What should I do about persistent unauthorized access attempts on my Wi-Fi?

Practically, there's almost nothing you can do to stop them.

Unless the user is exhibiting a pattern of abuse (and, let's be clear, you as a single user do not count), KDDI aren't going to do anything. With the terabits of traffic flying around the world, the occasional (even if repeated) pings to your system don't even count as noise. It's one grain of sand on a mile-long beach.

Maybe if the user was spewing gigabits of 'abuse' traffic scanning (and trying to infiltrate) multiple networks, their grain of sand would pile up to be a sandcastle, and KDDI might notice (and maybe even care), but it would have to be a big sandcastle.

For all you know at this point, it's not even a malicious user, but someone that typoed an address when setting up their system and they haven't noticed, but some software on their side is trying to connect.

Unless they're overwhelming your bandwidth, or you think this is truly a directed attack at you, I would just move on. Configure your router to silently block the address and sleep well at night.

Seriously, you're in for a long hard battle and years of high blood pressure medication if you try to trace every single bit of data that hits your network. Just let the software (router, firewall, etc.) do their thing.

Note that

• WEP encryption
• MAC address filtering
• Hiding your network's SSID

do very little to improve actual security.

I remember hearing some years back that it was possible for an attacker to break into a network that used static WEP keys in as little as 40 seconds. MAC addresses can be spoofed, so MAC address filtering might not offer as much protection as you like. Hiding SSIDs doesn't remove them from all packets; any attacker who has a network "sniffer" can still see what SSID your router is using so they can try to join your network.

With WPA, you want the highest version that all your equipment can support, and you want to be using AES keys. I don't know which AirPort Extreme you have, but it looks like

• All of them support WPA1
• All but the first support WPA2
• None support WPA3

https://theapplewiki.com/wiki/List_of_AirPort_Routers

If your AirPort Express is the original one that does not support WPA2, it might be time to consider a newer, more modern router that supports WPA2 and WPA3.

What can you do? Pretty much nothing. virtually every network out there is being attacked almost constantly.

Make sure you keep your router up to date and as locked down as you can.

Port stealth is a bad choice. Messes with network routing.

Same for hidden SSIDs. They only stick out more, to those that are interested enough care, and hide from those that are troubleshooting, and even better will cause all Wi-Fi clients to ping about the hidden SSIDs everybody everywhere.

If you want to restrict which clients can connect RADIUS is your path. MAC spoofing is a thing, too.

As for port scans and such, that’s the background hum of the Internet.

Remote folks poking at the firewall won’t also be poking at your Wi-Fi. Not unless you’re a very interesting target.

Whatever network links you’re using, they’re all going to get poked at.

Firewall gear with link failover capabilities is more expensive, and gear with simultaneous active links yet more so.

I’m often running Ubiquiti gear, which is quite capable. They have models with link failover capabilities, remote security features, and more.

noobDNA wrote:

Out of curiosity, I’m considering deploying Starlink at home to shake things up. Any thoughts on whether it improves or complicates network security?

I suppose some will say it's a political reaction rather than a technical one, but it will be a cold day in Hades before I use any service controlled by Elon Musk. It's bad enough he's already scraped every last bit of usable information out of every US government database he could lay his hands on, I won't willingly give him access to my day to day data stream too...