Posts

Posted on

Host your own PBX – A Beginners Guide

Introduction

This blog is a good place to start if you’re  just starting out with VOIP and want to run your own PBX, but note very well that it is just a getting started guide! This blog focus’s on how to setup a single PBX with two public telephone numbers that one can route to handsets (generally soft-phones on one’s mobile phones) for incoming calls, and for handsets to be able to make outgoing calls or internal calls whether those handsets are connected to the PBX internally or externally. For my proof of concept I’ve used a Single Board Computer (my SBC is a Raspberry PI 3B+) with Incredible PBX installed on the Raspberry PI. Although I’ve installed Incredible PBX (also known as PBXinaflash), there are many flavours of Asterisk/FreePBX based PBX’s that can be installed on many hardware platforms. What I’m writing here is relevant for all flavours of Asterisk/FreePBX based PBX’s.

The following picture shows the setup I am documenting in this blog.

The VOIP provider(s) will route all inbound calls for your telephone number(s) to your PBX, and the PBX will then route the call to a local handset(s)/softphone(s). The VOIP provider(s) will also route all outbound calls to external telephone numbers.

Scope

The scope of this document is basically mentioned in the Introduction. The scope is to explain how to connect handsets to a PBX to make internal and external calls.

Not in Scope:
Installation
Minimum HW requirements
How to trunk to potential Internal PBX’s (e.g. additional Incredible PBX’s)
How to encrypt phone calls
Video calling
Call recording
Combox features
Interactive Voice Response (IVR – “press 1 for English, drücken Sie 2 für Deutsch….”)
and much more.

Getting started

The first thing to do is to buy the right equipment and install the base system. You should find everything you need here – https://sourceforge.net/projects/pbxinaflash/files/IncrediblePBX2020%20for%20Raspbian%2010%20Buster/, and here “http://nerdvittles.com/” (at the time of writing, the exact “Nerdvittles” tutorial is documented in the “Sourceforge.net” link above). The Nerdvittles has a lot of excellent information, but a lot of that information I am not using. For example, I am not interested in Wifi, Fax, Mail, or how to configure trunks to North American VOIP providers, and I also have not followed all the  Incredible PBX recommendations as I’m only doing proof of concept. For example, I am using a RPI3+ B with 1GB RAM and a 8GB SD card.

The nerdvittles documentation fails to point out that you should really use a static internal IP address, so I’ll explain here how I did it as it wasn’t as straightforward as I thought it would be.

I logged in through a terminal window and issued the command “ifconfig”. When I looked at the name given for my ethernet interface, it was “enxb827eb244acc”, and not “eth0” as I am use to. I changed this to “eth0” through “raspi-config”, selecting “Advanced Options”, “Network Interface Names” and disabling “predictable network i/f names” (the system will reboot after changing this setting). Alternatively you can use that long interface name, or take this interesting solution that I found – https://blog.agung.tech/post/2020-02-14-assign-interface-name-to-device/. Once Incredible PBX was available again I set the static IP address by editting /etc/dhcpcd.conf (nano /etc/dhcpcd.conf) and changed the following lines to meet my needs

# Example static IP configuration:
#interface eth0
#static ip_address=192.168.0.10/24
#static ip6_address=fd51:42f8:caae:d92e::ff/64
#static routers=192.168.0.1
#static domain_name_servers=192.168.0.1 8.8.8.8 fd51:42f8:caae:d92e::1

You will have to issue the command “service networking restart” for the change to take place, or simply just reboot the server again.

Many of you, like myself, will only have a single dynamic Internet IP address. For those of you that have a dynamic Internet IP address provided from your service provider, it is strongly recommended that you register and setup with a Dynamic DNS provider so you can access the Incredible PBX from the Internet with a name like “mypbx.acme.com” instead of your WAN IP address which will change from time-to-time. There are plenty of Dynamic DNS providers to choose from.

Another thing I have done differently compared to the Nerdvittles documentation is that I have not opened any incoming ports for SIP traffic on my firewall. Instead I have just opened the IAX2 port, UDP port 4569 which is required for my soft phones. You might be asking yourself how can SIP trunking to my VOIP providers work. This works because I have one free single telephone number per provider, and I am connecting from my Incredible PBX to the provider, and like most home user firewall configurations, all ports outbound are open. My Incredible PBX always keeps the connection to the SIP service provider alive. If you want to open incoming UDP ports 10000-20000 and UDP ports 5060, 5061 for incoming SIP so you can use SIP soft phones go ahead, but I’m not covering that in this blog. With an incoming SIP configuration one has a much wider range of soft phones one can use, but I want to use IAX2 softphones.  I use Zoiper as my softphone as it can make calls using the IAX2 protocol as well a the SIP protocol. Zoiper is available for Android and IOS mobile phones and tablets, and one can also install it on your Windows, Apple, Linux laptop.

One last thing to mention, that Nerdvittles fail to mention is “SIP-ALG” (Session Initiation Protocol – Application Layer Gateway). “SIP-ALG” is implemented on most modem/routers. In general it should be disabled. If you want to understand more about “SIP-ALG” there are plenty of explanations to be found on the Internet.

Configuration

Configuration is done by pointing your browser at the internal IP address of your Incredible PBX and logging in as admin. If you do not know your password you skipped an important part in the Sourceforge/Nerdvittles documentation, like myself. 🙂 To set the “admin” password you’ll need to logon to the Incredible PBX server, using SSH, as the “root” user and run “./admin-pw-change”.

I intend to use as many graphical illustrations as possible to show you how to configure and to only explain the essential settings.

The Incredible PBX logon process for administrators.

  • From your PC/laptop/notebook point your browser to “http://your.incredibles.pbx.ip.address/
  • Select “Incredible PBX Admin” for the credentials login dialogue

Once logged in I set about removing a lot of the settings that Incredible PBX had put in place to various North American SIP providers. Although the settings (generally trunks) are disabled I didn’t want irrelevant settings hanging around. You can leave them there if you want but it just was a nuisance for me.

The first thing to do is to take 2 smartphones and install a SIP client App on both of them. There are many Apps out there but I’ve chosen Zoiper because I want a client that works with IAX2 besides SIP. As I explained earlier, it’s far easier to work with IAX2 when trying to connect your handsets through a firewall. With the App Zoiper one can connect via SIP or IAX2.

Now it is time to make a simple call so lets configure one handset with Zoiper SIP with extension number 201 and the other handset as Zoiper IAX2 with the extension number 202. NOTE: I’m starting from 200. I’ve done this deliberately as a lot of countries use numbers in the 100, 800, 900 range as special numbers. One should think about how one assigns extensions numbers as one might want to assign numbers to different groups or regions, for example 200-299 for sales, 300-399 for support, etc. Or in future one might like to route a set of numbers to another PBX (trunking). Anyhow, I recommend you follow this blog for the time being.

Setup SIP extension 201

Click on the tab “Applications” and select “Extensions”

Once the Extensions screen is displayed, under the “All Extensions” tab, select “+ Add Extension”, “+ Add New Sip….”. NOTE: I recommend one chooses “Add New Sip (legacy)….” to start with. The reason being is that Incredible PBX is setup to use the default SIP port (UDP port 5060) for legacy SIP. For pjsip extensions Incredible PBX defaults to a non-standard UDP port 5061. Once again, I recommend you follow this blog and experiment later with pjsip settings.

On the “Add SIP Extension” screen you only need to fill in 3 fields (or 2 if you accept the “Secret” offered). The “User Extension” will be “201” for the purpose of following this documentation. The “Display Name” is free text but using your name makes sense, maybe for testing a good display name would be “Your Name SIP”. The “Secret” is the password you want for extension 201.

  • Enter a User Extension – “201”
  • Enter a “Display Name” – “Your Name SIP”
  • Enter a “Secret” or accept the Secret offered.
  • Select “Submit”
  • Select “Apply Config”

Make sure to “Submit” your input and “Apply Config”.

Setup IAX2 extension 202

The process is the same as above except, of course, one would be adding an IAX2 extension, using “202” as the “User Extension”, and using a “Display Name” of “Your Name IAX2″ . For testing I always use the same “Secret” to simplify things.

Setup SIP or AIX2 Softphone using the App Zoiper

So as to keep this getting started guide as simple as possible, I’m showing you here how to simply connect internal Softphones  using the internal IP address of the Incredible PBX server.
NOTE: I actually connect using the hostname by which my Incredible PBX server is known as on the Internet (e.g. pbx.acme.com), but this guide is to get you started so please stick to using the IP address for ease of following this blog. Once again, my recommendation is to experiment and perfect things later.

Here is a graphical explanation of how to connect your Zoiper Softphone to SIP extension 201. On starting Zoiper for the first time you will be asked to setup an account

  • Username is the extension number, so in our example “201”.
  • Enter the password (the value in the “Secret” field) for extension “201”.
  • Select “Create an account”.

 

  • Enter the internal IP address of the Incredible PBX server.
  • Select “Next”.

 

  • Select “Skip”.

 

  • Select SIP UDP (should be the only option automatically selected if one is following this guide).
  • Select “Finish”.

Now take your second Softphone and set up Extension “202” exactly the same way. It should be automatically recognised as an IAX UDP phone. You are now ready to test internal phone calls by making calls from 201 <-> 202.

Trobleshoot

If you cannot make 201 <-> 202 internal calls, check that the Softphones registered fine.

  • Start the Zoiper Softphones.
  • Select the 3 parallel bars

After the selecting the 3 parallel bars next to “Search ….” you should get a screen like this

 

If you don’t have the “Account is ready” then check the “settings” (or delete and create the account again), or logon to the Incredible PBX server and check within asterisk, or look at the log. I prefer to look at the log with the command “tail -f /var/log/asterisk/full”. One can also debug/troubleshoot within Incredible PBX with the command “asterisk -rv”.

Trunk Configuration to Public VOIP provider

Here I have “cheated” a bit. I use two Public VOIP providers here in Switzerland, but have not paid for trunking. I have one “pay as you go” number from each provider which, I believe, makes a small difference to how your trunk is setup. Also, I believe, this is the reason why I don’t have to open up many incoming ports on my firewall for SIP connectivity. Please note that I have written “I believe” as I have never proved this! You will also notice that the VOIP providers I am using here in Switzerland are two excellent providers, Phonestar and Sipcall.

There are many settings but the majority can be left at their default values. It’s possible that these settings might not work for your provider, but should work for most.

  • Select Connectivity/Trunks
  • Select “+ Add Trunk”
  • (most probably) select “+ Add SIP (chan_pjsip) Trunk”

On selecting  “+ Add SIP (chan_pjsip) Trunk” should take you to the following screen where, on the “General” tab you:

  • Provide a meaningful “Trunk Name”.
  • Provide a “Outbound Caller ID”. Commonly your phone number.
  • Click “Submit”

Next, select the “pjsip settings” tab

  • Enter the Username/Secret provided by your VOIP provider.
  • Enter your SIP Server provided by your provider.
  • Enter SIP Server port which is normally 5060
  • Enter Context “from-pstn-toheader”. NOTE: the default for Context is “from-pstn” is what I believe would be correct if one had actually subscribed to trunking from the VOIP provider.
  • Click “Submit” then click “Apply Config”

To see if this is working, login to your VOIP provider administration web-site and see whether your Incredible PBX has successfully registered. Alternatively look in the log file for the appropriate log entry.

We now are at a point where we can make internal calls and we are connected to the VOIP service provider(s).

Calls between handsets outside the internal network

As mentioned in the “Getting Started” Section, I have decided not to open a load of ports on my firewall router, so SIP softphones can’t connect to my Incredible PBX server from the the Internet, but I have opened one port so that Zoiper IAX2 configured softphones can connect.  The port to open on your Router is UDP port 4569 and connect it to your incredible PBX server.

The configuration for your IAX2 softphone is exactly the same as explained in “Setup SIP or AIX2 Softphone using the App Zoiper”, but you will need to use the Internet facing IP address of your Router.

NOTE: As explained earlier, I don’t have a fixed Internet IP address so I use Dynamic DNS and a typical Internet styled host name like “pbx.acme.com” to connect to my Incredible PBX. This enables me to use a single configuration for my smartphone regardless of whether I’m on my internal network or Internet. Setting up Dynamic DNS is outside the scope of this blog.

Now we need to handle outgoing calls – e.g. An internal Softphone wants to make an external call. We also need to know how to handle incoming calls from our VOIP provider(s) – e.g. Someone, somewhere in the world, wants to call you on your number. Before we do this make an adjustment to the SIP settings.

Adjust SIP Settings

  • NAT Settings enter the “External Address” (the Internet host name), or click on “Detect Network Settings” which should fill in the field automatically with the Internet IP address.
  • Enter “Local Networks”
  • “Submit” and “Apply Config”

Outbound Call Routing

  • Select the tab Connectivity and the option “Outbound Routes”
  • Select “+ Add Outbound Route”

Following is how I added the Outbound route for one of my VOIP providers (Phonestar).

  • Select “Route Settings” tab
  • Fill in the field “Route Name” with a meaningful name of your choice
  • Select from the drop-down “Trunk Sequence for Matched Routes” the trunk you previously created.
  • Select “Submit”

  • Click on the “Dial Patterns” tab
  • Enter [+0]xx. in the match pattern field
  • Select “Submit”
  • Select “Apply Config”

One may need to study dial patterns closer to meet their full needs. The dial pattern I have used indicates that all calls starting with “0” use this trunk. The simple logic being any call starting with any digit from “1 – 9” remains within Incredible PBX, and any call starting with “0” is passed over to my VOIP provider. As always, stick to doing what is in this blog and experiment later.

For those that noted there is a “#1” in the prefix field, this is there because I use Sipcall as the default VOIP provider for outgoing calls (so no prefix). With the #1 the Phonestar trunk will be used and not the Sipcall trunk. Therefore, instead of dialling “0441234567”, I would dial #10441234567″.

Test by making a call to any number starting with “0”.  If you have problems do troubleshooting as mentioned previously. Also don’t forget the problem might be your “Sip-ALG” setting on your firewall.

Hopefully one now has internal calls and outbound calls working fine, so let’s get the last step working, inbound calls.

Inbound Call Routing

You will notice that for an incoming call from my Sipcall trunk, I route the call to a single extension (NOTE: I’ve got more extensions defined than just “201” and “202” that I’ve used in this blog). For incoming calls from my Phonestar trunk, I route the call to several phones (Ring Group). I am not going into details about creating Ring Groups, but will mention that you can create “Ring Groups”, by going to the “Applications” tab and selecting “Ring Groups”.

Inbound Call Routing

For initial testing only set up an Inbound Route for one of your VOIP providers.

  • Select the tab “Connectivity” and then “Inbound Routes”
  • Select “+Add Inbound Route”

  • Select the “General” tab
  • Provide a meaningful “Description”
  • Leave “DID Number” field empty for initial testing (I’ll explain providing a DID later)
  • “Set Destination” to “Extension” then choose the extension number to be rung – e.g. “201” or “202”
  • Select “Submit”
  • Select “Apply Config”

Test incoming calls are working by calling your VOIP telephone number from your mobile or landline phone for example. Make sure you are not using your mobile phone that you have also setup as a softphone to receive calls! 🙂

Any problems, do the troubleshooting I keep mentioning and don’t forget that it could be your firewall Sip-ALG setting.

Inbound Call Routing using DID (Direct Inward Dialing)

The DID is provided by your VOIP provider. If you have multiple VOIP providers then quite possibly you will want to route information dependent on whether the external caller dialed number “A” or number “B”. If you want all Inbound calls to be routed to the same phones, regardless of what number was dialed then you don’t need to concern yourself with “DID Number” and just leave the “DID Number” field blank.

If you do want to do Inbound routing dependent on what number is called, you have to make an Inbound Route for every DID (in my case every VOIP provider) like I have done.

The graphic again showing my 2 inbound routes

I had problem with defining the DID. As I explained earlier I had to change the “context” setting on the trunk. Here is a snippet of what I wrote from setting up your trunk:

  • Enter Context “from-pstn-toheader”. NOTE: the default for Context is “from-pstn” is what I believe would be correct if one had actually subscribed to trunking from the VOIP provider.

You can see if your Incredible PBX server is finding the DID by looking at the logs. If things aren’t working when you have defined a DID, you’ll probably get what I was getting in the log which was the word “Forbidden”. If you are getting “Forbidden”, then maybe your VOIP provider isn’t sending a DID, you need to change your context to “from-pstn”, or you entered an incorrect DID. If/when it is working correctly you will see lines with “your-DID@from-pstn” in the log. Example – “41192462386@from-pstn” where “41192462386” is your DID. NOTE: if you have subscribed to trunking from your VOIP provider, which I haven’t, your DID’s are probably much shorter with 3 or 4 digits.

Conclusion

Although there are many features not covered, and the features covered only cover the essentials to get going with Incredible PBX, I trust one has learned a lot and is inspired to look deeper into Incredible PBX/Asterisk.

Have fun! 🙂

Posted on

SSH/SFTP with Two Factor Authentication

If you are wanting to access your home network from the Internet, then you really should strongly consider security. Although accessing your servers by using a unique username and a strong password is still very popular there is still a small amount of risk involved. The more you can reduce the risk the better. In this blog I’m going to explain how I access my computers at home from the Internet.

As the title suggests, I use Secure Shell for remote access to either manage my computers (SSH login)  or to shift files backwards and forwards (SFTP). You can find many articles telling you that using an SSH key pair is just like having two factor authentication (2FA), but I prefer to go for the security of a typical username/password login followed by a 2nd authentication using TOTP (Time based One Time Password) with a 2nd device, the 2nd device generally being a mobile phone with an APP (you will also hear this referred to as a soft token).

The first time I installed the SSH daemon (SSHD) with 2FA, I installed SSHD with Google Authenticator. Although it worked fine I couldn’t get it to work with SFTP clients logging into an SFTP jail, so I looked and found an alternative method which I prefer as it is totally Open Source, and of course it did what I wanted. I used PAM_OATH.

Installation & Configuration

My Linux server is Debian based, so here are the steps I did:

  • Install pam_oath and oathtool
    sudo apt-get update
    sudo apt-get upgrade
  • Edited /etc/ssh/sshd_config
    ChallengeResponseAuthentication yes
    UsePAM yes
  • Restart the SSH Daemon
    sudo service sshd restart
  • Now generate a hexadecimal key that will be put into the file users.oath
    head -10 /dev/urandom | md5sum | cut -b 1-30
    this will provide a 30 character result. An example result 8fa4acca0483c5694096ff9d1cc360
    Using this result populate /etc/users.oath with a line like this:
    HOTP/T30/6 yourusername – 8fa4acca0483c5694096ff9d1cc360
    Make sure that /etc/users.oath is only accessible by root, so enter the commands –
    sudo chmod 600 /etc/users.oath
    sudo chown root:root /etc/users.oath
  • Now we need to note the base32 result of the hex key. One can do this using a Hex to Base32 converter, but the recommendation is to use oathtool and issue the command –
    oathtool –verbose –totp  yourhexkey, so using our example hexadecimal key from above,  oathtool –verbose –totp 8fa4acca0483c5694096ff9d1cc360 The result will display, amongst other things,  the line “Base32 secret: R6SKZSQEQPCWSQEW76ORZQ3A”.
  • Now go to your device (most likely your mobile phone) and install the App. I generally use the App Aegis, but you can use Google Authenticator, Authy, FreeOTP, just to name a few. Open the App and add an account. Here are a few pictures to give you an idea of how to add an account using the App “Authy”.

    Note: in “Add account” select “Enter Code Manually”
  • Now we need to activate things. On my Debian based distribution (Raspbian), I editted /etc/pam.d/sshd and added the line –
    auth required pam_oath.so usersfile=/etc/users.oath window=30 digits=6 as the last line.
  • Now it is time to test. Stay logged on to your server just in case you have done things wrong, the follow this procedure:

1. Open a new terminal window on your client device. Your PC, another PC, or Smartphone for example.
2. Open the App on your second device (so mobile phone with Authy, Aegis, GoogleAuthenticator etc.) so you are ready with your Time based OTP.
3. Open a new SSH session from your terminal window to your server and login.

It should look something like this –
ssh username@yourserver
Password:
One-time password (OATH) for `username’:
Last login: Fri Apr 10 13:09:55 2020 from yourhost
username@yourserver:~$

CONGRATULATIONS! It works

  • There is one thing you probably will want to do, and that is to avoid 2FA on your local network(s) for your trusted users. To do this create a file to exclude networks. I created the file /etc/security/access-local.conf and the contents of it are –
    + : ALL : 192.168.1.0/24
    + : ALL : LOCAL
    – : ALL : ALL
    so the network 192.168.1.x and localhost will be excluded.
    To make this active update /etc/pam.d/sshd again by inserting a line just before the line you added above. The last 2 lines will now look like this –
    auth [success=1 default=ignore] pam_access.so accessfile=/etc/security/access-local.conf
    auth required pam_oath.so usersfile=/etc/users.oath window=30 digits=6
    Be sure to test again.

At this point we are basically finished, but it’s really worthwhile fully understanding how it works and the extra configuration options.

For those wanting to know more, I’m going to carry on and show you how to create a user-friendly QR code, and explain why I believe one should add even more security.

Creating a QR

It’s much more user friendly to give your users a QR (Quick Response) code image to scan using their 2nd device/mobile phone. Here is a typical QR code image for my example above with the Base32 secret “R6SKZSQEQPCWSQEW76ORZQ3A”.

This was created with the command qr “otpauth://totp/username@yourserver?secret=R6SKZSQEQPCWSQEW76ORZQ3A” > exampleQR.png

How to Install and execute QR Code Image Generator

I’m sure one could find a nice web-interface to do everything for you, but here I’m going to explain how I generate my QR code.

I have Python  installed on my server so I’m using the Python tools for QR Code Image Generation. For this I will need to install qrcode and pillow. To do this execute the following from the command line –
sudo pip install qrcode (or sudo pip3 install qrcode for Python v3)
sudo pip install pillow (or sudo pip3 install pillow for Python v3)
Now you can make the image with  –
qr “otpauth://totp/username@yourserver?secret=R6SKZSQEQPCWSQEW76ORZQ3A” > exampleQR.png
NOTE: the above is a single line command!
This command is the very basic and a few assumptions are made with this command (e.g. number of digits for the TOTP will be 6 and the time expiration will be 30 seconds).

After you have run the command you just need to display the image, exampleQR.png in our example, and scan it with your App

I’ve given you the basic information that should be good enough to get you going but it’s probably worth your while understanding the URI format of otpauth (e.g. understand “otpauth://totp….” and the parameters).

Additional Security (Fail2Ban)

If you were to look at the number of connection attempts from the Internet you’d be surprised at how many people, robots, are trying to crack your username and password and break into your server. Take a look at how many are attempting to break in with the command –
sudo lastb -a | less
On my SSH server I have attempts from addresses that have been trying for months, so would be trying continually many times a minute if fail2ban were to be inactive. With fail2ban you can ban an IP address after the configured amount of attempts for a configured amount of time.

Fail2ban Installation and Configuration

Installation is very straightforward irrespective of Linux distribution. So for a Debian based distribution just do –
sudo apt-get update
sudo apt-get upgrade
sudo apt-get install fail2ban

If you want to play around with the default configuration of fail2ban then copy fail2ban.conf to fail2ban.local and make changes in this file. The fail2ban.local settings will override the fail2ban.conf settings. I didn’t bother creating a fail2ban.local as I was happy with the default setting for such things as where to place the log files, the verbosity of logging, the file to contain the PID number etc.

Where you will most probably want to play around with the configuration is within jail.conf. To do this copy jail.conf to jail.local sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local – and change the settings in jail.local. You’ll notice that there are settings for many protocols beside SSH, but we’re only interested in the settings for SSHD. I’m no Fail2ban expert so I’m only going to show you example settings for SSHD which are very similar to what I use –

[sshd]

# To use more aggressive sshd modes set filter parameter “mode” in jail.local:
# normal (default), ddos, extra or aggressive (combines all).
# See “tests/files/logs/sshd” or “filter.d/sshd.conf” for usage example and details.
#mode = normal
enabled = true
filter = sshd
port = ssh
banaction = iptables-multiport
bantime = 60m
maxretry = 2
ignoreip = 192.168.1.0/24
logpath = %(sshd_log)s
backend = %(sshd_backend)s

The only lines that interest me are the lines “bantime”, “maxretry” and “ignoreip”. Using the example above any user within the local network, 192.168.1.0/24 in my example, is excluded. This means they can try numerous times to login. Anyone trying to login from the Internet can enter false credentials 2 times (maxretry), but will be banned from trying for 60 minutes (bantime) if the 3rd attempt is false. Don’t forget to reload the fail2ban configuration after any change –
sudo service fail2ban reload

Further Thoughts and Information

Maybe you are wanting to do 2FA more for your SFTP clients. I haven’t looked that hard for GUI clients that can cope with 2nd authentication, but the popular Windows client, WinSCP, works very well. Unfortunately the popular Linux client, Filezilla, does not handle the 2nd authentication so I always do things from a terminal and CLI on my Linux clients. As for IOS, I haven’t looked for a compatible client.

Finally, if you’re really interested in SFTP, you may want to read my “How to make your own NAS” blog, which covers how to make an SFTP jail.

 

 

Posted on

Apache and Two-factor Authentication (2FA) using LDAP accounts

Introduction

Although I am happy locking down my Apache web server so I can  just use web management tools from my local network, I’m also interested in potentially doing this from the Internet, therefore I decided to try and find a secure way to do this. For several years I just protected my web sites using an LDAP user account and password, which in most cases is most likely good enough. Nevertheless I decided I wanted to add that second layer of security. In this post I will describe how I implemented Two-factored authentication (2FA). If you have no basic Apache web server and/or no basic LDAP know-how then please familiarise yourself with both of these services before proceeding.

Before I start explaining, it’s worth understanding what you are getting as you don’t want to spend a lot of time trying to get things to work and then deciding it’s not what you want. The first authentication is an LDAP authentication using Apache basic authentication, and not a Forms based authentication. What this means is that the LDAP authentication is valid as long as your browser is open, e.g. there is no expiration after so many minutes/hours of inactivity. So if you want session time expiration then this solution is potentially not for you. One can build in some session time expiration on the 2nd Authentication which I will explain later. The 2nd authentication will be done using Time-Based One-Time Password (TOTP), so typically an App on your smartphone like Google Authenticator or Authy (I use an App called Aegis simply because it’s Open Source).

For the know-how for the 2nd Authentication, credit has to go to the person contributing code and instructions to Github. Besides reading my blog you should also read that persons guide! – Apache 2FA instructions.

If you want to take a look at how things work first, feel free to scroll down to the “Let’s try it out” section further down.

Preparation

As I’ve mentioned  please go through the  Apache 2FA instructions, but specifically for my guide you’ll need to do the following commands mentioned in the Apache 2FA instructions:

git clone https://github.com/itemir/apache_2fa
cd apache_2fa
sudo pip3 install onetimepass
mkdir state
sudo chmod 750 state
sudo chmod 640 tokens.json

Enable mod_rewrite, mod_auth_digest and mod_cgid if not already enabled

sudo a2enmod rewrite
sudo a2enmod auth_digest
sudo a2enmod cgid
sudo service apache2 restart

If you want to exactly follow my instructions, then you’ll either have to move the directory apache_2fa and it’s contents to /usr/share/ or make a symbolic link called /usr/share/apache_2fa to point to wherever you placed apache_2fa when you executed the “git” command above.

Finally do:

sudo chmod -R www-data:www-data /usr/share/apache_2fa

Let’s Get Started

My goal is to protect certain parts of my website that I don’t want the public to have access to. In my example, I want to restrict access to https://www.hallam.ch/2fa/ and everything that lies under this URL.

1st Authentication (LDAP)

As previously written, the assumption is, is that you have some basic understanding on how LDAP and Apache services work. To figure out how to implement LDAP basic authentication for Apache please refer to Apache documentation or to the many websites that will detail how to do this. A search using your preferred search engine for “Apache LDAP basic authentication” will help you get going. What I will explain here is how I configured Apache with Basic LDAP authentication to protect my “2fa” web pages.

To configure Apache to protect https://www.hallam.ch/2fa/  I created an Apache configuration file in /etc/apache2/sites-available/ . I called my configuration file “2fa_test.conf” which at the moment is misleading as we are only doing a single LDAP authentication. NOTE: We will be changing the content of “2fa_test.conf” when we finalise things with the 2nd Authentication.

Make sure the file has the correct ownership and permissions so it can be accessed by Apache. The file will have to be present in /etc/apache2/sites-enabled for the directives to be activated on an Apache server restart, so to ensure that the file is in /etc/apache2/sites-enabled from a CLI prompt, execute the command “ln -s /etc/apache2/sites-available/2fa_test.conf /etc/apache2/sites-enabled/2fa_test.conf”.

Don’t forget to reload or restart your Apache web server after any configuration change with “service apache2 reload” (or “service apache2 restart”)

Here is an example of what the “2fa_test.conf” content should look like:

<Directory “/var/www/2fa/”>
SSLRequireSSL
AuthType Basic
AuthName “Please provide your credentials”
AuthBasicProvider ldap
AuthLDAPURL ldap://ldap-server/dc=acme,dc=com?mail?sub
require ldap-group cn=group-test2fa,ou=groups,dc=acme,dc=com
</Directory>

and here the explanation

<Directory “/var/www/2fa/”>  (The directory you are trying to protect)
SSLRequireSSL  (Ensure basic authentication is done using HTTPS)
AuthType Basic
AuthName “Please provide your credentials”  (you can type whatever you want between the quotes)
AuthBasicProvider ldap  (use LDAP for Authentication)
AuthLDAPURL ldap://ldap-server/dc=acme,dc=com?mail?sub (explained below)
require ldap-group cn=group-test2fa,ou=groups,dc=acme,dc=com (explained below)
</Directory>

AuthLDAPURL ldap://ldap-server/dc=acme,dc=com?mail?sub

“ldap-server” is the hostname of where your ldap server is – e.g. localhost, ldap.acme.com.
“dc=acme,dc=com” is where to start searching from for the user you want to authenticate.
“mail” this is the attribute I have chosen to find the appropriate LDAP entry. I could use. Other attributes that will have a unique value like uid, or for Active Directory UserPrincipalName.
“sub” a tree search of your LDAP server

require ldap-group cn=group-test2fa,ou=groups,dc=acme,dc=com (easier is require valid-user)

The above statement, require ldap-group, is an extra step that authorises anyone who is a member of the LDAP group “group-test2fa” to access the protected web pages. All others have no access. Maybe at this stage you should just use the less restrictive “require valid-user“.

If the above is all a bit too much, then start by looking at the appropriate Apache and LDAP documentation as mentioned.

A lot of you might be happy just with this level of security which would be hard to crack if you use LDAP/TLS.

If things are working fine you should get a dialogue box like this when trying to access https://your-website/2fa/

NOTE VERY WELL: In my example above, it is configured to use LDAP but not LDAP/TLS, therefore if your LDAP server is not on the same box as your Apache server then there is a potential security risk. I actually do have it working with LDAP/TLS so here is an example of what  my 2fa_test.conf would look like (note the extra line “LDAPTrustedGlobalCert that points to you LDAP certificate, and note the “TLS” at the end of the “AuthLDAPURL line):

LDAPTrustedGlobalCert CA_DER “/certs/ldap.crt”

<Directory “/var/www/2fa/”>
SSLRequireSSL
AuthType Basic
AuthName “Please provide your credentials”
AuthBasicProvider ldap
AuthLDAPURL ldap://ldap-server/dc=acme,dc=com?mail?sub TLS
require ldap-group cn=group-test2fa,ou=groups,dc=acme,dc=com
</Directory>

2nd Authentication (TOTP)

This is the harder part for me as I’m a novice regarding the Python programming language (maybe I should learn), and I’ve never really got involved with Apache rewrite rules. Anyhow, I started off by following these instructions, the Apache 2FA instructions. I’m not going to repeat what’s written there so note those instructions and I will outline here what I’ve done differently.

I started by trying to implement exactly the Apache 2FA instructions, but I couldn’t get it to work and I struggled to understand why, maybe because the example given is to achieve something different to what I want to do? As stated right at the beginning, my goal is to restrict access to everything under https://www.hallam.ch/2fa/.

In “1st  Authentication (LDAP)” I explained how I setup “2fa_test.conf”  to configure Apache for LDAP authentication and authorisation. Following is how I’ve now changed “2fa_test.conf”  to accommodate the 1st and 2nd level authentication

<Directory “/usr/share/apache_2fa/”>

SSLRequireSSL
AuthType Basic
AuthName “2FA First Authentication”
AuthBasicProvider ldap
AuthLDAPURL ldap://localhost/dc=local,dc=net?mail?sub
require ldap-group cn=group-test2fa,ou=groups,dc=local,dc=net

</Directory>

ScriptAlias /auth/ /usr/share/apache_2fa/

<Directory “/var/www/2fa/”>

RewriteEngine On

RewriteCond %{REQUEST_URI} !^/auth/
RewriteCond %{HTTP_COOKIE} !^.*2FA_Auth=([a-zA-Z0-9]+)
RewriteRule ^(.*)$ /auth/auth?%{REQUEST_URI} [L,R=302]

RewriteCond %{REQUEST_URI} !^/auth/
RewriteCond %{HTTP_COOKIE} ^.*2FA_Auth=([a-zA-Z0-9]+)
RewriteCond /usr/share/apache_2fa/state/%1 !-f
RewriteRule ^(.*)$ /auth/auth?%{REQUEST_URI} [L,R=302]

SSLRequireSSL
AuthType Basic
AuthName “2FA First Authentication”
AuthBasicProvider ldap
AuthLDAPURL ldap://localhost/dc=local,dc=net?mail?sub
require ldap-group cn=group-test2fa,ou=groups,dc=local,dc=net

</Directory>

Let’s go through the configuration.

<Directory “/usr/share/apache_2fa/”>

/usr/share/apache_2fa  is where I’ve put the downloaded code (the code downloaded with the command git clone https://github.com/itemir/apache_2fa).

The directives from “<Directory “/usr/share/apache_2fa/”>” to “</Directory>” I explained in the 1st Authentication (LDAP) section.

ScriptAlias /auth/ /usr/share/apache_2fa/

This forces Apache  to get all the HTML code and scripts for https://www.hallam.ch/auth/ from  /usr/share/apache_2fa/ . Please note that the web server does not have have a directory called “auth” (e.g. you won’t find a directory “<DocumentRoot>/auth”, in my case “/var/www/auth”). When you read the next part on the rewrite rules it will hopefully become clear what is happening.

<Directory “/var/www/2fa/”> (The directory you are trying to protect, but rewriting will take place when I enter https://www.hallam.ch/2fa/ in my web-browser as you will see).

RewriteEngine On (Should be self-explanatory)

RewriteCond %{REQUEST_URI} !^/auth/
RewriteCond %{HTTP_COOKIE} !^.*2FA_Auth=([a-zA-Z0-9]+)
RewriteRule ^(.*)$ /auth/auth?%{REQUEST_URI} [L,R=302]

To fully understand the above 3 lines please read the Apache documentation rewrite rules. Basically it states if the “RewriteCond” conditions are met it will execute the “RewriteRule“.  The following explanation might well be good enough for you.
The first Rewrite Condition “RewriteCond %{REQUEST_URI} !^/auth/“. If the requested URI is not “/auth/”. It won’t be initially as it will be “/2fa/” (https://www.hallam.ch/2fa/).
The second Rewrite Condition “RewriteCond %{HTTP_COOKIE} !^.*2FA_Auth=([a-zA-Z0-9]+)” is basically checking whether the Cookie “2FA_Auth” does not exist. Initially it won’t.
Assuming the Rewrite Conditions are met the Rewrite Rule will execute RewriteRule ^(.*)$ /auth/auth?%{REQUEST_URI} [L,R=302]
This will cause the Apache server to execute https://www.hallam.ch/auth/auth?/2fa/ – do you remember the line “ScriptAlias /auth/ /usr/share/apache_2fa/” from above? What happens is that Apache goes to /usr/share/apache_2fa/ and executes the python script “auth”. The python program uses everything after the “?”, so /2fa/ in my case – https://www.hallam.ch/auth/auth?/2fa/.

I’m not going to show you the “auth” python script and I’m not going into details on what the “auth” script does. You can always get the code from Github. What I will tell you about the “auth” python script is that it creates a cookie with an expiration time and a file in the directory /usr/share/apache_2fa/state/. The filename is the same as the cookie value. I’ve explained this because of the next part of the rewrite rules.

RewriteCond %{REQUEST_URI} !^/auth/
RewriteCond %{HTTP_COOKIE} ^.*2FA_Auth=([a-zA-Z0-9]+)
RewriteCond /usr/share/apache_2fa/state/%1 !-f
RewriteRule ^(.*)$ /auth/auth?%{REQUEST_URI} [L,R=302]

Let’s go straight to the second rewrite condition as I’ve already explained the first.
The second rewrite condition practically the same as as the second rewrite condition above except this time it is checking whether the cookie “2FA_Auth” exist.
The third rewrite condition RewriteCond /usr/share/apache_2fa/state/%1 !-f is looking to see if there is not a file that matches the cookie value under “/usr/share/apache_2fa/state/”.
The RewriteRule has also previously been explained.

PLEASE NOTE: I’ve also included further directives after the rewrite rules (a repeat of the directives in the 1st authentication). I believe these directives are superfluous and you can exclude them. I only put them there because that’s how things were setup in the Apache 2FA instructions, and leaving them there is harmless.

Generating secret keys and QR codes

I don’t intend to go into too much detail, but will tell you enough for you to get things working. For the generation of the secret keys one just needs to issue this CLI command:

“head -10 /dev/urandom | md5sum | cut -b 1-30 | xargs oathtool –verbose –totp | grep “Base32” | cut -b 16-“

This will give a result of something like this – TBSYABA5VOLRMYWSF5SGTTY5

you will then need to put the result into the “tokens.json” file which you’ll find under /usr/share/apache_2fa. I’ve done things for a user with the email address of “test.user@acme.com” so my “tokens.json” file looks like this

{
“test.user@acme.com”: “TBSYABA5VOLRMYWSF5SGTTY5”
}

You can leave things like this and tell the user what their secret key is so they can add it to the Mobile phone App, or you can be a bit more user-friendly and generate a QR code for their Mobile phone App to scan in.

To generate the QR code using the above secret key enter the following CLI command (NOTE: it’s a single line command):

qr “otpauth://totp/test.user@acme.com?secret=TBSYABA5VOLRMYWSF5SGTTY5”

You can always save the QR generate to an image file by saving the output, so:

qr “otpauth://totp/test.user@acme.com?secret=TBSYABA5VOLRMYWSF5SGTTY5” > testuser.png

Let’s try it out

So you can see how it should work for you, I have set things up so you can access what’s behind https://www.hallam.ch/2fa/ .

To start with you will need an App on your smartphone for the 2nd authentication. I am using an Open Source App called “Aegis”, but if you want you can use Apps like “Authy” or “Google Authenticator”. You can add a new profile by adding the Authentication secret key manually which is TBSYABA5VOLRMYWSF5SGTTY5, but you’ll probably find it easier to just scan the QR code that I generated which you will find here – https://www.hallam.ch/QRcode/ .

You are now ready to go, so go to https://www.hallam.ch/2fa/ and when the dialogue box appears for “User Name” and “Password” enter the following credentials:
User Name = test.user@acme.com
Password =  testuserxx

Assuming you have entered the credential correctly you will get the page for the 2nd Authentication for the TOTP code from your smartphone App.

Enter the token value that is presented by your smartphone App (Authy, Google Authenticator, Aegis etc.) and you should see the following page.

Additional thoughts and information

  • Take a look at the python script auth (in my case /usr/share/apache_2fa/auth), and try and figure out what it’s doing. The beauty about auth is that you can play around with it to meet your needs.
  • I made a small change to the template.html to use my own image for the 2nd Authentication instead of getting the *Google Authenticator” image from the Internet.
  • If you want to protect another part of your website with this solution, you’ll have to think a bit. For example, you won’t want to use the same cookie generate by the auth script is an immediate thought.
  • You can put a bit of session control in place by changing the expiration time of the 2FA_Auth cookie that auth generates, and maybe one would like to change auth so that the cookie expiration time is updated everytime the website is accessed. If you have a short expiration time, auth will force the 2nd Authentication to take place again. Current expiration time is 6 hours.
  • Don’t forget to implement the latter part of the Maintenance section of Apache 2FA instructions (the state clean part).
  • You can play around with solution to fit your need. For example, it might be nice to keep the tokens within your LDAP directory instead of the file “tokens.json”.
  • Maybe I should spend some of my time to come up with a “Forms Based” 2FA using PHP 🙂

 

Posted on

Tips on how to use your Smartphone as a travel survival kit

As I have written in a previous post, ones Smartphone is much more than just a phone. I view my Smartphone as a pocket PC. Recently I’ve been travelling in unfamiliar foreign lands, namely SE Asia and Russia. I was also doing a lot of moving about from place-to-place and in areas whereby people only spoke in their mother tongue, or languages that I did not understand. I was in remote places so needed to figure out how to get from A to B and the best form of Transport to get me there. I was not alone and travelling with other people that I wanted to stay in contact with, besides contacting friends back home. Finally, like most people, I wanted to travel on a sensible budget and still not have to forego those small luxuries. Following is a summary of how I used my Smartphone to help me achieve my goals.

My Smartphone is an Android phone, but I’ll try and keep this post as generic as possible as it doesn’t really matter what flavour of Operating System (Android, IOS etc.) as long as you have a Smartphone.

I tried for a while to live with just using WiFi for data connectivity, but discovered it was worthwhile to purchase a local Sim card. In Russia I purchased a Sim card that gave me more than enough cellular data, 15GB, for a month, and this for a small price (approx $10). I used a second Smartphone for my foreign Sim card, but I could’ve also replaced my current Sim card  or used the 2nd Sim slot on my dual-Sim phone. Study first to ensure you get the type of service you want from a local Sim card. Maybe your Service Provider provides a good package for when you leave your homeland and buying a foreign Sim is not necessary. Obviously, if you replace your home Sim card, you have the disadvantage of not being able to receive SMS’s or phone calls on your usual number. I disabled my home Sim card as the charges for incoming calls were far too high. I made use of one of the many Apps to make/receive calls (WhatsApp, Facetime, Skype, Facebook etc.), or connected to my VOIP landline number from my Smartphone to make/receive calls (see Landline/Festnetz Telephony (VOIP) for more information on this).

Another consideration, if you are travelling as a group, is just for one of you to buy a good data package like I did in Russia. One can set up the phone that has the data package installed as a Hotspot (on my Android phone “Settings/Network & Internet/Hotspot & Tethering). This will enable your companion(s) to connect to the phone via WiFi and then surf the Internet. Obviously your companion(s) have to be in WiFi range.

Now you have an idea of how you can make and receive calls at little to no cost, and on how to get on to the Internet without being charged a fortune let’s move on to the type of Apps I found really useful.

If you haven’t booked all your flights and accommodation before you left home, you’ll want an Apps like Skyscanner, Tripadvisor, etc to find you flights, and Apps like Agoda, AirBnB, Tripadvisor etc. to find your accommodation.

When trying to get from A to B it’s very advisable to use a “Maps” application. I use the default Maps application on my phone, Google Maps, but there are plenty of other good “Maps” Apps. Nowadays when travelling you don’t actually need to purchase a GPS for your car as your phone is equipped with GPS and will give you directions including verbal directions. I recommend you read my article Take full advantage of your Smartphone for minimum cost for more information and to ensure you don’t unnecessarily use Cellular data which could cause additional cost.

Another excellent App is “translate”. Once again I used what came with my phone, Google Translate. You can either type things in, or you can speak to your phone but it is recommended that you prepare things while online with WiFi and download the appropriate language dictionary for offline use.

There are usually Apps for local transport so try and find out what they are and install them on your phone. I did quite a bit of travelling by Taxi and used Taxi hailing Apps similar to Uber. The App called Yandex worked well for me in Russia, and an App called Grab was also good in SE Asia. You can at least use the Apps to  get a good idea what the cost of a journey is if you want to try and catch a cab on the Street.

One final tip, make sure you fully understand the difference between cellular data and WiFi data. Cellular data can cost a lot, whereas WiFi is usually free nowadays. If you only have a limitted Cellular data package then I recommend you only switch Cellular/Mobile data on when you need it (on my phone I go to “Settings/Network & Interet/Mobile network” and switch off “Mobile data” and “Roaming”, and only switch it on when required).

Happy Holidays! 🙂

Posted on

Take full advantage of your Smartphone for minimum cost

If you are like me, I’m always looking at how to reduce my costs and still get everything I really want. In this article I’m going to cover how to cut your Smartphone costs close to zero.

If you have a Smartphone that you need for business, or are a person that needs, or likes, to make a lot of voice calls for a lot of hours at anytime you want, or can’t wait to surf the net, then this article is probably not for you although it might contain some information that you might find useful.

Seeing as you are still reading I assume you are interested in cutting your mobile costs. Ask yourself “what do I generally do with my Smartphone?”. If you are like me, I use my Smartphone as a Pocket Computer. I generally use my Smartphone to consume information, access social media, to text, and to make the occasional call. Now let’s move onto what most probably interests you about this article – “how do I cut my costs close to zero?”.

Start by going with a minimum contract, or better still prepay. Now you need to understand what your Smartphone has, and how it communicates with the outside world. You have a mobile network (generally referred to as G3, G4 networks), Wifi, Bluetooth, and GPS (used for maps and localising where you are). The part that is costing you the money is the use of the G3, G4 mobile networks, so start by switching of “Mobile data”, or setting it to zero megabytes. NOTE VERY WELL: You don’t need “Mobile data” to make a call, receive a call, or to send an SMS, but do for MMS (does anyone send MMS’s nowadays?)!!! Another way of looking at it is that your Smartphone now has all the functionality of those fine Nokia phones of Yesteryear plus Wifi, Bluetooth and GPS. Wifi and GPS is what I need to make my phone “smart”! Always have Wifi and GPS turned on. A small tip, if you’re buying a new phone, try and get one that supports the latest Wifi protocols. For the big cost saving Wifi is the key, so let’s now talk about Wifi.

Most people have Internet at home and one can connect to the Internet via Wifi. There are now more and more public Wifi hotspots to connect to, and many bars, shops, restaurants, airports etc. have Wifi hotspots to connect to for free for their customers. With a Wifi connection you can now use your favourite Apps to make a call or send a text or make a call for free (WhatsApp, Facebook, Facetime, Skype etc.), although there is the limitation that you’re friends need to be online within that App. In a separate article I have written how to use your “home phone” number on your Smartphone by using a VOIP provider – Landline/Festnetz Telephony (VOIP). Making landline calls are generally a lot cheaper than making mobile calls in most lands.

If you are traveling do look at what your provider charges you. I find it an absolute cheek that you often get charged a lot for incoming calls by many providers and the cost is often quite significant. I recently deactivated my Sim on a trip abroad as my provider was charging far too much for outgoing and incoming calls. In this instance I used Apps liked those mentioned above and my “home phone” number to make calls using a VOIP App – read the article Landline/Festnetz Telephony (VOIP). You might find it in your interest to buy a local pre-pay Sim card, or even buy a package from your service provider, when abroad. Personally, I would go with a local pre-pay Sim card.

Something I find very useful, especially when abroad in unfamiliar territory is the App “Maps”.  “Maps” needs GPS so you generally don’t need mobile data or Wifi. You will need Wifi to initially plan your route. I would suggest planning your route and then downloading it for offline use. I find offline maps extremely useful when abroad and trying to find my way “home”.  To download an offline map search for an area, for example London, and not a specific address. This short video shows how:

To repeat, offline maps are perfect when no Wifi is available and you don’t want to use data connectivity (especially if you’re abroad!). Following on from the example above we can know plan a route within London as shown here:

I generally use an offline map to go from “my location” to somewhere I want to go to and just follow the blue dot. The blue dot shows your current location. Also note that the beam on the blue dot shows the direction you are facing if you are holding your phone in the same direction.

To summarise for absolute minimum costs:

  1. Go prepay
  2. Understand the difference between “Mobile data” and Wifi
  3. Utilise Wifi whenever possible
  4. Control that urge to quickly use Facebook, Twitter, WhatsApp when no Wifi is available
  5. Switch off “Mobile data” or make sure it’s set to zero Megabytes
  6. Switch off “Roaming”

You can still keep your costs low even if you buy and use a mobile data plan. Just remember to maximise Wifi data connectivity and ensure that your Apps don’t unnecessarily use Cellular data connectivity. Good practice is to just switch on “Mobile data” (Cellular data connectivity) when you need it, then switch it off when not using the phone or have Wifi.

Hope you have enjoyed this article. Make a comment if you have a tip you’d like to pass on.

 

Posted on

How to make your own NAS

I like to avoid all those companies that lure you with cloud storage and then want money after you have used up a certain amount of Gigabytes. I also do not want to share my data with them, although they give you guarantees of keeping your data private. Nevertheless, for the majority of individuals it makes sense to either have cloud storage, local portable storage (e.g. USB stick, SD card, portable SSD disk etc.), or NAS storage. I have my own servers running at home (actually Virtual Machines running on a Workstation) and I decided to add external USB storage for one of the servers (NOTE: I would’ve used a partition on internal storage if I had enough available).

By using the functionality of the Secure Shell Daemon (SSHD) on my server, I can backup the data on my mobile phone, my tablet, and my laptop using a Secure File Transfer Protocol (SFTP) client. By backing up to my server I am basically creating my own Network Attached Storage (NAS)

Now that I’ve explained that my goal is to use storage on a server on my network using an SFTP App/application on your client device (e.g. Smartphone, laptop etc.) and the SSHD  on your server, let’s get started on how to achieve this. I always use Linux so will only explain how I achieved my goal using Linux. This article assumes you know how to install a Linux server distribution and the SSH Daemon (SSHD), or that you already have it installed. For those of you who are impatient, and/or have good Linux know how here is the step-by-step guide using existing internal storage.

  1. Create a group with an meaningful name – groupadd sftp
  2. Create a directory for all user who will be using your network storage – mkdir /ftpusers
  3. Change the SSH configuration file /etc/ssh/sshd_config as follows:
    Comment out “Subsystem sftp /usr/lib/openssh/sftp-server” and add the following lines at the end of the configuration file.
    Subsystem  sftp  internal-sftp
    Match Group sftp
      ChrootDirectory /ftpusers
      ForceCommand internal-sftp
    AllowTcpForwarding no
  4. Restart the SSH daemon – service sshd restart
  5. Ensure the user and group root own the directory /ftpusers – chown root:root /ftpusers
  6. Ensure the read, write, execute permissions are correct – chmod 751 /ftpusers
  7. Create the individual user directories (let’s assume we will have a user called “smith”) – mkdir /ftpusers/smith
  8. Create users who will use this service (using the user “smith”) – useradd -g sftp -d /smith -s /sbin/nologin smith
  9. Give the user a password – passwd smith
  10. Change the ownership for the directory /ftpusers/smith – chown smith:root /ftpusers/smith
  11. Change the read, write, execute permissions on directory /ftpusers/smith – chmod 770 /ftpusers/smith

Following the above steps you should now be able to use your sftp client and login to your chroot jail environment and upload files.

It’s always good to understand why things work rather than just blindly follow instructions, especially if you’re having troubles and things didn’t work for you for some reason. Here is an explanation of the points above.

In point 1 we have created a group called “sftp” mainly for the SFTP sub-system running under the SSH Daemon, and in point 2 we have created the root directory of our chroot jail.

Point 3 causes all users who are in the group we created in point 1 to be chroot’d/jailed to the directory /ftpusers, basically meaning they cannot escape from the /ftpusers environment. I was interested as to why I needed to change the subsystem configuration from “sftp-server” to “internal-sftp” and found the following if you are interested – https://serverfault.com/questions/660160/openssh-difference-between-internal-sftp-and-sftp-server#660325

Points 5 and 6 are very important to follow correctly. I had the idea that I would give myself, the system administrator, full permissions on the chroot directory (e.g. “chown root:admin /ftpusers”, “chmod 771 /ftpusers”). DO NOT DO THIS! Always ensure the permission are 751 (I assume 750 is also fine).  I was inquisitive to know why I couldn’t give a group write permissions and found this explanation from a SSHD developer – “We ban this because allowing a user write access to a chroot target is dangerously similar to equivalence with allowing write access to the root of a filesystem”. If you allow someone other than root write access you will get an error by login. I also strongly recommend not giving “world” write access (e.g. “chmod 771 /ftpusers”). If you do this User A will be able to see and access User B’s directory structure.

Point 8 is creating an SFTP user login for a user called “smith” who will be in the group “sftp and have the home directory “/ftpusers/smith”.  Note the connection with the SSHD configuration in point 3! The user “smith” is in the group “sftp” so will be matched with the “Match Group” setting in the SSHD config file. As a result the user will be logged into a home home directory of “/ftpusers” as specified in the SSHD configuration plus “/smith” as specified in the “useradd” -d option in command useradd -g sftp -d /smith -s /sbin/nologin smith. Finally the -s /sbin/nologin is ensuring that the user cannot make any sort of shell login but only and SFTP login.

Further useful information

Data Redundancy

You may want to go that bit further put in some redundancy by making a backup of your backups in case your disk crashes. I have achieved this using the rsync command and making it a root cron task. The manual command would be something like this:

rsync -a /ftpusers/ /AnotherDisk/AnotherPartition/ftpusers-backup
or
rsync -a –delete /ftpusers/ /AnotherDisk/AnotherPartition/ftpusers-backup (which will remove any files at the destination that were removed at the source)

NOTE: I am recommending that your destination is not on the same device as your source. Obvious as to the reason why, isn’t it?

External Access

If you want to allow Internet access you will have to allow SSH, port 22, access through your firewall. If you are a typical home user with a DHCP IP address you’ll either have to access using the IP address of your router, or setup your own domain and Dynamic DNS service.

SFTP Clients

There are plenty out but I have used Easy FTP on Apple IOS devices which has a nice uncomplicated interface. WinSCP would be my choice for Windows and on Linux I use either use CLI commands or Nautilus

Conclusion

Well, that is it unless you want to backup your files directly to external storage. If you are wanting to put your users files on external storage then please read on.

Using External Storage for your SFTP users (or a newly installed disk)

The first thing to note is that if you do use external storage it is not expected that you remove the device and move it from PC to Laptop to Tablet etc. It will probably become obvious as to why as you read through this section. The main reason for using external storage is that you do not have enough internal storage, or want to save it for something else.

First of all ensure your external storage device is formatted using the ext2, ext3 or ext4 file system. The reason you want ext2, ext3 or ext4 is so that one can set directory ownership and permissions. You cannot set ownership and permissions on a ntfs, vfat formatted device (have you now figured out why your device is no longer really portable to another PC/Laptop/Tablet? I know Windows OS won’t recognise ext formatted devices, and I believe IOS also. Also the ownership on another Linux device may well be irrelevant).

Once your disk is formatted create a mount point (directory) where your device can be mounted. If you read all of the above we would want to mount things on /ftpusers, therefore you can create the mount point (directory) as described above (e.g. “mkdir /ftpusers”, “chown root:root /ftpusers”, “chmod 751 /ftpusers”). I would recommend not using “chmod 751 /ftpusers” as if your external storage is umounted for any reason then potentially root has the rights to write to your hard disk and fill it up. In this case I would go with “chmod 551 /ftpusers” and add extra security with the chattr command – “chattr +i /ftpusers” (It’s worth fully understanding this command). Note that the rights on the /ftpuser directory will be changed when your external storage is mounted! The mount command looks at the /etc/fstab file to see how your external storage should be mounted. This is described below.

Next find out the device. I find the easiest way is to do fdisk -l . To be really sure remove the external storage and do fdisk -l again and you should see that the device is missing. It’s a good chance that your device will be /dev/sdb1 (Disk /dev/sdb with the partition /dev/sdb1). Now ensure you can mount and umount the device (e.g mount /dev/sdb1 /ftpuser, umount /ftpusers).

You will need to modify the file system, /etc/fstab, so that the storage device mounts automatically after reboot. It’s also good to define things here, as the mount command get the information it needs /etc/fstab meaning you don’t have to remember all the options when mounting manually. You will need to find out the Universally Unique Identifier, UUID, of your device by entering the command blkid /dev/sdb1 (NOTE: I’ve assumed /dev/sdb1 is the partion, it could be different in your case). After finding the UUID add a line like this at the end of your /etc/fstab – UUID=123456ab-89ef-1234-9876-11a2b039f7c0 /ftpusers auto rw,nofail 0 0 – where the UUID value is the value you looked up with the command  blkid /dev/sdb1

I hope you have found this article of interest. Please feel free to comment.

Posted on

Landline/Festnetz Telephony (VOIP)

Telephony over the Internet (VOIP, which stands for Voice Over Internet Protocol) is nothing new, and is what your telephone service provider will have been doing for quite a while. Only the line from your home to your telephone service provider isn’t, or hasn’t been, via the Internet but via telephone cables. A lot of you will still have your analogue or ISDN connection to your telephone service provider, and most telephone service providers are making easy money by charging you a monthly connection charge, or a flat monthly fee for “free calls” within your land. Why pay a monthly connection charge, monthly fee? When I moved over to VOIP several years ago it proved to be a major money saver. I had Cable for the Internet and ISDN lines for telephones, and I was paying plenty of money just for the ISDN connection. I cancelled my contract with the telephone provider and set up VOIP (e.g telephony over the Internet).

There are probably many of you asking why do I need a landline when I have a mobile subscription? My answer is that you are probably wasting too much money on your mobile subscription, or on making calls.

There are many VOIP providers out there that will provide you with a typical local landline number, or maybe you’d like a telephone number that is in another part of the world. Generally one can also port their existing phone number to their new VOIP provider if one wishes to keep their existing number. NOTE VERY WELL, there are plenty of VOIP providers that just provide a service to make calls. Find a VOIP provider that will give you the full service of incoming and outgoing calls with a geographical number.

The advantage of going with a VOIP provider is that you can take your number with you wherever you are in the world. You can set up your handsets in your house, or you can set up your Smartphone, laptop, or tablet by installing a SIP client (An App/Client Application to make your smartphone, laptop, tablet work like a landline phone). If you don’t have handsets, or don’t want to purchase handsets, just use your Smartphone (or an old Smartphone) and connect over a good Wifi connection. I’ll first go through the benefits of using it as your typical static landline phone, and then I’ll tell you how to also use it as your cheap mobile solution.

Nowadays there is a high chance that your ISP (Internet Service Provider) offers you Internet + phone but they always charge you extra for the phone part. It’s generally a good option especially but I haven’t taken this option from my ISP as I’m only a casual phone user and don’t want to pay that extra cost a month when local calls are just 2 or 3 Euro cents a minute. If the monthly fee option is good for you, you just need to plug your existing ISDN or Analogue phone into a special port on the Modem/Router provided by your ISP. I have taken a different approach which works out cheaper and more comfortable for me. As I like to have static phones about the house I bought IP phone equipment specifically for VOIP (be careful, most stores selling handsets and base stations are still mainly selling Analogue, ISDN equipment. I strongly recommend VOIP phone equipment).  In my case I have a Siemens Gigaset with a couple of handsets. The base station of the Siemens Gigaset I connect to a LAN socket on my Router. NOTE VERY WELL: You don’t need to do any of this setup if you are fine with just using your Smartphone as a typical static phone as well as a mobile which is explained below.

People are realising that they save a bundle of money by using VOIP over their Smartphone without knowing it’s VOIP. Apps like Facetime, WhatsApp, Skype, and many more VOIP apps but a bit restrictive at the moment (e.g. the recipient of your call has to have a Smartphone and/or the same App installed on their device).  Wouldn’t it be nice to just call regular phone numbers and receive calls on your landline number while on the move? Just think of the cost savings if you were to be in far away lands and you want to call friends and family back home who don’t necessarily have a Smartphone, or those Apps like Facetime, WhatsApp, Facebook. If only you could take your home (landline) number with you. Well this is easy using a VOIP provider. I live in Switzerland and I use 2 VOIP providers (Sipcall and Phonestar) although only one is necessary. There is a lot of choice out there so look around and make sure it’s good for incoming calls as well (e.g. they provided you with a number, or they will port your landline number). All you need to do is to install a SIP client on your Smartphone (make a search for “sip”. There are many, but I can tell you that I use “VoIP by Antisip” and “Zoiper” on my Android Smartphone). Configure the SIP client to connect to your VOIP provider and you’re ready to go. Your VOIP provider will give you instructions on how to connect to their service. NOTE VERY WELL, that I strongly recommend that you configure your SIP client to connect over Wifi only. If you allow it to connect over your 3G, 4G mobile network then you will be using mobile data which will be very expensive if travelling. To have good voice quality you will need a decent Wifi connection of course.

Have fun and please comment if you have any tips, recommendations.

Posted on

Make your own media player (TV box)

I make my own media player using a Raspberry Pi 3 and OSMC. For those of you who are beginners, Raspberry Pi is a cheap Single Board Computer (SBC) which costs somewhere near to 40 Swiss Francs. OSMC stand for Open Source Media Centre. It is a Debian based Linux distribution with Kodi installed. Kodi is the package that provides the media player functionality.

With my Media Player/TV box, I have turned my “not so smart” TV into a Smart TV. What I like about my TV box is that I have full control over it unlike an Apple TV or Android TV box.

The essential parts are:
Raspberry Pi 3
Micro 8GB SD card (Class 10)
An HDMI cable (ensure it is not a really old one)
Micro USB power supply

I assume one wants a presentable media player then I additionally recommend:
Heat Syncs
A housing case

Before you go out and buy I recommend that you read up on the Raspberry Pi and OSMC by going to their official pages – https://www.raspberrypi.org/
https://osmc.tv/

Here is a Raspberry Pi 3 OSMC media player that I have built for less than 70 Swiss Francs.

RPI Media Player