LinuxQuestions.org
Share your knowledge at the LQ Wiki.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 08-15-2006, 10:25 AM   #1
144419855310001
Member
 
Registered: Apr 2006
Distribution: ubuntu 7.04
Posts: 219

Rep: Reputation: 30
Securing *my end* of an open WLAN


I am using a public access wireless network in order to access the internet on my university campus. It is an open network / has no encryption.

Given that I have *no* control over the network itself, is there anything I can do (on my part) to make my connection to the internet safer?

Somebody mentioned "OpenSSH" (or whatever) to me. Would it be appropriate in this case? Can anybody suggest any measures to me / point me in the direction of a *good* howto?

(Plain English, please! I don't really know what I'm doing)
 
Old 08-15-2006, 11:23 PM   #2
bulliver
Senior Member
 
Registered: Nov 2002
Location: British Columbia, Canada
Distribution: Gentoo x86_64; FreeBSD; OS X
Posts: 3,762
Blog Entries: 4

Rep: Reputation: 78
Define your needs better. What exactly are you wanting to do? What do you mean by 'safer'?
Encryption will only help if you are talking to a computer that understands it...

You really must resign yourself to having no privacy if you must use a public/unencrypted connection. Do not send any info over this link that you would not allow _anyone_ to access.

If doing a CC transaction or whatever make damn sure the other connection is secure and using SSL (almost any reasonable online retailer will have this...look for the 'lock' in your browser).
 
Old 08-16-2006, 08:43 AM   #3
144419855310001
Member
 
Registered: Apr 2006
Distribution: ubuntu 7.04
Posts: 219

Original Poster
Rep: Reputation: 30
Quote:
Define your needs better. What exactly are you wanting to do? What do you mean by 'safer'?
I don't really know. I was just fishing for ideas.
Quote:
Encryption will only help if you are talking to a computer that understands it...
I know: it is an open network, as I said. Nothing I can do about that. I was just wondering if any alternative measures could be taken.

However, the reason I started this thread was because somebody mentioned this to me (on this other thread: http://www.linuxquestions.org/questi...=470452&page=2)

Quote:
For working in a public hotspot, you can protect yourself by using a VPN or an SSH tunnel. For the VPN, you have a couple of choices. There are companies who will provide VPN services (I can't bring myself to trust someone else with that) or you can use a router with VPN endpoint. You'd connect to home via VPN and to the world from there. Similarly, if you have an SSH server at home, you can tunnel in and Internet out from there. I use the latter. There are many HOWTOs around for setting up VPN or SSH.
This guy recommended I look into SSH tunneling. Is this appropriate for the sort of open network I'm using? Or is this really only for home usrs who own their own router?

Thanks
 
Old 08-16-2006, 11:06 AM   #4
ledow
Member
 
Registered: Apr 2005
Location: UK
Distribution: Slackware 13.0
Posts: 241

Rep: Reputation: 34
The trouble is that your connection to the net is insecure... that's quite unusual and you are usually quite confident that the ISP you use aren't going to be sniffing EVERYTHING that you do. Secure connections are the only guarantee that you won't be heard but having a "partially trusted" connection like a modem, cable etc. is useful to help the way along. With wireless, any idiot in a few hundred yards can read EVERYTHING you send/recieve the Internet and probe your machine.

However, the way around is, of course, encryption.

The problem comes when most packets on the internet are not encrypted (HTTP, FTP, POP3, STMP, etc.etc.etc.). Therefore you can't talk "encrypted" to them and so you have to talk plaintext.

This is where your problem lies... you can't just "encrypt" everything and still talk to remote HTTP sites (unless they are also HTTPS "secure" sites), but equally you need to encrypt SOMEHOW or anyone with a wireless card in a large range of you can read the websites you surf, the files you upload etc.

You can either: only ever talk encrypted (harder than it sounds as you won't be able to "hide" things like DNS lookups for the websites you visit) or implement a secure tunnel so that all the insecure stuff is encrypted and then decrypted "somewhere else" where it's not as easily sniffed (i.e. a landline connection of some sort, or a remote server etc.) from which it reaches the websites you want to look at etc.

This would require a PC under your control or with permission for you to use which will accept the other end of the VPN "tunnel" and access websites on your behalf - a proxy effectively.

If you have a server hosted elsewhere, you could use that (Look at OpenVPN etc.), otherwise you would have to set one up (e.g. by leaving a computer on somewhere that has a permanent Internet connection and running OpenVPN or similar), rent one, use a service that allows you to set up a tunnel to an external company (there are a few of these but they can be expensive), see if your univeristy has one you could use (quite probable but they would be the ones to ask) or let *all* your plaintext Internet communications be seen by any fool with a wireless card that can see the university network (including websites you visit, emails you send, etc.).

Personally, I'd ask the Uni if they are really serious about students using an open, unencrypted wireless network - if they say yes, then study elsewhere, especially if you are studying computing.

If they can't/won't help, then you will need to set up a tunnel, which involves renting/owning a PC somewhere in the world that has an Internet connection over a more secure medium (such as a modem, broadband, etc.) and connecting to it using VPN software.

I'm an ICT Technician and I use SSH and OpenVPN throughout the day to connect to various machines (not all of whom can be trusted to be secure, e.g. spyware, malicious users etc.). In these circumstances I ALWAYS use a tunnel back to my own private connection at home.

This is also my connection of choice when using wireless connections - no matter whether the access point I'm using at a customer's site is encrypted or not, I can connect (encrypted) back to my home PC and use my home broadband connection to browse the web without having to worry who's looking. And I didn't have to worry when WEP was broken or if/when WAP will be broken, the SSH is my ass-coverage and is religiously updated.

I have nothing to hide (I work for schools and my job requires me to download certain utilities when at a customer's site and that's the only time I need to use it), but I wouldn't use an unencrypted wireless channel for anything. A piece of advice - never EVER use an insecure wireless connection (that includes WEP encryption as well as unencrypted) in range of any students with a PC and never use one in any other circumstances anyway.

In summary, you need another endpoint to form an tunnel.
 
Old 08-16-2006, 12:39 PM   #5
bulliver
Senior Member
 
Registered: Nov 2002
Location: British Columbia, Canada
Distribution: Gentoo x86_64; FreeBSD; OS X
Posts: 3,762
Blog Entries: 4

Rep: Reputation: 78
Quote:
This guy recommended I look into SSH tunneling. Is this appropriate for the sort of open network I'm using? Or is this really only for home usrs who own their own router?
Yeah,

as you may have gathered from ledow's response, a VPN or SSH tunnel is only good if you are trying to contact a particular remote host that is set up to recieve you. For instance, a fellow at home connecting to the servers at work. It is not useful for general internet browsing...
 
Old 08-17-2006, 09:57 AM   #6
144419855310001
Member
 
Registered: Apr 2006
Distribution: ubuntu 7.04
Posts: 219

Original Poster
Rep: Reputation: 30
Thanks for the response.

Quote:
Personally, I'd ask the Uni if they are really serious about students using an open, unencrypted wireless network - if they say yes, then study elsewhere, especially if you are studying computing.
Well, what they do have once you've connected to the network is a login screen before you can begin browsing. Once you open a web browser, you are prompted to log in as you would be on a normal library workstation before you can use the internet. That's all.

Quote:
as you may have gathered from ledow's response, a VPN or SSH tunnel is only good if you are trying to contact a particular remote host that is set up to recieve you. For instance, a fellow at home connecting to the servers at work. It is not useful for general internet browsing...
Quote:
If you have a server hosted elsewhere, you could use that (Look at OpenVPN etc.), otherwise you would have to set one up (e.g. by leaving a computer on somewhere that has a permanent Internet connection and running OpenVPN or similar), rent one, use a service that allows you to set up a tunnel to an external company (there are a few of these but they can be expensive), see if your univeristy has one you could use (quite probable but they would be the ones to ask)
Alas not. I'm a student and am cash strapped! I don't have a spare server lying anywhere unfortunately, and this is my only means of connecting to the internet on my computer.

Quote:
or let *all* your plaintext Internet communications be seen by any fool with a wireless card that can see the university network (including websites you visit, emails you send, etc.
I'll just have to risk that then, and make sure I never use anything sensitive over the wireless connection, e.g. credit card numbers. Any malicious network sniffer, though able to read my communications, wouldn't be able to hack into my laptop through this would they?
 
Old 08-17-2006, 11:39 AM   #7
ledow
Member
 
Registered: Apr 2005
Location: UK
Distribution: Slackware 13.0
Posts: 241

Rep: Reputation: 34
Quote:
Originally Posted by 144419855310001
I'll just have to risk that then, and make sure I never use anything sensitive over the wireless connection, e.g. credit card numbers. Any malicious network sniffer, though able to read my communications, wouldn't be able to hack into my laptop through this would they?
Anything you do over a secure HTTPS connection (e.g. banking etc.) will be encrypted and therefore quite safe. Your email (depending on your setup), including your email password may not, your FTP passwords, Instant Messaging logins (some of them at least), knowledge of every site you visit (because your DNS lookups will be traceable even for HTTPS sites) and even your login password for this "gateway" website or other university services won't be safe either, unless it's encrypted in some way.

Hence why it's such a diabolical system for the uni to run. Someone, somewhere who works for the univeristy will know this... find them and ask them what you can do, what you are at risk of, etc. They will know better than anyone.

What you are doing by joining a open, unencrypted wireless network is "plugging" a network cable into your machine and not knowing who or what is on the other end (even in the Uni buildings you're *quite* safe because of the monitoring usually done on such networks). Because you're using that "cable" for Internet, someone from the Internet can see you and theoretically monitor every packet you send, but in a trivially easy way rather than having to work at it like they would have to to monitor an "ordinary" connection (e.g. home broadband etc.).

Re: Them attacking you - yes it's perfectly possible, in fact almost certain. Make sure you have a decent firewall *minimum*. Keep up to date with software. Disable files shares etc. Don't run vulnerable programs. All the usual stuff. If nothing else, you are on a shared network will all those other smelly students who will almost certainly have a copy of every virus/spyware etc. known to man accumulated on their un-kempt machines. And that's before you consider if one of them actually bothers to see what they can find by poking around the network (Trust me, every CS student will do this at one time or another).

Personally, put in such a situation, I would check facts with the IT department and if they are complacent about the security of your information, lodge an official complaint. Fortunately, my Uni was not only very well informed on all matters (with 3 officially supported OS including Linux and MacOS) and funded but were extremely keen to stay on top of things like this, so I never needed to.

Of course, it may well be that they have certain systems in place to combat the above but it doesn't sound at all likely - it sounds like anything that's not in HTTP will not get tunnelled at all - thus leaving the primary causes of virus infection and propogation (open network shares, non-firewalled computers) open to attack.

In your position... I wouldn't use it until I was certain. My data is just too important to expose to such an open network - if you are writing your Uni notes and coursework on your laptop, think what would happen if you lost it all because you connected to their network.
 
Old 08-18-2006, 07:44 AM   #8
144419855310001
Member
 
Registered: Apr 2006
Distribution: ubuntu 7.04
Posts: 219

Original Poster
Rep: Reputation: 30
Quote:
Don't run vulnerable programs.
Such as? (what do you mean exactly?)

Well, perhaps you could help me to come up with some work-arounds in the mean time.

[Even if I did convince them to make changes, the infrastructure is so big that it would certainly take a few weeks (plus the time for the beaucracy that would go with any administrative change: the IT technician would have a meeting with the university's senior administrator in order to schedule a meeting for the technology department, which would then contact the services department, who would contact their subcontractors, who would contact *their* subcontractors, who would have a conference to discuss what sort of biscuits should be provided for the meeting for the organization of a departmental meeting... it goes on). Would be at least a few weeks even if I suceeded. ]

Perhaps I could create a new user ultra-restricted user account to surf the internet with, who would only have permissions to use the web browser and port 80. (They would need sudo access to iwconfig, ifconfig and neat in order to activate the wireless card though).

What do you think? Any other suggestions?

Last edited by 144419855310001; 08-18-2006 at 07:48 AM.
 
Old 08-19-2006, 09:19 AM   #9
mrclisdue
Senior Member
 
Registered: Dec 2005
Distribution: Slackware
Posts: 1,135

Rep: Reputation: 277Reputation: 277Reputation: 277
I may be missing the boat as far as what you're attempting to accomplish on your end, but if privacy/anonymity is a concern, then TOR may be of use to you:

Code:
tor.eff.org
cheers,
 
Old 08-24-2006, 05:06 AM   #10
144419855310001
Member
 
Registered: Apr 2006
Distribution: ubuntu 7.04
Posts: 219

Original Poster
Rep: Reputation: 30
Quote:
tor.eff.org
It's not directly relevant, but still a very useful link
Thanks
 
Old 08-24-2006, 08:47 PM   #11
jiml8
Senior Member
 
Registered: Sep 2003
Posts: 3,171

Rep: Reputation: 116Reputation: 116
I use ssh tunneling all the time.

My workstation runs an ssh server and an HTTP proxy (privoxy) which is always open to my LAN, and when I connect my WinXP wireless laptop to my lan (like right now) I only talk on the internet via an ssh tunnel to the HTTP proxy that is run through my workstation. Thus, though I am sitting in the family room with my laptop in my lap, my only connection is with my workstation via ssh. The workstation has a wired connection to the internet through a router and this way I can browse wireless without my neighbors being able to monitor my connection.

When I am traveling with the laptop, I forward a port from my router to my workstation, thus enabling external (WAN) connections to my workstation. So, when I sit down in a coffeehouse someplace, I establish a tunnel to my workstation and do all my browsing that way.
 
Old 08-24-2006, 08:53 PM   #12
jiml8
Senior Member
 
Registered: Sep 2003
Posts: 3,171

Rep: Reputation: 116Reputation: 116
Quote:
Alas not. I'm a student and am cash strapped! I don't have a spare server lying anywhere unfortunately,
You don't need much to function as the other end of the tunnel. Pick up some obsolete box with a 500 MHz processor for $25 and install Linux in it. Make it a fairly minimal system; just make sure it has network access and runs OpenSSH.
 
Old 08-25-2006, 08:33 AM   #13
144419855310001
Member
 
Registered: Apr 2006
Distribution: ubuntu 7.04
Posts: 219

Original Poster
Rep: Reputation: 30
good suggestion.
A cheap CPU I can manage (people give old ones away all the time), but I'll have to see if I can find a cheap router somewhere.

thanks.
 
Old 08-26-2006, 07:13 AM   #14
144419855310001
Member
 
Registered: Apr 2006
Distribution: ubuntu 7.04
Posts: 219

Original Poster
Rep: Reputation: 30
Or, plan B... make good friends with someone with a router running linux with an unnecessarily fast internet connection!

(...who won't mind me tunneling into his computer and borrowing some bandwidth).

I think this one might be cheaper
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
securing a wlan mane.x Linux - Security 17 08-14-2006 05:03 PM
LXer: Open source project may help end homelessness in Toronto LXer Syndicated Linux News 0 08-12-2006 06:33 AM
LXer: Lenovo embeds Linux in high-end and low-end notebooks LXer Syndicated Linux News 0 08-10-2006 11:21 AM
Newbie, no wlan, no chars in open office,no usb modem recognition..HELP pls blekman SUSE / openSUSE 1 09-19-2005 07:51 PM
need help with securing open ports forand Linux - Security 1 05-11-2002 04:16 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 04:44 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration