Detecting Failed AD2USB to Raspberry Pi Connections


One of my ongoing home automation frustrations is the interface between my Ademco alarm panel and the Raspberry Pi I use to monitor the panel’s bus traffic. The problem is that the USB connection between the AD2USB (AlarmDecoder), which taps into the Ademco panel, and the Pi itself drops. This always happens during a lightning storm and seems to be the USB port on the Raspberry Pi shutting down in response to voltage fluctuations coming from the AD2USB. Rebooting the Raspberry Pi fixes the issue, but it usually takes a couple of days before I realize I’m not getting notifications from my HA system, at which point I reset the Pi.

I think I can resolve this issue once and for all by putting a USB Isolator between the AD2USB and the Raspberry Pi. To test this theory, I’ve ordered a unit from Circuits@Home which I hope to have in place within a few days.

USB Isolator

I expect the isolator will greatly improve the reliability of the communications between the AD2USB and my HA system, but I also wanted a monitoring system to notify me if messages stop coming from the AD2USB. Following is a simple Python script that runs on the Raspberry Pi. If no messages are received within a five-minute window, a variable is set on my Indigo server, which I then use to notify me of the failure. Note that the script sets the variable through Indigo’s HTTP interface with no credentials in the request, so that endpoint should only be reachable from the trusted LAN.

import time
import logging
from alarmdecoder import AlarmDecoder
from alarmdecoder.devices import SocketDevice

# urllib2 exists only on Python 2; fall back to the Python 3 equivalent so
# the script runs on either interpreter.
try:
    from urllib2 import urlopen
except ImportError:
    from urllib.request import urlopen

# Configuration values
logging.basicConfig(filename='ad2socket.log',
                    format='%(asctime)s %(message)s',
                    level=logging.DEBUG)
HOSTNAME = '127.0.0.1'
PORT = 10000
FAIL_URL = "http://indigo:8176/variables/ser2sockMon?_method=put&value=FAIL"
PASS_URL = "http://indigo:8176/variables/ser2sockMon?_method=put&value=PASS"
TIMEOUT_SECONDS = 300   # alert when no message has arrived for five minutes
HTTP_TIMEOUT = 10       # never let a hung Indigo server block the monitor
ALARM_COUNTER = 0       # seconds since the last message from the AD2USB


def set_indigo_variable(url):
    """PUT a value to the Indigo variable that drives the notification."""
    try:
        urlopen(url, timeout=HTTP_TIMEOUT)
    except Exception as ex:
        logging.warning('Exception opening url %s: %s', url, ex)


def handle_message(sender, message):
    """
    reset our alarm counter on every message
    """
    global ALARM_COUNTER
    set_indigo_variable(PASS_URL)
    ALARM_COUNTER = 0


def main():
    """
    monitor socket communications; if they stop sending data send an alert.
    """
    global ALARM_COUNTER
    try:
        # Retrieve an AD2 device that has been exposed with ser2sock on localhost:10000.
        device = AlarmDecoder(SocketDevice(interface=(HOSTNAME, PORT)))

        # Set up an event handler and open the device
        device.on_message += handle_message
        with device.open():
            while True:
                time.sleep(1)
                ALARM_COUNTER += 1
                if ALARM_COUNTER > TIMEOUT_SECONDS:
                    logging.info('FAIL')
                    ALARM_COUNTER = 0
                    set_indigo_variable(FAIL_URL)

    except Exception as ex:
        logging.warning('Exception: %s', ex)


if __name__ == '__main__':
    main()

One helpful note for anyone wanting to mimic what I’ve done here: there can be extended periods with little to no traffic on the alarm panel bus. To force traffic, I’ve set up a job on my Indigo server to send a panel message consisting of a single pound symbol (#) every five minutes. This always results in an updated alarm-state message being sent across the bus. With the keepalive interval equal to the five-minute timeout, any delay in the Indigo job will trip a false FAIL, so give the timeout some margin over the keepalive interval.

Until next time – GEEK OUT!

~GT~

EC2, UFW and Broken SSH Access


I’m a big fan of Amazon’s EC2 platform and long ago migrated all of my servers to its “cloud”. I’m also a realist when it comes to security and take all of the reasonable precautions I can to limit my risks. One such precaution is two-factor authentication for SSH (see my article “Two-Factor Authentication System for Apache and SSH”, Linux Journal – Issue 239, March 2014). Another is to take full advantage of a firewall to limit access to services.

When leveraging the EC2 platform there are two firewall options. One is the EC2 firewall (Security Groups) and the other is the firewall running on the server instance itself. I tend to use both: the EC2 firewall for broad configurations (e.g. a security group shared across multiple machines) and the local firewall for refined, server-specific configurations.

All of my Linux servers are Ubuntu and when configuring the local firewall I use its UFW tool to build simple iptables rules to refine access controls. The challenge I ran into was that I had limited SSH (port 22) to two specific IP addresses, one for home and the other for the office. All was fine until I moved my office and moved into a new house both within a month of each other. Here I am nine or ten weeks later and I need to SSH to my server to do some maintenance and, as you might have guessed, I can’t access the SSH service. Normally one would work around this issue by going directly to the console, logging in and resolving the issue. As that was not an option in this case, I thought about my problem for a minute and quickly realized that it would be fairly easy to work around my seemingly insurmountable problem. Here are the steps I took:

Note: Most of the steps outlined below are executed via the EC2 Dashboard. All others steps are specifically called out and must be executed at the command line.

  • Launch another EC2 server instance
    The best way to accomplish this is to use EC2’s “Launch More Like This” feature. This ensures that the OS type, security group and other attributes are the same, saving a bit of setup time.

    EC2 Instance Management

  • Stop the problem instance
  • Detach the root volume from the problem instance
  • Attach the volume to the new instance
    Note: Newer Linux kernels may rename your devices to /dev/xvdf through /dev/xvdp internally, even when the device name entered is /dev/sdf through /dev/sdp.

  • Mount the volume (command line, on the new instance)
    cd ~
    mkdir lnx1
    sudo mount /dev/xvdf ./lnx1
    
  • Disable UFW
    The file lives under the mounted volume’s /etc/ufw, not at the top of the mount point:
    sudo vim lnx1/etc/ufw/ufw.conf
    
    Now find ENABLED=yes and change it to ENABLED=no.

  • Detach the volume
    Be sure to unmount the volume first:
    sudo umount ./lnx1/
    
  • Reattach the volume to /dev/sda1 on the problem instance
  • Boot the problem instance
  • Reassign the elastic IP address if necessary
  • Delete the temporary instance and its associated volume

Voilà – I have SSH access to my server again. While UFW is disabled the instance is protected only by its security group, so tighten the group’s SSH rule to your current address before booting it. Now I need to modify my UFW rules (allow SSH from the new home and office addresses), re-enable UFW, and I’m good to go.
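The offline edit from the “Disable UFW” step, as an added example rather than anything from the post: it locates ufw.conf relative to the mount point (so the wrong-path mistake shows up as a clear error instead of a silently created file), keeps a backup, and rewrites only the ENABLED line. The mount point `~/lnx1` and the script name `rescue_ufw.py` are the post’s and my own assumptions respectively.

```python
import shutil
import sys
from pathlib import Path


def ufw_conf_path(root):
    """ufw.conf of a root filesystem mounted at `root` (e.g. ~/lnx1)."""
    return Path(root) / 'etc' / 'ufw' / 'ufw.conf'


def ufw_enabled(root):
    """True/False from the ENABLED= line of the offline ufw.conf, or None
    when the file is missing (usually: the volume is mounted elsewhere)."""
    conf = ufw_conf_path(root)
    if not conf.is_file():
        return None
    for line in conf.read_text().splitlines():
        if line.startswith('ENABLED='):
            return line.split('=', 1)[1].strip() == 'yes'
    return None


def set_ufw_enabled(root, enabled):
    """Rewrite the ENABLED= line in the offline ufw.conf, preserving every
    other line, after saving a .bak copy.  Returns the new state."""
    conf = ufw_conf_path(root)
    if not conf.is_file():
        raise FileNotFoundError(
            '%s not found: is the rescued root volume mounted at %s?' % (conf, root))
    shutil.copy2(conf, conf.parent / (conf.name + '.bak'))
    wanted = 'ENABLED=' + ('yes' if enabled else 'no')
    lines = conf.read_text().splitlines()
    seen = False
    for i, line in enumerate(lines):
        if line.startswith('ENABLED='):
            lines[i], seen = wanted, True
    if not seen:
        lines.append(wanted)
    conf.write_text('\n'.join(lines) + '\n')
    return ufw_enabled(root)


if __name__ == '__main__':
    # usage on the rescue instance: sudo python3 rescue_ufw.py ~/lnx1
    mount_point = sys.argv[1] if len(sys.argv) > 1 else 'lnx1'
    print('UFW enabled before:', ufw_enabled(mount_point))
    print('UFW enabled after: ', set_ufw_enabled(mount_point, False))
```

Once the repaired instance is back, add the new addresses with `ufw allow from <address> to any port 22` and run `ufw enable` so the host firewall is active again; the same function with `enabled=True` would also flip the flag back offline.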

Until next time – GEEK OUT!

~GT~

Guest Wireless VLAN Via Airport Express


Wireless networks have become ubiquitous. We use them at home, at work, at the mall, the airport, the coffee shop and just about everywhere else we go. When setting up a wireless network, it’s wise to spend some quality time considering how you plan to use that network. One important question is whether guests will be allowed network access. If the answer is yes, the next question is how you are going to protect yourself. It’s not wise to allow unfettered guest access to your production network, where a visitor can poke around and, with a little ingenuity, gain access to data and resources they shouldn’t have.

I recently set up a new office and as part of that process wanted to make provision for guest internet access, but I didn’t want to set up separate access points for employees and guests. I knew Apple had functionality to allow for the creation of guest networks via their Airport products but was a bit skeptical that it would work for me because Apple assumes you are using an Airport Extreme as your primary router. I would never use such a device as my primary router but, as always, where there’s a will, there is a way. Airport Expresses are cheap so I figured I would buy one and give it a shot.

Windows Airport Utility Issue

After receiving my Airport Express (I really bought three) I set it up and then downloaded the latest Airport Utility for Windows (5.6.1) so I could start my configuration.

Airport Utility for Windows - ABOUT

As I looked through the interface I couldn’t find anything related to setting up a guest network. I knew I had seen these configuration options before while configuring an Airport Extreme. Their absence here made me question whether guest network support existed on the Airport Express products.

Wireless Tab on Airport Utility for Windows

Before giving up I decided to try the Mac version of the Airport Utility. I pulled out my Macbook, ran the utility and Voilà; I could see the guest network settings that I had expected to find. Not a big deal, but it’s helpful to know that the Airport Utility for Windows is lacking in functionality and cannot be used to implement a guest wireless network on an Apple Airport Express.

Wireless Tab on Airport Utility for Mac

How It Works

Now that we know how to define our network, we need to figure out how to make the guest network coexist with the rest of the configuration and how to keep its traffic separate from internal traffic. Since I have no interest in running an Airport Extreme as my router, I configured the Airport to operate in bridge mode, which means I’m using it as an access point only. I then plugged a patch cord into the Airport’s WAN port and the other end into my switch.

Airport Express Layout

A quick test revealed that I could now access resources from both of my defined wireless networks. This raises the question: how can we differentiate the guest traffic from the non-guest traffic, and how can we limit what guests can access? The answer lies in what Apple does to the packets that come in over the guest network. As you might have already guessed, there’s no magic here: Apple simply tags the frames with a VLAN ID, which happens to be hard-coded to 1003.

Explaining how VLANs work is beyond the scope of this post, but suffice it to say that with VLAN tagging we can manage traffic more effectively even when it runs across the same wire. In our case, that means I can use the same access point to give employees access to the internal network and the internet while limiting guests to internet access only. One thing to verify: every switch port between the Airport and the router must pass frames tagged 1003 through to the router’s interface. If a switch strips the tag or drops tagged frames, guests either land on the internal network or get nothing at all.
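To make the tagging concrete, here is an added example (not code from the post or from Apple) that pulls the 802.1Q tag out of a raw Ethernet frame, exactly what you would look for in a tcpdump capture on the switch port facing the router, and then applies the three rules a guest VLAN interface needs: let guests reach the gateway for DHCP and DNS, drop everything else bound for internal address space, allow the rest out. The gateway address 10.100.3.1 and the sample frames are my assumptions, constructed here rather than captured.

```python
import ipaddress
import struct

GUEST_VLAN = 1003                  # tag Apple puts on guest-network frames
TPID_8021Q = 0x8100                # 802.1Q tag protocol identifier
ETHERTYPE_IPV4 = 0x0800
# Assumed addressing (not from the post): the router's address on the
# VLAN 1003 interface, which guests must reach for DHCP and DNS.
GUEST_GATEWAY = ipaddress.ip_address('10.100.3.1')
INTERNAL_NETS = [ipaddress.ip_network('10.0.0.0/8'),
                 ipaddress.ip_network('172.16.0.0/12'),
                 ipaddress.ip_network('192.168.0.0/16')]


def parse_ethernet(frame):
    """Return (vlan_id, ethertype, payload) for a raw Ethernet frame.
    vlan_id is None when there is no 802.1Q tag after the MAC addresses."""
    if len(frame) < 14:
        raise ValueError('frame too short for an Ethernet header')
    (ethertype,) = struct.unpack('!H', frame[12:14])
    if ethertype != TPID_8021Q:
        return None, ethertype, frame[14:]
    if len(frame) < 18:
        raise ValueError('truncated 802.1Q tag')
    tci, inner_type = struct.unpack('!HH', frame[14:18])
    vid = tci & 0x0FFF              # VID is the low 12 bits; PCP/DEI sit above it
    return vid, inner_type, frame[18:]


def ipv4_dst(payload):
    """Destination address of an IPv4 packet, or None if it is not IPv4."""
    if len(payload) < 20 or payload[0] >> 4 != 4:
        return None
    return ipaddress.ip_address(bytes(payload[16:20]))


def guest_policy(vlan_id, dst):
    """Model of the rules on the guest VLAN interface: allow the gateway
    (DHCP/DNS), drop anything else bound for internal address space,
    allow the rest out to the internet.  Frames without the guest tag are
    not this interface's business."""
    if vlan_id != GUEST_VLAN:
        return 'not-guest'
    if dst is None:
        return 'unhandled'          # only IPv4 is modelled here
    if dst == GUEST_GATEWAY:
        return 'allow'
    if any(dst in net for net in INTERNAL_NETS):
        return 'drop'
    return 'allow'


def classify(frame):
    """(vlan_id, verdict) for one frame as seen on the trunk to the router."""
    vid, ethertype, payload = parse_ethernet(frame)
    dst = ipv4_dst(payload) if ethertype == ETHERTYPE_IPV4 else None
    return vid, guest_policy(vid, dst)


def build_frame(vlan_id, dst_ip):
    """Constructed frame (not a capture): broadcast dst MAC, a made-up src
    MAC, an optional 802.1Q tag, and a 20-byte IPv4 header carrying only
    the fields the parser reads."""
    macs = bytes.fromhex('ffffffffffff' '001122334455')
    ip = bytearray(20)
    ip[0] = 0x45                                    # version 4, IHL 5
    ip[16:20] = ipaddress.ip_address(dst_ip).packed
    if vlan_id is None:
        return macs + struct.pack('!H', ETHERTYPE_IPV4) + bytes(ip)
    tci = (0 << 13) | (0 << 12) | vlan_id          # PCP 0, DEI 0, VID
    return macs + struct.pack('!HHH', TPID_8021Q, tci, ETHERTYPE_IPV4) + bytes(ip)


if __name__ == '__main__':
    for vid, dst in [(1003, '192.168.1.25'), (1003, '10.100.3.1'),
                     (1003, '203.0.113.5'), (None, '192.168.1.25')]:
        print(vid, dst, classify(build_frame(vid, dst)))
```

The ordering in `guest_policy` matters: the gateway is inside 10.0.0.0/8, so its allow rule must come before the internal-network drop, which is the same top-down order the rules need on the router.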

The Router

I love building routers and I regularly vacillate between a pfSense router and, my true love, a Linux-based iptables router. In this instance, I’m using pfSense to manage my traffic. All I need to do is create a VLAN interface for tag 1003 on the LAN-facing physical interface, set up DHCP for that interface, define the firewall rules (allow DHCP and DNS to the interface address, block everything else destined for the internal networks, allow the remainder out to the internet) and I’m done.

pfSense VLAN Interface

I won’t cover it here, but I also recommend the use of a captive portal for your various networks. I use a portal for my LAN as well as my employee and guest wireless networks. This allows me to effectively throttle bandwidth usage while also limiting which devices have access to my network.

Until next time – GEEK OUT!

~GT~