Keywords: LDAP, Kerberos, proxy, captive portal, RADIUS
Introductions:
Hello once again. As you may have noticed, we have covered a lot of service applications so far, so I think it is time to turn our attention to security and networking. Why? Simply because we do not only want a system that is robust enough for demanding applications; our goal is to secure it with centralized access control. This time we will discuss how to build a system that keeps intruders and hackers away from our network and protects its confidentiality. That cannot be done without digging into how to anticipate those intruders and the malicious access that would put our system in peril. Beyond that, we also need to monitor activity (logging) on a 24/7 basis, so that we can analyze and determine whether everything is working smoothly and nobody is crashing our system; that is our assurance.
One thing that follows is researching appropriate software (free, if possible) that covers all our needs and requirements. If you recall, we previously tried several free applications found on the net: pfSense, IPCop, Drupal with ChilliHotspot and, lastly, WifiAdmin. They performed as well as they promised, yet we needed all of this in one package, and Zeroshell has it all.
Zeroshell is a small Linux distribution for servers and embedded systems that aims to provide network services. As its name implies, its administration relies on a web-based graphical interface; there is no need to use a shell to administer and configure it. Zeroshell is available as Live CD and CompactFlash images, and as VMware virtual machines. Zeroshell is not based on an existing distribution in the way that, for example, Knoppix is based on Debian. The author compiled all the software that makes up the distribution from the source code in tar.gz or tar.bz2 packages. The GNU gcc compiler and glibc were compiled too and went through the so-called bootstrap phase, in which they recompiled themselves several times. This was necessary to optimize the compiler and to remove every dependency on the glibc of the system on which the first compilation took place. Some of the initialization scripts, as well as the guidelines followed by the author, are those of Linux From Scratch. For a list of the software used, see the project's documentation.
What we aim to do with this free software is to port it to an embedded PC, deploy it rack-mounted in our data center, run quality testing of its gateway and router functions and, lastly, test all of its features rigorously.
Best features of Zeroshell:
Captive portal
Radius
Firewall
Router/Bridge/Gateway
MRTG
LDAP
X509 certificates
QoS
Load Balancing
NAT
Requirements:
Phase I
PC (P4 or higher): Zeroshell server
PC (Windows): software loader/imager
Image burner software
Zeroshell (Linux)
Hard disk (SATA/IDE/USB or CF card)
Phase II
Embedded PC (Soekris Net501)
Methodology:
Download software (Windows and Linux)
Linux:
Download and install
root@localhost# wget
root@localhost#
Windows:
Set up the hardware
Connect the Zeroshell HDD as slave
Open physdiskwrite
Drag the image onto it and save
Detail (1): Download the accessory files required for the Zeroshell installation.
Detail (2): Physdiskwrite GUI as another option (in Russian?)
Detail (1): Double-check which drive you are writing to, to avoid damaging your working drive by accident (otherwise you have only yourself to blame).
Detail (2): physdiskwrite.exe -u ZeroShell-1.0.beta14-CompactFlash-IDE-USB-SATA-1GB.img
Detail (3): Choosing the second drive; your working HDD is the one marked.
Detail (4): After the image bytes are written, "Finish".
Detail (4): A glance at a working prototype: the Zeroshell gateway
Detail (5): Web administration login
Detail (5): Zeroshell menu setup
Detail (6): Zeroshell configuration menu
Detail (7): Assigning WAN/LAN IP addresses
Detail (7): Issuing X.509 SSL credentials/certificates
Detail (8): Network IP addressing notes
Detail (): Multi Router Traffic Grapher (MRTG)
Detail (): Captive portal login
Remarks:
Hints:
Please take note of the following when setting up a wireless connection with Zeroshell:
Here are our cases:
Case I:
1) We do not have the preferred Atheros wireless card, so we will use the available Wi-Fi access point instead.
2) We want Zeroshell to run a captive portal for our wireless clients before granting them Internet access.
(-) In doing so, our Zeroshell acts as a router/gateway.
1) Zeroshell: 192.168.0.1 (internal IP address), acting as the router.
2) Disable the DHCP server of the Wi-Fi access point (WRT54G) and give it an IP address within the Zeroshell subnet. The WRT54G address must be in the subnet range served by Zeroshell, which now acts as the DHCP server.
Example:
192.168.0.1/24 (Zeroshell)
IP address range:
192.168.0.2 to 192.168.0.255
3) WRT54G: 192.168.0.2, now acting as a client.
4) Connect the Zeroshell [192.168.0.1] Ethernet port to a WRT54G LAN port, not to its WAN port! (It usually has 4 LAN ports.)
5) Wi-Fi clients (PCs or laptops) should now be able to access the Internet.
5.1) Refresh the Wi-Fi network icon.
5.2) Connect to the WRT54G SSID.
5.3) You should see the captive portal login (as shown above).
5.4) Then bingo, you are redirected to the WWW. :)
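To sanity-check an addressing plan like the one in Case I before touching the access point, here is an added Python example (not part of the original post and not Zeroshell code) that works out the usable host range of the Zeroshell subnet and a DHCP pool that avoids both the gateway and the access point's static address. The subnet and AP address are the post's values; everything else is constructed. Note that the Python ipaddress module excludes the network and broadcast addresses (.0 and .255) from the host range, so the last address a client can actually receive on a /24 is .254, and a static AP address outside the subnet is reported instead of silently accepted.

```python
import ipaddress

# Constructed values following the post's Case I layout (assumptions, not taken from
# a Zeroshell box): Zeroshell is router and DHCP server, the Linksys access point has
# its own DHCP server disabled and keeps a static address in the same subnet.
ZEROSHELL_CIDR = "192.168.0.1/24"   # Zeroshell LAN address with prefix length
AP_STATIC_IP = "192.168.0.2"        # static address given to the access point


def plan_lan(gateway_cidr, static_hosts):
    """Return the usable host range and a DHCP pool that skips static addresses.

    gateway_cidr: router address with prefix, e.g. "192.168.0.1/24".
    static_hosts: addresses that the DHCP server must never hand out.
    Raises ValueError when a static address lies outside the subnet or is the
    broadcast address, the misconfigurations that leave the AP unreachable.
    """
    iface = ipaddress.ip_interface(gateway_cidr)
    net, gateway = iface.network, iface.ip
    hosts = list(net.hosts())  # .hosts() excludes network and broadcast addresses
    reserved = {gateway} | {ipaddress.ip_address(h) for h in static_hosts}
    for addr in reserved:
        if addr not in net:
            raise ValueError(f"{addr} is not inside {net}")
        if addr == net.broadcast_address:
            raise ValueError(f"{addr} is the broadcast address of {net}")
    # The pool is whatever is left; with the reserved addresses at the low end
    # (as in the post) it is one contiguous range from pool[0] to pool[-1].
    pool = [h for h in hosts if h not in reserved]
    return {
        "network": str(net),
        "gateway": str(gateway),
        "first_usable": str(hosts[0]),
        "last_usable": str(hosts[-1]),
        "broadcast": str(net.broadcast_address),
        "dhcp_pool_start": str(pool[0]),
        "dhcp_pool_end": str(pool[-1]),
        "dhcp_pool_size": len(pool),
    }


if __name__ == "__main__":
    for key, value in plan_lan(ZEROSHELL_CIDR, [AP_STATIC_IP]).items():
        print(f"{key:16} {value}")
```

Running it prints a pool of 192.168.0.3 to 192.168.0.254; feeding it an AP address such as 192.168.1.2 (a different subnet) or 192.168.0.255 raises an error, which is the check worth doing before reconnecting the access point.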
Case II:
1) We want clients to connect directly to our network, admitted first by Zeroshell.
2) The main router/gateway hands out IP addresses to our clients.
(-) In doing so we need to configure Zeroshell in bridge mode.
Case III:
1) We want Zeroshell to perform the authentication against an external LDAP server.
http://www.zeroshell.net/eng/qos/#Add-QoS-Class
(-) To do so, we need to configure the FreeRADIUS server built into Zeroshell to use the LDAP backend instead; this is done by editing the FreeRADIUS configuration file, radiusd.conf.
http://www.ibm.com/developerworks/library/l-radius/
III.1) Zeroshell uses FreeRADIUS, which supports proxying and LDAP integration. Find radiusd.conf and edit it with vi or emacs; uncomment the LDAP statements as necessary:
ldap {
    server = "FQDN or IP address of your LDAP server"
    identity = "cn=?,o=?,c=?"    # bind DN used to log in to LDAP (rlm_ldap calls this identity, not login)
    password = "ldap password"
    basedn = "ou=?,dc=?,dc=?"
}
III.2) To make it work, look for any other sections referring to ldap and uncomment them. Edit your dictionary.conf and make sure a VALUE for LDAP is present; if not, add it or uncomment it.
III.3) Look for users.conf and add the DEFAULT entry:
DEFAULT Auth-Type := LDAP
        Fall-Through = 1
Note:
For LDAP authentication to work, the LDAP server must be ready to serve requests. Restart the FreeRADIUS service, and Zeroshell should then check credentials against the LDAP server.
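As an added example (not from the post, from Zeroshell or from FreeRADIUS itself), the Python below parses the two fragments edited in Case III, the ldap { ... } section of radiusd.conf and the DEFAULT entry of the users file, and reports the mistakes that most often stop LDAP authentication from working: settings left at placeholder values, a missing bind DN, the login keyword used in place of the rlm_ldap identity directive, and a mistyped := operator in the users file. The sample fragments, host names and DNs are constructed; the parser handles flat key = value sections only.

```python
import re

# Constructed sample fragments in radiusd.conf / users syntax (assumptions, not copied
# from a Zeroshell box). The DNs and host name are placeholders.
RADIUSD_LDAP_BLOCK = """
ldap {
    server = "ldap.example.internal"
    identity = "cn=radius,ou=services,dc=example,dc=internal"
    password = "change-me"
    basedn = "ou=people,dc=example,dc=internal"
}
"""

USERS_DEFAULT_ENTRY = """
DEFAULT Auth-Type := LDAP
        Fall-Through = 1
"""

# Directives the post's walkthrough fills in for the rlm_ldap module.
REQUIRED_LDAP_KEYS = ("server", "identity", "password", "basedn")


def parse_ldap_block(text):
    """Extract key = value pairs from the first flat 'ldap { ... }' section.

    Trailing '#' comments are dropped, so a password containing '#' would need
    quoting handled beyond this simple splitter; nested sub-sections (tls { })
    are not supported.
    """
    match = re.search(r"ldap\s*\{(.*?)\}", text, re.S)
    if not match:
        raise ValueError("no ldap { ... } section found")
    settings = {}
    for line in match.group(1).splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, _, value = line.partition("=")  # split on the first '=' only: DNs contain '='
        settings[key.strip()] = value.strip().strip('"')
    return settings


def check_ldap_block(settings):
    """Return a list of problems; an empty list means the section looks usable."""
    problems = []
    for key in REQUIRED_LDAP_KEYS:
        if key not in settings:
            problems.append(f"missing '{key}'")
        elif not settings[key] or "?" in settings[key]:
            problems.append(f"'{key}' still holds a placeholder value")
    if "login" in settings:
        problems.append("'login' is not an rlm_ldap directive; the bind DN goes in 'identity'")
    return problems


def check_users_default(text):
    """Check that the DEFAULT entry forces Auth-Type with ':=' and falls through."""
    problems = []
    if re.search(r"Auth-Type\s*=:", text):
        problems.append("operator '=:' is invalid; the users file expects ':='")
    if not re.search(r"^DEFAULT\s+Auth-Type\s*:=\s*LDAP", text, re.M):
        problems.append("no 'DEFAULT Auth-Type := LDAP' entry")
    if not re.search(r"Fall-Through\s*=\s*(1|yes)", text, re.I):
        problems.append("DEFAULT entry does not set Fall-Through")
    return problems


if __name__ == "__main__":
    settings = parse_ldap_block(RADIUSD_LDAP_BLOCK)
    print("ldap section :", check_ldap_block(settings) or "ok")
    print("users DEFAULT:", check_users_default(USERS_DEFAULT_ENTRY) or "ok")
```

Point the two functions at your own radiusd.conf and users file contents before restarting the service; an empty list from both checks does not prove the LDAP server will answer, but it rules out the syntax slips that otherwise only surface in the FreeRADIUS debug output.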
Conclusions:
So far I consider Zeroshell a promising Linux software package: a complete embedded web security portal.
ZeroShell is by far the best open source wifi manager solution we have used. We have been using it in our environment for over 2 years now, providing guest wireless access as well as VPN services for internal users and have recently implemented dual internet fail-over to allow for a seamless wifi experience.
We initially had difficulty getting it to browse until we understood fully how the NATing feature of the system works.
The system works flawlessly and can be considered to be a "Set it - Forget it" type solution.
Looking to employ the QoS and Radius features of ZeroShell in the near future and would recommend you try this solution at either the business or the home end.