Prepare your target; if using locally attached removeable storage

Unplug your usb drive or removealbe storage device and boot the system from a linux removeable media. I suggest TRK get to a shell and type ls /dev/sd* make a note of what is there as your internal sata drives. Then plug in the removable storage and type the command again. What has changed, that is your removable media. For example, the first time you typed ls /dev/sd* you may have seen the output of
sda sda1 sda2 sdb sdb1
And the second time, after plugging in the usb drive you would see
sda sda1 sda2 sdb sdb1 sdc sdc1 sdc1 is your first partition on that drive. That will be what you type in the mount command below.

Most likely it is an ntfs partitioned drive. You can verify that by fdisk -l and while fdisk -l is open, figure out what your source drive is. Most likely it is sda or hda.


mkdir /mnt/backupmedia -p
mount -t ntfs-3g /dev/sdwhateveritis /mnt/backupmedia


you can verify the mounted target with

ls /mnt/backupmedia

You should see the contents of your removable media.

Prepare your target; if using remote samba/windows share

Get the windows share servers IP address and arm yourself with login credentials with write access to the share.

mkdir /mnt/backupmedia -p
mount -t smbfs //IPAddress/ShareName /mnt/backupmedia

you can verify the mounted target with an

ls /mnt/backupmedia


To backup…

dd if=/dev/hda conv=sync,noerror bs=64K | gzip -c > /mnt/backupmedia/myharddrive.img.gz


to restore…
Note; If you have the wrong /dev/hd or /dev/sd in the folllowing command then you will destroy whatever you target with this command. Be very very very certain you get the correct /dev/hd or /dev/sd. If you don’t feel comfortable, dont’ do it.

gunzip -c /mnt/backupmedia/myharddrive.img.gz | dd of=/dev/hda conv=sync,noerror bs=64K

Note: you can only restore to a hard drive of equal or greater size than the original hard drive. Not the img size.

There are several tutorials out there for installation of webmin on ubuntu. In a nut shell…

sudo apt-get install –y libnet-ssleay-perl libauthen-pam-perl libio-pty-perl perl5 libnet-ssleay-perl
cd /usr/local/src
sudo wget http://prdownloads.sourceforge.net/webadmin/webmin_1.530_all.deb
sudo dpkg -i webmin_1.530_all.deb


Routing

Webmin will set up our routing for us. Goto Webmin -> Network -> Network Interfaces. Routing and Gateways Icon.

Default Router tick “None (or from DHCP)” more than likely your ISP is dhcp. Be certain eth0 is the interface specified.

Webmin -> Network -> Network Interfaces. Routing and Gateways Icon. Active configuration tab.

Verify that interfaces entered above are present and that the default route looks right and is assigned to the correct interface. Notice that the destination networks are associated with the correct interface. And that there is only one default gateway. I suppose one could have more than one default gateway, but we aren’t covering that in this tutorial.

Test: Perform a connectivity test by plugging a device into an interface (with a mini switch) and assigning it a static IP in that range. (because we haven’t configured dhcp yet) In the example obove, using eth2 I plugged in a device and gave it the IP of 192.168.3.19 and the gateway 192.168.3.1. Then ping the gateway. Try pinging other IPs. Because we haven’t configured our firewall, we are only going to sweat if our gateway ping fails.

Webmin modifies the /etc/network/interfaces file. But it may not set it up exactly like you’ll need. My interfaces file was missing a valid gateway entry. That is why we just edited the interfaces file manually. Besides, it is quicker to copy and past then it is to point and click for each interface.

Webmin Linux Firewall

Webmin -> Networking -> Linux Firewall and initialize the firewall. Go ahead and choose allow/accept as the the default setting. I didn’t get any screen shots or notes on this step. It is pretty strait forward. But, before you start configuring your, get on your console and type
sudo cp /etc/iptables.up.rules /etc/iptables.up.rules.original

and should you screw something up you can go back to a clean slate by typing

sudo mv /etc/iptables.up.rules.original /etc/iptables.up.rules
sudo shutdown now –r


Back into webmin, setting up the rules is kind of figure it out as you go along. Click the Add Rule button and poke around. Just don’t hit thie Apply Configuration Button until you get it set the way you want it. There are lots of good configuration tutorials on the internet. But don’t sweat it, I’m going to cover what you need to get this router firewall filter with WAP up and running.

Hint: The Iptables read from top to bottom. So each packet that comes in gets compared to the first rule, then the second and so on until it gets accepted, or gets dropped. And the last line should always be a drop all. So a desired packet or connection needs to meet an accept rule someplace above a drop rule.

Hint: If you get a set up that you like, and want to save your work and keep editing you can go back to your console and type
sudo cp /etc/iptables.up.rules /etc/iptables.up.rules.bk.X
where X is the version number. That way you can easily restore to a particular version with a

sudo mv /etc/iptables.up.rules.X /etc/iptables.up.rules && sudo shutdown now –r


Webmin Linux Firewall – INPUT

Notice it says “addressed to this host” this is connections attempted to the machine we are currently configuring. Not data that is being routed or passed through or destined for another system. If the first 2 lines are missing then you just got locked out of your box using webmin and ssh. And then you’ll be sitting at the console and doing the mv command as explained above. The last line is the security line that says basically, if no other conditions are met, then drop this packet. Also set the “default action” to drop by adjusting the drop down box and then clicking the button. I don’t know why there are 2 methods of assigning a default action, but lets cover all bases and do both.

Webmin Linux Firewall – FORWARD

This is the section that allows the packets to move through the host. (this may not be needed with masq section. Need to test)

Again, configure the set default action to Drop

Webmin Linux Firewall – Outgoing

There is nothing to configure here. It is probably ok to leave this with no rules and the default action set to accept. There is no reason to fear this server sending unwanted packets out.

Webmin Linux Firewall – Routing

In order for the routing (configured in webmin’s interfaces and routing sections) to work we need to tell the firewall to masquerade packets. Go to Webmin → Linux Firewall. Select Network Address Translation from the drop down list and if needed click “Show IPTable”. You only need to modify the “Packets After Rouging (POSTROUTING)” section. I want all segments to be able to route to all other segments. If I wanted to make eth3 invisible to other eths then that could be done, but that isn’t in the scope of this tutorial.

Filtering – OpenDNS

We want to Force all internal users to use OpenDNS server, even if they have admin on their computers and change their DNS settings to something else. The firewall can redirect the DNS requests and make them use our OpenDNS account for DNS. And that forces them to use our OpenDNS filtering.

It has come to my attention that webmin does not give much details in the Action setting. Usually this isn’t a problem So far the Action has just been doing drop or accept or masq. But here we are actually doing something complex with the action, and webmin isn’t showing is what it is. It just says Destination NAT. So When that happens I’ll edit the image to include the information from the “Chain Actions Details” pane. And I will try to highlight those changes in a red box on the screenshot. It makes for a butchered looking picture, but it will help clearify what is going on.
Be sure that these rules are above any drop rules that may break it.

Note: OpenDNS is not 100% fool proof. It won’t block anyone from using an IP address to access a blocked site. But this is a great start for filtering.

Filtering – Squid

Squid can be installed from webmin by clicking on the un-used modules and clicking “squid proxy server”. This installs version 2.7 stable. And squid is currently at version 3.x. Why? the package name changed. the package squid is anything under 3. And squid3 is well, squid3. So we are going to install squid3 from the ubuntu repos, and then configure webmin to use squid3.

If you haven’t already installed the module, you may need to do so. Which will install squid 2.7. After installing the module we want to remove any instances squid.

sudo apt-get purge -y squid && sudo apt-get autoremove -y

This is going to break our squid webmin module. But the webmin module will still be waiting and tell you “The Squid executable squid does not exist. If you have Squid installed, adjust your module configuration to use the correct path.” And the words “module configuration” are a hyper link. Click on that. You should have installed squid3 above. If not go back to the command line and sudo apt-get install squid3 then back to the webmin module and make it look like this.

What we are mostly concerned with is the section System Configuration. Make it look like this.

If there is another way to get to module configuration, then you can do that too. Be sure to remove squid and keep squid3

The squid configuration can be done from webmin. But since we have a simple configuration change, it is easiest to copy and paste it form command line.


sudo mv /etc/squid3/squid.conf /etc/squid3/squid.conf.original
sudo nano /etc/squid3/squid.conf

and paste in the following

http_port 3128 transparent
acl our_networks src 10.0.0.0/8
acl localnet src 127.0.0.1/255.255.255.255
acl malware_block_list url_regex -i "/etc/squid3/malware_block_list.txt"
acl porn_block_list url_regex -i "/etc/squid3/blacklists/porn/urls"
http_access deny malware_block_list
http_access deny porn_block_list
http_access allow our_networks
http_access allow localnet
cache_dir ufs /var/spool/squid3 4000 16 256

Note: The first number in cache_dir (4000 aka 4Gigs) in this example is the maximum size of the web cache. Depending on your hard drive size, and how much caching you want to do you should edit this setting.

Note: you can employ more lists than those specified here. The Blacklists (to be downloaded, below) has many more lists. You can use a list by adding an appropriate acl and http_access deny for each list you want to use. For now, lets stick to the ones I’ve suggested. I’m only using these 2 lists because I want to protect children and the computers, but I don’t want to disrupt other users surfing.

We are using squid for added filtering. We want to filter porn, spam and malware. We will use the lists of bad sites provided by the free services malware portal, and Squid Guard & MESD. Squid will check these lists before allowing the connections.


sudo nano /etc/squid3/getlists.sc

paste in the following

#!/bin/sh
wget -O "http://malware.hiperlinks.com.br/cgi/submit?action=list_squid" > /etc/squid3/malware_block_list.txt
rm -R blacklists
wget http://squidguard.mesd.k12.or.us/blacklists.tgz
tar -xf blacklists.tgz
rm blacklists.tgz
squid -k reconfigure


Warning: possible word wrapping on line 2. Line 2 should end with txt.


sudo chmod +x /etc/squid3/getlists.sc
sudo crontab -e

and add the line

1 1 * * * /etc/squid3/getlists.sc

This will download the newly updated lists every day.

Now we have a functional squid3 proxy server running performing list based filtering. It isn’t doing any filtering yet. In fact, it isn’t even receiving any traffic until we configure our firewall to direct traffic to it. Quick, back to the Webmin firewall!

At this point you maybe asking “Why do I have to keep going back to the webmin firewall?” Well, I broke this tutorial down into ‘modules’ so that it maybe easier to implement a feature at a time, or not use some features at all. And still have a sturdy router without a bunch of open holes.

Help decoding the picture: The section highlighted in green is the rules we created earliy for openDNS port redirection and has nothing to do with our squid. The sections highlighted in red are the Actions that webmin isn’t giving us much details on. As explained above. The pertinent information from the “Chain and Action Details” pain has been copied and pasted in the red boxes under the appropriate rule.
After this, get behind the squid proxy with a computer and access the web to be certain it loads. Then go back to your webmin and stop squid (it takes awhile, this is normal) and then try to reload the same site. It should time out because squid is dead. Now go back to webmin and start squid again and reload the page. It should load. You just proved that you are going through the proxy and are at its mercy.

Now try to goto a blocked porn or malware site. Because of your high moral quality you may not know what sites to try. You could peak in the supplied files for a list of sites to try. Squid should Stop you you.

Here is an nmap webmin scanner. It doesn’t do the network scan, but can scan a single host with verbose output.

System Specs

My System is probably a bit over kill. What you’ll need is a system that meets ubuntu server’s specs. And if you are going to run squid with some of the advanced filtering techniques, you will probably want at least 2 Gigs of RAM. You’ll need at least 2 NICs, one can be a wifi, but to make this project the most fun you’ll want at least 2 eth and one wlan. You only need a 100Mb eth card for your uplink to your ISP, but I’d put a 1Gb eth on the internal network interface. My Dell 1750 Server came with 2 eth on board and 2 eth on a PCI and I had a wlan G card from a previous project. My overkill stats include a Xeon Core 2 3Ghz with 4Gigs of RAM and a RAID 1 SCSI with 4Gigs of RAM. I’m running 32bit Ubuntu so I’m only seeing 3.69 Gigs.

Warned
This project isn’t for the linux newb or the networking newb. There will be several assumptions made about the skill level of the practitioner of this project.

Install the OS
There are enough tutorials out there to install the OS. Google one up if you need to. We don’t need the GUI or X so just install ubuntu server. I used 10.4 because it is LTS. When done installing go ahead and update.

sudo apt-get update && sudo apt-get upgrade –y && sudo apt-get autoremove –y

Here are a few of the handy tools we are going to need.

sudo apt-get install –y netperf nmap ntop apt-show-versions


Interfaces

The first thing you need to do is set up your interfaces. Now I’ve got 4 eths and a wlan. You may not have as many eths so modify the following interfaces file as you need for your router. Remember, we are assuming eth0 is the interface connected to the internet or wild network. I connect eth0 to the ISP cable modem and therefore I need eth0 to be dhcp. You probably will too.

Also, I’m setting up each interface as its own subnet. This is a router, not a bridge. If you want all of your interfaces on the same subnet you will need to set up a bridge. And that is not covered in this tutorial.

Warning: Always, make a backup of the original file. If anywhere anytime I or anyone else suggests you edit a file that already exists quickly back it up.

sudo mv /etc/network/interfaces /etc/network/interfaces.original

then

sudo nano /etc/network/interfaces
and paste in the following.

auto lo
iface lo inet loopback

#External Interface
auto eth0
iface eth0 inet dhcp

auto eth1
iface eth1 inet static
address 10.1.1.1
netmask 255.255.255.0
network 10.1.1.0

auto eth2
iface eth2 inet static
address 10.2.1.1
netmask 255.255.255.0
network 10.2.1.0

auto eth3
iface eth3 inet static
address 10.3.1.1
netmask 255.255.255.0
network 10.3.1.0

auto wlan0
iface wlan0 inet static
address 10.4.1.1
netmask 255.255.255.0
network 10.4.1.0

Routing

To make this computer become a linux router it a route we need to edit a few files.

Argument: I suppose one could argue that this is not a true router but is instead a multi-interface gateway device. A true router could share a routing table. And this device does not. I suppose it could, but since I don’t want it to, it isn’t.

sudo cp /etc/sysctl.conf /etc/sysctl.conf.bak && sudo nano /etc/sysctl.conf

to enable router mode you must remove the # before the line

net.ipv4.ip_forward=1
echo 1 > /proc/sys/net/ipv4/ip_forward
cat /proc/sys/net/ipv4/ip_forward

and be sure it says 1 instead of 0. I’ve seen it not take for some reason. If not just nano it.
And then reboot

sudo shutdown now –r


When the system comes back up it will have the potential to route packets. It wont. Not until you configure the firewall via iptables. Particularly the masquerade section.

iptables Firewall

I determined that webmin firewall is easy to configure and gives a nice graphic representation of the firewall, but it wasn’t as flexible and quick as I wanted. I wanted to run a script and link other non firewall things to that script. As a result I trashed my webmin firewall and implamented this script. But, I saved my documentation and made it its own blog entry. If you want to use webmin and make a router firewall with it instead of using an iptables script you can check it out.

WARNING: there maybe some nasty word wrapping in this script due to this blog layout.

sudo nano /bin/iptables.sc

and paste in the following

#!/bin/bash
######################
#
# Settings up variables for the script
#
######################
#SETS SERVER IPS TO VARAIBLES AND DETERMINES DHCP GATEWAY
echo "setting up variables"
#_GATEWAY=$(nslookup nedimare.game-host.org | grep 97 | cut -d : -f 2 | sed -e 's/^[ \t]*//')
_GATEWAY=$(ifconfig eth0 | grep -v inet6 | grep inet | cut -d : -f 2 | sed 's/Bcast//')
echo "The gateway inteface IP is $_GATEWAY"
_FTP=10.1.1.5
_HTTP=10.1.1.6
_RUNUO=10.1.1.7
_CYGNENOS=10.1.1.3
_Win2k8Server=10.1.1.8

########################
#
# Flushing and setting defaults
# accepts for some
#
######################
echo “Flushing and setting defaults”
echo ” flush nat”
iptables -t nat -F
echo ” flush input”
iptables -F INPUT
echo ” flush nat prerouting”
iptables -t nat -F PREROUTING
echo ” flush nat postrouting”
iptables -t nat -F POSTROUTING
echo ” flush output”
iptables -F OUTPUT
iptables -P OUTPUT ACCEPT
echo ” flush forward”
iptables -F FORWARD

##########################
#
# ICMP
#
##########################
iptables -A OUTPUT -p icmp –icmp-type echo-request -j ACCEPT
iptables -A INPUT -p icmp –icmp-type echo-reply -j ACCEPT
iptables -A INPUT -p icmp –icmp-type echo-request -m limit –limit 1/s -i eth0 -j ACCEPT
# Work around for stupid websites blocking ICMP (just for normal surfing)
# iptables -t mangle -A FORWARD -p tcp –tcp-flags SYN,RST SYN -j TCPMSS –clamp-mss-to-pmtu
# Allow ICMP for frag notification
# –icmp-type 8 = ping
# iptables -t filter -A INPUT -p icmp -s 0/0 -d $ip_eth2 -m state –state NEW -j ACCEPT

################
#
# Masqurading
# allows routing to work
#
#################
echo “setting up masqurading”
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

################
#
# INPUT
# connections to this firewall/router
###############
echo “setting up INPUT”
iptables -I INPUT 1 -i lo -j ACCEPT
iptables -A INPUT -m state –state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp –dport ssh -j ACCEPT
iptables -A INPUT -p tcp –dport 10000 -j ACCEPT

################
#
# OUTPUT
# connections from this firewall/router
################
echo “setting up OUTPUT”
iptables -A OUTPUT -j ACCEPT

###################
#
# FORWARD
# connections going through this firewall/router
##################
echo “setting up FORWARD”
iptables -A FORWARD -m state –state ESTABLISHED,RELATED -j ACCEPT

##################
#
# Webmin DNATs
# allow various servers to connect from the internet
##################
echo “setting up Webmin DNATs”
iptables -t nat -A PREROUTING -p tcp -i eth0 –dport 10001 -j DNAT –to 10.1.1.5:10000
iptables -t nat -A PREROUTING -p tcp -i eth0 –dport 10003 -j DNAT –to 10.1.1.3:10000
iptables -t nat -A PREROUTING -p tcp -i eth0 –dport 10006 -j DNAT –to 10.1.1.6:10000
iptables -t nat -A PREROUTING -p tcp -i eth0 –dport 10007 -j DNAT –to 10.1.1.7:10000

##################
#
# RUNUO DNAT
#
#################
echo “setting up RUNUO DNAT”
iptables -t nat -A PREROUTING -p tcp –dport 2593 -j DNAT –to $_RUNUO:2593
iptables -t nat -A POSTROUTING -s $_RUNUO -p tcp –sport 2593 -j SNAT –to-source $_GATEWAY
iptables -A INPUT -d $_RUNUO -p tcp –dport 2593 -j ACCEPT
iptables -A OUTPUT -s $_RUNUO -p tcp –dport 2593 -j ACCEPT

##########################
#
# RDP DNAT
# untested
#########################
echo “setting up RDP DNAT”
iptables -A FORWARD -p tcp –dport 3389 -m state –state NEW -j ACCEPT
iptables -t nat -A PREROUTING -p tcp –dport 3389 -j DNAT –to $_Win2k8Server:3389
iptables -A FORWARD -i eth0 -p tcp –destination $_Win2k8Server -m multiport –dports 3389 -j ACCEPT

####################
#
# FTP DNAT
#
####################
# THIS SECTION IS STILL NOT FUNCTIONING CORRECTLY
echo setting up FTP DNAT
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp
PREROUTING -p tcp –dport 20 -j DNAT –to $_FTP:20
PREROUTING -p tcp –dport 21 -j DNAT –to $_FTP:21
iptables -t nat -A PREROUTING -p tcp -i eth0 –dport 21 -j DNAT –to $_FTP:21
iptables -t nat -A PREROUTING -p tcp -i eth0 –dport 20 -j DNAT –to $_FTP:20
iptables -A FORWARD -i eth0 -p tcp -d $_FTP -m multiport –dports 20,21 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp –dport 20 -j DNAT –to $_FTP:20
iptables -t nat -A POSTROUTING -s $_FTP -p tcp –sport 20 -j SNAT –to-source $_GATEWAY
iptables -A INPUT -d $_FTP -p tcp –dport 20 -j ACCEPT
iptables -A OUTPUT -s $_FTP -p tcp –dport 20 -j ACCEPT

######################
#
# Webserver DNAT
#
#######################
iptables -t nat -A PREROUTING -p tcp -i eth0 –dport 80 -j DNAT –to $_HTTP:80
iptables -t nat -A PREROUTING -p tcp -i eth0 –dport 443 -j DNAT –to $_HTTP:443
iptables -t nat -A PREROUTING -p tcp -i eth0 –dport 10022 -j DNAT –to $_HTTP:22

#####################
#
# OpenDNS DNAT OUTGOING
#
####################
# note 10.1.1.3 is the IP of my internal DNS server
echo “setting up OpenDNS prerouting (the trap)”
iptables -t nat -A PREROUTING ! -s 10.1.1.3 -p udp –dport 53 -j DNAT –to 208.67.222.222:53
iptables -t nat -A PREROUTING ! -s 10.1.1.3 -p tcp –dport 53 -j DNAT –to 208.67.222.222:53

###################
#
# Default settings end of chain and rejects
#
## tighten this up later.
echo “default rejects, end of chains”
iptables -P INPUT REJECT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD REJECT

Note: this is still a work in progress and may need tightening a bit more

Now that we have this script we can add modules like the ftp modules that load on execution, call this script from other scripts like the malware script below, call it from cron, and we can put a link into the /etc/network/if-pre-up.d and if-up.d folders so when the interfaces comes up the iptables gets reloaded.


sudo ln -s /bin/iptables.sc ./if-pre-up.d/iptables.sc
sudo ln -s /bin/iptables.sc ./if-up.d/iptables.sc


Wireless Access Point – Can you host?

Get the tools
sudo apt-get install -y wpasupplicant wireless-tools iw

Step 1 test your card:
Be sure your wireless device is up and functional. One test is to do a iwlist scanning wlan0 and verify that you can see other wireless networks. Setting up a WAP with a wifi card or other device that may or may not function could be a waste of time.

Step 2 Verify that your card supports being an access point
First try

sudo iw
and verify that AP is somewhere in the Supported Interface modes. If so, then just jump down to the section Wireless Access Point – hostapd, below. If not then you can try

sudo iwconfig mode master

If you got no errors in “mode master” then you need to do something like…

sudo nano /etc/network/interfaces

Find the wireless interface (often wlan0) and add these lines

wireless-mode master
wireless-essid YOURESSIDNAME

But I don’t have that type of card, so I can’t help with that, You can still try the next section about hostapd. It may still work. Otherwise, you are going to have to get another card, or research the wireless-mode master method.

Wireless Access Point – hostapd (basic unsecured setup

There is no webmin module for hostapd. Maybe someone should write one. That would be cool. For now, to the command line.


sudo apt-get install hostapd
cd /etc/hostapd
sudo mv hostapd.conf hostapd.conf.original

We are going to set up an unsecure wireless network and then lock it down. It is hard to troubleshoot security and connectivity. Lets first verify that we can connect. Then we will work on security.

sudo nano hostapd.conf

Paste in the following. Remember to change wlan0 to your wireless device that is displayed in an ifconfig. Also, the driver= section may not be the same as mine you may need to do some googling with “hostapd driver {your wifi card type}” and see what driver is suggest you use. I tried nl80211 on the first try and got lucky. Actually, my understanding is that nl80211 is the most common driver, so give it a try too.

interface=wlan0
driver=nl80211
ssid=test
channel=1

Exit saving and then

sudo hostapd ./hostapd.conf &

If there are no errors. Then we are golden. Go to another device and scan for a the network and see if you can see it.

Init.d fail: I noticed that starting this program as service by doing a “sudo /etc/init.d/hostapd restart” failed to load the correct conf file. Although the output was implying that the service started just fine. Using “sudo hostapd ./hostapd.conf &” brought up the service with the correct conf file. You know what that means? The init.d script borked. I have to edit the init.d script.
First backup the original

cd /etc/init.d
sudo mv hostapd hostapd.original
sudo chmod –x hostapd.original

Then
sudo nano hostapd

and paste in the following.

#!/bin/sh
### BEGIN INIT INFO
# Provides: hostapd
# Required-Start: $remote_fs
# Required-Stop: $remote_fs
# Should-Start: $network
# Should-Stop:
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: Advanced IEEE 802.11 management daemon
# Description: Userspace IEEE 802.11 AP and IEEE 802.1X/WPA/WPA2/EAP
# Authenticator
### END INIT INFO
PATH=/sbin:/bin:/usr/sbin:/usr/bin
case "$1" in
start)
echo "attempting to start hostapd using /etc/hostapd/hostapd.conf"
hostapd /etc/hostapd/hostapd.conf &
echo "done attempting. Did we fail? I can't tell because I'm a very simple script."
ps -A | grep hostapd
;;
stop)
echo "i'm going to attempt to kill hostpad using killall"
killall hostapd &
echo "done attempting. Did we fail? I can't tell because I'm a very simple script. If I did fail you can try again as there mayve multiple instances."
ps -A | grep hostapd
;;
reload)
echo "I'm too simple of a script to attampt a reload, do restart instead."
;;
restart|force-reload)
$0 stop
sleep 8
$0 start
;;
*)
N=/etc/init.d/$NAME
echo "Usage: $N {start|stop|restart|force-reload}" >&2
exit 1
;;
esac
exit 0
(this blog post screws up the tabbing format from the original. This looks sloppy, but works.)

sudo chmod +x hostapd


Now /etc/init.d/hostapd start | stop etc works and it loads up on reboot. I realize this is a hack. My init.d script skills aren't the best. If anyone has a better solution feel free to reply to this blog and I'll put it in here.

When hostapd is running, do an ifconfig. You should notice a new device named mon.wlan0. Got a client computer and scan for new networks. You should see, and be able to connect to it. If not, first suspect the driver= section.

Wireless Access Point – hostapd WPA2

Hint: Before continuing, connect to the WAP while unsecured to rule out security as a possible cause for failure to connect.

again do a

sudo mv /etc/hostapd/hostapd.conf /etc/hostapd/hostapd.conf_simple
sudo nano /etc/hostapd/hostapd.conf

and paste in the following.

interface=wlan0
driver=nl80211
ssid=rampart
hw_mode=g
channel=11
wpa=2
wpa_passphrase=yourpasswordinplaintext
wpa_key_mgmt=WPA-PSK
wpa_pairwise=CCMP
wpa_group_rekey=600

restart the service and try to connect. If you fail, but you succeeded when you had no security, then one of your devices may not support wpa2 (AP or wifi card) or the pairwise may need changing. You will need to research and attempt another security type.

DynDNS.com

If, like me, you plan to use DynDNS and OpenDNS, then you need an account at dnsomatic.com. This basically links your 2 services so you update your IP to dnsomatic and it updates the other 2. Yes, you must have 3 internet accounts to accomplish this. I used the same user name and the same secure password for each. But this password I use for these accounts only.

You must install ddclient and it will update dnsomatic. Most of the installation instructions can be located here

sudo apt-get install ddclient

The installer prompts you for the service info like user name and password and the hosts you want to update etc. It probably doesn't matter what you enter because we'll be editing the conf file on our own after it installs. The conf file is located at /etc/ddclient.conf

Below is a sample ddcient.conf file that I found here.

##
## DNS-O-Matic account-configuration
##
use=web, web=myip.dnsomatic.com
server=updates.dnsomatic.com
protocol=dyndns2
login=dnsomatic_username
password=dnsomatic_password
all.dnsomatic.com


Our iptables script above forces all outgoing dns queries to opendns. So now would be a good time to log into opendns and set up your filtering rules. Anyone who accesses the internet from inside your network will now be filtered to your opendns account. Even if they set their DNS settings to something else.

IP Tables and Malware

At first I was using swquid for filtering as described on the Webmin Firewall page. After I got it all to work I realized that I wanted to do something different. I descided to dump squid...

sudo apt-get remove squid3 -y

... and just use iptables to filter these malware sites, and allow opendns to filter the porn. Why? Well, for one it woudld be faster and use less resources. And, it sounded like a fun challenge. If you wanted to use dansguardian or squidguard or do some actual proxying then you may want to leave squid in place.

sudo nano /bin/malware.sc

and paste in the following

#!/bin/bash
cd /tmp
# Get the malware site list, exiting if it is not downloadable.
wget "http://malware.hiperlinks.com.br/cgi/submit?action=list_hosts_win_127001" -O malware.tmp || exit 0

# creating the scripts from the malware site list.
cat ./malware.tmp | sed '/^$/d' | sed '/#/d' > malware2.tmp
echo "#!/bin/bash" > mal_INPUT.sc
echo "#!/bin/bash" > mal_OUTPUT.sc

cat malware2.tmp | sed 's/127.0.0.1/iptables -A INPUT -s/' | sed 's/$/ -j REJECT/' >> mal_INPUT.sc
cat malware2.tmp | sed 's/127.0.0.1/iptables -A OUTPUT -d/' | sed 's/$/ -j REJECT/' >> mal_OUTPUT.sc
cat malware2.tmp | sed 's/127.0.0.1/iptables -A FORWARD -d/' | sed 's/$/ -j REJECT/' >> mal_FORWARD.sc
rm *.tmp

chmod +x mal_INPUT.sc
chmod +x mal_OUTPUT.sc

echo "exit" >> mal_INPUT.sc
echo "exit" >> mal_OUTPUT.sc

# Excution of the scripts adding them to iptables
/bin/iptables.sc
/tmp/mal_INPUT.sc
/tmp/mal_OUTPUT.sc
/tmp/mal_FORWARD.sc

Now we need to set it up to run once a day.

sudo crontab -e

and paste in the following

1 4 * * * /bin/malware

This will update the malware list and resets the firewall every day at 4:01AM.

ntop - network usage monitor

ntop installed from repos just fine. But it wouldn't launch I had to create the ntop directory and adjust its permissions. These permissions could be tightened up a bit maybe. I wonder if anyone knows the proper permissions and ownership for this

sudo apt-get install ntop
sudo mkdir -p /var/lib/ntop
sudo chmod 755 -R /var/lib/ntop
sudo nano /var/lib/ntop/init.cfg

and then verify the interfaces. I had to add more interfaces inside the quotes and seperate each one with a comma. Like this.
INTERFACES="eth0,eth1,eth2,eth3,wlan0"

Once installed, you can direct your browser to

and get some very interesting statistics throughput and network usage. This is a very robust monitoring utility. Click here to see some screenshots of ntop.

DHCPD and DNS

Many Walmart brand home router boxes have DHCP and DNS Masquerading features built in. If you are creating a device to replace such a box then you will need to set up these servers as well. There should be ample documentation on the internet for these proceedures. I use DNS and DHCP on a device inside of the network. It is much more secure to not have these servers forward facing. If you also have a seperate yet internal DNS and DHCP server set up this box won't route dhcp broadcasts from subnet to subnet. So if you, like me, have eth0 internet facing, eth1 and eth2 with internal hosts then those hosts connected to the eth that the DHCP server is not connected to will not get an IP address. You must install a dhcp relay.

sudo apt-get install -y dhcp3-relay

and configure it to point to your internal dhcp server. It is all pretty strait forward.

nmap - network scanner
This tool can scan your network and look for hosts inside of your firewall. You can use this output to look for rouge devices. nmap is such an indepth tool that it deserves its own blog post.

sudo nano /bin/nmap.sc

and paste in the following.

#!/bin/bash
nmap -sP 10.1.1.0/24 > /tmp/nmap.last
nmap -sP 10.2.1.0/24 >> /tmp/nmap.last
nmap -sP 10.3.1.0/24 >> /tmp/nmap.last
nmap -sP 10.4.1.0/24 >> /tmp/nmap.last

Note: You probably wont be using the same networks as I am. So scanning a network that doesn't exist is not necessary. Edit the script to suit your network.


sudo crontabe -e

paste in the following line.

1 * * * * * /bin/nmap.sc

This will scan the network on the first minute of every hour and put the results into /tmp/nmap.last.log We’ll add more fun later in which we can set more detailed scans on those clients as well as send alerts if something doesn’t belong. For now, you can look at that log by doing a

cat /tmp/nmap.last.log


netperf

This handy utility measures actual throughput. Having this running on your gateway/router allows you to check your speed on any segment, and even though the internet.

tshark
coming soon

Basic Specs
This is a 12 inch 800Mhz dual USB IBook G3. This is a fairly light little yet rugged iBook. It was being recycled from my old job and I think I paid $40 for it. This system is very functional, but isn’t very powerful. It is perfect for light web browsing, email, word processing, and blogging.

Memory
The first thing to get upgraded was the RAM. I’m a RAM junky, so I crammed in as much as it would hold. A 512 stick of RAM was about $30 from ebay. The iBook has 128MB soldered to the board. So it gives me a grand total of 640MB.

Battery
Again, from ebay I got a new (not refurbished and not used) battery for about $30 dollars plus shipping. This battery lasts between 2.5 and 3 hours with the pata spinner hard drive. When suspended the battery lasts for many days.

The Optical Drive
A friends laptop, i think it was an HP, died. I examined it for parts. The hard drive was no bigger than the iBooks, and no other parts were compatible with anything I had. I looked at the DVD Read / CD Write drive because I was thinking of converting it to a USB drive. But I noticed the connectors appeared to be the same as my iBook. I shrugged and put it in. Installed, the tray wouldn’t close so I had to trim down the plastic of the door with a utility knife and then smoothed it with sandpaper. It worked! It will read DVDs and it can burn CDs. I haven’t watched a movie on it yet, but I don’t see why it wouldn’t. The thing I love the most is the button on the tray door that pops it open. Macs seem to lack this handy manual way of opening the tray.
Pics of drive with the top off:

I need a pic of drive with iBook top re-assembled.

The Hard Drive
I finally bought a Solid State hard drive for this system. Hard drive replacement on these iBooks is not for the faint of heart. You can find directions at ifixit.com, so I wont get into the details, but it is a lot of work. I paid $60ish for this 16GB solid state drive from an online store on ebay.

I did some unofficial tests today. I was at the coffee shop on battery power for an hour and a half and used about 20% of my battery charge. If that rate continued it would be looking at 7 hours or more of battery life. Yes i know battery monitors are rarely so linear. Even conservativly speaking I bet I top 4 and a half hours.

hdparm -tT /dev/hda test with original pata hdd

Timing cached reads: 102 MB in 2.00 seconds = 50.91 MB/sec
Timing buffered disk reads: 70 MB in 3.02 seconds = 23.21 MB/sec

hdparm -tT /dev/hda test with new ssd hard drive

Timing cached reads: 160 MB in 2.00 seconds = 79.82 MB/sec
Timing buffered disk reads: 78 MB in 3.07 seconds = 25.42 MB/sec

Not much improvement in the buffered reads, which isn’t surprising. The cached reads improved by a decent margin. It still isn’t as fast as a more modern sata drive. Of course performance tests never reflect the real world and ‘feel’.

I recorded my boot up before and after this installation. With the spinner the boot was right at 1 minute and 20 seconds and after it is shaved down to right at a minute. This from press of power button to a login prompt. And I swear, it hangs at the yaboot prompts longer with the new drive. One can modify that so it waits less time. I wonder if I did that with the old hard drive and forgot to do it with the new hard drive. I suppose I could post videos of the before and after boot times if anyone is interested.

UPDATE: Well, I just realized the readahead isn’t installed, and I know it is on the original hard drive. So after installing that I expect a few more seconds shaved off. Probably not a whole lot, though.

UPDATE: again, here is some more tweaking on the SSD

The Operating System
Mac OS sucks. So, I put linux MintPPC!! MintPPC out performs Mac OS in speed, user friendliness, and flexibility. Not to mention cost. This OS is a lightweight and attractive and very functional. It is perfect for light web browsing, email, word processing, and blogging. By default, it has media & music software, network tools, graphics tools and much more. At least for my iBook, all of the hardware just worked out of the box. Even the wireless with WPA support. If you read my other blog posts you can see that I’ve tried a lot of other distros on this iBook and nothing compares to mintPPC. Of course, I’m probably biased as I’m a mintPPC developer.

The Case To complete the frankintosh I removed the top of the display case and painted it green with krylon plastic spray paint. I put several coats on. Now I can’t see that stupid apple. And the green lid does look different.

This boot up video was recorded pre updates described above. After the updates I shaved the boot time down a bit.

Update

Mint 11 is based on Debian Wheezy using kernel 3.1 and is incredibly fast. It is very impressive and I have to to hand it to linuxopjemac!! This version is awesome.

sudo apt-get remove openoffice*.*
mkdir ~/sc
nano ~/sc/install_OOo.sc

paste in the following. Beware of word wrapping on the wget line

cd ~/Downloads
wget http://ftp.ussg.iu.edu/openoffice/stable/3.2.1/OOo_3.2.1_Linux_x86-64_install-deb_en-US.tar.gz
tar -xvzf OOo_3.2.1_Linux_x86-64_install-deb_en-US.tar.gz
cd OOO320_m18_native_packed-1_en-US.9502/DEBS
sudo dpkg -i *.deb
cd desktop-integration
sudo dpkg -i *.deb

end paste

chmod +x ~/sc/install_OOo.sc
cd ~/sc
sudo ~/sc/install_OOo.sc

In order for this to work the same user name must exist on both the local and the remote systems. Now it is possible to get this to work using different user names, but not with the scripts I supply here. So for simplicity be sure that the same username exists on both systems, and that they have a Documents directory in the location of /home/username/Documents on both systems.

Also, unision must be installed on both systems. Using debian you can “apt-get install unison” easy enough.

Both of the following scripts are executed on the system doing the syncing. This is normally the client, laptop, or the system which is disconnected from the network (or powered off) the most.

Script 1
This script just generates keys and then copies the keys to the remote server. This way you don’t need to enter login credentials to log into the remote server via ssh. Without this, the cron job will just hang waiting for input.

As root execute the following commands. You may need sudo if running ubuntu.

nano /bin/sshkeys.sc

paste in the following

echo GETTING INFORMATION
echo enter the target systems username
read _USER
echo enter the target systems name or IP address
read _SERVER
echo GENERATING KEYS
echo do not enter a passphrase. Just hit enter twice. In fact
echo just accept all defaults and keep hitting enter.
ssh-keygen -t rsa
cd ~/.ssh
echo COPYING the generated keys to the remote server
echo you will be prompted for the password for the supplied user
echo but, this should be the last time!
scp ./id_rsa.pub $_USER@$_SERVER:/home/$_USER/.ssh/authorized_keys

end paste

chmod +x /bin/sshkeys.sc

Here is the tricky part… NOT as root execute the following command.

/bin/sshkeys.sc

If you are logged in as root you just set up root’s key’s on the remote server, which would be fine if root’s documents are the ones you want to synch. If your user account is a sudoer, DO NOT execute this command with a sudo.

So lets examine this script. At first we are prompted for user input with the echo and read commands. You must supply the user name, and information about the target remote server. (with either hostname, FQDN, or IP address.) It is kind of self explanatory there. Then we are generating the encryption keys and copying them to the remote server. For the secure copying, you will be prompted for the user’s password. This should be the last time you are asked. Because from here on out it will use the copied keys, and we told it (by hitting enter twice) to not request a pass phrase.

Another (unrelated) fun trick:
Once you have done the keygen you can do all kinds of nifty things, like execute commands remotely without logging in

ssh user@servernameorIP ‘ls -l /tmp’

Would list the contents of the /tmp directory on the remote machine

ssh -X ant2ne@192.168.1.5 VirtualBox

Would launch the Virtual Box console on the remote machine, but display it on the local machine.

Script 2
as root execute these commands. you may need to proceed them with sudo if using ubuntu.

nano /bin/unison.sc

Paste in the following.

Syncing()
{
_LOG=/tmp/my_unison.log
_DEST=ssh://remoteuser@remoteServer//home/remoteuser/Documents
_SOURCE=/home/localuser/Documents

date > $_LOG
unison -silent -auto -fastcheck true $_DEST $_SOURCE
date >> $_LOG
}
ping -c 1 RemtoeServer && Syncing

End paste

chmod +x /bin/unison.sc

So lets examine this script

_LOG is the location for your log file. I suggest /tmp/my_unison.log or some other directory where you have write access to.

_DEST is the remote destination to sync the files to. It must be in the format of “ssh://remoteuser@remoteServer//path/to/destination”. Lets break this down further. “ssh:” is the protocol to be used for the synch. ssh is encrypted and more secure. “remoteuser@remoteserver” this is the information that ssh needs to make a connection. remoteuser needs to be a valid user with write access on the path/to/destination part. and remoteserver is the FQDN or IP address of the target server. “//path/to/destination” is a UNC path to the target of the sync. If you were to navigate to the directory on the remote server and type pwd, that would be the information included here. BUt don’t forget to have the 2 wacks ( aka “//”) at the beginning of this path and not just one.

_SOURCE is the local location of the directory to be synced. if you were to navigate to that directory and type pwd this would be the exact information entered here.
date > $_LOG and date >> $_LOG are just a little way to find out exactly how long it took to sync. If this takes too long then perhaps unison isn’t the method for you.

ping -c 1 remoteserver && Syncing This is the last line, but it is executed first. This line tells the local computer to ping the remoteserver and if the remote server responds, then jump the the function Syncing, which then executes the stuff contained within the {} of the Syncing heading. If the ping fails, then the script just exits and there is not Syncing attempt. You don’t want to sync to a server that doesn’t exist do you? This is very handy for a laptop.

Once again, as root execute this command. You may need to proceed them with sudo if using ubuntu.

nano /bin/unison.sc

This time you need to edit _DEST= and _SOURCE= to fit your environment. I don’t know what that is. The words remoteuser remoteserver and localuser all need to be modified to fit your needs.

Cron
The first synchronisation may take awhile because not only does it have to copy the files, but I think it builds a database of the meta data for the files. So you may want to execute the script manually by typing “unison.sc”. After this one completes, you’ll want it to be automated.

The final step is to configure cron to perform the sync on a regular basis. With your limited user account (the user that wants to sync the documents) execute.

crontab -e

And paste in the following line

*/15 * * * * /bin/unison.sc

End paste
This line executes this unision.sc ever 15 minutes, basically causing the Documents directory to synchronise every 15 minutes.

Disclaimer
Synchronisation is not a form of backup. If you delete a file, or it becomes corrupted, that file will be deleted and corrupted on the remote system as well. This is just a method of keeping your Documents consistent across multiple platforms.

But, once the Documents are synced, the remote system (assuming the remote system is a file server) can use tar to backup the Documents for archiving purposes. Didn’t I talk about backups using tar on another blog post?

nano /bin/vboxlist.sc

and paste in the following

VBoxManage list vms | grep { | cut -d{ -f 1 | sed ‘s/”//g’ > /tmp/vboxlist
cat /tmp/vboxlist

exit saving and then

nano /bin/vboxon.sc

and paste in

vboxlist.sc
vboxon_list=’/tmp/vboxlist’
for VPS in `cat $vboxon_list`; do
echo starting “$VPS”
VBoxHeadless -startvm “$VPS” &
sleep 20
done
exit 0

save and exit and then

chmod +x /bin/*.sc

then as your regular user who executes the VMs. (often not root)

crontab -e

and enter

*/5 * * * * /bin/vboxon.sc

This will now launch your entire list of VMs in a headless mode every 5 minutes. If the VM is already running, it will simply fail to launch the VM and move onto the next. If you just want a list of VMs on the system you can type vboxlist.sc. If you want to manually turn on the VMs, you can type vboxon.sc

disclaimer: this was writtin on a debian VirtualBox host. The line “VBoxManage list vms | grep { | cut -d{ -f 1 | sed ‘s/”//g’ > /tmp/vboxlist” maybe different on different distributions or VirtualBox versions.

5 – Protect yourself, from yourself.
You just bought the computer. It asked you a bunch of questions including your name and time zone and the account name. You were then logged into the computer and presented with a desktop. You just created an administrator account. And most people just continue to use that account and never think twice about it. Being and administrator sounds glamorous, and maybe it is, but it is also dangerous.

Don’t be an admin. Don’t log into a computer as an administrator. Don’t be a power user. Don’t ! ! Have you ever notice that at work or at school that you log into a computer as a Standard user and you are ‘locked out’ of some computer functions. Why does the IT Department lock down the workstations? Because they hate you and don’t trust you. Well, probably. But mainly to protect the employees’ computers and data from the employees.

While logged into a computer as an administrator, every thing you do on the computer you do with the authority of an administrator. Everything you click on, launch or type has ultimate power on the computer system (and in some situation, the network as well) Supposing you are logged in as an administrator and doing some web surfing and you click on a link titled “fuzzy puppys” and the link does take you to a site of cute pooches. But the link also downloaded some code behind the scenes, and since you were logged in as an administrator, it has complete authority on the system. It launched and installer that begins to infect your operating system. In a few hours you’ll be contacting you “computer geek” friend and bribing him with pizza to come over and “look at” your computer. He maybe a “computer geek”, but you are the “computer moron” who isn’t smart enough to follow these (very simple) rules.

“Ahh, but I’m good with computers, I know what I’m doing, I’ll just keep logging in as administrator.” The way I see it, if you are savvy enough to log in to your computer as an administrator, you are also savvy enough to fix it when you screw it up.

In Windows 7: Click Win Logo Button (old start button) – Control Panel – User Accounts – Give other users access to this computer
This launches the “User Accounts” form. Click the Add button and enter a name. And Next. Now here is the important part, you want “Standard User” and click finish.

Now log off and back on with the new Standard User. Only log in with the old Admin User when you need to install something or run some system utility. But 98% of what you do does not need Admin authority. Because you now have the inconvenience of logging off and back on to perform admin functions, you are less likely to spontaneously do things and click on crap. And you might think a little longer and harder about what it is you are doing.

6 – Don’t install that
Do not install unreputable software or software from unknown and untrustworthy sources. All because your buddy who “is good with computers” has it installed, does not mean it is reputable. After all, that moron logs in as an administrator. And all because you can download it from sourceforge doesn’t mean you can trust it. So before you click that setup.exe ask the person who is going to end up fixing your broken system if the program is reputable. If that person isn’t available, do some research on your own. Try googling “limewire and virus”.

Quote of the day; “Limewire is installed. I think I know what the problem is…” Limewire is a program that offers copy written and non-free software, media, or files for free. Regardless of this illegality and lets forget about how limewire eats up your bandwidth and system performance, and lets ignore that it ruins your privacy by sharing your files… Limewire is a horrible program that opens a hole in your firewall and gives access to your system to anything that wants it. I’d say a mere 10% of the systems I’ve cleaned did not have limewire or similar programs installed and were infected by some other source such as email or flash drive or sick link.

“Quit installing limewaire!”… “Why?”… “you’ll not find a more wretched hive of scum, and villany than limewire that’s why!!!!!”

power
Squeeze also has fairly functional suspend features. Hibernate is still borked though.The power management of lxde isn’t as configurable as I would like and when compared to gnome. But merely pushing the power button executed a suspend to ram. Somehow closing the lid and suspending was giving me issues as well. But somehow it started working again. It appears that squeeze uses ppbuttonsd, but powerprefs 9the gui front) was not installed and could be installed manually from the lenny packages.

right click
The right click is mapped to the F11, and my fix (below) didn’t seem to move it. I removed mouseemu with a ‘apt-get remove mouseemu’ and my fix worked. I tried to configure and use mouseemu, but it wasn’t cooperating with me. I figure it is one less service running, right?

mint
Running the mint ppc 9 install script on top of a basic installation (no gui) adds lxde with enough features for most needs. To install mint jump over to mintppc.org and register and click on the installation link and choose mint9. Pay special attention to the part where the author says, “We cannot yet install Squeeze natively as there is still a bug in the Debian Installer with respect to yaboot.” There are steps explained to overcome that problem. It can be a bit confusing. But you download the Lenny netinst or business card install CD and when prompted to enter “install”, “install video=ofonly” or “expert” just type “expert. And go through each step. You will eventually be prompted to select ‘lenny’ ‘squeeze’ or ‘sid’. Select squeeze. Continue the installation and when asked what packages you want, un-check desktop but leave laptop.

Out of date information below this point…

To install Mint, you should jump over to http://mac.linux.be/content/mint-lxde-debian-lenny-ppc#4 and read what there is to learn. then come back here and see how I tweaked it to run on the iBook. And get everything else to work as well. After playin with mint for some time, i detemined that lxde wasn’t enough of a window manager for me. So I went back to a gnome desktop. But, I have a 800Mhz cpu with 640MB of RAM so I didn’t need lxde. Some of the lighter iBooks out there will have better performance with lxde.

The tutorial outlined by linuxopjemac assumes that you have a default and basic install of debian with no other X sessions managers (ie. gnome or kde) and was intended to run on a desktop not laptop computer. But to get wpa and suspend, I had to sacrifice the ultra trim debian installation and go ahead and install a gnome desktop and applications. Then configure gnome to work properly. I then added only the required mint packages and themes and left out the other packages suggested by linuxopjemac. This left me with a minty lxde OS, but using mostly gnome applications. This is a situation that I’m quite happy with.

So first grab yourself a lenny (5.04) debian install CD and install it on your iBook, including gnome desktop. When that is done, you can begin configuring.
all of this needs to be done as root. So

su

and enter the root password
As usual, for iBook suspend and wpa you need a 2.6.32 or better kernel. In debian, you don’t have to roll your own.

nano /etc/apt/sources.list

add

deb http://http.us.debian.org/debian/ unstable main contrib non-free

save and back in terminal

apt-get update && apt-get install -y lxde linux-headers-2.6.32-3-powerpc linux-image-2.6.32-3-powerpc
apt-get remove -y pmud powerprefs pbuttonsd
nano /etc/apt/sources.list

and comment out

#deb http://http.us.debian.org/debian/ unstable main contrib non-free

Back in the terminal

cp /etc/yaboot.conf /etc/yaboot.conf.original
nano /etc/yaboot.conf

remove “video=ofonly”, but leave the quotes.

ybin -v

shutdown now -r

on reboot

uname -r

and verify the new kernel.

su
apt-get autoremove

now we get and apply the orinoco driver for wpa

cd /tmp
wget http://www.ant2ne.com/downloads/iBook_orinoco.fw.tar.bz2
tar -xvjf iBook_orinoco.fw.tar.bz2
mv orinoco.fw /lib/firmware/agere_sta_fw.bin
modprobe airport
shutdown now -r

After all of that, we have a functional 2.6.32 kernel with wpa and we can suspend to ram with the command s2ram. But you need to configure it to unload and reload these drivers on suspend. The method I’m playing with now is on ifup and ifdown events.

su
cd /bin
nano power_suspend.sc

and then copy and paste in the following

#!/bin/bash
case $1 in
hibernate)
#echo “Hey guy, we are going to suspend to disk!”
ifdown eth1
modprobe -r airport
modprobe -r orinoco
echo hibernate ————– >> /tmp/power.log
date >> /tmp/power.log
;;
suspend)
#echo “Oh, this time we’re doing a suspend to RAM. Cool!”
ifdown eth1
modprobe -r airport
modprobe -r orinoco
echo suspend ————— >> /tmp/power.log
date >> /tmp/power.log
;;
thaw)
#echo “oh, suspend to disk is over, we are resuming…”
#modprobe orinoco
modprobe airport
ifup eth1
echo thaw ————— >> /tmp/power.log
date >> /tmp/power.log
;;
resume)
#echo “hey, the suspend to RAM seems to be over…”
#modprobe orinoco
modprobe airport
ifup eth1
echo resume ————— >> /tmp/power.log
date >> /tmp/power.log
;;
*) echo “somebody is calling me totally wrong.”
;;
esac

Now we need to link this script in bin to the loction where the power management will look for it. Scripts in the sleep.d directory are executed each time the computer is suspended, resumed, hibernated or thawed. Notice that I never did get hibernate and thaw to work. But with a good battery the suspend and resume is awesome. It is fast and conserves a lot of energy.

chmod +x *.sc
ln -s /bin/power_suspend.sc /etc/pm/sleep.d/22power_suspend.sc

Hard Drive tweaks

hdparm -B 127 /dev/hda
hdparm -M 254 /dev/hda

Right Click The right click is naturally mapped to the F12, wich is dumb. The fn & alt keys are much more conveneint.

nano /etc/sysctl.conf

And edit or add the following

dev.mac_hid.mouse_button_emulation = 1
dev.mac_hid.mouse_button2_keycode = 87
dev.mac_hid.mouse_button3_keycode = 100

exit and save. Then, back in the terminal execute

invoke-rc.d procps start

so the changes take effect.

I now have suspend, wpa and screen dimming on a debian system.

Mint
To install Mint, you should jump over to http://mac.linux.be/content/mint-lxde-debian-lenny-ppc#4 and read what there is to learn. This install script assumes that you are installing on a basic debian install only. And not with gnome or configured settings for suspend and wpa. I noticed that some application in that script breaks suspend. So for a functional suspend, grab the install script called mint-installer. Then trim out the part that will install the other applications. With the current mint-installer script (as of 5/5/2010) you can just…

tail -105 mint-installer > iBook_mint.sc
rm mint-installer
chmod +x iBook_mint.sc
Apt-get install lxde
./ iBook_mint.sc

After playing around some, I determined that lxde and mint didn’t fit my needs so I went back to a default gnome-debian install on my ibook.

It will be a goal of mine, to share any of my knowledge of Linux to anyone who wants to learn. I’m also contemplating starting a lug in my area or finding some other way to contribute to the community.

Associates degree in Computer Networking (with a 4.0 gpa), A+, Network+, Linux+, and now I’m dusting off that Security+ book.