[2024-feb-29] Sad news: Eric Layton aka Nocturnal Slacker aka vtel57 passed away on Feb 26th, shortly after hospitalization. He was one of our Wiki's most prominent admins. He will be missed.

Welcome to the Slackware Documentation Project

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision
Previous revision
Next revisionBoth sides next revision
howtos:network_services:running_an_access_point_from_a_slackware_box [2016/10/23 08:40 (UTC)] – [6.2 Avoid Running Remote Administration 24x7] louigi600howtos:network_services:running_an_access_point_from_a_slackware_box [2022/05/02 11:56 (UTC)] – [10 Conclusions] louigi600
Line 18: Line 18:
                  * AP/VLAN                  * AP/VLAN
                  * monitor                  * monitor
-AP need to be amongst the software interface modes.+AP needs to be among the software interface modes
 + 
 +Ok there is still some Wireless NICs that support hardware master mode but that's 3 against all the rest I'm not going to bother going into any detail with those 3 exceptions, google is your friend if you want to insist in the hardware master mode way
  
 ====== 3 Software Requirements ====== ====== 3 Software Requirements ======
Line 80: Line 82:
 To obtain hostapd you could either download a binary version from some reliable source or compile it from sources. You might be slightly better off compiling from sources, so that you get e fairly recent version, but it's up to you. Just don't try using really old hostapd versions like 0.6.7 on 2.6+ kernels: hostapd has followed the kernel wireless stack drivers and transitioned from only supporting FullMAC devices to supporting SoftMAC on almost all devices trough nl80211. Nowadays the combination of both hardware and driver supporting FullMAC is hard to come by (Prism2/2.5/3, and Atheros ar521x) all the others need to go the SoftMAC way so I suggest ignoring the 2 that could still go the FullMAC way and just go for SoftMAC for all, allowing you to use almost any WiFi card for creating an AP. If you like you can read more about [[http://wireless.kernel.org/en/developers/Documentation/mac80211 |  mac80211 here]]. To obtain hostapd you could either download a binary version from some reliable source or compile it from sources. You might be slightly better off compiling from sources, so that you get e fairly recent version, but it's up to you. Just don't try using really old hostapd versions like 0.6.7 on 2.6+ kernels: hostapd has followed the kernel wireless stack drivers and transitioned from only supporting FullMAC devices to supporting SoftMAC on almost all devices trough nl80211. Nowadays the combination of both hardware and driver supporting FullMAC is hard to come by (Prism2/2.5/3, and Atheros ar521x) all the others need to go the SoftMAC way so I suggest ignoring the 2 that could still go the FullMAC way and just go for SoftMAC for all, allowing you to use almost any WiFi card for creating an AP. If you like you can read more about [[http://wireless.kernel.org/en/developers/Documentation/mac80211 |  mac80211 here]].
  
-Hostapd sources can be downloaded from [[http://w1.fi/hostapd/ | here]], you should be looking at recent stable version (2.last time this article was edited) and avoid the development/old branches.+Hostapd sources can be downloaded from [[http://w1.fi/hostapd/ | here]], you should be looking at the most recent stable version (2.last time this article was edited) and avoid the development/old branches.
 Compiling hostapd is really simple: Compiling hostapd is really simple:
   - extract the sources   - extract the sources
Line 87: Line 89:
   - edit the defconfig file and enable any optional features you need (default is fine for a simple setup)   - edit the defconfig file and enable any optional features you need (default is fine for a simple setup)
   - copy the defconfig file to .config   - copy the defconfig file to .config
 +  - make a softlink for netlink includes (cd /usr/include; ln -s libnl3/netlink .)
   - make   - make
   - make install (or optionally just put in /usr/local/bin just the hostapd binary)   - make install (or optionally just put in /usr/local/bin just the hostapd binary)
Line 396: Line 399:
  
 It should then be possible to restart rc.inet1 (or just rc.inet1 wlan0_down and rc.inet1 wlan0_up) and the client should associate. It should then be possible to restart rc.inet1 (or just rc.inet1 wlan0_down and rc.inet1 wlan0_up) and the client should associate.
 +
 +There's also the command line alternative with wpa_cli in this example we'll assume that your client is totally unconfigured and wpa_supplicant is not running. We're going to do everything on the command line:
 +
 +  # wpa_supplicant -B -W -Dwext -i wlan0 -c /etc/wpa_supplicant.conf
 +  # wpa_cli
 +  wpa_cli v2.4
 +  Copyright (c) 2004-2015, Jouni Malinen <j@w1.fi> and contributors
 +  
 +  This software may be distributed under the terms of the BSD license.
 +  See README for more details.
 +  
 +  Selected interface 'wlan0'
 +  
 +  Interactive mode
 +  
 +  > scan
 +  OK
 +  <3>WPS-AP-AVAILABLE 
 +  > scan_results
 +  bssid / frequency / signal level / flags / ssid
 +  02:0c:42:f9:73:23       2412    -58     [WPA-PSK-CCMP][WPA2-PSK-CCMP][ESS]
 +  a4:51:6f:95:37:b6       2462    -58     [WPA2-PSK-CCMP][WPS][ESS]       Windows Phone0377
 +  00:0c:42:f9:73:23       2412    -62     [ESS]   Insecure-WiFi  
 +  >  add_network
 +  0
 +  > set_network 0 ssid "Windows Phone0377"
 +  OK
 +  > set_network 0 psk "passwordforcrappywindowsphone"
 +  OK
 +  > enable_network 0OK
 +  OK 
 +  <2>Trying to authenticate with a4:51:6f:95:37:b6 (SSID='Windows Phone0377' freq=2437 MHz)
 +  <2>Trying to associate with a4:51:6f:95:37:b6 (SSID='Windows Phone0377' freq=2437 MHz)
 +  <2>Associated with a4:51:6f:95:37:b6
 +  <2>WPA: Key negotiation completed with a4:51:6f:95:37:b6 [PTK=CCMP GTK=CCMP]
 +  <2>CTRL-EVENT-CONNECTED - Connection to a4:51:6f:95:37:b6 completed (reauth) [id=0 id_str=]
 +  > save_config
 +  OK
 +  > quit
 +  #
 +  
 +If all went right and your wpa_supplicant.conf file had 
 +  update_config=1
 +in it the above snippet would have saved the new network to wpa_supplicant.conf and associated you with it.
 +
 +Remember that if you're associating with an non secured AP you need to use this:
 +  > set_network 0 ssid "Insecure-WiFi"
 +  OK
 +  > set_network 0 key_mgmt NONE
 +  OK
 +  >
 +
  
 ==== 4.7.3 Other Linux Distributions Wireless Clients ==== ==== 4.7.3 Other Linux Distributions Wireless Clients ====
-I've tried various other flavor distributions ... most don't use wpa_gui for associating to AP but  some sort of other tool that generally pops up when you click on the icon that notifies the presence of an Access Point. After a few headaches I found that best association success is achieved by forcing setup for hidden AP even if the AP I'm configuring has not the hidden essid.+I've tried various other flavor distributions ... most don't use wpa_gui for associating to AP but  some sort of other tool that generally pops up when you click on the icon that notifies the presence of an Access Point. After a few headaches I found that best association success is achieved by forcing setup for hidden AP even if the AP I'm configuring has not the hidden essid. You can always use wpa_cli on the command line if it's shipped with whatever distro you prefer.
  
  
Line 453: Line 508:
 You can dump dnsmasq's lease file to see the dhcp leases You can dump dnsmasq's lease file to see the dhcp leases
  
-  root@router:~# cat /run/dnsmasq/dnsmasq.leases +  root@router:~# cat /run/dnsmasq/br0.leases 
   1411875361 00:01:02:03:04:05 192.168.0.3 b3bo *   1411875361 00:01:02:03:04:05 192.168.0.3 b3bo *
   1411874427 0a:0b:0c:0d:0e:0f 192.168.0.4 printsrv *   1411874427 0a:0b:0c:0d:0e:0f 192.168.0.4 printsrv *
Line 509: Line 564:
 ====== 6 Remote Administration ====== ====== 6 Remote Administration ======
 I'm not advocating that allowing remote administration from your WAN connection is a good thing but there are times where it may be necessary so here are some tips for minimizing the risk of having your router suffering brute force attacks or other bad things happen to it. I'm not advocating that allowing remote administration from your WAN connection is a good thing but there are times where it may be necessary so here are some tips for minimizing the risk of having your router suffering brute force attacks or other bad things happen to it.
 +
 +I'm an old fashioned system administrator so for me remote administration is done via ssh, if you've added a nice web administration tool to your AP/Router keep in mind that running apache just for the sake of having remote web administration will expose you to a whole lot of security issues that need to be addressed and maintained over time. 
 +
 +  - use non standard ports
 +  - disallow password authentication
 +  - minimize your attack surfaces
 +Let me give you a little reasoning for the list.
  
 ===== 6.1 Use Non Standard Ports ===== ===== 6.1 Use Non Standard Ports =====
-If you've been doing stuff as described here you're going to need to have ssh access to your router, if not whatever you're going to use to do your remote administration make sure it's not going to run on the standard port for it. This at least makes it less obvious that you allow remote administration on your router.+Whatever is your remote administration tool of choice it'a good idea not to leave access to it from WAN on it's well known port, making it less obvious that you run such a service. If you do this there's a good chance that your AP/Router will never get unwanted attention
  
 ===== 6.2 Disallow Password Authentication ===== ===== 6.2 Disallow Password Authentication =====
-Allowing password authentication is a welcome for brute force attacks so avoid it wherever possible (ie for ssh administrations only allow authentication with keys).+Allowing password authentication is a welcome for brute force attacks so avoid it wherever possible (ie for ssh administrations only allow authentication with keys). If you're doing web based remote administration you could send in a key via get and then set a cookie or something like that along with password protected htaccess.
  
-===== 6.Avoid Running Remote Administration 24x7 =====+===== 6.3 Minimize Your Attack Surfaces ===== 
 +Your AP/Router should expose to the WAN connection nothing more then what is really needed. Scanning your own AP/Router and closing or disabling unnecessary services to WAN is something you should allays do so that you minimize the attack surfaces should you ever get unwanted attention. 
 + 
 +==== 6.3.1 Avoid Running Remote Administration 24x7 ====
 If you can have remote administration active only when you need it you're not leaving the attack surface available all the time but then you need an easy way to turn it on when you're away from home. If you can have remote administration active only when you need it you're not leaving the attack surface available all the time but then you need an easy way to turn it on when you're away from home.
-I've means of doing so:+I've two means of doing so:
   * If any family member is home it can be temporarily activated by pressing a specific button on the router itself (it's the second button under the blue led in the images below).   * If any family member is home it can be temporarily activated by pressing a specific button on the router itself (it's the second button under the blue led in the images below).
   * If nobody is home I've modified a 200 line minimal web server (nweb) to listen to requests on a non standard port and temporarily allow remote administration if a specific url is requested.   * If nobody is home I've modified a 200 line minimal web server (nweb) to listen to requests on a non standard port and temporarily allow remote administration if a specific url is requested.
  
-Whichever way the temporary remote admin is enabled it also get's automatically turned off after some time (and the blue led turns off indicating that it's no longer enabled).+Whichever way the temporary remote admin is enabled it also get's automatically turned off after some time (should you ever forget to turn it off once you're done). 
 Nweb is a really basic webserver that only servers static html images and a few archive formats, it does not even allow directory listing. Besides that I have it parse and enable before serving the page ... so if you don't physically have the page that enables the remote administration a 403 is returned anyway leaving no clue as to waht was done in response to that request. Nweb is a really basic webserver that only servers static html images and a few archive formats, it does not even allow directory listing. Besides that I have it parse and enable before serving the page ... so if you don't physically have the page that enables the remote administration a 403 is returned anyway leaving no clue as to waht was done in response to that request.
  
-If you're interested in nweb you can get it by googling "nweb minimal web server". You should hit github with something like nweb23.c with some 204 lines of C code. It should be easy for you to modify the source to match your needs.+If you're interested in nweb you can get it by googling "nweb tiny web server". You should hit github with something like nweb23.c with some 204 lines of C code. It should be easy for you to modify the source to match your needs.
    
  
Line 908: Line 974:
 Over the years I've done several remakes adding some new features. The last upgrade was 8 programmable buttons with indicator leds to carry out arbitrary functions. Over the years I've done several remakes adding some new features. The last upgrade was 8 programmable buttons with indicator leds to carry out arbitrary functions.
  
 +Gen 4
 +{{https://drive.google.com/file/d/1eUGQHDgh0MrcW3Wsph5xU-9kO6KcAOYm/view?usp=sharing}}
 +Gen 3
 {{http://i246.photobucket.com/albums/gg113/louigi600/ARM/piwrap_zpshjjyflm8.jpg}} {{http://i246.photobucket.com/albums/gg113/louigi600/ARM/piwrap_zpshjjyflm8.jpg}}
 +Gen 2
 {{http://i246.photobucket.com/albums/gg113/louigi600/ARM/RPi2_2_zpsytug1dvq.jpg}} {{http://i246.photobucket.com/albums/gg113/louigi600/ARM/RPi2_2_zpsytug1dvq.jpg}}
 +Gen 1
 {{http://i246.photobucket.com/albums/gg113/louigi600/ARM/Seagate_wrapStar_zpsf6047f16.jpg}} {{http://i246.photobucket.com/albums/gg113/louigi600/ARM/Seagate_wrapStar_zpsf6047f16.jpg}}
  
 howtos:network_services:running_an_access_point_from_a_slackware_box ()