X-isp dialer tool.
X-isp is a dialer that does not require KDE or GNOME libs, which makes
it ideal for installing with smaller window managers.
It has flexible configuration and plenty of documentation.
You can download it from the X-isp homepage
or, if you use Slackware, it is available as a statically linked package here.
Xisp-2.7.tgz static
Distros also have it on their repository sites.
This page describes how I configured a modem group which enabled users
to dial-up using pap and automatic dns on the E3 56k connection.
The build and installation of modem modules (drivers) is not dealt with
here. I recommend linmodems.org
and the Modem-Howto if you want info on hardware support and install
of the modules.
In this setup I use a 56k PCI Lucent Linmodem (/dev/ttyLT0) from
Dse. These modems sell with proprietary Lucent drivers
(lt_serial, lt_modem) on a CD-ROM, and the drivers require the kernel source and headers
to build.
Default executable paths, permissions and modem group name vary per distro.
It helps to have a saved copy of the output from:
ls -lR /etc/ppp > ppp_default.txt
that you can refer to if you want to revert to defaults.
If you use the mouse it is quite easy to paste the following commands (highlighted in
blue) from the web browser window into a root console window. I am using the Jed editor
here but any editor will suit.
This page is written for Slackware-10, so change the paths in later commands
where required if your distro differs. The tic marks around commands are to be included as
they execute the command within the tics. You will have to be Root Admin for all of this.
Example to find files and permissions.
'locate ip-up' ('updatedb' renews the locate database)
'which xisp pppd' (show command paths)
'ls -lR /etc/ppp' (display permissions in /etc/ppp)
Warning
Before installing Xisp I back up Slackware's ip-up/ip-down scripts in /etc/ppp
as Xisp may write over them depending on the Xisp package version obtained.
cd /etc/ppp
cp ip-up ip-up.orig
cp ip-down ip-down.orig
Set the modem group. Distros will have different names for this (uucp, modem or dialout).
grep uucp /etc/group # check for uucp group
groupadd uucp # adds uucp group if not in group file
jed /etc/group # edit group file to add user name to uucp group
groups user # display groups that a user is in
Set xisp.
chown root:uucp /usr/X11R6/bin/xisp # default usually root:bin
chmod 750 /usr/X11R6/bin/xisp # xisp should be without suid
Set pppd.
chown root:uucp /usr/sbin/pppd # default usually root:bin
chmod 4550 /usr/sbin/pppd # set suid, users required in uucp group
Setting pppd suid is a security issue, but as long as pppd is updated
with security patches and "libsafe" is installed no one is going to be able
to exploit it with a buffer overflow and gain root access.
Besides, on a home dialup machine you trust who is using Xisp, don't you?
Setting the firewall to deny all except the required services and joining
the Slackware Security Announcements mailing list are two things you can do to start
securing your machine.
See also www.linuxsecurity.com
Set chat.
chown root:uucp /usr/sbin/chat # default owners usually root:bin
chmod 550 /usr/sbin/chat # read/exec for chat's group
Set modem device.
chown root:uucp /dev/ttyLT0 # whatever modem device is, ttyS1, ttyS14
chmod 660 /dev/ttyLT0 # read/write to device
ln -s /dev/ttyLT0 /dev/modem # leave soft link as default 777
dns and /etc/resolv.conf
For Xisp dialup I would use Xisp's default script /etc/ppp/ip-up
so Xisp will use its "auto" dns query to the Isp to locate the dns server
and write the addresses to /etc/resolv.conf. Select "auto" dns on the tcp/ip
forms page.
If you intend to use another dialer (such as ppp-go) in combination with Xisp
refer to the xisp docs and this User Xisp section for
the requirement to run the ~/.xisp-up script in the user's home directory.
Unfortunately it appears that running ~/.xisp-up does not have write
access to resolv.conf, so static dns addresses will have to be put into
/etc/resolv.conf by Root to enable Xisp to connect without dealing with
dns. You have to do this anyway if you are going to be using ppp-go as that
is how ppp-go normally operates.
Resolver dns address file permissions have to be changed so the modem group
can dial with Xisp and have the auto dns write to the file.
chown root:uucp /etc/resolv.conf
chmod 660 /etc/resolv.conf
Resolver host lookups file /etc/host.conf can work as default.
order hosts, bind
multi on
The /etc/ppp directory.
Is authentication required from isp to dialer? Most isps are trusted because it is a subscription service, so authentication is one way only, from dialer to isp. This requires the 'noauth' option to prevent pppd dying prematurely. Not all dialers require this, but I had to use it with both xisp and kppp. See man pppd, 'noauth' option.
For /etc/ppp/options
Keep the default setting root:root 644.
noauth
name "loginname@your_isp" #this points to /etc/ppp/pap-secrets
In pap-secrets enter login and password. If you have more than one login just
add it on the next line. Note the asterisk * for the isp server.
loginname@your_isp * password
root:root 600 is the secured default for pap-secrets and chap-secrets files.
chown root:root pap-secrets chap-secrets
chmod 600 pap-secrets chap-secrets
Xisp dialer scripts are usually installed in /etc/ppp as ip-up.xisp and ip-down.xisp. Back up the original ip-up and ip-down scripts and rename the Xisp scripts to replace them. If you lose the originals you can get them from the ppp-2.4.2-i486-2.tgz package.
mv ip-up ip-up.orig
mv ip-down ip-down.orig
cp ip-up.xisp ip-up
cp ip-down.xisp ip-down
Change Xisp dialer scripts, executables and peer file for group access.
chown root:uucp ip-up ip-down xispdial xispterm
chmod 750 ip-up ip-down xispdial xispterm
Grant group read access to default xisp_modem file.
cd /etc/ppp/peers
chown root:uucp xisp_modem
chmod 640 xisp_modem
Check for the modem soft link created from "Add soft link"
section above.
ls -l /dev/modem # returns /dev/modem -> /dev/ttyLT0
Locate the xisp pid and converter executables.
Usually in /usr/local/bin
which xispid xisprccv
cd /usr/local/bin
chown root:uucp xispid xisprccv
chmod 750 xispid xisprccv
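The owner and mode settings made in the steps above can be checked in one pass after a package upgrade or a later edit. This is an added example, not part of the original page or of the Xisp package; it assumes GNU stat and the Slackware-10 paths used on this page, and the function names and the --live argument are illustrative.

```shell
#!/bin/sh
# Added example: audit the owners and modes this page sets (Slackware-10 paths).
# Assumes GNU stat (-c); function names and the --live flag are illustrative.
# Expected state from the page, one "path mode owner:group" per line.
EXPECTED='/usr/X11R6/bin/xisp 750 root:uucp
/usr/sbin/pppd 4550 root:uucp
/usr/sbin/chat 550 root:uucp
/dev/ttyLT0 660 root:uucp
/etc/resolv.conf 660 root:uucp
/etc/ppp/options 644 root:root
/etc/ppp/pap-secrets 600 root:root
/etc/ppp/chap-secrets 600 root:root
/etc/ppp/ip-up 750 root:uucp
/etc/ppp/ip-down 750 root:uucp
/etc/ppp/xispdial 750 root:uucp
/etc/ppp/xispterm 750 root:uucp
/etc/ppp/peers/xisp_modem 640 root:uucp
/usr/local/bin/xispid 750 root:uucp
/usr/local/bin/xisprccv 750 root:uucp'

# check_entry FILE MODE [OWNER]: 0 = as expected, 1 = differs, 2 = missing.
# stat %a reports 4xxx when setuid is set, so a stray suid bit is a mismatch.
check_entry() {
    [ -e "$1" ] || { echo "MISSING $1"; return 2; }
    got_mode=$(stat -c '%a' "$1")
    got_owner=$(stat -c '%U:%G' "$1")
    if [ "$got_mode" != "$2" ]; then
        echo "MODE    $1 is $got_mode, expected $2"; return 1
    fi
    if [ -n "${3:-}" ] && [ "$got_owner" != "$3" ]; then
        echo "OWNER   $1 is $got_owner, expected $3"; return 1
    fi
    return 0
}

# audit_tree ROOT [skip-owner]: check every entry under ROOT ("" = real system).
# Findings go to stderr; the number of failed entries is printed on stdout.
audit_tree() {
    root=$1; fails=0
    while read -r path mode owner; do
        [ "${2:-}" = "skip-owner" ] && owner=""
        check_entry "$root$path" "$mode" "$owner" >&2 || fails=$((fails + 1))
    done <<EOF
$EXPECTED
EOF
    echo "$fails"
}

if [ "${1:-}" = "--live" ]; then audit_tree ""; fi
```

Run as root with the --live argument, each line on stderr names a file that has drifted from the settings on this page, such as xisp gaining a suid bit or pap-secrets becoming group readable.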
$ xisp &
Select File-->Options menu to set up the account.
If xisp refuses to start with "Can't open XispCost permission denied"
messages see the XispCost section below.
If you have concerns about security see this Secure
section for tips on making your machine secure for internet use. Note that
Xisp has info about xisp security in /usr/doc/xisp/INSTALL.
Here are shots of my Xisp forms to set up my E3 account.
Accounts Form.
On the Accounts Form add the new account, telephone number and
specify pap as the authentication protocol.
You do not have to enter name and password on the form because
for the E3 login /etc/ppp/pap-secrets supplies the name and password.
Dialing/Login
Modem Settings
tcp/ip
Using Xisp's /etc/ppp/ip-up.xisp script with Xisp's "automatic" dns search or its
"manual" dns write requires that /etc/resolv.conf be set rw (660) and chowned
root:uucp so Xisp can write to it. This is what was done in the "dns and /etc/resolv.conf" section
above.
Note that 210.55.24.8, 210.55.24.14 in the primary/secondary dns boxes are the E3
addresses for manual dns.
Programme Paths
Xisp refuses to start with "XispCost" messages.
When xisp is first used the 'xisprccv' executable creates database ptt and
cost files in ~/.xisplogs. If xisp refuses to start and outputs the message
"Can't open XispCost permission denied" the database files are in error. The
easiest fix is to delete the ~/.xisplogs directory and then restart Xisp which
will then create a new ptt database with correct permissions.
Forcefully remove the ~/.xisplogs directory without prompting.
rm -rf ~/.xisplogs
User Xisp configuration.
The advantage of the user directory scripts (~/.xisp-up, ~/.xisp-down) is that they
are independent xisp scripts and the default system ppp /etc/ppp/ip-up and ip-down
scripts can continue to be used by console dialers such as 'ppp-go'.
As explained above in the "dns and /etc/resolv.conf" section, there is a problem with the user directory xisp script dialup process: it can log in but cannot write the dns addresses to resolv.conf no matter what permissions are set, with the exception of making Xisp suid.
The user directory xisp scripts work provided you edit /etc/resolv.conf as root and
manually put static dns addresses in so dns is something Xisp does not have to contend
with.
The Xisp User directory scripts are supplied as sample.xisp-up,
sample.xisp-down. See /usr/doc/xisp/INSTALL for more details.
Copy sample scripts over to user directory.
cp sample.xisp-up /home/user/.xisp-up
cp sample.xisp-down /home/user/.xisp-down
Security.
This applies mainly to home users on dialup connections. Watch directory
permissions, use ssh, iptables, tcp-wrappers and Portsentry to secure the
machine.
Your distro's update programme can regularly check Changelogs for
announcements of security updates. Slackware uses kSlackcheck.
I recommend the following sites for security information and tools.
www.linuxsecurity.com
guides for all aspects of security.
Portsentry-1.1 Homepage.
blocks and records the source address of port scanners.
Firehol
a firewall generator script with ample documentation.
Nmap
a port scanner that locates open ports plus info about
how crackers operate.
Ntop
real time graph and table display of network host activity in a web browser aimed at port 3000,
with data dumps to log for extraction using perl scripts. Uses 'tcpdump'.
Squid proxy caching server
for web clients using http and ftp.
Slackware specific
www.userlocal.com
slackware tips and links
kSlackcheck
a console or kde tool that checks Slackware's changelog
and can download updated packages as a cron job, or you can view a list and select
downloads manually. Easy to set up and use.
comments to
keithmg at e3netnz
home webpage: http://homepages.e3.net.nz/~keithmg/