LinuxQuestions.org
Help answer threads with 0 replies.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices



Reply
 
Search this Thread
Old 10-30-2007, 05:34 PM   #1
John A. Scrotum
LQ Newbie
 
Registered: Oct 2007
Distribution: Debian 4.0
Posts: 13

Rep: Reputation: 0
Securing a LAN against wireless attacks


I have a small home based LAN that I recently enabled wireless access to. I have done all of the security procedures that my wireless router allows. i.e. Disabled ssid broadcast, enabled wep encryption, etcetera.

I have some concerns about the security of the two Debian boxes that are on my LAN. Chiefly, I am concerned that some hooligan (I like that word) will somehow manage to connect to my LAN via my wireless router. It's a long shot I expect, but I don't want to take chances.

On both Debian boxes I am using TCP Wrappers to control access to services like sshd and ftpd. My /etc/hosts.deny files on both machines are configured as follows:

ALL: ALL : deny

My /etc/hosts.allow files on both machines are configured to allow only the other Linux box to connect to services. So they're configured something like this:

ALL: 127.0.0.1
ALL: 192.168.3.37
ALL: 192.168.3.49
ALL EXCEPT in.ftpd: 192.168.3.137

As a little extra security with sshd, I have decided to use the AllowUsers keyword in my /etc/ssh/sshd_config file. It's configured like this:

AllowUsers user1@linuxbox1.mylan.net user2@linuxbox1.mylan.net

All services that are not needed have been shutdown in /etc/inetd.conf or just plain uninstalled.

I don't really want the bother of installing a firewall on each machine, especially since the entire LAN is already behind a firewall. So I'm not really interested in delving into iptables and NAT. I am wondering, however, if there are any further measures I should take on my two Debian boxes in order to preempt any potential attack which may come in the form of an unwanted wireless connection?

All thanks offered for any and all suggestions and/or ideas.

Last edited by John A. Scrotum; 10-30-2007 at 05:46 PM.
 
Old 10-30-2007, 06:01 PM   #2
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371Reputation: 371Reputation: 371Reputation: 371
Quote:
Originally Posted by John A. Scrotum View Post
I have a small home based LAN that I recently enabled wireless access to. I have done all of the security procedures that my wireless router allows. i.e. Disabled ssid broadcast, enabled wep encryption, etcetera.

I have some concerns about the security of the two Debian boxes that are on my LAN. Chiefly, I am concerned that some hooligan (I like that word) will somehow manage to connect to my LAN via my wireless router. It's a long shot I expect, but I don't want to take chances.
Well, you're off to a bad start. WEP is a hooligan's wet dream (it's extremely easy to crack). You really should upgrade to WPA/2 if possible. WEP is nothing but a tiny speedbump.

Quote:
I don't really want the bother of installing a firewall on each machine, especially since the entire LAN is already behind a firewall. So I'm not really interested in delving into iptables and NAT. I am wondering, however, if there are any further measures I should take on my two Debian boxes in order to preempt any potential attack which may come in the form of an unwanted wireless connection?
Well, the most essential preemptive measure in your case is precisely the one you aren't interested in: host-based firewalls. Installing a HIDS on each box is also recommended, but it's not a replacement for proper firewalling (the same goes for TCP wrappers). Your lack of decent wireless encryption and host-based firewalling seem to me like the two most important issues you are facing at the current time. IMHO, you should address those before doing anything else. Just my

Last edited by win32sux; 10-30-2007 at 06:06 PM.
 
Old 10-30-2007, 06:16 PM   #3
Brian1
Guru
 
Registered: Jan 2003
Location: Seymour, Indiana
Distribution: Distribution: RHEL 5 with Pieces of this and that. Kernel 2.6.23.1, KDE 3.5.8 and KDE 4.0 beta, Plu
Posts: 5,700

Rep: Reputation: 61
Yes WEP is like Microsoft top line of Security. WPA2 with EAP and CCMP is the better choice but still crackable these days. Best thing is run a firewall on each machine allowing only as needed. Best is just ssh only and then portforwarding additional services over ssh. Use passphrase for ssh connection and no passwords. Also set the sshd to not allow root login as well.

Only other help is radius attentication may help some but this would require a cisco unit or linux box with a wireless nic setup as an access point mode.

Brian
 
Old 10-30-2007, 06:21 PM   #4
John A. Scrotum
LQ Newbie
 
Registered: Oct 2007
Distribution: Debian 4.0
Posts: 13

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by win32sux View Post
Well, you're off to a bad start. WEP is a hooligan's wet dream (it's extremely easy to crack). You really should upgrade to WPA/2 if possible. WEP is nothing but a tiny speedbump.
WEP is all that my old router will allow as far as encryption goes. So I'll have to get a new router in order to upgrade to WPA/2.
Quote:
Originally Posted by win32sux View Post
Well, the most essential preemptive measure in your case is precisely the one you aren't interested in: host-based firewalls. Installing a HIDS on each box is also recommended, but it's not a replacement for proper firewalling (the same goes for TCP wrappers). Your lack of decent wireless encryption and host-based firewalling seem to me like the two most important issues you are facing at the current time. IMHO, you should address those before doing anything else. Just my
I'll reconsider iptables. Can you recommend a decent intrusion detection system that is light on resources? I'll Google it in the meantime. Thanks.
 
Old 10-30-2007, 06:26 PM   #5
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371Reputation: 371Reputation: 371Reputation: 371
Quote:
Originally Posted by John A. Scrotum View Post
I'll reconsider iptables. Can you recommend a decent intrusion detection system that is light on resources? I'll Google it in the meantime. Thanks.
Code:
apt-get install tripwire
Debian's Tripwire is the one I use, but honestly I've never really looked into its resource usage. It runs dandily on my 1.2Ghz dinosaur, though. Some other HIDS you might wanna look at: AIDE, Samhain, Osiris, OSSEC, Tiger, Afick, Integrit, etc.

Last edited by win32sux; 10-30-2007 at 06:33 PM.
 
Old 10-30-2007, 08:33 PM   #6
John A. Scrotum
LQ Newbie
 
Registered: Oct 2007
Distribution: Debian 4.0
Posts: 13

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by win32sux View Post
Debian's Tripwire is the one I use, but honestly I've never really looked into its resource usage. It runs dandily on my 1.2Ghz dinosaur, though. Some other HIDS you might wanna look at: AIDE, Samhain, Osiris, OSSEC, Tiger, Afick, Integrit, etc.
Thanks. I've taken a quick look at Tripwire, and AIDE looks interesting too. I'll do some more research on these two and choose one.
 
Old 10-31-2007, 04:42 AM   #7
ledow
Member
 
Registered: Apr 2005
Location: UK
Distribution: Slackware 13.0
Posts: 241

Rep: Reputation: 34
I'm not familiar with your setup but I have just done this myself and, trust me, I'm a lot more paranoid about wireless than most people (and I do understand the technology - I'm a Maths & Computing graduate with more than a keen interest in cryptology). I bought my first WAP less than two months ago. What I did was not take any chances.

I have one Linux machine that has a network card for each interface (1 for LAN, 1 for wireless, 1 for Internet). You can do it one of three ways - you can have a wireless access point plugged into an Ethernet card in the gateway machine, or you can have a wireless card direct in the gateway and run hostapd (or master mode) on it so it becomes an AP in it's own right, or you can have a wireless card in the gateway which connects wirelessly to an AP which IS NOT connected to the LAN (and therefore just passes traffic between it's wireless clients).

I do the last way because as a nice bonus it extends my wireless range without me having to run any network cabling at all outside of my usual LAN. I don't believe in just plonking a wireless access point direct into a trusted LAN structure with an Ethernet cable, though. So I've got ONE gateway onto or out of the network - this PC. Otherwise, with multiple entry points, there's just too much to secure.

The gateway PC sees each network as a distinct network interface with it's own set of IP's. It runs an (heavily audited) iptables firewall to ensure that NOTHING comes in over the wireless or Internet LAN's that isn't allowed (in my case, that leaves just SSH). So connecting over wireless gets you no further than if you were connecting to me over the Internet - and because of the way it's set up you can't connect directly to the Internet from wireless or vice-versa (so I don't get used as an anonymous proxy by the neighbours).

Then, because I REALLY don't trust wireless networks, the only way "into" the actual real LAN is to use SSH (version 2, of course) into this gateway machine - which means you're running SSH layered over the default wireless encryption. Using that, you can set up port-forwards-over-SSH to allow just about anything you want securely (browsing, email etc.).

The only other technology that I'm trusting to run over wireless/Internet (which I ALWAYS treat identically as they are both, in my opinion, untrusted networks) is OpenVPN (an SSL-VPN). I only really use that when I need, e.g. Samba or something on my laptop. On remote PC's, I have one icon for SSH and one for OpenVPN (which are both set up to automatically hunt for and use my USB key for the private key, so I just click the icon, enter my passphrase and I'm in) - I use the SSH icon all the time and occasionally use the OpenVPN icon when it's necessary. Seeing as I connect from inside school networks of Windows machines over the Internet and from my own Linux laptop over wireless, it's remarkably simple to just carry the USB key with me which has versions for all machines (even Mac's) should I need them.

And for the ultra-paranoid, in my network not only is SSH set up be non-root only and large public-keys only, but when you come over wireless it's also layered over WPA2, which also includes MAC restrictions. OpenVPN is set up as large public-keys only - a different set of keys and different passphrases of course. And then we get into silly things like the SSH port is only open to the wireless/Internet from certain selected IP's/MAC's. So you have to basically BE me in order to get on my network. Or my wife. Who has a different set of keys and passphrases. And who took approximately two minutes to get the hang of the system and who uses it (lots) every single day.

I've had the system in place for years but only recently have I actually used it much - for a while I had an ad-hoc wireless network as a toy and did all this work then but only recently have I actually had a WAP and a reason to use wireless - and only recently has wireless brought itself up to a level where I can almost trust it as a fairly-secure entry point.

It took me a little while to get it all set up (most of which was generating and converting keys to different formats and playing with config files etc.) but now it's in place, I have two icons on my desktop (no matter what OS) that allow me to do absolutely anything over wireless or remotely without having any sort of security problems.

Considering that my laptop is an ancient 233MHz thing and I use the same system when I'm working too (from some of the slowest Windows machines you'll ever see over a massively-oversubscribed business broadband line), there is virtually no performance overhead. I happily tunnel into my network from work in order to browse websites that are otherwise unavailable and quite often I've left it connected for the rest of the day because the two-seconds it takes to change it back weren't worth the effort.

What this all means to me, though, is that say a WPA2 flaw is found tomorrow? So what. I've got all the time in the world to patch it. Say my SSH public key (and key passphrase, and probably sudo password too for anything "interesting") is leaked (god forbid)... you've still got to be able to connect to my WPA2 network in order to use it, or be able to connect (with that same information) from one of my whitelist IP addresses (which is much harder than it sounds - I have a crypted portknock for the really paranoid stuff!).

So you have:

Internet
|
Crypted portknock
|
SSH / OpenVPN only from whitelist of IP's (and other pitfalls)
|
Gateway Machine (and therefore LAN)
|
SSH / OpenVPN only from whitelist of IP's (and other pitfalls)
|
Crypted portknock
|
Wireless with WPA2, MAC filtering, etc.

Absolutely MASSIVE overkill, yes, but I don't want people wandering on my private network, even by accident or if they wanted to. Once inside, I don't encrypt my files, the internal LAN has pretty much unfettered access to any ports/files on any wired machine, I have nothing worth knowing but I don't want people in my private space.

So, anyway, my recommendation would be:

- If you haven't already, make sure that any external access comes through only one secure chokepoint (the gateway)
- Check that you have an entire interface for each network and route between them rather than just lumping everything together (by plugging a WAP into an Ethernet socket on your LAN)
- Check that all external access is authenticated and encrypted in AT LEAST one way (SSH, OpenVPN or WPA or preferably one over the other!)
- And check that stray packets from your computers aren't going ANYWHERE except over your secure channels (this took a while to ensure on my system because it's so complex but basically you have to make sure that computers are USING the secure channels/interface that you give them rather than just picking one - e.g. in tests I found that the default Windows firewall/routing had a habit of sometimes allowing traffic "openly" over the wireless interface that should have been routed over OpenVPN via wireless - a rejigging of IP address allocations and a better software firewall on the machine prevented that.). Windows really is terrible for this unless you have an outbound software firewall (i.e. anything but Windows firewall) - the stuff it leaks over a wireless connection is hideous.

I'm probably one of the few people in the world that runs a 10.0.0.0/8, a 172.16.0.0/12 and a 192.168.0.0/16 all in the same building. My DHCP and iptables configs are fantastic. :-) But the fact is that it all works, it's all fast, it's zero maintenance (unless SSH or WPA get cracked, but even then I have time and safety barriers), it's simple to use and it's very, very secure.
 
  


Reply

Tags
lan, security, wireless


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Securing Wireless LAN Notwerk Linux - Wireless Networking 2 07-19-2006 03:55 AM
Securing LAN from a Wireless Intruder jporpilla Linux - Wireless Networking 16 05-22-2006 08:22 AM


All times are GMT -5. The time now is 11:00 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration