My new wireless security setup October 20, 2003 at 12:11 am
So I spent some time this weekend and setup my new wireless security system.
I rid my setup of WEP.. everyone knows that WEP is basically a joke, it’s trivial to crack into a system that only uses WEP. My WAP is now setup with a crossover cable to it’s own NIC in my server/gateway and is on it’s own secured subnet. Plus, 802.11b/g are faster when WEP is disabled too.
First off, I setup default IPtables rules that only allow ssh, web (for authentication.. otherwise you’re screwed) and dns lookups (otherwise browser hangs). There’s also a rule that rewrites any attempts from wireless hosts (on 10.0.1.0/24 net for me) to port 8888 on my webserver on 10.0.1.1. The basic rules that block all the forwarded traffic as well as traffic to the gateway itself are here.
Then, using a simple rewrite rule in apache, we send requests to port 8888 to the auth form:
RewriteCond %{SERVER_PORT} ^8888$
RewriteRule ^/(.*) https://10.0.1.1/wireless_auth [L,R]
RewriteCond %{SERVER_PORT} !^443$
RewriteCond %{REQUEST_URI} ^/wireless_auth
RewriteRule ^/(.*) https://www.miguelito.org/wireless_auth
This rule also makes sure the SSL is used (we’re going to be using usernames/passwords over unencrypted wireless afterall).
Next we have the simple form that asks for username/password, and the script that does the webserver side of the auth and lets the user know if the authentication was ok or not. I also wrote a daemon in perl that looks for expected files, verifies that hosts are still online, and either starts or revokes the network access by calling this script.
I use authentication against an exising imap server running on localhost as I didn’t feel like setting up database stuff, or more intense scripting. I also use files in /tmp which aren’t the most secure of things to do, but I do a few checks on uid/gid of files to make sure users can’t drop files in to spoof the system, plus this is written for my setup… where I’m the only one that actually shells into the system. Most of my family have email on my host, but they all use the Horde’s IMP system to read email. Feel free to play with my stuff to make it more secure (no /tmp stuff) or authenticate against sql/pam/ldap/whatever.
I also put in some syslog bits so that stuff is logged to syslog for admin troubleshooting, and/or also to know when ip/mac pairs are given access or when the access is revoked:
wireless_auth_daemon.pl[26673]: [info] Granted internet access to 10.0.1.252 00:A5:F8:0A:D8:17_
wireless_auth_daemon.pl[26673]: [info] revoked internet access from 10.0.1.252 00:A5:F8:0A:D8:17_
wireless_auth_daemon.pl[27052]: [info] saw file with improper uid/gid: uid: 0 gid: 0_
The last line there is an example of my quasi-security (testing uid/gid) showing a problem and not authenticating the user’s net connection.
Anyway, the setup seems to work really well, I’ve been stress testing it all weekend, and it does exactly what I expect. The time from authentication to net access is only about 10 seconds (I have a sleep 10 in the daemon script) and if a host goes offline, it only takes about 17 seconds max before it’s access is revoked, so the chances of someone spoofing my ip and mac pair to jump on right after I power off a wireless device are nearly nil.
Quick readme/requirements.. the perl modules listed in each script (duh).. simple cpan commands will install them. You’ll also need a dhcp server setup that’s handing out IPs on the wireless subnet. The scripts are partly coded to my setup (subnet 10.0.1.0 netmask 255.255.255.0, gateway is 10.0.1.1) and of course, an apache server on the gateway box. I’m going to redo the scripts a bit to remove the parts that are hard coded to the subnet, and the interface name (mine’s eth2).
If anyone tries this out, and especially if you change/improve it, please let me know. Always interested to see what happens.
Update: Hmm.. just noticed when reading the post that the syslog bits don’t include the timestamp. I’ll need to figure that out.
Ok, so I already wrote a quick date addition to the syslog bits for the daemon.. that was easy:
Oct 20 00:30:54 [wireless_auth_daemon.pl] info: Daemon started up_
I have no idea why all the log entries have a _ after them.