Category: Network Services

Dealing with WPA2, WEP-only devices, Ubuntu and DD-WRT

If you have a WLAN router that runs DD-WRT (or OpenWRT), you probably want to protect your wireless LAN with WPA2. However, some devices only support WEP (for instance, some old wireless NICs either don't support WPA at all or don't support it under Linux; the D-Link G520+ is one such example).

It’s possible to run WPA2 and WEP for different devices at the same time

First, it’s important to know that you can set your router to support WPA2 and WEP at the same time. If you use DD-WRT, you can go to Wireless / Basic Settings and create two networks - a primary one (it will be used for WPA2), then add a “virtual interface” and set it to another SSID.

Then go to Wireless / Wireless Security and set WPA2 Personal (or whatever you like) for the primary interface and WEP for the virtual interface. Set the passwords as you like. Make sure that the credentials are very different, because a WEP key can be recovered within minutes by anyone in radio range with freely available tools, and it must not give away the WPA2 passphrase.

Now, you have configured:

  1. a secure way to connect (your WPA2 network)
  2. an insecure way to connect that can be cracked easily (WEP network)

Introducing VPN for the WEP network

To secure communication on the WEP network, we will use a VPN. First of all, we define a new subnet for our WEP network:

“Wireless” / “Basic settings” / Virtual interface wl0.1: Choose

  • AP isolation: enabled (clients on this interface can then only talk to the router, not to each other, so someone who cracked the WEP key can’t attack the other WEP devices through the access point)
  • network configuration: unbridged (otherwise the WEP WLAN would be connected to your default one)
  • multicast forwarding: disabled
  • masquerade / NAT: disabled
  • IP address: your router’s IP address in the new subnet (shouldn’t be an existing address), for instance 192.168.2.1
  • subnet mask: for instance 255.255.255.0 (choose another one only if you know what it is)

Then activate the VPN server: “Services” / “VPN” / “PPTP Server”:

  • PPTP Server: enable
  • Force MPPE encryption: enable (this ensures that the tunnel is actually encrypted; without it the VPN adds no security at all)
  • Server IP: use the IP address of the wl0.1 interface (in our example: 192.168.2.1)
  • Client IPs: use an IP range from your default subnet, but outside the DHCP range. For instance, if your normal network uses 192.168.1.* addresses (default) and the DHCP server hands out addresses beginning at .100 (default), you could use “192.168.1.20-192.168.1.49” for this setting. That gives 30 addresses for VPN clients and doesn’t collide with DHCP leases.
  • CHAP secrets: enter at least one line in the format “username * password *” (without the quotes but with the asterisks; replace username and password with your values).

VPN client on your WEP-only device (assuming it’s running Ubuntu Linux 10.04):

  • Connect to the WEP network, but set the IP address for the connection manually (for instance, 192.168.2.2 with netmask 255.255.255.0 in our example; there is no DHCP on the unbridged interface)
  • In the network manager, create a new VPN connection. Use these settings:
    Gateway: your VPN server’s address (the wl0.1 address, 192.168.2.1 in our example)
    User name and password as set in CHAP secrets
    Advanced: Use point-to-point encryption (MPPE), security: 128-bit (most secure)
  • Then you can connect to the VPN as soon as you are connected to the WEP network.
  • Once you are connected to the VPN server, your traffic can no longer be read by someone who has merely recovered the WEP key. Keep in mind, though, that PPTP’s MS-CHAPv2 authentication and the MPPE keys derived from it are themselves considered broken; this setup raises the bar above plain WEP, but it is no substitute for WPA2 on devices that support it.
  • Unfortunately, you can’t use the “Automatically connect” feature for the VPN because of a bug in NetworkManager. You can get a script and place it in the dispatcher directory instead. For more information, see https://bugs.launchpad.net/ubuntu/+source/network-manager/+bug/280571

Protecting your network from WEP intruders

If somebody cracks the WEP key, the intruder shouldn’t be able to reach the Internet (or your WPA2 LAN) through the WEP network. So, go to “Administration” / “Commands” and enter:

echo "0" > /proc/sys/net/ipv4/conf/wl0.1/forwarding

Click on “Save Startup”, then reboot the router (or run the command once by hand). Note that this only stops the router from routing packets that arrive on wl0.1; the router’s own services on 192.168.2.1 (the web interface, SSH or telnet, DNS) remain reachable from the WEP network, so restrict those with firewall rules as well. The PPTP tunnel itself is not affected, because the VPN traffic is routed from the ppp interfaces, not from wl0.1.
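The following rules close that gap. They are an added example and not part of the original post: pasted into “Administration” / “Commands” and saved with “Save Firewall”, they allow only the two things the PPTP server needs from the WEP side (TCP port 1723 for the control connection and IP protocol 47, GRE, for the data channel, both addressed to the router) and drop everything else arriving on wl0.1. The interface name and address are the ones used above; the wep_in chain name and the apply_wep_firewall helper are my own.

```shell
#!/bin/sh
# DD-WRT firewall rules for the unbridged WEP interface (added example, not
# from the original post). Everything arriving on wl0.1 is dropped except the
# PPTP control connection (TCP 1723) and the PPTP data channel (GRE, protocol
# 47) addressed to the router itself.

WEP_IF="${WEP_IF:-wl0.1}"           # virtual interface carrying the WEP SSID
WEP_ADDR="${WEP_ADDR:-192.168.2.1}" # the router's address on that interface

# apply_wep_firewall CMD: run every rule through CMD, so the rule set can be
# previewed with "echo" before it is loaded with "iptables".
apply_wep_firewall() {
    ipt="$1"
    # Private chain for traffic from the WEP side. Flush it if it already
    # exists, so the script can be re-run without accumulating duplicates.
    "$ipt" -N wep_in 2>/dev/null || "$ipt" -F wep_in
    "$ipt" -A wep_in -d "$WEP_ADDR" -p tcp --dport 1723 -j ACCEPT  # PPTP control
    "$ipt" -A wep_in -d "$WEP_ADDR" -p 47 -j ACCEPT                # PPTP data (GRE)
    "$ipt" -A wep_in -j DROP                                       # nothing else
    # Hook the chain in front of DD-WRT's own INPUT rules, and refuse to route
    # anything that arrives on wl0.1 (the VPN's ppp interfaces are unaffected).
    "$ipt" -D INPUT -i "$WEP_IF" -j wep_in 2>/dev/null
    "$ipt" -I INPUT -i "$WEP_IF" -j wep_in
    "$ipt" -D FORWARD -i "$WEP_IF" -j DROP 2>/dev/null
    "$ipt" -I FORWARD -i "$WEP_IF" -j DROP
}

# Without an argument the rules are only printed. On the router, make the
# last line "apply_wep_firewall iptables" so that "Save Firewall" loads them.
apply_wep_firewall "${1:-echo}"
```

Run it once without arguments on any machine to review the exact iptables commands it would issue; the -D lines that precede each -I are expected to fail harmlessly on the first run and make the script safe to re-run.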

Privacy hint: Be aware of mailing lists

  • Never post to mailing lists under your real name unless you are sure that you explicitly WANT the messages to show up when someone googles you. Keep in mind that when you write something today, you may hold the opposite opinion in a few years, but the Google results in a few years may still show today’s message!
  • Don’t support mailing lists; use web-based forums whenever you can. These store messages in a database where you can delete a message with one command, and the messages aren’t distributed over many different archive servers. Web-based forums have other advantages, too (more usable, attachments, community features, you can log in from anywhere …).
  • If you absolutely have to use mailing lists, use a fake real name. Nobody will notice, and your postings can’t be attributed to you that easily.

Using ClamAV and SpamAssassin with Postfix (without Amavis)

Many people use AMaViS or amavisd-new to combine Postfix with ClamAV and SpamAssassin. However, Amavis takes huge amounts of CPU time and memory. It is also quite slow and difficult to configure, so a solution without Amavis would be interesting.

In this article, I will only discuss server-wide solutions without procmail, because procmail can’t be used with virtual domain mailboxes.

It’s possible to use a shell script that calls ClamAV and SpamAssassin as a Postfix content filter. Postfix treats exit status 0 as successful delivery, 75 (EX_TEMPFAIL) as “try again later” and other non-zero codes such as 69 as a bounce (see pipe(8)); the script below uses these codes to discard, defer or deliver:

/opt/mail-scanner

#!/bin/bash
# Postfix content filter: scans a message with ClamAV (clamdscan) and
# SpamAssassin (spamc), quarantines viruses and spam, re-injects the rest.
# Needs bash (arrays, function keyword), not plain sh.

EX_OK=0
EX_BOUNCE=69
EX_DEFER=75

SENDMAIL="/usr/sbin/sendmail -G -i"

SPAM_DIR=/home/mailscan/spam
VIRUS_DIR=/home/mailscan/viruses

function cleanup {
    for fname in "${tmpfile[@]}"
    do
        rm -f "$fname"
    done
}

trap cleanup EXIT TERM

# Two temporary files: [0] holds the original message, [1] the scanner output.
for ((i=0;i<2;i++))
do
    fname=$(mktemp -p /tmp mail-scanner.XXXXXXXX)
    if [ "$?" != 0 ]; then
        logger -s -p mail.warning -t scanner "Unable to create temporary file."
        exit $EX_DEFER
    fi
    tmpfile[$i]=$fname
done

# Postfix pipes the message to us on stdin
cat >"${tmpfile[0]}"

# check for viruses (clamdscan: 0 = clean, 1 = virus found, 2 = error)

clamdscan - <"${tmpfile[0]}" >"${tmpfile[1]}"
return="$?"
if [ "$return" = 1 ]; then
    virus=$(grep FOUND "${tmpfile[1]}")
    logger -p mail.info -t scanner "Message rejected by ClamAV: $virus"
    # move the original into the quarantine directory; defer rather than lose it if that fails
    quarantine=$(mktemp -p "$VIRUS_DIR" virus.XXXXXXXX) && mv "${tmpfile[0]}" "$quarantine" \
        || { logger -s -p mail.warning -t scanner "Unable to quarantine message in $VIRUS_DIR"; exit $EX_DEFER; }
    exit $EX_OK             # discard (exit without re-injecting)
elif [ "$return" != 0 ]; then
    logger -s -p mail.warning -t scanner "Temporary ClamAV failure (clamdscan returned $return)"
    exit $EX_DEFER
fi

# check for spam (spamc -E: exit 1 if spam, 0 if ham; -x: report errors
# instead of passing the message through unscanned)

spamc -E -x <"${tmpfile[0]}" >"${tmpfile[1]}"
return="$?"
if [ "$return" = 1 ]; then
    logger -p mail.info -t scanner "Message rejected by SpamAssassin"
    quarantine=$(mktemp -p "$SPAM_DIR" spam.XXXXXXXX) && mv "${tmpfile[0]}" "$quarantine" \
        || { logger -s -p mail.warning -t scanner "Unable to quarantine message in $SPAM_DIR"; exit $EX_DEFER; }
    exit $EX_OK             # discard (exit without re-injecting)
elif [ "$return" != 0 ]; then
    logger -s -p mail.warning -t scanner "Temporary SpamAssassin failure (spamc returned $return)"
    exit $EX_DEFER
fi

# deliver: re-inject the message (now carrying the X-Spam-* headers added by
# spamc); "$@" holds the "-f sender -- recipient" arguments from master.cf

$SENDMAIL "$@" <"${tmpfile[1]}"
exit $?

All you need is to copy this script to a location, let’s say /opt or /usr/local/bin, make it executable, create the mailscan user and the two quarantine directories (owned by that user), and then edit the master.cf file of your Postfix so that:

  • the smtp service hands every message to a content filter service (called “scanner” here, but you may use any name):
    smtp  inet  n  -  -  -  -  smtpd -o content_filter=scanner:dummy
  • the content filter service is defined (Postfix passes the envelope sender and recipient, which the script hands on to sendmail when it re-injects the message; messages re-injected this way do not pass through the filter again, because content_filter is only set on smtpd):
    scanner   unix  -       n       n       -       5       pipe
      flags=Rq user=mailscan argv=/opt/mail-scanner -f $sender -- $recipient
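Before pointing production mail at the filter, it pays to check that clamdscan and spamc really return the exit codes the script relies on (1 for a hit, 0 for clean, anything else for a failure). The smoke test below is an added example and not part of the original post: it builds constructed test messages, one carrying the EICAR antivirus test string and one carrying SpamAssassin’s GTUBE string, and feeds them to the same commands the script uses. The message builders and the expect_rc helper are mine; the real checks only run where clamdscan and spamc are installed and need a running clamd and spamd behind them.

```shell
#!/bin/sh
# Smoke test for the scanner's exit-code assumptions (added example, not from
# the original post). Builds a message containing the EICAR test string and one
# containing the SpamAssassin GTUBE string, then checks the exit codes.

# EICAR: every scanner reports this string as a "virus". Single quotes keep
# the $ and \ characters literal.
EICAR='X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'
# GTUBE: SpamAssassin scores this string high enough to classify it as spam.
GTUBE='XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X'

# Print a minimal RFC 822 message whose body is $1 (constructed test data).
test_message() {
    printf 'From: sender@example.com\nTo: recipient@example.com\nSubject: scanner smoke test\n\n%s\n' "$1"
}
eicar_message() { test_message "$EICAR"; }
gtube_message() { test_message "$GTUBE"; }
clean_message() { test_message "hello, just a test"; }

# expect_rc EXPECTED COMMAND...: run COMMAND (stdin already redirected by the
# caller), return 0 if it exits with EXPECTED and 1 otherwise, logging both.
expect_rc() {
    want=$1; shift
    "$@" >/dev/null 2>&1
    got=$?
    if [ "$got" -eq "$want" ]; then
        echo "ok   : $* -> $got"
        return 0
    fi
    echo "FAIL : $* -> $got (expected $want)"
    return 1
}

# Only run the real checks where the scanner clients are installed.
if command -v clamdscan >/dev/null 2>&1 && command -v spamc >/dev/null 2>&1; then
    status=0
    eicar_message | expect_rc 1 clamdscan -  || status=1   # virus must give 1
    clean_message | expect_rc 0 clamdscan -  || status=1   # clean mail gives 0
    gtube_message | expect_rc 1 spamc -E -x  || status=1   # spam must give 1 (needs -E)
    if [ "$status" -eq 0 ]; then
        echo "scanner exit codes match what the filter script expects"
    fi
fi
```

If the GTUBE check reports exit code 0, spamc was started without -E and the filter would deliver all spam with only an X-Spam header added; if clamdscan returns 2 for every message, clamd is not running or not reachable and every message would be deferred.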
