I have set up a LAMP server on a Raspberry Pi on my home network. I would like to expose the pi to the internet by opening up ports 22 and 80 on my router so i can ssh into it as well as use any web services i set up on it.
This is a little pet project I'm using to learn more about networking, server setup and linux in general - with only a cheap RPi which i can wipe and start again easily anything goes wrong. I do plan to put it on a separate subnet to the other devices on the home network, just in case.
(Yes, i know this is a little much for a raspberry pi - this is just a learning exercise and a proof of concept before i throw money at this to build a rig for it)
My understanding is that SSH is already secure, so i don't have to worry about my username and password being seen across the web when i want a terminal session.
My concern is that if i send anything to a web service (such as a wordpress or phpmyadmin password) it'll be clear to see on the web. How can i stop this?
My plan was SSL, but from what I've read, an SSL certificate needs a domain name for a certificate to be issued by most places. When all I'll be doing is pointing to a static IP from my ISP on the devices I'll be using.
The other use i have planned for it is as a mysql server for my kodi boxes to use for the library data so my devices can share data (the videos live on another server running windows). So other devices on a local network need to be allowed access to mysql easily without the silly level of security the internet-side requires. I assume this will be easily possable alongside my other use cases as I'd not be opening the port for it on the router and the only things that would access msql are local network devices, and services on the mysql host itself
Are any of my assumptions or conclusions wrong?
Are there any better ways to achieve what I'm after than what I'm describing?
Is there a preferred way to interact with the Pi if i just wanted it to set off a specific script? (say send a wake-on-lan packet to a specific computer)
Is there a way for me to have the web server onllly communicate with specific devices that i have the appropriate keys/certificates loaded onto so that i can be certain that I'm the only one with access?
Are any of my assumptions or conclusions wrong?
Using a username/password combo for SSH is probably secure enough, but it's generally more secure to use a public/private SSH key pair.
Your assumptions about MySQL seem sound. Just make sure to have some authentication on the server just in case you have a nosey houseguest on your WiFi. :)
Are there any better ways to achieve what I'm after than what I'm
describing?
A couple options that come to mind:
You could generate a self-signed certificate for the web server and then manually copy that onto your client devices. I think this would allow you to get around the requirement for a domain name.
You could set up a secure VPN into your home network. This way you wouldn't have to expose your web/SSH servers to the world.
Is there a way for me to have the web server only communicate with
specific devices that i have the appropriate keys/certificates loaded
onto so that i can be certain that I'm the only one with access?
The VPN option mentioned earlier would allow you to do this.
You could restrict access to the Apache server to only devices with specific client certificates: https://stackoverflow.com/a/24543642/2384183
Related
I am going to a highly Internet censorship country which blocked Youtube or Gmail or twitter. So I decide to setup a shadowsocks proxy server, on a Raspberry PI and give it to my friend who live in a low censorship area. I use her internet to visit my Gmail. Unfortunately my friend is totally computer illiterate, and she often move house. That means I need to automatic every network config of the pi.
That means the Raspi should automatically recognize new network and initialize the server. So here is my plan:
Every time power up the Raspi, auto recognize IP and auto send to my safe email.
The Raspi is probably under a local area network. NaT(Network Address Translation) or frp ( fast reverse proxy) should expose Raspi to public internet. Then I can find my Raspi.
Setup shadowshocks server on my Raspi, and it can change the server configuration automatically.
Then Raspi would automate deploy to the new network. I only visit my safe email and change my shadowsocks client config.
1. Is this a feasible plan?
2. I fininshed step 1, and blocked at step 2. I need help to solve step 2,3. Please give me some course or plan
Thank you for your time and any comment will be welcome.
A problem I see in your plan is in step 2:
Normally it requires setting up NAT on the wifi router to make the Shadowsocks user port open to the WLAN side. And this could be difficult to be automated on the raspberry pi, especially the wifi routers may be unpredictable various.
About step 3, it shouldn't be a problem, the service should listen on a private IP address which has nothing to do with your client setting, and the port could be fixed, all you want to do is to supervise your service to make sure it stays strong.
I would recommend setting up VPN services in a cloud environment if the costs are not a big problem. AWS has a one-year free tier plan that may be useful. Take a look at this project, aws-cfn-vpn, it should provide you a solution and keep your hands clean as much as possible.
Mixpanel is using "SoftLayer" which blocks all the request from IPs coming from Iran. Is there a workaround to redirect these request to IPs in another country to be able to bypass their filter and send the data to Mixpanel?
There are multiple ways depending on your configuration and platform
what is your hosting? If its shared then your options are limited but if you deployed your application on a dedicated server or VPS you can route your traffic via transparent proxies or through a vpn tunnel. And there are many services for that either!
for example Squid is a well-documented and easy to use service for that! But keep in mind that it works better on linux! you can read these articles for configuring a transparent proxy with squid: On Ubuntu, On CentOS
But given the circumstances I recommend using an open-source analytical system such as:
Matomo (formerly known as Piwik)
Open Web Analytics
Heap (a famous iranian event site (Evand) was using Heap)
You can connect through a VPN tunnel. It works the way that you connect to a computer somewhere else (in your case in another country) and then you connect from that computer to the rest of the internet. So from the rest of the internet it looks like you're somewhere else.
You can check out ProtonVPN, they have VPN tunnels through a bunch of countries.
WebRTC signalling is driving me crazy. My use-case is quite simple: a bidirectional audio intercom between a kiosk and to a control room webapp. Both computers are on the same network. Neither has internet access, all machines have known static IPs.
Everything I read wants me to use STUN/TURN/ICE servers. The acronyms for this is endless, contributing to my migraine but if this were a standard application, I'd just open a port, tell the other client about it (I can do this via the webapp if I need to) and have the other connect.
Can I do this with WebRTC? Without running a dozen signalling servers?
For the sake of examples, how would you connect a browser running on 192.168.0.101 to one running on 192.168.0.102?
STUN/TURN is different from signaling.
STUN/TURN in WebRTC are used to gather ICE candidates. Signaling is used to transmit between these two PCs the session description (offer and answer).
You can use free STUN server (like stun.l.google.com or stun.services.mozilla.org). There are also free TURN servers, but not too many (these are resource expensive). One is numb.vigenie.ca.
Now there's no signaling server, because these are custom and can be done in many ways. Here's an article that I wrote. I ended up using Stomp now on client side and Spring on server side.
I guess you can tamper with SDP and inject the ICE candidates statically, but you'll still need to exchange SDP (and that's dinamycally generated each session) between these two PCs somehow. Even though, taking into account that the configuration will not change, I guess you can exchange it once (through the means of copy-paste :) ), stored it somewhere and use it every time.
If your end-points have static IPs then you can ignore STUN, TURN and ICE, which are just power-tools to drill holes in firewalls. Most people aren't that lucky.
Due to how WebRTC is structured, end-points do need a way to exchange call setup information (SDP) like media ports and key information ahead of time. How you get that information from A to B and back to A, is entirely up to you ("signaling server" is just a fancy word for this), but most people use something like a web socket server, the tic-tac-toe of client-initiated communication.
I think the simplest way to make this work on a private network without an internet connection is to install a basic web socket server on one of the machines.
As an example I recommend the very simple https://github.com/emannion/webrtc-web-socket which worked on my private network without an internet connection.
Follow the instructions to install the web socket server on e.g. 192.168.1.101, then have both end-points connect to 192.168.0.101:1337 with Chrome or Firefox. Share camera on both ends in the basic demo web UI, and hit Connect and you should be good to go.
If you need to do this entirely without any server, then this answer to a related question at least highlights the information you'd need to send across (in a cut'n'paste demo).
I want to install a number of raspberry pis at remote locations and be able to log in to them remotely. (Will begin with 30-40 boxes and hopefully grow to 1000 individual raspberry pis soon.)
I need to be able to remotely manage these boxes. Going the easier route, forwarding a port on the router and setting a DHCP reservation, requires either IT support from the company we'll be doing the install for (many of which don't have IT), or it will require one of our IT people physically installing each box.
My tentative solution is to have each box create a reverse SSH tunnel to our server. My question is: How feasible would this be? How easy would it be to manage that many connections? Would it be an issue for a small local server to have 1000+ concurrent SSH connections? Is there an easier solution to this problem?
My end goal is to be able to ship someone a box, have them plug it in, and be able to access it.
Thanks,
w
An alternate solution would be to:
Install OpenVPN server on your server machine. How to install OpenVPN Server on the PI. Additionally, add firewall rules that block everything but traffic directed for the client's ssh and other services ports (if desired), from administrating machine(s).
Run OpenVPN clients on your Raspberry PI client machines. They will connect back to your VPN server. On a side note, the VPN server and administrating machine(s) need not be the same machine if resources are limited on the VPN server. How to install OpenVPN on the client Raspberry PIs.
SSH from administrating machine(s) to each client machine. Optionally, you could use RSA authentication to simplify authentication.
Benefits include encryption for the tunnel including ssh encryption for administrating, as well as being able to monitor other services on their respective ports.
I made a WebApp to manage this exact same setting in about 60 minutes with my java web template. All I can share are some scripts that I use to list the connection and info about them. You can use those to build your own app, it is really simple to display this in some fancy way in a fast web.
Take a look at my scripts: https://unix.stackexchange.com/a/625771/332669
Those will allow you to get the listening port, as well as the public IPs they're binded from. With that you can easilly plan a system where everything is easilly identificable with a simple BBDD.
You might find this docker container useful https://hub.docker.com/r/logicethos/revssh/
i have following scenario and can't seem to find anything on the net, or maybe i am looking for the wrong thing:
i am working on a webbased data storage system. there are different users and different places and only certain users are allowed to access certain parts of the system. now, we do not want them to connect to these parts from at home or with a different computer than they are using at their work-place (there are different reasons for that).
now my question is: if there is a way to have the work-place-pc identify itself to the server in some way over the browser, how can i do that?
oh and yes, it is supposed to be webbased.
i hope i explained it so everyone understands.
thnx for your replies in advance.
... dg
I agree with Lenni... IP address is a possible solution if they are static or the DHCP server consistently assigns the same IP address to the same machine.
Alternatively, you might also consider authentication via "personal certificates" ... that's what they are referred to in Firefox, don't know it that's the standard name or not. (Obviously I haven't worked with these before.)
Basically they are SSL or PKI certificates that are installed on the client (user's) machine that identify that machine as being the machine it says it is -- that is, if the user tries to connect from a machine that doesn't have a certificate or doesn't have a certificate that you allow, you would deny them.
I don't know the issues around this ... it might be relatively easy for the same user to take the certificate off one computer and install it on another one with the correct password (i.e. it authenticates the user), or it might be keyed specifically to that machine somehow (i.e. it authenticates the machine). And a quick google search didn't turn up any obvious "how to" instructions on how it all works, but it might be worth looking into.
---Lawrence
Since you're going web based you can:
Examine the remote host's IP Address (compare it against known internal subnets, etc)
During the authentication process, you can ping the remote IP and take a look at the TTL on the returned packets, if it's too low, then the computer can't be from the local network. (of course this can be broken, but it's just 1 more thing)
If you're doing it over IIS, then you can integrate into SSO (probably the best if you can do it)
If it's supposed to be web-based (and by that I mean that the web server should be able to uniquely identify the user's machine), then you choices are limited: per se, there's nothing you can obtain from the browser's headers or request body that allows you to identify the machine. I suppose this is by design, due to the obvious privacy implications.
There are choices though, none of which pain-free: you could use an ActiveX control, which however only runs on Windows (and not on all browsers I think) and requires elevated privileges. You could think of a Firefox plug-in (obviously Firefox only). At any rate, a plain-vanilla browser will otherwise escape identification.
There are only a few of REAL solutions to this. Here are a couple:
Use domain authentication, and disallow users who are connecting over a VPN.
Use known IP ranges to allow or disallow access.
IP address. Not bombproof security but a start.