Differences between revisions 16 and 17
Revision 16 as of 2004-03-08 11:58:06
Size: 10286
Editor: 198
Comment:
Revision 17 as of 2004-03-08 13:58:33
Size: 17506
Editor: 198
Comment:

Node name: 69th and Woodstock
Live Date: It's live!
Sponsor: Exocet Industries (http://www.exocet.ca)
Contact: Brad Zimmerman, node172@exocet.ca

Equipment Donated

  • Nothin'!

Software Installed

  • Debian Stable, 2.4.25-OW1 kernel.

Network Topology

  • Address: 69.30.71.214
  • Gateway: 69.30.71.1
  • Wireless Address: 192.168.30.1
  • Wireless Network: 192.168.30.0/25
  • DHCP Pool: 192.168.30.2-254.
  • Domain: www.personaltelco.net

Installers / Organizers

  • Brad Zimmerman

Maintenance and System Log

  • This node is UP! As of 2004-03-06, the node is fully functional. However, I am only broadcasting off've a 5.5 dBi magnetic mount omni antenna, so I doubt the range is very significant. I haven't tested yet. The omni is broadcasting from, roughly, the middle of the house. The node is likely to go down for brief periods of time while I move it around and do testing.

Notes

  • Stuff yet to do:
    • Add NoCatAuth splash page and local content.
    • Move the node-on-a-laptop into the garage, mount on a platform near the peak of the garage.
    • Get 10-12dBi omni and mount on top of the garage.

Notes on my setup, from Start to Finish

The Hardware

  • Compaq Armada 1750 laptop: P2/333 w/ 196MB RAM, 6.5GB HD, built-in CDROM and floppy. Two PCMCIA slots. No built-in ethernet port. The specific type of laptop is not important. Any $100-150 laptop off've eBay should be fine. A built-in NIC is nice but is not required and is hard to find on an el cheapo laptop.

  • Senao SL-2511 wireless NIC. I think it's a very good wireless NIC.

  • Xircom Cardbus IIps wired NIC. Any single-height PCMCIA NIC will work but save yourself a headache and get Xircom, Intel or 3Com. Maybe Linksys.

  • 5.5 dBi magnetic mount omni (initially), a $15 buy from http://www.hyperlinktech.com/web/re05u.php

  • Cisco Catalyst 1900 programmable switch. A programmable switch, in my setup, is KEY. You can find one for about $100-120 (or less) on eBay. You don't need a fancy one - mine's just 10Mbit.

  • Some Cat-5 ethernet cable. Free or up to $20, depending on where you get it.
  • You might need some LMR-400 and a pigtail, if you get a fancy (big) omni. Expect to pay about $25 for the LMR-400 and $20 for the pigtail (1-1.5 foot).

Your total cost shouldn't really exceed: $150 laptop, $90 Senao NIC, $20 Xircom NIC, $20 antenna[1], $100 Cisco switch + $20 ethernet[2] + $25 LMR-400[3] + $20 pigtail[3] = $380-500. Spending about $400 gets you a kickass setup. Spending $500 gets you covering many blocks of your neighborhood.

[1] $20-80, depending on what you get. Could be more or less. You can always make a Cantenna for less than $5.
[2] Ethernet cable can be had either cheaply or freely, if you ask on the list or maybe visit FreeGeek in SE Portland.
[3] These items aren't necessary, depending on what sort of antenna you get. These items ARE necessary for a fancy (powerful) setup, though.

I personally picked up the laptop for $50 through my place of work - they were selling off old equipment. The switch was in lieu of payment at a job a few years ago. I have an extra, if anyone is interested. I'll sell it for $80. Since I started out with the RE05U from Hyperlinktech, I didn't need extra cable, pigtail, etc. That little antenna is good enough to get into the houses that "touch" yours. I found the Ethernet cable for free. The Xircom NIC came with the laptop. So my total "cost" was about $250. I couldn't go out and buy a commercially-made AP that would be as configurable or as far-reaching as my setup for $250, so I count myself ahead of the game.

The Software

  • I tried many, many Linux Live CDs. While they are all good, in their own right, none met my specific needs. I finally ended up using the Forked Boot Floppies with XFS support from http://people.debian.org/~blade/ ...I burned a CD of bootbf2_4-xfs_iso.zip and used that to boot up and get the Xircom wired NIC working. This is basically a super-stripped version of Debian Stable. The reason I didn't like the Linux Live (bootable Linux) CDs is because either their install scripts didn't exist or were broken or the CD simply had a bunch of crap that I didn't want. In the end, installing "by hand" and getting the rest via the network was easier.

  • HostAP drivers for the wireless NIC from http://hostap.epitest.fi/ ...All I needed was hostap-driver-0.1.3.tar.gz to get my Senao card to work correctly.

  • The latest Linux kernel. For me, on this setup, that was 2.4.25 from kernel.org. I prefer to grab the whole kernel, rather than patching.

  • I also grabbed openwall.org's awesome security patch for the .25 kernel from: http://www.openwall.com/linux/linux-2.4.25-ow1.tar.gz

  • Stuff via apt-get: sudo, screen, wget, netdiag, dhcp, xinetd, wireless-tools, libglib1.2-dev, libncurses5-dev and probably a few others that I'm forgetting.

  • NoCatSplash, from http://nocat.net/download/NoCatSplash/

The Misc But Important stuff

  • One external STATIC IP address. These notes won't work all the way for people that are doing this off've a DHCP-assigned external/routable IP. You'll need to modify the firewall rules or get some software that auto-modifies the firewall rules. I don't know about any of that, though, and my advice is to just spend the $5-10 and get a couple of static IP's.

The End Goal

My goal was, first and foremost, to provide wireless access to my house. Secondly, that it be secured (locked down) as much as possible without making it cumbersome to use or effectively useless. Lastly, that the world be able to use the wireless to surf and not completely root my boxes at the drop of a hat. I'm altruistic but not naive.

The Process

Setup of the laptop - Installing Debian Linux
  • Burn bootbf2_4-xfs_iso to CD.
  • Get the setup of Debian Linux going. Be watchful: if you need to configure the "Device Driver Modules" the setup will NOT ask you to Configure PCMCIA Support. You need to arrow down the list of "to do" stuff and manually select Configure PCMCIA Support. If you don't do it now, it ain't gonna get done.

  • If you get prompted to set a hostname and configure the Network ("The interface eth0 seems to be a PCMCIA card...") then cardmgr has detected your PCMCIA card and you have network support. If not, go back to the big "to do" list, find Configure PCMCIA Support and try again. Maybe eject/insert your card.
  • Debian will run through the base install now.

  • I don't bother making a boot floppy. Live on the edge. :P

  • After you reboot, Debian will do some post-setup questions. Other than the defaults ...Enable MD5 passwords.

  • At some point, you will need to do Apt Configuration. Are you at work or behind a proxy? If so, enter the proxy information. It's best to use the IP address, not the name of the proxy.

  • You probably do not need to configure another Apt source.
  • Run tasksel. I normally just select laptop system and then "Finish".

  • I don't run Dselect.
  • Debian will grab many MB of software now. This will take a while, depending on your network connection.
  • I tell Debian to ask me before stopping cardmgr.
  • I add a mime handler for less.
  • I select "en_US ISO-8859-1" and "en_US.UTF-8 UTF-8" - looks good to me.
  • In Configuring Locales, I select "en_US".
  • I don't enable IrDA.
  • Debian will install many MB of software now. This will take a while, depending on your machine's CPU/HD speed.
  • I stop PCMCIA support and let the software install continue.

  • When setting up netenv, I usually choose "1" since I'm at home w/ a static IP. 2, I think, is just if you need to modify some settings.
  • For email setup, I usually choose "5" and do it myself, however you may want to choose "1" and put in your domain name, then enter for the next question, then your domain or enter if you already have a dedicated email server, then your non routable local network IP block, then the name of the local user you set up. If you got this wrong, hit "N" to the last question and run through the setup again.
  • Log in as root.
  • Cardmgr may still have your card stopped. If there's no blinky lights on your card, eject and re-insert or do: /etc/init.d/pcmcia stop (and then start).

  • If you're behind a proxy, type: export http_proxy="http://###.###.###.###:####"

  • Now I do my own apt-get update ; apt-get upgrade. It may complain about non-free software.
  • Now I do: apt-get install sudo screen wget netdiag dhcp xinetd libglib1.2-dev libncurses5-dev ...I might have forgotten one or two items, I'm not sure. Note, no commas.

Setup of the laptop - Minor Security Stuff
  • Do: apt-get remove portmap lpr ...You should also do: /etc/init.d/portmap stop ; rm /etc/init.d/portmap

  • One of the first things I do after getting the netdiag package is to do: strobe localhost and find out what's listening on a port. At this point, only port 22/ssh needs to be enabled. Everything else can be turned off.

  • Turn off a bunch of stuff by deleting everything except for "service smtp" out of /etc/xinetd.conf. Comment out service smtp - re-enable it later.

  • Stop/Start the xinetd service (/etc/init.d/xinetd stop/start) and re-strobe your box. You should see many fewer ports open now.
  • If something is still running do: fuser -n tcp ### where ### is the port number. fuser will return a PID, so do: ps aux | grep PID ...Find out what process is running. It probably was started via /etc/init.d/naughty_script ...Find that script and move it or delete it.

  • Your machine is now much more secure - although we have quite a ways to go, later.
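The listener audit above (strobe, then fuser to find the owning process) can also be done from /proc/net/tcp, which shows the same LISTEN sockets without probing. The script below is an added example and is not from the original page: it parses a /proc/net/tcp-format file, reports every listening port that is not on an allowlist (at this stage, only 22), and shows how a socket inode is mapped back to a PID the way fuser does. The sample file it writes is constructed (sshd, portmap, lpd, an smtp listener on loopback and one established ssh session); on a live box pass /proc/net/tcp instead.

```shell
#!/bin/sh
# Added example, not from the original page: audit listening TCP ports from a
# /proc/net/tcp-format file and flag anything outside an allowlist.

SAMPLE=${TMPDIR:-/tmp}/proc_net_tcp.sample

# Constructed sample: sshd (0x0016 = 22), portmap (0x006F = 111), lpd
# (0x0203 = 515), smtp bound to loopback only (0x0019 = 25), plus one
# ESTABLISHED ssh session (state 01) that must not be reported as a listener.
write_sample() {
    cat > "$SAMPLE" <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001 1 00000000 100 0 0 10 0
   1: 00000000:006F 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1002 1 00000000 100 0 0 10 0
   2: 00000000:0203 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1003 1 00000000 100 0 0 10 0
   3: 0100007F:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1004 1 00000000 100 0 0 10 0
   4: D6471E45:0016 0A000001:C123 01 00000000:00000000 00:00000000 00000000     0        0 1005 1 00000000 100 0 0 10 0
EOF
}

# Print every port in LISTEN state (column 4, st == 0A), one per line, sorted.
# Column 2 is local address:port, both in hex.
listening_ports() {
    awk 'NR > 1 && $4 == "0A" { split($2, a, ":"); print a[2] }' "$1" |
    while read -r hexport; do
        printf '%d\n' "0x$hexport"
    done | sort -n | uniq
}

# Print "port inode" for LISTEN sockets; the inode (column 10) is what
# fuser/lsof match against /proc/<pid>/fd/* to recover the owning PID.
listening_inodes() {
    awk 'NR > 1 && $4 == "0A" { split($2, a, ":"); print a[2], $10 }' "$1" |
    while read -r hexport inode; do
        printf '%d %s\n' "0x$hexport" "$inode"
    done | sort -n
}

# Map a socket inode to a PID on a live system (what "fuser -n tcp PORT" does).
# Needs root to read other users' /proc/<pid>/fd entries.
pid_for_inode() {
    for fd in /proc/[0-9]*/fd/*; do
        if [ "$(readlink "$fd" 2>/dev/null)" = "socket:[$1]" ]; then
            echo "$fd" | cut -d/ -f3
            return 0
        fi
    done
    return 1
}

# Print each listening port not in the allowlist; exit status 1 if any exist.
# Usage: unexpected_listeners FILE PORT...
unexpected_listeners() {
    ul_file=$1; shift
    ul_allow=" $* "
    ul_rc=0
    for p in $(listening_ports "$ul_file"); do
        case "$ul_allow" in
            *" $p "*) ;;
            *) echo "$p"; ul_rc=1 ;;
        esac
    done
    return $ul_rc
}

# Stand-alone run against the constructed sample: only ssh is expected.
write_sample
unexpected_listeners "$SAMPLE" 22 || echo "unexpected listeners found (listed above)"
```

Run it as is to see 25, 111 and 515 reported; once portmap and lpr are removed and smtp is commented out of xinetd, the same call returns 0. To chase a leftover listener on a live box, take the inode from listening_inodes and feed it to pid_for_inode, then ps aux on the PID as the steps above describe.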

Setup of the laptop - Upgrading and Patching the Kernel
  • Grab the kernel and openwall stuff. Do: lynx http://www.kernel.org and get the latest 2.4.xx kernel. If you're reading this after, say, summer of 2004, consider getting a 2.6 kernel. I usually wait on a new kernel series until it hits 2.X.10 or better.

  • Grab the Openwall Linux kernel patch: lynx http://www.openwall.com ...Select the "Linux" link. Get the patch for your kernel. If a patch does not exist, get a different kernel. :)

  • Once you have the kernel and openwall stuff, move it into /usr/src and consider reading: http://www.digitalhermit.com/~kwan/kernel.html on how to compile your own kernel. My own basic notes follow.

  • I do a make menuconfig and make sure the Xircom NIC gets the support it needs, along with support for the XFS file system. I usually compile in wireless stuff related to my card, although I don't think it's really necessary. I suggest that you go through ALL the sections, just to see what's there and make sure you don't miss anything. You won't need any crap like USB or whatnot, though, because this is a basic machine and probably not your main Linux box.
  • The biggest stuff is in the setup of the networking options part of the kernel. I use the setup run-through at http://tldp.org/HOWTO/IP-Masquerade-HOWTO/ipmasq-compiling3.1.html#IPMASQ-COMPILING3.1.1 ...do a find on the page for "Code maturity level options". I usually do everything as compiled-in "*" rather than a module "M".
  • Don't forget the extra Security Options, in the main menu. Only the last option should be un-used. Everything else makes your box that much less susceptible to attack.

  • I compile the kernel: make dep ; make clean ; make bzImage ; make modules ; make modules_install ; make install ...You MAY need to run: lilo -v ...in order to get your new kernel to "take". I normally don't have to do this, though. Some people bitch about LILO being insecure or whatever, but that's the least of my worries. If someone has physical access to your machine, the game is already over.

  • I reboot, test the new kernel (next few steps).
  • First, assuming it booted up, make sure you're using the new kernel. Do: uname -a ...Do you see the version of kernel you just compiled listed in that little line? If not, the make install or lilo -v didn't work a few steps ago.

  • Make sure my wired NIC still works. Do: ifconfig eth0. See stuff about your NIC? If so, good. If not, you get to add the correct NIC in the kernel menuconfig area and recompile! Yay!
  • If you compiled in some Prism2 wireless card support, the light on your wireless NIC may be on. On the Senao, it is a steady green light. So that tells me that the system "sees" the card but isn't yet properly configured to work with the card. That's ok. See the next section!

Setup of the laptop - Installing HostAP drivers and using iwconfig
  • I install the hostap drivers now. I followed the instructions at http://hostap.epitest.fi/ "README" ...which is basically, extract the drivers and do "make" and "make install". I got a few errors during the make process, but no show-stoppers.

  • I usually have to reboot in order for the HostAP stuff to start working correctly, although it's theoretically possible to do a "kill -HUP [cardmgr PID]" or /etc/init.d/pcmcia stop (and start). That never really works for me though. Reboots won't kill you. :P
  • After I reboot, I check to see if the wireless NIC seems to maybe be working. Do: ifconfig wlan0. It should return some sort of not-evil-looking-response. If not, probably email the PTP list.

  • I manually configure the wlan0 interface at this point. Later, I will stuff the final info into /etc/network/interfaces. You can check out my example at http://exocet.ca/files/slartibartfast_interfaces. A quick-n-dirty example setup: ifconfig wlan0 192.168.1.1 netmask 255.255.255.0 broadcast 192.168.1.255 ...You shouldn't need to add a route (gateway info) for this new interface.

  • I set the wireless card-specific info now. Do: iwconfig wlan0 mode master channel X essid "www.personaltelco.net"

  • I test the wireless NIC at this point with a known-good wireless client setup (laptop w/ card). If it works, huzzah! I think you're over the hump now. If it doesn't work ...eh, that's what searching via google and asking via the PTP list is for. Don't worry, it took me many times to get it right "the first time."
  • If you're testing your setup with a Win2K or WinXP setup, consider getting Netstumbler from http://www.netstumber.com ...Excellent site-survey and wardriving application.
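To make the manual ifconfig and iwconfig steps survive a reboot they go into /etc/network/interfaces. The script below is an added example, not the interfaces file from the page: it derives the netmask and broadcast from a prefix length (so the broadcast is consistent with the network, which for a /25 is .127, not .255) and emits a static stanza for wlan0 with a pre-up hook that runs the page's iwconfig line. The channel number is an assumption (the page leaves it as X); the ESSID default is the one the page uses.

```shell
#!/bin/sh
# Added example, not from the original page: compute netmask/broadcast for an
# address and prefix length, then emit an /etc/network/interfaces stanza.

# Dotted-quad helpers in POSIX sh arithmetic (no ipcalc needed on a bare box).
ip_to_int() {
    set -- $(echo "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Usage: netmask_for PREFIXLEN           e.g. 25 -> 255.255.255.128
netmask_for() {
    int_to_ip $(( 4294967295 - ((1 << (32 - $1)) - 1) ))
}

# Usage: broadcast_for ADDRESS PREFIXLEN e.g. 192.168.30.1 25 -> 192.168.30.127
broadcast_for() {
    int_to_ip $(( $(ip_to_int "$1") | ((1 << (32 - $2)) - 1) ))
}

# Usage: wlan_stanza IFACE ADDRESS PREFIXLEN CHANNEL [ESSID]
# Prints a stanza ready to paste into /etc/network/interfaces.
wlan_stanza() {
    ws_if=$1 ws_addr=$2 ws_plen=$3 ws_chan=$4 ws_essid=${5:-www.personaltelco.net}
    cat <<EOF
auto $ws_if
iface $ws_if inet static
    address $ws_addr
    netmask $(netmask_for "$ws_plen")
    broadcast $(broadcast_for "$ws_addr" "$ws_plen")
    # HostAP: put the card in AP (master) mode before the address comes up.
    pre-up iwconfig $ws_if mode master channel $ws_chan essid "$ws_essid"
EOF
}

# Stand-alone run: the node's wireless network from the page; channel 6 is an
# assumed value.
wlan_stanza wlan0 192.168.30.1 25 6
```

Because the stanza has no gateway line, no route is added for the wireless side, matching the note above. Any DHCP pool handed out on that interface must stay below the computed broadcast address.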

Setup of the laptop - The Firewall
  • I start setting up the firewall crap about now. I use the script provided at: http://tldp.org/HOWTO/IP-Masquerade-HOWTO/firewall-examples.html#RC.FIREWALL-2.4.X to get me started. You will need to tweak your setup a bit, but you are welcome to use my setup as a working example: http://exocet.ca/files/slartibartfast_firewall_rules ...Note, eth0 is my external (routable IP address) interface, wlan0 is the internal, wireless interface. As you can see, I have enabled the outside world to access, via eth0/69.30.71.214, port 22 (ssh), 25 (smtp) and 80. Everything else is blocked from outside access. From the internal point of view, NOTHING is blocked.

  • If you grab my example and tweak it (recycling is good), you can enable your desired rules by doing: iptables-restore < the_name_of_your_firewall_rules_textfile. Do: iptables -L to see if it "took".

  • Don't forget to do: echo "1" > /proc/sys/net/ipv4/ip_forward ...To enable the firewalling and all that. I often forget to do this and it's annoying.

  • I test the wireless setup again. Make sure it all seems to work ok. If not, you get to tweak your firewall. Consider clearing all the rules via: iptables -F and testing your setup again. If it works NOW, then your firewall needs more tweaking.
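The ruleset the steps above describe (eth0 external with only 22, 25 and 80 reachable from outside, wlan0 internal and unrestricted, wireless clients masqueraded out through eth0) can be written as an iptables-restore file. The script below is an added example and is not the slartibartfast_firewall_rules file from the page: it generates that ruleset from parameters, loads it and enables forwarding, and includes a reset helper for the "clear everything and retest" step. Interface names, network and port list are parameters; the helpers that touch iptables need root and a 2.4.x kernel with the state match built in.

```shell
#!/bin/sh
# Added example, not from the original page: generate, apply and reset an
# iptables ruleset for an external interface plus an unrestricted wireless side.

# Usage: firewall_rules EXT_IF INT_IF INT_NET PORT...   (prints the ruleset)
firewall_rules() {
    fw_ext=$1 fw_int=$2 fw_net=$3; shift 3
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# the wireless side is not filtered at all, as on the page
-A INPUT -i $fw_int -j ACCEPT
EOF
    # one NEW-connection rule per published TCP port on the external side
    for fw_port in "$@"; do
        echo "-A INPUT -i $fw_ext -p tcp --dport $fw_port -m state --state NEW -j ACCEPT"
    done
    cat <<EOF
-A INPUT -i $fw_ext -p icmp --icmp-type echo-request -j ACCEPT
-A FORWARD -i $fw_int -o $fw_ext -s $fw_net -j ACCEPT
-A FORWARD -i $fw_ext -o $fw_int -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s $fw_net -o $fw_ext -j MASQUERADE
COMMIT
EOF
}

# Write the ruleset, load it and turn on forwarding (root only).
# Usage: apply_firewall EXT_IF INT_IF INT_NET PORT...
apply_firewall() {
    fw_file=${FIREWALL_RULES:-/etc/firewall.rules}
    firewall_rules "$@" > "$fw_file"
    iptables-restore < "$fw_file" && echo 1 > /proc/sys/net/ipv4/ip_forward
}

# Open everything for testing. "iptables -F" alone keeps the DROP policies set
# above, which cuts off ssh from outside; set the policies to ACCEPT first.
reset_firewall() {
    iptables -P INPUT ACCEPT
    iptables -P FORWARD ACCEPT
    iptables -P OUTPUT ACCEPT
    iptables -F
    iptables -t nat -F
}

# Quick sanity check on a generated ruleset read from stdin: how many TCP
# ports does it open on the given external interface?
external_ports_opened() {
    grep -c -- "-i $1 -p tcp --dport"
}

# Stand-alone run: the page's layout (eth0 outside, wlan0 wireless).
firewall_rules eth0 wlan0 192.168.30.0/25 22 25 80
```

Load the result with iptables-restore and confirm with iptables -L as above; the state rule is what lets replies to the laptop's own outbound connections back in even though INPUT defaults to DROP.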

Setup of the Cisco Catalyst 1900
  • I set up the Cisco VLAN stuff now. It's actually quite easy, although I don't recall exactly how to do it. I think I selected "[B]ridge Setup or Something or Other" from the main Cisco Catalyst 1900 setup menu. The setup of the VLAN is really a rather important part of the setup here. More next.
  • My main linux box, deepthought, runs my mail, web, ssh, everything. It has two NICs. One, eth0, has the routable (69.30.71.212) IP address. eth1 has the internal IP address (not the same class C as what the wireless uses). The eth1 cable goes into what will be VLAN1. The rest of the computers in the house, on the internal network (192.168.15.0) also get plugged into what will be VLAN1. In VLAN2 goes the DSL router's ethernet cable, my main Linux box's eth0 ethernet cable, and the ethernet cable from Slartibartfast aka the node-on-a-laptop. The outcome of all this: anything plugged into VLAN2 can NOT talk to anything plugged into VLAN1 ...Except via my main linux box, because it's plugged in to both VLAN1 and VLAN2. Security, baby.
  • The wireless setup is basically complete at this point. Some people don't bother with the NoCatSplash stuff, or so they say. I however, wanted the whole deal. However, I haven't completed the NoCatSplash setup, so I can't write about that yet!


[CategoryDocumentation]

Node172 (last edited 2007-11-23 18:02:56 by localhost)