
How to Secure Your Network With Tomato April 30, 2009

Posted by tasthius in Uncategorized.

This post was first written by me for the overclock.net message forum.  I have since transferred it here since I opened this blog.

This is going to be a tutorial to show you how to secure your network using the Tomato firmware. This is not a comprehensive tutorial on every aspect of Tomato, but rather focuses on security.

This tutorial is going to assume that you have a router that can be flashed with the Tomato firmware. If you are not sure whether your router supports it, then you can check here.

In my opinion, Tomato is simpler, yet as fully functional as DD-WRT, while being more lightweight. Like DD-WRT, it runs a Linux kernel (which means it is really just a very small Linux distro). I am going to assume that you know how to flash the router with the firmware. If you don’t, then go here. Once flashed, you should be able to login to your router by entering http://192.168.1.1 or whatever address your router used before.

Here is a screenshot of the introduction screen:

For brevity, I am not going to discuss the “Status,” “Bandwidth,” or “Tools” menus, as they are self-explanatory and not related to security. But you might want to go through them to make sure everything looks to be recognized properly.

I will start with the “Basic” menu. Click on it, and then on “Network.” Under WAN/Internet, the settings are self-explanatory. You will probably want to use DHCP and keep the MTU at default. Under LAN, you can change the router’s IP address, but I see little point in doing so.

Now for the first security tip: next to “IP Address Range,” only allow as many IP addresses to be assigned as there are machines on the subnet. If you are using Tomato for, say, one wired machine and one wireless machine, then set the allowable IP addresses to something like

Code:
192.168.1.100 - 192.168.1.101

This will only allow 2 machines to be active at once on the network. The router will not allow any more IPs to be assigned. See the example below:

Now, move down to the “Wireless” section (still under Basic –> Network). Obviously you will only enable this if you have a need for wireless. If you do need it, then click “enable.” If you don’t need it, be sure to uncheck the box. Now, for “Wireless Mode” select Access Point. For “B/G mode” it is recommended to leave it on “Mixed,” but I prefer to keep it on “G Only” because my wireless adapter supports G (as most do). Under SSID, set it to whatever name you want to be broadcast. Under that you can check whether you want it to be broadcast at all (I recommend letting it broadcast). Next, under “Channel” just select a channel that no neighbors are on.

Now, for the important part. The “Security” setting is going to depend on what your wireless adapter can handle (look in the instruction manual or Google if you don’t know). If your adapter can handle WPA2, then you should definitely use that (select WPA2 Personal). If not, then use WPA Personal. If you are stuck with an ancient adapter that can only handle WEP, then enable that (though WEP sucks and is easy to crack). Now, for “Encryption” select AES. AES is pretty much the standard in strong encryption today and has been approved by the NSA for TOP SECRET data. It will not be broken in our lifetimes (but if it is broken it will be big news and everyone can switch).

Here is perhaps the most important part of wireless security: selecting a strong key. Here is a nice function of Tomato: next to “Shared Key” hit the “random” button. This will automatically generate a pseudo-random pass-key that is 60 characters in length. To brute-force a passphrase of this size would take longer than the age of the universe even if using every computer on earth (see the post in my sig for more detail).

You may ask, how will I remember this? You don’t have to. Simply write the key down (or print it) and transfer it to your wireless PC. Most adapters will store the key so you don’t have to enter it each time. What I did was e-mail the key to myself, then opened the email on my wireless PC and cut and pasted it. This way, I didn’t have to enter it manually. I am not worried about my e-mail being “intercepted,” but if you are, then encrypt your email or simply enter the pass key manually.

Once done with this, be sure to click SAVE.

Here is what my “Wireless” screen looks like:

Now, moving on. Click on Basic —> Static DHCP. You don’t have to do this, but I prefer both of my PCs to always have a static IP address. Simply enter your computer’s MAC address, then enter the IP address you want it to always have (it has to be an address within the range you specified under “IP Address Range”). Then enter the hostname for the PC and click add. Do this for however many PCs you have. Save when done.

Now, click on Basic —> Wireless Filter. Click on “Permit Only the Following Clients.” Here you ONLY want to allow however many wireless PCs you have. So, if you only have 1 PC connecting wirelessly, then enter its MAC address and its “Description” (for this I entered the hostname). This will enable MAC filtering, which is not all that great of security by itself, but is a smart thing to do to stop casual intruders. Now, click save and let’s move along.

Click on Advanced —> Firewall. The firewall in Tomato is always enabled, but let’s check it to make sure. If you want every inbound packet blocked, then uncheck “Respond to ICMP Ping.” I have all of the three options unchecked. As for NAT Loopback, I have it set to “Forward Only,” which is probably desirable for most people. NOTE: If you are a Linux guru and are familiar with iptables rules, you can write your own custom firewall rules, though I see little reason to do so for a home network, as everything is already blocked on the inbound side by default.

Now click on Advanced —> Wireless. Most of these settings have nothing to do with security, so I will skip them. The one that is important for our purposes is the “Maximum Clients” option. Here you want to set this to however many wireless PCs you will have connecting to the router. In my case, I only have one, so I set it to “1.” This will make it so that as long as your wireless adapter is actively connected, no other wireless client can be connected at the same time.

Now, let’s move down to Administration —> Admin Access. At this screen, the first option is “Local Access”. I prefer to change it to HTTPS, and put the port on 443. Now, here’s the important part — if you will NOT be connecting to your router from a remote location, then be sure to set “Remote Access” to DISABLED. Below this option is an option to “Allow Wireless Access.” What this does is allow someone connected wirelessly to administrate the router. I prefer to leave this UNCHECKED. If I want to administrate the router, I will simply do it from my main wired box.

Now, for perhaps the most important security option of all: Under “SSH Daemon” you have the option to allow ssh connections or turn it off completely. The main reason you might want SSH is if you want to open a shell within your router for advanced configuration. If you have no need for this, then turn it OFF. If you choose to turn it off, then ignore the next couple of paragraphs. (Be sure to click Save when done).

If you DO want ssh access to the router, then click “Enable at Startup.” Now, the biggest decision here is whether you want to be able to access SSH from the outside. If you do NOT need to access the router from outside the network, then be sure to UNCHECK “Remote Access.” If you do want to access it remotely, then check the “Remote Access” box and change the Port to something other than 22 (port 22 is scanned constantly on the Internet).

Here is another big security enhancement. Uncheck the box “Allow Password Login.” What, you say? Do not allow a password login? That’s right, uncheck that box. Instead of using a password, you want to use a DSA or an RSA key. You will have to generate this key outside of Tomato. How to do this depends on what OS you are using. For Windows, click here. Once you have generated the key, cut and paste the public key into the “Authorized Key” box in Tomato. (For Linux, simply install ssh, and then run from the terminal “ssh-keygen -t rsa” — then navigate to /home/username/.ssh/id_rsa.pub. Open id_rsa.pub and cut and paste the key into the “Authorized Keys” box in Tomato. You can also create a DSA key instead of RSA and even change the key length).

Once you get the keys set up, then you simply open a terminal and type “ssh root@name_of_your_router”. That’s it; it will not prompt you for a password because you are now using an SSH key.
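As an added example (not part of the original post), here is a small Python check for the line you paste into the “Authorized Key” box: it verifies that the line is a well-formed OpenSSH public key of one of the two types the post mentions (RSA or DSA) and catches the common mistake of pasting the private key file instead of id_rsa.pub. The sample key line is constructed inside the code and is not a usable key.

```python
import base64
import struct


def _ssh_string(data):
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(n):
    """SSH mpint for a positive integer (extra leading zero byte if the top bit is set)."""
    return _ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


def make_sample_pubkey_line(comment="user@laptop"):
    """Constructed, structurally valid ssh-rsa line. The modulus is a placeholder,
    so this is NOT a usable key, only test input for the validator below."""
    e, n = 65537, (1 << 2047) | 0x10001
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " " + comment


def validate_authorized_key(line):
    """Return (ok, reason) for one line destined for Tomato's 'Authorized Key' box.

    A valid line is '<type> <base64 blob> [comment]' where the blob's first
    length-prefixed field repeats the declared type. RSA and DSA are the two
    key types the post mentions."""
    if "PRIVATE KEY" in line:
        return False, "this is a private key; paste id_rsa.pub, not id_rsa"
    parts = line.strip().split()
    if len(parts) < 2:
        return False, "expected '<type> <base64> [comment]'"
    key_type, b64 = parts[0], parts[1]
    if key_type not in ("ssh-rsa", "ssh-dss"):
        return False, "unsupported key type %r" % key_type
    try:
        blob = base64.b64decode(b64, validate=True)
    except ValueError:  # binascii.Error is a ValueError: bad alphabet or padding
        return False, "blob is not valid base64 (truncated or mangled paste?)"
    if len(blob) < 4:
        return False, "blob too short"
    (tlen,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + tlen] != key_type.encode():
        return False, "blob type field does not match the declared type"
    return True, "ok"
```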

Now, still on the same screen, look at “Remote Web/SSH Admin Restriction.” If you plan to administer your router from the outside, then next to “Allowed IP Address” enter the IP address that you want to be allowed to connect (for more than one, separate them by commas). All IP addresses not listed will automatically be blacklisted.

Here’s how I have mine set up. I have it set so that SSH is ONLY allowed locally. If you need it remotely, again, follow the directions above.

Under “Telnet Daemon,” I recommend EVERYONE turn this OFF.

Under “Password” set your administrator password. Make it something strong, but also something you can remember.

Now click Save. You will probably also want to reboot the router.

That’s it. This tutorial should provide more than adequate security for a wireless network, making your network far more trouble to crack than it’s worth.


Rip and Encode a DVD With K9Copy in a Few Easy Steps April 29, 2009

Posted by tasthius in Uncategorized.

With the current advanced state of Linux software and its “newb friendliness,” there is no need to keep a Windows partition around for doing multimedia tasks.  In this tutorial I will demonstrate how to rip and encode a DVD using an excellent tool called K9Copy.

If you don’t have K9Copy installed, simply search your distro’s package manager and install it.  If you are on Gnome it will probably pull in a lot of KDE dependencies, as K9Copy was created with the Qt (KDE) framework.  You will also want to make sure that libdvdcss is installed.  Many distros do not include this package in the official repositories for legal reasons, so you might have to enable extra repos.

Once you have it installed, all you have to do is insert the DVD you wish to copy into your drive.  Once that’s done, you will want to open the K9Copy “Wizard.”

Wizard dialog in KDE

You can use the other K9Copy option for more advanced configurations, but the wizard is all that is needed and all I use to make backups of my DVD collection.

The first thing the wizard does is ask you for the source.  Like so:

K9Copy Opening Dialog

K9Copy will automatically detect the DVD and show the source without the user having to select anything (it shows my DVD as being in a folder, which is odd but works nonetheless).  I have noticed that if I select “DVD drive” that it doesn’t work, thus the default folder option should be fine in most instances.

Now hit next and it will ask where you want to output the copy to.

Select where to output the file

I selected my “Videos” folder on my home partition.  You can output it wherever you choose.  Now, hit next.

Next up is the main menu where you select which titles you want to keep and which you want to omit.  Since I usually burn my backups to regular DVD 5, I must omit unnecessary trailers, director comments, etc.  If you use dual-layer DVDs you can simply hit next here.

Select the titles you don't need

This title selection will be trial and error.  Luckily K9Copy provides a preview box so you can watch and see what each title is.  I usually omit all trailers, director’s comments, etc.  The only thing I leave is the main title (usually around 4GB or larger) and the small (less than 1MB) titles.  I recommend you leave the small titles alone as I have noticed that if I omit them the DVD will hang in my player.  They don’t take up much space, so it won’t hurt to leave them.  Once done, hit next.

The next screen is the audio selection:

select the audio tracks you want to keep

You will want to do the same thing in this section as the last.  If you don’t need the foreign language tracks, then remove them.  Otherwise they will take up precious space.  On this DVD, I removed the French language track.  You can also remove the “director’s comments” track.  Once you have removed what you don’t need, then go to each title and select what track you want to be the default for the title in question (click on the boxes to the right of the screen).  Be sure to only select one track per title as the default!  Now, click next.

The next page simply asks whether you want to keep the original menus.  I like to keep the menus.

Select whether you want the original menus

Make your selection and click next.

The last screen simply shows you how much compression each title will have.  In most cases you don’t have to do anything but click “Finish.”

Click Finish unless you want to configure the compression

The “settings” at the bottom of the screen provide more options but that is outside the scope of this tutorial and should usually not have to be used.  I never use it and just click finish here.

That’s it.  K9Copy will begin ripping and encoding and it will output the files into the folder you specified.  On my dual core Athlon, it takes about 10-15 minutes.  When it’s done you can open your favorite burning software (I use K3b) and copy the files from the “video_ts” folder into the burning software.  You will find the “video_ts” folder inside the folder that you specified for the output files to be stored.