En los últimos días me he ido preguntando si la crisis pasa factura a la tecnología, todos sabemos que cuestiones como garantizar recursos a servidores, escalabilidad, etc conllevaban a un desembolso económico por el cual, se duplicaban memorias, se aumentaban mhz, casi siempre de manera exponencial (en base 2, 4, hasta donde llegara el dinero).. esto ha ocurrido así en un 90% (y puede que me quede corto) de las veces pero… ¿y el otro 10%?  El otro 10%, una minoría, comprende al grupo que antes de escalar una máquina, bien por sentido común o bien por ahorro, prefieren revisar el código, algoritmos, etc para buscar cualquier malgasto de recursos, subsanarlo y ganar así en eficiencia y seguir funcionando con su hardware.

En tiempos como los de ahora, dónde los presupuestos económicos no van a entender de conceptos como balanceador de carga, switch, catalysts o incluso de memoria RAM, el porcentaje de revisiones en el código de aplicaciones, procesos batch, etc va a ser mucho mayor que antes, se van a eliminar consultas SQL mal construidas que hacen gastar recursos innecesarios en los servidores, se van a revisar algoritmos de programas, fórmulas de cálculo, etc, etc… pero, ¿van a estar las empresas preparadas para efectuar estas revisiones? Teniendo en cuenta que la solución, hasta ahora, era realmente sencilla y que escalando el hardware se conseguía que cualquier ineficiencia del software fuera subsanada.. me temo que no van a estar preparadas y probablemente grandes empresas como fabricantes de ERP, BI, CRM o Antivirus verán como sus clientes les exigen medidas como revisiones de las aplicaciones o versiones más "lite" de los clients, etc.. Es posible que las consultoras tecnológicas puedan ver filón en esto, de hecho.. en que no lo ven?.. sin embargo, deberían hilar muy fino el presupuesto que den ya que pueden cogerse los dedos facilmente dando un presupuesto superior a la operación de ampliar memoria o balancear la carga..

Un buen principio para reducir recursos que consumen altos porcentajes de CPU  puede ser comenzar a revisar todos los procesos batches que se lanzan periodicamente o aquellas extracciones de datos que dependan de procesos como llamadas desde aplicaciones, etc.

Otro dato en el que habrá curiosidad será el conocer si el uso de aplicaciones de software libre ha aumentado desde que se inicio la crisis, por Junio 2009 podrá compararse y valorarse realemente, si bien muchas aplicaciones de código abierto son patrocinadas por empresas que dan dinero para que salgan adelante y habrá que ver cómo se mantienen una vez las empresas ya han comenzado a cerrar estos grifos.

¿Nos agudizará el ingenio la crisis? Dada la falta de escalabilidad, ¿nos pondremos las pilas en revisar procesos y código? Lo iremos viendo..

Hoy comienza la andadura de este blog por godaddy, aún tengo que darle unos ajustes pero por lo general ya funciona bien, tengo revisar algunas funcionalidades como el ajax de los comentarios, que aunque funcionen bien, dan un error al lanzar el comentario y detalles así. Godaddy utiliza phpmyadmin como gestor de la base de datos MySQL, lo cual ha sido muy de mi agrado dado que es el gestor que siempre he utilizado, gracias a ello la importación y exportación de la base de datos ha sido realmente sencilla.

Sobre los ficheros del blog (wordpress), unicamente he tenido que editar el fichero de configuración wp-config.php para indicar los nuevos datos de la base de datos, aquí hay que tener en cuenta que el host de la base de datos cambia, ya no es "localhost" si no otro servidor.

De esta forma tengo mi blog en internet por unos 40 EUR al año (dominio incluido) que es mas o menos lo que me cuesta un mes de conexión de ONO, con la diferencia que a partir de dentro de poco voy a poder apagar el servidor, (y hacerle un monumento! uptime ahora mismo = 289 días)

Resumiendo para migrar wordpress a godaddy he hecho lo siguiente

1- Crear la base de datos desde el panel de control de godaddy. Podéis ver más detalles aquí

2- Export desde phpmyadmin de mi servidor de la base de datos.

3- Import desde phpmyadmin de godaddy

4- Subir todo el directorio wordpress a la cuenta de godaddy

5- Configurar el fichero wp-config.php con los datos de la nueva base de datos.

Las utilidades son varias, desde un pequeño o simbólico servidor web a una herramienta para obtener claves wep de redes colindantes. En este caso, nuestro objetivo será transformar la fonera en un dispositivo para capturar y crackear la clave wep de algún punto de acceso cercano guardando la información generada en un directorio de un equipo con windows o linux de nuestra red….

El primer paso es actualizar el firmware de la fonera al kamikaze, esto se puede hacer siguiendo el manual presentado en fonera.info  Nota: os recomiendo que consulteis la web www.fonera.info, está muy bien y contiene buenos manuales.

 Montar directorio remoto en openwrt

Como podeis imaginar la capacidad de espacio en disco de nuestra fonera es limitada, por lo que al guardar paquetes .cap del airodump para despues obtener la clave con el aircrack es una limitación por lo que una buena opción es montar una carpeta compartida o por NFS un disco de nuestro portatil, servidor, etc. Yo lo tengo configurado tanto que windows como en linux.

Para windows: En nuestro windows creamos y/o compartimos un directorio al cual accederá nuestra fonera, en este caso sería el directorio wep creado en c:\wep

En la fonera tendremos que instalar el módulo cifs, en el siguiente enlace de fonera.info se comenta en su foro el modo de hacerlo. Basicamente tendremos que bajarnos estos paquetes:

Añadir esta linea en el /etc/ipkg.conf

src fonera http://www.fonera.info/files/ipkg/kamikaze-2.6

Tras ello, hacer un update e instalar los siguientes paquetes:

ipkg update
ipkg install kmod-fs-cifs
ipkg install kmod-nls-base
ipkg install kmod-nls-koi8r

Si encontrais algún problema, podeis visitar la página del foro de la fonera.

Si todo va bien, haciendo un lsmod veremos que aparece el módulo:

root@OpenWrt:~# lsmod | grep cifs
cifs 248416 0
nls_base 4416 2
cifs,nls_koi8_r

Ahora ya podemos montar el directorio compartido en nuestra fonera de la siguiente forma:
mount //192.168.0.2/wep /mnt -o username=user,password=pass donde username y password es el usuario y contraseña que usamos para acceder a windows (sesión).

Para Linux: Lo he montado a través de NFS, para ello haremos lo siguiente:
En la fonera:
ipkg update
ipkg install kmod-fs-nfs
En nuestro servidor o estación linux tendremos que tener instalados los paquetes nfs-common, nfs-user-server y portmap, a continuación os pongo como se instalaría en debian o ubuntu:
apt-get install nfs-common
apt-get install nfs-user-server
apt-get install portmap

Una vez instalados, recordar abrir en el firewall de la estación o servidor una regla para permitir que la fonera (ej. 192.168.0.10) pueda conectarse a vuestro servidor (ej. 192.168.0.2) Además, habilitareis a la fonera en el exports, editando el fichero /etc/exports con la siguiente línea:

/home/fonera 192.168.0.10(rw,no_root_squash)

Ahora  montaremos el directorio /home/fonera en /mnt :
mount 192.168.0.2:/home/fonera /mnt -t nfs -o nolock 

Nota: nolock es la opción que nos permite montar el directorio exportado sin la necesidad de tener complejo software adicional en el WRT. Básicamente la funcionalidad que se pierde es la de poder bloquear archivos. Por tanto es conveniente recordar esto y no realizar tareas sobre el directorio montado que impliquen bloqueos.

Fuentes:
Montevideolibre
Fonera.info

Conversor.sh is a script programmed to convert pictures and images. Normally, digital cameras’ pictures can take lot of MB in every image, this script uses the convert program from the imagemagick packet and can reduce the space in more than 90%. Basically, the user will be able to change the picture dimensions, rotate the picture, change the picture quality, convert it into monochrome, etc, etc.

Conversor.sh can be downloaded from here


#!/bin/bash

if test -e /usr/bin/convert
then
echo ························································
echo ·
echo · Introduce the folder where your images are.
echo ·; read folder
if test -e $folder
then
echo ·
echo · Creating auxiliary folder in $folder
echo ·
mkdir $folder/aux >& /dev/null
echo · Auxiliary folder in $folder/aux
echo ·
echo · Which kind of file would you like to convert "(jpg, png...)"
echo ·; read extension
echo ·
echo · Press 0 to exit
echo · Pulsa 1 to change quality
echo · Pulsa 2 to change dimensions W*H
echo · Pulsa 3 to add a comment on each image.
echo · Pulsa 4 to transform images White and Black
echo · Pulsa 5 to rotate the image "(Grades)"
echo ·; read answer
if test "$answer" = "0"
then exit
else
if test "$answer" = "1"
then action="-quality"
echo · Insert the quality grade you want to apply
echo ·; read subaction
else
if test "$answer" = "2"
then action="-size"
echo · Insert the dimesions eg.: 300x400
echo ·; read subaction
else
if test "$answer" = "3"
then action="-comment"
echo · Insert the comment you would like to add
echo ·; read subaction
else
if test "$answer" = "4"
then action="-monochrome"
echo · This process will take a some seconds.
echo ·; subaction=""
else
if test "$answer" = "5"
then action="-rotate"
echo · Introduce the rotation grades you would like to apply Eg.: 90
echo ·; read subaction
fi
fi
fi
fi
fi
fi
cd $folder
for i in *.$extension;
do convert $action $subaction $folder/$i $folder/aux/$i
echo · Conversing image $i
done
echo ·
echo · Conversed images are allocated on $folder/aux
else
echo
echo $folder not found on the system
echo
fi
else
echo
echo Imagemagick not installed on the system
echo
fi

The goal of this work is to give the maximum connectivity under minimum resources. Using a small box with only one pci slot, the objective is to create a Wireless Access Point under a Linux server using only opensource software.

Hardware

The Hardware used for this purpose is as basic and simple as possible:

* Servicebox:

Motherboard: VIA TechVIA Technologies, Inc.

Processor: VIA Samuel 2 800 Mhz.

Ram: 367 SDRam.

Hard Disc: Seagate 40 GB.

Back up disc: 250 MB Memory Card.

Ethernet: VIA Technologies, Inc. VT6102 [Rhine-II].

* Conceptronic c54i pci Wireless Ethernet.

Software

The Software specifications are the following:

Operating System: Debian GNU/Linux (Sarge).

The way of installing packages under Debian and its proved stability makes this distribution a very good option for accomplish this goal.

Debian uses the Linux kernel (the core of an operating system), but most of the basic OS tools come from the GNU Project; hence the name GNU/Linux.

Using the apt-get or dpkg tool, a user can install thousands of precompiled packages listed on official or unofficial list.

Linux Kernel: 2.4.27

Is necessary adapt our kernel to the hardware requirements. Like for example tunneling optiones with tun.o

Other:

Wireless ethernet driver: Madwifi – MADWiFi is short for Multiband Atheros Driver for WiFi and provides a Linux kernel driver for Atheros-based Wireless LAN devices. The driver works such that your WLAN card will appear as normal network interface in the system (ath0) and gives the possibility to perfom the Wlan card in master mode.

Chillispot: ChilliSpot is an open source Wireless LAN access point controller. ChilliSpot is a captive portal which authenticates users of a wireless LAN. It supports web based login which is today’s standard for public HotSpots, Authentication, authorization and accounting (AAA) is handled by a radius server.

Radius server: Freeradius – The FreeRADIUS server is being used all over the world in large scale installations comprising multiple radius servers with thousands of users and millions of sessions.

Database: Mysql is used for storing the user/passwords and other fields from the radius server.

Database management: PhpMyAdmin is used for controlling (adding, deleting, modifying, etc) the user/passwords parameters from the database.

Madwifi Project driver

We need to use this driver because for building the AccessPoint, the master mode is required.

First of all, we must be sure our Wireless Lan Card has the Atheros chipset and can work under the madwifi driver, so after plugin it we should do a lspci to find out this information:

12:35 [EW_AP~]# lspci

0000:00:00.0 Host bridge: VIA Technologies, Inc. VT8601 [Apollo ProMedia] (rev 05)

0000:00:01.0 PCI bridge: VIA Technologies, Inc. VT8601 [Apollo ProMedia AGP]

0000:00:11.0 ISA bridge: VIA Technologies, Inc. VT8231 [PCI-to-ISA Bridge] (rev 10)

0000:00:11.1 IDE interface: VIA Technologies, Inc. VT82C586A/B/VT82C686/A/B/VT823x/A/C PIPC Bus Master IDE (rev 06)

0000:00:11.2 USB Controller: VIA Technologies, Inc. VT82xxUHCI USB 1.1 Controller (rev 1e)

0000:00:11.4 Bridge: VIA Technologies, Inc. VT8235 ACPI (rev 10)

0000:00:12.0 Ethernet controller: VIA Technologies, Inc. VT6102 [Rhine-II] (rev 51)

0000:00:14.0 Ethernet controller: Atheros Communications, Inc. AR5212 802.11abg NIC (rev 01)

0000:01:00.0 VGA compatible controller: Trident Microsystems CyberBlade/i1 (rev 6a)

There are currently 3 generations of Atheros 802.11 wireless devices:

5210 supports 11a only

5211 supports both 11a and 11b

5212 supports 11a, 11b, and 11g

Our Atheros chipset model is AR5212, this card uses the 5212+2112 Chipset (and operates in b/g modes) and since the8/11/2003 version, this PCI card seems to be working at least in 802.11b, both in ad-hoc and master mode.

Nowadays Madwifi driver is not included in the Kernel series, so its compilation and building is required in order to run it into the system, the documentantion and for downloading the madwifi, user can access in the project webpage: madwifi.sourceforge.net

The driver functions as a normal network device and uses the Wireless Extensions API. As such normal Linux tools can and should be used with it.

There is only one driver included here; it supports miniPCI and Cardbus devices. The driver can be built as a module or linked into the kernel.

The driver depends on two other modules: wlan.o and ath_hal.o.

Downloading the driver

The current version of MADWiFi can be retrieved from CVS with the following command:

cvs -z3 -d:pserver:anonymous@cvs.sourceforge.net:/cvsroot/madwifi co madwifi

Previously its possible that we need to install the CVS package, we can do it easily throught the apt-get tool:

apt-get install cvs

Building the driver

To build the driver at the top level you may need to edit Makefile.inc to set the pathname to your Linux kernel distribution. By default this path is obtained automatically.

If you are cross-compiling the driver for a different platform define the CC, LD, and STRIP macros appropriately. For example:

#CC= /export/tools/bin/mips-linux-gcc

#LD= /export/tools/bin/mips-linux-ld

#STRIP= /export/tools/bin/mips-linux-strip

Once you’ve got Makefile.inc configured appropriately, do:

make

This will generate three important files:

Linux 2.4

driver/ath_pci.o (driver for PCI/Cardbus devices),

ath_hal/ath_hal.o (Atheros HAL), and

wlan/wlan.o (802.11 support layer)

Using the driver

These files can be loaded with insmod or modprobe; e.g.

Linux 2.4

insmod wlan/wlan.o

insmod ath_hal/ath_hal.o

insmod driver/ath_pci.o

We should include this file in the /etc/modules file if we want them to be loaded since the starting of the system.

So we edit the /etc/modules file and add:

ath_pci

We check if modules are working with an ls of the modules:

13:31 [EW_AP~]# lsmod

Module Size Used by Tainted: P

bnep 9012 1 (autoclean)

rfcomm 27776 0 (autoclean)

l2cap 14508 3 (autoclean) [bnep rfcomm]

hci_usb 6172 1

bluez 27652 3 [bnep rfcomm l2cap hci_usb]

via82cxxx_audio 18808 0 (unused)

soundcore 3460 2 [via82cxxx_audio]

ac97_codec 12012 0 [via82cxxx_audio]

ftdi_sio 19160 0 (unused)

usbserial 19324 0 [ftdi_sio]

usb-uhci 20972 0 (unused)

usbcore 62464 1 [hci_usb ftdi_sio usbserial usb-uhci]

hostap 84456 0 (unused)

ath_pci 28448 1

wlan 40744 1 [ath_pci]

ath_hal 108208 1 [ath_pci]

via-rhine 11600 1

mii 2304 0 [via-rhine]

crc32 2848 0 [bnep via-rhine]

So our new device interface is ath0, and we can see how kernel log has recognize it:

13:42 [EW_AP~]# cat /var/log/kern.log.0 | grep ath0

Apr 11 18:09:17 EW_AP kernel: ath0: 11g rates: 1Mbps 2Mbps 5.5Mbps 11Mbps 6Mbps 9Mbps 12Mbps 18Mbps 24Mbps 36Mbps 48Mbps 54Mbps

Apr 11 18:09:17 EW_AP kernel: ath0: 802.11 address: 00:0d:88:56:0b:a2

Apr 11 18:09:17 EW_AP kernel: ath0: Atheros 5212: mem=0xe3000000, irq=11

Management uses the normal Linux tools such as ifconfig and the recient wireless-tools package, very useful to interactuate with the card, for installing these tools we need to perform:

apt-get install wireless-tools

iwconfig is the star program inside the wireless-tools package, here we are some iwconfig options:

13:44 [EW_AP~]# iwconfig –help

Usage: iwconfig interface [essid {NN|on|off}]

[nwid {NN|on|off}]

[mode {managed|ad-hoc|...}

[freq N.NNNN[k|M|G]]

[channel N]

[ap {N|off|auto}]

[sens N]

[nick N]

[rate {N|auto|fixed}]

[rts {N|auto|fixed|off}]

[frag {N|auto|fixed|off}]

[enc {NNNN-NNNN|off}]

[power {period N|timeout N}]

13:29 [EW_AP~]# iwconfig

ath0 IEEE 802.11g ESSID:”NordicAP” Nickname:”WareAP”

Mode:Master Frequency:2.457 GHz Access Point: 00:0D:88:56:0B:A2

Bit Rate:0 kb/s Tx-Power:off Sensitivity=0/3

Retry:off RTS thr:off Fragment thr:off

Encryption key:off

Power Management:off

Link Quality=0/94 Signal level=-95 dBm Noise level=-95 dBm

Rx invalid nwid:0 Rx invalid crypt:0 Rx invalid frag:0

Tx excessive retries:0 Invalid misc:0 Missed beacon:0

13:29 [EW_AP~]# ifconfig ath0

ath0 Link encap:Ethernet HWaddr 00:0D:88:56:0B:A2

UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1

RX packets:82504 errors:296765 dropped:0 overruns:0 frame:95134

TX packets:1021 errors:0 dropped:0 overruns:0 carrier:0

collisions:0 txqueuelen:199

RX bytes:3267369 (3.1 MiB) TX bytes:65344 (63.8 KiB)

Interrupt:11 Memory:d00a2000-d00b2000

We are going to insert a valid IP configuration for this device, on the /etc/network/interfaces, something like:

auto ath0

iface ath0 inet static

_..address 1.0.0.1

_..netmask 255.255.255.0

_..network 1.0.0.0

_..broadcast 1.0.0.255

_..wireless_essid NordicAP

_..wireless_mode master

_..wireless_channel 10

Chillispot

Chillispot is a tool destinated to give a Wifi service through the authetification in a webpage using https protocol with a user/password controlled by a Radius server and protect itself from the non-authentificated connections. For all this, Chillispot creates one new virtual interface device, tun0 where all this traffic will pass and will be filtered.

Chillispot supports two authentication methods:

*

Universal Access Method (UAM)
*

Wireless Protected Access (WPA)

At this time we will use the UAM method in the Wireless Access Point. With UAM the wireless client requests an IP address, and is allocated a an IP address by Chilli. When the user starts a web browser chilli will capture the tcp connection and redirect to browser to an authentication web server. The web server queries the user for his username and password. The password is encrypted and sent back to chilli.Then chilli forwards the authentication request to a radius server. The radius server sends an access-accept message back to chilli if authentication was successful. Otherwise an access-reject is sent back.

An authentication web server is needed in order to authenticate users using the universal access method.

The communication interface to the web server is implemented using only the HTTP protocol. No “call backs” from the web server to chilli is needed in order to authenticate the client. This means that the HotSpot can be placed behind a NAT gateway, proxy or firewall, while the web server is located on the public Internet.

A cgi script for your web server which will query the user for his username and password. Once this information has been entered by the user the encrypted password is sent back to chilli which forwards the request to the radius server. We should use SSL/TLS on the web server in order to protect the username and passwords, we will use, of course, Apache-SSL.

So, basically, Chillispot is composed by a cgi script “hotspotlogin.cgi” and a daemon “chilli”.

The Chillispot used in the moment of writing this document is 0.96-1

17:37 [EW_AP~]# dpkg -l chillispot

Name Version Description

===================================================================

===================================================================

chillispot 0.96-1 ChilliSpot is a Wireless LAN Access Point Controller.

Preparing the Software

Before downloading and installing Chillispot, we need to install some tools in order to have the “best conditions” for making it works.

*

Iptables: Iptables is a building block of a framework inside the Linux 2.4.x and 2.6.x kernel. This framework enables packet filtering, network address [and port] translation (NA[P]T) and other packet mangling.Iptables is a generic table structure for the definition of rulesets. Each rule within an IP table consists of a number of classifiers (iptables matches) and one connected action (iptables target).

For installing we will type:

apt-get install iptables

*

Apache-ssl: Will be our secure webserver that will protect the process of inserting the user and password, for that ssl module will encrypt the user and password in order to avoid any undesired trying of getting this kind of information.

For installing we will type this time:

apt-get install apache-ssl

*

Mysql: Will be the database for storing the users and password and rest of data.

For installing we will type:

apt-get install mysql-server
apt-get install mysql-client

*

Freeradius: Will be the Radius Server which will support the user/password service. The package was included recently in the Sarge version of Debian GNU/Linux.

For installing we will type now:

apt-get install freeradius
apt-get install freeradius-mysql

*

Module TUN/TAP: We will use the tun.o from our Kernel in order to provides a virtual point-to-point network interfaces so the IP packets written to the /dev/tun0 character device will be received by the kernel from the tun0 interface.

TUN/TAP should be included in our Kernel, if not it will be necessary to recompile it.

[*] Network device support

< *> Universal TUN/TAP device driver support

Debian will not create any “tun” virtual device automatically so we will need to type the following in our system:

mkdir /dev/net
mknod /dev/net/tun c 10 200
modprobe tun

Now we should make sure if the following line:
alias char-major-10-200 tun
is included in our /etc/modules.conf file. If not, then we should add it.

For finishing TUN configuration we will type the following in our shell:

echo “alias char-major-10-200 tun” >> /etc/modutils/chillispot
update-modules

Installing the Chillispot package

Still while writing this document, chillispot deb package is not included in the official respository source.list of the Debian Operating System, we could find it under any unofficial respository but in this time we will install it downloading the package manually and using the dpkg tool.

For downloading the Chillispot, we will go to the official website of the project, located at: www.chillispot.org where we will visit: chillispot.org/download.html and will download directly the debian binary package (.deb).

Once we download the package (chillispot_0.96-1_i386.deb in this case) we will use dpkg tool to install it:

dpkg -i chillispot_0.96-1_i386.deb

That will install the chillispot package in our system and leave directories/files at:

/usr/share/doc/chillispot/firewall.iptables –> Firewall rules.

/usr/share/doc/chillispot/hotspotlogin.cgi.gz –> cgi script (index for webserver)

/etc/chilli.conf –> configuration file

/etc/init.d/chilli –> daemon

Now we will configurate the cgi script,

cp /usr/share/doc/chillispot/hotspotlogin.cgi.gz /usr/lib/cgi-bin/
cd /usr/lib/cgi-bin
gunzip hotspotlogin.cgi.gz
chmod a+x hotspotlogin.cgi

On the resultant hotspotlogin.cgi we will uncomment the following line:

$uamsecret = “secretchilli”;

Now we will configure the chilli daemon, configuration file is located at /etc/chilli.conf, we will change some parameters:

net 5.0.0.0/24 ::: The IP of our Wireless LAN will be of this private 5.0.0.0 IP range.

dns1 194.47.0.30 ::: Or any other DNS server, this is from Högskolan Halmstad (Sweden) .

radiuslisten 127.0.0.1 ::: Our server will be where the radius server will be as well.
radiusserver1 127.0.0.1
radiusserver2 127.0.0.1

radiussecret secretradius ::: Same key as in cgi script.

radiusnasid NordicAP ::: Name of our Access Point

radiuslocationid isocc=es,cc=34,ac=46020,network=N_AP ::: Detailed information about the WAP

radiuslocationname PNM,Valencia

dhcpif ath0 ::: Over which ethernet will the Chilli serve the IP described on “net” parameter above.

uamserver https://5.0.0.1/cgi-bin/hotspotlogin.cgi ::: web server handling auth.

uamsecret secretchilli ::: Shared between chilli and authentication web server.

uamlisten 5.0.0.1 ::: IP address to listen to for auth. request.

uamallowed www.carlosguerra.com ::: Allow browsing without first authentication.

Iptables rules configuration of the firewall

Its time now to configure some iptables rules for our firewall, first we should copy the file chilli.iptables on the /etc/ folder:

cp /usr/share/doc/chillispot/firewall.iptables /etc/chilli.iptables
chmod u+x /etc/chilli.iptables

Inside the file /etc/chilli.iptables, we need to modify the EXTIF and INTIF parameters.

EXTIF=”eth0″ ::: Provides us the LAN and Internet connection.

INTIF=”ath0″ ::: Device where EXTIF is propagated, that is, the Access Point.

The rest of file is composed by iptables rules about allowing, denying and filtering the traffic and ports from the tunnel with the devices, etc.

But of course, we should verify in the /etc/network/options configuration file that ip_forward variable is set to yes, if not we must change it:

ip_forward=yes

Freeradius configuration

We installed the freeradius server before with the apt-get instruction, now that chilli daemon is already set up, we have to modify some parameters in the freeradius configuration.

First of all, we have to change the shared key we modify in the /etc/chilli.conf, so we should modify the “secret” parameter inside /etc/freeradius/clients.conf

secret = secretradius

Now Let’s add the following lines on the /etc/chilli.iptables in order to have access to certains ports when the authentication is not validated still:

# SSH
$IPTABLES -A INPUT -i tun0 -p tcp -m tcp –dport 22 –syn -j ACCEPT
# imap over SSL
$IPTABLES -A INPUT -i tun0 -p tcp -m tcp –dport 993 –syn -j ACCEPT

We have to create the database where the information required from the radius server will be allocated, as this document is not for learning mysql commands, we will create the database very fast and entering commands from the shell directly.

For create the mysql database we will type the following in our shell prompt:

echo “create database radius;” | mysql -u root -p

echo “grant all on radius.* to radius@’%’ identified by ‘password_sql’; flush privileges;” | mysql -u root -p

zcat /usr/share/doc/freeradius/examples/db_mysql.sql.tgz | mysql -u root -p radius

Note: where in -p, we should put our root password for the mysql-server

We should configurate the sql.conf from the freeradius in order to tell the freeradius that it should find out the user/password information in a database.

The file to modify is /etc/freeradius/sql.conf

sql {
driver = “rlm_sql_mysql”
server = “localhost”
login = “radius”
password = “password_sql”
radius_db = “radius”
[...]
}

No we need to determine that the database type is mysql in the /etc/freeradius/radiusd.conf file:

$INCLUDE ${confdir}/sql.conf
authorize {
[...]
sql
[...]
}
accounting {
[...]
sql
[...]
}

The access point configuration is finished, let’s restart the daemons and services with the restart command:

/etc/init.d/mysql restart

/etc/init.d/apache-ssl restart

/etc/init.d/chilli restart

/etc/init.d/freeradius restart

/etc/chilli.iptables

For ending this document, we will explain how to create, erase, modify users on the radius database:

We access to the database through web browsing the phpmyadmin we have installed previously, for that we type at the web browser the local IP address of the server and slash phpmyadmin, for example: http://11.0.0.54/phpmyadmin

Once we have validate our user and password, we should explore the radiusact table, on this table is where the user information is, we need now to add a new line and fill the form with the new user and password, also is posible to delete and edit this kind of data.

Carlos Guerra Alberti

mapache@carlosguerra.com