Open Source Music on Hold

I have been working on a new project for work that I thought I would share with you. At work our Music on Hold devices (the things that provide music when you are put on hold) have been going faulty regularly. The device we currently use is a Fortune 2000 MOH from Rocom. It retails for about £260. If you are considering one of these devices, please read on.

Faulty by Design
The Rocom devices seem to last about 12-18 months before going faulty. I suspect that it's the flash cartridge, but being a proprietary design means it's not easily replaceable.

Ideally the device will have no moving parts; we did away with the original devices (which were literally CD players) because they were unreliable and not remotely manageable.

All we really need it to do is

  • play music on a loop
  • automatically start after a power interruption
  • be remotely manageable

Open source
The continued failure of device after device (we have about 70 of them across EMEA) got me thinking: there must be a better way. I looked at Shuttle PCs but they failed the moving parts criterion (well, there are ways, but it didn't seem a good fit). Then my mind went to a very small fanless PC that I bought a couple of years back from Aleutia. So I took a look at the website to see if it was viable. The original device has now become the Aleutia T1.

The original device ran Puppy Linux, but all the current ones run Ubuntu. Great, so the device is small, fanless, runs a very good open source operating system, and has a network port. So far so good.

Next I needed to work out if it would automatically start after a power outage. I dropped a quick email to the guys at Aleutia to see if this was possible and they very quickly responded to confirm that there is a BIOS setting for exactly this requirement. The final part was playing music on a loop. I was expecting it to be quite easy to achieve and I wasn't wrong.

The method of music playback I have gone for is MPD (Music Player Daemon), which is easily installable (it's in the Ubuntu repos). I quickly installed MPD and uploaded an MP3 to the music folder. Finally I added the MP3 to the playlist and set it to repeat, and I was in business. Within 30 minutes of unpacking the T1 I had it playing back music.

I shut down the T1 and removed the power adaptor to test its ability to power on automatically. No sooner had I applied the power than the device booted up; once it had booted, MPD started playing the music – WIN

Final Steps
Now that I had a working device up and running, I needed to think about how it would be supported within our company. I guess other people wouldn't be happy with SSHing into it to control it (which is really very simple actually). What I needed was a front end. Needless to say there are many front ends written for MPD. I went with a very simple web front end called MPDPlayer – it's one of the many open source front ends listed on the wiki.

I've done a little customisation of this and added a file upload button so that the whole process can be managed from the web interface.

Test Test Test
I'm now in the process of testing and I do seem to have come across a bug where playback stops after a number of days. I could just schedule a reboot of the device every night, but I would prefer this to be a last resort. The MPD forums have given me some info on how to debug MPD, so I shall pursue that.

So what's the catch? Well, there doesn't seem to be one; plus this solution comes in nearly £100 cheaper than a Rocom and comes with a three year warranty rather than Rocom's 12 month one. Finally, as it uses a standard compact flash card, if it does go faulty we can very easily replace it.

Overall I'm really pleased with how easy it has been to “scratch my own itch” using existing open source projects. I intend to contribute my file upload button back to the MPDPlayer guys in the true Open Source fashion. I'm also hoping that this experience will open my company's mind to using more open source solutions in future.

As ever I welcome your comments


Wave Goodbye to Email

For some time now I have been of the opinion that email is broken. It worked at the time, but now over 90% of email traversing the internet is spam. Sure, there are pretty good anti-spam and anti-virus systems, but I honestly think we are just postponing the inevitable. I have had this conversation with friends many times and mostly they disagree, but I honestly think we need something to replace email.

Google Wave

I've just watched the 80-minute talk about Google's Wave and I think they really could be onto something. It combines rich interaction with very social features and it's kind of an opt-in model, like Facebook or Twitter, where you have to add people to your system. This means no unsolicited waves.

They have been working on this for two years and it looks really good. Don't take my word for it, go and check out the video here.

Finally, and I have saved the best until last, they will be releasing it as open source so that you can set up your own Wave platform, and it has federation built right in so that it will interoperate with other Wave platforms brilliantly.

Let's hope this finally kills off email – it had a good innings but it's time for it to go now.


Securing Remote Admin

Once you start running or administering your own server, live on the internet, you really need to think about securing access to it. In this post I'm going to look at the different ways that you can achieve this and the pros and cons of each.

First, let's think about what it is that we are trying to prevent and what we are not trying to prevent. For this discussion I'm going to assume the server we are running is a simple web server hosting a blog. We want the world to be able to view our blog, but not to be able to log on to the server and perform admin tasks.

We will assume that the web server listens on the standard web ports of 80 and 443, that it connects to a MySQL server on the same box (listening on 3306), and that we administer the box via SSH, again on the standard port, 22.

First, let's take care of the low-hanging fruit. MySQL will, by default, bind to the server's live IP address and so expose port 3306 to the world. (By default it won't allow remote logins, but it is still an exposed port that we don't need exposed: anyone on the internet can reach the daemon's authentication code and any pre-authentication bug in it.) Open the MySQL config file (/etc/my.cnf, or /etc/mysql/my.cnf on Debian and Ubuntu), add the line “bind-address=127.0.0.1” in the [mysqld] section, and restart the service to make it bind to the loopback instead. Confirm with netstat or ss that 3306 now shows only against 127.0.0.1. (We will assume that you did this before you set up your blog software, and so the blog software was configured to connect to 127.0.0.1 as well.)

Good, so that's one port now taken care of. This just leaves the web ports (80 and 443) and SSH (port 22) open to the world.

The next thing we need to decide is just exactly how secure we want to be – remember there is an inverse relationship between ease of use and strong security; it's always a trade-off.

Relaxed Approach
We may decide that this is only our blog, that we have a regular off-site backup of the database, and so we aren't really too concerned about security. If this is the case we could probably stop right here, making sure that we

  • use a strong root password (and a strong password for any other account that can log in over SSH)
  • keep the web server up to date with the latest patches
  • keep the blog software up to date with the latest patches

Pros – very little work to set up. Can admin from anywhere; doesn't require additional software (SSH keys).
Cons – you are exposing port 22 to the world and could potentially be at risk from a zero-day attack or someone just guessing/brute-forcing your password.

Restricting Access
We may decide that doing a little more to secure remote access is a worthy investment, but we don't want to go crazy. Here are some of the things we could do.

Limited range of IPs allowed – Use a firewall (iptables, typically) to only allow a few IP addresses access to port 22. This assumes you will always connect from one of these IPs and never need to admin the box from anywhere else. When you load the rules over SSH, schedule a flush of them a few minutes ahead (with at or a backgrounded sleep) and cancel it only once you have confirmed you can still get in; a typo in the allowed address otherwise locks you out of your own server.
Automated, proactive blocking of rogue IPs – If we need to make sure that we can admin the box from anywhere (let's say we travel a lot and don't want to limit access down to a few IPs) we could use tools that watch for, and react to, brute-force password attempts.

The two programs I would recommend here are Fail2ban, which watches your logs and, if it sees a certain number of failed password attempts from one address within a set period, adds a firewall rule to block the source IP, and DenyHosts, which does a similar job but instead of adding a firewall rule adds the source IP to /etc/hosts.deny (this relies on sshd honouring TCP Wrappers, which the common distribution builds do). The nice thing about DenyHosts is that it gives you the ability to sync your entries with other people's. Let's face it, if someone is brute-forcing your box, they are almost certainly doing it to someone else's as well. There is nothing stopping you using both Fail2ban and DenyHosts at the same time for a belt-and-braces approach.

Pros – this is much more secure; you have heavily restricted the number of users pounding on your box, while keeping the ability to admin the box yourself.
Cons – takes a little more work to set up, and you could potentially lock your own IP address out if you are not careful. Both tools let you list addresses that must never be blocked (Fail2ban's ignoreip setting, DenyHosts' allowed-hosts file); put the addresses you usually connect from in there before you enable them.
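To make the Fail2ban behaviour concrete, here is an added example (my own code, not Fail2ban's or DenyHosts') that applies the same rule to a handful of constructed auth.log lines: count failed-password attempts per source address inside a sliding time window and, when the count reaches the threshold, emit an iptables rule for that address. The threshold, window and ignore list play the roles of Fail2ban's maxretry, findtime and ignoreip settings; the hostnames, addresses and log lines are made up.

```python
"""Fail2ban-style detection of SSH password brute forcing.

Added example, not Fail2ban's or DenyHosts' own code. The auth.log lines
are constructed (addresses from the documentation ranges). syslog lines
carry no year, so timestamps are parsed with a nominal year and only
compared with each other.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

SAMPLE_AUTH_LOG = """\
Jun  1 10:00:01 blog sshd[2201]: Failed password for root from 198.51.100.7 port 40210 ssh2
Jun  1 10:00:03 blog sshd[2201]: Failed password for root from 198.51.100.7 port 40211 ssh2
Jun  1 10:00:05 blog sshd[2202]: Failed password for invalid user admin from 198.51.100.7 port 40212 ssh2
Jun  1 10:00:09 blog sshd[2203]: Failed password for invalid user oracle from 198.51.100.7 port 40215 ssh2
Jun  1 10:00:12 blog sshd[2204]: Failed password for root from 198.51.100.7 port 40218 ssh2
Jun  1 10:01:30 blog sshd[2210]: Failed password for osg from 203.0.113.5 port 51000 ssh2
Jun  1 10:01:40 blog sshd[2210]: Accepted publickey for osg from 203.0.113.5 port 51000 ssh2
Jun  1 10:20:00 blog sshd[2230]: Failed password for root from 192.0.2.44 port 33001 ssh2
Jun  1 10:21:00 blog sshd[2231]: Failed password for root from 192.0.2.44 port 33002 ssh2
Jun  1 10:22:00 blog sshd[2232]: Failed password for root from 192.0.2.44 port 33003 ssh2
Jun  1 10:59:00 blog sshd[2240]: Failed password for root from 192.0.2.44 port 33004 ssh2
Jun  1 11:30:00 blog sshd[2250]: Failed password for root from 192.0.2.44 port 33005 ssh2
"""

# Matches the "Failed password" line sshd writes for both real and invalid users.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>\S+) port \d+"
)


def failed_logins(log_text):
    """Yield (timestamp, source_ip) for each failed password attempt in the log."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            yield datetime.strptime(m.group("ts"), "%b %d %H:%M:%S"), m.group("ip")


def ban_candidates(log_text, maxretry=5, findtime=600, ignoreip=()):
    """Return the addresses that reached `maxretry` failures inside any
    `findtime`-second window, in the order they crossed the threshold.

    Addresses in `ignoreip` are never returned: list your own there so the
    reactive blocking cannot lock you out of your own box."""
    recent = defaultdict(deque)   # ip -> failure timestamps still inside the window
    banned = []
    for ts, ip in failed_logins(log_text):
        if ip in ignoreip or ip in banned:
            continue
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()          # slide the window forward
        if len(window) >= maxretry:
            banned.append(ip)
    return banned


def block_rules(ips, port=22):
    """The iptables commands that would drop new SSH connections from each address."""
    return [f"iptables -I INPUT -s {ip} -p tcp --dport {port} -j DROP" for ip in ips]


if __name__ == "__main__":
    # 198.51.100.7 hammers five times in 11 seconds and is blocked; 192.0.2.44
    # spreads its attempts out and stays under the default window; the
    # ignored address is the admin's own.
    for rule in block_rules(ban_candidates(SAMPLE_AUTH_LOG, ignoreip={"203.0.113.5"})):
        print(rule)
```

The slow attacker in the sample shows the trade-off in findtime: with the default ten-minute window it is never blocked, with a two-hour window it is. Fail2ban's real filter also understands the other failure messages sshd writes (invalid user without a password attempt, too many authentication failures), so treat this as the core of the logic rather than a replacement for the tool.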

Higher Security Approach
So we have decided that the security of our box is very important and we are going to put extra effort into securing it.

Limit to SSH keys only – we can disable the ability to log on using a username and password full stop, limiting it to SSH keys only (in sshd_config that is PasswordAuthentication no, plus ChallengeResponseAuthentication no so that PAM cannot prompt for a password through the keyboard-interactive back door). This means that even though the port may be open to the world, it's immune to password brute-forcing. Put your public key in ~/.ssh/authorized_keys and confirm a key login works from a second session before you close the one you are editing from. You could combine this with the “Restricting Access” approach if you want to go the extra step.

Pros – you have eliminated the attacker's ability to brute-force/guess your password, drastically reducing your exposure to a breach.
Cons – requires that you have the corresponding SSH private key with you when you need to access your server, and that key needs a passphrase of its own, since whoever holds it holds your access.
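The settings above are easy to get subtly wrong, because sshd takes the first value it sees for a keyword, ignores commented-out lines, and falls back to compiled-in defaults for anything missing. The following added example (mine, not part of OpenSSH) parses an sshd_config the way sshd does and reports every setting that would still let a password through. The two configs it checks are constructed: the "weak" one looks hardened at a glance but has the PasswordAuthentication line commented out.

```python
"""Audit an sshd_config for the key-only settings described in the post.

Added example, not part of OpenSSH. The two configs below are constructed.
sshd semantics that matter here: keywords are case-insensitive, the FIRST
value given for a keyword wins, anything after a `Match` line is
conditional, and a keyword that never appears takes its default.
"""

WEAK_CONFIG = """\
# looks hardened at a glance, but passwords are still accepted
Port 22
PermitRootLogin yes
#PasswordAuthentication no
UsePAM yes
"""

HARDENED_CONFIG = """\
Port 22
PermitRootLogin prohibit-password
PubkeyAuthentication yes
PasswordAuthentication no
# PAM keyboard-interactive can still prompt for a password unless this is off
ChallengeResponseAuthentication no
KbdInteractiveAuthentication no
UsePAM yes
"""

# keyword -> (accepted values, value assumed when the keyword is absent).
# PermitRootLogin defaulted to "yes" on older OpenSSH releases; the audit
# assumes that worse case when the line is missing.
CHECKS = {
    "passwordauthentication": ({"no"}, "yes"),
    "pubkeyauthentication": ({"yes"}, "yes"),
    "permitrootlogin": ({"no", "prohibit-password", "without-password"}, "yes"),
}


def parse_sshd_config(text):
    """Return {lowercased keyword: first value}, skipping comments and Match blocks."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break                        # everything after Match is conditional
        settings.setdefault(key, value)  # first occurrence wins, as in sshd
    return settings


def audit_sshd_config(text):
    """Return {keyword: problem} for each setting that still allows a password login."""
    cfg = parse_sshd_config(text)
    problems = {}
    for key, (accepted, default) in CHECKS.items():
        value = cfg.get(key, default)
        if value.lower() not in accepted:
            problems[key] = f"is {value!r}, expected one of {sorted(accepted)}"
    # Either spelling of the keyboard-interactive switch must be off; newer
    # releases renamed ChallengeResponseAuthentication to KbdInteractiveAuthentication.
    kbd = cfg.get("kbdinteractiveauthentication",
                  cfg.get("challengeresponseauthentication", "yes"))
    if kbd.lower() != "no":
        problems["challengeresponseauthentication"] = f"is {kbd!r}, expected 'no'"
    return problems


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_sshd_config(cfg) or "OK")
```

Run sshd -t after editing to catch syntax errors before the restart, and keep your existing session open until a fresh key-based login has succeeded.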

Paranoid Approach
No matter what, you just aren't comfortable with the admin port being visible; you want to retain the ability to remotely admin the box, but you don't even want people to be able to see or connect to the admin port. Sound impossible? Not so; we can use one of these two methods to make this happen.

First off is Port Knocking. This means that port 22 is totally firewalled off until the box receives a certain sequence of packets to a predefined set of ports – so maybe the sequence is tcp/6880, udp/3399, tcp/8881. If the box receives these packets in this sequence (a daemon such as knockd watches for them) then it will open port 22 to the source address for a limited time, at which point you connect.

The downside of this for the ultra-paranoid is that if someone sniffs the network at the same time that you send the sequence, they know your sequence and can replay it to open port 22 for themselves; the knock carries no secret beyond the port numbers. This is where the second approach comes in – SPA.

SPA, or Single Packet Authorization, evolved from port knocking. It addresses the weaknesses (capture and replay) and adds some functionality. In a nutshell you send a single packet to your server with an encrypted payload that describes what you want to do. So for example you may say that you want to enable port 22 on server x and port 2222 on server y – this request is encrypted and sent to the server. The server receives the SPA packet and, if you have used the correct key to encrypt it, decrypts the contents and acts on them. It is immune to a replay attack because the encrypted payload carries a timestamp and random data, and the server keeps a cache of the digests of packets it has already accepted, so a captured packet is refused if it is sent again. I really like this approach and use it to gain access to my home network.

The software I use to do this is called fwknop and more information can be found here
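To show why the second approach survives the sniff-and-replay that defeats port knocking, here is an added example of the exchange (my own code, not fwknop's): the client builds one message carrying a timestamp, a random nonce and the request, and the server accepts it only if the authentication tag verifies, the timestamp is fresh, and the packet's digest has not been seen before. It is deliberately simplified: the real fwknop packet is encrypted (with Rijndael or GPG) and sent over UDP, whereas here it is only HMAC-authenticated and passed in-process so it runs with the Python standard library alone. The key, addresses and the digest-cache behaviour as written are assumptions of the example.

```python
"""Toy Single Packet Authorization exchange showing the replay defence.

Added example, not fwknop's code. The packet is HMAC-authenticated rather
than encrypted (fwknop encrypts it) and handed to the server in-process
rather than over UDP. Key and addresses are made up.
"""
import hashlib
import hmac
import json
import os
import time

TAG_LEN = hashlib.sha256().digest_size   # 32-byte tag appended to every packet


def build_spa(key, source_ip, port, now=None, nonce=None):
    """Client side: serialise the request and append an HMAC over it."""
    body = {
        "ts": int(time.time() if now is None else now),
        "nonce": (os.urandom(16) if nonce is None else nonce).hex(),
        "src": source_ip,
        "open": port,
    }
    payload = json.dumps(body, sort_keys=True).encode()
    return payload + hmac.new(key, payload, hashlib.sha256).digest()


class SpaServer:
    """Server side: what a daemon like fwknopd decides before touching the firewall."""

    def __init__(self, key, max_age=120):
        self.key = key
        self.max_age = max_age   # seconds a packet stays valid
        self.seen = set()        # digests of accepted packets (fwknop keeps a digest cache)
        self.opened = []         # (source_ip, port) pairs the firewall would be told to allow

    def handle(self, packet, now=None):
        now = time.time() if now is None else now
        payload, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
        expected = hmac.new(self.key, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return "rejected: bad authentication"
        digest = hashlib.sha256(packet).hexdigest()
        if digest in self.seen:
            return "rejected: replay"          # the sniffed-and-resent case
        body = json.loads(payload)
        if abs(now - body["ts"]) > self.max_age:
            return "rejected: stale"           # too old to be the client's live request
        self.seen.add(digest)
        self.opened.append((body["src"], body["open"]))
        return f"accepted: allow tcp/{body['open']} from {body['src']}"


def demo(key=b"example-shared-key"):
    """A fresh packet, the same packet replayed, and an old one; returns the verdicts."""
    server = SpaServer(key)
    packet = build_spa(key, "203.0.113.5", 22, now=1_000_000, nonce=b"\x01" * 16)
    first = server.handle(packet, now=1_000_010)
    replay = server.handle(packet, now=1_000_020)
    old = build_spa(key, "203.0.113.5", 22, now=1_000_000, nonce=b"\x02" * 16)
    stale = server.handle(old, now=1_000_500)
    return first, replay, stale


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The freshness window bounds how long the digest cache has to remember a packet, and the nonce stops two identical requests in the same second from colliding. Note what SPA does and does not protect: the key is symmetric, so anyone who can read the server's access configuration can forge packets; it hides the port, it does not replace the SSH authentication behind it.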

Pros – the admin port is invisible to port scanners and the packet that opens it is authenticated and cannot be replayed; short of disconnecting the box and burying it in a bunker, this is about as far as hiding the port goes. What still matters is the SPA key on your client and the SSH authentication behind the port.
Cons – you need to have the client software installed (and the key with you) on the machine you want to admin from, in order to send the SPA packet.

If you feel I have missed anything off, made mistakes, or just want to let me know about your methods of securing remote access – please use the comments box to give me your feedback.


Next we should probably think about installing a HIDS, but I will save that for a future post.

Open Source Disk Imaging

Disk imaging is used extensively within the IT departments of most companies. It enables them to quickly build desktops and laptops to a repeatable standard, and to back up critical devices in order to recover quickly from a hard disk failure. In the past this has required some fairly expensive and proprietary software. These images are generally stored on a server, but engineers can, and regularly do, carry a handful of them around with them.

The individual components required to do this with open source software do exist, but until recently no one seems to have tied them together with a nice web-based front end. Enter FOG – a free, open source computer cloning system, which does exactly that. FOG is a Linux-based server that lets you back up and restore disk images for desktops, laptops and servers without the need to even carry a boot floppy/CD, as it uses PXE to boot from the network.

If setting this up sounds complicated, they do provide a VMware virtual appliance for you to download and use for your initial testing – however, due to the large storage and I/O demands, the VMware appliance isn't recommended for large-scale production environments.

My initial tests are very encouraging, and so if disk imaging is something that you are interested in, I wholeheartedly recommend checking this project out – kudos to Chuck Syperski and Jian Zhang for creating this.


Privacy through Add-ons – LeetKey

While at work the other day, I wanted to send a friend an email but I didn't want it going through the corporate systems. It used to be that just using webmail was generally enough to give you this protection (using corporate email is obviously out of the question), but in these days of increasing surveillance and paranoia over data leakage I know that every packet is being inspected at the gateway for certain text patterns.

I could have used a webmail provider that allows HTTPS connections, I guess, such as Gmail (and been sure to check the certificate), but I wanted more than that.

Now there are plenty of solutions if you are happy installing some encryption software on your computer, but I wanted something that wouldn't alert people who were looking at my add/remove programs list. For example I could use FireGPG, but that needs you to have GPG installed and have copies of your public and private keys. Freenigma (under new ownership, BTW) is similar in that it requires public/private keys to have been set up in advance and didn't quite fit what I needed.

Some may suggest Hushmail, but things like this are nearly always blocked at the proxy when you work at a large company.

All I wanted to be able to do was a little quick (and strong) symmetric encryption and simply text the password to my friend. I briefly considered coding something, but that is way beyond my skill level, and I realised that if I wanted it then surely I'm not the only one who did. I continued my search and eventually found the solution in a not particularly obvious Firefox add-on – LeetKey.

LeetKey lets you select some text on a web page and convert it into (and back from) leet speak, but it doesn't end there. You can also do other conversions/transforms with it, such as Morse code, Base64 etc. It also lets you do 128-bit AES encryption and decryption! Fantastic, that is exactly what I was looking for. So now I can have nothing more than a Firefox add-on and I can send private emails to people on the fly. Bear in mind that the protection is only as strong as the password and the channel you share it over: anyone who captures the ciphertext can try dictionary words against it offline, so for anything that matters use a long, random passphrase.

Why not install it and use the AES Decrypt function with the password monkey to decrypt the following text


Have Fun, OSG