Remote administration

This tutorial describes how to set up remote administration so you can administrate your FREESCO without sitting in front of it. Instead you can use any computer on your LAN, or even a remote computer (such as at work or school) to do the administration. As FREESCO can be run without a screen or keyboard (if your BIOS allows this), you can hide the box behind your desk, in a wardrobe or wherever you want. You will still be able to administrate it!


Remote administration from within your LAN

There are two ways to do remote administration, using the Web Control Panel or using SSH. The control panel is a web page where you can modify many of the settings. The control panel is more user-friendly than the ordinary setup program but on the other hand you do not have quite the same power. While you can change anything in the setup program, you only have access to some of the settings in the control panel. By default this service is turned on, and if you followed the steps in Setting up FREESCO, it should be up and running.

SSH (Secure SHell) can also be used to do remote administration. When connecting to your FREESCO using SSH, you will end up at a prompt which will look and behave just as if you were sitting next to your FREESCO. You have access to the setup program and can make any change you like. The SSH server is not started by default, but if you followed the instructions in Setting up FREESCO, it should be running by now.

One note about security: the control panel is a web page accessible from your LAN. The username and password are sent unencrypted, so if anybody is sniffing your LAN, they might find out how to access the web control panel. Finally, everybody on your LAN has access to the page where you log in to the control panel. This means that anybody on your LAN can access the login page and start guessing a user name and a password. In other words, the control panel is NOT safe. If you do not trust the users on your LAN it might be a good idea to turn it off (using setting 45 'Control Panel and Time Server' and rebooting) and only use SSH. SSH is encrypted and much safer than the control panel.


Control panel

The Web Control Panel is turned on by default. You configure it using setting 45 (Control Panel and Time Server) and this is also where you disable the service. By default the control panel uses port 82, but this can also be changed in the setup program. After making changes to this setting, you should reboot your system, or at least do a

rc_httpd restart

to make the changes take effect. When accessing the control panel, you enter the IP of your FREESCO in the address field of your browser. As the control panel uses another port than regular web servers (they use port 80), you must also specify the port in the address field. Suppose your FREESCO is running as 192.168.0.1, then you should enter the following in the address field

http://192.168.0.1:82

If you are unsure about which IP your FREESCO is using, you can always look it up in the setup program. Setting 62 (Local Networks) will display the IP used for each network. Use this setting to look up the IP for network 0.

When accessing your FREESCO, you are also supposed to be able to use the host and domain that you specified when you set up the box. These settings are 611 and 612 and if you used the default values, your FREESCO should be reachable at

http://router.inet:82

There have been problems reported with using the host/domain to access the box, but they should be fixed in 035.


SSH

SSH is a very nice way to access your FREESCO. First of all, the protocol is encrypted which means that it is virtually impossible to find out user names, passwords, etc by sniffing your network. Also, when you connect using SSH you end up in a shell which acts just as if you were sitting in front of your FREESCO. This gives you full access to the setup program and all its powers. The SSH server is not turned on by default, but if you have set up your box as described in Setting up FREESCO, SSH should be enabled.

To connect to your FREESCO using SSH you need a client. If you are a Linux user you already have an SSH client in your shell. For Windows users I strongly recommend PuTTY. It is a free SSH client which is very easy to use. From PuTTY's home page, find the download page and get the binary you want. It should be enough to get putty.exe, but if you want some support during installation, getting putty-0.xx-installer.exe (where xx is a version) might be a better choice.

When you start PuTTY, you are presented with a screen that looks something like this:

[Figure: PuTTY startup screen]

To connect to your FREESCO, just enter the IP of your FREESCO in the field "Host Name". Also ensure that the SSH Protocol is selected and that the port is set to 22. Then click "Open". A window will pop up and notify you that the key of the server is not known to PuTTY. Just click "Yes" to accept that the key is stored on your computer. This will prevent the pop-up from being displayed the next time you connect to your FREESCO. When the pop-up has disappeared, a black box will be displayed. Here you enter the user and password of the user you want to log in as. If you enter the correct user/password, you should find yourself at a prompt which looks just as if you were sitting right in front of your FREESCO!

To simplify the process of connecting to your FREESCO, you can save a session in PuTTY. With such a saved session, you do not need to enter the IP each time you want to connect to your FREESCO. Instead, it is enough to load and open a saved session. To create a session for your FREESCO, just follow these steps:

This is just one of the ways to use PuTTY. PuTTY is highly configurable and I really recommend taking a look at the FAQ and the manual (available on the home page) to find out more about this great application.



Remote administration from the Internet

So far I have talked about administrating FREESCO from machines within your LAN. It is also possible to do this administration from a computer outside your LAN but connected to the Internet. Before you decide to enable this option you should realize that this is a security risk. It involves opening a port to the Internet and hackers might try to use this port to access your system. On the other hand, the possibility to administrate FREESCO over the Internet might be very useful. For example, I use SSH to administrate the FREESCO that my parents use. I see this as exchanging security for usability. There is a risk with opening a port, yes, but I gain so much from it that I am willing to take that risk.


SSH

The SSH server is already up and running, but it is not reachable from the Internet as it is configured to run in secure mode. To change this, log in to your FREESCO and start the setup program. From the Advanced Settings Menu, select setting 47 (SSH Server):

47 Enable SSH/SFTP server (y/s/n) [s]?

Change the "s" to a "y" which will enable the service to the "outside", then hit Enter.

471 SSH port [22]?

SSH uses port 22 as default, hence this port is often scanned by hackers, looking for a machine to attack. You can increase security a bit by running your SSH server on a different port. Ports below 1024 are reserved so select a port with a higher value, but use one below 42000. IANA holds a list of registered ports and using one of the unassigned ports on this list is preferable.

The rest of the settings for the SSH server can be kept as they are so just hit Enter until you are back in the menu. Save your changes and when you are back at the prompt, you should either reboot or run

rc_sshd restart

which will restart the SSH server.

Once you have changed the port that your SSH server runs on, you must also update the port specified in your PuTTY saved session (if you created one). If you forget to update the session, it will not be able to connect to your FREESCO as it still will use port 22.

Besides running the service on a non-standard port, security can be increased by using an add-on package called knock. This package runs on your FREESCO and keeps the SSH port closed until you "knock" a specific sequence of ports (done with a knock client). Then the port is opened and it is possible to connect to your machine. As the port is closed until you knock the correct ports in the correct sequence, the risk of trespassing is decreased.


Control panel

As described above, the control panel is insecure and obviously the service should NOT be enabled worldwide (although setting 45 can be used to do this). But it is possible to use an SSH connection to "tunnel" a connection to the control server. With this setup it is possible to access the control panel in a secure way. Dingetje posted these instructions once. The post describes how to tunnel a connection to the control panel using an add-on package for SSH. Now that SSH is included in FREESCO the process is even simpler. Assuming you already have a PuTTY saved session for connecting to your FREESCO, the process for tunnelling a connection to the control panel is

The same can also be achieved with a command-line ssh client:

$ ssh -p ssh_server_port -L 8080:127.0.0.1:82 user@your.public.ip

Then you can point your browser to http://127.0.0.1:8080
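The tunnel above is only as private as its local end. The following added example (not part of the original page or of FREESCO) builds the same command with the forward bound explicitly to loopback, and checks `ss -ltn` output to confirm the local listener is not reachable from other hosts. The function names, the sample `ss` lines and the use of a Linux client with OpenSSH and `ss` are assumptions.

```shell
#!/bin/sh
# Added example, not FREESCO or PuTTY code; function names are assumptions.

# Port rule from the SSH section: 22 is the default, otherwise choose a port
# above the reserved range and below 42000.
valid_ssh_port() {
    case "$1" in ''|*[!0-9]*|??????*) return 1 ;; esac
    [ "$1" -eq 22 ] || { [ "$1" -gt 1024 ] && [ "$1" -lt 42000 ]; }
}

# Print the tunnel command for user $1, host $2, SSH port $3 and optional
# local port $4 (default 8080). The local end is pinned to 127.0.0.1 so the
# control panel is not re-exposed on the client's own network.
tunnel_cmd() {
    valid_ssh_port "$3" || { echo "bad SSH port: $3" >&2; return 1; }
    case "$1@$2" in
        -*|*[!A-Za-z0-9@._-]*) echo "bad user or host" >&2; return 1 ;;
    esac
    echo "ssh -N -p $3 -o ExitOnForwardFailure=yes" \
         "-L 127.0.0.1:${4:-8080}:127.0.0.1:82 $1@$2"
}

# Read `ss -ltn` output on stdin and classify the listener on local port $1:
# 0 = loopback only, 1 = reachable from other hosts, 2 = not listening.
forward_exposure() {
    awk -v port="$1" '
        $1 == "LISTEN" && $4 ~ (":" port "$") {
            addr = $4; sub(/:[0-9]+$/, "", addr)
            if (addr == "127.0.0.1" || addr == "[::1]") ok++; else bad++
        }
        END { if (bad) exit 1; if (!ok) exit 2; exit 0 }'
}

# Constructed `ss -ltn` lines: a loopback-bound forward and a wildcard one.
good='LISTEN 0 128 127.0.0.1:8080 0.0.0.0:*'
bad='LISTEN 0 128 0.0.0.0:8080 0.0.0.0:*'
tunnel_cmd user your.public.ip 2222
echo "$good" | forward_exposure 8080 && echo "loopback only"
echo "$bad"  | forward_exposure 8080 || echo "exposed beyond loopback"
```

On a live client, run `ss -ltn | forward_exposure 8080` after the tunnel is up; a result of 1 means the forward is listening on an address other hosts can reach.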



Getting a free domain name

If you have a dynamic IP, remote administration from outside your LAN gets a bit tricky. As your IP is dynamic, it is hard to know which IP your FREESCO is assigned. With a dial-up connection, you will probably get a new IP each time FREESCO connects to the Internet. Thanks to free services such as DynDNS, DHS and zoneedit this can be solved pretty easily. What these services do is connect an IP to a domain name, pretty much like "normal" domain names work. The main difference is that with these services you can update the IP linked to the domain name. Once you have created an account and configured your FREESCO, your box will keep updating the service with your current IP. As the service is updated every time your FREESCO gets a new IP, your domain will keep working even if your IP changes. All it takes is to open an account with any of these services and then configure your FREESCO to use that information.

Start by opening an account on any of these services. I use DynDNS myself and it has been working very well. Then log in to FREESCO as super user and start the setup program. Open the Advanced Settings Menu and select setting 49 (DynDNS client).

        Dynamic DNS is a service that you can use to get an automatically
        updated hostname on the Internet for your external IP address.
        Then a hostname (something like http://I-love-Freesco.dyndns.org)
        will resolve to your IP address.
        Please visit www.dyndns.org, www.zoneedit.com, www.dhs.org,
        domain-dns.com, or www.loopia.se for more information and to
        create an account.

        NOTE: Other service providers can also be supported with the new
            'unsupported' configuration option.

49 Enable the DynDNS/ZoneEdit/dhs/domain-dns client (y/n) [n]?

By default this setting is off ("n") but you should change this to "y". Press Enter to continue.

49 Setup your Dynamic DNS client now (y/n) []?

Now you are asked if you want to setup the DynDNS client. Type "y" and press Enter to set up the client. The configuration file used for the DynDNS client is opened in an editor. The following should be edited:

Now the following text is displayed:

        NOTE: If you have a semi-permanent IP address and you are using a
        dynamic DNS account ,it must be updated at least once a month or
        the account will expire. If you enable "crond" there is a line
        that you can uncomment that will update your account automaticly.


 <ENTER> to continue

As the text says, if you have an IP which isn't changed very often, you must update your DynDNS account manually at least once a month or your account will terminate. The process of updating your account can be automated using cron and I will show how to do this later on. For now, just press Enter and continue.

        If you want all of your internal machines to resolve the dyndns
        URL to the router ,then you need to enable the following option.

491 Enable local dyndns URL lookup (y/n) [y]?

Just accept the default value here by pressing Enter. When you are back in the setup menu, save your changes and exit the setup program. By now your configuration should be ok, but you haven't sent any information to DynDNS yet so you should not expect your domain to work. Verify this by typing

[root@Freesco] ping your.dyndns.domain

Nothing should happen. Press CTRL-C to kill the ping, and you should see a message like this:

--- your.dyndns.domain ping statistics ---
137 packets transmitted, 0 packets received, 100% packet loss

To update your account at DynDNS use the command

[root@Freesco] dyndns

This command sends data to DynDNS in order to update your account with your current IP. To check the result, take a look in the log:

[root@Freesco] cat /var/infolog

At the end of the log, there should be a line like this (where aaa.bbb.ccc.ddd is your IP):

Jan 16 05:34:27 - dyndns: dyndns updated 'aaa.bbb.ccc.ddd'

If you see this, you know that the update succeeded and you should be able to ping your own site:

[root@Freesco] ping your.dyndns.domain
PING your.dyndns.domain (aaa.bbb.ccc.ddd): 56 data bytes
64 bytes from aaa.bbb.ccc.ddd: icmp_seq=0 ttl=64 time=0.2 ms
64 bytes from aaa.bbb.ccc.ddd: icmp_seq=1 ttl=64 time=0.1 ms
64 bytes from aaa.bbb.ccc.ddd: icmp_seq=2 ttl=64 time=0.1 ms
64 bytes from aaa.bbb.ccc.ddd: icmp_seq=3 ttl=64 time=0.1 ms

Now you know that your DynDNS account is correctly configured. Press CTRL-C to kill the ping command. If you use the phone to connect to your ISP you are done by now. But if you have ADSL or cable, you probably have a semi-permanent IP. This means that your IP is dynamic but it is rarely changed. DynDNS expects all clients to update their IP at least once a month, else the account will be terminated. With a semi-permanent IP chances are good that your IP changes less frequently and hence your account will be terminated (although you will get a reminder e-mail first). However, you can configure cron to update your account twice a month. This is how you do this:

Now cron is enabled and it will update your DynDNS account twice a month!
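A check for the log line shown above, as an added example that is not part of FREESCO: it reads the newest "dyndns updated" entry from a copy of /var/infolog and compares the logged address with the one the name currently resolves to, which is a quick way to confirm that the cron-driven updates are still arriving. The function names and the sample log are constructed, and a POSIX shell with awk is assumed.

```shell
#!/bin/sh
# Added example, not part of FREESCO. Only the "dyndns updated" line format
# is taken from the page; function names and sample data are assumptions.

# Constructed sample of /var/infolog (documentation addresses, not real ones).
sample_log() {
    cat <<'EOF'
Jan 02 04:00:11 - dyndns: dyndns updated '192.0.2.10'
Jan 09 18:21:40 - constructed: unrelated log entry
Jan 16 05:34:27 - dyndns: dyndns updated '198.51.100.7'
EOF
}

# Print "<timestamp>|<ip>" for the newest successful update in log file $1.
last_dyndns_update() {
    awk '/ - dyndns: dyndns updated / {
             ip = $NF; gsub(/[^0-9.]/, "", ip)   # drop the quotes around the IP
             last = $1 " " $2 " " $3 "|" ip
         }
         END { if (last == "") exit 1; print last }' "$1"
}

# Succeed only for a dotted quad with every octet in 0..255.
is_ipv4() {
    echo "$1" | awk -F. '{ if (NF != 4) exit 1
                           for (i = 1; i <= 4; i++)
                               if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# Compare the newest logged address in $1 with the resolved address $2.
# Exit status: 0 = match, 1 = mismatch, 2 = no usable log entry.
check_dyndns() {
    entry=$(last_dyndns_update "$1") || { echo "NO_UPDATE_LOGGED"; return 2; }
    ip=${entry#*|}
    is_ipv4 "$ip" || { echo "BAD_LOG_ENTRY"; return 2; }
    if [ "$ip" = "$2" ]; then
        echo "OK $ip (${entry%%|*})"
    else
        echo "MISMATCH logged=$ip resolved=$2"; return 1
    fi
}

# Demo on the constructed log: the name still resolves to the older address.
log=$(mktemp) && sample_log > "$log"
check_dyndns "$log" 192.0.2.10 || true
rm -f "$log"
```

The second argument is the address your name resolves to, for example the one printed in the first line of the ping output.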



Page author: My email

Last modified: Tue Apr 15 22:37:19 CEST 2008
