kernel.panic = 3 # reboot after 3 seconds
kernel.panic_on_oops = 1 # Panic on kernel oops
vm.panic_on_oom = 1 # 0 = Kill some procs at "Out Of Memory", 1 = panic
Soll der Knoten regelmäßig rebootet werden? Zu welcher Zeit, in welchen Fällen?
Soll sich jeder als Knoten am Mesh-Netz beteiligen dürfen? - (De)Aktivierung eines Iptables-Rulesets, siehe /sbin/strict-mesh. Werte:
#@#config management
enable.strict_mesh 2
überprüfen mit:
root@node:~# uci get management.enable.strict_mesh
Derzeit kann sich jeder als root an jedem Knoten anmelden, der das Passwort kennt (gesnifft hat). Abhilfe: dropbear mit "-g" (Disable password logins for root) starten. SSH-Key in /etc/dropbear/authorized_keys hinterlegen.
TODO:
#@#config dropbear
PasswordAuth 0 # eval uci set $(uci show dropbear | grep PasswordAuth | cut -d"=" -f1)=0
# uci commit dropbear
# /etc/init.d/dropbear stop
# /etc/init.d/dropbear start
root_ssh_keys $SSH_PUB_KEYS # echo "$SSH_PUB_KEYS" > /etc/dropbear/authorized_keys
uci set management.enable.https=0 # falls kein https
uci set general.services.updt_srv=mesh.menole.net #
Oder vor dem Build eines Custom Images:
vi ~/packages_11949/net/robin-mesh/files/etc/config/general
cat ~/packages_11949/net/robin-mesh/files/etc/config/general
config 'general' 'services'
option 'updt_srv' 'mesh.menole.net'
option 'upgd_srv' 'www.open-mesh.com/firmware/mr3201a/'
option 'beat_srv' 'mesh.menole.net'
option 'ntpd_srv' 'tick.greyware.com'
option 'cstm_srv' 'www.open-mesh.com/firmware/mr3201a/'
option 'name_srv' ''
option 'upstream' '0'
Beispiel vom MadWifi Project
##### hostapd configuration file ##############################################
bridge=br0 # bridge interface usually br0
interface=ath0 #atheros interface
driver=madwifi #driver type
ssid=wpa-test #set essid
#macaddr_acl=2 #optional macaddress authentication instead of user/password pair -- macaddr_acl=2 tells hostapd to use radius
#accept_mac_file=/etc/hostapd.accept
#deny_mac_file=/etc/hostapd.deny
ieee8021x=1
auth_algs=1
eap_server=0
eapol_key_index_workaround=1
###Radius Setup
own_ip_addr=10.0.0.1
nas_identifier=test.5gwireless.com
auth_server_addr=10.0.0.200
auth_server_port=1812
auth_server_shared_secret=testing123
acct_server_addr=10.0.0.200
acct_server_port=1813
acct_server_shared_secret=testing123
###WPA
wpa=1
wpa_key_mgmt=WPA-EAP
wpa_pairwise=TKIP
wpa_group_rekey=300
wpa_gmk_rekey=640
/etc/config/wireless:
config 'wifi-iface' 'private'
option 'device' 'wifi0'
option 'network' 'ap2'
option 'mode' 'ap'
option 'isolate' '1'
option 'ssid' 'menole_secure_test'
option 'hidden' '0'
option 'encryption' 'wpa2'
option 'key' 'The Radius Secret'
option 'server' 'Radius Server IP'
option 'nasid' 'other'
option 'port' '1812'
/var/run/hostapd-ath2.conf
driver=madwifi
interface=ath2
ssid=menole_secure_test
debug=0
wpa=2
wpa_pairwise=CCMP
auth_server_addr=Radius Server IP
auth_server_port=1812
auth_server_shared_secret=The Radius Secret
nas_identifier=other
eapol_key_index_workaround=1
radius_acct_interim_interval=300
ieee8021x=1
auth_algs=1
wpa_key_mgmt=WPA-EAP
wpa_group_rekey=300
wpa_gmk_rekey=640
siehe IEEE 802.1X mit RADIUS (wpa2 tls radius)
Außerdem muss noch /usr/sbin/update-wifi.sh aus dem Paket robin-mesh angepasst werden:
diff -urNad orig/update-wifi.sh /usr/sbin/update-wifi.sh
--- orig/update-wifi.sh 2009-05-22 09:39:43.000000000 +0200
+++ /usr/sbin/update-wifi.sh 2009-06-03 13:15:02.000000000 +0200
@@ -43,7 +43,40 @@
k_restart=1
fi
;;
-
+
+ "public.encryption")
+ option="${CONF}.${SECTION_OPTION}"
+ TX_VALUE=$(echo $VALUE |tr -d '\r')
+
+ CURRENT_VALUE=$(uci get ${option})
+ if ! [ "$CURRENT_VALUE" == "$TX_VALUE" ] ; then
+ uci set $option="${TX_VALUE}"
+ k_restart=1
+ fi
+ ;;
+
+ "public.server")
+ option="${CONF}.${SECTION_OPTION}"
+ TX_VALUE=$(echo $VALUE |tr -d '\r')
+
+ CURRENT_VALUE=$(uci get ${option})
+ if ! [ "$CURRENT_VALUE" == "$TX_VALUE" ] ; then
+ uci set $option="${TX_VALUE}"
+ k_restart=1
+ fi
+ ;;
+
+ "public.nasid")
+ option="${CONF}.${SECTION_OPTION}"
+ TX_VALUE=$(echo $VALUE |tr -d '\r')
+
+ CURRENT_VALUE=$(uci get ${option})
+ if ! [ "$CURRENT_VALUE" == "$TX_VALUE" ] ; then
+ uci set $option="${TX_VALUE}"
+ k_restart=1
+ fi
+ ;;
+
### AP2
"private.ssid")
if [ "$(uci get mesh.Myap.up)" -eq 1 ] ; then
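Review bot: In the new `public.encryption`, `public.server` and `public.nasid` arms, `TX_VALUE=$(echo $VALUE |tr -d '\r')` leaves `$VALUE` unquoted, so a value containing spaces is collapsed and glob characters such as `*` are expanded against the current directory before the result is written with `uci set`; the same pattern is repeated in the `private.*` arms of the following hunk. Since `VALUE` appears to be received from the management server rather than typed locally (inferred — its origin is outside the hunk), the stored server address or NAS id can silently differ from what was sent, and `echo` also mangles values beginning with `-`. The three arms are otherwise identical, so I would move the compare-and-set into one helper with the expansions quoted and collapse the arms into a single multi-pattern case, as below; the helper has to be defined before the `case` statement, whose start and end lie outside this hunk, as do the definitions of `CONF`, `SECTION_OPTION` and `k_restart`.
```shell
# Store a transmitted value in uci if it differs from the current one.
# $1 - uci option path (e.g. "${CONF}.${SECTION_OPTION}"), $2 - raw value.
# Sets k_restart=1 when the option was changed.
sync_uci_option() {
  local option=$1
  local tx_value current_value
  tx_value=$(printf '%s' "$2" | tr -d '\r')
  current_value=$(uci get "$option")
  if [ "$current_value" != "$tx_value" ] ; then
    uci set "$option=$tx_value"
    k_restart=1
  fi
}

# … unchanged: earlier case arms …
  "public.encryption"|"public.server"|"public.nasid")
    sync_uci_option "${CONF}.${SECTION_OPTION}" "$VALUE"
    ;;
# … unchanged: ### AP2 / "private.ssid" arm …
```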
@@ -74,6 +107,48 @@
fi
fi
;;
+
+ "private.encryption")
+ if [ "$(uci get mesh.Myap.up)" -eq 1 ] ; then
+
+ option="${CONF}.${SECTION_OPTION}"
+ TX_VALUE=$(echo $VALUE |tr -d '\r')
+
+ CURRENT_VALUE=$(uci get ${option})
+ if ! [ "$CURRENT_VALUE" == "$TX_VALUE" ] ; then
+ uci set $option="${TX_VALUE}"
+ k_restart=1
+ fi
+ fi
+ ;;
+
+ "private.server")
+ if [ "$(uci get mesh.Myap.up)" -eq 1 ] ; then
+
+ option="${CONF}.${SECTION_OPTION}"
+ TX_VALUE=$(echo $VALUE |tr -d '\r')
+
+ CURRENT_VALUE=$(uci get ${option})
+ if ! [ "$CURRENT_VALUE" == "$TX_VALUE" ] ; then
+ uci set $option="${TX_VALUE}"
+ k_restart=1
+ fi
+ fi
+ ;;
+
+ "private.nasid")
+ if [ "$(uci get mesh.Myap.up)" -eq 1 ] ; then
+
+ option="${CONF}.${SECTION_OPTION}"
+ TX_VALUE=$(echo $VALUE |tr -d '\r')
+
+ CURRENT_VALUE=$(uci get ${option})
+ if ! [ "$CURRENT_VALUE" == "$TX_VALUE" ] ; then
+ uci set $option="${TX_VALUE}"
+ k_restart=1
+ fi
+ fi
+ ;;
*) echo "skip"
;;