways to achieve 2-factor authentication (what you know, a password; and what you have, like an IP address or a MAC address) than MAC filtering, and we will be migrating to this sometime in the future. It's been in the works for about a year now. It will be username and password authentication (both unique to the user, but they don't change) plus a one-time (for the duration of their session) security code emailed or SMS'ed to the registered user. Much stronger than MAC filtering.
So really WiFi Guard is a temporary solution for us, but it is still worth eliminating the duplicate alerts.
If one is watching emails and immediately connects to the WiFi Guard computer to mark the unknown device then yes duplicates are not a problem, but I have WiFi Guard set to 5 minutes between scans, so even if I see the first email it's possible to get a second before I've connected to the remote computer and told WiFi Guard to not alert for it. And I have to sleep occasionally, so I've woke to literally hundreds of duplicate alerts on many occasions. A greater interval between scans means a lower probability of capturing the rogue device, unless they're repeatedly attempting to connect.
Changing the WiFi password is far from my first option since many managers use it, and password crackers are readily available anyway. I also have MAC filtering enabled, and with the NetGEAR wireless routers configured as APs it forwards the DHCP request through before checking the MAC allowed list. This means the unknown device is blocked, but I get the notice so I know unauthorized devices are trying to connect. It's one of the ways I have been able to defend the security position that just a password isn't enough. For example, when someone claims that we're a small town so such security is not needed.
There are other ways to achieve 2-factor authentication (what you know, a password; and what you have, like an IP address or a MAC address) than MAC filtering, and we will be migrating to this sometime in the future. It's been in the works for about a year now. It will be username and password authentication (both unique to the user, but they don't change) plus a one-time (for the duration of their session) security code emailed or SMS'ed to the registered user. Much stronger than MAC filtering.
So really WiFi Guard is a temporary solution for us, but it is still worth eliminating the duplicate alerts.
Re: Email alerts: when they are sent, and when repeated detections are silenced 13 August 2021, 16:18 |
Admin Registered: 10 years ago Posts: 886 |
I guess we could change the code, so that instead it would keep the status of each MAC address like this:
00:11:22:33:44:55 "EMAIL-SENT"
AA:BB:CC:DD:EE:FF "NOT-SENT"
So after sending an email with that MAC address it would be marked as "EMAIL-SENT", and this MAC address would never be emailed in the future even if detected again. This however can lead to a case where a user may not understand why their e-mail notifications are on, but e-mails are not sent when unknown addresses are found.
Or may be the best of both worlds, add an option at the E-mail tab in the Settings, something like "Only e-mail each unidentified MAC address once". So when it is enabled, after sending an email, WiFi Guard could set their status to "EMAIL-SENT" and not email alerts about them again.
What do you think?
00:11:22:33:44:55 "EMAIL-SENT"
AA:BB:CC:DD:EE:FF "NOT-SENT"
So after sending an email with that MAC address it would be marked as "EMAIL-SENT", and this MAC address would never be emailed in the future even if detected again. This however can lead to a case where a user may not understand why their e-mail notifications are on, but e-mails are not sent when unknown addresses are found.
Or may be the best of both worlds, add an option at the E-mail tab in the Settings, something like "Only e-mail each unidentified MAC address once". So when it is enabled, after sending an email, WiFi Guard could set their status to "EMAIL-SENT" and not email alerts about them again.
What do you think?
Rod
Re: Email alerts: when they are sent, and when repeated detections are silenced 13 August 2021, 16:21 |
Re: Email alerts: when they are sent, and when repeated detections are silenced 13 August 2021, 16:33 |
Admin Registered: 10 years ago Posts: 886 |
We have just added a new setting that may give you the behaviour you want. Please download the latest build, open Settings - E-mail tab, and enable Email unidentified MAC addresses only once.
WiFi Guard will email one alert about each unidentified MAC address. Once the e-mail has been sent successfully, all MAC addresses listed in it will be marked as 'emailed' and not affect the alerts after that.
WiFi Guard will email one alert about each unidentified MAC address. Once the e-mail has been sent successfully, all MAC addresses listed in it will be marked as 'emailed' and not affect the alerts after that.