
Linux Distro For Linksys WRT54G

scubacuda writes "Here is a tiny Linux distro for the Linksys wrt54g (d/l the distro here). In just a few seconds, you can give your access point's ramdisk syslog, telnetd, httpd (with cgi-bin support), vi, snort, mount, insmod, rmmod, top, grep, etc." Interesting -- "The script installs strictly to the ram disk of the box. No permanent changes are made. If you mess something up, power-cycle it."
  • telnetd? (Score:5, Interesting)

    by Herrieman ( 167396 ) on Sunday September 07, 2003 @04:06PM (#6894819) Homepage
    Why not SSHD? Nobody in his right mind uses telnet nowadays.
  • by cryptochrome ( 303529 ) on Sunday September 07, 2003 @04:06PM (#6894820) Journal
    None of them support Rendezvous (AKA zeroconf), at least not on the level of Apple's airport base stations. That's a hack I'd really like to see.
  • What is this for? (Score:2, Interesting)

    by Hettch ( 692387 ) on Sunday September 07, 2003 @04:08PM (#6894833)
    I'm really not trying to be a troll, this is a serious question. What does making an access point into a Linux box actually do? Will it still retain all of its normal functions? Will this increase its functionality in any way? Being able to telnet into something as root automatically doesn't seem the safest thing to do for whatever this is, either.
  • by suwain_2 ( 260792 ) on Sunday September 07, 2003 @04:13PM (#6894853) Journal
    Heh, I refreshed it a couple times (it loads instantaneously), and it climbs ~10+ hits every second. 948 was my first number, now it's 1102. I don't recall Slashdot linking to a site with a live hit counter any time recently, much less one this low.

    I've got a copy of the file itself if they go down, too.
  • ssh tunneling? (Score:5, Interesting)

    by JanneM ( 7445 ) on Sunday September 07, 2003 @04:16PM (#6894870) Homepage
    Could this be used to establish ssh tunneling from clients to the AP? That would, in my eyes, be far preferable to the somewhat lacking link security that 802.11 offers today.
  • Re:That's cool. (Score:5, Interesting)

    by FreeLinux ( 555387 ) on Sunday September 07, 2003 @04:17PM (#6894877)
    Snort logs will be written to /var/log/snort

    Ramdisk based snort logs aren't too enticing to me.

    Another HTTP server on 8000 doesn't do anything for me either, especially when the one on port 80 is already like molasses running up hill in winter.

    The fact is that this might be useful in troubleshooting something on the router, but for production use it isn't terribly practical. But then again, who's going to rely on this router for any real production use? This is after all, a home or small office device.
  • by caryw ( 131578 ) <carywiedemann@@@gmail...com> on Sunday September 07, 2003 @04:34PM (#6894952) Homepage
    Has anyone tried this on a Linksys router other than the WRT54G? My BEFSR41 4 port cable/dsl router is still running strong, and I would love to have telnetd and such running on it!

    Thanks!

    - Cary
  • Re:Secure? (Score:3, Interesting)

    by temojen ( 678985 ) on Sunday September 07, 2003 @04:46PM (#6895010) Journal

    From the article:

    If you wish to change the files sent to the box, untar distro.tar and add or subtract files. Normally you should not run the install script more than once for a power-cycle of the box. i.e. if you want to run the install again, reset the wrt54g first.

    Yes, un-authenticated open telnet as root seems really dumb to me too, but you could always remove telnetd and add SSH w SSH2 RSA only authentication.

  • Power outage anyone? (Score:1, Interesting)

    by Anonymous Coward on Sunday September 07, 2003 @05:13PM (#6895144)
    Interesting -- "The script installs strictly to the ram disk of the box. No permanent changes are made. If you mess something up, power-cycle it."

    Does this also mean that as soon as a power outage occurs, I will lose *all* logfiles, packet captures and even the distro?
  • worried (Score:3, Interesting)

    by trans_err ( 606306 ) <ebenoist.gmail@com> on Sunday September 07, 2003 @05:22PM (#6895203) Homepage
    Wouldn't this be seen as a horrible exploit for this router? Think about it: anyone who knows the router's IP (sheesh, that's difficult) can install a distro, with telnet access, onto the router, thus being able to run things like sniff all day long....

    We should be fighting this, not supporting it.

  • by anthonyrcalgary ( 622205 ) on Sunday September 07, 2003 @07:13PM (#6895837)
    Can't you use a file on an NFS mount with the loopback driver to get a swap device?

    I'm not sure what the point would be... if you have another box, why not just run your services on it... but the nifty value is significant.
  • Re:That's cool. (Score:2, Interesting)

    by Anonymous Coward on Sunday September 07, 2003 @07:49PM (#6895977)
    While logging may not be too cool, controlling what goes on may be. The gui does a lot, sure, but you can do SO much more with rule based stuff. Like this machine can talk this way while that one can not...

    How about a bind [isc.org] caching server? How about a blackhole ad removal [schooner.com] server? How about a time server? How about pushing the logs to another machine? While it may be slow, these things do not have to be lightning fast, just fast enough. It is after all just a simple router. It's not meant for 300 machines all trying to get to the internet. It's meant for like 4-5 computers. Also a 125mhz mips processor will do a lot more than an equiv x86 machine. The mips processor is AWESOME in pumping data. The limiting factor here will be the 16mb of memory... I used to work on a 25mhz 4 way mips machine. It wasn't till I got to a 766 x86 that I found a computer that was AS good.

    Also some logging may not be a bad idea. As it is wireless, do you REALLY trust it? What if your leet 12yr old neighbor decides your wireless is cool. Do you really trust him? Sure he may be exploring, but do you want him in your network? No, you want to know what is going on. And I don't know about you, but the logging on this router, as it currently is, SUCKS. It just shows who and what. But does not show when and does not resolve the name. IP A.B.C.D means nothing to me, but www.yahoo.com DOES. I for one will be playing with it...
  • by devphil ( 51341 ) on Sunday September 07, 2003 @08:11PM (#6896064) Homepage


    ...with running a connection through a tool like stunnel? Both are doing encryption, SSH likes keys, stunnel/SSL likes certificates, but after that I'm somewhat ignorant.

    I've been tunnelling all kinds of stuff through OpenSSH for years, and while I've heard of stunnel, I only just recently started using it (encrypting an IMAP connection because IMAPS isn't supported).

    I'm not asking for an hour-long briefing on /. or anything, but if you know of any web pages, pointers would be appreciated.

  • wap11 (Score:3, Interesting)

    by digitalsushi ( 137809 ) * <slashdot@digitalsushi.com> on Sunday September 07, 2003 @08:52PM (#6896307) Journal
    i wonder what would happen if i ran the installer on my wap11 :D
  • More than SOHO (Score:2, Interesting)

    by quanta ( 16565 ) on Sunday September 07, 2003 @10:27PM (#6896799)
    "This is after all, a home or small office device."

    It's more than that - I've used it to bridge several remote locations (1800 ft+) with external antennae.

    Very reliable.
  • Re:What is this for? (Score:3, Interesting)

    by Malc ( 1751 ) on Sunday September 07, 2003 @10:47PM (#6896910)
    Heh: I like the idea of making it a VPN end-point (client, not server) for my PPPoE connection. That offloads the duties from another box. I've had problems with my Windows desktop being multi-homed on multiple VPN connections (it screws up Microsoft Networking, of course) and have to route through another box. Putting PPTP (yeah, yeah) on this and bringing it up after PPPoE connections would save me from having to keep a noisy 100W PC from doing the job. Interesting.
  • by dre23 ( 703594 ) * <slashdot@andre.operations.net> on Sunday September 07, 2003 @11:17PM (#6897054)
    Well the AP1100 and 1200 already support IOS. The AP 350 is going to support IOS soon, but the 340 never will. So you will very likely get your wish. The best part is that there is going to be a subset of IOS for the 2600/3600/3700 routers as well as most IOS-based switches (Catalyst 6500, 4500, 3550, 2950, 3570) where on the Ethernet interfaces that connect to the Cisco/Linksys AP, you can configure all the AP parameters right in the interface configuration.

    We're testing the AP 1200 802.11 a/b dual-mode with the WLSE (wireless solutions engine linux box which does mini site-surveys, code pushes, management, mass upgrades, etc) with all the latest features... Secure Fast Roaming, Wifi Protected Access, et al.

    Cisco/Linksys do make good devices, although the competition is stepping up... SMC with the Media Player competitive unit (Cisco/Linksys only does pictures, while the SMC unit does MPEG and other video streaming) ... and Netgear with the 108Mbps WGT624 AP and WG511T card.
  • by Effugas ( 2378 ) on Monday September 08, 2003 @04:02AM (#6897995) Homepage
    Same difference -- stunnel also terminates the TCP session (necessary, since it's operating at userspace), extracts the payloads, and sends them over an encrypted pipe. The differences are:

    1) SSL has theoretically better key management, which is actually not theoretical for browsers (it's the only successful deployment of certificates in history), but stunnel by default barely checks SSL certificates. So, unfortunately, you're very vulnerable to a MITM attack (but you probably were anyway, since even if you had a cert, you almost certainly get it signed.)
    2) SSH has theoretically worse key management, which is actually not theoretically awful for large installations (there's no real deployable cert systems, no centralized authority, etc.), but ssh by default actually does manage to allow one individual to manage access to a couple of personally relevant servers surprisingly well. SSH also has the advantage of having a port forwarding system flexible enough to execute VPN behaviors through, whereas SSL is really just a pipe to whatever's on the other end. (This is actually sometimes a good thing.)

    HTH.

    --Dan
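
The certificate-checking gap described in the comment above, as an added example that is not part of the original post: a client-mode stunnel service for the IMAP case mentioned earlier in the thread, first without peer verification and then with it. Host names, ports and the CA bundle path are placeholders; `verifyChain` and `checkHost` assume a recent stunnel 5.x release (older builds use `verify = 2` together with `CAfile`).

```ini
; Constructed example: host names, ports and file paths are placeholders.

; Weak: nothing tells stunnel to validate the peer, so whatever
; certificate is presented on the path to the server is accepted.
; The tunnel stops passive sniffing but not a man-in-the-middle.
[imap-unverified]
client = yes
accept = 127.0.0.1:1143
connect = mail.example.com:993

; Hardened: the server certificate must chain to a CA in CAfile
; and must be issued for the host name we intended to reach.
[imap-verified]
client = yes
accept = 127.0.0.1:1144
connect = mail.example.com:993
CAfile = /etc/ssl/certs/ca-certificates.crt
verifyChain = yes
checkHost = mail.example.com
```

With the second service, a connection whose certificate fails either check is dropped before any IMAP data is forwarded, and the rejection shows up in the stunnel log.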
