Table of Contents
1 Remote Shell and File Transfer
1.1 PuTTY Remote Access Program
1.2 WinSCP Secure File Transfer Program
1.2.1 File Transfer Between PCs
2.1 Running SecureOffice Headless
3 Access SecureOffice From Internet or WAN
3.1 Create Public and Private Keys For SSH
3.2 Configure Putty to Use SSH Keys
3.3 Remote Access to SecureOffice Web GUI
3.4 Configure WinSCP to Use SSH Keys
3.5 Secure Remote Access Using Dropbear
3.6 Add SSH Key for Secure Remote Access
3.7 Configure Firewall for Remote Access
3.8 General Services Remote Access
4 Tools for Initial SecureOffice Install
4.1 Linux Emergency Recovery USB Boot Disk
4.3 SecureOffice Virtual Machine
4.4 SecureOffice USB Boot Disk
List of Figures
Figure 1: PuTTY Login Menu
Figure 2: PuTTY Login Prompt
Figure 3: PuTTY Logged In
Figure 4: WinSCP Start Page
Figure 5: WinSCP Login Page
Figure 6: Active WinSCP Session
Figure 7: VNC Viewer Login
Figure 8: VNC Viewer Logged In
Figure 9: NoMachine Remote Desktop
Figure 10: PuTTYgen Start Window
Figure 11: PuTTYgen Key Created
Figure 12: PuTTY Enter Private SSH Key
Figure 13: PuTTY Proxy HTTP Values
Figure 14: PuTTY Proxy HTTP Entered
Figure 15: Edit Dropbear Configuration
Figure 16: Dropbear GUI Configuration
Figure 17: Edit Firewall SSH Rule
Figure 18: GUI Firewall Open Port
Figure 19: GUI Firewall Port Open
Figure 20: Rufus Boot Disk Creator
Once the network LAN and WAN addresses are configured, SecureOffice can be accessed remotely, using SSH (Secure Shell access) from any PC on the LAN.
If SecureOffice is configured for WAN network topology, it is a major security risk to allow WAN (internet) SSH access to SecureOffice, which is disabled by default. A secure method to do this is discussed in Section 3.
Any PC on the SecureOffice LAN can SSH access SecureOffice with no additional configuration, independent of WAN or LAN network topology.
For SecureOffice LAN topology, the SecureOffice WAN network interface is connected to your router's LAN interface, which should be protected by the firewall on your existing router. That router should not have SSH port 22 open to the internet; doing so is a serious security risk unless SSH key authentication is used with passwords disabled. If remote shell or file transfer access via the SecureOffice WAN port (on your local LAN) is desired, port 22 can be opened on the SecureOffice firewall to allow SSH and SCP access. Since the LAN is already protected by the existing router, this is not a security risk, provided you trust all users on your LAN. The procedure to enable SSH on the SecureOffice WAN port is documented in Configure Firewall for Remote Access.
PuTTY is a SSH (Secure Shell) remote access program allowing encrypted access to computers over a network connection.
Click the following link to Download PuTTY and click "Save File". In your download folder, double click on "putty.exe" to start the installer. Follow the prompts and accept defaults for all settings.
Double click on the PuTTY icon on your desktop, or in your start menu. You should see PuTTY, as below:
Figure 1: PuTTY Login Menu
Accept the default settings and enter the IP address of SecureOffice (LAN address in WAN topology, WAN address in LAN topology). If you have changed the SSH port from the default (22), enter the port number.
Enter a name for your session in the "Saved Sessions" field and press "Save".
Press "Open". Assuming the IP address is correct and you are connected to the correct network interface (Existing LAN interface - your router for LAN topology, SecureOffice LAN interface for WAN topology), you should see the SecureOffice (Linux) shell login prompt, as below:
Figure 2: PuTTY Login Prompt
Type "root" as the user name, press "Enter", type your root password (default "admin_54321") and press "Enter" again. Note that characters are not echoed as the password is typed. Assuming the login credentials are correct, you will see the SecureOffice command prompt:
Figure 3: PuTTY Logged In
Basic PuTTY usage has been explained above. PuTTY is a very flexible utility, capable of much more. A full user manual is available at PuTTY Documentation.
WinSCP is a SCP (Secure File Copy) remote access program allowing encrypted access and file transfer from / to remote computers using a network connection.
Click the following link in your web browser, WinSCP Download, download the latest released (not beta) version and click "Save File". In your download folder, double click on "winscp-XXX-setup.exe" to start the installer. Follow the prompts and accept defaults for all settings.
Double click on the WinSCP icon on your desktop, or in your start menu. You should see WinSCP login page, similar to below:
Figure 4: WinSCP Start Page
Select "New". The detailed login page will be shown. Fill in the "Host Name" (IP address of SecureOffice), "User Name" (root), "Password" (default: "admin_54321") fields and select "SCP" as the protocol. The login page should appear as below:
Figure 5: WinSCP Login Page
After filling in the login fields, select "Save", then "Login". Ignore any error regarding groups; it is normal. Your SCP session should become active, similar to below:
Figure 6: Active WinSCP Session
Assuming everything is correct, the program will open a directory window similar to Windows Explorer, as above.
You can drag files to and from this window, other Explorer windows, and your desktop. To access additional operations, right-click any object, and then select the operation from the context menu. You can also left-click a file or directory, and then drag it to another location.
When transferring files from / to SecureOffice, pay attention to "Transfer Settings". When transferring binaries (images, programs, disk images, compressed archives, etc.) use "Binary". When transferring text (html, php, etc.), use "Text". Otherwise, WinSCP may convert between Windows and Linux line endings and corrupt files. If "Default" (transfer directories with mixed content) is used, WinSCP will attempt to pick the correct setting for each file, which may still cause conversion issues. It is safest to always explicitly set the transfer settings for each file type being transferred.
See the detailed WinSCP documentation for various tasks you can do with WinSCP.
Many administration / configuration tasks such as installing virtual machines and websites require copying files between a remote PC and SecureOffice. WinSCP is the recommended tool for doing this.
Start WinSCP and login to SecureOffice. The WinSCP window will display as shown above in Figure 6.
The left pane displays the file structure on your PC, the right pane displays the SecureOffice file structure.
In the top left pane, select the PC disk that contains the directory to be transferred to / from. In the bottom left pane, select the directory that files will be transferred to / from.
In the right pane, navigate to the SecureOffice directory that files will be transferred to / from.
Files and directories can be transferred by selecting (left mouse click) and dragging between the left and right panes.
Directories can be created by right clicking within the destination directory and selecting "New".
Some files and directories may require changing the ownership and security permissions on SecureOffice. This can be done by right clicking a SecureOffice directory / file and selecting "Properties".
When running SecureOffice virtual machines or other applications using the Xorg desktop, the desktop can be accessed remotely using various methods / packages. Typically, SecureOffice will be physically located away from your work area, near your internet connection (modem). SecureOffice may also be running headless (no monitor, keyboard or mouse connected). It is very inconvenient to have to physically connect a keyboard, mouse and monitor just to perform tasks requiring access to the Xorg GUI.
Note: Xorg (Linux GUI) is only available to subscribers of the custom SecureOffice package repository as are all packages (this section) required for remote desktop access.
Headless means that SecureOffice does not have a physical monitor, keyboard or mouse connected.
If no monitor is connected to SecureOffice, all desktop remote access methods will display a blank screen, since Xorg does not create a display when no monitor is detected.
There are two options to deal with this:
To use a dummy display for Xorg, enter (command prompt): "ln -sf xorg.conf_dummy /etc/X11/xorg.conf; reboot"
To use a real display (default, already done) for Xorg, connect a monitor and enter (command prompt): "ln -sf xorg.conf_real /etc/X11/xorg.conf; reboot"
TODO: figure out single xorg.conf that will auto-adapt to real or dummy display.
The Xorg desktop can be accessed remotely by installing (premium package) tigervnc (server) on SecureOffice and VNC Connect (free client) on your PC, Tablet or phone. This is perfect for headless (no monitor) remote access to the Xorg desktop and applications.
Tigervnc can create / connect to multiple desktops (virtual desktops, not the primary desktop that is displayed on the video port). Users wishing this functionality will have to research configuration alternatives. The following instructions are solely concerned with remotely accessing the SecureOffice primary desktop.
If using SecureOffice LAN topology (behind existing router) on single ethernet interface hardware, the port (TCP 5900) required for VNC is blocked by the SecureOffice firewall. TCP port 5900 must be opened on the firewall to allow VNC communications. Note that your existing router firewall is protecting SecureOffice.
Ensure that your PC (or another client device) is connected to the SecureOffice LAN. Start VNC Viewer and enter the SecureOffice LAN address (default: 192.168.10.1). The login page will appear, as shown below:
Figure 7: VNC Viewer Login
Press enter. VNC Viewer will display a warning regarding "not encrypted", click "Continue". VNC Viewer will prompt for a password. Enter the password created previously. Your SecureOffice desktop will display, as shown below:
Figure 8: VNC Viewer Logged In
Thus far, VNC Viewer can access the Xorg desktop only when connected to the SecureOffice LAN (wired or Wifi).
Unless configured otherwise, VNC uses port tcp 5900, which is blocked by SecureOffice firewall unless it was opened due to using LAN network topology (as above).
For WAN network topology, to allow VNC access from anywhere on the internet, there are two options:
The Xorg desktop can be accessed remotely by installing (premium package) nxserver on SecureOffice and the NoMachine client on your PC. This is perfect for headless (no monitor) remote access to the Xorg desktop and applications. Only the free NoMachine client / server is currently supported. A feature comparison between free and paid NoMachine client/server is available here.
The major differences between licensed and paid NoMachine remote access are:
If using SecureOffice LAN topology (behind existing router) on single ethernet interface hardware, the port (TCP 4000) required for NoMachine is blocked by the SecureOffice firewall. TCP port 4000 must be opened on the firewall to allow NoMachine communications. Note that your existing router firewall is protecting SecureOffice.
A screenshot of NoMachine client (on PC) remotely accessing the SecureOffice Xorg desktop running VmWare Workstation and lxterminal (multi-tabbed console application) is shown below:
Figure 9: NoMachine Remote Desktop
It is a severe security risk to allow password access to the SecureOffice command prompt (SSH), files (SCP), web configuration and services over the WAN interface when using WAN topology. If you need secure remote access to SecureOffice using the WAN interface (the internet in WAN topology, your existing LAN in LAN topology), this section explains how to do it. Note that a public IP address, discoverable by DNS, is required for remote access to SecureOffice from the internet.
Secure remote access may be achieved by configuring SecureOffice to use public / private encryption keys for login verification, configuring an instance of dropbear to listen to the SSH port, and opening the SSH port on the firewall.
The OpenWrt documentation contains a HowTo regarding OpenWrt public key authentication. The following sections provide a step by step procedure using PuTTY.
Start key generator: Windows: Start->All Programs->PuTTY->PuTTYgen
A window will appear, as shown below (after the "number of bits" field is filled in).
Type 4096 (recommended, adequate security) or 5120 (extra security) in the "Number of bits in generated key" field:
Figure 10: PuTTYgen Start Window
Press the "Generate" button and move your mouse in the empty space to provide randomness when instructed. The public key will be generated and you will see the following window, as shown below:
Figure 11: PuTTYgen Key Created
It is recommended that all files created be placed in a single directory.
Copy the entire contents of the "public key for pasting" field and paste it into a text file (notepad++, wordpad or notepad) with name "something_ssh.pub", replacing "something" with whatever you choose. Save the "something_ssh.pub" file, you will need it later.
Optional: It is recommended to protect your keys with a passphrase. If you choose so, enter and confirm your passphrase. If you choose to use a passphrase and are logging into SecureOffice using this key, you will be prompted for this passphrase as part of the login process, an extra measure of security.
Press the "Save Public Key" button and choose a name of "something.pub", you will need it later.
Press the "Save Private Key" button. If you did not enter a passphrase, you will be asked to confirm this. Choose a name of "something.ppk", you will need it later.
Close PuTTYgen, your keys have been created.
Start PuTTY and load the session saved in section 1.1. Do not open the session yet. In the left pane, click "Connection->SSH" and then "Auth". You should see the following window:
Figure 12: PuTTY Enter Private SSH Key
Enter or browse to the directory and filename of the "something.ppk" (private key) file you created above. The full path and filename should appear in the "Private key file for authentication" field. Scroll the left pane up and click "Session". Click "Save".
At this point, configuration is incomplete. Keep going.
An advanced feature of PuTTY is ability to tunnel ports over the SSH connection. This can be used for secure remote access to the SecureOffice web configuration interface GUI and other services. This is an optional step and can be omitted.
In the PuTTY left pane, click "Connection->SSH" and then "Tunnels".
Figure 13: PuTTY Proxy HTTP Values
Fill in the "Source Port" and "Destination" fields as shown above. This will forward the SecureOffice internal port 80 (HTTP) to IP address 127.0.0.1 (localhost), port 80 on your client PC. Click "Add". You should see the following window:
Figure 14: PuTTY Proxy HTTP Entered
Repeat the above process to tunnel port 443.
Scroll the left pane up and click "Session". Click "Save".
At this point, configuration is incomplete. Keep going.
Note: If your client PC already has a service running on the source port, the tunnel will fail. This can be seen by enabling PuTTY logging, attempting to connect over the tunnel and failing; close the connection and inspect the PuTTY log. For example, with VmWare Workstation installed on a client PC, a service was already running at "https://127.0.0.1:443", so the "Source port" had to be changed to "444" and the LuCI web interface accessed at "https://127.0.0.1:444".
WinSCP can also be configured to use public / private keys for secure access using the WAN port.
Start WinSCP and select (left pane) the session to SecureOffice previously created. Click "Advanced" and then "Authentication" in the left pane. In the "Private key file" field, browse to the directory and filename of the "something.ppk" (private key) file you created above. The full path and filename should appear in the "Private key file" field. Press "OK", then Click "Save".
At this point, configuration is incomplete. Keep going.
Connect to SecureOffice over the LAN and start PuTTY (default address 192.168.10.1), login as root. Enter the following command:
"nano /etc/config/dropbear"
Type in the configuration values shown below:
config dropbear
    option PasswordAuth 'on'
    option Port '22'
    option Interface 'lan'

config dropbear
    option Port '22'
    option Interface 'wan'
    option PasswordAuth 'off'
    option RootPasswordAuth 'off'
Figure 15: Edit Dropbear Configuration
The first section configures dropbear to listen for SSH connections on LAN port 22. This is the default setting and should already be there.
The second section is new and configures dropbear to listen for SSH connections on WAN port 22. Type the second section in and hit "CTL+w" (both keys together) to save the file.
Note: For additional security, the WAN SSH port can be changed to a non-standard port such as 3333. If you do this, you must also change the ports used for your firewall, remote PuTTY and WinSCP sessions to match.
If preferred, this configuration can be done using the SecureOffice web GUI. To do so, enter your SecureOffice LAN address (default 192.168.10.1) in a web browser, login and navigate to System->Administration. Under "Dropbear Instance", click add. Fill in the values as shown below:
Figure 16: Dropbear GUI Configuration
Click "Save&Apply"
At this point, configuration is incomplete. Keep going.
Connect to SecureOffice over the LAN and start WinSCP (default address 192.168.10.1), login as root.
In the left pane, navigate to the directory (on your PC) where you saved the "something_ssh.pub" (SSH authorized key) file.
In the right pane, navigate to "/etc/dropbear".
In the left pane, select the "something_ssh.pub" (SSH authorized key) file and drag it to the right pane. This copies the file from your PC to SecureOffice, directory "/etc/dropbear/".
Connect to SecureOffice over the LAN and start PuTTY (default address 192.168.10.1), login as root. Replace "something_ssh.pub" with your filename, enter the following commands (one per line, then enter):
The commands above save a copy of authorized_keys and add the new key to the authorized_keys file.
If preferred, this configuration can be done using the SecureOffice web GUI. To do so, enter your SecureOffice LAN address (default 192.168.10.1) in a web browser, login and navigate to System->Administration. Paste the contents of the "something_ssh.pub" file in the "SSH-Keys" field.
Click "Save&Apply"
At this point, configuration is incomplete. Keep going.
Connect to SecureOffice over the LAN and start PuTTY (default address 192.168.10.1), login as root. Enter the following command:
"nano /etc/config/firewall"
At the end of the file, type in the configuration values shown below:
config rule
    option enabled '1'
    option target 'ACCEPT'
    option src 'wan'
    option proto 'tcp udp'
    option dest_port '22'
    option name 'support-SSH'
Figure 17: Edit Firewall SSH Rule
If preferred, this configuration can be done using the SecureOffice web GUI. To do so, enter your SecureOffice LAN address (default 192.168.10.1) in a web browser, login and navigate to "Network->Firewall->Traffic Rules". Under "Open ports on router", click add. Fill in the values as shown below, then click "Add":
Figure 18: GUI Firewall Open Port
Click "Save&Apply". You will see a new firewall entry for "support-SSH", as shown below:
Figure 19: GUI Firewall Port Open
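Before opening the SSH port on the WAN it is worth checking that the dropbear and firewall edits above are consistent. The script below is an added example, not SecureOffice's own tooling: it parses UCI-format copies of /etc/config/dropbear and /etc/config/firewall, flags any dropbear instance reachable from the WAN that still allows password logins, and notes when the SSH rule's 'tcp udp' protocol could be narrowed to tcp (SSH uses TCP only). The sample files written by write_samples are constructed for this example.

```shell
#!/bin/sh
# Added audit script (not part of SecureOffice): parses the two UCI files this
# section edits and checks that no dropbear instance reachable from the WAN still
# accepts password logins and that the rule opening the SSH port is TCP-only.
# POSIX sh + awk, so it also runs on OpenWrt/BusyBox. Real paths: /etc/config/dropbear
# and /etc/config/firewall; write_samples writes constructed copies for this example.

# One line per "config dropbear" section: "Port Interface PasswordAuth RootPasswordAuth".
# Missing options take OpenWrt's defaults: port 22, all interfaces ("*"), passwords on.
dropbear_instances() {
    awk -v q="'" '
    function val(v) { v = $3; gsub(q, "", v); gsub("\"", "", v); return v }
    function flush() { if (inst) printf "%s %s %s %s\n", port, iface, pw, rootpw }
    $1 == "config" { flush(); inst = ($2 == "dropbear")
                     port = "22"; iface = "*"; pw = "on"; rootpw = "on"; next }
    $1 == "option" && inst {
        if ($2 == "Port") port = val()
        else if ($2 == "Interface") iface = val()
        else if ($2 == "PasswordAuth") pw = val()
        else if ($2 == "RootPasswordAuth") rootpw = val()
    }
    END { flush() }' "$1"
}
# UCI spells booleans several ways; treat every "false" form as off.
is_off() { case "$1" in off|0|false|no|disabled) return 0 ;; *) return 1 ;; esac; }

# Succeeds only when every instance not pinned to 'lan' has both password
# options off (an unset Interface listens on the WAN too).
audit_dropbear() {
    tmp=$(mktemp); dropbear_instances "$1" > "$tmp"; bad=0
    while read -r port iface pw rootpw; do
        if [ "$iface" = "lan" ]; then continue; fi
        if is_off "$pw" && is_off "$rootpw"; then
            echo "ok: dropbear port $port on '$iface' is key-only"
        else
            echo "INSECURE: dropbear port $port on '$iface' allows passwords (PasswordAuth=$pw RootPasswordAuth=$rootpw)"
            bad=$((bad + 1))
        fi
    done < "$tmp"; rm -f "$tmp"
    [ "$bad" -eq 0 ]
}

# One line per enabled "config rule" accepting traffic from the WAN:
# "name|proto|dest_port" (the last two may hold several words).
wan_accept_rules() {
    awk -v q="'" '
    function val(v) { v = $0; sub(/^[ \t]*option[ \t]+[^ \t]+[ \t]+/, "", v)
                      gsub(q, "", v); gsub("\"", "", v); sub(/[ \t]+$/, "", v); return v }
    function flush() { if (rule && en != "0" && src == "wan" && target == "ACCEPT") printf "%s|%s|%s\n", name, proto, port }
    $1 == "config" { flush(); rule = ($2 == "rule")
                     name = "?"; en = "1"; src = ""; target = ""; proto = "tcp udp"; port = ""; next }
    $1 == "option" && rule {
        if ($2 == "name") name = val()
        else if ($2 == "enabled") en = val()
        else if ($2 == "src") src = val()
        else if ($2 == "target") target = val()
        else if ($2 == "proto") proto = val()
        else if ($2 == "dest_port") port = val()
    }
    END { flush() }' "$1"
}

# Check the rule(s) opening the SSH port ($2) from the WAN; warn when UDP is
# included, since SSH is TCP-only. Fails if no rule opens that port.
audit_ssh_rule() {
    tmp=$(mktemp); wan_accept_rules "$1" > "$tmp"; found=0
    while IFS='|' read -r name proto port; do
        case " $port " in *" $2 "*) found=1 ;; *) continue ;; esac
        case " $proto " in
            *" udp "*) echo "WARN: rule '$name' opens port $2 for '$proto'; SSH needs only tcp" ;;
            *) echo "ok: rule '$name' opens tcp port $2 from wan" ;;
        esac
    done < "$tmp"; rm -f "$tmp"
    [ "$found" -eq 1 ]
}

# Constructed samples: the page's dropbear and firewall sections, plus a WAN
# listener whose password options were forgotten.
write_samples() {
    printf '%s\n' "config dropbear" "    option PasswordAuth 'on'" "    option Port '22'" "    option Interface 'lan'" \
        "" "config dropbear" "    option Port '22'" "    option Interface 'wan'" \
        "    option PasswordAuth 'off'" "    option RootPasswordAuth 'off'" > "$1/dropbear.secure"
    printf '%s\n' "config dropbear" "    option Port '22'" "    option Interface 'wan'" > "$1/dropbear.insecure"
    printf '%s\n' "config rule" "    option enabled '1'" "    option target 'ACCEPT'" "    option src 'wan'" \
        "    option proto 'tcp udp'" "    option dest_port '22'" "    option name 'support-SSH'" > "$1/firewall"
}

# Demo on the constructed samples; the first file is the page's configuration.
d=$(mktemp -d); write_samples "$d"
audit_dropbear "$d/dropbear.secure"; audit_dropbear "$d/dropbear.insecure" || echo "-> fix /etc/config/dropbear first"
audit_ssh_rule "$d/firewall" 22; rm -rf "$d"
```

Run it against copies of the real files (for example after pulling them down with WinSCP) by calling audit_dropbear and audit_ssh_rule with those paths instead of the samples.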
At this point, remote access configuration of SecureOffice is complete. To have the new settings take effect, SecureOffice can be rebooted (powered off, then on), or "reboot" can be entered at a command prompt:
At reboot, the PuTTY session (and WiFi connection) will end. You will need to re-connect using PuTTY.
Alternatively, re-boot can be avoided by entering the following commands:
It is possible to use different (service dependent, documented on internet) remote access methods per service. This is a lot of work and high maintenance. SecureOffice recommends a global (all services, common method) approach, requiring minimal configuration to make services remotely accessible.
Any SecureOffice service accessible using ports can be securely accessed remotely from anywhere on the internet using PuTTY tunneling. Assuming that PuTTY and dropbear have been configured per previous sections, it is a simple matter of configuring a PuTTY tunnel (as was done for the SecureOffice web GUI in section 3.3) for the ports required by the service (80, 443 for the web GUI). Remotely accessing a service then becomes a simple matter of connecting to SecureOffice using PuTTY. The service can be accessed from any client PC at "127.0.0.1:<port number>", where 127.0.0.1 is localhost.
Another global remote access approach is to use VPN server scripts (does not require a commercial VPN provider). Accessing services becomes a simple matter of clients establishing a VPN connection to SecureOffice. This connects the client to the SecureOffice LAN, allowing access to all devices and services. The service is accessed remotely the same as it is locally.
Note: When connecting to SecureOffice or services using an IP address as opposed to a DNS domain name, all encrypted connections will result in a security warning. This is because SSL certificates verify by domain name and not IP address. Despite the warning, connections will still be encrypted. This can be avoided by adding an entry in the form of "<SecureOffice IP address> <your domain name>" in the "/etc/hosts" file of client PCs.
A public IP address, discoverable by DNS is required for remote access to SecureOffice from the internet. If not yet done, configure DDNS by determining DDNS requirements and following the Dynamic DNS Configuration section.
To test PuTTY remote access to SecureOffice, use the PuTTY connection configured previously, replacing the LAN IP address with "yourdomain.com" and using the correct SSH port (if you changed it, else 22). Press "Open". If successful and you entered a passphrase for your SSH key, you will be prompted for it and then logged in. If you did not choose a passphrase, you will be logged in directly. On failure, verify the configuration of PuTTY, dropbear and the firewall.
To test browser remote access to SecureOffice GUI, open a browser on your PC, enter "https://127.0.0.1:443" or "https://localhost:443" (or the correct HTTPS port if you changed it from 443 - Section 3.3) for address. Press "enter". You should see the OpenWrt login page. If not, and PuTTY is working, re-check the "Tunnel" settings (PuTTY left pane, click "Connection->SSH" and then "Tunnels") for PuTTY.
To test WinSCP remote access to SecureOffice, use the WinSCP connection configured above, replacing the LAN IP address with "yourdomain.com" and using the correct SSH port (if you changed it, else 22). Press "Login". You will be prompted for your SSH key passphrase, if you chose one, and then logged in. If you did not choose a key passphrase, you will be logged in directly. If unsuccessful, verify the WinSCP configuration to ensure the correct private key file is used.
SecureOffice installation is achieved using a Linux shell script requiring a Linux system able to access the disk which is intended to host the SecureOffice operating system.
If you already have a Linux system or virtual machine and interface hardware capable of accessing the physical disk that will host the SecureOffice operating system (USB, SD, TF, mSATA, SATA, etc), this section can be skipped.
The following sections cover several Linux options (choose one) that can be used for installation of SecureOffice.
Choosing this installation option has the following advantages:
The preferred (free) emergency recovery disk is "System Rescue" on a USB stick. Installation instructions are available here. Important: Be sure to run the Windows installer as Administrator, otherwise the USB disk will fail to boot. Once installed on a USB disk, it is suggested to test it by booting your target or another PC, which may also require changing the BIOS boot order to boot from USB first.
If, during boot from "System Rescue" on a USB stick, the following errors are received:
error: file "/isolinux/rescue64" not found.
error: you need to load the kernel first.
Move the USB disk back to a Windows system and, using Windows notepad, notepad++ or some other editor (not Wordpad or Word) that does not change line endings from Linux to Windows format, open file (on USB disk) "/boot/grub/grub-XYZ.cfg" (XYZ is the System Rescue version). Change all occurrences of "isolinux" to "syslinux", save the file, eject the USB disk and attempt to boot again.
Alternatively (Linux skills), at above error, you can edit the grub command line, changing "isolinux" to "syslinux", boot and make the above changes permanent by editing the "grub-XYZ.cfg" using a Linux text editor from within System Rescue.
If, for some reason, "System Rescue" is not desired, there are many other Linux recovery boot disk options available; do an internet search and install one.
Choose this option (perhaps in addition to Recovery Boot Disk above) for the following reasons:
Once you have chosen and installed VmWare Workstation on your PC, it is necessary to choose and install a Linux distribution virtual machine for VmWare Workstation.
If the virtual machine is intended solely to install SecureOffice, any Linux distribution is adequate. Ubuntu is a very popular distribution, available here. Other distributions are available here, or, by internet search.
If it is your intent to install Sme-Server (recommended Linux distribution for services hosting), Sme-Server can also serve as the installation virtual machine.
If the virtual machine is intended to run under the SecureOffice VmWare Workstation application, you can save effort by creating (on PC) the virtual machine you intend to run under SecureOffice and use it (on your PC) for SecureOffice installation. The virtual machine can be copied to SecureOffice later.
If intending to follow recommendations and use Sme-Server virtual machine to host your websites, email and other services under SecureOffice, you can save effort by creating the Sme-Server virtual machine on your PC for SecureOffice installation and copying it over to SecureOffice later. You can install Sme-Server by following the previous link.
Once you have chosen and downloaded a Linux distribution, virtual machines can be created. Instructions for creating virtual machines from ISO images is located here. Virtual machines can be created on a host PC or directly on SecureOffice using the premium VmWare Workstation application.
The recommended settings for creating virtual machines (on PC or SecureOffice) destined to run under SecureOffice are:
A SecureOffice virtual machine may be used to evaluate SecureOffice and / or as a Linux system to install SecureOffice on real hardware.
To install a SecureOffice virtual machine:
Further information regarding configuring and using the SecureOffice virtual machine is available here.
Rufus is a Windows program for creating boot disks on removable media from image files. It can be used to install emergency recovery systems such as "System Rescue" above and SecureOffice.
A SecureOffice USB boot disk can be used as a Linux system for installing SecureOffice. In addition, it can be used to evaluate hardware compatibility of target PCs (if it boots and works without error, the hardware is compatible). Another use is for SecureOffice evaluation before committing to hardware.
This section focuses on using Rufus to create a SecureOffice boot disk, USB booting SecureOffice on the target system and installing SecureOffice on the target system. Note that Rufus only works with disks that Rufus identifies as "removable", which includes USB, SD, TF and mSATA (with appropriate adapter). Note that some mSATA disks appear as non-removable and are not visible to Rufus.
Download and install Rufus (follow instructions) from here.
A screenshot of Rufus is shown below:
Figure 20: Rufus Boot Disk Creator
To create a SecureOffice boot disk:
If using the SecureOffice boot disk for evaluation, go to Initial SecureOffice Boot.
This method has the advantages of testing whether SecureOffice is compatible with your target hardware and providing an emergency recovery disk. It is the recommended approach.
Assuming SecureOffice has booted from USB, SecureOffice can, if desired, be installed on the final target disk. In essence, the SecureOffice USB boot disk is used as the Linux distribution for installation. Follow the Install SecureOffice on Boot Device instructions.
SecureOffice comes bundled with the nano text editor by default. To use it, type "nano file_to_edit" at the SecureOffice command prompt. A summary of key commands is shown below. "CTL+Key" means "press CTL and Key simultaneously":
Notepad++ is a free source code editor and Notepad replacement. It has many useful features such as find and replace in files. It is useful for editing Linux files on Windows PCs since it does not translate Linux to Windows line endings as many Windows editors do. Notepad++ can be downloaded here.
7-Zip is a free file archiver with a high compression ratio. It performs the same functions as WinRar, WinZip and other compress / de-compress utilities. 7-Zip can be downloaded from the previous link.