[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [suse-security] Securing internet access from a WiFi network via login



Hi,

> I am wondering if anyone can help me, I am trying to setup a small
> limited-use wireless network (web/ftp/email only) and I am trying to
> find the best way to limit unauthorized access to the Internet from
> the wireless network.

> WEP is not an option - I do not want to have to change any settings
> on a client and I want more than WEP can offer.

I use WEP in addition to other methods of limiting the access. An easy and
quite effective method of preventing unauthorized clients is to limit the
MAC adresses of your clients. My access point allows this configuration
andf the only thing I need is a list of MAC adresses of my clients.
However if you want to offer a hotspot, this is not what you need.
>
> What I would like to know is; is it possible to set up a proxy server
> for web/ftp/email using SuSE 8.1 Pro (or higher) that could also issue
> (expiring) usernames/passwords for many temporary users and force them
> to login before allowing them access to the Internet?
>
> Or, to put it in less words, I need:
>   - A way to keep people off the Internet unless they are allowed.
>   - A way to stop users from accessing services other than
>     http/ftp/imap/pop/smtp.
>   - A way to block certain sites.
>   - An "easy" way to create temporary usernames/passwords for Internet
>     access and to expire them.

I am supporting my old school in the network area, this is what we use there:

I use SuSEfirewall without masquerading to block all trafic to the
internet and redirect http requests to port 8080 on the firewall. On that
we run a dansguardian for content filtering. Dansguardian redirects to
squid on the firewall.

With squid I use mysql_auth (a slightly modified version which runs with
mysql 4.x and allows some more options) as authentication program. The
users can sign up on a webpage for access to internet/personal mail/samba.
The signup creates a database entry (still inactive) and a form to
printout sign (legal stuff). When the teacher receives the paper, he then
activates the account and from that point on, the student can access the
web through the proxy (and his personal mail/samba folder etc.).

>
> So, if anyone has ANY information that could help, even if it's just
> to "RTFM for xyz software and go away", I would greatly appreciate it.

If you want my version of mysql_auth, a squid config and or the
web/intranet stuff, you can contact me at white(at)ott-service[dot]de.
Ofc, this is work in progress so it is not yet published anywhere else.

cya
Jörn

-- 
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@xxxxxxxx
Security-related bug reports go to security@xxxxxxx, not here