Linux Disable Wireless Networking ( Wi-Fi )

by on July 10, 2009 · 10 comments· LAST UPDATED July 10, 2009

in , ,

We have over 20+ Dell Precision M6400 laptops pre installed with Red Hat Enterprise Linux version 5.x. I was asked to disable Wi-Fi on all laptops as it poses a serious security risk to our sensitive (classified) systems and networks. How do I disable wireless networking (802.11) under Linux?

You can easily disable Wi-Fi under Linux using the following techniques.

Remove Wireless Hardware

This is the best solution. Find out wireless hardware and if possible remove it. Refer to your laptops’s hardware manual which should contain information on its wireless capabilities. A mini-PCI card is typically accessible via a removable slot of the laptop. Some laptop comes with USB wireless device. Use the following commands to list installed devices (list PCI devices):
# lspci
List usb devices:
# lsusb

Disable Wireless in BIOS

Many laptops includes wireless support via BIOS. You can go to your BIOS setup and disable wireless. Again, read your laptops manual.

Disable Wireless Drivers

cd to /lib/modules/$(uname -r)/kernel/drivers/net/wireless and remove wireless driver. A simple solution as follows should work:
# mkdir -p /root/backup/
# mv /lib/modules/$(uname -r)/kernel/drivers/net/wireless /root/backup/
# reboot

Above will remove the kernel drivers that provide support for wireless devices and it will prevent users from easily activating the devices. Please note that you need to repeat above commands every time the kernel is upgraded.

Deactivate Wireless Interfaces ( Remove Config Files)

You can also deactive the wireless interfaces as normal user can not touch config file without root level access. Open terminal and type the following command to list the wireless interface:
# ifconfig -a
Usually, wireless interfaces may have names like wlan0, ath0, wifi0, or eth0:
Sample Outputs:

eth0      Link encap:Ethernet  HWaddr 00:19:d1:2a:ba:a8
          BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
          Memory:e3180000-e31a0000
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:2475 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2475 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:330752 (330.7 KB)  TX bytes:330752 (330.7 KB)
ppp0      Link encap:Point-to-Point Protocol
          inet addr:10.1.3.49  P-t-P:10.0.31.18  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1496  Metric:1
          RX packets:230 errors:0 dropped:0 overruns:0 frame:0
          TX packets:496 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:3
          RX bytes:37976 (37.9 KB)  TX bytes:47460 (47.4 KB)
wlan0     Link encap:Ethernet  HWaddr 00:1e:2a:47:42:8d
          inet addr:192.168.1.100  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::21e:2aff:fe47:428d/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:908222 errors:0 dropped:0 overruns:0 frame:0
          TX packets:837085 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:787222721 (787.2 MB)  TX bytes:322049568 (322.0 MB)
          Interrupt:18 Memory:e3000000-e3010000

Turn of wireless interfaces after identifying the same with ifdown command:
# ifdown interface
# ifdown wlan0

Finally, remove wireless configuration file /etc/sysconfig/network-scripts/ifcfg-interfaceName. In above example you should use interface config file /etc/sysconfig/network-scripts/ifcfg-wlan0:
# mv /etc/sysconfig/network-scripts/ifcfg-wlan0 /root/backup
OR just remove config file, enter:
# rm /etc/sysconfig/network-scripts/ifcfg-wlan0
Above will make sure wlan0 will not return after the next reboot.

How Do I Restore Wi-Fi Again?

Just copy back all files and reboot the system:
# mv /root/backup/ifcfg-wlan0 /etc/sysconfig/network-scripts/ifcfg-wlan0
# mv /root/backup/wireless /lib/modules/$(uname -r)/kernel/drivers/net/wireless
# reboot

A Note About Debian / Ubuntu Systems

You need to edit /etc/network/interfaces file to remove wireless configuration.

You need to remove /lib/modules/$(uname -r)/kernel/drivers/net/wireless directory.

See also:

TwitterFacebookGoogle+PDF versionFound an error/typo on this page? Help us!

{ 10 comments… read them below or add one }

1 Peko July 10, 2009 at 10:29 am

Hi, Vivek,

Good topic.

Would you consider this as a typo? (a copy-paste typo ;-) )
# rm /etc/sysconfig/network-scripts/ifcfg-wlan0 __/root/backup__

(you don’t want to have backup here IMNSHO)

Peko

Reply

2 nixCraft July 10, 2009 at 11:05 am

Peko,

Yes, it was a typo from mv command.

Appreciate your feedback.

Reply

3 Rob Haag July 10, 2009 at 2:17 pm

Vivek,
1st of all: I love the posts…I look forward to them hitting my in-box!

I like your answer to the problem here, it is useful to know how to disable through the OS and I like the module solution as it would really do the trick…But if I had charge of classified/sensitive devices that had wireless then I would feel compelled to remove the wireless cards from the laptops, as you pointed out, and then one should click the ‘see also’ link above as to deal w/ the possibility of someone trying a USB wireless device.

What about a firewall solution though? iptables would probably be willing to block everything on a particular interface…or even better, only allow the one interface ( e.g. eth0) to do anything at all.

Just asking because I’m moving in a direction where I will have to deal w/ these issues too…

Thanks for all the insight

Reply

4 Humberto Massa July 10, 2009 at 2:24 pm

One more suggestion: blacklist ( /etc/modprobe.d/blacklist ) all wifi hardware. This is better than erasing the drivers because next time you update the kernel (and you _do_ update the kernel from time to time, don’t you? :-D) the drivers will be back.

Reply

5 Leslie Satenstein July 10, 2009 at 2:31 pm

If the user really wants to circumvent all your blockages, I believe that he will be able to.

He will just use a USB wireless adapter, and voila.

But if he knows doing so will result in dismissal, you would have more success.

Reply

6 Rana July 10, 2009 at 2:40 pm

@Leslie: there is a link at the bottom of post about disabling USB, RTFM.

Reply

7 Go Appa July 10, 2009 at 3:11 pm

What about Bluetooth ? It does serves a different purpose and possesses a much shorter range, but it still presents serious security risks.

Reply

8 nixCraft July 10, 2009 at 3:36 pm

@Go Appa: I’ve update the faq.

@Humberto, good suggestion or you can write protect wireless directory so that no one can write it including root ;) [hint: chattr command]

@Rob, Yes, firewall will make it pretty hard, if installed on each laptop. iptables has support option to enable or disable traffic based upon user ID. So user foo can access wifi but not anyone else. Personally, I recommend avoiding the purchase of equipment (wireless add-on modules) that will be used in sensitive spaces and including bluetooth.

HTH.

Reply

9 pramod July 12, 2009 at 1:35 am

friends, its working, i have tried it, nice forum. nagpur india

Reply

10 Andrew June 7, 2012 at 2:13 am

There is also rfkill.

Reply

Leave a Comment

Tagged as: , , , , , , , , , , , , ,

Previous Faq:

Next Faq: