Linux Wireless Access Point HOWTO

Chapter 11. Tidying up

11.1 Overview of the cleanup process

In this section are a few quick suggestions concerning possible improvements to your Access Point. We will look at tidying up the system, including auditing security, enabling access by serial console, configuring SSH, removing unnecesary modules and turning off unnecessary services.

11.2 Modifying SSHD

SSHD is the daemon used to allow encrypted remote logins. It is an implementation of the Open-SSH protocol suite. We enable SSHD on our Access Point so that it can be securely adminstered from a remote location. Presented here are a several tips for adjusting SSHD for our purposes. For more in-depth information on SSHD and SSH refer to the Open-SSH homepage and the sshd and ssh manpages.

SSHD is configured by the file /etc/sysconfig/ssh/sshd_config. Two modifications that you can make to this file are these;

-Modify the ListenAddress parameter to your wired interface, e.g. ListenAddress 192.168.5.6 The default configuration has SSHD listening on all interfaces. By making this modification SSHD will not accept incoming connections from systems on the wireless network.

-Modify the X11Forwarding parameter to allow X11 Forwarding, i.e. X11Forwarding yes This enables us to tunnel GUI applications running on the Access Point to other systems running X. This is useful for GUI tools like Ethereal or the unfortunately named EtherApe or any others that you care to run on your Access Point but wish to interact with from a remote system.

11.3 Enabling Serial Console access

It's quite likely that your Access Point will be placed somewhere inaccessible, like near your antenna on your roof. It's extremely useful in that case to configure your Access Point so that it doesn't need a monitor and a keyboard, yet is still accessible if for some reason SSH is unavailable.

For this purpose it's a good idea to configure your Access Point to accept connections on it's serial port, following the steps laid out in the Remote Serial Console Howto. Once configured, you will be able to maintain your Access Point by connecting to it with a serial cable attached to another system.

If you intend to use your Access Point without a monitor, keyboard, or other peripherals, it's a good idea to run the KUDZU hardware detection utility after physically removing them. kudzu will remove the missing hardware's configuration, freeing up system resources.

11.4 Auditing system security

Security is always an issue, particularly for a public facing system like a wireless Access Point. It is over to you to ensure your Access Point is secure and that your wired network is not compromised. There is a vast amount of information on security available and a number of tools that you can use to enhance system security. The CIS Scan auditing tool for Linux is a good place to start. While not a complete auditing solution, CIS-scan covers the major host security areas and comes with excellent documentation.

For Redhat 9, I have found that I needed to make the follwing modification in order to get CIS-scan to work;

In the file /usr/local/CIS/tester.sub comment out the line die ("Couldn't determine Linux Release $release_line"); and add two lines directly underneath it. The first should read $DISTRIBUTION = "RH"; and the second should read $DISTRIBUTION_VERSION = $1; and look like this;

   }
   else {
     $DISTRIBUTION = "RH";
     $DISTRIBUTION_VERSION = $1;
          }
}

11.5 Removing unnecessary kernel modules

Chances are your kernel has loaded a number of modules that your Access Point simply doesn't require. These modules use up valuable real estate, in the form of kernel memory. Refer to the Module HOWTO for an in-depth guide to managing kernel modules. Note that it is wise to know exactly what a module does prior to removing it.

11.6 Turning off unnecessary services

Back in Chapter 3 we turned off a number of services. Subsequently we turned a number on as we configured services in this HOWTO. Here is a list of those that you will probably need for the various functions of your system; CROND, DHCPD, IPTABLES ? KEYTABLE ?, NAMED, NETWORK, OSPFD, RANDOM, RAWDEVICES, SGI_FAM, SSHD, SYSLOG, XFS ?, and ZEBRA.

You will of course add and remove from this list depending on the configuration of your Access Point and the services that you wish to offer. It's a good idea to keep the number of services running to a minimum as they use up system resources and can prove to be security vulnerabilities

11.7 Installing and Configuring Aladin for automatic WDS

In this section we will install and configure the Aladin daemon from the Southhampton Open Wireless Network project to enable automatic wireless linking.

Aladin Is a solution for automatically creating WDS links between systems that run this daemon. Note that if you are attempting to connect to another wireless device using WDS but not using Aladin you will need to manually create static WDS links - a process described at SOWN's Linking Page.

Aladin is distributed as source which we need to download from SOWN. Once you have the package, uncompress it, cd into it's directory and build it with the following series of commands;

[root@accesspoint root]# tar -zxvf aladin.tar.gz
[root@accesspoint root]# cd aladin
[root@accesspoint aladin]# make

Once Aladin has been built successfully you will need to edit the pool value in aladin.conf to reflect the network assigned to you by your wireless administrator for WDS links. This should be at least a /28.

Next, copy the binary and configuration files to useful destinations with the following commands;

[root@accesspoint aladin]# cp aladin /sbin
[root@accesspoint aladin]# cd aladin.conf /etc

The following startup script is suitable for bringing up Aladin at boot time. Copy it to /etc/rc.d/init.d/aladin

#!/bin/sh
#
# Example /etc/rc.d/init.d/aladin startup script
#

PATH=/sbin:/bin:/usr/sbin:/usr/bin
PID=/var/run/aladin.pid

case "$1" in
    start)
          echo -n "Starting automatic link addressing daemon: aladin"
          /sbin/aladin -f /etc/aladin.conf
          echo "."
    ;;

    stop)
          echo -n "Stopping automatic link addressing daemon: aladin"
          kill `cat $PID`
          echo "."
    ;;

    restart)
          $0 stop
          $0 start
    ;;

    *)
          echo "Usage: /etc/init.d/aladin {start|stop|restart}" >&2
          exit 1
    ;;
esac

exit 0

Finally, link the startup script to the appropriate runlevel with this command;

[root@accesspoint aladin]# ln -s /etc/rc.d/init.d/aladin.rc /etc/rc.d/rc3.d/S70aladin

Home