Linux - Wifi Configuration (Detailed)

This guide was tested with Dapper Drake, Feisty Fawn, Gutsy Gibbon, and Hardy Heron.

Since it appears that very few people take wireless security seriously, I'd like to come up with my first HOWTO and explain how I was able to configure a secure home network using WPA2, the latest encryption & authentication standard. There are also other types of configuration (WPA1, mixed mode, LEAP, PEAP, DHCP, etc.) shown in the appendix. Feedback is much appreciated.

Common stumbling blocks - Make sure that:

1. Ethernet cable is unplugged.
2. No firewall & configuration tool is running (e.g. Firestarter).
3. MAC filtering is disabled.
4. NetworkManager, Wifi-Radar & similar wireless configuration tools are disabled/turned off and not in use.
5. Some cards/drivers (e.g. Madwifi) do not support WPA2 (AES). Try WPA1 (TKIP) if WPA2 secured connections fail.
6. RTxxx (Ralink) drivers do not support this approach. Either install "ndiswrapper" replacing Serialmonkey's driver or visit this site.
7. Turn off "roaming" if you repeatedly fail to establish a connection.

My Requirements:
1. WPA2 / RSN
2. AES / CCMP
3. Hidden ESSID (no broadcast)
4. Static IP (because I use port forwarding & firewall, etc.)
5. Pre-shared key (no EAP)
If you want to know more about WPA / RSN & 802.11i security specification, I recommend this site.

Now let's get started:

0. Install "wpa-supplicant":

sudo apt-get install wpasupplicant

1. Verify that your network device ("wlan0"?) is working & your wireless network is detected:

iwconfig

iwlist scan

Your network device & wireless network should appear here.

2. Open "/etc/network/interfaces":

sudo gedit /etc/network/interfaces

The content should look similar to this:

auto lo
iface lo inet loopback
auto wlan0
iface wlan0 inet dhcp

3. Now replace the last 2 lines with the following using your own network settings (the sequence in which the lines appear is crucial):

auto wlan0
iface wlan0 inet static
address 192.168.168.40
gateway 192.168.168.230
dns-nameservers 192.168.168.230
netmask 255.255.255.0
wpa-driver wext
wpa-ssid <your_essid>
wpa-ap-scan 2
wpa-proto RSN
wpa-pairwise CCMP
wpa-group CCMP
wpa-key-mgmt WPA-PSK
wpa-psk <your_hex_key> [IMPORTANT: See "WPA-PSK key generation"]

• auto wlan0:
  Your network interface (e.g. wlan0, eth1, rausb0, ra0, etc.).
• iface wlan0 inet static:
  Self-explanatory... I am using a Static IP instead of DHCP. "iface wlan0" must correspond to your network interface (see above).
• address, netmask, [..], dns-nameservers:
  Also self-explanatory... Be aware that "broadcast" needs to end with ".255" for negotiation with the router. These lines need to be according to your own (static) network settings. For DHCP see further below.
• wpa-driver:
  That's the wpa-driver for your card ('wext' is a generic driver that is applicable when using "ndiswrapper"). Leave it as it is. Other drivers are:

hostap = Host AP driver (Intersil Prism2/2.5/3)
atmel = ATMEL AT76C5XXx (USB, PCMCIA)
wext = Linux wireless extensions (generic)
madwifi = Atheros
wired = wpa_supplicant wired Ethernet driver

• wpa-ssid:
  Your network's ESSID (no quotes "").
• wpa-ap-scan:
  "1" = Broadcast of ESSID.
  "2" = Hidden broadcast of ESSID.
• wpa-proto:
  "RSN" = WPA(2)
  "WPA" = WPA(1)
• wpa-pairwise & wpa-group:
  "CCMP" = AES cipher as part of WPA(2) standard.
  "TKIP" = TKIP cipher as part of WPA(1) standard.
• wpa-key-mgmt:
  "WPA-PSK" = Authentication via pre-shared key (see 'key generation' further below).
  "WPA-EAP" = Authentication via enterprise authentication server.

 

VERY IMPORTANT ("WPA PSK Key Generation"):
Now convert your WPA ASCII password using the following command:

wpa_passphrase <your_essid> <your_ascii_key>

Resulting in an output like...

network={
ssid="test"
#psk="12345678"
psk=fe727aa8b64ac9b3f54c72432da14faed933ea511ecab1 5bbc6c52e7522f709a
}

Copy the "hex_key" (next to "psk=...") and replace <your_hex_key> in the "interfaces" files with it. Then save the file and restart your network:

sudo /etc/init.d/networking restart

You should be connecting to your router now... However, I figured that a restart is sometimes necessary so that's what I usually do (I know this sounds a bit clumsy - see post #2 for startup script).

*** Revoking read-permission from ‘others' ***

sudo chmod o=-r /etc/network/interfaces

 

*** Revoking read-permission from 'others' ***
*** Sample configuration WPA2 & DHCP, ESSID broadcast enabled ***

auto wlan0
iface wlan0 inet dhcp
wpa-driver wext
wpa-ssid <your_essid>
wpa-ap-scan 1
wpa-proto RSN
wpa-pairwise CCMP
wpa-group CCMP
wpa-key-mgmt WPA-PSK
wpa-psk <your_hex_key> [IMPORTANT: See "WPA-PSK key generation"]

 

*** Sample configuration WPA2 & DHCP, ESSID broadcast enabled ***
*** Sample configuration WPA1 & DHCP, ESSID broadcast enabled ***

auto wlan0
iface wlan0 inet dhcp
wpa-driver wext
wpa-ssid <your_essid>
wpa-ap-scan 1
wpa-proto WPA
wpa-pairwise TKIP
wpa-group TKIP
wpa-key-mgmt WPA-PSK
wpa-psk <your_hex_key> [IMPORTANT: See "WPA-PSK key generation"]

 

*** Sample configuration WPA1 & DHCP, ESSID broadcast enabled ***
*** Sample configuration mixed mode (WPA1, WPA2) & DHCP, ESSID broadcast ***

auto wlan0
iface wlan0 inet dhcp
wpa-driver wext
wpa-ssid <your_essid>
wpa-ap-scan 1
wpa-proto WPA RSN
wpa-pairwise TKIP CCMP
wpa-group TKIP CCMP
wpa-key-mgmt WPA-PSK
wpa-psk <your_hex_key> [IMPORTANT: See "WPA-PSK key generation"]

 

*** Sample configuration mixed mode (WPA1, WPA2) & DHCP, ESSID broadcast*****
*** Sample conf. LEAP, WEP, DHCP, ESSID broadcast ***

auto wlan0
iface wlan0 inet dhcp
wpa-driver wext
wpa-ssid <your_essid>
wpa-ap-scan 1
wpa-eap LEAP
wpa-key-mgmt IEEE8021X
wpa-identity <your_user_name>
wpa-password <your_password>

 

*** Sample conf. LEAP, WEP, DHCP, ESSID broadcast ***
*** Sample conf. PEAP, AES, DHCP, ESSID broadcast ***

auto wlan0
iface wlan0 inet dhcp
wpa-driver wext
wpa-ssid <your_essid>
wpa-ap-scan 1
wpa-proto RSN
wpa-pairwise CCMP
wpa-group CCMP
wpa-eap PEAP
wpa-key-mgmt WPA-EAP
wpa-identity <your_identity>
wpa-password <your_password>

 

*** Sample conf. PEAP, AES, DHCP, ESSID broadcast ***
*** Sample conf. TTLS, WEP, DHCP, ESSID broadcast ***

auto wlan0
iface wlan0 inet dhcp
wpa-driver wext
wpa-ssid <your_essid>
wpa-ap-scan 1
wpa-eap TTLS
wpa-key-mgmt IEEE8021X
wpa-anonymous-identity <anonymous_identity>
wpa-identity <your_identity>
wpa-password <your_password>
wpa-phase2 auth=PAP [Also: CHAP, MSCHAP, MSCHAPV2]

 

*** Sample conf. TTLS, WEP, DHCP, ESSID broadcast ***
*** NOT TESTED: Sample conf. EAP-FAST, WPA1/WPA2, DHCP, ESSID broadcast ***

auto wlan0
iface wlan0 inet dhcp
wpa-driver wext
wpa-ssid <your_essid>
wpa-ap-scan 1
wpa-proto RSN WPA
wpa-pairwise CCMP TKIP
wpa-group CCMP TKIP
wpa-key-mgmt WPA-EAP
wpa-eap FAST
wpa-identity <your_user_name>
wpa-password <your_password>
wpa-phase1 fast_provisioning=1
wpa-pac-file /path/to/eap-pac-file

 

*** NOT TESTED: Sample conf. EAP-FAST, WPA1/WPA2, DHCP, ESSID broadcast ****
***Tested adapters***

1. Linksys WUSB54G V4 (ndiswrapper; wpa-driver = wext)
2. Intel IPW2200 (Linux driver; wpa-driver = wext)
3. Linksys WPC54G (ndiswrapper; wpa-driver = wext)
4. D-Link WNA-2330 (Linux driver; wpa-driver = madwifi)
5. Linksys WMP54G V2 (ndiswrapper; wpa-driver = wext)
6. D-Link WDA-2320 (Linux driver; wpa-driver = madwifi)
7. Netgear WPN311 (Linux driver; wpa-driver = wext)
8. Netgear WG511v2 (ndiswrapper; wpa-driver = wext)

 

*** Tested adapters ***
*** Post this if you are stumped ***

# route
# iwconfig
# sudo iwlist scan
# sudo lshw -C network
# sudo cat /etc/network/interfaces
# sudo ifdown -v <your_interface>
# sudo ifup -v <your_interface>

 

*** Post this if you are stumped ***
*** Other useful commands ***

# Ubuntu version & kernel >> uname -a
# Root file access >> alt F2 then 'gksudo nautilus' in cli
# Get IP Address or Renew >> sudo dhclient wlan0 [or whatever your wl adapter is]
# Get wireless info >> iwconfig
# Get AP info >> iwlist scan
# Get wireless info >> iwlist (lots of options will list)
# Routes if wlan0 working >> route
# DNS resolving via eth1 >> cat /etc/resolv.conf
# List devices/modules >> lspci, lsusb, lshw, lsmod
# Restart network >> sudo /etc/init.d/networking restart
# Boot messages >> dmesg
# Kill NWM >> sudo killall NetworkManager
# Events from your wl >> iwevent
# Restart all daemons >> sudo /etc/init.d/dbus restart
# Restart network >> sudo /etc/init.d/networking restart

 

Taken From:

• https://ubuntuforums.org/showthread.php?t=318539

Raspberry Pi – Media Server for Streaming (via DLNA)

 

Here I’m going to quickly show you how to set up you Raspberry Pi as a Media Server for Streaming via DLNA which is a protocol suported in many TVs, Windows PCs (Windows Media Player) and Android Devices (App: Media House).

## Install Mini DLNA ##
sudo apt-get update
sudo apt-get install minidlna

## Mount The Media Disk ##
sudo mkdir /media/HD1
sudo mount /dev/sda1 /media/HD1

## Create The MiniDLNA DB Folder ##
sudo mkdir -p /opt/minidlna
sudo chmod 777 /opt/minidlna

## Edit The MiniDLNA Config File ##
sudo nano /etc/minidlan.conf

minidlna.conf - My Config
------------------------------------
media_dir=V,/media/HD1/Movies
#root_container=B,/media/HD1
network_interface=eth0
inotify=yes
friendly_name=HomePi
db_dir=/opt/minidlna

sudo service minidlna force-reload
sudo service minidlna restart

minidlna.conf – My Config Detailed
-------------------------------------------------------
#################################################
# Path to the directory you want scanned
# for media files.
#
# This option can be specified more than
# once if you want multiple directories
# scanned.
#
# If you want to restrict a media_dir to
# a specific content type, you can prepend
# the directory name with a letter representing
# the type (A, P or V),followed by a comma, as so:
#   * "A" for audio    (eg. media_dir=A,/media/HD1/music)
#   * "P" for pictures (eg. media_dir=P,/media/HD1/pictures)
#   * "V" for video    (eg. media_dir=V,/media/HD1/videos)
#   * "PV" for pictures and video
#  (eg. media_dir=PV,/media/HD1/digital_camera)
#################################################
media_dir=V,/media/HD1/Movies
NOTE: Use media_dir or root_container

#################################################
# Use a different container as the root
# of the directory tree presented to
# clients.
#
# The possible values are:
#   * "." - standard container
#   * "B" - "Browse Directory"
#   * "M" - "Music"
#   * "P" - "Pictures"
#   * "V" - "Video"
#   * Or, you can specify the ObjectID
#     of your desired root container
#     (eg. 1$F for Music/Playlists)
#
# If you specify "B" and the client
# device is audio-only then "Music/Folders"
# will be used as root.
###########################################
#root_container=B,/media/HD1

#################################################
# Network interface(s) to bind to
#(e.g. eth0), comma delimited.
#
# This option can be specified more than once.
#################################################
network_interface=eth0

#################################################
# Automatic discovery of new files
# in the media_dir directory.
#################################################
inotify=yes

#################################################
# Name that the DLNA server presents to clients.
# Defaults to "hostname: username".
#################################################
friendly_name=HomePi

#################################################
# Path to the directory that should
# hold the database and album art cache
#################################################
db_dir=/opt/minidlna
 
 
Now from you TV or other media device, like Android (use MediaHouse) you can stream
or download you media, with no config required on the clients, because these automatically
detect the DLNA server on the LAN.

Related Links

• http://thenewstack.io/building-a-media-server-with-a-raspberry-pi-for-streaming-music-to-a-galaxy-s5/
• http://raspisimon.dlinkddns.com/dlna.php
   
   

GRUB - Rescue BootLoader on a USB Flash Drive

My goal is to just have a GRUB bootloader (without a Linux instalation) on a USB Flash Drive to:

• Boot OS with Bootloaders without entering the BIOS
• Boot OS with Broken Boot Loaders
• Boot Linux Live CDs

 

Installing the GRUB Boot Loader

Run a live CD like Ubuntu, a boot i without installing it.

First list your disks in order to identify you USB Flash Drive

    sudo fdisk -l

if you have trouble identifying you USB Flash Drive just run the command above without the USB Flash Drive, the insert it and list again, compare the outputs, and the extra disk is you USB Flash Drive.

My USB Flash Drive is “sdb1” (b=second HD | 1=first partition), now let’s make a folder to mount the usb flash drive (my Flash Drive was formated with the ext4 filesystem), and mount it:

    sudo mkdir /mnt/USB
    sudo mount /dev/sdb1 /mnt/USB

Now let’s just install the the bootloader

    sudo grub-install --force --removable --boot-directory=/mnt/USB/boot /dev/sdb

boot code goes on /dev/sdb and grub files on /mnt/USB/boot.

 

Set Up the Grub Configuration FIle

Now just create/edit the grub config file

    nano /mnt/USB/boot/grub/grub.cfg

and input the following configuration:

grub.cfg
_____________________________________________

set timeout=10
set default=0

menuentry "#### Boot OS with Bootloaders without entering the BIOS ####" {set root=(hd1)}

menuentry "HD0 (First HD – This USB Flash Drive)" {
set root=(hd0)
chainloader +1
}

menuentry "HD1 (Second HD)" {
set root=(hd1)
chainloader +1
}

menuentry "HD2 (Third HD)" {
set root=(hd2)
chainloader +1
}

menuentry "HD3 (Fourth HD)" {
set root=(hd3)
chainloader +1
}

 

menuentry "#### Boot OS with Broken Boot Loaders ####" {set root=(hd1)}

menuentry "Ubuntu 16.04 (HD1 - First HD)"  {

    insmod part_msdos
    insmod ext2
    set root=(hd1,msdos1)

    echo 'Loading Linux Kernel...'
    linux /boot/vmlinuz-4.4.0-24-generic root=/dev/sda1
       
    echo 'Loading Initial Ramdisk ...'
    initrd /boot/initrd.img-4.4.0-24-generic
    boot
}

menuentry "Windows XP/7/10 (HD1 - First HD)"  {

    insmod part_msdos
    insmod ntfs
    set root=(hd1,msdos1)

    drivemap -s (hd0) ${root}
    chainloader +1
}

 

menuentry "#### Boot Linux Live CDs ####" {set root=(hd1)}
   
menuentry "Ubuntu 16.04 ISO (On This USB PEN Drive)" {

    set isofile="/ubuntu-16.04-desktop-amd64.iso"
    loopback loop (hd0,msdos1)$isofile
    linux (loop)/casper/vmlinuz.efi boot=casper iso-scan/filename=$isofile noprompt noeject
    initrd (loop)/casper/initrd.lz
}

This is what it looks like:

You migth need to adjust some things if you have more disks, partitions or diferent linux distro. To make it easyer I have put the things you migth need to change in bold.

The above config was for the following setup

• One USB Flash Drive (with Grub Installed)
  • hd0,msdos1 - First HD | First Partition – MBR Geometry
  • This is was my USB Flash Drive
• One Hard Drive for OS
  • hd1,msdos1 – Second HD | First Partition – MBR Geometry
  • This is the Disk with the OS

If you have trouble Identifying you disks and partion you can press ‘c’, on the grub menu, to get the GRUB command line and run “ls” :

this was very hepfull, specially identifying the the name for the MBR partitions aka “msdos” .

Related Links

• http://www.pendrivelinux.com/install-grub2-on-usb-from-ubuntu-linux/
• https://www.gnu.org/software/grub/manual/html_node/Chain_002dloading.html
• http://ubuntuhandbook.org/index.php/2014/04/install-grub-customizer-ubuntu-1404/

Windows – SSH SOCKS Proxy

If you have a Raspberry Pi or any Linux machine at home, you can use it as an SSH Proxy with the help of SSH and exit to the Internet via you home conection/IP.

Some of the advantages are:

• Privacy (SSH Traffic is Encrypted)
• Bypassing Local Security Policies (Access Blocked Services)

no aditional configuration needed on the SSH server

You only need to forward port 22 on your internet router to the linux host on your LAN (no aditional configuration needed on youre Linux SSH server).

Now that you have port 22 forwarded to you Linux in you home Lan, from somewhere on the Internet setup an Dynamic SSH Tunnel on Putty like show bellow (replace the 98.125.80.38  with your own Public IP):

The tunnel will remain working as long this Putty windows is open:

Now on your Browser (or any other aplication that supports it) you must configure the Socks Proxy to point to the local end of the Dynamic SSH Tunnel, and that’s it.

Now all your browser’s traffic will be sent to the local port 8080 wich SSH wil tunnel it to you home where it will exit via you linux machine.

Here I show how to set up the Socks Proxy on IE (Internet Explorer).

Tools > Internet Options > Connections > LAN Settings > Proxy Server > Advanced

You can go on your browser to:

• http://whatismyipaddress.com/

to confirm see Public IP and confirm from wich connection you entering the internet