EC2, UFW and Broken SSH Access


I’m a big fan of Amazon’s EC2 platform and long ago migrated all of my servers to its “cloud”. I’m also a realist when it comes to security and take all of the reasonable precautions I can to limit my risks. One such precaution is two-factor authentication for SSH (see my article “Two-Factor Authentication System for Apache and SSH”, Linux Journal – Issue 239, March 2014). Another is to take full advantage of a firewall to limit access to services.

On EC2 there are two firewalls available. One is the EC2 firewall (Security Groups), which is enforced outside the instance; the other is the firewall running on the server instance itself. I tend to use both, with Security Groups for broad configuration (e.g. one group shared across multiple machines) and the local firewall for refined, server-specific rules.

All of my Linux servers run Ubuntu, and when configuring the local firewall I use UFW to build simple iptables rules that refine access controls. The challenge I ran into was that I had limited SSH (port 22) to two specific IP addresses, one for home and the other for the office. All was fine until I moved my office and moved into a new house, both within a month of each other. Nine or ten weeks later I needed to SSH to my server to do some maintenance and, as you might have guessed, I couldn't reach the SSH service. Normally one would work around this by going directly to the console, logging in and fixing the rules. As that was not an option in this case, I thought about the problem for a minute and realized that it would be fairly easy to work around: the firewall configuration lives on the root volume, and a volume can be edited from another instance. Here are the steps I took:

Note: Most of the steps outlined below are executed via the EC2 Dashboard. All other steps are specifically called out and must be executed at the command line on the new instance.

  • Launch another EC2 server instance
  • The best way to accomplish this is to use EC2's "Launch More Like This" feature. This will ensure that the OS type, security group and other attributes are the same, saving a bit of setup time. Make sure the new instance ends up in the same availability zone as the problem instance; an EBS volume can only be attached to an instance in its own zone.

    EC2 Instance Management

  • Stop the problem instance
  • Detach volume from problem instance
  • Attach volume to new instance
  • Note: Newer Linux kernels may rename your devices to /dev/xvdf through /dev/xvdp internally, even when the device name entered is /dev/sdf through /dev/sdp. Run lsblk on the new instance to see the name the volume actually got.

  • Mount the volume
  • On the new instance, at the command line:

    cd ~
    mkdir lnx1
    sudo mount /dev/xvdf ./lnx1

    If lsblk shows the filesystem on a partition rather than on the whole device (e.g. xvdf1), mount that instead.
    
  • Disable UFW
  • UFW keeps its on/off state in /etc/ufw/ufw.conf, which on the mounted volume is ./lnx1/etc/ufw/ufw.conf:

    sudo vim ./lnx1/etc/ufw/ufw.conf

    Now find ENABLED=yes and change it to ENABLED=no. Two things to keep in mind: while UFW is disabled, only the Security Group limits what reaches the instance, so check that the group does not open port 22 to the world before you boot; and a gentler alternative to switching the firewall off is to leave it enabled and add an allow rule for your new address to ./lnx1/etc/ufw/user.rules, which UFW loads at boot.

  • Detach volume
  • Be sure to unmount the volume first:

    sudo umount ./lnx1/
    
  • Reattach the volume to /dev/sda1 on the problem instance (the root device name the Ubuntu AMI expects)
  • Boot the problem instance
  • Reassign the elastic IP address if necessary
  • Terminate the temporary instance and delete its associated volume

Voilà – I have SSH access to my server again. Now I need to add my new addresses to the UFW rules, turn UFW back on (sudo ufw enable) and I'm good to go.
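The steps above are dashboard clicks plus an edit on the mounted volume. As an added example that is not part of the original post, the script below does the volume-side work as reusable shell functions: the post's ENABLED=no edit, the gentler alternative of appending an allow rule for the new address to /etc/ufw/user.rules so the firewall stays up, and the EBS detach/attach sequence via the AWS CLI in place of the dashboard. The Ubuntu /etc/ufw layout, the placeholder instance and volume IDs, and the addresses 203.0.113.5 and 198.51.100.7 are my assumptions, not the post's; the demo at the bottom runs against a constructed stand-in for the mounted root, so no EC2 is needed to try it.

```shell
#!/bin/sh
# Added example (not the post's own procedure). Two things the post does by hand:
#   1. fixing UFW on a root volume that is mounted under a rescue instance, and
#   2. moving the EBS volume between instances (here with the AWS CLI instead
#      of the dashboard).
# Assumptions, none of which come from the post: the rescued root is an Ubuntu
# filesystem with the standard /etc/ufw layout, instance and volume IDs are
# placeholders, and 203.0.113.5 / 198.51.100.7 are documentation addresses.
set -u

# Option A, what the post does: turn UFW off. The host firewall is then down
# until someone logs in and runs "ufw enable", so the Security Group is the
# only thing limiting port 22 in the meantime.
ufw_disable_on_root() {
    conf="$1/etc/ufw/ufw.conf"
    [ -f "$conf" ] || return 1
    awk '$0 == "ENABLED=yes" { $0 = "ENABLED=no" } { print }' "$conf" > "$conf.tmp" \
        && mv "$conf.tmp" "$conf"
    grep -q '^ENABLED=no$' "$conf"
}

# Option B, less exposure: leave UFW enabled and add an allow rule for the new
# source address. UFW stores its rules in /etc/ufw/user.rules and feeds that
# file to iptables-restore at boot, so a rule inserted before the
# "### END RULES ###" marker is live as soon as the instance comes back up.
# The "### tuple ###" comment is what makes the rule show up in "ufw status".
ufw_allow_ssh_from() {
    rules="$1/etc/ufw/user.rules"; src="$2"
    [ -f "$rules" ] || return 1
    grep -q '^### END RULES ###' "$rules" || return 1
    # idempotent: do nothing if an identical rule already exists
    grep -q -- "--dport 22 -s $src -j ACCEPT" "$rules" && return 0
    awk -v src="$src" '
        /^### END RULES ###/ {
            print "### tuple ### allow tcp 22 0.0.0.0/0 any " src " in"
            print "-A ufw-user-input -p tcp --dport 22 -s " src " -j ACCEPT"
            print ""
        }
        { print }' "$rules" > "$rules.tmp" && mv "$rules.tmp" "$rules"
    grep -q -- "-s $src -j ACCEPT" "$rules"
}

# How many SSH allow rules the volume carries (a sanity check before umount).
ufw_count_ssh_rules() {
    grep -c -- '--dport 22 .*-j ACCEPT' "$1/etc/ufw/user.rules"
}

# Move an EBS volume to another instance (real AWS CLI commands, placeholder
# IDs). Called twice in the rescue: once to the rescue box as /dev/sdf, once
# back to the repaired instance as /dev/sda1. Not executed by default.
ec2_move_volume() {
    vol="$1"; to_instance="$2"; device="$3"
    aws ec2 detach-volume --volume-id "$vol"
    aws ec2 wait volume-available --volume-ids "$vol"
    aws ec2 attach-volume --volume-id "$vol" --instance-id "$to_instance" --device "$device"
    aws ec2 wait volume-in-use --volume-ids "$vol"
}

# Constructed stand-in for a mounted Ubuntu root, so the editing functions can
# be exercised without EC2: one existing allow rule for the old office address.
make_sample_root() {
    mkdir -p "$1/etc/ufw"
    printf 'ENABLED=yes\nLOGLEVEL=low\n' > "$1/etc/ufw/ufw.conf"
    printf '%s\n' '*filter' ':ufw-user-input - [0:0]' '### RULES ###' '' \
        '### tuple ### allow tcp 22 0.0.0.0/0 any 198.51.100.7 in' \
        '-A ufw-user-input -p tcp --dport 22 -s 198.51.100.7 -j ACCEPT' '' \
        '### END RULES ###' 'COMMIT' > "$1/etc/ufw/user.rules"
}

# Demo against the constructed root (no AWS calls). On a real rescue you would
# pass the mount point instead, e.g. ufw_allow_ssh_from ~/lnx1 203.0.113.5
demo_root=$(mktemp -d)
make_sample_root "$demo_root"
ufw_allow_ssh_from "$demo_root" 203.0.113.5
echo "SSH allow rules now on volume: $(ufw_count_ssh_rules "$demo_root")"
rm -rf "$demo_root"
```

On a real rescue, mount the volume as in the steps above and call ufw_allow_ssh_from ~/lnx1 <new-ip> (or ufw_disable_on_root ~/lnx1) before unmounting; ec2_move_volume is run from a machine with the AWS CLI configured, first towards the rescue instance as /dev/sdf and then back to the repaired instance as /dev/sda1.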

Until next time – GEEK OUT!

~GT~

   

Guest Wireless VLAN Via Airport Express


Wireless networks have become ubiquitous. We use them at home, at work, at the mall, the airport, the coffee shop and just about everywhere else we go. When setting up a wireless network, it's wise to spend some quality time considering how you plan to use it. One important question is whether guests will be allowed network access. If the answer is yes, the next question is how you are going to protect yourself. It's not wise to allow unfettered guest access to your production network, where someone can poke around and, with a little ingenuity, gain access to data and resources they shouldn't have.

I recently set up a new office and as part of that process wanted to make provision for guest internet access, but I didn’t want to set up separate access points for employees and guests. I knew Apple had functionality to allow for the creation of guest networks via their Airport products but was a bit skeptical that it would work for me because Apple assumes you are using an Airport Extreme as your primary router. I would never use such a device as my primary router but, as always, where there’s a will, there is a way. Airport Expresses are cheap so I figured I would buy one and give it a shot.

Windows Airport Utility Issue

After receiving my Airport Express (I really bought three) I set it up and then downloaded the latest Airport Utility for Windows (5.6.1) so I could start my configuration.

Airport Utility for Windows – ABOUT

As I looked through the interface I couldn’t find anything related to setting up a guest network. I knew I had seen these configuration options before while configuring an Airport Extreme. Their absence here made me question whether guest network support existed on the Airport Express products.

Wireless Tab on Airport Utility for Windows

Before giving up I decided to try the Mac version of the Airport Utility. I pulled out my MacBook, ran the utility and, voilà, I could see the guest network settings I had expected to find. Not a big deal, but it's helpful to know that the Airport Utility for Windows (5.6.1) lacks this functionality and cannot be used to set up a guest wireless network on an Apple Airport Express.

Wireless Tab on Airport Utility for Mac

How It Works

Now that we know how to define the guest network, we need to figure out how to make it coexist with the rest of our configuration and how to keep its traffic separate from our internal traffic. Since I have no interest in running an Airport Extreme as my router, I configured my Airport to operate in bridge mode, which means I'm using it as an access point only. I then plugged a patch cord into the Airport's WAN port and plugged the other end into my switch.

Airport Express Layout

A quick test revealed that I could now access resources from both of my defined wireless networks. This raises the question: how can we differentiate the guest traffic from the non-guest traffic, and how can we limit what guests can access? The answer lies in what Apple does to the frames that come in over the guest network. As you might have speculated, there's no magic here: Apple simply tags guest traffic with an 802.1Q VLAN ID, which happens to be hard-coded to 1003, and sends it out the WAN port alongside the untagged traffic of the main network. One consequence to check: every switch port between the Airport and the router must pass tagged frames for VLAN 1003 (on a managed switch, add 1003 as a tagged VLAN on both ports), or the guest traffic never reaches the router.

Explaining how VLANs work is beyond the scope of this post, but suffice it to say that with VLAN tagging we can treat traffic on the same wire as separate networks and manage each one on its own. In our case, that means I can use the same access point to give employees access to the internal network and the internet while limiting guests to internet access only.

The Router

I love building routers and regularly vacillate between a pfSense router and, my true love, a Linux-based iptables router. In this instance, I'm using pfSense to manage my traffic. All I need to do is create a VLAN interface for tag 1003 on the LAN-side NIC, assign it as a new interface, set up DHCP for it and define its firewall rules. Watch the rule order: a block rule from the guest net to LAN net (and to the firewall itself, apart from DHCP and DNS) has to sit above the pass-to-any rule that gives guests the internet, otherwise the pass rule matches first and guests can reach the internal network.

pfSense VLAN Interface
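The pfSense side is done in the GUI, so here is the same thing spelled out for the Linux iptables router the post mentions as the alternative. This is an added example, not the author's configuration: eth0 as the LAN NIC that receives the Airport's tagged frames, eth1 as the WAN NIC, 192.168.1.0/24 as the LAN and 192.168.103.0/24 as the guest range are all my assumptions, and dnsmasq stands in for pfSense's DHCP server. The ruleset generator makes the ordering point explicit, and a small check verifies that the guest-to-LAN drop precedes the guest-to-WAN accept.

```shell
#!/bin/sh
# Added example, not from the post: the Linux/iptables equivalent of the pfSense
# setup described above. The guest network arrives from the Airport Express as
# 802.1Q VLAN 1003 on the router's LAN NIC. Assumptions (mine, not the post's):
# eth0 is the LAN NIC, eth1 the WAN NIC, 192.168.1.0/24 the LAN and
# 192.168.103.0/24 the guest network; dnsmasq serves DHCP/DNS on the guest VLAN.
set -u

GUEST_VLAN=1003   # hard-coded by Apple for the guest SSID

# 1. Bring up a VLAN sub-interface for tag 1003 on the LAN NIC (needs root and
#    the 8021q module; not run by default).
guest_vlan_up() {
    lan_if="$1"; gw_addr="$2"   # e.g. eth0 192.168.103.1/24
    ip link add link "$lan_if" name "$lan_if.$GUEST_VLAN" type vlan id "$GUEST_VLAN"
    ip addr add "$gw_addr" dev "$lan_if.$GUEST_VLAN"
    ip link set dev "$lan_if.$GUEST_VLAN" up
}

# 2. dnsmasq fragment for DHCP on the guest VLAN only (written to stdout).
guest_dnsmasq_conf() {
    guest_if="$1"; range_lo="$2"; range_hi="$3"
    printf 'interface=%s\nbind-interfaces\ndhcp-range=%s,%s,12h\n' "$guest_if" "$range_lo" "$range_hi"
}

# 3. iptables-restore ruleset. Rule order is the whole point: guest -> LAN and
#    guest -> router are dropped before the guest -> WAN accept, so a guest can
#    only reach the internet (plus DHCP/DNS on the gateway itself).
guest_ruleset() {
    guest_if="$1"; lan_if="$2"; wan_if="$3"; lan_net="$4"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $lan_if -j ACCEPT
# guests may talk to the router only for DHCP and DNS
-A INPUT -i $guest_if -p udp --dport 67 -j ACCEPT
-A INPUT -i $guest_if -p udp --dport 53 -j ACCEPT
-A INPUT -i $guest_if -p tcp --dport 53 -j ACCEPT
-A INPUT -i $guest_if -j DROP
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# isolation: no guest traffic into the internal network, by interface or by address
-A FORWARD -i $guest_if -o $lan_if -j DROP
-A FORWARD -i $guest_if -d $lan_net -j DROP
-A FORWARD -i $guest_if -o $wan_if -j ACCEPT
-A FORWARD -i $lan_if -o $wan_if -j ACCEPT
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o $wan_if -j MASQUERADE
COMMIT
EOF
}

# Sanity check on a ruleset read from stdin: the guest->LAN drop must precede
# the guest->WAN accept in FORWARD. Returns 0 when the ordering is right.
ruleset_isolates_guest() {
    guest_if="$1"; lan_if="$2"; wan_if="$3"
    awk -v g="$guest_if" -v l="$lan_if" -v w="$wan_if" '
        $0 == "-A FORWARD -i " g " -o " l " -j DROP"   { drop = NR }
        $0 == "-A FORWARD -i " g " -o " w " -j ACCEPT" { acc = NR }
        END { exit !(drop && acc && drop < acc) }'
}

# Load for real with: guest_ruleset eth0.1003 eth0 eth1 192.168.1.0/24 | iptables-restore
guest_ruleset eth0.1003 eth0 eth1 192.168.1.0/24 | ruleset_isolates_guest eth0.1003 eth0 eth1 \
    && echo "guest isolation rules are ordered correctly"
```

The ESTABLISHED,RELATED accept at the top of FORWARD is what lets return traffic from the internet reach guests; it is safe to place first only because the rules after it never accept a new guest-to-LAN connection, so nothing guest-originated towards the LAN ever becomes ESTABLISHED.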

I won’t cover it here, but I also recommend the use of a captive portal for your various networks. I use a portal for my LAN as well as my employee and guest wireless networks. This allows me to effectively throttle bandwidth usage while also limiting which devices have access to my network.

Until next time – GEEK OUT!

~GT~

   

Infinite Video Loops on a Raspberry Pi


I recently upgraded my office by moving to a great new location. As part of the move I added a ton of new space to accommodate our rapid growth and even added a "play area" for the staff so they can burn off some of the frustrations of the "daily grind" with a bit of Ping Pong and, very soon, Xbox. I also added a very nice reception area with a TV where I could run a continuous loop of some of our marketing videos.

I decided to go with a Raspberry Pi to run the movies since it’s low cost, low power and very easy to hide behind the TV. I installed Raspbian and since there’s no GUI player that I could find to queue up the movies to run in a loop, I wrote a simple bash script to run a loop using omxplayer.

#!/bin/bash

# the path to the directory containing my videos
VIDEOPATH="/home/pi/Desktop/videos"

# the infinite loop!
while true; do
  for entry in "$VIDEOPATH"/*; do
    # quoted so filenames with spaces work; omxplayer's console output is hidden
    omxplayer "$entry" > /dev/null
    sleep 1
  done
done

This script seemed to work just fine but not long after I started it up, I ran into issues. The first problem was the gap in playback; it wasn’t seamless. While not a big issue, it looked ugly because I could see the desktop and the console window in the gap. To fix this I maximized the console and modified my script to turn off the cursor and set my text to black so all I could see was a black screen during the gap. Not the best solution, but I could live with it.

#!/bin/bash

cleanup()
# cleanup function: restore the cursor and white text
{
  setterm -cursor on
  setterm -foreground white -clear
  return $?
}

control_c()
# run if user hits control-c
{
  echo -en "\n*** Exiting! ***\n"
  cleanup
  exit $?
}

# trap keyboard interrupt (control-c)
trap control_c SIGINT

# main() loop
# get rid of the cursor so we don't see it when videos are running
setterm -cursor off
setterm -foreground black
setterm -clear

# the path to the directory containing my videos
VIDEOPATH="/home/pi/Desktop/videos"
SERVICE="omxplayer"

# the infinite loop!
while true; do
  # pgrep matches on process name, so the script itself is never matched
  if pgrep "$SERVICE" > /dev/null
  then
    # a player is still around from the previous pass: kill it before starting over
    pkill "$SERVICE"
    sleep 1
  else
    for entry in "$VIDEOPATH"/*; do
      clear
      omxplayer "$entry" > /dev/null
      sleep 1
    done
  fi
done

Again, this seemed to work just fine but then I ran into my second issue. This time it was the screen going to sleep. A quick Google search reveals that this is a common problem and there are lots of suggestions for fixing it. I experimented with a few options and what worked for me was to modify the Light Display Manager configuration.

sudo nano /etc/lightdm/lightdm.conf

Now look for the [SeatDefaults] section and insert this line below it (note the dash: -dpms disables the display power management that blanks the screen, and -s 0 turns off the X screen saver):

xserver-command=X -s 0 -dpms

This modification absolutely resolved the sleep issue, but then I ran into my third problem: for some reason the omxplayer process sometimes hangs. I see the desktop on the TV but no movie, and when I look at my processes I see omxplayer still running. There's probably a more elegant fix (coreutils' timeout utility does exactly this kind of kill-after-N-seconds), but I decided to take a brute force approach. Rather than just play every video in my videos folder, this time I start each movie explicitly and use bash's & control operator to run it in the background, so my script keeps running even if the omxplayer process hangs. I then sleep for the duration of the video and issue a pkill command to kill the omxplayer process in case it is hung.

#!/bin/bash

cleanup()
# cleanup function: restore the cursor and white text
{
  setterm -cursor on
  setterm -foreground white -clear
  return $?
}

control_c()
# run if user hits control-c
{
  echo -en "\n*** Exiting! ***\n"
  cleanup
  exit $?
}

# trap keyboard interrupt (control-c)
trap control_c SIGINT

# main() loop
# get rid of the cursor so we don't see it when videos are running
setterm -cursor off
setterm -foreground black
setterm -clear

# the path to the directory containing my videos
VIDEOPATH="/home/pi/Desktop/videos"
# omxplayer is a wrapper script; the real player process is omxplayer.bin
SERVICE="omxplayer.bin"

# the infinite loop!
while true; do
  if pgrep "$SERVICE" > /dev/null
  then
    # a player is still around from the last pass (hung or not): kill it first
    pkill "$SERVICE"
    sleep 2
  else
    # run each movie in the background (&), sleep for its length, then kill
    # whatever is left so a hung player can't stall the loop
    omxplayer "$VIDEOPATH/movie1.mp4" > /dev/null &
    sleep 100
    pkill "$SERVICE" > /dev/null 2>&1
    omxplayer "$VIDEOPATH/movie2.mp4" > /dev/null &
    sleep 67
    pkill "$SERVICE" > /dev/null 2>&1
  fi
done

My final version of the script has been working beautifully and has proven to be a solid solution for running movies in a continuous loop on the Raspberry Pi platform.
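As an added example rather than the author's script, here is the same idea with coreutils' timeout(1) enforcing the per-video time limit instead of a hand-paired sleep and pkill: a hung omxplayer gets SIGTERM at the budget and SIGKILL shortly after, the loop carries on, and the player's exit status (124 when it had to be killed) is counted so you can see how often the hang actually happens. The /home/pi/Desktop/videos path, the optional <name>.secs file holding a video's length in seconds, and the overridable PLAYER_CMD (which lets the logic be exercised without a Pi or omxplayer) are my assumptions, not the post's.

```shell
#!/bin/bash
# Added example, not the author's script: "play, then kill if it is still
# running", with coreutils' timeout(1) doing the killing so a hung omxplayer
# cannot stall the loop and no per-file sleep has to be typed by hand.
# Assumptions (mine, not the post's): videos live in /home/pi/Desktop/videos;
# a file <name>.secs beside a video holds its length in seconds, otherwise
# MAX_SECS applies; PLAYER_CMD is overridable so the logic can be tested
# without a Pi (e.g. PLAYER_CMD="sh /tmp/fake-player").
set -u

VIDEOPATH="${VIDEOPATH:-/home/pi/Desktop/videos}"
MAX_SECS="${MAX_SECS:-600}"                 # ceiling for files with no .secs file
PLAYER_CMD="${PLAYER_CMD:-omxplayer -o hdmi}"

# Seconds to allow for a file: its .secs companion plus 5 s grace, else MAX_SECS.
time_budget() {
    local video="$1" secs
    if [ -r "${video%.*}.secs" ]; then
        read -r secs < "${video%.*}.secs"
        echo $((secs + 5))
    else
        echo "$MAX_SECS"
    fi
}

# Play one file under a time limit. Returns the player's exit status, or 124
# (timeout's convention) when the player had to be killed.
play_one() {
    local budget="$1" video="$2"
    # -k 5: SIGTERM at the budget, SIGKILL 5 s later if the player ignores it.
    # $PLAYER_CMD is deliberately unquoted so its own arguments split.
    timeout -k 5 "$budget" $PLAYER_CMD "$video" > /dev/null 2>&1
}

# One pass over the directory. Prints the number of files that had to be killed.
play_dir() {
    local dir="$1" killed=0 rc video
    for video in "$dir"/*.mp4; do
        [ -e "$video" ] || continue          # empty directory: glob stays literal
        rc=0
        play_one "$(time_budget "$video")" "$video" || rc=$?
        if [ "$rc" -eq 124 ]; then
            killed=$((killed + 1))
        fi
    done
    echo "$killed"
}

# The infinite loop only runs when asked for explicitly:  ./loop.sh run
# Without the argument the script just defines the functions above.
if [ "${1:-}" = "run" ]; then
    setterm -cursor off; setterm -foreground black; setterm -clear
    trap 'setterm -cursor on; setterm -foreground white -clear; exit' INT TERM
    while true; do
        killed=$(play_dir "$VIDEOPATH")
        if [ "$killed" -gt 0 ]; then
            logger -t videoloop "killed $killed hung player(s) this pass"
        fi
        sleep 1
    done
fi
```

Run it as ./loop.sh run on the Pi. The syslog line from logger is the check the original brute-force version lacks: if it shows up on every pass, omxplayer is hanging on a specific file rather than at random, and that file is the thing to look at.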

Until next time – GEEK OUT!

~GT~

   
