Raspberry Pi Temperature/Humidity/Pressure Monitor, Pt.2 - Silicon Chip, February 2016
Items relevant to "Raspberry Pi Temperature/Humidity/Pressure Monitor, Pt.2":
  • Script for Raspberry Pi Temperature/Humidity/Pressure Monitor Pt.2 (Software, Free)
Articles in this series:
  • Raspberry Pi Temperature/Humidity/Pressure Monitor Pt.1 (January 2016)
  • Raspberry Pi Temperature/Humidity/Pressure Monitor, Pt.2 (February 2016)
  • 1-Wire Digital Temperature Sensor For The Raspberry Pi (March 2016)
RPi-based temperature, humidity & pressure sensor

Pt.2: By Greg Swain

Getting our Raspberry Pi working with the Sense HAT sensor module was only the first step. This month, we show you how to install the system in a clear acrylic case and stream the sensor readings to a web-server so that you can easily access them over the internet (and on your local network) via a web browser.

Fig.1: the temperature, pressure and humidity sensor readings as they appear on a web page. You can browse to these readings over your local network and via the internet.

Photo: the Raspberry Pi module is housed in a clear acrylic case, while the Sense HAT module rests above the case lid. It plugs into the RPi via two stackable headers.

Additional Parts Required
  1 acrylic case, Core Electronics SKU: 018-RASPPI+CASE1 (for Raspberry Pi B+)*
  1 stackable female header with spacers, Core Electronics SKU: POLOLU-2749*
  1 stackable header, Core Electronics SKU: POLOLU-2748*
  2 M3 x 12mm tapped Nylon spacers
  2 M3 x 8mm tapped Nylon spacers
  2 M3 x 15mm machine screws
  * www.core-electronics.com.au for case and header parts

Last month, we got our Raspberry Pi up and running, connected it to a local WiFi network, plugged in the Sense HAT module and ran some simple programs to measure temperature, pressure & humidity. We also showed you how to stream the RPi’s desktop to another computer on the network, so that it can be run “headless” (ie, without a keyboard, monitor and mouse).

One problem we ran into was that the temperature readings were skewed by heat from the Raspberry Pi module. The Sense HAT module was plugged directly into the RPi’s I/O connector, which meant that it sat directly above the RPi’s ARM Cortex A7 CPU which typically runs with a core temperature of about 45°C (in 23°C ambient). We corrected for this by introducing a compensation factor into our Python temperature measuring software but this was only valid over a fairly narrow temperature range.

The obvious answer was to separate the two modules by plugging the Sense HAT into the RPi via stackable headers. In addition, by mounting the RPi in a case, the underside of the Sense HAT module would be partially shielded from the heat generated by the RPi’s ARM processor and any other on-board parts, such as the GPU.

So that’s what we’ve done. We chose to fit the RPi module in a clear acrylic case from Core Electronics (Cat. 018-RASP-PI+CASE1). It costs just $8.50 (plus p&p) and comes as a flat pack; you just clip it together to assemble it.

This case has a cut-out slot along one edge of the lid immediately above the RPi’s I/O header, so that external modules can be plugged in via stackable headers. It also has a slot in the lid above the camera interface connector and another slot at one end above the display interface connector.

Before clipping the case together, it’s necessary to cover the slot for the camera interface connector (the one adjacent to the HDMI connector) to prevent warm air from the RPi reaching the underside of the Sense HAT module. We used a 25 x 20mm piece of clear acrylic with 3mm-diameter holes drilled on either side. A couple of matching holes were then drilled in the lid and the cover secured in place using M3 x 10mm machine screws, nuts and washers.

The case we obtained had no hole in the lid for a fan. However, the case shown on Core Electronics’ website now includes a hole for a 40mm fan and if your case has this cut-out, then this will have to be covered as well. In fact, it would be best to cut a single piece of acrylic sheet to cover both the fan cut-out and the slot for the camera interface.

One minor problem we found with the case was that the hole for the micro-USB power connector wasn’t quite large enough. In practice, it blocked the insulated body at the end of the connector, preventing it from being pushed home far enough into the RPi’s power socket to stop it falling out.
That problem was solved by carefully enlarging the hole using a small file set. There’s a useful trick when doing this. First, trace the side piece, including its cut-outs, onto a piece of paper, then carefully measure your micro-USB power connector and enlarge the traced outline for this connector accordingly. The side piece can then be carefully filed until the cut-out matches the paper template. Depending on your HDMI cable, you may also have to do the same for its socket cut-out.

Once you’ve done this work, the case can be assembled but take your time to figure out how it goes together. In particular, the lid must be fitted before the second side piece is installed (see core-electronics.com.au/ultimate-case-box-enclosure-combo-for-raspberry-pi-b.html). The end piece with the cut-outs for the ethernet and USB sockets can be fitted last, just after the RPi module is slid into position. Make sure that this end piece is attached the right way around, otherwise you will not be able to access all the USB sockets.

If you do make a mistake, it’s easy to pull the case apart – just lift up the clips at the bottom on either side of an end piece and slip the piece off. The other end piece can then be removed in the same manner.

Photo: the slot in the lid is fitted with a cover made from scrap acrylic sheet, to help shield the underside of the Sense HAT PCB from the heat generated by the RPi’s ARM Cortex A7 processor.

Photo: this view shows the completed RPi assembly before the Sense HAT module is fitted. The holes in the side of the case for the power and HDMI sockets were enlarged using a file set. Take care with the case assembly – see text.

Stackable headers

Two stackable headers are used to lift the Sense HAT module clear of the RPi and these are listed in the accompanying parts list. They can be fitted to the RPi in either order, although it’s probably best to have the tall unit on top.
The standard unit has longer exposed pins when everything is plugged in and these are best contained inside the case.

Before connecting the Sense HAT, it’s necessary to attach Nylon spacers to the two mounting holes on the side opposite the header. Two spacers are required in each position, one M3 x 12mm and the other M3 x 9mm, and these are attached to the Sense HAT using M3 x 15mm machine screws. There’s really no need to attach the spacers to the case lid; they can simply rest on the lid when the Sense HAT is plugged into the header.

Alternatively, if you’re fussy, you can drill a couple of holes in the lid and attach the 12mm spacers using M3 x 9mm machine screws. The M3 x 9mm spacers can then be drilled out (to remove the thread) and the assembly then secured at each corner using M3 x 15mm machine screws.

Better accuracy

By enclosing the RPi module in the case, its heat no longer has such a large effect on the temperature readings. There is still some degree of warming around the unit though, and the Sense HAT unit itself also slightly contributes to this, but the result is that the readings are more accurate than before.

At switch on from cold (23°C ambient), our unit’s temperature readings were about 0.3°C high without compensation but this increased to about 4.3°C after the unit had been on some time and had reached a stable operating temperature. They were previously around 10°C or more too high, so that’s quite an improvement.

This means that a much lower compensation value is now required to correct the temperature reading. Whereas previously a compensation value of around 0.8 was required, a value somewhere around 0.35 will now give reasonably accurate readings for temperatures in the range of ~20-30°C. The compensation factor not only corrects for local warming around the unit but also helps correct for any inaccuracy in the sensor itself.
You can insert this new compensation value into the Environment2.py program listed in Pt.1 by changing:

    ta = round((t-(ct-t)*0.8),1)

to

    ta = round((t-(ct-t)*0.3),1)

Another benefit of enclosing the RPi in a case is that this gives more stable temperature readings. Successive readings now typically vary by just 0.1°C as opposed to variations of up to 0.4°C with the previous arrangement (no doubt due to hot air rising from the RPi and circulating under the Sense HAT module).

Apache web server

In order to access the Sense HAT’s readings over the internet, we need to install the Apache2 Web Server and the mod_python module. Mod_python is simply a module that embeds the Python interpreter within the Apache2 server and allows the two to work together.

First, make sure that the system is completely up-to-date:

    sudo apt-get update
    sudo apt-get upgrade
    sudo reboot

You can now install the web server and Python module and get it running. That’s done by opening a Terminal window and entering the following:

Step 1

    sudo apt-get install apache2
    sudo apt-get install libapache2-mod-python

Step 2

    sudo nano /etc/apache2/sites-available/000-default.conf

and add the following lines under the DocumentRoot line (be sure to insert tabs as shown):

	AddHandler mod_python .py
	<Directory /var/www/html>
		DirectoryIndex index.py
		PythonHandler mod_python.publisher
		PythonDebug on
	</Directory>

Once these lines have been added, hit Ctrl-o to save the file and Ctrl-x to exit Nano.

Note: if you don’t feel comfortable using the Nano text editor, then run sudo leafpad from the Terminal, then open and edit the file using the Leafpad GUI text editor.

Step 3

Now add the same lines to /etc/apache2/sites-available/default-ssl.conf for SSL (Secure Socket Layer) support. Connecting using https://<address> instead of http://<address> will give secure communications between your browser and the Apache2 server.
Step 4

We now need to give Apache2 access to the I2C sensors on the Sense HAT. To do this, enter the command

    sudo nano /etc/group

and change the line

    i2c:x:998:pi

to

    i2c:x:998:pi,www-data

Then change

    video:x:44:pi

to

    video:x:44:pi,www-data

Step 5

Next, create a hidden configuration folder for the sensor data:

    sudo mkdir /var/www/.config
    sudo chown www-data /var/www/.config

Step 6

We now enable SSL support by running:

    sudo a2ensite default-ssl
    sudo a2enmod ssl

Note that this will use a self-signed certificate which will require you to add an exception to your browser when you first visit the site.

Step 7

Restart the Apache2 service for the changes to take effect:

    sudo service apache2 restart

If it fails to restart and gives an error indicating a problem with the Python module, check that the entries you added in sites-available/000-default.conf and sites-available/default-ssl.conf are correct. If so, then run:

    sudo a2enmod python

and then run the command to restart the Apache2 service again. Note: the Python module should be enabled when it is installed but if not, the above command will enable it.

Step 8

Check that the Apache2 web server is working. To do that, simply browse to the RPi’s IP address (ie, http://<ipaddress>), either from another computer on the network or on the RPi itself. If you see the default web page as shown in Fig.1, that means it’s working.

Fig.1: the default page for the Apache2 web-server. If you see this, then Apache2 is working correctly.

Step 9

The next step is to get Apache2 working with the Python module to display the Sense HAT readings. That’s done using a program called index.py. You have to download this file (embedded in index.py.zip) from the SILICON CHIP website, unzip it and move it into the RPi’s /var/www/html folder.

The easiest way to do this is to first download the file using the RPi’s web browser. Browse to www.siliconchip.com.au, then click Shop, select Software from the drop-list and left-click the index.py.zip file. The file will immediately download into the pi user’s Downloads folder (/home/pi/Downloads). Navigate to this folder, then right click the zip file to extract its content.

Index.py can now be moved to the required folder as follows:

    sudo mv /home/pi/Downloads/index.py /var/www/html

That’s it! – it should now work. Using a computer on the local network (or the RPi itself), browse to http://<ipaddress> (or optionally use https://<ipaddress> assuming SSL support is enabled, as described above). Temperature, pressure & humidity readings should immediately begin appearing on the web page, as shown on page 54.

By default, the program has a compensation factor of 0.3, updates the reading every five seconds (5s) and displays a maximum of 10 messages at any one time (the messages scroll up the screen). However, you can easily alter these parameters, either in the index.py program itself or by adding switches to the website address, eg:

    http://<ipaddress>/?max_msgs=5
    http://<ipaddress>/?interval=60
    http://<ipaddress>/?compensate=0.4

You can also string these switches together, eg, https://<ipaddress>/?compensate=0.4&max_msgs=5&interval=60 applies a compensation factor of 0.4, shows a maximum of five messages on the screen and updates the readings every 60 seconds.

Step 10

If you plan on making the RPi’s website accessible via the internet, then it’s a good idea to require password access. To do this, run:

    sudo apt-get install apache2-utils
    sudo a2enmod authn_dbm
    sudo htdbm -TSDBM -c /etc/apache2/dbmpasswd <username>
    <enter password>
    sudo chown www-data /etc/apache2/dbmpasswd.pag

Be sure to choose a strong password. It should be a mixture of upper case and lower case letters, numbers and symbols.

That done, go to the two Apache2 configuration files (ie, 000-default.conf and default-ssl.conf) and add the following lines under the lines you added in Steps 2 & 3:

    AuthType basic
    AuthName "private area"
    AuthBasicProvider dbm
    AuthDBMType SDBM
    AuthDBMUserFile /etc/apache2/dbmpasswd
    Require valid-user

Then do:

    sudo service apache2 restart

If you are using passwords, you should also use SSL (ie, set up as per above) and use https:// to access the site, otherwise your password could be intercepted.

Now, whenever you attempt to browse to the RPi’s web server, you will initially be greeted by a dialog box asking you to enter your user-name and password.

Panel: Keeping The Baddies Out

Because it sits behind your router’s hardware firewall (and the software firewall, if enabled), your RPi should be reasonably secure. However, opening port 443 on the router (to enable internet access to the web-server) does provide a potential security problem. That’s why it’s important to choose a strong password for the Apache2 authentication log-in.

Fail2Ban

Despite this, the web-server’s log-in prompt will soon attract brute force attempts to gain access by people running password dictionaries. There’s an easy way to defeat such attacks, though: limit the number of log-in attempts by using an intrusion detection software utility called “Fail2Ban”.

Fail2Ban works by monitoring the logs generated by various services (such as Apache2). If there are too many failed log-in attempts, it then temporarily (or even permanently) bans the offending IP from making further attempts. For example, it can be configured to allow three log-in attempts and, if all are unsuccessful, ban the offending IP for 20 minutes, depending on the settings in the configuration file.

In practice, Fail2Ban sets up a few simple iptables firewall rules (iptables is the utility used to configure Linux firewalls). It then automatically alters these rules after the preset number of failed log-in attempts. By default, it monitors SSH (port 22) only but it’s just a matter of altering its configuration file to include other protocols such as HTTP (port 80) and HTTPS (port 443), as used by Apache2.

An excellent guide on installing and configuring Fail2Ban can be found at www.digitalocean.com/community/tutorials/how-to-protect-an-apache-server-with-fail2ban-on-ubuntu-14-04

It’s just a matter of following this guide to configure it so that, as well as SSH, it also monitors the RPi’s Apache2 server.

Important points

Note that you have to copy the default configuration file to /etc/fail2ban/jail.local. You then edit this new file (it overrides the original configuration file) to set the “bantime”, the maximum number of tries (“maxretry”) and the “findtime” (the time period over which the retries are counted).

The default bantime is 600 seconds but you can increase this (eg, to 1800 seconds) or enter a negative number to ban the offending IP forever.

Note that it’s particularly important to scroll down to the [apache] jail and change the line enabled = false to enabled = true. Fail2Ban will then cover both http and https.

Installing a firewall

Unless you’ve opened up myriad ports on your router, a separate firewall on the RPi (apart from the Fail2Ban rules) isn’t really necessary. However, if you’re a “belts’n’braces” type or you just want to experiment, consider installing Uncomplicated Firewall (UFW) which is an easy-to-use iptables configuration utility.

The following website has the basics on UFW’s installation and usage: www.digitalocean.com/community/tutorials/how-to-set-up-a-firewall-with-ufw-on-ubuntu-14-04

Of course, all bets are off if you decide to add the RPi to your router’s DMZ (demilitarised zone). Placing it in the DMZ means that it cannot contact other devices on your internal LAN in the event that it’s compromised (it’s added to the DMZ by logging into your router and going to the DMZ set-up page).

The downside is that all ports on the router will then be forwarded to the RPi, so it’s wide open. As a result, a firewall is then an absolute must.

In practice, you would set up the firewall to initially block all incoming ports. You then create rules to open port 443 (for https) and port 22 (or whatever you change it to; see the panel “Connecting Via SSH & VNC”) if you want to connect via SSH (secure shell).

Accessing it via the internet

In order to access the RPi’s web server over the internet, you have to do the following:

(1) assign a fixed IP address to the RPi (by default, it has a dynamic IP that’s assigned by the router’s DHCP server);
(2) set up a port forward on your router; and
(3) determine your public IP address.

The easiest way to fix the RPi’s IP address is to assign an IP to its MAC address (or “Hwaddr”) in the router. A MAC address is simply a unique code consisting of 12 hexadecimal characters that’s assigned to every network device, such as a WiFi dongle.

To discover the MAC address of your RPi’s WiPi dongle, run ifconfig in a Terminal window; the address consists of the 12 characters immediately following “Hwaddr” under wlan0.
That done, log into your router and look for the DHCP set-up page, LAN IP page or similar. You can then enter the Wi-Pi’s MAC address and assign it an IP. The router’s DHCP server will then always hand out that IP to the RPi (ie, it will remain fixed). Fig.2 shows the set-up on a Netgear cable modem/router.

Fig.2: you can fix the RPi’s IP address by entering it against its MAC address in your router. Running the ifconfig command on the RPi gives you the MAC address.

The next step is to set up port forwarding. Basically, a firewall is built into the modem/router. In order to make a connection to the RPi’s web server, you have to open up (or forward) the relevant port in this firewall so that data can pass through.

By default, Apache2 uses port 443 for https (port 80 for http) and this must be forwarded to the RPi’s fixed IP address. To do this, navigate to the router’s port forwarding set-up page, enter the relevant port number and IP details and click “Add” (or similar).

Fig.3 shows the set-up for a Netgear cable modem/router. As can be seen, port 443 has been forwarded for https, the RPi’s fixed IP address is 192.168.1.20 (yours may be different) and TCP is used for the protocol. Other routers will have similar menus.

Similarly, port 9630 has been forwarded for SSH (secure shell) access (see panel: Connecting Via SSH & VNC).

Fig.3: you also have to set-up port forwarding in the router to provide internet access to the RPi’s web-server and the SSH service (see text).

Once you’ve configured the router, save the set-up and logout. You may also have to restart the router for the settings to take effect.

The last step is to obtain your public IP address. That’s easy – browse to www.whatismyip.com/ and your public IP will be displayed.

If you now enter https://<yourpublicIPaddress> in a web browser on your PC, the login dialog for your RPi should immediately appear. Enter your user-name and password (ie, for the Apache2 server), and the Sense HAT readings should immediately begin scrolling down the page.

Note, however, that some home routers don’t support “loopback”, whereby you can use your WAN IP to connect to a computer on your local network. If that’s the case, try logging in using a computer that’s outside your LAN or switch off the WiFi on your smartphone and try connecting via its browser.

Dynamic DNS (DDNS)

One weakness of the above scheme is that, unless you’ve been issued with a static address by your ISP, your WAN (wide area network) IP address is likely to change over time. And if it does change, you will not be able to log onto the RPi over the internet until you check the new address from your local network.

In many cases, that’s not likely to be much of an inconvenience. Provided you leave your modem/router on, your WAN (or public) IP may stay the same for weeks, months or even years. However, inevitably, it will change. The modem/router may pick up a new IP when it’s restarted after being switched off for some time or when it comes back online after a blackout, for example.

The way around this is to sign up to a DDNS service. DDNS stands for “Dynamic Domain Name Server” and it allows you to log onto your home network without knowing its WAN IP. Instead, the DDNS automatically keeps track of your WAN IP (even when it changes) and allows you to connect using a domain name. A domain name also has the advantage of being much easier to remember than a WAN IP.

The way in which DDNS works is straightforward; either your router or a computer on your network periodically checks the WAN IP (eg, every five minutes) and updates the DDNS service. So if your WAN IP changes, the DDNS will quickly be informed of the new address and you will be able to log onto your home network without too much delay (provided, of course, it’s not down due to a blackout).

DuckDNS

Two of the most popular free DDNS services in the past have been DynDNS and No-IP. You can still use these but note that DynDNS is no longer free, while No-IP nags you to confirm your hostname every 30 days (unless you sign up for a paid version).

These two DDNS services are supported by many routers, although many older Netgear routers only support DynDNS. If your router supports your preferred DDNS service, then you can use the router itself to update the DDNS. That can be an advantage because you don’t need to leave a computer running on the network to do the job.

A great free DDNS alternative is Duck DNS at www.duckdns.org. In most cases, it won’t be supported by your router but there’s an easy answer to that problem – use the RPi itself to run a script to update the Duck DNS server.

To set up Duck DNS, sign in on their home page using your Google, Twitter, Facebook (or other) account (Fig.4), then give Duck DNS permission to discover your email address and WAN IP. You then enter your desired hostname into a dialog box and if it hasn’t already been taken, it’s yours and you will also be assigned a “token”.

You should now be able to connect to your RPi using the domain name, ie https://yourhostname.duckdns.org

Fig.4: Duck DNS is a free dynamic DNS provider. You simply sign in using your Google (or other) account and choose a hostname. You can then access the RPi’s server over the internet using https://hostname.duckdns.org

Fig.5: once you have your hostname, open the Install page, click the “pi” button and follow the instructions to create the duck.sh script file and the Cron job (see text).

Fig.6: setting up the Cron job on the RPi. Once set-up is complete, it runs the script file every five minutes to update the Duck DNS server with your WAN IP address.

Next, you need to configure the Raspberry Pi so that it periodically contacts the Duck DNS server to update the WAN IP.
That’s done using what’s known as a “Cron job” (Cron is the name given to a software-based job scheduler that’s used in Linux). Duck DNS makes this easy:

(1) click the “install” menu at the top of their webpage;
(2) click the “pi” button under Operating Systems;
(3) select your given hostname under “first step – choose a domain”; and
(4) follow the instructions to create the necessary script file and the Cron job (see Fig.5 & Fig.6).

Note that if you are working directly on the RPi, there’s no need to run the ssh command line – just open a Terminal window and kick off with mkdir duckdns (do not use sudo). This will create a /duckdns folder under your /pi user folder.

You may be more comfortable using Nano or even the Leafpad GUI text editor rather than the vi text editor to create the duck.sh file (eg, nano duck.sh instead of vi duck.sh). In addition, note that you don’t have to run the last command listed (sudo service cron start) for the Raspbian operating system.

Provided it returned “OK” when you ran cat duck.log as instructed, your RPi will now update the DuckDNS server with your WAN IP every five minutes. What’s more, you will now be able to log into your RPi over the internet using your domain name rather than a cumbersome and easy-to-forget WAN IP address.

How secure is it?

So how secure is the whole set-up? The answer is about as secure as the strength of your password unless you lock it down.

Fortunately, there are a few simple steps you can take to lock your RPi down, so that you don’t get hacked. Take a look at the accompanying panels: “Keeping The Baddies Out” and “Connecting Via SSH & VNC”.

Panel: Connecting Via SSH & VNC

If you want to control your RPi over the internet, it’s best to log-in via SSH (secure shell). This gives a secure command line interface, provided you’ve chosen a secure user password for your RPi. SSH is enabled by default when Raspbian is installed but can be disabled (or enabled again) using raspi-config.

You can stick with SSH’s port 22 default if you like but we recommend that you change it to something else. If port 22 is forwarded on the router, it will quickly be found and bombarded by hackers making repeated attempts to SSH their way in using brute-force methods.

While Fail2Ban will quickly deal with this, changing the port number will drastically reduce the number of unauthorised log-in attempts in the first place, simply because the default SSH port is not being used.

It’s best to choose a high port number, eg, 9321, 9630 or 10101, or similar. That’s done by editing the sshd_config configuration file:

    sudo nano /etc/ssh/sshd_config

Change the Port 22 line to the new port number (eg, Port 9321). Then do:

    sudo service ssh restart

You can then log-in to your router and forward the port to provide SSH access into the RPi over the internet.

Mac and Linux machines both natively support SSH but a Windows PC will require the installation of an SSH client such as PuTTY. Download the putty.exe file from www.putty.org/, then right-click the file and drag a shortcut onto the desktop.

You’re now set to SSH into the RPi: launch PuTTY, enter either your host name (eg, yourhostname.duckdns.org) or your WAN IP address, then enter the port number and click the Open button. This will bring up a terminal window and it’s then just a matter of logging in with your RPi’s user name and password (see Fig.7).

From there, you can control the RPi by entering commands, just as if you were directly using the RPi’s terminal. Entering exit or Ctrl-D closes the connection and the terminal window.

Using VNC Over the Internet

Directly accessing the RPi over the internet using VNC can be a security risk since all traffic apart from the password (which is limited to just eight characters) is unencrypted. You would also have to open up port 5901 on the router and again that’s bound to attract brute-force authentication attempts.

The way around this is to tunnel the VNC connection via an SSH log-in. SSH ensures that all data is encrypted and, as a bonus, you don’t have to open up additional ports on the router.

Setting it up and connecting is a breeze:

(1) Launch PuTTY, enter in your host name (or WAN IP address) and the port number (Fig.7);
(2) Enter a session name in Saved Sessions;
(3) In the left-hand panel, expand the entries under SSH and select Tunnels;
(4) In the resulting dialog, enter 5901 in Source port and localhost:5901 in Destination, then click Add. These entries will then be loaded into Forwarded ports (Fig.8);
(5) In the left-hand pane, click Session, then click the Save button.

That’s it! – double-click the Saved Session in PuTTY (or select it and click Load, Open) and log in. You can now securely connect to the RPi’s VNC server via the SSH tunnel by launching TightVNC and entering localhost:1 in the VNC Server field (Fig.9).

Fig.7: setting up a saved session in PuTTY, the Windows SSH client. Note that the RPi’s SSH port number was changed from 22 (the default) to 9630.

Fig.8: here’s how to set up an SSH tunnel in PuTTY for a VNC connection.

Fig.9: you can now connect to the RPi via SSH, then connect via TightVNC by entering localhost:1 for the Remote Host.

Panel: Browsing Confined To A LAN

If you’re going to be browsing to your RPi’s web-server over your local network (LAN) only, then there’s no need for password authentication. In that case, you can leave out all of Step 10 and simply browse to the server using http://<ipaddress>

Confining access to the local network also means that there’s no need to open up the relevant port on your router. In fact, you should leave that port closed if you don’t require external access.
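The way the "maxretry", "findtime" and "bantime" settings described in the “Keeping The Baddies Out” panel interact, as an added Python example (this is not Fail2Ban's own code and not part of the original article). The log lines are constructed samples in the Apache 2.4 error-log layout, and parse_failures, find_bans and banned_at are hypothetical helper names.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import NamedTuple, Optional

# Constructed sample lines (Apache 2.4 error-log layout). The client addresses
# are documentation-range IPs; nothing here comes from a real server.
SAMPLE_LOG = """\
[Sat Feb 06 10:00:00.000000 2016] [auth_basic:error] [pid 2101] [client 198.51.100.7:40110] AH01617: user pi: authentication failure for "/": Password Mismatch
[Sat Feb 06 10:15:01.120000 2016] [auth_basic:error] [pid 2101] [client 203.0.113.5:51200] AH01618: user admin not found: /
[Sat Feb 06 10:15:04.480000 2016] [auth_basic:error] [pid 2102] [client 203.0.113.5:51202] AH01617: user root: authentication failure for "/": Password Mismatch
[Sat Feb 06 10:15:09.910000 2016] [auth_basic:error] [pid 2101] [client 203.0.113.5:51207] AH01617: user pi: authentication failure for "/": Password Mismatch
[Sat Feb 06 10:16:00.000000 2016] [mpm_prefork:notice] [pid 2100] AH00163: Apache/2.4.10 (Raspbian) configured -- resuming normal operations
[Sat Feb 06 10:20:00.000000 2016] [auth_basic:error] [pid 2103] [client 198.51.100.7:40188] AH01617: user pi: authentication failure for "/": Password Mismatch
[Sat Feb 06 10:40:00.000000 2016] [auth_basic:error] [pid 2104] [client 203.0.113.5:51990] AH01617: user pi: authentication failure for "/": Password Mismatch
[Sat Feb 06 10:40:02.000000 2016] [auth_basic:error] [pid 2104] [client 203.0.113.5:51992] AH01617: user pi: authentication failure for "/": Password Mismatch
[Sat Feb 06 10:40:05.000000 2016] [auth_basic:error] [pid 2105] [client 203.0.113.5:51995] AH01617: user pi: authentication failure for "/": Password Mismatch
"""

# Matches only failed basic-auth log-ins (wrong password or unknown user).
AUTH_FAIL = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[auth_basic:error\] \[pid [^\]]+\] "
    r"\[client (?P<ip>\S+):\d+\] AH0161[78]: "
)


class Ban(NamedTuple):
    ip: str
    start: datetime
    end: Optional[datetime]  # None means the ban never expires


def parse_failures(log_text):
    """Return (timestamp, client_ip) for every failed log-in line."""
    events = []
    for line in log_text.splitlines():
        m = AUTH_FAIL.match(line)
        if m:
            when = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S.%f %Y")
            events.append((when, m["ip"]))
    return events


def find_bans(events, maxretry=3, findtime=600, bantime=1200):
    """Ban an IP once it has maxretry failures inside findtime seconds.

    bantime is the ban length in seconds; a negative value bans forever,
    as described in the panel.
    """
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)  # ip -> failure times still inside findtime
    current = {}                 # ip -> most recent Ban for that ip
    bans = []
    for when, ip in sorted(events):
        ban = current.get(ip)
        if ban and (ban.end is None or when < ban.end):
            continue  # still banned: the firewall rule would drop this client
        times = recent[ip]
        times.append(when)
        while times[0] < when - window:  # forget failures older than findtime
            times.popleft()
        if len(times) >= maxretry:
            end = None if bantime < 0 else when + timedelta(seconds=bantime)
            current[ip] = Ban(ip, when, end)
            bans.append(current[ip])
            times.clear()
    return bans


def banned_at(bans, when):
    """IPs whose ban is in force at the given time."""
    return sorted({b.ip for b in bans
                   if b.start <= when and (b.end is None or when < b.end)})


if __name__ == "__main__":
    for ban in find_bans(parse_failures(SAMPLE_LOG)):
        until = ban.end.time() if ban.end else "forever"
        print(f"{ban.ip} banned at {ban.start.time()} until {until}")
```

With the defaults used here (three tries, 10-minute findtime, 20-minute ban), the client with occasional mistyped passwords spaced 20 minutes apart is never banned, while the client with three failures in a few seconds is banned twice; with a negative bantime the first ban is permanent.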