This is only a preview of the February 2016 issue of Silicon Chip.
Fig.1: the temperature, pressure and humidity sensor readings as they appear on a web
page. You can browse to these readings over your local network and via the internet.
RPi-based temperature, humidity & pressure sensor
Getting our Raspberry Pi working with the Sense HAT sensor
module was only the first step. This month, we show you how to
install the system in a clear acrylic case and stream the sensor
readings to a web-server so that you can easily access them over the
internet (and on your local network) via a web browser.
LAST MONTH, we got our Raspberry Pi up and running, connected it to a local WiFi network, plugged
in the Sense HAT module and ran some simple programs to measure temperature, pressure & humidity.
We also showed you how to stream the RPi’s desktop
to another computer on the network, so that it can be
run “headless” (ie, without a keyboard, monitor and
mouse).
One problem we ran into was that the temperature
readings were skewed by heat from the Raspberry Pi
module. The Sense HAT module was plugged directly
into the RPi’s I/O connector, which meant that it sat
directly above the RPi’s ARM Cortex A7 CPU which
typically runs with a core temperature of about 45°C
(in 23°C ambient). We corrected for this by introducing a compensation factor into our Python temperature
measuring software but this was only valid over a fairly
narrow temperature range.
The obvious answer was to separate the two modules
by plugging the Sense HAT into the RPi via stackable
headers. In addition, by mounting the RPi in a case, the
underside of the Sense HAT module would be partially
shielded from the heat generated by the RPi’s ARM processor and any other on-board parts, such as the GPU.
So that’s what we’ve done. We chose to fit the RPi
module in a clear acrylic case from Core Electronics
(Cat. 018-RASP-PI+CASE1). It costs just $8.50 (plus
p&p) and comes as a flat pack; you just clip it together
to assemble it.
This case has a cut-out slot along one edge of the lid
immediately above the RPi’s I/O header, so that external modules can be plugged in via stackable headers.
Pt.2: By Greg Swain
Additional Parts Required
1 acrylic case, Core Electronics SKU: 018-RASP-PI+CASE1 (for Raspberry Pi B+)*
1 stackable female header with spacers, Core Electronics SKU: POLOLU-2749*
1 stackable header, Core Electronics SKU: POLOLU-2748*
2 M3 x 12mm tapped Nylon spacers
2 M3 x 8mm tapped Nylon spacers
2 M3 x 15mm machine screws
* www.core-electronics.com.au for case and header parts
Above: the Raspberry Pi module
is housed in a clear acrylic case,
while the Sense HAT module rests
above the case lid. It plugs into the
RPi via two stackable headers.
It also has a slot in the lid above the camera interface
connector and another slot at one end above the display
interface connector.
Before clipping the case together, it’s necessary to
cover the slot for the camera interface connector (the
one adjacent to the HDMI connector) to prevent warm
air from the RPi reaching the underside of the Sense
HAT module. We used a 25 x 20mm piece of clear
acrylic with 3mm-diameter holes drilled on either side.
A couple of matching holes were then drilled in the lid
and the cover secured in place using M3 x 10mm
machine screws, nuts and washers.
The case we obtained had no hole in the lid for a fan.
However, the case shown on Core Electronics’ website
now includes a hole for a 40mm fan and if your case
has this cut-out, then this will have to be covered as
well. In fact, it would be best to cut a single piece of
acrylic sheet to cover both the fan cut-out and the slot
for the camera interface.
One minor problem we found with the case was that
the hole for the micro-USB power connector wasn’t
quite large enough. In practice, it blocked the insulated
body at the end of the connector, preventing it from
being pushed home far enough into the RPi’s power
socket to stop it falling out. That problem was solved by
carefully enlarging the hole using a small file set.
There’s a useful trick when doing this. First, trace the
side piece, including its cut-outs, onto a piece of paper,
then carefully measure your micro-USB power connector and enlarge the traced outline for this connector
accordingly. The side piece can then be carefully filed
until the cut-out matches the paper template.
Depending on your HDMI cable, you may also have
to do the same for its socket cut-out.
Once you’ve done this work, the case can be assembled but take your time to figure out how it goes together. In particular, the lid must be fitted before the second
side piece is installed (see core-electronics.com.au/ultimate-case-box-enclosure-combo-for-raspberry-pi-b.html).
The end piece with the cut-outs for the ethernet
and USB sockets can be fitted last, just after the RPi
module is slid into position. Make sure that this end
piece is attached the right way around, otherwise you
will not be able to access all the USB sockets.
If you do make a mistake, it’s easy to pull the case
apart – just lift up the clips at the bottom on either side
of an end piece and slip the piece off. The other end
piece can then be removed in the same manner.
Stackable headers
Two stackable headers are used to lift the Sense HAT module clear of the RPi and these are listed in the accompanying parts list. They can be fitted to the RPi in either order, although it’s probably best to have the tall unit on top. The standard unit has longer exposed pins when everything is plugged in and these are best contained inside the case.
The slot in the lid is fitted with a cover made from scrap acrylic sheet, to help shield the underside of the Sense HAT PCB from the heat generated by the RPi’s ARM7 processor.
This view shows the completed RPi assembly before the Sense HAT module is fitted. The holes in the side of the case for the power and HDMI sockets were enlarged using a file set. Take care with the case assembly – see text.
Before connecting the Sense HAT, it’s necessary to
attach Nylon spacers to the two mounting holes on
the side opposite the header. Two spacers are required
in each position, one M3 x 12mm and the other M3 x
9mm, and these are attached to the Sense HAT using
M3 x 15mm machine screws.
There’s really no need to attach the spacers to the
case lid; they can simply rest on the lid when the Sense
HAT is plugged into the header.
Alternatively, if you’re fussy, you can drill a couple
of holes in the lid and attach the 12mm spacers using
M3 x 9mm machine screws. The M3 x 9mm spacers
can then be drilled out (to remove the thread) and the
assembly then secured at each corner using M3 x 15mm
machine screws.
Better accuracy
By enclosing the RPi module in the case, its heat no
longer has such a large effect on the temperature readings. There is still some degree of warming around the
unit though, and the Sense HAT unit itself also slightly
contributes to this, but the result is that the readings are
more accurate than before.
At switch on from cold (23°C ambient), our unit’s
temperature readings were about 0.3°C high without
compensation but this increased to about 4.3°C after the
unit had been on some time and had reached a stable
operating temperature. They were previously around
10°C or more too high, so that’s quite an improvement.
This means that a much lower compensation value
is now required to correct the temperature reading.
Whereas previously a compensation value of around
0.8 was required, a value somewhere around 0.35 will
now give reasonably accurate readings for temperatures
in the range of ~20-30°C. The compensation factor not
only corrects for local warming around the unit but also
helps correct for any inaccuracy in the sensor itself.
You can insert this new compensation value into the
Environment2.py program listed in Pt.1 by changing:
ta = round((t-(ct-t)*0.8),1)
to
ta = round((t-(ct-t)*0.3),1)
Another benefit of enclosing the RPi in a case is that
this gives more stable temperature readings. Successive
readings now typically vary by just 0.1°C as opposed to
variations of up to 0.4°C with the previous arrangement
(no doubt due to hot air rising from the RPi and circulating under the Sense HAT module).
Apache web server
In order to access the Sense HAT’s readings over the
internet, we need to install the Apache2 Web Server
and the mod_python module. Mod_python is simply a
module that embeds the Python interpreter within the
Apache2 server and allows the two to work together.
First, make sure that the system is completely up-to-date:
sudo apt-get update
sudo apt-get upgrade
sudo reboot
You can now install the web server and Python
module and get it running. That’s done by opening a
Terminal window and entering the following:
Step 1
sudo apt-get install apache2
sudo apt-get install libapache2-mod-python
Step 2
sudo nano /etc/apache2/sites-available/000-default.conf
and add the following lines under the DocumentRoot
line (be sure to insert tabs as shown):
	AddHandler mod_python .py
	<Directory /var/www/html>
		DirectoryIndex index.py
		PythonHandler mod_python.publisher
		PythonDebug on
	</Directory>
Once these lines have been added, hit Ctrl-o to save
the file and Ctrl-x to exit Nano. Note: if you don’t feel
comfortable using the Nano text editor, then run sudo
leafpad from the Terminal, then open and edit the file
using the Leafpad GUI text editor.
Step 3
Now add the same lines to /etc/apache2/sites-available/default-ssl.conf for SSL (Secure Socket Layer)
support. Connecting using https://<address> instead of
http://<address> will give secure communications between your browser and the Apache2 server.
Step 4
We now need to give Apache2 access to the I2C sensors on the Sense HAT. To do this, enter the command
sudo nano /etc/group and change the line
i2c:x:998:pi to i2c:x:998:pi,www-data
Then change
video:x:44:pi to video:x:44:pi,www-data
Step 5
Next, create a hidden configuration folder for the
sensor data:
sudo mkdir /var/www/.config
sudo chown www-data /var/www/.config
Step 6
We now enable SSL support by running:
sudo a2ensite default-ssl
sudo a2enmod ssl
Note that this will use a self-signed certificate which
will require you to add an exception to your browser
when you first visit the site.
Step 7
Restart the Apache2 service for the changes to take
effect:
sudo service apache2 restart
If it fails to restart and gives an error indicating a
problem with the Python module, check that the entries
you added in sites-available/000-default.conf and
sites-available/default-ssl.conf are correct. If so, then
run:
sudo a2enmod python
and then run the command to restart the Apache2 service again. Note: the Python module should be enabled
when it is installed but if not, the above command will
enable it.
Step 8
Check that the Apache2 web server is working. To
do that, simply browse to the RPi’s IP address (ie,
http://<ipaddress>), either from another computer on the
network or on the RPi itself. If you see the default web
page as shown in Fig.1, that means it’s working.
Fig.1: the default page for the Apache2 web-server. If you see this, then Apache2 is working correctly.
Keeping The Baddies Out
Because it sits behind your router’s hardware firewall (and the software firewall, if enabled), your RPi should be reasonably secure. However, opening port 443 on the router (to enable internet access to the web-server) does provide a potential security problem. That’s why it’s important to choose a strong password for the Apache2 authentication log-in.
Fail2Ban
Despite this, the web-server’s log-in prompt will soon attract brute force attempts to gain access by people running password dictionaries. There’s an easy way to defeat such attacks, though: limit the number of log-in attempts by using an intrusion detection software utility called “Fail2Ban”.
Fail2Ban works by monitoring the logs generated by various services (such as Apache2). If there are too many failed log-in attempts, it then temporarily (or even permanently) bans the offending IP from making further attempts. For example, it can be configured to allow three log-in attempts and, if all are unsuccessful, ban the offending IP for 20 minutes, depending on the settings in the configuration file.
In practice, Fail2Ban sets up a few simple iptables firewall rules (iptables is the utility used to configure Linux firewalls). It then automatically alters these rules after the preset number of failed log-in attempts. By default, it monitors SSH (port 22) only but it’s just a matter of altering its configuration file to include other protocols such as HTTP (port 80) and HTTPS (port 443), as used by Apache2.
An excellent guide on installing and configuring Fail2Ban can be found at www.digitalocean.com/community/tutorials/how-to-protect-an-apache-server-with-fail2ban-on-ubuntu-14-04
It’s just a matter of following this guide to configure it so that, as well as SSH, it also monitors the RPi’s Apache2 server.
Important points
Note that you have to copy the default configuration file to /etc/fail2ban/jail.local. You then edit this new file (it overrides the original configuration file) to set the “bantime”, the maximum number of tries (“maxretry”) and the “findtime” (the time period over which the retries are counted). The default bantime is 600 seconds but you can increase this (eg, to 1800 seconds) or enter a negative number to ban the offending IP forever.
Note that it’s particularly important to scroll down to the [apache] jail and change the line enabled = false to enabled = true. Fail2Ban will then cover both http and https.
Installing a firewall
Unless you’ve opened up myriad ports on your router, a separate firewall on the RPi (apart from the Fail2Ban rules) isn’t really necessary. However, if you’re a “belts’n’braces” type or you just want to experiment, consider installing Uncomplicated Firewall (UFW) which is an easy-to-use iptables configuration utility.
The following website has the basics on UFW’s installation and usage: www.digitalocean.com/community/tutorials/how-to-set-up-a-firewall-with-ufw-on-ubuntu-14-04
Of course, all bets are off if you decide to add the RPi to your router’s DMZ (demilitarised zone). Placing it in the DMZ means that it cannot contact other devices on your internal LAN in the event that it’s compromised (it’s added to the DMZ by logging into your router and going to the DMZ set-up page).
The downside is that all ports on the router will then be forwarded to the RPi, so it’s wide open. As a result, a firewall is then an absolute must.
In practice, you would set up the firewall to initially block all incoming ports. You then create rules to open port 443 (for https) and port 22 (or whatever you change it to; see the panel “Connecting Via SSH & VNC”) if you want to connect via SSH (secure shell).
Step 9
The next step is to get Apache2 working with the Python module to display the Sense HAT readings. That’s done using a program called index.py. You have to download this file (embedded in index.py.zip) from the SILICON CHIP website, unzip it and move it into the RPi’s /var/www/html folder.
The easiest way to do this is to first download the file using the RPi’s web browser. Browse to www.siliconchip.com.au, then click Shop, select Software from the drop-list and left-click the index.py.zip file. The file will immediately download into the /home/pi/Downloads folder. Navigate to this folder, then right click the zip file to extract its content.
Index.py can now be moved to the required folder as follows:
sudo mv /home/pi/Downloads/index.py /var/www/html
That’s it! – it should now work. Using a computer on the local network (or the RPi itself), browse to http://<ipaddress> (or optionally use https://<ipaddress> assuming SSL support is enabled, as described above). Temperature, pressure & humidity readings should immediately begin appearing on the web page, as shown on page 54.
By default, the program has a compensation factor of 0.3, updates the reading every five seconds (5s) and displays a maximum of 10 messages at any one time (the messages scroll up the screen). However, you can easily alter these parameters, either in the index.py program itself or by adding switches to the website address, eg:
http://<ipaddress>/?max_msgs=5
http://<ipaddress>/?interval=60
http://<ipaddress>/?compensate=0.4
You can also string these switches together, eg, https://<ipaddress>/?compensate=0.4&max_msgs=5&interval=60 applies a compensation factor of 0.4, shows a maximum of five messages on the screen and updates the readings every 60 seconds.
Step 10
If you plan on making the RPi’s website accessible via the internet, then it’s a good idea to require password access. To do this, run:
sudo apt-get install apache2-utils
sudo a2enmod authn_dbm
sudo htdbm -TSDBM -c /etc/apache2/dbmpasswd <username>
<enter password>
sudo chown www-data /etc/apache2/dbmpasswd.pag
Be sure to choose a strong password. It should be a mixture of upper case and lower case letters, numbers and alphanumeric symbols.
That done, go to the two Apache2 configuration files (ie, 000-default.conf and default-ssl.conf) and add the following lines under the lines you added in Steps 2 & 3:
AuthType basic
AuthName "private area"
AuthBasicProvider dbm
AuthDBMType SDBM
AuthDBMUserFile /etc/apache2/dbmpasswd
Require valid-user
Then do: sudo service apache2 restart
If you are using passwords, you should also use SSL (ie, set up as per above) and use https:// to access the site, otherwise your password could be intercepted.
Now, whenever you attempt to browse to the RPi’s web server, you will initially be greeted by a dialog box asking you to enter your user-name and password.
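The URL switches from Step 9 (compensate, max_msgs and interval) arrive as untrusted text once the page is reachable from the internet. As an added example (not the index.py supplied by SILICON CHIP, whose source is not shown here), this sketch parses the three switches against range limits and applies the compensation formula quoted from Environment2.py. The function names and the limits are assumptions, and ct is assumed to be the CPU temperature.

```python
import math
from urllib.parse import parse_qs

# Defaults quoted in the article: factor 0.3, 5 s refresh, 10 messages.
DEFAULTS = {"compensate": 0.3, "interval": 5, "max_msgs": 10}

# Assumed limits (not from the article): out-of-range values are clamped so a
# crafted URL cannot request a zero-second refresh or an unbounded page.
LIMITS = {
    "compensate": (0.0, 1.0),
    "interval": (1, 3600),
    "max_msgs": (1, 100),
}


def parse_switches(query):
    """Return validated settings from a query string such as
    'compensate=0.4&max_msgs=5&interval=60'.

    Unknown switches are ignored; values that cannot be parsed, or that are
    not finite numbers, leave the default in place.
    """
    raw = parse_qs(query)
    settings = dict(DEFAULTS)
    for name, default in DEFAULTS.items():
        values = raw.get(name)
        if not values:
            continue
        cast = float if isinstance(default, float) else int
        try:
            value = cast(values[-1])  # last occurrence wins
        except ValueError:
            continue  # e.g. interval=abc or max_msgs=5.5
        if isinstance(value, float) and not math.isfinite(value):
            continue  # float() accepts 'nan' and 'inf'; reject both
        low, high = LIMITS[name]
        settings[name] = min(max(value, low), high)
    return settings


def compensated_temp(t, ct, factor):
    """The article's correction: ta = round((t-(ct-t)*factor),1).

    t is the Sense HAT reading; ct is assumed to be the CPU temperature.
    """
    return round(t - (ct - t) * factor, 1)


if __name__ == "__main__":
    # Constructed requests: the article's own example, then a hostile one.
    for q in ("compensate=0.4&max_msgs=5&interval=60",
              "interval=0&max_msgs=999999&compensate=nan"):
        s = parse_switches(q)
        print(q, "->", s, compensated_temp(27.3, 40.0, s["compensate"]))
```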
Accessing it via the internet
In order to access the RPi’s web server over the internet, you have to do the following:
(1) assign a fixed IP address to the RPi (by default, it
has a dynamic IP that’s assigned by the router’s DHCP
server);
(2) set up a port forward on your router; and
(3) determine your public IP address.
The easiest way to fix the RPi’s IP address is to assign an IP to its MAC address (or “Hwaddr”) in the router. A MAC address is simply a unique code consisting of 12 hexadecimal characters that’s assigned to every network device, such as a WiFi dongle. To discover the MAC address of your RPi’s Wi-Pi dongle, run ifconfig in a Terminal window; the address consists of the 12 characters immediately following “Hwaddr” under wlan0.
That done, log into your router and look for the DHCP set-up page, LAN IP page or similar. You can then enter the Wi-Pi’s MAC address and assign it an IP. The router’s DHCP server will then always hand out that IP to the RPi (ie, it will remain fixed). Fig.2 shows the set-up on a Netgear cable modem/router.
Fig.2: you can fix the RPi’s IP address by entering it against its MAC address in your router. Running the ifconfig command on the RPi gives you the MAC address.
The next step is to set up port forwarding. Basically, a firewall is built into the modem/router. In order to make a connection to the RPi’s web server, you have to open up (or forward) the relevant port in this firewall so that data can pass through.
By default, Apache2 uses port 443 for https (port 80 for http) and this must be forwarded to the RPi’s fixed IP address. To do this, navigate to the router’s port forwarding set-up page, enter the relevant port number and IP details and click “Add” (or similar).
Fig.3 shows the set-up for a Netgear cable modem/router. As can be seen, port 443 has been forwarded for https, the RPi’s fixed IP address is 192.168.1.20 (yours may be different) and TCP is used for the protocol. Other routers will have similar menus.
Similarly, port 9630 has been forwarded for SSH (secure shell) access (see panel: Connecting Via SSH & VNC).
Fig.3: you also have to set-up port forwarding in the router to provide internet access to the RPi’s web-server and the SSH service (see text).
Once you’ve configured the router, save the set-up and logout. You may also have to restart the router for the settings to take effect.
The last step is to obtain your public IP address. That’s easy – browse to www.whatismyip.com/ and your public IP will be displayed.
If you now enter https://<yourpublicIPaddress> in a web browser on your PC, the login dialog for your RPi should immediately appear. Enter your user-name and password (ie, for the Apache2 server), and the Sense HAT readings should immediately begin scrolling down the page.
Note, however, that some home routers don’t support “loopback”, whereby you can use your WAN IP to connect to a computer on your local network. If that’s the case, try logging in using a computer that’s outside your LAN or switch off the WiFi on your smartphone and try connecting via its browser.
Dynamic DNS (DDNS)
One weakness of the above scheme is that, unless you’ve been issued with a static address by your ISP, your WAN (wide area network) IP address is likely to change over time. And if it does change, you will not be able to log onto the RPi over the internet until you check the new address from your local network.
In many cases, that’s not likely to be much of an inconvenience. Provided you leave your modem/router on, your WAN (or public) IP may stay the same for weeks, months or even years. However, inevitably, it will change. The modem/router may pick up a new IP when it’s restarted after being switched off for some time or when it comes back online after a blackout, for example.
The way around this is to sign up to a DDNS service. DDNS stands for “Dynamic Domain Name Server” and it allows you to log onto your home network without knowing its WAN IP. Instead, the DDNS automatically keeps track of your WAN IP (even when it changes) and allows you to connect using a domain name. A domain name also has the advantage of being much easier to remember than a WAN IP.
The way in which DDNS works is straightforward; either your router or a computer on your network periodically checks the WAN IP (eg, every five minutes) and updates the DDNS service. So if your WAN IP changes, the DDNS will quickly be informed of the new address and you will be able to log onto your home network without too much delay (provided, of course, it’s not down due to a blackout).
Fig.4: Duck DNS is a free dynamic DNS provider. You simply sign in using your Google (or other) account and choose a hostname. You can then access the RPi’s server over the internet using https://hostname.duckdns.org
Fig.5: once you have your hostname, open the Install page, click the “pi” button and follow the instructions to create the duck.sh script file and the Cron job (see text).
DuckDNS
Two of the most popular free DDNS services in the past have been DynDNS and No-IP. You can still use these but note that DynDNS is no longer free, while No-IP nags you to confirm your hostname every 30 days (unless you sign up for a paid version).
These two DDNS services are supported by many routers, although many older Netgear routers only support DynDNS. If your router supports your preferred DDNS service, then you can use the router itself to update the DDNS. That can be an advantage because you don’t need to leave a computer running on the network to do the job.
A great free DDNS alternative is Duck DNS at www.duckdns.org. In most cases, it won’t be supported by your router but there’s an easy answer to that problem – use the RPi itself to run a script to update the Duck DNS server.
Fig.6: setting up the Cron job on the RPi. Once set-up is complete, it runs the script file every five minutes to update the Duck DNS server with your WAN IP address.
To set up Duck DNS, sign in on their home page using your Google, Twitter, Facebook (or other) account
(Fig.4), then give Duck DNS permission to discover
your email address and WAN IP. You then enter your
desired hostname into a dialog box and if it hasn’t
already been taken, it’s yours and you will also be assigned a “token”.
You should now be able to connect to your RPi using
the domain name, ie https://yourhostname.duckdns.org
Next, you need to configure the Raspberry Pi so that it periodically contacts the Duck DNS server to update the WAN IP. That’s done using what’s known as a “Cron job” (Cron is the name given to a software-based job scheduler that’s used in Linux). Duck DNS makes this easy:
(1) click the “install” menu at the top of their webpage;
(2) click the “pi” button under Operating Systems;
(3) select your given hostname under “first step –
choose a domain”; and
(4) follow the instructions to create the necessary script
file and the Cron job (see Fig.5 & Fig.6).
Note that if you are working directly on the RPi,
there’s no need to run the ssh command line – just open
a Terminal window and kick off with mkdir duckdns (do
not use sudo). This will create a /duckdns folder under
your /pi user folder.
You may be more comfortable using Nano or even the
Leafpad GUI text editor rather than the vi text editor
to create the duck.sh file (eg, nano duck.sh instead of vi
duck.sh). In addition, note that you don’t have to run
the last command listed (sudo service cron start) for the
Raspbian operating system.
Provided it returned “OK” when you ran cat duck.log as instructed, your RPi will now update the DuckDNS server with your WAN IP every five minutes. What’s more, you will now be able to log into your RPi over the internet using your domain name rather than a cumbersome and easy-to-forget WAN IP address.
Connecting Via SSH & VNC
If you want to control your RPi over the internet, it’s best to log-in via SSH (secure shell). This gives a secure command line interface, provided you’ve chosen a secure user password for your RPi.
SSH is enabled by default when Raspbian is installed but can be disabled (or enabled again) using raspi-config.
You can stick with SSH’s port 22 default if you like but we recommend that you change it to something else. If port 22 is forwarded on the router, it will quickly be found and bombarded by hackers making repeated attempts to SSH their way in using brute-force methods. While Fail2Ban will quickly deal with this, changing the port number will drastically reduce the number of unauthorised log-in attempts in the first place, simply because the default SSH port is not being used.
It’s best to choose a high port number, eg, 9321, 9630 or 10101, or similar. That’s done by editing the sshd_config configuration file:
sudo nano /etc/ssh/sshd_config
Change the Port 22 line to the new port number (eg, Port 9321). Then do:
sudo service ssh restart
You can then log-in to your router and forward the port to provide SSH access into the RPi over the internet.
Mac and Linux machines both natively support SSH but a Windows PC will require the installation of an SSH client such as PuTTY. Download the putty.exe file from www.putty.org/, then right-click the file and drag a shortcut onto the desktop.
You’re now set to SSH into the RPi: launch PuTTY, enter either your host name (eg, yourhostname.duckdns.org) or your WAN IP address, then enter the port number and click the Open button. This will bring up a terminal window and it’s then just a matter of logging in with your RPi’s user name and password (see Fig.7).
From there, you can control the RPi by entering commands, just as if you were directly using the RPi’s terminal. Entering exit or Ctrl-D closes the connection and the terminal window.
Using VNC Over the Internet
Directly accessing the RPi over the internet using VNC can be a security risk since all traffic apart from the password (which is limited to just eight characters) is unencrypted. You would also have to open up port 5901 on the router and again that’s bound to attract brute-force authentication attempts.
The way around this is to tunnel the VNC connection via an SSH log-in. SSH ensures that all data is encrypted and, as a bonus, you don’t have to open up additional ports on the router.
Setting it up and connecting is a breeze:
(1) Launch PuTTY, enter in your host name (or WAN IP address) and the port number (Fig.7);
(2) Enter a session name in Saved Sessions;
(3) In the left-hand panel, expand the entries under SSH and select Tunnels.
(4) In the resulting dialog, enter 5901 in Source port and localhost:5901 in Destination, then click Add. These entries will then be loaded into Forwarded ports (Fig.8).
(5) In the left-hand pane, click Session, then click the Save button.
That’s it! – double-click the Saved Session in PuTTY (or select it and click Load, Open) and log in. You can now securely connect to the RPi’s VNC server via the SSH tunnel by launching TightVNC and entering localhost:1 in the VNC Server field (Fig.9).
How secure is it?
So how secure is the whole set-up? The answer is
about as secure as the strength of your password unless
you lock it down. Fortunately, there are a few simple
steps you can take to secure your RPi, so that
you don’t get hacked. Take a look at the accompanying
panels: “Keeping The Baddies Out” and “Connecting
Via SSH & VNC”.
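The Fail2Ban rule described in the “Keeping The Baddies Out” panel (maxretry failures inside findtime earn a ban lasting bantime, and a negative bantime bans forever) is modelled below as an added example; it is neither Fail2Ban’s own code nor part of the original article. The log lines are constructed, the findtime of 600 seconds is an assumed value, and the function names are hypothetical.

```python
import re
from datetime import datetime, timedelta

# Constructed Apache 2.4 error-log lines using documentation addresses.
# 203.0.113.5 guesses three times in eight seconds; 198.51.100.7 mistypes a
# password once, then twice more 18 minutes later.
SAMPLE_LOG = """
[Mon Feb 01 09:59:00.000000 2016] [mpm_prefork:notice] [pid 800] AH00163: Apache/2.4.10 (Raspbian) configured -- resuming normal operations
[Mon Feb 01 10:00:01.000000 2016] [auth_basic:error] [pid 811] [client 203.0.113.5:40112] AH01617: user admin: authentication failure for "/": Password Mismatch
[Mon Feb 01 10:00:04.000000 2016] [auth_basic:error] [pid 811] [client 203.0.113.5:40113] AH01618: user root not found: /
[Mon Feb 01 10:00:09.000000 2016] [auth_basic:error] [pid 811] [client 203.0.113.5:40114] AH01617: user admin: authentication failure for "/": Password Mismatch
[Mon Feb 01 10:02:00.000000 2016] [auth_basic:error] [pid 812] [client 198.51.100.7:51500] AH01617: user greg: authentication failure for "/": Password Mismatch
[Mon Feb 01 10:20:00.000000 2016] [auth_basic:error] [pid 812] [client 198.51.100.7:51544] AH01617: user greg: authentication failure for "/": Password Mismatch
[Mon Feb 01 10:21:00.000000 2016] [auth_basic:error] [pid 812] [client 198.51.100.7:51545] AH01617: user greg: authentication failure for "/": Password Mismatch
"""

# Matches basic-auth failures only: wrong password (AH01617) or unknown
# user (AH01618). Every other log line is ignored.
FAIL_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[auth_basic:error\] \[pid \d+\] "
    r"\[client (?P<ip>[0-9.]+):\d+\] AH0161[78]: "
)


def is_banned(bans, ip, when):
    """True if ip is inside its ban period at time 'when'."""
    if ip not in bans:
        return False
    start, end = bans[ip]
    return when >= start and (end is None or when < end)


def run_jail(log_text, maxretry=3, findtime=600, bantime=1800):
    """Replay a log and return {ip: (ban_start, ban_end)}.

    ban_end is None when bantime is negative (a permanent ban).
    """
    recent = {}  # ip -> failure times that are still inside findtime
    bans = {}
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if not m:
            continue
        when = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S.%f %Y")
        ip = m.group("ip")
        if is_banned(bans, ip, when):
            continue  # a firewalled client would not reach Apache at all
        window = [t for t in recent.get(ip, [])
                  if (when - t).total_seconds() <= findtime]
        window.append(when)
        if len(window) >= maxretry:
            end = None if bantime < 0 else when + timedelta(seconds=bantime)
            bans[ip] = (when, end)
            window = []  # start counting afresh once the ban expires
        recent[ip] = window
    return bans


if __name__ == "__main__":
    for ip, (start, end) in run_jail(SAMPLE_LOG).items():
        print(ip, "banned from", start, "until", end or "forever")
```

With the settings shown, only the rapid guesser is banned; the slower client never has three failures inside one findtime window.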
Fig.7: setting up a saved session in
PuTTY, the Windows SSH client. Note
that the RPi’s SSH port number was
changed from 22 (the default) to 9630.
Fig.8: here’s how to set up an SSH tunnel
in PuTTY for a VNC connection.
Fig.9: you can now connect to the RPi
via SSH, then connect via TightVNC by
entering localhost:1 for the Remote Host.
Browsing Confined To A LAN
If you’re going to be browsing to your RPi’s web-server
over your local network (LAN) only, then there’s no need
for password authentication. In that case, you can leave
out all of Step 10 and simply browse to the server using
http://<ipaddress>
Confining access to the local network also means that
there’s no need to open up the relevant port on your router.
In fact, you should leave that port closed if you don’t require
external access.