Good day at the museum. There was a grand opening today for the wireless operators' exhibit down the hall from us, so we have a lot of visitors. Around 20 total of all ages spread over several hours. Bill Dudley stopped by around 4pm. We began the process of transferring the kiosk system from a hidden directory on vcfed.org to an internal server (on a Raspberry Pi!) in the museum. We're going to need a static IP service for remote access to the kiosk server and our IP security cameras.
We can setup internal static IP addresses on the router, and setup port forwarding so that they are accessible from the internet. No outside service necessary. I can do it next time I'm in.
We can setup internal static IP addresses on the router, and setup port forwarding so that they are accessible from the internet. No outside service necessary.
That's what Bill did, but there were issues related to the router's IP changing, various ports being blocked (we think), and the router itself misbehaving.
If the router's external IP address changes you need some kind of external service to find it. I use a dynamic DNS service from www.mythic-beasts.com. There is a scheduled task on my Windows PC that updates the address.
Dave
Thanks. I think our service lets us reserve one public IP. I'll work directly with Bill.
The Sprint-supplied router has no mechanism to work with dyndns.org or equivalent.
I think the Sprint service blocks incoming traffic on port 80, but I can work around that by using port 8090 as the external access http port. I have the apache on the pi listening on both 80 and 8090. Sprint does allow incoming on port 22 (ssh), so I've been able to do some administration from home.
The static ip is just so we can find the pi web server (on 8090) from outside, for administrative purposes. There won't be a lot of traffic, and only Evan and select few others will be using that, to allow updating the museum kiosk content from home.
The next job that needs to be done is to delete the (useless) port forward for port 80 to the pi, and add a port forward to port 8090 on the pi. The pi is now static at 192.168.0.5. I was able to set that up in the Sprint router (mac address -> fixed IP address).
Long term, I may move the listen port for ssh from 22 to something less obvious (security by obscurity), OR change the pi's ssh to only use public/private key authentication. Because our external IP is in a block usually used by cell phones, that means that it won't normally be a target for hackers, as they don't expect open ssh ports on cell phones.
Any questions, don't hesitate to contact me.
Bill Dudley
This email is free of malware because I run Linux.
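An added example (not part of the thread and not any poster's configuration): a small Python audit of the two ssh options weighed in the message above, moving the listen port versus key-only authentication. The sample configs are constructed, and the parser is an assumption-level sketch that reads only the global section of an `sshd_config` (no `Match` or `Include` handling).

```python
# sshd uses the FIRST value it finds for each keyword; later duplicates are
# ignored. Multiple Port lines are the exception: they accumulate.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}
# OpenSSH defaults that apply when a keyword is absent or commented out.
DEFAULTS = {"passwordauthentication": "yes",
            "kbdinteractiveauthentication": "yes",
            "pubkeyauthentication": "yes"}

def effective_settings(config_text):
    """Resolve the global-section settings the way sshd would."""
    seen, ports = {}, []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split()
        key = ALIASES.get(parts[0].lower(), parts[0].lower())
        if key == "match":
            break  # conditional blocks follow; not audited here
        if len(parts) < 2:
            continue
        if key == "port":
            ports.append(int(parts[1]))
        elif key not in seen:  # first occurrence wins
            seen[key] = parts[1].lower()
    settings = {**DEFAULTS, **seen}
    settings["ports"] = ports or [22]
    return settings

def audit(config_text):
    s = effective_settings(config_text)
    password_login = "yes" in (s["passwordauthentication"],
                               s["kbdinteractiveauthentication"])
    findings = []
    if password_login:
        findings.append("password login still accepted on port(s) %s" % s["ports"])
    if s["pubkeyauthentication"] != "yes":
        findings.append("public-key login is disabled")
    key_only = not password_login and s["pubkeyauthentication"] == "yes"
    return {"ports": s["ports"], "key_only": key_only, "findings": findings}

# Constructed sample: port moved, password auth left at its default.
MOVED_PORT = "Port 2222\n#PasswordAuthentication yes\n"
# Constructed sample: key-only; the trailing duplicate line is ignored by sshd.
KEY_ONLY = ("Port 22\nPasswordAuthentication no\n"
            "ChallengeResponseAuthentication no\nPasswordAuthentication yes\n")

if __name__ == "__main__":
    for name, cfg in (("moved port", MOVED_PORT), ("key only", KEY_ONLY)):
        print(name, audit(cfg))
```

The first sample still accepts passwords on the new port, while the second refuses them even though it stays on port 22.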
Bill,
Nice, thanks, I agree. I'll see what we can do about getting a fixed external IP for that router. I would definitely recommend changing the ssh port. I've seen mobile exploits that look for any vulnerability, especially on Android. I agree that they don't usually do full port scans; waste of time on most mobiles.
Dean