astlinux-users — AstLinux Users Mailing List

Re: [Astlinux-users] after a hard power-down by unplugging the power cord and the pbx won't boot

[Michael K. <li...@mk...>]

<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body dir="auto"><div style="display: block;" class=""><div style="-webkit-user-select: all; -webkit-user-drag: element; display: inline-block;" class="apple-rich-link" draggable="true" role="link" data-url="https://www.cyberciti.biz/faq/unix-linux-apple-osx-bsd-screen-set-baud-rate/"><a style="border-radius:10px;font-family:-apple-system, Helvetica, Arial, sans-serif;display:block;-webkit-user-select:none;width:228px;user-select:none;-webkit-user-modify:read-only;user-modify:read-only;overflow:hidden;text-decoration:none;" class="lp-rich-link" rel="nofollow" href="https://www.cyberciti.biz/faq/unix-linux-apple-osx-bsd-screen-set-baud-rate/" dir="ltr" role="button" draggable="false" width="228"><table style="table-layout:fixed;border-collapse:collapse;width:228px;background-color:#DFDFE1;font-family:-apple-system, Helvetica, Arial, sans-serif;" class="lp-rich-link-emailBaseTable" cellpadding="0" cellspacing="0" border="0" width="228"><tbody><tr><td vertical-align="center" align="center"><img style="width:228px;filter:brightness(0.97);height:285px;" width="228" height="285" draggable="false" class="lp-rich-link-mediaImage" alt="screen-baud-rate-output.png" src="cid:CF9B07A9-0BE4-4422-87C2-FD35EB00417D"></td></tr><tr><td vertical-align="center"><table bgcolor="#DFDFE1" cellpadding="0" cellspacing="0" width="228" style="font-family:-apple-system, Helvetica, Arial, sans-serif;table-layout:fixed;background-color:rgba(223, 223, 225, 1);" class="lp-rich-link-captionBar"><tbody><tr><td style="padding:8px 0px 8px 0px;" class="lp-rich-link-captionBar-textStackItem"><div style="max-width:100%;margin:0px 16px 0px 16px;overflow:hidden;" class="lp-rich-link-captionBar-textStack"><div style="word-wrap:break-word;font-weight:500;font-size:12px;overflow:hidden;text-overflow:ellipsis;text-align:left;" class="lp-rich-link-captionBar-textStack-topCaption-leading"><a rel="nofollow" href="https://www.cyberciti.biz/faq/unix-linux-apple-osx-bsd-screen-set-baud-rate/" style="text-decoration: none" draggable="false"><font color="#000000" style="color: rgba(0, 0, 0, 1);">Screen command set baud rate for terminal communication</font></a></div><div style="word-wrap:break-word;font-weight:400;font-size:11px;overflow:hidden;text-overflow:ellipsis;text-align:left;" class="lp-rich-link-captionBar-textStack-bottomCaption-leading"><a rel="nofollow" href="https://www.cyberciti.biz/faq/unix-linux-apple-osx-bsd-screen-set-baud-rate/" style="text-decoration: none" draggable="false"><font color="#A2A2A9" style="color: rgba(60, 60, 67, 0.6);">cyberciti.biz</font></a></div></div></td></tr></tbody></table></td></tr></tbody></table></a></div></div><br>19200 8N1 is the right baudrate for Alix on the 1.2.10 ISO.<div><br></div><div><div style="display: block;" class=""><div style="-webkit-user-select: all; -webkit-user-drag: element; display: inline-block;" class="apple-rich-link" draggable="true" role="link" data-url="http://doc.astlinux-project.org/userdoc:legacy-installer-iso"><a style="border-radius:10px;font-family:-apple-system, Helvetica, Arial, sans-serif;display:block;-webkit-user-select:none;width:300px;user-select:none;-webkit-user-modify:read-only;user-modify:read-only;overflow:hidden;text-decoration:none;" class="lp-rich-link" rel="nofollow" href="http://doc.astlinux-project.org/userdoc:legacy-installer-iso" dir="ltr" role="button" draggable="false" width="300"><table style="table-layout:fixed;border-collapse:collapse;width:300px;background-color:#DFDFE1;font-family:-apple-system, Helvetica, Arial, sans-serif;" class="lp-rich-link-emailBaseTable" cellpadding="0" cellspacing="0" border="0" width="300"><tbody><tr><td vertical-align="center"><table bgcolor="#DFDFE1" cellpadding="0" cellspacing="0" width="300" style="font-family:-apple-system, Helvetica, Arial, sans-serif;table-layout:fixed;background-color:rgba(223, 223, 225, 1);" class="lp-rich-link-captionBar"><tbody><tr><td style="padding:8px 0px 8px 0px;" class="lp-rich-link-captionBar-textStackItem"><div style="max-width:100%;margin:0px 16px 0px 16px;overflow:hidden;" class="lp-rich-link-captionBar-textStack"><div style="word-wrap:break-word;font-weight:500;font-size:12px;overflow:hidden;text-overflow:ellipsis;text-align:left;" class="lp-rich-link-captionBar-textStack-topCaption-leading"><a rel="nofollow" href="http://doc.astlinux-project.org/userdoc:legacy-installer-iso" style="text-decoration: none" draggable="false"><font color="#000000" style="color: rgba(0, 0, 0, 1);">userdoc:legacy-installer-iso [AstLinux Documentation]</font></a></div><div style="word-wrap:break-word;font-weight:400;font-size:11px;overflow:hidden;text-overflow:ellipsis;text-align:left;" class="lp-rich-link-captionBar-textStack-bottomCaption-leading"><a rel="nofollow" href="http://doc.astlinux-project.org/userdoc:legacy-installer-iso" style="text-decoration: none" draggable="false"><font color="#A2A2A9" style="color: rgba(60, 60, 67, 0.6);">doc.astlinux-project.org</font></a></div></div></td><td style="padding:6px 12px 6px 0px;" class="lp-rich-link-captionBar-rightIconItem" width="36"><a rel="nofollow" href="http://doc.astlinux-project.org/userdoc:legacy-installer-iso" draggable="false"><img style="pointer-events:none !important;display:inline-block;width:36px;height:36px;border-radius:3px;" width="36" height="36" draggable="false" class="lp-rich-link-captionBar-rightIcon" alt="apple-touch-icon.png" src="cid:C6011457-AEE3-4F40-B4A5-643C4C38B9E1"></a></td></tr></tbody></table></td></tr></tbody></table></a></div><br></div><div><br><div dir="ltr">Sent from a mobile device.<div><br></div><div>Michael Keuter</div></div><div dir="ltr"><br><blockquote type="cite">Am 26.09.2023 um 21:33 schrieb nedi &lt;ne...@gm...&gt;:<br><br></blockquote></div><blockquote type="cite"><div dir="ltr"><span>Hello Michael,</span><br><span></span><br><span>I've tried everything, but I can't seem to read the USB stick.</span><br><span></span><br><span>I have two Alix devices with 3 LAN ports and a serial connection (Alix2e13). I'm interested in migrating all the settings to the same AstLinux version. Is this possible?</span><br><span></span><br><span>I attempted to use the AstLinux 1.2.10 serial ISO with a serial terminal, but I'm only getting strange characters when trying to access AstLinux via a serial connection on my Mac using both the "serial" app and the Mac Terminal.</span><br><span></span><br><span>I have a USB-to-serial adapter and I've tried the following commands:</span><br><span></span><br><span> &nbsp; &nbsp;• screen /dev/cu.usbserial 19200</span><br><span> &nbsp; &nbsp;• screen /dev/cu.usbserial 19200,cs8</span><br><span> &nbsp; &nbsp;• screen /dev/cu.usbserial 19200n8</span><br><span> &nbsp; &nbsp;• screen /dev/cu.usbserial 115200</span><br><span>Is this the correct ISO for the Alix2e13? Also, is it possible to restore the last backup on this new installation?</span><br><span></span><br><span>Best regards, Nedi</span><br><blockquote type="cite"><span>Am 26.09.2023 um 11:23 schrieb Michael Keuter &lt;li...@mk...&gt;:</span><br></blockquote><blockquote type="cite"><span></span><br></blockquote><blockquote type="cite"><span></span><br></blockquote><blockquote type="cite"><blockquote type="cite"><span>Am 26.09.2023 um 10:53 schrieb nedi &lt;ne...@gm...&gt;:</span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span></span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span>Hello,</span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span></span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span>I have an Astlinux installation using the old astlinux astlinux-1.2.8 i586 - Asterisk 1.8.32.3 and alix board. </span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span>Astlinus is on Kingston USB stick. The customer do a hard power-down by unplugging the power cord and the pbx won't boot. has anyone the soulution to fix that. </span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span>on boot I &nbsp;get errors</span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span>squashfs error &nbsp;unable to read dpage ,block xxxx</span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span>and read on /mnt/root/bzimage failed :input output error</span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span></span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span>I hope someone can help me to fix that without new install</span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span>regards nedi </span><br></blockquote></blockquote><blockquote type="cite"><span></span><br></blockquote><blockquote type="cite"><span></span><br></blockquote><blockquote type="cite"><span>In the Syslinux bootloader you can select "shell" (instead of the default "runnix") to skip booting into AstLinux and try to repair the filesystem with "fsck":</span><br></blockquote><blockquote type="cite"><span></span><br></blockquote><blockquote type="cite"><span>https://doc.astlinux-project.org/userdoc:system-boot-process</span><br></blockquote><blockquote type="cite"><span></span><br></blockquote><blockquote type="cite"><span>Michael</span><br></blockquote><blockquote type="cite"><span></span><br></blockquote><blockquote type="cite"><span>http://www.mksolutions.info</span><br></blockquote><blockquote type="cite"><span></span><br></blockquote><blockquote type="cite"><span></span><br></blockquote><blockquote type="cite"><span></span><br></blockquote><blockquote type="cite"><span></span><br></blockquote><blockquote type="cite"><span></span><br></blockquote><blockquote type="cite"><span>_______________________________________________</span><br></blockquote><blockquote type="cite"><span>Astlinux-users mailing list</span><br></blockquote><blockquote type="cite"><span>Ast...@li...</span><br></blockquote><blockquote type="cite"><span>https://lists.sourceforge.net/lists/listinfo/astlinux-users</span><br></blockquote><blockquote type="cite"><span></span><br></blockquote><blockquote type="cite"><span>Donations to support AstLinux are graciously accepted via PayPal to pa...@kr....</span><br></blockquote><span></span><br><span></span><br><span></span><br><span>_______________________________________________</span><br><span>Astlinux-users mailing list</span><br><span>Ast...@li...</span><br><span>https://lists.sourceforge.net/lists/listinfo/astlinux-users</span><br><span></span><br><span>Donations to support AstLinux are graciously accepted via PayPal to pa...@kr....</span></div></blockquote></div></div></body></html>

Re: [Astlinux-users] after a hard power-down by unplugging the power cord and the pbx won't boot

[nedi <ne...@gm...>]

Hello Michael,

I've tried everything, but I can't seem to read the USB stick.

I have two Alix devices with 3 LAN ports and a serial connection (Alix2e13). I'm interested in migrating all the settings to the same AstLinux version. Is this possible?

I attempted to use the AstLinux 1.2.10 serial ISO with a serial terminal, but I'm only getting strange characters when trying to access AstLinux via a serial connection on my Mac using both the "serial" app and the Mac Terminal.

I have a USB-to-serial adapter and I've tried the following commands:

	• screen /dev/cu.usbserial 19200
	• screen /dev/cu.usbserial 19200,cs8
	• screen /dev/cu.usbserial 19200n8
	• screen /dev/cu.usbserial 115200
Is this the correct ISO for the Alix2e13? Also, is it possible to restore the last backup on this new installation?

Best regards, Nedi
> Am 26.09.2023 um 11:23 schrieb Michael Keuter <li...@mk...>:
> 
> 
>> Am 26.09.2023 um 10:53 schrieb nedi <ne...@gm...>:
>> 
>> Hello,
>> 
>> I have an Astlinux installation using the old astlinux astlinux-1.2.8 i586 - Asterisk 1.8.32.3 and alix board. 
>> Astlinus is on Kingston USB stick. The customer do a hard power-down by unplugging the power cord and the pbx won't boot. has anyone the soulution to fix that. 
>> on boot I  get errors
>> squashfs error  unable to read dpage ,block xxxx
>> and read on /mnt/root/bzimage failed :input output error
>> 
>> I hope someone can help me to fix that without new install
>> regards nedi 
> 
> 
> In the Syslinux bootloader you can select "shell" (instead of the default "runnix") to skip booting into AstLinux and try to repair the filesystem with "fsck":
> 
> https://doc.astlinux-project.org/userdoc:system-boot-process
> 
> Michael
> 
> http://www.mksolutions.info
> 
> 
> 
> 
> 
> _______________________________________________
> Astlinux-users mailing list
> Ast...@li...
> https://lists.sourceforge.net/lists/listinfo/astlinux-users
> 
> Donations to support AstLinux are graciously accepted via PayPal to pa...@kr....

Re: [Astlinux-users] after a hard power-down by unplugging the power cord and the pbx won't boot

[Michael K. <li...@mk...>]

> Am 26.09.2023 um 10:53 schrieb nedi <ne...@gm...>:
> 
> Hello,
> 
> I have an Astlinux installation using the old astlinux astlinux-1.2.8 i586 - Asterisk 1.8.32.3 and alix board. 
> Astlinus is on Kingston USB stick. The customer do a hard power-down by unplugging the power cord and the pbx won't boot. has anyone the soulution to fix that. 
> on boot I  get errors
> squashfs error  unable to read dpage ,block xxxx
> and read on /mnt/root/bzimage failed :input output error
> 
> I hope someone can help me to fix that without new install
> regards nedi 


In the Syslinux bootloader you can select "shell" (instead of the default "runnix") to skip booting into AstLinux and try to repair the filesystem with "fsck":

https://doc.astlinux-project.org/userdoc:system-boot-process

Michael

http://www.mksolutions.info

[Astlinux-users] after a hard power-down by unplugging the power cord and the pbx won't boot

[nedi <ne...@gm...>]

Hello,

I have an Astlinux installation using the old astlinux astlinux-1.2.8 i586 - Asterisk 1.8.32.3 and alix board. 
Astlinus is on Kingston USB stick. The customer do a hard power-down by unplugging the power cord and the pbx won't boot. has anyone the soulution to fix that. 
on boot I  get errors
squashfs error  unable to read dpage ,block xxxx
and read on /mnt/root/bzimage failed :input output error

I hope someone can help me to fix that without new install
regards nedi 

Re: [Astlinux-users] Syslogd to remote

[Lonnie A. <li...@lo...>]

Try looking via:
--
grep -rs 'SYSLOGHOST=' /etc/

grep -rs 'SYSLOGHOST=' /mnt/kd/

grep -rs 'SYSLOGHOST=' /mnt/asturw/
--

Lonnie


> On Sep 20, 2023, at 11:56 AM, Ionel Chila via Astlinux-users <ast...@li...> wrote:
> 
> Thanks Lonnie and that is where I am going crazy LOL.  In my rc.conf I have nothing defined for SYSLOGHOST=
> 
> Not sure if I plugged that value somewhere else? Or I have a startup script  I know is running and sending logs to my .77 :)
> 
> 
> 
>> On Sep 20, 2023, at 11:43 AM, Lonnie Abelbeck <li...@lo...> wrote:
>> 
>> 
>> 
>>> On Sep 20, 2023, at 10:37 AM, Ionel Chila via Astlinux-users <ast...@li...> wrote:
>>> 
>>> For the love of my life I can't find the settings from my syslog that is currently sending logs to an external server. Can't find the config file nor anyweher in the web gui menu? Am I going crazy here?
>>> I know I am sending stuff out :)
>>> 
>>> HOME-PBX init.d # ps -ef |grep syslog
>>> 310 root syslogd -s 1024 -b 2
>>> 935 root syslogd -R 192.168.0.77:514 -L -O /var/log/messages
>> 
>> Hi Ionel,
>> 
>> You have the SYSLOGHOST variable defined (ie. SYSLOGHOST="192.168.0.77:514")
>> 
>> For documentation reference look in /stat/etc/rc.conf [1]
>> 
>> Lonnie
>> 
>> [1] https://github.com/astlinux-project/astlinux/blob/0c813dffa5d59ffa34d39624eb6a63ae7662a535/project/astlinux/target_skeleton/stat/etc/rc.conf#L476
>> 
>> 
>> 
>> _______________________________________________
>> Astlinux-users mailing list
>> Ast...@li...
>> https://lists.sourceforge.net/lists/listinfo/astlinux-users
>> 
>> Donations to support AstLinux are graciously accepted via PayPal to pa...@kr....
> 
> _______________________________________________
> Astlinux-users mailing list
> Ast...@li...
> https://lists.sourceforge.net/lists/listinfo/astlinux-users
> 
> Donations to support AstLinux are graciously accepted via PayPal to pa...@kr....

Re: [Astlinux-users] Syslogd to remote

[Ionel C. <ion...@me...>]

Thanks Lonnie and that is where I am going crazy LOL.  In my rc.conf I have nothing defined for SYSLOGHOST=Not sure if I plugged that value somewhere else? Or I have a startup script  I know is running and sending logs to my .77 :)On Sep 20, 2023, at 11:43 AM, Lonnie Abelbeck <li...@lo...> wrote:On Sep 20, 2023, at 10:37 AM, Ionel Chila via Astlinux-users <ast...@li...> wrote:For the love of my life I can't find the settings from my syslog that is currently sending logs to an external server. Can't find the config file nor anyweher in the web gui menu? Am I going crazy here?I know I am sending stuff out :)HOME-PBX init.d # ps -ef |grep syslog 310 root     syslogd -s 1024 -b 2 935 root     syslogd -R 192.168.0.77:514 -L -O /var/log/messagesHi Ionel,You have the SYSLOGHOST variable defined (ie. SYSLOGHOST="192.168.0.77:514")For documentation reference look in /stat/etc/rc.conf [1]Lonnie[1] https://github.com/astlinux-project/astlinux/blob/0c813dffa5d59ffa34d39624eb6a63ae7662a535/project/astlinux/target_skeleton/stat/etc/rc.conf#L476_______________________________________________Astlinux-users mailing lis...@li...://lists.sourceforge.net/lists/listinfo/astlinux-usersDonations to support AstLinux are graciously accepted via PayPal to pa...@kr....

Re: [Astlinux-users] Syslogd to remote

[Lonnie A. <li...@lo...>]

> On Sep 20, 2023, at 10:37 AM, Ionel Chila via Astlinux-users <ast...@li...> wrote:
> 
> For the love of my life I can't find the settings from my syslog that is currently sending logs to an external server. Can't find the config file nor anyweher in the web gui menu? Am I going crazy here?
> I know I am sending stuff out :)
> 
> HOME-PBX init.d # ps -ef |grep syslog
>   310 root     syslogd -s 1024 -b 2
>   935 root     syslogd -R 192.168.0.77:514 -L -O /var/log/messages
> 

Hi Ionel,

You have the SYSLOGHOST variable defined (ie. SYSLOGHOST="192.168.0.77:514")

For documentation reference look in /stat/etc/rc.conf [1]

Lonnie

[1] https://github.com/astlinux-project/astlinux/blob/0c813dffa5d59ffa34d39624eb6a63ae7662a535/project/astlinux/target_skeleton/stat/etc/rc.conf#L476

[Astlinux-users] Syslogd to remote

[Ionel C. <ion...@me...>]

For the love of my life I can't find the settings from my syslog that is currently sending logs to an external server. Can't find the config file nor anyweher in the web gui menu? Am I going crazy here?I know I am sending stuff out :)HOME-PBX init.d # ps -ef |grep syslog  310 root     syslogd -s 1024 -b 2  935 root     syslogd -R 192.168.0.77:514 -L -O /var/log/messages

[Astlinux-users] AstLinux Pre-Release: astlinux-1.5-5875-b12fc0

[Lonnie A. <li...@lo...>]

Announcing AstLinux Pre-Release: astlinux-1.5-5875-b12fc0

AstLinux Project -> Development
https://www.astlinux-project.org/dev.html

** IMPORTANT NOTICE

-- Changes to supported firmware builds:
	== Previous 'ast13se' and 'ast16' firmware branches are no longer updated.
	== New 'ast16se' firmware branch, Asterisk 16.x built --without-pjproject and --without-dahdi
	== Previous 'ast18' firmware branch, Asterisk 18.x built --with-pjproject and --with-dahdi
	== New 'ast20' firmware branch, Asterisk 20.x built --with-pjproject and --with-dahdi

** The AstLinux Team is regularly upgrading packages containing security and bug fixes as well as adding new features of our own.

-- Linux Kernel 5.10.191 (version bump), security and bug fixes

-- OpenSSL, version bump to 1.1.1v, security fixes: CVE-2023-3446, CVE-2023-3817

-- chrony, version bump to 4.4

-- libcurl (curl) version bump to 8.2.1, security fixes: CVE-2023-32001

-- libxml2, version bump to 2.11.5

-- msmtp, version bump to 1.8.24

-- netsnmp, version bump to 5.9.4

-- screen, version 4.9.1, security fix: CVE-2023-24626

-- tinyproxy, version 1.11.1, now included in the standard builds, but disabled by default

-- unixodbc, version bump to 2.3.12

-- upgrade-run-image, limit "noram" loop mount from being removed during upgrade.

-- vnStat, version bump to 2.11

-- zlib, version bump to 1.3

-- Asterisk 16.30.0 ('16se' version bump)
	Last Asterisk 16.x "Legacy" version, built --without-pjproject and --without-dahdi

-- Asterisk 18.19.0 (version bump) and 20.4.0 (new version)
	Built --with-pjproject and --with-dahdi

-- DAHDI, dahdi-linux 3.2.0 (no change) and dahdi-tools 3.2.0 (no change)
	Add build fix to include "astribank" utilities

-- Added rc.conf variable DAHDI_DISABLE, disable DAHDI when set to "yes", defaults to "no".

-- pjsip 2.13.1 (version bump)

-- libpri, version bump to 1.6.1

-- Complete Pre-Release ChangeLog:
https://astlinux-project.org/beta/astlinux-changelog/ChangeLog.txt

The "AstLinux Pre-Release ChangeLog" and "Pre-Release Repository URL" entries can be found under the "Development" tab of the AstLinux Project web site ...

AstLinux Project -> Development
https://www.astlinux-project.org/dev.html


AstLinux Team

Re: [Astlinux-users] Accessing devices behind Astlinux

[Michael K. <mic...@ip...>]

Phew spent most of the day thinking about this but have come up a plan moving forward.
I have decided that we will continue to use SSH and SOCKS as we have been successfully doing so with a couple of improvements:

  1.  OpenSSH supports ProxyJump which you can use in ~/.ssh/config or as a -J directive. This will automatically pass your SSH tunnel through a hardened proxy server which you can set up individual users and then restrict SSH access from your Astlinux servers to this Jump server only. It seems to work well from my limited testing and Astlinux can be a Jump server.
  2.  As Lonnie mentioned we will script the addition and removal of SSH keys from devices from a trusted device (my laptop probably)

Thanks guys for your help.

Regards
Michael Knill


From: Michael Keuter <li...@mk...>
Date: Saturday, 19 August 2023 at 2:20 am
To: AstLinux Users Mailing List <ast...@li...>
Subject: Re: [Astlinux-users] Accessing devices behind Astlinux
Here is also an interesting video regarding jump servers:

https://www.youtube.com/watch?v=KIeBC7NIzj4

Michael

http://www.mksolutions.info

> Am 18.08.2023 um 17:44 schrieb Michael Keuter <li...@mk...>:
>
> Nice video, very interesting.
>
> BTW: on macOS you can install Proxychain via Homebrew with:
>
> brew install proxychains-ng
>
> and call it with "proxychain4 firefox".
>
>> Am 18.08.2023 um 17:02 schrieb Lonnie Abelbeck <li...@lo...>:
>>
>> Hi Michael,
>>
>> I don't have any personal experience to share, but Tom Lawrence has a related video [1]
>>
>> Youtube: SSH Jump Server Access and How To Pivot Using OpenVPN & Proxychains
>>
>> I suspect this could all be done with SSH+SOCKS (Proxychains) and no OpenVPN tunnel as his example does.
>>
>> Key takeaways are to encrypt the Jump Server's drive (and backup), keep it local and secure from the internet, limit remote AstLinux SSH access via its firewall and Jump Server ssh key.
>>
>>
>> Alternatively, some sort of automation to keep the remote AstLinux SSH keys updated from one hardened location.
>>
>> Lonnie
>>
>> [1] https://www.youtube.com/watch?v=jqudlmfG0zA
>>
>>
>>
>>> On Aug 18, 2023, at 2:17 AM, Michael Knill <mic...@ip...> wrote:
>>>
>>> Hi All
>>>
>>> Here is the issue:
>>> We access devices behind Astlinux currently using SSH Tunnelling and SOCKS. It works well however it is becoming increasingly difficult in managing local authentication to do this such as using SSH Keys.
>>> We are going to be bringing on additional staff and I don’t want to have to go into every system to add credentials or keys every time we bring on a new staffmember.
>>>
>>> Just wondering if there are any options for external authentication of SSH rather than local on Astlinux e.g. using RADIUS
>>> Could there be any other options e.g. HTTPS proxy?
>>>
>>> Regards
>>>
>>> Michael Knill
>>> Managing Director



_______________________________________________
Astlinux-users mailing list
Ast...@li...
https://lists.sourceforge.net/lists/listinfo/astlinux-users

Donations to support AstLinux are graciously accepted via PayPal to pa...@kr....

Re: [Astlinux-users] Accessing devices behind Astlinux

[Michael K. <mic...@ip...>]

Thanks guys. Very interesting info.

We are already using SSH Key only and SOCKS to access devices behind Astlinux which works well.
I didn’t know about proxychains though which will be MUCH better than having to keep changing the proxy config on Firefox.

I have considered using a jump server in our management network but there was always the concern that if it was compromised then attackers are a step closer to being able to access all our systems and possibly the devices behind them.
There are certainly a few things that you can do however to mitigate this including encrypting drives (and backups) and having multiple layers of security.

Certainly some more ideas to think about.

Thanks again.

Regards
Michael Knill


From: Michael Keuter <li...@mk...>
Date: Saturday, 19 August 2023 at 2:20 am
To: AstLinux Users Mailing List <ast...@li...>
Subject: Re: [Astlinux-users] Accessing devices behind Astlinux
Here is also an interesting video regarding jump servers:

https://www.youtube.com/watch?v=KIeBC7NIzj4

Michael

http://www.mksolutions.info

> Am 18.08.2023 um 17:44 schrieb Michael Keuter <li...@mk...>:
>
> Nice video, very interesting.
>
> BTW: on macOS you can install Proxychain via Homebrew with:
>
> brew install proxychains-ng
>
> and call it with "proxychain4 firefox".
>
>> Am 18.08.2023 um 17:02 schrieb Lonnie Abelbeck <li...@lo...>:
>>
>> Hi Michael,
>>
>> I don't have any personal experience to share, but Tom Lawrence has a related video [1]
>>
>> Youtube: SSH Jump Server Access and How To Pivot Using OpenVPN & Proxychains
>>
>> I suspect this could all be done with SSH+SOCKS (Proxychains) and no OpenVPN tunnel as his example does.
>>
>> Key takeaways are to encrypt the Jump Server's drive (and backup), keep it local and secure from the internet, limit remote AstLinux SSH access via its firewall and Jump Server ssh key.
>>
>>
>> Alternatively, some sort of automation to keep the remote AstLinux SSH keys updated from one hardened location.
>>
>> Lonnie
>>
>> [1] https://www.youtube.com/watch?v=jqudlmfG0zA
>>
>>
>>
>>> On Aug 18, 2023, at 2:17 AM, Michael Knill <mic...@ip...> wrote:
>>>
>>> Hi All
>>>
>>> Here is the issue:
>>> We access devices behind Astlinux currently using SSH Tunnelling and SOCKS. It works well however it is becoming increasingly difficult in managing local authentication to do this such as using SSH Keys.
>>> We are going to be bringing on additional staff and I don’t want to have to go into every system to add credentials or keys every time we bring on a new staffmember.
>>>
>>> Just wondering if there are any options for external authentication of SSH rather than local on Astlinux e.g. using RADIUS
>>> Could there be any other options e.g. HTTPS proxy?
>>>
>>> Regards
>>>
>>> Michael Knill
>>> Managing Director



_______________________________________________
Astlinux-users mailing list
Ast...@li...
https://lists.sourceforge.net/lists/listinfo/astlinux-users

Donations to support AstLinux are graciously accepted via PayPal to pa...@kr....

Re: [Astlinux-users] Accessing devices behind Astlinux

[Michael K. <li...@mk...>]

Here is also an interesting video regarding jump servers:

https://www.youtube.com/watch?v=KIeBC7NIzj4

Michael

http://www.mksolutions.info

> Am 18.08.2023 um 17:44 schrieb Michael Keuter <li...@mk...>:
> 
> Nice video, very interesting.
> 
> BTW: on macOS you can install Proxychain via Homebrew with:
> 
> brew install proxychains-ng
> 
> and call it with "proxychain4 firefox".
> 
>> Am 18.08.2023 um 17:02 schrieb Lonnie Abelbeck <li...@lo...>:
>> 
>> Hi Michael,
>> 
>> I don't have any personal experience to share, but Tom Lawrence has a related video [1]
>> 
>> Youtube: SSH Jump Server Access and How To Pivot Using OpenVPN & Proxychains
>> 
>> I suspect this could all be done with SSH+SOCKS (Proxychains) and no OpenVPN tunnel as his example does.
>> 
>> Key takeaways are to encrypt the Jump Server's drive (and backup), keep it local and secure from the internet, limit remote AstLinux SSH access via its firewall and Jump Server ssh key.
>> 
>> 
>> Alternatively, some sort of automation to keep the remote AstLinux SSH keys updated from one hardened location.
>> 
>> Lonnie
>> 
>> [1] https://www.youtube.com/watch?v=jqudlmfG0zA
>> 
>> 
>> 
>>> On Aug 18, 2023, at 2:17 AM, Michael Knill <mic...@ip...> wrote:
>>> 
>>> Hi All
>>> 
>>> Here is the issue:
>>> We access devices behind Astlinux currently using SSH Tunnelling and SOCKS. It works well however it is becoming increasingly difficult in managing local authentication to do this such as using SSH Keys.
>>> We are going to be bringing on additional staff and I don’t want to have to go into every system to add credentials or keys every time we bring on a new staffmember.
>>> 
>>> Just wondering if there are any options for external authentication of SSH rather than local on Astlinux e.g. using RADIUS
>>> Could there be any other options e.g. HTTPS proxy?
>>> 
>>> Regards
>>> 
>>> Michael Knill
>>> Managing Director

Re: [Astlinux-users] Accessing devices behind Astlinux

[Michael K. <li...@mk...>]

Nice video, very interesting.

BTW: on macOS you can install Proxychain via Homebrew with:

brew install proxychains-ng

and call it with "proxychain4 firefox".

> Am 18.08.2023 um 17:02 schrieb Lonnie Abelbeck <li...@lo...>:
> 
> Hi Michael,
> 
> I don't have any personal experience to share, but Tom Lawrence has a related video [1]
> 
> Youtube: SSH Jump Server Access and How To Pivot Using OpenVPN & Proxychains
> 
> I suspect this could all be done with SSH+SOCKS (Proxychains) and no OpenVPN tunnel as his example does.
> 
> Key takeaways are to encrypt the Jump Server's drive (and backup), keep it local and secure from the internet, limit remote AstLinux SSH access via its firewall and Jump Server ssh key.
> 
> 
> Alternatively, some sort of automation to keep the remote AstLinux SSH keys updated from one hardened location.
> 
> Lonnie
> 
> [1] https://www.youtube.com/watch?v=jqudlmfG0zA
> 
> 
> 
>> On Aug 18, 2023, at 2:17 AM, Michael Knill <mic...@ip...> wrote:
>> 
>> Hi All
>> 
>> Here is the issue:
>> We access devices behind Astlinux currently using SSH Tunnelling and SOCKS. It works well however it is becoming increasingly difficult in managing local authentication to do this such as using SSH Keys.
>> We are going to be bringing on additional staff and I don’t want to have to go into every system to add credentials or keys every time we bring on a new staffmember.
>> 
>> Just wondering if there are any options for external authentication of SSH rather than local on Astlinux e.g. using RADIUS
>> Could there be any other options e.g. HTTPS proxy?
>> 
>> Regards
>> 
>> Michael Knill
>> Managing Director
>> 
>> D: +61 2 6189 1360
>> P: +61 2 6140 4656
>> E: mic...@ip...
>> W: ipcsolutions.com.au
>> 
>> <image001.png>
>> Smarter Business Communications
>> 
>> _______________________________________________
>> Astlinux-users mailing list
>> Ast...@li...
>> https://lists.sourceforge.net/lists/listinfo/astlinux-users
>> 
>> Donations to support AstLinux are graciously accepted via PayPal to pa...@kr....
> 
> 
> 
> _______________________________________________
> Astlinux-users mailing list
> Ast...@li...
> https://lists.sourceforge.net/lists/listinfo/astlinux-users
> 
> Donations to support AstLinux are graciously accepted via PayPal to pa...@kr....



Michael

http://www.mksolutions.info

Re: [Astlinux-users] Accessing devices behind Astlinux

[Lonnie A. <li...@lo...>]

Hi Michael,

I don't have any personal experience to share, but Tom Lawrence has a related video [1]

Youtube: SSH Jump Server Access and How To Pivot Using OpenVPN & Proxychains

I suspect this could all be done with SSH+SOCKS (Proxychains) and no OpenVPN tunnel as his example does.

Key takeaways are to encrypt the Jump Server's drive (and backup), keep it local and secure from the internet, limit remote AstLinux SSH access via its firewall and Jump Server ssh key.


Alternatively, some sort of automation to keep the remote AstLinux SSH keys updated from one hardened location.

Lonnie

[1] https://www.youtube.com/watch?v=jqudlmfG0zA



> On Aug 18, 2023, at 2:17 AM, Michael Knill <mic...@ip...> wrote:
> 
> Hi All
>  
> Here is the issue:
> We access devices behind Astlinux currently using SSH Tunnelling and SOCKS. It works well however it is becoming increasingly difficult in managing local authentication to do this such as using SSH Keys.
> We are going to be bringing on additional staff and I don’t want to have to go into every system to add credentials or keys every time we bring on a new staffmember.
>  
> Just wondering if there are any options for external authentication of SSH rather than local on Astlinux e.g. using RADIUS
> Could there be any other options e.g. HTTPS proxy?
>  
> Regards
>  
> Michael Knill
> Managing Director
>  
> D: +61 2 6189 1360
> P: +61 2 6140 4656
> E: mic...@ip...
> W: ipcsolutions.com.au
>  
>  <image001.png>
> Smarter Business Communications
>  
> _______________________________________________
> Astlinux-users mailing list
> Ast...@li...
> https://lists.sourceforge.net/lists/listinfo/astlinux-users
> 
> Donations to support AstLinux are graciously accepted via PayPal to pa...@kr....

[Astlinux-users] Accessing devices behind Astlinux

[Michael K. <mic...@ip...>]

Hi All

Here is the issue:
We access devices behind Astlinux currently using SSH Tunnelling and SOCKS. It works well however it is becoming increasingly difficult in managing local authentication to do this such as using SSH Keys.
We are going to be bringing on additional staff and I don’t want to have to go into every system to add credentials or keys every time we bring on a new staffmember.

Just wondering if there are any options for external authentication of SSH rather than local on Astlinux e.g. using RADIUS
Could there be any other options e.g. HTTPS proxy?

Regards

Michael Knill
Managing Director

D: +61 2 6189 1360<tel:+61261891360>
P: +61 2 6140 4656<tel:+61261404656>
E: mic...@ip...<mailto:mic...@ip...>
W: ipcsolutions.com.au<https://ipcsolutions.com.au/>

 [Icon  Description automatically generated]
Smarter Business Communications

Re: [Astlinux-users] Looking to implement DNS-TLS

[Michael K. <mic...@ip...>]

Thanks 😊

Regards
Michael Knill


From: Lonnie Abelbeck <li...@lo...>
Date: Friday, 11 August 2023 at 10:19 am
To: AstLinux Users Mailing List <ast...@li...>
Subject: Re: [Astlinux-users] Looking to implement DNS-TLS
Sounds like you have a use case to implement the the /mnt/kd/dnsmasq.static trick/workaround.

Lonnie


> On Aug 10, 2023, at 6:38 PM, Michael Knill <mic...@ip...> wrote:
>
> Hi Lonnie
>
> Whoops sorry for assuming you are psychic. It’s the dyndns-host-open plugin for the firewall.
> You mentioned with the /mnt/kd/dnsmasq.static trick (I called it workaround) that it should only be implemented if it was not working. But DNS not working would be a bad thing and although I have a static entry for access in the firewall it would prevent access for all other addresses and ports using the dyndns-host-open plugin.
>
> Yes I suspect it would be rare but the impact would be high if it happened.
>
> Regards
> Michael Knill
>
>
> From: Lonnie Abelbeck <li...@lo...>
> Date: Thursday, 10 August 2023 at 11:26 pm
> To: AstLinux Users Mailing List <ast...@li...>
> Subject: Re: [Astlinux-users] Looking to implement DNS-TLS
>
> Hi Michael,
>
> Not sure what you mean by "dyn-dns plugin"?  Plugin to what?
>
> In this day and age, certificates that depend on the system to have a valid time are quite common.
>
> If you are using Network tab -> "Dynamic DNS Update:", the update will use HTTPS (via curl) to secure your credentials, which will require a valid system time.  Note the "Dynamic DNS Update:" (set external DNS record) has nothing to do with "DNS-TLS" (retrieve DNS).
>
> The AstLinux system clock is maintained via one or more of:
>
> 1) CMOS flash with battery RTC (bare metal)
>
> 2) Virtual Machine host provides date/time (VM)
>
> 3) Time is set on startup using chrony using Network tab -> "Network Time Settings:"
>
>
> While I have not had any practical issues over the years using "DNS-TLS", you can either use a manual IPv4 address in "Network Time Settings:" or use the /mnt/kd/dnsmasq.static trick as described here [1] to "almost" guarantee the clock is valid at startup.
>
> Lonnie
>
> [1] https://doc.astlinux-project.org/userdoc:tt_dns_tls_proxy#possible_startup_issues
>
>
>
>
> > On Aug 10, 2023, at 1:28 AM, Michael Knill <mic...@ip...> wrote:
> >
> > Hi Group
> >
> > I’m currently using the dyn-dns plugin and wanting to extend it for additional Astlinux access.
> > I’m concerned that DNS traffic is currently not being encrypted so I want to use DNS-TLS.
> >
> > I have two questions:
> >        • As you have mentioned in the notes, as it relies on reasonably correct time which needs DNS to be set correctly, I am concerned that we will not be able to access the system with dyn-dns if this occurs. Should I implement the workaround for this in /mnt/kd/dnsmasq.static always?
> >        • I currently have 1.1.1.1 & 8.8.8.8 configured as my standard DNS. I assume this is not possible with the DNS Proxy and DNSSEC? I do realise that Anycast DNS is very close to 100% uptime but I’m just cautious.
> >
> > Regards
> >
> > Michael Knill
> > Managing Director
> >
> > D: +61 2 6189 1360
> > P: +61 2 6140 4656
> > E: mic...@ip...
> > W: ipcsolutions.com.au
> >
> >  <image001.png>
> > Smarter Business Communications
> >
> > _______________________________________________
> > Astlinux-users mailing list
> > Ast...@li...
> > https://lists.sourceforge.net/lists/listinfo/astlinux-users
> >
> > Donations to support AstLinux are graciously accepted via PayPal to pa...@kr....
>
>
>
> _______________________________________________
> Astlinux-users mailing list
> Ast...@li...
> https://lists.sourceforge.net/lists/listinfo/astlinux-users
>
> Donations to support AstLinux are graciously accepted via PayPal to pa...@kr....
> _______________________________________________
> Astlinux-users mailing list
> Ast...@li...
> https://lists.sourceforge.net/lists/listinfo/astlinux-users
>
> Donations to support AstLinux are graciously accepted via PayPal to pa...@kr....



_______________________________________________
Astlinux-users mailing list
Ast...@li...
https://lists.sourceforge.net/lists/listinfo/astlinux-users

Donations to support AstLinux are graciously accepted via PayPal to pa...@kr....

Re: [Astlinux-users] Looking to implement DNS-TLS

[Lonnie A. <li...@lo...>]

Sounds like you have a use case to implement the the /mnt/kd/dnsmasq.static trick/workaround.

Lonnie


> On Aug 10, 2023, at 6:38 PM, Michael Knill <mic...@ip...> wrote:
> 
> Hi Lonnie
>  
> Whoops sorry for assuming you are psychic. It’s the dyndns-host-open plugin for the firewall.
> You mentioned with the /mnt/kd/dnsmasq.static trick (I called it workaround) that it should only be implemented if it was not working. But DNS not working would be a bad thing and although I have a static entry for access in the firewall it would prevent access for all other addresses and ports using the dyndns-host-open plugin.
>  
> Yes I suspect it would be rare but the impact would be high if it happened.
>  
> Regards
> Michael Knill
>  
>  
> From: Lonnie Abelbeck <li...@lo...>
> Date: Thursday, 10 August 2023 at 11:26 pm
> To: AstLinux Users Mailing List <ast...@li...>
> Subject: Re: [Astlinux-users] Looking to implement DNS-TLS
> 
> Hi Michael,
> 
> Not sure what you mean by "dyn-dns plugin"?  Plugin to what?
> 
> In this day and age, certificates that depend on the system to have a valid time are quite common.
> 
> If you are using Network tab -> "Dynamic DNS Update:", the update will use HTTPS (via curl) to secure your credentials, which will require a valid system time.  Note the "Dynamic DNS Update:" (set external DNS record) has nothing to do with "DNS-TLS" (retrieve DNS).
> 
> The AstLinux system clock is maintained via one or more of:
> 
> 1) CMOS flash with battery RTC (bare metal)
> 
> 2) Virtual Machine host provides date/time (VM)
> 
> 3) Time is set on startup using chrony using Network tab -> "Network Time Settings:"
> 
> 
> While I have not had any practical issues over the years using "DNS-TLS", you can either use a manual IPv4 address in "Network Time Settings:" or use the /mnt/kd/dnsmasq.static trick as described here [1] to "almost" guarantee the clock is valid at startup.
> 
> Lonnie
> 
> [1] https://doc.astlinux-project.org/userdoc:tt_dns_tls_proxy#possible_startup_issues
> 
> 
> 
> 
> > On Aug 10, 2023, at 1:28 AM, Michael Knill <mic...@ip...> wrote:
> > 
> > Hi Group
> >  
> > I’m currently using the dyn-dns plugin and wanting to extend it for additional Astlinux access.
> > I’m concerned that DNS traffic is currently not being encrypted so I want to use DNS-TLS.
> >  
> > I have two questions:
> >        • As you have mentioned in the notes, as it relies on reasonably correct time which needs DNS to be set correctly, I am concerned that we will not be able to access the system with dyn-dns if this occurs. Should I implement the workaround for this in /mnt/kd/dnsmasq.static always?
> >        • I currently have 1.1.1.1 & 8.8.8.8 configured as my standard DNS. I assume this is not possible with the DNS Proxy and DNSSEC? I do realise that Anycast DNS is very close to 100% uptime but I’m just cautious.
> >  
> > Regards
> >  
> > Michael Knill
> > Managing Director
> >  
> > D: +61 2 6189 1360
> > P: +61 2 6140 4656
> > E: mic...@ip...
> > W: ipcsolutions.com.au
> >  
> >  <image001.png>
> > Smarter Business Communications
> >  
> > _______________________________________________
> > Astlinux-users mailing list
> > Ast...@li...
> > https://lists.sourceforge.net/lists/listinfo/astlinux-users
> > 
> > Donations to support AstLinux are graciously accepted via PayPal to pa...@kr....
> 
> 
> 
> _______________________________________________
> Astlinux-users mailing list
> Ast...@li...
> https://lists.sourceforge.net/lists/listinfo/astlinux-users
> 
> Donations to support AstLinux are graciously accepted via PayPal to pa...@kr....
> _______________________________________________
> Astlinux-users mailing list
> Ast...@li...
> https://lists.sourceforge.net/lists/listinfo/astlinux-users
> 
> Donations to support AstLinux are graciously accepted via PayPal to pa...@kr....

Re: [Astlinux-users] Looking to implement DNS-TLS

[Michael K. <mic...@ip...>]

Hi Lonnie

Whoops sorry for assuming you are psychic. It’s the dyndns-host-open plugin for the firewall.
You mentioned with the /mnt/kd/dnsmasq.static trick (I called it workaround) that it should only be implemented if it was not working. But DNS not working would be a bad thing and although I have a static entry for access in the firewall it would prevent access for all other addresses and ports using the dyndns-host-open plugin.

Yes I suspect it would be rare but the impact would be high if it happened.

Regards
Michael Knill


From: Lonnie Abelbeck <li...@lo...>
Date: Thursday, 10 August 2023 at 11:26 pm
To: AstLinux Users Mailing List <ast...@li...>
Subject: Re: [Astlinux-users] Looking to implement DNS-TLS
Hi Michael,

Not sure what you mean by "dyn-dns plugin"?  Plugin to what?

In this day and age, certificates that depend on the system to have a valid time are quite common.

If you are using Network tab -> "Dynamic DNS Update:", the update will use HTTPS (via curl) to secure your credentials, which will require a valid system time.  Note the "Dynamic DNS Update:" (set external DNS record) has nothing to do with "DNS-TLS" (retrieve DNS).

The AstLinux system clock is maintained via one or more of:

1) CMOS flash with battery RTC (bare metal)

2) Virtual Machine host provides date/time (VM)

3) Time is set on startup using chrony using Network tab -> "Network Time Settings:"


While I have not had any practical issues over the years using "DNS-TLS", you can either use a manual IPv4 address in "Network Time Settings:" or use the /mnt/kd/dnsmasq.static trick as described here [1] to "almost" guarantee the clock is valid at startup.

Lonnie

[1] https://doc.astlinux-project.org/userdoc:tt_dns_tls_proxy#possible_startup_issues




> On Aug 10, 2023, at 1:28 AM, Michael Knill <mic...@ip...> wrote:
>
> Hi Group
>
> I’m currently using the dyn-dns plugin and wanting to extend it for additional Astlinux access.
> I’m concerned that DNS traffic is currently not being encrypted so I want to use DNS-TLS.
>
> I have two questions:
>        • As you have mentioned in the notes, as it relies on reasonably correct time which needs DNS to be set correctly, I am concerned that we will not be able to access the system with dyn-dns if this occurs. Should I implement the workaround for this in /mnt/kd/dnsmasq.static always?
>        • I currently have 1.1.1.1 & 8.8.8.8 configured as my standard DNS. I assume this is not possible with the DNS Proxy and DNSSEC? I do realise that Anycast DNS is very close to 100% uptime but I’m just cautious.
>
> Regards
>
> Michael Knill
> Managing Director
>
> D: +61 2 6189 1360
> P: +61 2 6140 4656
> E: mic...@ip...
> W: ipcsolutions.com.au
>
>  <image001.png>
> Smarter Business Communications
>
> _______________________________________________
> Astlinux-users mailing list
> Ast...@li...
> https://lists.sourceforge.net/lists/listinfo/astlinux-users
>
> Donations to support AstLinux are graciously accepted via PayPal to pa...@kr....



_______________________________________________
Astlinux-users mailing list
Ast...@li...
https://lists.sourceforge.net/lists/listinfo/astlinux-users

Donations to support AstLinux are graciously accepted via PayPal to pa...@kr....

Re: [Astlinux-users] Looking to implement DNS-TLS

[Lonnie A. <li...@lo...>]

Hi Michael,

Not sure what you mean by "dyn-dns plugin"?  Plugin to what?

In this day and age, certificates that depend on the system to have a valid time are quite common.

If you are using Network tab -> "Dynamic DNS Update:", the update will use HTTPS (via curl) to secure your credentials, which will require a valid system time.  Note the "Dynamic DNS Update:" (set external DNS record) has nothing to do with "DNS-TLS" (retrieve DNS).

The AstLinux system clock is maintained via one or more of:

1) CMOS flash with battery RTC (bare metal)

2) Virtual Machine host provides date/time (VM)

3) Time is set on startup using chrony using Network tab -> "Network Time Settings:"


While I have not had any practical issues over the years using "DNS-TLS", you can either use a manual IPv4 address in "Network Time Settings:" or use the /mnt/kd/dnsmasq.static trick as described here [1] to "almost" guarantee the clock is valid at startup.

Lonnie

[1] https://doc.astlinux-project.org/userdoc:tt_dns_tls_proxy#possible_startup_issues




> On Aug 10, 2023, at 1:28 AM, Michael Knill <mic...@ip...> wrote:
> 
> Hi Group
>  
> I’m currently using the dyn-dns plugin and wanting to extend it for additional Astlinux access.
> I’m concerned that DNS traffic is currently not being encrypted so I want to use DNS-TLS.
>  
> I have two questions:
> 	• As you have mentioned in the notes, as it relies on reasonably correct time which needs DNS to be set correctly, I am concerned that we will not be able to access the system with dyn-dns if this occurs. Should I implement the workaround for this in /mnt/kd/dnsmasq.static always?
> 	• I currently have 1.1.1.1 & 8.8.8.8 configured as my standard DNS. I assume this is not possible with the DNS Proxy and DNSSEC? I do realise that Anycast DNS is very close to 100% uptime but I’m just cautious.
>  
> Regards
>  
> Michael Knill
> Managing Director
>  
> D: +61 2 6189 1360
> P: +61 2 6140 4656
> E: mic...@ip...
> W: ipcsolutions.com.au
>  
>  <image001.png>
> Smarter Business Communications
>  
> _______________________________________________
> Astlinux-users mailing list
> Ast...@li...
> https://lists.sourceforge.net/lists/listinfo/astlinux-users
> 
> Donations to support AstLinux are graciously accepted via PayPal to pa...@kr....

[Astlinux-users] Looking to implement DNS-TLS

[Michael K. <mic...@ip...>]

Hi Group

I’m currently using the dyn-dns plugin and wanting to extend it for additional Astlinux access.
I’m concerned that DNS traffic is currently not being encrypted so I want to use DNS-TLS.

I have two questions:

  1.  As you have mentioned in the notes, as it relies on reasonably correct time which needs DNS to be set correctly, I am concerned that we will not be able to access the system with dyn-dns if this occurs. Should I implement the workaround for this in /mnt/kd/dnsmasq.static always?
  2.  I currently have 1.1.1.1 & 8.8.8.8 configured as my standard DNS. I assume this is not possible with the DNS Proxy and DNSSEC? I do realise that Anycast DNS is very close to 100% uptime but I’m just cautious.

Regards

Michael Knill
Managing Director

D: +61 2 6189 1360<tel:+61261891360>
P: +61 2 6140 4656<tel:+61261404656>
E: mic...@ip...<mailto:mic...@ip...>
W: ipcsolutions.com.au<https://ipcsolutions.com.au/>

 [Icon  Description automatically generated]
Smarter Business Communications

Re: [Astlinux-users] What is .wh.__dir_opaque

[Michael K. <mic...@ip...>]

Thanks Lonnie. I will remove to keep things clean.

Regards
Michael Knill


From: Lonnie Abelbeck <li...@lo...>
Date: Thursday, 3 August 2023 at 10:42 pm
To: AstLinux Users Mailing List <ast...@li...>
Subject: Re: [Astlinux-users] What is .wh.__dir_opaque
Hi Michael,

AstLinux version 1.3.8 and older used a unionfs driver (kernel based) that used "whiteout" files added to the filesystem (ex. .wh.__dir_opaque) to note added/removed directories, among other things.

AstLinux version 1.3.10 and newer uses a different unionfs driver (FUSE based), so the old whiteout files (ex. .wh.__dir_opaque) are no longer used/needed.

These whiteout files are of zero size, so the simplest is to ignore them.  If you want to remove the old whiteout files, you can.

Lonnie




> On Aug 3, 2023, at 4:59 AM, Michael Knill <mic...@ip...> wrote:
>
> Hi Group
>
> Im getting ‘.wh.__dir_opaque’ files in a number of directories on an old Astlinux system that I have recently upgraded.
> Just wondering what they are and whether I should delete them?
>
> Regards
>
> Michael Knill
> Managing Director
>
> D: +61 2 6189 1360
> P: +61 2 6140 4656
> E: mic...@ip...
> W: ipcsolutions.com.au
>
>  <image001.png>
> Smarter Business Communications
>
> _______________________________________________
> Astlinux-users mailing list
> Ast...@li...
> https://lists.sourceforge.net/lists/listinfo/astlinux-users
>
> Donations to support AstLinux are graciously accepted via PayPal to pa...@kr....



_______________________________________________
Astlinux-users mailing list
Ast...@li...
https://lists.sourceforge.net/lists/listinfo/astlinux-users

Donations to support AstLinux are graciously accepted via PayPal to pa...@kr....

Re: [Astlinux-users] What is .wh.__dir_opaque

[Lonnie A. <li...@lo...>]

Hi Michael,

AstLinux version 1.3.8 and older used a unionfs driver (kernel based) that used "whiteout" files added to the filesystem (ex. .wh.__dir_opaque) to note added/removed directories, among other things.

AstLinux version 1.3.10 and newer uses a different unionfs driver (FUSE based), so the old whiteout files (ex. .wh.__dir_opaque) are no longer used/needed.

These whiteout files are of zero size, so the simplest is to ignore them.  If you want to remove the old whiteout files, you can.

Lonnie




> On Aug 3, 2023, at 4:59 AM, Michael Knill <mic...@ip...> wrote:
> 
> Hi Group
>  
> Im getting ‘.wh.__dir_opaque’ files in a number of directories on an old Astlinux system that I have recently upgraded.
> Just wondering what they are and whether I should delete them?
>  
> Regards
>  
> Michael Knill
> Managing Director
>  
> D: +61 2 6189 1360
> P: +61 2 6140 4656
> E: mic...@ip...
> W: ipcsolutions.com.au
>  
>  <image001.png>
> Smarter Business Communications
>  
> _______________________________________________
> Astlinux-users mailing list
> Ast...@li...
> https://lists.sourceforge.net/lists/listinfo/astlinux-users
> 
> Donations to support AstLinux are graciously accepted via PayPal to pa...@kr....

[Astlinux-users] What is .wh.__dir_opaque

[Michael K. <mic...@ip...>]

Hi Group

Im getting ‘.wh.__dir_opaque’ files in a number of directories on an old Astlinux system that I have recently upgraded.
Just wondering what they are and whether I should delete them?

Regards

Michael Knill
Managing Director

D: +61 2 6189 1360<tel:+61261891360>
P: +61 2 6140 4656<tel:+61261404656>
E: mic...@ip...<mailto:mic...@ip...>
W: ipcsolutions.com.au<https://ipcsolutions.com.au/>

 [Icon  Description automatically generated]
Smarter Business Communications

[Astlinux-users] Announcing AstLinux Release: 1.5.1

[Lonnie A. <li...@lo...>]

Announcing AstLinux Release: 1.5.1

More Info: AstLinux Project
https://www.astlinux-project.org/

AstLinux 1.5.1 Highlights:
* Asterisk Versions: 13.38.3, 16.30.0, 18.18.0

* Linux Kernel 5.10.179, security and bug fixes
* RUNNIX, version bump to runnix-0.6.15
* OpenSSL, version bump to 1.1.1u, security fixes: CVE-2023-0464, CVE-2023-0465, CVE-2023-0466, CVE-2023-2650
* libcurl (curl) version bump to 8.1.2, security fixes: CVE-2023-27537, CVE-2023-27536, CVE-2023-27535, CVE-2023-27534, CVE-2023-27533, CVE-2023-28319, CVE-2023-28320, * CVE-2023-28321, CVE-2023-28322
* libcap, version bump to 2.69, security fixes: CVE-2023-2602, CVE-2023-2603
* libpcap, version bump to 1.10.4
* libxml2, version bump to 2.10.4, security fixes: CVE-2023-29469, CVE-2023-28484
* dnsmasq, version 2.84, security fix: CVE-2023-28450
* Fossil, (major) version bump to 2.22
* ncurses, version bump to 6.4, security fix: CVE-2023-29491
* pjsip version bump to 2.13
* sngrep, version bump to 1.7.0
* sqlite, version bump to 3.42.0
* tiff, version bump to 4.5.1
* tcpdump, version bump to 4.99.4
* udev (eudev), version bump to 3.2.12
* zabbix, version bump to 4.0.47, security fix: CVE-2023-29456
* Asterisk '13se' (stable edition) version 13.38.3 is the last Asterisk 13.x "Legacy" version, built --without-pjproject
* Package upgrades providing important security and bug fixes

Full ChangeLog:
https://raw.githubusercontent.com/astlinux-project/astlinux/1.5.1/docs/ChangeLog.txt

All users are encouraged to upgrade, read the ChangeLog for the details.

AstLinux Team

Re: [Astlinux-users] Opus codec for home assitant

[Lonnie A. <li...@lo...>]

Hi Sándor,

> I can hear the beep of Home Assistant, and after I say something, it happily announces, that he couldn't understand that :)

Excellent!  Great to hear.

BTW, if needed there are OPUS CODEC custom config settings in Asterisk by editing /etc/asterisk/codecs.conf and at the end of the file "OPUS Examples", commented-out by default.

As for attribution, no personal credit is needed, but mentioning the AstLinux Project would be fine.  Be sure to mention the Asterisk OPUS CODEC "Usage Tracking" as some may be uncomfortable with that.

For the record, I have no experience with Home Assistant, but I found this "Support for other codecs in VOIP integration" [1] which describes your issue here.

Even if Home Assistant supported ulaw/alaw in the future, having an Asterisk PBX managing the voice calls could be generally useful.  The AstLinux Project provides a small footprint solution for those willing to do some CLI asterisk configuration.

Lonnie

[1] https://community.home-assistant.io/t/support-for-other-codecs-in-voip-integration/568580



> On Jun 28, 2023, at 11:49 PM, Sándor Balázs <bal...@ho...> wrote:
> 
> Hi Lonnie,
> 
> Thank you for your quick, and very accurate response!
> This was everything I needed. I can hear the beep of Home Assistant, and after I say something, it happily announces, that he couldn't understand that :)
> (this is most likely a voice recognition issue, I didn't finished configuring that yet)
> So thank you very much again!
> 
> I'm planning to create a tutorial about how to get Home Assistant working with older cisco phones for voice control.
> Can I use your description for this purpose? If so, then do you have a contact information you would like to be used in the attribution?
> 
> Sándor
> ________________________________________
> Feladó: Lonnie Abelbeck <li...@lo...>
> Elküldve: 2023. június 28., szerda 22:27
> Címzett: AstLinux Users Mailing List
> Tárgy: Re: [Astlinux-users] Opus codec for home assitant
> 
> Hi Sándor,
> 
> Thanks for giving AstLinux a spin.
> 
> First, answer your Status page question.  Asterisk supports either the older chan_sip or newer chan_pjsip SIP drivers.  Asterisk 18's default config only loads chan_pjsip and not chan_sip, so the 'sip show registry' and 'sip show peers' CLI commands are not supported by chan_pjsip.  The web interface Prefs tab can be used to uncheck "Show SIP Trunk Registrations" and "Show SIP Peer Status" if you decide to not use chan_sip.
> 
> AstLinux does not include the OPUS CODEC as part of the standard build.  Two reasons...
> 
> 1) While it may seem the OPUS CODEC is free to use [1], patent issues may still exist.  Perform proper due diligence.
> 
> 2) Asterisk/Digium/Sangoma have built in a "Usage Tracking" feature [2].  Both codec_opus.so and format_ogg_opus.so modules are linked with libcurl.so to provide the "Usage Tracking" feature.
> 
> 
> OK, with that out of the way, I took your challenge to add the OPUS CODEC to AstLinux.  I used Asterisk 18 as you did.  Proceeded to install in a VM.
> =-=-=
> 
> == First, in order to write to /usr/lib/asterisk/modules/ you must set an advanced configuration option.  Using the web interface:
> Network tab -> Advanced Configuration -> User System Variables: { Edit User Variables }
> 
> add the line...
> 
> ASTERISK_RW_MODULES_DIR="yes"
> 
> click { Save Changes } followed by clicking  { Reload/Restart } [ Apply user.conf variables ] - x Confirm
> 
> == Using the AstLinux CLI, restart asterisk
> 
> pbx ~ # service asterisk stop
> Stopping Asterisk...
> pbx ~ # service asterisk init
> Starting Asterisk...
> 
> == Now download and add the codec_opus modules from Digium.
> 
> pbx ~ # mkdir /mnt/kd/opus
> 
> pbx ~ # cd /mnt/kd/opus
> 
> pbx opus # curl -O https://downloads.digium.com/pub/telephony/codec_opus/asterisk-18.0/x86-64/codec_opus-18.0_1.3.0-x86_64.tar.gz
> 
> pbx opus # tar xzvf codec_opus-18.0_1.3.0-x86_64.tar.gz
> 
> pbx opus # cd codec_opus-18.0_1.3.0-x86_64
> 
> pbx codec_opus-18.0_1.3.0-x86_64 # cp *_opus.so /usr/lib/asterisk/modules/
> 
> == The codec_opus_config-en_US.xml file needs to be copied (AstLinux specific location)
> 
> pbx codec_opus-18.0_1.3.0-x86_64 # cp codec_opus_config-en_US.xml /stat/var/lib/asterisk/documentation/thirdparty/
> 
> == As a quick sanity check, use the AstLinux "show-union" command, it should look like...
> 
> pbx codec_opus-18.0_1.3.0-x86_64 # show-union
> /mnt/asturw/usr/lib/asterisk/modules/codec_opus.so
> /mnt/asturw/usr/lib/asterisk/modules/format_ogg_opus.so
> /mnt/asturw/etc/shadow-
> /mnt/asturw/etc/passwd
> /mnt/asturw/etc/passwd-
> /mnt/asturw/etc/shadow
> /mnt/asturw/stat/var/lib/asterisk/documentation/thirdparty/codec_opus_config-en_US.xml
> /mnt/asturw/stat/var/www/admin/.htpasswd
> 
> == Finally, restart asterisk to use the new modules
> 
> pbx codec_opus-18.0_1.3.0-x86_64 # service asterisk stop
> Stopping Asterisk...
> pbx codec_opus-18.0_1.3.0-x86_64 # service asterisk init
> Starting Asterisk...
> 
> =-=-=
> 
> I hope this gets you started.
> 
> Be aware that there is some Asterisk knowledge required to perform the CODEC translation task you desire.
> 
> Lonnie
> 
> 
> [1] https://opus-codec.org/license/
> 
> [2] Opus Software Codec for Asterisk README: "Usage Tracking" The codec_opus module will periodically attempt to send usage statistics to an Asterisk community server. The statistics are sent at most every 24 hours.
> 
> 
> 
> 
>> On Jun 28, 2023, at 9:39 AM, Sándor Balázs <bal...@ho...> wrote:
>> 
>> I have some older cisco phones with SIP and alaw/ulaw support. And I want to connect to home assistant.
>> The direct IP call thing failed for some reason and not knowing what the reason might be, I turned to asterisk. I didn't want to install linux for this... but of course this thing is linux only...
>> So I happily found this project, and got my VM working in a few minutes. astlinux-1.5.0 x86_64 - Asterisk 18.16.0
>> 
>> I want to note here, that on the Status page these messages appear instead of the content of the div...
>> SIP Trunk Registrations: No such command 'sip show registry' (type 'core show help sip show' for other possible commands)
>> SIP Peer Status: No such command 'sip show peers' (type 'core show help sip show' for other possible commands)
>> 
>> So after some experimenting I noticed, that microsip can only communicate with home assistant only if the opus codec is enabled.
>> so home assitant supposedly uses opus. My phones do not support opus, and there is no way I can get CISCO to create a firmware that does.
>> 
>> So of course I googled it. And asterisk can translate between codecs. I found a maillist thread that said, that version 13 is the first version containing OPUS. I use version 18 so it's not a problem. Itried to enable it in astlinux, but after a few attempts I came to the conclusion, that I might miss the "codec_opus.so" in "/usr/lib/asterisk/modules/".
>> Firstly it said, that it is read only... so I remounted it as read-write but then it complains about not enought space, as it is 100% utilised...
>> 
>> So my question is:
>> Where can I download the version that contains support for opus?
>> If for some reason there isn't any, then how can I manually add it without recompiling the whole thing? (I do not want to use linux after all)
>