
Remote Debugging

In document Openrg Programmer Guide 5.5 LATEST (Page 39-44)

Technical Support

4.6 Remote Debugging

This section describes the setup and process of remotely connecting your Linux computer, referred to as the "remote computer", to an "assistant computer" in Jungo's lab, in order to either detect or resolve a problem that could not be identified in Jungo. There are many techniques that you can use to establish a remote connection between one computer and another, some of which are described herein. Select the one that best fits your current needs.

All techniques are based on SSH. Note that some require non-trivial software that must be downloaded from the Internet. The following figure depicts the remote connection's topology.

Figure 4.2 Remote Access Setup

4.6.1 Remote Computer Requirements

In order to efficiently assist in resolving a problem, the remote computer's minimum requirements are:

• Debian Linux

• A 2 GHz processor

• 512 KB of RAM

• Two network interfaces–one for the LAN and another for the WAN

• A serial cable for direct communication with OpenRG

Also required is a serial power relay device, enabling the remote assistant to perform a 'hard' reboot when needed. Such hardware can be evaluated and obtained using this link: http://www.pencomdesign.com/2ch_relay.htm. For more information, refer to Section 4.6.4.

You must also verify that the SSH server is configured to allow incoming requests, and that a TFTP server is running in order to allow image modifications on the board. This can be done by typing:

netstat -l | grep -i ssh

You can type the same for a TFTP server. Depending on your Linux distribution, you can either use 'chkconfig', or manually update your /etc/init.d/ directory, so that the servers are activated during startup.

4.6.2 Secure Shell (SSH)

SSH is one of the best remote login client-server utilities, and it is supplied with all Linux distributions. SSH can be used for a terminal console session just like Telnet, and can be configured to transfer X-Windows applications as well. You can remotely connect to a computer and watch an application running on the machine, but not the entire desktop. The remote assistant will use VNC (Virtual Network Computing) tunneling over SSH, to ensure that remote access to your computer is secured.

Install 'x11vnc server' (http://www.karlrunge.com/x11vnc/) to allow remote access to your computer. In order to allow tunneling through SSH, you must add a new user to your computer that will have the permissions you want for a remote user. The remote assistant will connect to your computer using 'vncviewer' through SSH. This connection is safe for several reasons:

• Your computer is password protected for privileged users only through SSH.

• All access to your desktop is done using VNC tunneling through SSH. This means that Jungo is only accessing port 22 on your computer, and not the unprotected port 5900 that VNC uses. It is recommended that you block all incoming traffic except traffic to port 22.

• Using x11vnc, it is possible to allow connections only from localhost, and set up passwords for VNC connections. Refer to 'man x11vnc' for more details.

In order to limit the remote assistant to port 22 on your machine, refer to Section 4.6.5, which provides a script that blocks all traffic unless its destination port is 22. To summarize, it is required that you have x11vnc installed on your computer, and have an SSH server running. It is recommended to block all incoming traffic, excluding traffic destined for port 22.
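As an added example (not part of the original guide), the following shell function audits `netstat -ltn` output for the two conditions this section relies on: an SSH listener on port 22, and no VNC listener reachable from outside localhost. The function name, the 5900-5999 VNC display range and the sample lines are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the guide): audit `netstat -ltn` output for the
# exposure this section warns about.

# Reads `netstat -ltn` lines on stdin. Exit status 0 = OK, 1 = a FAIL was found.
audit_listeners() {
    awk '
    $6 == "LISTEN" {
        n = split($4, part, ":")          # last ":"-separated piece is the port
        port = part[n] + 0
        addr = substr($4, 1, length($4) - length(part[n]) - 1)
        loopback = (addr ~ /^127\./ || addr == "::1")
        if (port == 22) sshd = 1
        # VNC display :N listens on 5900+N (range is an assumption of this check)
        if (port >= 5900 && port <= 5999 && !loopback) {
            print "FAIL vnc-exposed " $4; bad = 1
        } else if (port != 22 && !loopback) {
            print "WARN extra-listener " $4
        }
    }
    END {
        if (!sshd) { print "FAIL no-sshd-on-22"; bad = 1 }
        exit bad + 0
    }'
}

# Constructed sample: x11vnc started without -localhost, so 5900 is on 0.0.0.0.
SAMPLE='tcp        0      0 0.0.0.0:22        0.0.0.0:*     LISTEN
tcp        0      0 0.0.0.0:5900      0.0.0.0:*     LISTEN
tcp        0      0 127.0.0.1:631     0.0.0.0:*     LISTEN'

printf '%s\n' "$SAMPLE" | audit_listeners || true
```

On the remote computer, run `netstat -ltn | audit_listeners`; a non-zero exit status means a FAIL line was printed.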

4.6.3 Using DNS and a Redirection Service

This section describes how to map a static/dynamic IP address or a long URL to an easy-to-remember subdomain, in order to have your host remotely accessed without giving away its IP address. The following example describes the service provided by http://www.no-ip.com, but any other service provider can be used. Perform the following:

1. Browse to http://www.no-ip.com.

2. Go to "Sign Up" and complete the registration form, and activate your account by clicking the URL that was sent to you by email.

3. Go to the "Downloads" section. Download and install the DUC client.

4. Install and run your client.

5. At this point you must add a host name. Follow the software link to do so.

6. Click refresh and check your new host.

Your computer now has a permanent name as long as the DUC client is activated and your host name is checked. Your computer should be accessible now via that host name. Note that you can configure the DUC client to be a system service or to set it up to run during startup.

4.6.4 Setting Up a Serial Power Relay Device

A serial power relay device that connects to OpenRG and to your computer enables power management commands (i.e. turn on/off) via the CLI terminal. Several devices can be purchased according to your needs. 1-channel, 2-channel and 8-channel devices are currently available from Pencom Design (http://www.pencomdesign.com). Each channel can control a single OpenRG board. The relay device should connect to your wall power outlet and to OpenRG in the following topology:

Figure 4.3 Power Relay Device Connection

The numbered connections in this figure are as follows:

1. This is the power source for the relay board. It uses a regular 9v adapter that comes with your relay board.

2. This is a regular RS232 connection to your computer terminal. It enables the PC to control the power relay, thus enabling a 'hard reset' on your board remotely.

3. There are two outlets connected to the exact same location on the relay board. One of them is connected to a 'live' power source, and the other is a 'dummy' connected to your OpenRG board.

4. The 'dummy' outlet is not connected to a live power source, but to an outlet that is controlled by the relay board.

By issuing a command through the terminal, you close a circuit between the 'live' outlet and the 'dummy' outlet. Note that this connection is not trivial. You must open the relay board box and connect both outlets to the same connection. For more details, refer to the Pencom Design documentation, located at: http://www.pencomdesign.com/files/8ch_relay_manual.pdf.

As previously mentioned, there are several relay boards available. The scenario described above is general, and is not detailed enough for proper activation of your board using the relay remotely. There are specific jumper configurations that should be taken into consideration when connecting the relay boards. Each board has a different jumper set, depending on its number of channels. Contact your power relay board manufacturer for the full configuration schemes and for more information.

4.6.5 Protecting the Remote Computer

Copy and paste the following script, save it (for example, as allow_ssh.sh) and make sure its permissions are set to 'executable'. Then run it.

#^^^^^^^^^^^^^^^^^^^SCRIPT STARTS HERE^^^^^^^^^^^^^^^^^^^^^^^
#!/bin/sh
# This script is used to enable your computer with incoming traffic through
# port 22 only, to allow remote SSH sessions.
# This ensures your computer stays safe allowing access only to users that
# you have approved.
#
# Arguments:
# $SERVER_IP - your WAN server IP address.

# My system IP/set IP address of server
SERVER_IP="X.X.X.X"

# Flushing all rules
iptables -F
iptables -X

# Setting default filter policy
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

# Allowing unlimited traffic on loopback
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Allowing incoming ssh only
iptables -A INPUT -p tcp -s 0/0 -d "$SERVER_IP" --sport 513:65535 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -s "$SERVER_IP" -d 0/0 --sport 22 --dport 513:65535 -m state --state ESTABLISHED -j ACCEPT

# Ensuring nothing comes or goes out of this box
iptables -A INPUT -j DROP
iptables -A OUTPUT -j DROP

# Use this to return to a normal state
# iptables -X
# iptables -F
# iptables -P INPUT ACCEPT
# iptables -P OUTPUT ACCEPT
# iptables -P FORWARD ACCEPT
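An added check, not part of the original guide: after running the script, the output of `iptables -S` can be compared against the state the script is meant to produce (DROP policy on all three chains, inbound ACCEPT only for loopback and destination port 22). The function name and the sample rules, including the placeholder address, are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the guide): check `iptables -S` output against the
# state the SSH-only script is meant to leave behind.

# Reads `iptables -S` lines on stdin. Exit status 0 = matches, 1 = deviation.
check_ruleset() {
    awk '
    $1 == "-P" { policy[$2] = $3 }
    $1 == "-A" && $2 == "INPUT" {
        accept = 0; lo = 0; ssh = 0
        for (i = 3; i < NF; i++) {
            if ($i == "-j" && $(i + 1) == "ACCEPT")  accept = 1
            if ($i == "-i" && $(i + 1) == "lo")      lo = 1
            if ($i == "--dport" && $(i + 1) == "22") ssh = 1
        }
        if (accept && ssh) have_ssh = 1
        if (accept && !lo && !ssh) { print "FAIL unexpected-accept " $0; bad = 1 }
    }
    END {
        n = split("INPUT OUTPUT FORWARD", chain, " ")
        for (i = 1; i <= n; i++) {
            p = (chain[i] in policy) ? policy[chain[i]] : "unset"
            if (p != "DROP") { print "FAIL policy " chain[i] " " p; bad = 1 }
        }
        if (!have_ssh) { print "FAIL no-ssh-accept"; bad = 1 }
        exit bad + 0
    }'
}

# Constructed sample: the "return to a normal state" commands were run, so the
# INPUT and OUTPUT policies are ACCEPT again (192.0.2.10 is a placeholder).
SAMPLE='-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -d 192.0.2.10/32 -p tcp -m tcp --dport 22 -j ACCEPT'

printf '%s\n' "$SAMPLE" | check_ruleset || true
```

Run it as root with `iptables -S | check_ruleset`; any FAIL line means the firewall is not in the SSH-only state.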

4.7 Feedback

Jungo's support team is constantly looking to improve the service we provide. Better service equals customer satisfaction. We urge you to send us your feedback, either by e-mail or phone, in order to convey the points where we can improve our service to you. For our contact information, refer to Chapter 47.
