LINBPQ Configuration
Some of this is subject to change, but as of writing, works on a single node, assuming that the appropriate telnet port is forwarded to the Pi running the service.
See the to-do at the bottom for what’s still to be done.
Dedicated user
Since we’re exposing our device (and effectively our home network) to the internet, we want to lock down things as much has possible.
Most examples of services being run on a Pi won’t be taking security into consideration, typically running services as the built-in pi or root users. We don’t want to do this, keeping security risks at a minimum.
We’ll create a dedicated system user to run LINBPQ, this account won’t have root privileges.
adduser --system --no-create-home bpquser
Here we’re creating the user bpquser, specifying that it’s a system account and that no home directory is to be created. You won’t be able to switch user to this account as a result – i.e su - bpquser, but you can run commands as the user.
Note that this is specific to the Pi and Debian, so while it may look like this command works on other linuxes, CentOS for example, confirm that you cannot switch to the user. This can vary across Operating Systems.
Downloading and setup
This is subject to change, but right now let’s install in /opt/. Run with evelvated privileges.
mkdir /opt/linbpq
cd /opt/linbpq
wget http://www.cantab.net/users/john.wiseman/Downloads/installLinBPQ
chmod +x installLinBPQ
./installLinBPQ
chown -R bpquser /opt/linbpq
This sets up everything except the actual configuration file. Move the file into /opt/linbqp/linbpq and make sure it’s readable by the bpquser user.
Check that any default names and passwords in the file are updated.
Hmm… this could get messy/confusing. With the current setup, the LINBPQ binary is located at /opt/linbpq/linbpq/linbpq. To-do!
We can try executing LINBPQ as that user now. This is only for testing – once complete we’ll have this all work automatically.
su - bpquser -s /bin/bash -c "/opt/linbpq/linbpq/linbpq"
I’ve found that we need to include the shell (-s /bin/bash), probably down to there being no home directory/PATH definition.
pi@raspberrypi:/opt/linbpq/linbpq $ sudo su - bpquser -s /bin/bash -c "./linbpq"
su: warning: cannot change directory to /home/bpquser: No such file or directory
G8BPQ AX25 Packet Switch System Version 6.0.21.29 March 2021
Copyright 2001-2021 John Wiseman G8BPQ
Current Directory is /opt/linbpq/linbpq
Configuration file Preprocessor.
Using Configuration file /opt/linbpq/linbpq/bpq32.cfg
Boom. CTRL+C to stop for now.
Service
Create /lib/systemd/system/linbpq.service. This, once configured, will automatically start the service on boot as the bpquser account we just created.
Paste this to the contents of the file and save.
[Unit]
After=network.target
[Service]
User=bpquser
WorkingDirectory=/opt/linbpq/linbpq
ExecStart=/opt/linbpq/linbpq/linbpq
Restart=always
RestartSec=3
[Install]
WantedBy=multi-user.target
Then…
systemctl daemon-reload
systemctl enable linbpq
systemctl start linbpq
systemctl status linbpq
Briefly, daemon-reload is used to advise systemd that changes have been made to a service file. If you don’t do this, the other commands won’t work. We’re then “enabling” the service, which tells the OS to run this at boot. Next, we’re starting the service now, rather than at the next reboot. Finally, we’re checking the status of the new service.
You can start the service without enabling, but this means that it won’t start automatically on the next reboot.
The status command should return something similar to the below.
â— linbpq.service
Loaded: loaded (/lib/systemd/system/linbpq.service; enabled; vendor preset: enabled)
Active: active (running) since Sun 2021-03-14 20:14:29 GMT; 1s ago
Main PID: 26389 (linbpq)
Tasks: 3 (limit: 4185)
CGroup: /system.slice/linbpq.service
└─26389 /opt/linbpq/linbpq/linbpq
Looking good!
Note, if you make any changes to the bpq32.cfg file, you’ll need to restart the service apply these. I’ve found that if you make changes to any of the other files while the service is running, the changes you make will be overwritten when you start the service next.
So – if you’re wanting to change any of the config files, it’s probably best to systemctl stop linbpq, make the changes, then systemctl start linbpq.
Config overview
A brief overview of what I’ve picked up from the config. For other parts I haven’t mentioned, see the BPQ documentation.
USER=mm6lol,passwd,MM6LOL,"",SYSOP
USER=second_user,passwd,SECOND_USER,"",SYSOP
The SYSOP parameter here sets the user as a system operator. I haven’t actually played about with a non-sysop user, so not fully aware of the difference. TBC.
APPLICATION 1,BBS,,MM6LOL,LVLBBS,200
APPLICATION 2,CHAT,,MM6LOL-1,LVLCHT,255 S
Hmm… So I misinterpreted what ‘applications’ are in this context. As I copied a lot of this, I thought that Application 2,CHAT... in the config was a component of something else. It’s actually the chat function. I couldn’t figure out how to access the live chat, and this was why!
If you want to see what happens when you disable these, prior to doing this, log into the BBS and view the available options.
Connected to MM6LOL-10's Telnet Server
?
HOWGD:MM6LOL-10} BBS CHAT CONNECT BYE INFO NODES PORTS ROUTES USERS MHEARD
Now stop the service, edit bpq32.cfg and comment out the APPLICATION 2 line at the bottom.
APPLICATION 1,BBS,,MM6LOL,LOLBBS,200
;APPLICATION 2,CHAT,,MM6LOL-1,LOLCHT,255 S
Restart the service and check the available options.
Connected to MM6LOL-10's Telnet Server
?
HOWGD:MM6LOL-10} BBS CONNECT BYE INFO NODES PORTS ROUTES USERS MHEARD
Note that when you run for the first time, a couple of additional config files will be created in the working (/opt/linbpq/linbpq/) directory. The default values are fine at the point, but as of note, those of interest may be linmail.cfg and chatconfig.cfg.
Security
Telnet isn’t secure. It’s disabled/not even installed by default in most cases now. The reason behind this is because everything is in clear text, allowing anyone on the same network (or scanning AX25 packets) to see what’s going on – which is why it’s used in amateur radio.
We can go over wireshark at some point to show how visible things are.
So one thing you want to do when using Telnet based services is use a unique username and password that you haven’t used anywhere else, though password wise this is good practice in any case. Anyone listening in will be able to see the details you’re authenticating with.
I’m thinking of cutting telnet access over the web, only allowing access to the server over SSH, where you would then telnet locally. This would go something like…
local-machine $ ssh user@server
remote-machine $ telnet localhost 8010
Connected to MM6LOL-10's Telnet Server
This means that access to the server over the web is secure, and if we eventually enable access over the radio, would still be able to make unencrypted connections to the BBS that way.
It adds a layer of complication to things, but again, this is a device sitting on your home network – you want to keep things as secure as possible… and Telnet is not a good way of doing this.
Another possible option is using a site-to-site VPN, so that again, Telnet traffic is only exposed to those that need it.
It looks like MysticBBS accepts SSH authentication, so that might be an option for non radio-based BBS fun-times.
To-do
new user for linbpqrun with as low priv as posscreate service to start- tidy up install dir so that the binary isn’t at
/opt/linbpq/linbpq/linbpq - general Pi security best practices
- i.e. change Pi password (or even better create user to replace pi account and delete it)
- look into linking bbs over IP
- this may be referred to as AXIP
- have user ssh to server then run telnet?
- ssh via key only
- this person has an idea
- depending on how wide we want this to be used, maybe a bridged VPN might be an idea
- so nothing is exposed to the wide-web, just available to us
- file transfer?