Setting up an All-Linux Wireless LAN
If you've been to a Linux conference lately, you've probably seen a lot of people with wireless network cards, happily checking their e-mail while they sip refreshing beverages. The 802.11b, or “WiFi”, cards are really cheap, convenient and well supported under Linux.
If you want to do wireless networking at home, though, just plugging in a base station might not be too smart. Even with the largest key sizes, the badly named Wired Equivalent Privacy (WEP) encryption protocol that WiFi uses is vulnerable to people walking nearby—for large values of “nearby”. Security consultant Peter Shipley reports connecting to WiFi networks 25 miles away using a directional antenna. And as little as half an hour of intercepted traffic could be enough time for someone to break WEP and get on the Net using your base station (see Resources).
You can do some things to make WEP stronger, but it's inadequate as protection. (Adobe Systems, Inc. reportedly shut down all their WiFi base stations after they got the government to arrest programmer Dmitry Sklyarov. They may be trying to set software and free speech back 500 years, but they aren't stupid.)
The threat to WiFi is not that people might read your data—you're using ssh and SSL to protect sensitive information anyway. The threat is people using the network you're responsible for to do bad things. If a spammer or a script kiddie gets on the Net using your base station, it's almost impossible to find him or her. Who gets the blame? You do.
If you do decide to provide public connectivity via 802.11b, that's mighty neighborly of you. Get a separate net connection, put up a base station, join the relevant mailing lists and have fun. If someone uses your public base station to send spam or break into people's computers, and your ISP cancels the account, you'll still have your regular net connection.
So if off-the-shelf base stations are bad, what's the alternative? How about an old laptop? In case you haven't noticed, prices are coming down, and you probably can get a new laptop with half a gig of RAM and a 1600 × 1200 display for about eight dollars by the time you read this. So treat yourself to a new laptop and convert your old one into the base station. The on-line auction sites also have made damaged laptops really cheap. Busted hinge? Missing battery latch? Might not be the best thing to carry around, but with a little duct tape, there's your base station.
I put Debian on mine because it has packages for all the software mentioned in this article and a good automatic upgrade system. But any current distribution will work. (I didn't have to compile anything from source or reboot to do this article, although I did reboot a couple times after configuration to make sure everything came up in the right order.)
I shouldn't have to say this, but buy WiFi cards that are well supported by your distribution of choice. I got a pair of Orinoco cards.
Since your base station will be exposed to anyone who walks by with a WiFi card, take a few basic administration and security measures (which apply to any internet server) before you plug the card in.
First, forward root's mail to your real e-mail address, so important messages don't go unread.
Check that log rotation is working and that plenty of space is available in /var/log.
Configure the mailer dæmon to listen only on the loopback interface.
Set up either ntpd or a cron job to run ntpdate, so all times in the logs will be correct.
Remove all unused software, and apply any security fixes or updates.
Copy your main ssh key into .ssh/authorized_keys2 in your home directory on the base station, so that you never need to send your password over the Net, even encrypted. Configure sshd to refuse passworded or root logins.
Make sure you are subscribed to the security mailing list for the distribution the base station is running.
Finally, run Nmap against the base station from outside to make sure that no unnecessary services are running. From outside you should see ssh and that's it.
Just in case your base station does get compromised, make sure that no information or keys on the base station would help people get into any of your other systems. For example, accounts on the base station should not have ssh keys.
In this article, I use 10.2 addresses for the underlying WiFi, and 10.3 addresses for the VPN. Now it's time to get on the air.
The actual order of eth0, eth1 numbering depends on the order in which the drivers are insmod-ed, and the cardmgr dæmon probes the slots in order on boot. On my laptop (now base station) the WiFi card and conventional Ethernet card will only fit if the WiFi card is in the top slot, slot 0. That means that my WiFi interface is eth0, and my regular Ethernet is eth1.
By default, when you boot the base station, the PCMCIA script will start the cardmgr dæmon and possibly exit before all the cards are initialized. If you're running a server of any kind, this is not what you want to happen. All the interfaces should be up before dæmons try to start. Pass the -f option to cardmgr by putting it in the PCMCIA init script or configuration file; on Debian it's /etc/pcmcia.conf (see Listing 1). Below is /etc/pcmcia/wireless.opts:
# use "Ad-Hoc" mode to act as a base station. # Set your own ESSID. case "$ADDRESS" in *,*,*,*) ESSID="wifi.ssc.com" MODE="Ad-Hoc" ;; esac
To check your work, do an ifconfig and an iwconfig on the base station, and make sure the information is correct. Make sure that you can still log in to the base station over the regular Ethernet.