NEW Version of Travelin Man - cheap cloud server as gateway

DadinVa

Want to simplify how the user gets added to the PBX computer's list of approved IP addresses and at the same time increase the security? Then put a man in the middle. The idea is to have a cheap, stripped down computer that determines the IP address of the user and then relays the IP address along with two items typed in by the user (user ID and a 6 digit Time based One Time Password - TOTP) to the PBX server. The PBX server verifies the userid and password and then adds the IP address to the list of approved IP addresses. Within a couple of minutes, the user will be sent an email confirming that the IP address they are using has been whitelisted and remote access is now enabled.

With the very inexpensive cloud hosting services and Raspberry Pis available these days you can easily afford to create a web site that only does one thing - it displays a web page where a user can enter their ID and a TOTP password (a time based one time password which can be generated using any one of the free apps available for computers, tablets, and cell phones). As previously mentioned, the user's current IP address is determined by the server and the IP address, userid and password are then relayed to the PBX server. So there is no need to store information in the cloud except for the IP address of the PBX server. To help prevent attacks, in the attached program I do store the number of failed attempts for each user and for each IP address. For each failed attempt the connection from the relay server to the PBX server is delayed by an additional second. Since there are 1,000,000 possible passwords and each password is only valid for 1.5 minutes, a second delay for each failed attempt should prevent all attacks since only 12 passwords can be tried before a password is invalid.

On the PBX server you run one additional service which monitors port 5559. This port is only opened up to the relay server in the cloud, no other IP addresses. The incoming userid is used to look up the user's account number and base32 seed password. This seed is then used to generate the TOTP one time password. If the calculated password matches the password entered by the user, the IP address is stored and I let TM4 scripts then handle the rest. Also, an SSL connection is used between the relay server in the cloud and the PBX server. Both the client and server certificates must match for the SSL connection to be allowed.

On the user's cell phone you have to install a browser program such as Chrome, and a TOTP password generator. One free option is FreeOTP which is available on both Android and iOS devices.


The steps required are:

On PBX server
1. Download to the PBX server the programs to generate base32 password seeds and monitor port 5559
2. Create an admin password to prevent unauthorized use of the password program
3. Generate client and server certificates with the provided script
4. Open port 5559 to the IP address of your relay server in the cloud
5. On your router forward port 5559 to the PBX service
6. Start the PBX server monitoring service called allow_entry
7. Install Travelin Man 4 (TM4)

On cloud host relay server
1. Install Apache
2. Download to the cloud server the relay program and web page
3. Copy the server and client certificates from the PBX server to the cloud relay server
4. Allow your IP address and then block all other IP addresses to all ports except ports 80 and 443
5. Start Apache

On user's cell phone
1. Install a TOTP one time password generator such as FreeOTP.
2. On the PBX server generate a base32 seed password and put it in the TOTP app. To do this with FreeOTP, open it and press the symbol key "+". Then on the first line, in the email entry, enter the userid used to generate a password on the Asterisk machine. On the next line press the space bar. On the third line, for secret, enter the number you generated on the Asterisk machine. Leave type as TOTP and leave DIGITS as 6, also leave algorithm as SHA1 and leave interval as 30. Now press add. On the new screen touch the entry with the userid you just entered. The symbol shows you how long until the one time password is invalid and the number shown is the one time password you need to enter into the web site. Currently the one time password is valid for 90 seconds. For security the same password cannot be immediately reused.
3. Add the cloud server as a favorite in the browser on the user's cell phone

Longer term I am hoping to create a simple app for the phone which will connect with the relay server and transmit the userid and TOTP password. Included in the zip file already is a relay program which will monitor port 5560 on the cloud server and pass the information on to the PBX server. I also have included Python and Java versions of the program to run on the user's machine.
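As an added illustration (not code from the post's attached zip), here is a minimal Python verifier for the check the PBX-side service is described as doing: 6-digit SHA1 TOTP at a 30-second interval, accepted across a 90-second window, a code that already succeeded never accepted again, and a per-account failure count the caller can turn into the one-second-per-failure delay. The `totp`/`Account` names are my own, and the seed in the usage is the RFC 6238 test secret, not a real one.

```python
import base64
import hashlib
import hmac
import struct
import time

# Parameters from the post: 6 digits, SHA1, 30-second interval. SKEW=1 means
# the current step plus one step either side is accepted, i.e. 90 seconds.
DIGITS, STEP, SKEW = 6, 30, 1


def totp(seed_b32: str, counter: int) -> str:
    """RFC 4226/6238 code for one time-step counter from a base32 seed."""
    padded = seed_b32.upper() + "=" * (-len(seed_b32) % 8)
    key = base64.b32decode(padded)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    off = mac[-1] & 0x0F                      # dynamic truncation offset
    code = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


class Account:
    """Hypothetical per-user state the PBX-side service would keep."""

    def __init__(self, seed_b32: str):
        self.seed = seed_b32
        self.last_counter = -1   # highest step already accepted (no reuse)
        self.failures = 0        # drives the one-second-per-failure delay

    def verify(self, code: str, now: float) -> bool:
        cur = int(now // STEP)
        for c in range(cur - SKEW, cur + SKEW + 1):
            # Only steps newer than the last accepted one count, so the same
            # code (or an older one) cannot be replayed.
            if c > self.last_counter and hmac.compare_digest(totp(self.seed, c), code):
                self.last_counter = c
                self.failures = 0
                return True
        self.failures += 1
        return False

    def delay_seconds(self) -> int:
        """Seconds the relay connection should be held back, per the post."""
        return self.failures


if __name__ == "__main__":
    # RFC 6238 test secret ("12345678901234567890" in base32), constructed input.
    acct = Account("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    print(totp(acct.seed, int(time.time() // STEP)), acct.verify("000000", time.time()))
```

Before retrying a connection the caller would `time.sleep(acct.delay_seconds())`; the class only tracks the count.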