[arm-allstar] Node Remote, was Re: Editing Control Pannel?

Doug Crompton wa3dsp at gmail.com
Thu Feb 27 00:55:57 EST 2020


I had a discussion with Dave about this and we both want to make it clear
that if you are using the AMI remotely (changing the manager to 0.0.0.0
from local 127.0.0.1 and port forwarding the AMI port, 5038 by default) you
are opening yourself up to possible hacking. This is clearly pointed out in
the supermon docs and even noted in the manager.conf file. The supermon
docs have a firewall example that can be used to limit access to remote
AMIs to ONLY the IP address that has access. Whenever using supermon
management remotely (AMI), a firewall should be part of the equation.

Note this does not apply to supermon itself using http, but to the Asterisk
manager interface port 5038. So you could have supermon itself running
remotely, being accessed by multiple users, and that supermon could be managing
multiple nodes remotely using AMI. It is the AMI that needs protection.

Also keep in mind that when using firewall parameters, IP addresses can
change. Using the new NODE.ip.hamvoip.org URL, where NODE is the node
number of the source IP address for the firewall, will always return the
correct IP address. Here is an example from the supermon docs using the
firewall and this method -

#!/bin/bash

# Script to block a port based on IP address
#
# This script should be run by cron. It detects changes in the remote IP
# address and updates iptables. Run at least once a day or as often as
# once every 10 minutes. This depends on how often your IP address is
# likely to change. Depending on your situation BOTH the end you are
# controlling and your end need to do this, and you also need to change
# manager.conf to the 0.0.0.0 address.
#
# NOTE: the flush below wipes EVERY rule in the filter, nat and mangle
# tables, not just the AMI rules. If this box already has a firewall,
# merge these rules into it instead of running this script as-is.

IPT=/sbin/iptables

PORT=5038 # if you use a different port change this

### Flush any existing rules, preparing to reload...
$IPT -F
$IPT -t nat -F
$IPT -t mangle -F # ignore error here if mangle module isn't loaded
$IPT -X # deletes every non-built-in chain in the table

# Must have localhost:
$IPT -A INPUT -p tcp -s 127.0.0.1 --dport $PORT -j ACCEPT

# Following examples should be uncommented and configured for your
# application as needed.

# Local LAN - covers all on designated LAN (adjust the prefix to match
# your subnet; 192.168.1.0/24 is the whole 192.168.1.x LAN)
#$IPT -A INPUT -p tcp -s 192.168.1.0/24 --dport $PORT -j ACCEPT

# Example A specific machine on your LAN:
# If you were using the all LAN example you would not need this.
#$IPT -A INPUT -p tcp -s 192.168.0.6 --dport $PORT -j ACCEPT

# Example a distant node out on the Internet:
# The distant node would also need port forwarding and filtering.
# "exit" in the awk keeps only the first address; if the lookup fails,
# no ACCEPT rule is added and that host stays blocked until the next run.
#IP=$(getent hosts somedomain.com | awk '{ print $1; exit }')
#if [ "$IP" != "" ]; then
# $IPT -A INPUT -p tcp -s "$IP" --dport $PORT -j ACCEPT
#fi

# Example using Hamvoip IP lookup - set NODE = source node#
# (no space is allowed around the '=' in a shell assignment)
#IP=$(getent hosts NODE.ip.hamvoip.org | awk '{ print $1; exit }')
#if [ "$IP" != "" ]; then
# $IPT -A INPUT -p tcp -s "$IP" --dport $PORT -j ACCEPT
#fi

# Another out on the Internet example using the hamvoip dns-query
#IP=$(dns-query 417600 | awk -F',' '{print $2}')
#if [ "$IP" != "" ]; then
# $IPT -A INPUT -p tcp -s "$IP" --dport $PORT -j ACCEPT
#fi

# Another Example Using IRLP node lookup from the Internet:
#IP=$(getent hosts stn3787.ip.irlp.net | awk '{ print $1; exit }')
#if [ "$IP" != "" ]; then
# $IPT -A INPUT -p tcp -s "$IP" --dport $PORT -j ACCEPT
#fi

# Everything else aimed at the AMI port is dropped
$IPT -A INPUT -p tcp --dport $PORT -j DROP

# Use this statement at the Linux prompt to view results
# iptables -L

# END SCRIPT


Note that this same method could be used to block other ports, like SIP, to
all but those you authorize.


*73 Doug*

*WA3DSP*

*http://www.crompton.com/hamradio <http://www.crompton.com/hamradio>*
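As an added example (not from the supermon docs or from Doug's post), here is the same AMI firewall refresh written the way I would deploy it from cron. It keeps the AMI rules in a dedicated chain so the periodic reload does not flush whatever else the box's firewall does, loads that chain atomically through iptables-restore, and refuses to touch the rules at all when a hostname does not resolve, so a transient DNS failure leaves the previous allow-list in force instead of locking the remote node out. The chain name AMI-ALLOW, the ALLOW_HOSTS list and the tool paths are assumptions made for this example.

```shell
#!/bin/bash
# Added example: keep the Asterisk AMI port reachable only from an allow-list
# refreshed from DNS, without flushing the rest of the firewall.
# Assumptions (not from the supermon docs): chain name AMI-ALLOW, the
# ALLOW_HOSTS list, and the iptables / iptables-restore paths below.
set -u

IPT=/sbin/iptables
IPT_RESTORE=/sbin/iptables-restore
PORT=5038                     # AMI port from manager.conf
CHAIN=AMI-ALLOW               # dedicated chain, so nothing else is touched
# Sources allowed to reach the AMI: IPv4 literals, CIDR ranges, or hostnames
# (for example 417600.ip.hamvoip.org, the hamvoip node-number lookup).
ALLOW_HOSTS="192.168.1.0/24 417600.ip.hamvoip.org"

# Print the first IPv4 address for a name; literals and CIDRs pass through.
# ahostsv4 forces an A-record answer, which is what iptables (IPv4) needs.
resolve_v4() {
    case "$1" in
        *[!0-9./]*) getent ahostsv4 "$1" | awk '{ print $1; exit }' ;;
        *)          printf '%s\n' "$1" ;;
    esac
}

# Resolve every entry, or fail (non-zero) if any entry cannot be resolved.
# Failing here keeps the PREVIOUS rule set in place rather than silently
# dropping the remote that could not be looked up this minute.
resolve_all() {
    for host in "$@"; do
        ip=$(resolve_v4 "$host")
        if [ -z "$ip" ]; then
            echo "cannot resolve '$host'; leaving existing rules untouched" >&2
            return 1
        fi
        printf '%s\n' "$ip"
    done
}

# Emit an iptables-restore fragment that (re)builds only $CHAIN:
# localhost and the given sources are accepted, everything else dropped.
build_rules() {
    printf '%s\n' "*filter"
    printf '%s\n' ":$CHAIN - [0:0]"
    printf '%s\n' "-A $CHAIN -s 127.0.0.1 -j ACCEPT"
    for src in "$@"; do
        printf '%s\n' "-A $CHAIN -s $src -j ACCEPT"
    done
    printf '%s\n' "-A $CHAIN -j DROP"
    printf '%s\n' "COMMIT"
}

# Load the chain atomically (-n leaves every other table and chain as it is;
# a user chain named in the fragment is flushed and refilled in one commit)
# and hook it into INPUT exactly once (-C tests whether the jump exists).
apply_rules() {
    ips=$(resolve_all "$@") || return 1
    # shellcheck disable=SC2086  # word-splitting $ips is intended
    build_rules $ips | "$IPT_RESTORE" -n || return 1
    "$IPT" -C INPUT -p tcp --dport "$PORT" -j "$CHAIN" 2>/dev/null ||
        "$IPT" -I INPUT -p tcp --dport "$PORT" -j "$CHAIN"
}

case "${1:-}" in
    --print) ips=$(resolve_all $ALLOW_HOSTS) && build_rules $ips ;;
    --apply) apply_rules $ALLOW_HOSTS ;;
    *)       echo "usage: $0 --print | --apply   (run --apply from cron)" >&2 ;;
esac
```

Run it with --print to see the fragment it would load, and schedule --apply from cron at the interval the post suggests. Asterisk's own manager.conf gives a second, independent layer: each user stanza accepts a deny=0.0.0.0/0.0.0.0 line followed by one or more permit= lines, so a connection that reaches port 5038 still has to come from a permitted address. The firewall and that ACL fail separately, so keep both.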







On Wed, Feb 26, 2020 at 11:21 PM "Patrick Perdue via ARM-allstar" <
arm-allstar at hamvoip.org> wrote:

> Edit /etc/asterisk/manager.conf. Change the following:
>
> bindaddr = 127.0.0.1
>
> to
>
> bindaddr = 0.0.0.0
>
> Take note of the stanza for a username and its secret in this file, if
> it's already configured, which should be the case if your supermon
> works. This should be at the bottom of the file.
>
> In node remote, plug in your node's IP address, and that username and
> password.
>
> Note for voiceover users, there are some unlabeled buttons in this app,
> but there are only a few of them. I found it pretty easy to figure out
> what they did and label them myself. It's really too bad voiceover
> doesn't allow you to share app labels.
>
>
> On 2/26/2020 7:03 PM, "Chris Smart via ARM-allstar" wrote:
> > Hi Patrick.
> > And sorry folks... I assumed that would be part of Hamvoip itself.
> >
> > About Node Remote for iOS, what do I need to do to my G7RPG MicroHub
> > to use it with that app?
> >
> > Thanks
> >
> > Chris
> >
> >
> > At 04:24 PM 2/26/2020, you wrote:
> >> FWIW, this is not a default HamVoIP thing. G7RPG put that on his
> >> microhub image. Still unpacking, but if someone else doesn't get to
> >> it in a day or two, I'll look. That's a feature I've never used,
> >> since I use the NodeRemote iOS app.
> >>
> >> On 2/26/2020 12:34 PM, "Chris Smart via ARM-allstar" wrote:
> >> > Hmm ok. That might be it. I'm talking about the page that comes up
> >> > when I point my PC's web browser to my node's local IP (instead of a
> >> > URL)
> >> >
> >> > At 11:56 AM 2/26/2020, you wrote:
> >> >> Chris,
> >> >>
> >> >> I am not sure what you are referring to? Supermon? or the main menu?
> >> >> Supermon has a favorites option that allows you to add connections.
> >> >>
> >> >> *73 Doug*
> >> >>
> >> >> *WA3DSP*
> >> >>
> >> >> *http://www.crompton.com/hamradio <http://www.crompton.com/hamradio>*
> >> >>
> >> >> On Wed, Feb 26, 2020 at 1:49 AM "Chris Smart via ARM-allstar" <
> >> >> arm-allstar at hamvoip.org> wrote:
> >> >>
> >> >> > Folks,
> >> >> >
> >> >> > Is the control panel I get when I point my web browser at my node's
> >> >> > IP just an HTML file somewhere? Can I edit it to add more nodes and
> >> >> > hubs to connect to?
> >> >> >
> >> >> > Thanks
> >> >> >
> >> >> > Chris
> >> >> >
> >> >> > ----------------------------------------
> >> >> > Check out The Making Better podcast, interviewing some of the world's
> >> >> > finest thinkers, discussing an optimistic vision of the future.
> >> >> > https://www.makingbetterpod.com/
> >
> > _______________________________________________
> >
> > ARM-allstar mailing list
> > ARM-allstar at hamvoip.org
> > http://lists.hamvoip.org/cgi-bin/mailman/listinfo/arm-allstar
> >
> > Visit the BBB and RPi2/3/4 web page - http://hamvoip.org
> _______________________________________________
>
> ARM-allstar mailing list
> ARM-allstar at hamvoip.org
> http://lists.hamvoip.org/cgi-bin/mailman/listinfo/arm-allstar
>
> Visit the BBB and RPi2/3/4 web page - http://hamvoip.org

