Linux - Security: This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
What is the best way to secure a 802.11b wireless access point??
My current setup involves an Internet connection (with a single static IP address), a linux box with three NIC's (eth0, eth1, and eth2) serving as a router/firewall running ipchains, a LAN segment off eth1 using the 10.0.0.x address space (HUB A), and an additional LAN segment off of eth2 using the 10.0.1.x address space (HUB B). eth0 is used for the Internet connection.
I hung the 802.11b wireless access point off of HUB B (see diagram below), and have the rest of my wired lan tied to HUB A.
Code:
                                         wired lan
              linux box                   |||||||
            +---------+    10.0.0.x    +-------+
 Internet   |     eth1|----------------| HUB A |
(single IP) |         |                +-------+
------------|eth0     |
            |         |    10.0.1.x    +-------+
            |     eth2|----------------| HUB B |
            +---------+                +-------+
                                           |
                                        802.11b
                                      access point
I then set up ipchains to masquerade from 10.0.0.x (eth1) to eth0, from 10.0.1.x (eth2) to eth0, but not from 10.0.0.x (eth0) to 10.0.1.x (eth1). This allows both LAN segments to use the Internet connection, and prohibits any of the wireless devices from seeing any of my wired PCs. I have WEP enabled on the access point and use a MAC address control list. I know both WEP and the MAC address control list can be easily circumvented, so this is why I've physically separated the wired LAN from the wireless access point.
What I need now is some way to authenticate the wireless users to access the PC's on the wired network. Would RADIUS work for this (if so, how?), or is there something else I should use??
describing a method NASA uses to secure their wireless access points. This is exactly what I wanted, but unfortunately it doesn't go into much detail
The article mentions that NASA was using a firewall with three NICs like I have set up, but here's the interesting part (on which I would like a more in-depth explanation of how to set this up):
Quote:
The need for web-based authentication is necessary so that any user running any platform can gain access to the wireless network. Apache (open-source) web server is designed to securely handle this task. The server implements Secure Socket Layer (SSL) for client/server public-and-private key RSA encryption. Connecting to the web server via HTTP automatically redirects the client browser to use HTTPS. This ensures that the username and password entered by a user will not be sent in clear text. To further increase security, the SSL certificate is signed by Verisign, a trusted Certificate Authority (CA), which assures that an attacker is not imitating the web server to retrieve a user's password information.
A website is setup where a user can go to type in their username and password information. This site displays the standard government system access warning and shows the IP address of the user's system (using PHP). Once a user has typed their username and password at the website where prompted, a Perl/CGI script then communicates with a Radius server with RSA's MD5 digest encryption to determine if the information submitted is correct. If the account information matches what is in the Radius database, then commands to allow their IP address, obtained through the Apache environment variables, are added to the IPF access rules. If the user is not found in the Radius database, or if the password entered is incorrect, a web page stating "Invalid Username and Password" is displayed to the user. If everything is successful, the user is notified of their privileged access.
Can anyone out there help me out with this, or at least direct me to some scripts that will perform these functions??
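The flow in the quoted NASA description (web login, a RADIUS check, then a per-IP firewall rule) together with the ipchains separation from the first post, as an added example that is not part of this thread or of NASA's setup: a Python model of the client side of the RADIUS Access-Request/Access-Accept exchange from RFC 2865, a constructed stand-in for the RADIUS server so it runs offline, and a rule generator that only admits addresses from the wireless subnet. The subnets, the shared secret, the user table and the ipchains "forward" chain form are assumptions made here, not values from the thread.

```python
import hashlib
import ipaddress
import secrets
import struct
from typing import Optional

# Constructed values for this illustration (not from the thread or any real deployment).
WIRELESS_NET = ipaddress.ip_network("10.0.1.0/24")   # HUB B, the wireless side
WIRED_NET = "10.0.0.0/24"                              # HUB A, the wired side
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def _attr(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute: type, length (including this 2-byte header), value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def _parse_attrs(data: bytes) -> dict:
    """Decode a RADIUS attribute list into {type: value}; reject malformed lengths."""
    attrs, i = {}, 0
    while i + 2 <= len(data):
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        attrs[t] = data[i + 2:i + length]
        i += length
    return attrs


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-byte blocks, XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator.
    This is keyed obfuscation, not encryption, so the RADIUS exchange itself
    belongs on the wired side of the firewall, never on the wireless segment."""
    blocks = max(1, (len(password) + 15) // 16)
    padded = password.ljust(16 * blocks, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        chunk = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += chunk
        prev = chunk
    return out


def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password, as the RADIUS server performs it."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(ident: int, username: bytes, password: bytes,
                         secret: bytes, authenticator: Optional[bytes] = None) -> bytes:
    """Access-Request: code, id, length, 16-byte random authenticator, attributes."""
    authenticator = authenticator or secrets.token_bytes(16)
    attrs = (_attr(ATTR_USER_NAME, username)
             + _attr(ATTR_USER_PASSWORD, hide_password(password, secret, authenticator)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def fake_radius_reply(request: bytes, secret: bytes, users: dict) -> bytes:
    """Constructed stand-in for the RADIUS server: check credentials, answer with
    Access-Accept or Access-Reject. The Response Authenticator is
    MD5(code + id + length + request_authenticator + attributes + secret)."""
    _code, ident, length = struct.unpack("!BBH", request[:4])
    req_auth, attrs = request[4:20], _parse_attrs(request[20:length])
    user = attrs.get(ATTR_USER_NAME, b"")
    pw = unhide_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, req_auth)
    ok = user in users and secrets.compare_digest(users[user], pw)
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    return header + hashlib.md5(header + req_auth + secret).digest()


def verify_response(reply: bytes, request_authenticator: bytes, secret: bytes) -> bool:
    """Client-side check that the reply was produced by a holder of the shared
    secret for our request, and that it is an Accept (RFC 2865 section 3)."""
    code, _ident, length = struct.unpack("!BBH", reply[:4])
    expected = hashlib.md5(reply[:4] + request_authenticator + reply[20:length] + secret).digest()
    return secrets.compare_digest(expected, reply[4:20]) and code == ACCESS_ACCEPT


def authorize_rule(remote_addr: str) -> Optional[str]:
    """Rule that lets an authenticated wireless client reach the wired segment.
    The address comes from the web server's REMOTE_ADDR, so it is accepted only
    if it lies in the wireless subnet; a wired or nonsense address gets no rule.
    The ipchains 'forward' chain form is an assumption for illustration."""
    try:
        ip = ipaddress.ip_address(remote_addr)
    except ValueError:
        return None
    if ip not in WIRELESS_NET:
        return None
    return f"ipchains -A forward -s {ip} -d {WIRED_NET} -j ACCEPT"


def portal_login(username: bytes, password: bytes, remote_addr: str,
                 secret: bytes, users: dict) -> Optional[str]:
    """The portal's CGI path end to end: send the request, verify the reply,
    and only then emit the allow rule for the client's address."""
    auth = secrets.token_bytes(16)
    req = build_access_request(1, username, password, secret, auth)
    reply = fake_radius_reply(req, secret, users)   # real code sends this over UDP to the server
    if not verify_response(reply, auth, secret):
        return None
    return authorize_rule(remote_addr)
```

Two checks in this model carry the security weight: the Response Authenticator comparison, which is what stops a forged Access-Accept from being believed, and the subnet test on the address the web server saw, which keeps the CGI from ever inserting a rule for a wired or spoofed source. A real portal would also record the rule it added so it can be removed on logout or after an idle timeout; otherwise an address stays open for whoever gets it next from DHCP.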
I've been following the 802.11 insecurity / security discussion for more than half a year now. But w/o practical expertise (haven't got a WAP to play with, nor Netstumbler & a laptop w. antennae) I'd rather quote from a few articles: the NETS Wireless FAQ at http://www.scd.ucar.edu/nets/projects/wireless/FAQ.html and 80211b.weblogger's "Wireless insecurity" at http://80211b.weblogger.com/weak.defense.html, who both point to a VPN solution as a feasible way of securing AP communications.
Then there are a few checklists out there, explaining what stuff you *really* need to customize when working with a WAP and clients. One of them is at http://www.extremetech.com/article/0...D13880,00.asp, go to "Tips for securing your Wireless Network." You will also want to look into "802.11 Security Vulnerabilities" at http://www.cs.umd.edu/~waa/wireless.html; glancing at your setup, you covered the separation thingie already.
Anyway, HTH somehow.
NETS:
"Use Layer 3 security. The limitations of WEP security are most effectively overcome by using an IPSec or VPN gateway.
An easy way of setting up this type of environment is to turn off all 802.11 security. The wireless subnet is then configured without a normal router. Rather, all users are required to log in to the IPSec or VPN gateway to get access to the rest of the network. This provides all of the additional security features that WEP does not provide.
Individual accountability and severability.
Since each user logs into the gateway with their own username and password, it is possible to trace any malicious activity back to a specific login. In addition, individual logins can be disabled without affecting other users.
Protection from sniffing.
Since each user has their own encrypted session with the gateway, it is not possible for the users to sniff each others traffic.
No severe protocol holes.
Current VPN and IPSec protocols do not suffer from the large design flaws present in WEP."
80211b.Weblogger:
"Existing solutions: 1. Use secure protocols for all communication. SSH (secure shell) has been expanded for use beyond telnet-like terminal sessions; like SSL (secure sockets layer) isn't just for Web transactions. Eudora, Outlook, sendmail, Exchange, and other software support SSH or SSL for encrypted transactions. 2. Locate all access points outside firewalls and require VPN (virtual private networks). Virtually (no joke intended) all access points support passing the PPTP and IPSec secure protocols. By locating the access points outside a company or personal firewall, you ensure that a cracker will still have to pass that barrier, even if they access your hub. The VPN encrypts all traffic between the source and destination network, keeping any plain text traffic from ever leaving your machine."
I have a lan with 30+ users. It is currently on one end of a wireless network device.
The Linux box on the other end is connected to an ADSL line and is providing NAT and firewall to the Internet, as well as DHCP to the boxes on the LAN.
I do not want to allow wireless hackers to access my lan, or snoop the traffic going to the internet or coming back.
I have the resources to add another linux box on the lan side of the wireless.
What do I need to use for the connection?
I am thinking of SSH, and only allowing the Linux box on the LAN side to access the Linux box on the Internet side.
David, I have a pet project I'm going to run in the next few weeks, for the neighbours of my flat I've just bought, using 802.11b
These are my plans.
I'm installing a 2mbit ADSL line, then upgrading to SDSL in 2002
Buy a Nokia wireless router, "the best at performance for WEP".
To improve security I'm going to do the following.
Run my own POP, so it's on a LAN not over WEP.
Run my own DNS, " "
Then a Linux 7.1 box with Firewall and 3 NIC's
1 for my Home lan systems
1 for DSL link to router
1 for Lan and wireless NAT addresses.
Then I'll firewall off all the correct addresses.
All connections from my home Linux internal systems will have VPN link to my research labs at work using IPSEC with RH7.1
So the only traffic that can be sniffed "easily" is WEP 128bit encrypted packets between the NAT PC's and the Nokia Router.
There are security issues with WEP but 98% of hackers would not have the abilities to read anything from the encrypted stream.
All Cat5 based connection will have rules on the firewall to stop sniffing and switches with mac flood protection to make it harder for internal people to do it.
--------------
For what you're looking to do I suggest using SSH to admin any Linux boxes, but for all connections between trusted systems, link them together with a VPN using IPSec on a 2.4 kernel.
We have VPN on our Win2000 boxes to connect to a company network; I have set up the ADSL to work with VPN, I believe. To test it I have to get a digital certificate from the company, which I am waiting for now. Then I will be trying to use VPN masq if I can get it working.
I am going to look into the vpn for linux now. I saw something on a server / client solution for linux but I did not figure out what I need just yet.
Right now I still have the DNS server on the adsl side, should I put it on the lan side?
I would put a cached DNS "Bind" server on the CAT5 LAN.
Then you'll get a small improvement in performance, plus a more secure network, as only one system will be requesting its UDP lookups to the named unicast root DNS Internet addresses.
Just remember to allow incoming UDP source port 53 from SYN ACK flagged TCP/IP packets not SYN flag requests.
Not forgetting tcp_syncookies protection on the firewall for the server.
If you're going to run a primary authoritative DNS, then there are lots of different security issues you'll have to beware of.