[arm-allstar] Node Remote, was Re: Editing Control Pannel?
Dustin Perdue
borrisinabox at gmail.com
Thu Feb 27 11:14:09 EST 2020
This is why I manage all of my nodes behind a VPN if I’m not physically where they live.
> On Feb 27, 2020, at 00:56, Doug Crompton via ARM-allstar <arm-allstar at hamvoip.org> wrote:
>
> I had a discussion with Dave about this and we both want to make it clear
> that if you are using the AMI remotely (changing the manager to 0.0.0.0
> from local 127.0.0.1 and port forwarding the AMI port 5038 default) you
> are opening yourself up to possible hacking. This is clearly pointed out in
> the supermon docs and even noted in the manager.conf file. The supermon
> docs have a firewall example that can be used that limits access to remote
> AMIs to ONLY the IP address that has access. Whenever using supermon
> management remotely (AMI) a firewall should be part of the equation.
>
> Note this does not apply to supermon itself using http but the Asterisk
> manager interface port 5038. So you could have supermon itself running
> remotely being accessed by multiple users and that supermon could be managing
> multiple nodes remotely using AMI. It is the AMI that needs protection.
>
> Also keep in mind that when using firewall parameters IP addresses can
> change. Using the new NODE.ip.hamvoip.org URL where NODE is the node
> number of the source IP address for the firewall will always return the
> correct IP address. Here is an example from the supermon docs using the
> firewall and this method -
>
> #!/bin/bash
> # Script to block a port based on IP address
> # This script should be run by cron. It detects changes in the remote IP address
> # and updates IP tables. Run at least once a day or as often as once every 10 minutes.
> # This depends on how often your IP address is likely to change. Depending on
> # your situation BOTH the end you are controlling and your end need to do this and
> # you also need to change manager.conf to the 0.0.0.0 address.
>
> IPT=/sbin/iptables
> PORT=5038 # if you use a different port change this
>
> ### Flush any existing rules, preparing to reload...
> $IPT -F
> $IPT -t nat -F
> $IPT -t mangle -F # ignore error here if mangle module isn't loaded
> $IPT -X # deletes every non-built-in chain in the table
>
> # Must have localhost:
> $IPT -A INPUT -p tcp -s 127.0.0.1 --dport $PORT -j ACCEPT
>
> # Following examples should be uncommented and configured for your application as needed.
>
> # Local LAN - covers all on designated LAN
> #$IPT -A INPUT -p tcp -s 192.168.1.0/16 --dport $PORT -j ACCEPT
>
> # Example A specific machine on your LAN:
> # If you were using the all LAN example you would not need this.
> #$IPT -A INPUT -p tcp -s 192.168.0.6 --dport $PORT -j ACCEPT
>
> # Example a distant node out on the Internet:
> # The distant node would also need port forwarding and filtering
> #IP=$(getent hosts somedomain.com |awk '{ print $1 }')
> #if [ "$IP" != "" ]; then
> #    $IPT -A INPUT -p tcp -s "$IP" --dport $PORT -j ACCEPT
> #fi
>
> # Example using Hamvoip IP lookup - set NODE = source node#
> #IP=$(getent hosts NODE.ip.hamvoip.org |awk '{ print $1 }')
> #if [ "$IP" != "" ]; then
> #    $IPT -A INPUT -p tcp -s "$IP" --dport $PORT -j ACCEPT
> #fi
>
> # Another out on the Internet example using the hamvoip dns-query
> #IP=`dns-query 417600 | awk -F',' '{print $2}'`
> #if [ "$IP" != "" ]; then
> #    $IPT -A INPUT -p tcp -s "$IP" --dport $PORT -j ACCEPT
> #fi
>
> # Another Example Using IRLP node lookup from the Internet:
> #IP=$(getent hosts stn3787.ip.irlp.net |awk '{ print $1 }')
> #if [ "$IP" != "" ]; then
> #    $IPT -A INPUT -p tcp -s "$IP" --dport $PORT -j ACCEPT
> #fi
>
> # Drop all other traffic to the AMI port
> $IPT -A INPUT -p tcp --dport $PORT -j DROP
>
> # Use this statement at the Linux prompt to view results
> # iptables -L
> # END SCRIPT
>
>
> Note that this same method could be used to block other ports like sip to
> just those you authorize.
>
> *73 Doug*
> *WA3DSP*
> *http://www.crompton.com/hamradio <http://www.crompton.com/hamradio>*
>
>> On Wed, Feb 26, 2020 at 11:21 PM "Patrick Perdue via ARM-allstar" <
>> arm-allstar at hamvoip.org> wrote:
>>
>> Edit /etc/asterisk/manager.conf. Change the following:
>>
>> bindaddr = 127.0.0.1
>>
>> to
>>
>> bindaddr = 0.0.0.0
>>
>> Take note of the stanza for a username and its secret in this file, if
>> it's already configured, which should be the case if your supermon
>> works. This should be at the bottom of the file.
>>
>> In node remote, plug in your node's IP address, and that username and
>> password.
>>
>> Note for voiceover users, there are some unlabeled buttons in this app,
>> but there are only a few of them. I found it pretty easy to figure out
>> what they did and label them myself. It's really too bad voiceover
>> doesn't allow you to share app labels.
>>
>>
>>> On 2/26/2020 7:03 PM, "Chris Smart via ARM-allstar" wrote:
>>> Hi Patrick.
>>> And sorry folks... I assumed that would be part of Hamvoip itself.
>>>
>>> About Node Remote for iOS, what do I need to do to my G7RPG MicroHub
>>> to use it with that app?
>>>
>>> Thanks
>>>
>>> Chris
>>>
>>>
>>> At 04:24 PM 2/26/2020, you wrote:
>>>> FWIW, this is not a default HamVoIP thing. G7RPG put that on his
>>>> microhub image. Still unpacking, but if someone else doesn't get to
>>>> it in a day or two, I'll look. That's a feature I've never used,
>>>> since I use the NodeRemote iOS app.
>>>>
>>>> On 2/26/2020 12:34 PM, "Chris Smart via ARM-allstar" wrote:
>>>>> Hmm ok. That might be it. I'm talking about the page that comes up
>>>>> when I point my PC's web browser to my node's local IP (instead of a
>>>>> URL)
>>>>>
>>>>> At 11:56 AM 2/26/2020, you wrote:
>>>>>> Chris,
>>>>>>
>>>>>> I am not sure what you are referring to? Supermon? or the main menu?
>>>>>> Supermon has a favorites option that allows you to add connections.
>>>>>>
>>>>>> *73 Doug*
>>>>>> *WA3DSP*
>>>>>> *http://www.crompton.com/hamradio <http://www.crompton.com/hamradio>*
>>>>>>
>>>>>> On Wed, Feb 26, 2020 at 1:49 AM "Chris Smart via ARM-allstar" <
>>>>>> arm-allstar at hamvoip.org> wrote:
>>>>>>
>>>>>>> Folks,
>>>>>>>
>>>>>>> Is the control panel I get when I point my web browser at my node's
>>>>>>> IP just an HTML file somewhere? Can I edit it to add more nodes and
>>>>>>> hubs to connect to?
>>>>>>>
>>>>>>> Thanks
>>>>>>>
>>>>>>> Chris
>>>>>>>
>>>>>>> ----------------------------------------
>>>>>>> Check out The Making Better podcast, interviewing some of the world's
>>>>>>> finest thinkers, discussing an optimistic vision of the future.
>>>>>>> https://www.makingbetterpod.com/
> _______________________________________________
>
> ARM-allstar mailing list
> ARM-allstar at hamvoip.org
> http://lists.hamvoip.org/cgi-bin/mailman/listinfo/arm-allstar
>
> Visit the BBB and RPi2/3/4 web page - http://hamvoip.org
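
As a complement to the firewall script quoted above, an added example (not part of the original thread or the supermon docs): a shell check that reads manager.conf and flags the two settings discussed here, a bindaddr outside loopback and user stanzas that lack Asterisk's per-user deny=/permit= address ACLs. The stanza names, secrets and addresses in the sample are constructed placeholders.

```sh
# Added example: prints one finding per line; exit status is 1 if anything is found.
# Usage: audit_manager_conf /etc/asterisk/manager.conf   (or pipe the file on stdin)
audit_manager_conf() {
    awk '
    function flush_user() {
        if (section != "" && section != "general" && !(deny && permit)) {
            print "user [" section "]: no deny=/permit= ACL pair, login is not tied to a source IP"
            bad = 1
        }
    }
    { sub(/;.*/, ""); gsub(/[ \t\r]/, "") }   # strip ; comments and whitespace
    /^\[/ {
        flush_user()                           # close out the previous stanza
        section = substr($0, 2, index($0, "]") - 2)
        deny = 0; permit = 0
        next
    }
    index($0, "=") {
        key = substr($0, 1, index($0, "=") - 1)
        val = substr($0, index($0, "=") + 1)
        if (section == "general" && key == "bindaddr" && val !~ /^(127\.|::1$)/) {
            print "bindaddr=" val ": AMI listens beyond loopback, firewall the port"
            bad = 1
        }
        if (key == "deny") deny = 1; else if (key == "permit") permit = 1
    }
    END { flush_user(); exit bad + 0 }
    ' "${1:--}"
}

# Constructed sample: user names, secrets and the permitted address are placeholders.
sample_conf() {
    cat <<'EOF'
[general]
port = 5038
bindaddr = 0.0.0.0      ; changed from 127.0.0.1 for remote use
[admin]
secret = CHANGE-ME
[remote]
secret = CHANGE-ME-TOO
deny = 0.0.0.0/0.0.0.0
permit = 203.0.113.10/255.255.255.255
EOF
}

sample_conf | audit_manager_conf || echo "findings above: restrict or firewall the AMI"
```

A clean result only covers the configuration file; the iptables rule set still has to be checked separately with iptables -L.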