
Category Archives: Microsoft & PCs


Introducing Atomic Flash: 15-Minute Turnkey Asterisk Installs

PBX in a Flash offers a number of Asterisk-compatible PBX solutions to meet virtually every need. These include base installs of Asterisk 1.4 and 1.6 in both 32-bit and 64-bit flavors. In addition, the Orgasmatron builds provide turnkey installs for Everex gPC systems and Dell PowerEdge SC440 and T100 servers. And our recent VPN in a Flash build for the Acer Aspire One NetBook introduced the ultimate portable, secure traveling communications server including the Hamachi VPN.

For 2009 we round out our offerings with the ultimate development tool, a bootable USB flash drive which can create turnkey, full-featured Asterisk PBX systems in 15 minutes or less. As its name suggests, this build was specially engineered for the new Atom-based motherboards found in most netbooks although it works just fine with Dell’s PowerEdge T100 servers as well. Many of the newer netbooks lack a CD/DVD drive so a bootable flash installer is ideal. In addition to a current generation computer, you’ll also need an 80GB or larger SATA disk drive which can be configured as sda1, sda2, and sda3. RAID setups are not yet supported unless you’re very familiar with reconfiguring Mondo Restores. With your new computer in hand, just plug in the Atomic Flash, and boot the computer from the flash drive. Type nuke and have a cup of coffee. When you return in 15 minutes and type a couple commands, your system will be ready for deployment. Add your trunk providers, match phones to the preconfigured extensions, secure passwords, and you’re all set. It’s that easy!

Make no mistake. This is a Bleeding Edge installer featuring a Fedora 10 Remix[1] that’s less than a week old. It supports the latest and greatest motherboards, wired and WiFi networks, and it includes the KDE graphical user interface for those who love GUIs. Out of the box, it provides a functioning softphone as well as your own private Hamachi VPN connecting up to 15 additional systems so the entire setup can be deployed as a mobile communications hub in less time and for less money than most folks spend on their breakfast.

For those that demo systems for a living, no one will touch this presentation. Just show up at a customer site with a $300 Acer Aspire One NetBook and an Aastra 57i business phone. While the customer watches the Atomic Flash build a new PBX in a Flash server from the ruins of a Windows XP clunker, you can connect and configure the 57i and explain how simple VoIP networks can be.

When you finish your 10-minute slide show, your system will be operational. Dial any 800 number from your Aastra phone, and presto… instant, flawless communications! Now explain to the customer what the world of penny-a-minute communications is all about with every call between PBX in a Flash systems and other SIP phones absolutely free… worldwide.

Friends of PIAF. So how do you get one? If you don’t mind a preproduction version, which means we have to custom-build every flash drive, here’s how to get yours. First, this offer is for a limited time (until we get sick of cloning flash drives). And don’t expect to receive your unit overnight. In fact, it may be several weeks or more depending upon how busy we get with other Honey-Do’s. But we won’t forget you!

Now what? Just make a contribution of $50 or more to the PBX in a Flash project through PayPal, and we’ll give you one (as in gift for free), and we’ll even pay the shipping. Limit of one per contributor please! Keep in mind that $50 barely covers the cost of the 8GB flash drive, the shipping, the PayPal commission, and the labor (at 5¢ an hour) so your generosity is most appreciated. And when we get tired of working for 5¢ an hour, we’ll holler. 🙂

Once your Atomic Flash device arrives, please visit http://atomicflash.org or http://pbxonaflash.com for complete installation instructions.



The Perfect Complement. The stars have all lined up to provide a perfect opportunity for you to purchase a state-of-the-art NetBook. If you’d prefer a server, you now can grab a Dell PowerEdge T100 server with dual 160GB SATA drives and 2GB of RAM saving $397 off the list price. Either hardware works great with Atomic Flash.

Are You Crazy? Why Are You Doing This? Well, yes and because it’s the First Anniversary of PBX in a Flash! We want everyone to experience PBX in a Flash in all its greatness now that we’ve got it down to a 15-minute walk in the park. These are tough economic times for many businesses around the world, and we want you to help us spread the word about the savings that can be realized through Voice Over IP. We also want to encourage those of you on the fence about a career to enter the Asterisk® reseller community, and we’re doing our part by providing the perfect sales and development tool.

So now’s your chance. We hope you’ll tell every business acquaintance and friend you have about PBX in a Flash. And you have our heartfelt thanks for your continuing support. It’s been a blast!


 

Special Thanks to Our Generous Sponsors


FULL DISCLOSURE: ClearlyIP, Skyetel, Vitelity, DigitalOcean, Vultr, VoIP.ms, 3CX, Sangoma, TelecomsXchange and VitalPBX have provided financial support to Nerd Vittles and our open source projects through advertising, referral revenue, and/or merchandise. As an Amazon Associate and Best Buy Affiliate, we also earn from qualifying purchases. We’ve chosen these providers not the other way around. Our decisions are based upon their corporate reputation and the quality of their offerings and pricing. Our recommendations regarding technology are reached without regard to financial compensation except in situations in which comparable products at comparable pricing are available from multiple sources. In this limited case, we support our sponsors because our sponsors support us.

BOGO Bonaza: Enjoy state-of-the-art VoIP service with a $10 credit and half-price SIP service on up to $500 of Skyetel trunking with free number porting when you fund your Skyetel account. No limits on number of simultaneous calls. Quadruple data center redundancy. $25 monthly minimum spend required. Tutorial and sign up details are here.

The lynchpin of Incredible PBX 2020 and beyond is ClearlyIP components which bring management of FreePBX modules and SIP phone integration to a level never before available with any other Asterisk distribution. And now you can configure and reconfigure your new Incredible PBX phones from the convenience of the Incredible PBX GUI.

VitalPBX is perhaps the fastest-growing PBX offering based upon Asterisk with an installed presence in more than 100 countries worldwide. VitalPBX has generously provided a customized White Label version of Incredible PBX tailored for use with all Incredible PBX and VitalPBX custom applications. Follow this link for a free test drive!
 

Special Thanks to Vitelity. Vitelity is now Voyant Communications and has halted new registrations for the time being. Our special thanks to Vitelity for their unwavering financial support over many years and to the many Nerd Vittles readers who continue to enjoy the benefits of their service offerings. We will keep everyone posted on further developments.
 



  1. Fedora and the Infinity design logo are trademarks of Red Hat, Inc. Asterisk is a registered trademark of Digium, Inc. All other trademarks and registered trademarks are property of their respective owners. This software aggregation is neither provided nor supported by the Fedora Project and contains non-Fedora and modified Fedora content. Official Fedora software is available through the Fedora Project website.

Avoiding the $100,000 Phone Bill: A Primer on Asterisk Security

Here's a headline to wake up any CEO: "Small business gets $120,000 phone bill after hackers attack VoIP phone." News.com.au actually ran this story on January 20. "Criminals hacked into an Internet phone system and used it to make 11,000 international calls in just 46 hours... 115,000 international mobile calls were made using the small business's VoIP system over a six month period."

News Flash: Be sure to read our latest article introducing Travelin' Man 3, a completely new security methodology based upon FQDN Whitelists and DDNS. In a nutshell, you get set-it-and-forget-it convenience and rock-solid VoIP security for your Cloud-based PBX or any PBX in a Flash server that's lacking a hardware-based firewall and you get both transparent connectivity and security for your mobile or remote workforce.

For the latest Security Tips: See our most recent article.

Sad to say that folks install VoIP phone systems to save money and then completely ignore tried-and-true network security principles: hardening your system, regularly watching your logs, and periodically changing your passwords. If PBX in a Flash were a commercial offering, we'd probably keep much of what follows to ourselves and start touting our PBX systems as the only Asterisk® offering with Secure-Wrap™. That's not our world, of course, nor is it what open source is all about... which turns out to be both a blessing and a curse. We openly and jointly figure out ways to secure our Asterisk systems as well as those of our competitors. Then the bad guys get to read all about it and come up with new, more creative "solutions." The silver lining is there are millions of insecure Asterisk systems so the creeps typically move on to easier targets.

Today we'll walk you through our Top Ten Security Tips and Tricks. All of these can be implemented easily to harden your Asterisk PBX and lessen the chances of the bad guys transforming your VoIP system into a free, international payphone: you pay, they phone. In the process, we'll identify some common security blunders that accompany new system installs in hopes that you won't make the same mistakes. So let's start with the basics. If you plug your Asterisk PBX directly into the public Internet without carefully securing it, your chances of being hacked within the hour are pretty good.

Rule #1: Protect Your PBX With IPtables. PBX in a Flash systems are delivered with the IPtables firewall enabled. Leave it that way! If your Asterisk implementation doesn't have IPtables support, demand that it be added immediately or ask for assistance in adding it yourself. There is no reason not to use a freely available, open source firewall, period! And there are many good tools including WebMin (also included in PBX in a Flash distributions) to get it configured properly. With PBX in a Flash, all of the grunt work has been done for you.

Firewalls, of course, are only as good as the set of rules defined to secure your system. So only activate ports that are absolutely essential to run your PBX. For an excellent review of the ports that are opened by default in PBX in a Flash systems, see Joe Roper's summary. Think of an activated port as a hole in the dike. The more holes you add, the less secure your PBX will be. We'll leave it to you to count the holes in the dike if you choose to run your PBX without IPtables enabled. Our rule of thumb for PBX security goes something like this. If you don't need web access to your PBX, don't open ports 80 and 9080. If you don't need SSH, FTP, FOP, or WebMin access to your PBX, don't enable those ports. Better yet, don't even turn those services on unless there is a pressing need.

All of the IPtables rules are stored in /etc/sysconfig/iptables. Don't edit this file unless you know what you're doing. If you need help with the rules, post a question on the PBX in a Flash Forum. Typical response time on posted questions is under an hour on our forum. And don't forget to restart IPtables if you make changes to any of the rules: service iptables restart.

Rule #2: Protect Your PBX With A Hardware-Based Firewall. If one firewall is good protection, two firewalls are even better. As much as NAT-based firewall/routers get a bad rap, the extra layer of protection that a $50 hardware-based firewall/router delivers cannot be overstressed. Think of the software-based firewall as the tool of choice to secure your PBX on your internal LAN while the hardware-based firewall secures your system on the public Internet. We recommend the dLink WBR-2310 for home and SOHO use. It provides a reliable NAT-based router, a firewall, and excellent WiFi capability for under $50. If you've got some spare change, step up to one of dLink's Gaming Routers which we happen to use. They provide all the tools you'll need to prioritize your VoIP traffic. As with Rule #1, only open and redirect ports that are absolutely essential to use your PBX.

Rule #3: Safeguard Against Random Password Hacks. There is no better tool to protect your PBX from random password attacks than Fail2Ban 0.8.3. Fail2ban scans log files and bans IP addresses that make repeated, unsuccessful password attempts. It updates IPtables rules to reject those IP addresses for a period of time that you can set in /etc/fail2ban/jail.conf. Originally PBX in a Flash systems were shipped with an earlier version of Fail2Ban that provided only minimal protection. If your system doesn't include the jail.conf file above, you still have the older version. Simply run our update script to get the current release:

cd /root
mkdir fail2ban
cd fail2ban
wget http://pbxinaflash.net/source/fail2ban/fail2ban-update
chmod +x fail2ban-update
./fail2ban-update
service fail2ban restart

As was true with IPtables, Fail2Ban is only as good as the rules which are defined to identify failed password attempts on your system. On PBX in a Flash systems, we now protect against web, FTP, SSH, SIP, and IAX password attempts.

If your particular Asterisk implementation lacks Fail2Ban support, you're missing a critically important (free) tool to safeguard your system from random password attacks against SSH and your protected web sites as well as your SIP and IAX extension passwords. For tips on installation, review our script that is available on this thread in the PBX in a Flash Forum.
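
To make the mechanism behind Rule #3 concrete, here is an added example (not Fail2Ban's own code, nor anything shipped with PBX in a Flash) that applies the same maxretry / findtime / bantime logic to failed SIP registrations in an Asterisk log. The log lines, addresses and the three values are constructed for the illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Named after the jail.conf options; the values are assumed for this demo.
MAXRETRY = 3                       # failures tolerated inside the window
FINDTIME = timedelta(minutes=10)   # window in which failures are counted
BANTIME = timedelta(minutes=30)    # how long an address stays blocked

# Failed SIP registrations as Asterisk writes them to its log file.
FAILED_REGISTRATION = re.compile(
    r"^\[(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\] NOTICE\[\d+\] chan_sip\.c: "
    r"Registration from '.*' failed for '(?P<ip>\d{1,3}(?:\.\d{1,3}){3})' - "
    r"(?:Wrong password|No matching peer found)"
)


def log_line(ts, ext, ip, reason="Wrong password"):
    """Build one constructed log line (documentation-range addresses only)."""
    return (f"[{ts}] NOTICE[2345] chan_sip.c: Registration from "
            f"'\"{ext}\" <sip:{ext}@192.0.2.10>' failed for '{ip}' - {reason}")


SAMPLE_LOG = "\n".join([
    # Rapid guessing across extension numbers: banned on the third failure.
    log_line("2009-01-20 03:14:01", 200, "203.0.113.5"),
    log_line("2009-01-20 03:14:02", 201, "203.0.113.5"),
    log_line("2009-01-20 03:14:03", 202, "203.0.113.5", "No matching peer found"),
    log_line("2009-01-20 03:14:04", 203, "203.0.113.5"),
    # A user mistyping a password now and then: failures fall out of the window.
    log_line("2009-01-20 09:05:10", 215, "198.51.100.7"),
    log_line("2009-01-20 09:30:45", 215, "198.51.100.7"),
    "[2009-01-20 09:40:00] VERBOSE[2345] logger.c: unrelated line",
    log_line("2009-01-20 09:58:00", 215, "198.51.100.7"),
    # The first address returns after its ban expired and is banned again.
    log_line("2009-01-20 10:00:00", 700, "203.0.113.5"),
    log_line("2009-01-20 10:00:05", 701, "203.0.113.5"),
    log_line("2009-01-20 10:00:09", 702, "203.0.113.5"),
])


def find_bans(log_text):
    """Return [(ip, banned_at, released_at)] in the order bans are triggered."""
    recent = defaultdict(deque)    # ip -> timestamps of recent failures
    banned_until = {}
    bans = []
    for line in log_text.splitlines():
        match = FAILED_REGISTRATION.match(line)
        if not match:
            continue
        ip = match["ip"]
        ts = datetime.strptime(match["ts"], "%Y-%m-%d %H:%M:%S")
        if ts < banned_until.get(ip, datetime.min):
            continue               # address is already blocked
        window = recent[ip]
        window.append(ts)
        while window[0] < ts - FINDTIME:
            window.popleft()       # forget failures older than findtime
        if len(window) >= MAXRETRY:
            banned_until[ip] = ts + BANTIME
            bans.append((ip, ts, ts + BANTIME))
            window.clear()
    return bans


if __name__ == "__main__":
    for ip, start, end in find_bans(SAMPLE_LOG):
        print(f"ban {ip} from {start} until {end}")
```
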

Rule #4: Narrow Access With IP Address Restrictions. Security privileges in the U.S. government are based upon a "need to know." It's pretty simple. If you don't have a need to know the information to perform your duties, you don't get the privilege. You can use a similar technique to secure your PBX by implementing IP address restrictions. For example, if all of your extensions are housed on a private subnet of your internal LAN, then there is no reason to allow Internet access to those extensions. Similarly, for extensions outside your local network, you now can hardcode the IP address into the extension to restrict access. To implement this with Asterisk and FreePBX-based systems, you'll first need to upgrade FreePBX to at least version 2.5.1.1. Once you've upgraded, go into each extension and enter either an IP address or an IP subnet for that extension in the permit field. For an IP address, the syntax is 192.168.0.44/255.255.255.255. For an IP subnet, the syntax would look like this: 192.168.0.0/255.255.255.0. This one tip would have been worth $120,000 to the Australian company referenced above. Yes, consultants can be worth their weight in gold. 🙂

If you're as absent-minded as we are, you don't want to have to worry about remembering this each time you add a new extension to your system. So it's quite simple to change the default permit entry from 0.0.0.0/0.0.0.0 to the subnet mask of your LAN. Then you only have to adjust this entry whenever you add an extension which is not on your internal LAN. For example, if your LAN subnet is 192.168.0, then we want to replace the default entry with 192.168.0.0/255.255.255.0. The file to edit is /var/www/html/admin/modules/core/functions.inc.php. Just search for $tmparr['permit'] in BOTH the iax2 and sip sections of the file and make the value substitution preserving the single quotes on both sides of your new entries.

You also can implement both password and IP address restrictions to limit web access to your server. With Apache web servers, this is done through .htaccess files and directory restrictions in your Apache config files. On PBX in a Flash systems, htaccess password restrictions now are the default setup in all of our builds. Suffice it to say, if you can access the /admin directory on your web site from the Internet without being prompted for a password, your site probably has been compromised. Keep in mind that these passwords get cached so be sure you have cleaned out your browser cache before having a heart attack. Better yet, try this from a browser you don't ordinarily use (such as the one on your cellphone).

For additional security, you can further restrict access to your web directories by adding a list of authorized IP addresses to the .htaccess file in each subdirectory. Here's what an .htaccess file with IP address restrictions might look like. The first Allow entry is the private LAN subnet, the second is a remote site, and the third is the Hamachi VPN subnet mask:

Deny from All
Allow from 192.168.0
Allow from 68.218.222.70
Allow from 5.67

Rule #5: Don't Use 'Normal Ports' for Internet Access. Think of network and PBX security as a shell game. You want to do as many things differently as possible to make it as difficult as possible for the bad guys to figure out what you've done. Read that last sentence again. It's important! With a hardware-based firewall such as the WBR-2310, this is incredibly easy. dLink calls them Virtual Servers. Here is a typical entry:

HTTP   192.168.0.150   TCP 80/2319   Allow All   Always

You can simply redirect common ports to different ports for Internet access. Don't do this for SIP and IAX ports, but it works great for HTTP, FTP, and SSH access. For example, port 80 typically is the default web server port on Asterisk aggregations, and this port normally can be used on your internal LAN assuming you know and trust your users. For external (aka Internet) web access, simply remap TCP port 80 to some obscure port and change it periodically. For example, you might redirect TCP port 80 to port 2319. Once the setting is saved, you access the web site with a browser entry like this: http://pbx.mydomain.com:2319/. Then (and just as important!) next month, change the port to 4382, then 6109, and so on. Don't use these numbers obviously! Make up your own. The key here is that 5 minutes of work every month will keep web access to your PBX much more secure than letting every Tom, Dick, and Ivan hammer away at port 80 every night while you're sleeping.

Incidentally, most of these routers also will let you block access to certain ports during certain hours of the day. If you're sleeping, there's really not much need to provide SSH and web access to your Asterisk server. At the risk of being labeled xenophobic, keep in mind that many of the world's best crackers reside in countries where daytime happens to be nighttime in the United States.

Rule #6: Really Secure Passwords Really Do Matter. While we have no hard evidence to back this up, our wild-assed guess (WAG) is that 90% of the security breaches in Asterisk systems have been the direct result of folks using passwords that matched the extension numbers on their phone systems. Since most Asterisk PBX systems are configured with extension numbers beginning in the 200, 700, or 800 range of numbers, it really wasn't Rocket Science to remotely log into these servers and make unlimited SIP telephone calls. The first five rules would have protected most Asterisk systems. But our WAG on the number of Asterisk PBX's that have implemented all five rules above would be less than one in a thousand. Part of that is because some of these tools weren't readily available until recently. But part of it is because most of us are just plain L-A-Z-Y.
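
The two checks described in Rule #4 and Rule #6 lend themselves to a quick audit. The following is an added example (not code from FreePBX or PBX in a Flash) that reads sip.conf-style extension sections and flags secrets that match the extension number and permit entries left at 0.0.0.0/0.0.0.0. The sample configuration, the 8-character minimum and the finding names are assumptions made for the illustration.

```python
import ipaddress

# Constructed sample in sip.conf style; extensions, secrets and addresses
# are made up for this illustration.
SAMPLE_SIP_CONF = """\
[201]
type=friend
secret=201
deny=0.0.0.0/0.0.0.0
permit=0.0.0.0/0.0.0.0

[202]
type=friend
secret=Tr7!vq9Lz#2m
deny=0.0.0.0/0.0.0.0
permit=192.168.0.0/255.255.255.0

[701]
type=friend
secret=1234
deny=0.0.0.0/0.0.0.0
permit=192.168.0.44/255.255.255.255

[702]
type=friend
secret=x9$Kp2wQe8Rb
deny=0.0.0.0/0.0.0.0
permit=68.218.222.70/255.255.255.255
"""

MIN_SECRET_LEN = 8   # assumed policy threshold, not a value from the article


def parse_extensions(text):
    """Return {extension: {key: [values]}} from sip.conf-style text."""
    extensions, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()    # ';' starts a comment
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = extensions.setdefault(line[1:-1], {})
        elif current is not None and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            current.setdefault(key, []).append(value)
    return extensions


def permit_to_network(entry):
    """Convert 'address/netmask' (the permit field syntax) to an ip_network."""
    address, _, mask = entry.partition("/")
    mask = mask or "255.255.255.255"
    if "." in mask:                            # dotted mask, e.g. 255.255.255.0
        bits = int(ipaddress.IPv4Address(mask))
        prefix = bin(bits).count("1")
        if bits != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
            raise ValueError(f"non-contiguous netmask: {mask}")
    else:                                      # prefix length, e.g. 24
        prefix = int(mask)
    return ipaddress.ip_network(f"{address}/{prefix}", strict=False)


def is_permitted(entry, source_ip):
    """True if source_ip falls inside the given permit entry."""
    return ipaddress.ip_address(source_ip) in permit_to_network(entry)


def audit_extension(ext, settings):
    """Return the list of findings for one extension."""
    findings = []
    secret = (settings.get("secret") or [""])[0]
    if secret == ext:
        findings.append("secret-equals-extension")
    elif secret.isdigit() or len(secret) < MIN_SECRET_LEN:
        findings.append("weak-secret")
    permits = [permit_to_network(p) for p in settings.get("permit", [])]
    if not permits or any(net.prefixlen == 0 for net in permits):
        findings.append("reachable-from-any-ip")
    return findings


def audit(text):
    """Return {extension: [findings]} for extensions with at least one finding."""
    report = {}
    for ext, settings in parse_extensions(text).items():
        findings = audit_extension(ext, settings)
        if findings:
            report[ext] = findings
    return report


if __name__ == "__main__":
    for ext, findings in audit(SAMPLE_SIP_CONF).items():
        print(ext, ", ".join(findings))
```
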

Really secure passwords really do matter. And it's more than having a secure root password. All of your passwords need to be secure including those on your phone extensions and voicemail accounts unless you are absolutely certain that you have blocked all access to your system from everyone except trusted users. If you use DISA, make certain it has a really, really secure password. Part of having really secure passwords is regularly changing them. And our rule of thumb on Asterisk system passwords goes one step further. Never, ever use passwords on your PBX that you use for other important personal information (such as financial accounts). You've been warned. It's your phone bill and bank account!
<end of sermon>

Rule #7: Minimize Web Access To Your PBX. Most of the Asterisk aggregations utilize FreePBX as the graphical user interface to configure your Asterisk PBX. Because FreePBX is web-based, it is extremely dangerous to leave it exposed on the Internet. As much as we love FreePBX, keep in mind that it was written by dozens and dozens of contributors of various skill levels over a very long period of time. Spaghetti code doesn't begin to describe some of what lies under the FreePBX covers. Make absolutely certain that you have .htaccess password protection in place for all web directories in at least these directory trees: admin, maint, meetme, and panel.

Our rule of thumb on Internet web accessibility to an Asterisk PBX goes like this. Don't! But, if you must, build as many layers of protection as possible to assure that your system is not compromised. If the bad guys get into FreePBX, the security of your PBX has been compromised... permanently! This means you need to start over with all-new passwords by installing a fresh system. You simply cannot fix every possible hole that has been opened on a FreePBX-compromised system!

Rule #8: Implement VPNs for PBX Systems. PBX in a Flash has provided simple install scripts to deploy Hamachi VPNs on all of our current systems. Hopefully, the other aggregations will do likewise. In addition, we offer turnkey VPN in a Flash systems which provide this functionality out of the box. VPNs provide an incredibly simple way to interconnect PBX systems worldwide and assure secure communications between these interconnected systems. We now are exploring other VPN solutions which would facilitate the use of VPN-enabled telephones such as the new offerings from SNOM.

Rule #9: Check Your Logs Every Day. We're still dumbfounded by the following quote from the article above: "115,000 international mobile calls were made using the small business's VoIP system over a six month period." Six months and they never checked their call logs? Sounds like they earned this phone bill. FreePBX provides an incredibly simple way to review your call logs. Click the Reports tab at the top of the screen and look at the bar graph showing the number of calls each day and the combined length of those calls. Nothing could be easier. Do it every single day! It also should be noted that Ethan Schroeder has released a beta of some new monitoring software which will provide more granular monitoring of daily call volumes. For additional information or to participate in the beta, visit this link.
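
As an added illustration of the daily review in Rule #9 (not part of FreePBX or the original article), this script totals calls per day from CDR rows in Asterisk's cdr_csv column order and flags days with unusual international volume. The sample rows, the 011 international prefix and both thresholds are assumptions.

```python
import csv
import io
from collections import defaultdict
from statistics import median

# Column order written by Asterisk's cdr_csv backend.
CDR_FIELDS = ["accountcode", "src", "dst", "dcontext", "clid", "channel",
              "dstchannel", "lastapp", "lastdata", "start", "answer", "end",
              "duration", "billsec", "disposition", "amaflags"]

INTL_PREFIXES = ("011",)   # assumption: North American dial plan
MAX_INTL_PER_DAY = 5       # assumed alert threshold
SPIKE_FACTOR = 3           # assumed: flag a day at 3x the median of other days


def make_row(src, dst, start, billsec):
    """Build one constructed CDR row in cdr_csv column order."""
    return ["", src, dst, "from-internal", f'"{src}" <{src}>',
            f"SIP/{src}-0001", "SIP/trunk-0002", "Dial", f"SIP/trunk/{dst}",
            start, start, start, str(billsec + 5), str(billsec),
            "ANSWERED", "DOCUMENTATION"]


def sample_cdr():
    """Return constructed CDR text: three quiet days, then an overnight burst."""
    rows = [
        make_row("201", "14045551212", "2009-01-12 09:15:02", 180),
        make_row("202", "18005551000", "2009-01-12 14:40:11", 95),
        make_row("201", "14045551212", "2009-01-13 10:02:45", 240),
        make_row("203", "0119995550100", "2009-01-13 11:30:00", 600),
        make_row("202", "18005551000", "2009-01-14 16:20:30", 60),
        make_row("201", "14045551212", "2009-01-14 16:45:00", 30),
    ]
    # 40 international calls from a single extension between 02:00 and 02:39.
    rows += [make_row("701", f"011999555{n:04d}", f"2009-01-15 02:{n:02d}:00", 900)
             for n in range(40)]
    buf = io.StringIO()
    csv.writer(buf, quoting=csv.QUOTE_ALL).writerows(rows)
    return buf.getvalue()


def daily_summary(csv_text):
    """Return {day: {calls, billsec, intl, intl_src}} keyed by YYYY-MM-DD."""
    days = defaultdict(lambda: {"calls": 0, "billsec": 0,
                                "intl": 0, "intl_src": set()})
    for row in csv.reader(io.StringIO(csv_text)):
        if len(row) < len(CDR_FIELDS):
            continue                       # skip truncated lines
        cdr = dict(zip(CDR_FIELDS, row))
        day = days[cdr["start"][:10]]
        day["calls"] += 1
        day["billsec"] += int(cdr["billsec"])
        if cdr["dst"].startswith(INTL_PREFIXES):
            day["intl"] += 1
            day["intl_src"].add(cdr["src"])
    return dict(days)


def flag_days(summary):
    """Return {day: [reasons]} for days that deserve a closer look."""
    flagged = {}
    for day, stats in sorted(summary.items()):
        others = [s["calls"] for d, s in summary.items() if d != day]
        reasons = []
        if stats["intl"] > MAX_INTL_PER_DAY:
            sources = ", ".join(sorted(stats["intl_src"]))
            reasons.append(f"{stats['intl']} international calls from {sources}")
        if others and stats["calls"] > SPIKE_FACTOR * median(others):
            reasons.append(f"{stats['calls']} calls vs median {median(others)}")
        if reasons:
            flagged[day] = reasons
    return flagged


if __name__ == "__main__":
    for day, reasons in flag_days(daily_summary(sample_cdr())).items():
        print(day, "; ".join(reasons))
```

On a live system the same functions can be fed the contents of /var/log/asterisk/cdr-csv/Master.csv, assuming the cdr_csv backend is enabled.
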

Rule #10: Do Some Reading... Regularly. No security implementation is complete without a little regular effort on your part: reading. If you're going to manage your own network or PBX, then you need to keep abreast of what's happening in the business. There are any number of ways to do this, none of which take much time. The simplest approach is just to scan the Open Discussion, Add-Ons, and Bug Reporting topics on the PBX in a Flash Forum, the trixbox Forum, and the FreePBX Forum. Aside from reviewing your call logs, it's the best 15 minutes you could spend to safeguard your system. We also have an RSS Feed which includes security alerts.

Update #1: Be sure to read this great new article. It has two fresh ideas for securing your system!

Update #2: Please also read this Nerd Vittles Alert about FreePBX backdoors and default passwords that was published on April 15, 2011.

Some Other Suggestions. A couple other suggestions come to mind that don't involve securing your PBX per se but nevertheless will lessen your exposure in the event of a security breach. First, if your usual calling patterns don't involve international calling or if they're limited to one or two countries, tighten up your outbound dialplan and restrict calling to countries that you actually need. It can always be changed when the need to call elsewhere arises. Second, if you use pay-as-you-go providers, never use credit card auto-replenishment. Instead, add funds periodically using the provider's web interface. The advantage of this is that, if someone does manage to break into your system, your loss will be limited to the current balance in your provider account. You'll not only save a lot of money, but you'll also get a notification that something has gone horribly wrong. Finally, a forum user mentioned one we had overlooked. If you have a mix of POTS and VoIP lines, don't put the POTS lines in the default outbound pool for toll calls. This could potentially save you lots of money.

Continue Reading Part II: The VoIP WhiteList for IPtables...

Got Some Other Ideas? 50,000 heads always are better than one when it comes to network security. If there are things we've missed, take a minute to post a comment. It'll help all of us keep our systems more secure. Good luck!

Digium® Weighs In. Since this article first appeared, Digium has released its own set of tips on SIP security. By all means, have a look!


Security Alert of the Week. A trixbox user yesterday reported that he had discovered a rootkit exploit on his server. You could read all about it here. The 6:03 a.m. (California time) post mysteriously disappeared a few hours later... soon after the trixbox staff got to work. Another darn computer failure according to Fonality staff. 😕 We've attempted to recreate the information from Google snippets. And here's a simple test to see if you have a similar rootkit problem:

ls -all /sbin/init.zk


Want a Bootable PBX in a Flash Drive? Our bootable USB flash installer for PBX in a Flash will provide all of the goodies in the VPN in a Flash system featured last month on Nerd Vittles. You can build a complete turnkey system using almost any current generation PC with a SATA drive and our flash installer in less than 15 minutes!

If you'd like to put your name in the hat for a chance to win a free one delivered to your door, just post a comment with your best PBX in a Flash story.[1]

Be sure to include your real email address which will not be posted. The winner will be chosen by drawing an email address out of a hat (the old fashioned way!) from all of the comments posted over the next couple weeks. All of the individuals whose comments were used in today's story will automatically be included in the drawing as well. Good luck to everyone and Happy New Year!!


 


  1. This offer does not extend to those in jurisdictions in which our offer or your participation may be regulated or prohibited by statute or regulation.

Finally … Installing Asterisk@Home on Your Windows PC for Free: Here’s How

For those wanting to experiment with an Asterisk® PBX, there is no better offering than Asterisk@Home 2.5. And you sure can't beat the price: it's FREE. The only drawback for Windows PC users has been that you needed a dedicated machine on which to install Asterisk@Home with its Linux operating system. Well, that's no longer a problem. Now you can run Asterisk@Home 2.5 with its built-in CentOS/4 Linux operating system as a virtual task on your Windows XP or Windows 2000 system. And, you get an Apache web server with PHP, a SendMail server, the SugarCRM contact management system, and a MySQL database server all rolled into the package at no additional cost. Did I forget to mention: it's still FREE. Better yet, if you happen to have a 2GB USB flash drive, you can carry your new PBX and softphone with you wherever you go and run it on almost anyone's Windows PC.

The magic to make all of this work is the terrific VMware Player which also happens to be free. Just download and install the player from this link to get started. You'll need a Windows PC with at least a 500 MHz processor with 256MB of RAM and about 2 gigs of disk space for this project. Once installed, the VMware Player runs virtual sessions on your Windows machine that look and feel just like any other Windows app... except, in this case, the application is CentOS/4 Linux running Asterisk@Home 2.5. VMware ranks right up there with Asterisk@Home and sliced bread as things you can't and shouldn't live without.

Update: This tutorial now has been updated to support the latest version of the TrixBox Asterisk server. Click here for details.

The remaining piece you'll need to get started is Asterisk@Home 2.5 packaged as a VMware application. Lucky for all of us, the fine folks at vmwarez.com have done all of that for you. Just download the 560MB ZIP file (587629051 bytes) from here, unzip it, and run VMware Player with the 1.5GB VMDK version of Asterisk@Home. Once it's running and after you read the next paragraph to decipher the new root password, follow along in our Asterisk@Home 2.5 Tutorial beginning at Securing Your Passwords and then moving on to Basic System Configuration to get Asterisk configured and working. The only difference from installing this natively using the AAH 2.5 ISO image is you don't have to endure the knuckle drill of installing Linux and WebMin, updating the OS, and compiling Asterisk. It's like getting a free SPA-9000 with voicemail. Yes, the vmwarez folks have done the heavy lifting for you. Thanks, Jim!

The first time you run Asterisk@Home 2.5 using the VMware Player you'll be notified that the image has been moved from its original location. Duh! Switch to keyboard input on the virtual terminal by clicking inside the VMware window or pressing Ctrl-G. Then simply tell VMware to create a new image application, and your CentOS/4 Linux server will start the boot process. Unless you have the same network card that the vmwarez folks use, you'll be advised that your network hardware has changed. Choose Yes to remove the existing network driver and, when CentOS finds your real network card, choose Yes to use it. Netconfig will load automatically to let you configure the IP address for your network adapter. Hit the space bar to tell CentOS to obtain an IP address from your DHCP server, then tab to OK and save your entry. See our full tutorial for how to protect this IP address on your router/firewall. Once CentOS completes the boot process, Asterisk@Home will be loaded, and you'll get the Linux command prompt. Log in with the username root. You will need to know a different password than the default AAH password to gain root access to the Linux console: it's vmwarez. You can obtain the IP address of your new Asterisk server by typing ifconfig eth0. To gain web access to Asterisk, switch back to Windows by pressing Ctrl-Alt, fire up a web browser and point it to the IP address of your new Asterisk server. Choose Asterisk Management Portal. To gain access, the username is maint and the default password is vmwarez. Is it as fast as running Asterisk@Home natively on a dedicated Linux machine? Damn close on my Windows XP machine, and it sure does make a great sandbox to see if Asterisk@Home is something you can't live without. Now head on over to our Asterisk@Home 2.5 Tutorial and enjoy the free ride!

And the silver lining to this story ... download (258MB) and use VMware's FireFox web browser application (1GB) and never worry about AdWare, malicious ActiveX controls, and web site Trojans and viruses on your Windows PC again. And, yes, it's FREE!

Downloading Tip: For those that use BitTorrent (highly recommended), here's a link to the file. To assist others, put a copy of the .torrent file in the same directory in which you download the zipped image.



ISP-In-A-Box: The $500 Mac mini (Create Your Own Planet … Really!)

Today we're officially launching three new Planet sites for the universe to enjoy ... at least those with an Internet connection. For those unfamiliar with Planet, it's a terrific RSS news feed aggregator which downloads news feeds published by web sites and aggregates their content into a single combined web page showing the collective feeds in chronological order, latest news first. Planet Mac collects news from two dozen of the most well-respected Mac sites on the web while Planet Gadget focuses on late-breaking news about all your favorite new toys collected from more than a dozen worldwide sites. And, last but not least, for all you Superman buffs: Planet Daily, a site with all the latest (real) news headlines from around the globe. There are loads of other planet sites of interest. A long list is available at Planet Planet, the mothership. And, yes, there's even a Planet Asterisk®. Finally, for those of you lucky enough to have a Nokia 770 Internet Tablet, you'll be happy to know that virtually all Planet sites are Nokia 770-friendly. In fact, hitting the 150% zoom key gives you a perfect Big-Type read with no horizontal scrolling, the way eBooks oughta be but usually aren't. If you missed our review, the Nokia 770 is the best $350 travel companion imaginable ... well, almost.

This is where most press releases end. But today we're going to show you how to build your own Planet: add a Mac, one Python, a feed parser, a templating engine, and a domain. Mix and serve. Presto! Your own new Planet is born. While this project will run on a Windows or Linux machine, it's much more fun to build and maintain it on a Mac ... because it's a 30-minute project! About half of our readers don't (yet) have a Mac. Too bad! But there's still hope. You really don't have to live with viruses, trojans, root kits, adware, and other secret back doors into your system unless you just enjoy pain. Anyway, there's never been a better time to try a Mac. Can you spell Intel R-O-C-K-E-T? Our tutorials will get you up and running in no time with your own web server, mail server, MySQL and PHP servers ... at no additional cost. Take it from a guy that lived and breathed PCs for over 20 years: Come on Over from the Dark Side. You'll never look back! We haven't, and the learning curve is virtually non-existent. </end of rant>

Now, where were we? For our own Planet sites, we're actually maintaining them on three iMacs (Mac minis work just as well), and then we're uploading content once an hour through a cron job to our redundant WestNIC-hosted Linux servers for all the world to see. It's called bandwidth, and you'll need plenty of it if you tackle a project such as those we've bitten off today. Of course WestNIC is practically giving bandwidth away at the moment: 500 gigs a month with 10 gigs of permanent (backed up!) storage for under $10 a month. Wow! We've used WestNIC for well over a year now, and it's been flawless. That's quite a contrast from our three previous hosting providers, all of whom served up a nightmare about once every three months. The $8.95 deal probably expires in the next couple days so HURRY if you're interested. That price is less than 10% of the going rate from most reputable providers for this much bandwidth.


Where to Begin. The real trick to making the Planet software work is getting the right Python engine installed on your system. While both Mac OS X Panther and Tiger come with Python preinstalled, it's unfortunately an older version which lacks support for python-bdb, the critical component to achieve liftoff with Planet. So download MacPython 2.4.1 from here. Once you've downloaded the software, just install it as you would any other Mac application. Can you say double-click? If you're running Tiger, you'll also want to apply the installer fix which is explained on the web site. Finally, grab the latest nightly build of Planet from here. Once the tar ball decompresses on your desktop, rename the folder to planet just to keep things simple. Because of some privileges issues, the easiest way to get things working is to give everyone full rights to this folder. Open a Terminal window, switch to root access, and set the rights substituting your account name on your Mac for mine (in bold):

sudo su
chmod 777 /users/wardmundy/desktop/planet
exit

Be sure your Mac's web server is running (System Preferences->Sharing->Personal Web Server) and then create a web folder for your new Planet site using your account name, not root. Just issue this command:

mkdir /library/webserver/documents/planet

Configuring Planet. Before you can actually test things out, we need to do a little basic configuration magic with Planet. From your desktop, double-click the planet folder, then the examples folder, then the fancy folder. Now Ctrl-Click on config.ini and choose Open With ... TextEdit. You'll need to modify a few sections of code. Starting at the top, you'll see a section that looks like this:

# Every planet needs a [Planet] section
[Planet]
# name: Your planet's name
# link: Link to the main page
# owner_name: Your name
# owner_email: Your e-mail address
name = Planet Schmanet
link = http://planet.schmanet.janet/
owner_name = Janet
owner_email = janet@domainname

In the name field, give your planet a name. In the link field, insert the fully qualified domain name for your planet. Fill in your owner_name and owner_email address, and you're all set. Now move down the page to new_feed_items and change the 2 to something like 30. This sets the number of items your application will download from each RSS feed. You can adjust all of this later depending upon your subject matter. Continue moving down the page until you get to output_dir. Change the existing output entry to the address of your new web site directory on your Mac: /library/webserver/documents/planet. Leave the remaining settings alone at least until we get a successful first run.


The final step is setting up the actual RSS feeds which will be supported by your Planet application. Scroll further down the page until you get to the last section which starts like this:

[http://www.netsplit.com/blog/index.rss]
name = Scott James Remnant
face = keybuk.png
# pick up the default facewidth and faceheight

[http://www.gnome.org/~jdub/blog/?flav=rss]
name = Jeff Waugh
face = jdub.png
facewidth = 70
faceheight = 74

If you haven't done so already, now it's time to figure out what you want to cover in your Planet application. It could be subject matter oriented. If you need some ideas, just scan the RSS Feeds available from the Washington Post. Or you may choose just to collect your favorite RSS feeds into a Personal Planet. If you're addicted to your Nokia 770 like we are, trust us when we say you'll never touch another news reader after you see the zoomed text display of a Planet site on your Internet Tablet. Once you figure out your site's contents, write down the names of the sites and the addresses of the feeds. Then you simply replace the examples in the config file with your own selections. For example, a Nerd Vittles entry would look something like this. You'll note that we've commented out the optional "face" which is reserved for a picture of the blog owner. If you decide to use faces, you'd also want to uncomment the facewidth and faceheight lines and insert the correct dimensions for the picture to speed up loading of the web page.

[http://mundy.org/blog/wp-rss2.php]
name = Nerd Vittles
#face = nerd1.png
# pick up the default facewidth and faceheight
#facewidth = 62
#faceheight = 80

When you complete all of your RSS feed entries, press Command-S to save your config file changes to disk.

Setting Up the Web Site. We don't need to do much construction work on the Planet web site since the Planet application will handle the heavy-lifting for us. We do, however, need to copy a few things to the web site directory. So open your web site directory with Finder (DefaultDrive->library->webserver->documents->planet). Then open the planet folder on your Desktop in a second Finder window. Now copy the images folder from output to the open planet web folder. Also copy the planet.css style sheet to your planet web folder. If you have a favicon.ico file for your new web site, put it in there, too.


Modifying the Look and Feel of Your Site. Don't do it now, but make a mental note that you can customize your Planet site in any way you desire. Just be sure you make a backup of the web site template before you make improvements. The template is in the /examples/fancy folder and is named index.html.tmpl. You can edit the file with any text editor including TextEdit, pico, and nano. If you use pico or nano, be sure to start up the editor with -w to avoid unexpected line wrap problems.

Taking Your Planet for a Spin. Ready for a test run? Drop down to a Terminal window again, and switch to root access (sudo su). Switch to the planet folder on your Desktop using your account name, not mine (replace all of the bold entries). And then give it a whirl:

cd /users/wardmundy/desktop/planet
/usr/local/bin/python /users/wardmundy/desktop/planet/planet.py /users/wardmundy/desktop/planet/examples/fancy/config.ini

You'll get some feedback that looks something like the following although you won't have any cached data on your first run:

INFO:planet.runner:Loading cached data
INFO:planet:Feed http://www.popgadget.net/index.xml unchanged
INFO:planet:Feed http://feeds.gawker.com/gizmodo/full unchanged
INFO:planet:Feed http://mundy.org/blog/wp-rss2.php unchanged
INFO:planet:Updating feed http://www.bradsdeals.com/rss.cfm?c=6
DEBUG:planet:Items in Feed: 20
INFO:planet:Feed http://feeds.feedburner.com/ubergizmo unchanged
INFO:planet:Updating feed http://www.woot.com/Blog/Rss.aspx
DEBUG:planet:Last Modified: 2006-01-27T17:15:41+00:00
DEBUG:planet:Items in Feed: 20
ERROR:planet:Error 404 while updating feed http://gizmonews.com/wp-rss2.php
INFO:planet:Updating feed http://www.engadget.com/rss.xml
DEBUG:planet:Items in Feed: 40
INFO:planet:Updating feed http://techbargains.com/rss.xml
DEBUG:planet:E-Tag: "4679fc226323c61:94c"
DEBUG:planet:Last Modified: 2006-01-27T17:00:12+00:00
DEBUG:planet:Items in Feed: 93
DEBUG:planet:Removed expired or replaced item http://www.techbargains.com/news_displayItem.cfm/57004
DEBUG:planet:Removed expired or replaced item http://www.techbargains.com/news_displayItem.cfm/56997
DEBUG:planet:Removed expired or replaced item http://www.techbargains.com/news_displayItem.cfm/56969

INFO:planet.runner:Processing template examples/fancy/index.html.tmpl
INFO:planet.runner:Writing /library/webserver/documents/planet/index.html
INFO:planet.runner:Processing template examples/atom.xml.tmpl
INFO:planet.runner:Writing /library/webserver/documents/planet/atom.xml
INFO:planet.runner:Processing template examples/rss20.xml.tmpl
INFO:planet.runner:Writing /library/webserver/documents/planet/rss20.xml
INFO:planet.runner:Processing template examples/rss10.xml.tmpl
INFO:planet.runner:Writing /library/webserver/documents/planet/rss10.xml
INFO:planet.runner:Processing template examples/opml.xml.tmpl
INFO:planet.runner:Writing /library/webserver/documents/planet/opml.xml
INFO:planet.runner:Processing template examples/foafroll.xml.tmpl
INFO:planet.runner:Writing /library/webserver/documents/planet/foafroll.xml

The object here is to get a clean run. The way to figure that out is to look in the first section above for lines that begin with the word "ERROR." These are processing errors in accessing the sites you specified for inclusion in your Planet site. What this usually means is that either a site you chose is down, or the address of the site is incorrect, or the format of the RSS feed is not yet supported by Planet. You won't find many of the latter since Planet supports most flavors of RSS feeds. In any case, these errors need your attention and should be fixed in or removed from your config file before you automate the data collection process. The second section of code above tells you whether Planet was successful in generating the documents for your web site. If you don't see errors here, then you should be able to access your site at http://localhost/planet/ using your favorite web browser.
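The check described above can be scripted before the run is handed to cron. This is an added example, not part of Planet or of the original article: it reads a saved copy of the run output, lists every feed that logged an ERROR, and confirms that each processed template was followed by a matching Writing line. The function names, the cause hints, and the rule that the output file is the template name minus .tmpl (inferred from the log shown above) are assumptions.

```python
import re

# Constructed sample, assembled from lines of the run output shown above.
SAMPLE_LOG = """\
INFO:planet.runner:Loading cached data
INFO:planet:Feed http://mundy.org/blog/wp-rss2.php unchanged
INFO:planet:Updating feed http://www.woot.com/Blog/Rss.aspx
DEBUG:planet:Items in Feed: 20
ERROR:planet:Error 404 while updating feed http://gizmonews.com/wp-rss2.php
INFO:planet.runner:Processing template examples/fancy/index.html.tmpl
INFO:planet.runner:Writing /library/webserver/documents/planet/index.html
INFO:planet.runner:Processing template examples/atom.xml.tmpl
INFO:planet.runner:Writing /library/webserver/documents/planet/atom.xml
"""

# LEVEL:logger:message, the layout of every line in the output above.
LINE_RE = re.compile(r"^(?P<level>[A-Z]+):(?P<logger>[\w.]+):(?P<msg>.*)$")
FEED_ERR_RE = re.compile(r"Error (?P<status>\d{3}) while updating feed (?P<url>\S+)")


def likely_cause(status):
    """Map an HTTP status to one of the causes the article lists (a hint only)."""
    if status is None:
        return "unrecognised error text; read the message"
    if status in (404, 410):
        return "feed address is wrong or the feed has moved"
    if status >= 500:
        return "site is down or failing; retry later"
    return "request refused; check the address and access rules"


def output_name(template_path):
    """examples/fancy/index.html.tmpl -> index.html (assumed naming rule)."""
    name = template_path.rsplit("/", 1)[-1]
    return name[:-5] if name.endswith(".tmpl") else name


def triage(log_text):
    """Return feed errors, templates with no output written, and a clean flag."""
    feed_errors, templates, written = [], [], []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # blank or unrecognised line
        level, logger, msg = m.group("level", "logger", "msg")
        if level == "ERROR":
            e = FEED_ERR_RE.search(msg)
            status = int(e.group("status")) if e else None
            feed_errors.append({
                "url": e.group("url") if e else None,
                "status": status,
                "cause": likely_cause(status),
                "message": msg,
            })
        elif logger == "planet.runner":
            if msg.startswith("Processing template "):
                templates.append(msg.split(" ", 2)[2])
            elif msg.startswith("Writing "):
                written.append(msg.split(" ", 1)[1])
    written_names = {p.rsplit("/", 1)[-1] for p in written}
    unwritten = [t for t in templates if output_name(t) not in written_names]
    return {
        "feed_errors": feed_errors,
        "unwritten": unwritten,
        "clean": not feed_errors and not unwritten,
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for err in report["feed_errors"]:
        print("FIX FEED:", err["url"], err["status"], "-", err["cause"])
    for tmpl in report["unwritten"]:
        print("NO OUTPUT FOR TEMPLATE:", tmpl)
    print("clean run" if report["clean"] else "not a clean run yet")
```

Save the output of a manual run to a file and pass its contents to triage(); add the crontab entry only once the clean flag is true.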


Automating Your Planet Site. Once you get a successful run and get the errors resolved, you'll want to automate the data collection process. You don't want to have to manually run the planet python script every time you want to visit your web site. And, if you plan to offer the site to others, then it obviously needs to be kept current. Also, if you plan to publish your web site through a hosting provider or even .Mac, this also can be automated. First, you need a script. And then you need to tell your Mac to run it periodically by adding a crontab entry. Here's the runupdate script we use. And, yes, your Planet also produces RSS feeds which can be published by copying those files to your host provider as well as what's shown below. Look in /library/webserver/documents/planet for the names of the RSS feed files. To begin, create a text file in the planet folder on your Desktop and insert something like the following. Be sure to chmod 775 runupdate to make the script executable. And remember to always run your script as root, or it will fail. Don't run the script yet. We've got to move the planet folder on your Desktop first.

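#!/bin/bash
# Rebuild the Planet pages from the feeds listed in config.ini
cd /users/wardmundy/planet
/usr/local/bin/python /users/wardmundy/planet/planet.py /users/wardmundy/planet/examples/fancy/config.ini
# Upload the freshly generated front page to the hosting provider
cd /library/webserver/documents/planet
# -i: no per-file prompting; -n: no auto-login (the "user" line below logs in)
# The FTP password is stored in this file in clear text, and FTP sends it unencrypted
/usr/bin/ftp -in <<EOF
open planetgadget.com
user username password
bin
hash
prompt
cd www
dele index.php
rename index.html index.php
put index.html
bye
EOF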

There are several potential gotchas above. First, make sure you are positioned in the planet folder on your desktop before running the planet python script as root. Second, use your account name in the bolded entries on the second and third lines above, not mine. Third, make sure you are running the correct version of python to execute the script because there now are two versions on your Mac. Providing the extended name for python solves this. Fourth, insert the domain name of your host provider in lieu of planetgadget.com and provide the account name and password that you use to gain FTP access to your site. The www entry is the directory location of the web pages on our FTP site. YMMV!

Our hosting provider supports both .html and .php web pages so we perform a little magic here. Before uploading the updated web page (index.html), we first must delete the old one. But, when we do that, we run the risk that someone will hit the site at the moment the page is gone. This would result in a 404 error, and no web page. Not good! So, what we do is rename the page to index.php after first deleting the old index.php file. Then, if someone hits the page during the update, they will get the index.php page which displays (when there is no index.html page). And it will look exactly like index.html since it has no embedded PHP code and, in fact, is the older version of the identical page.

The final step in automating updates of your Planet web site is to add a crontab entry on your Mac so that the above script runs periodically during the day and night. Before we do that, open a Finder window with the default folder for your accountname. Then drag the planet folder into this directory. Be careful not to accidentally drag the folder inside some other folder already stored in your accountname folder. Now open a Terminal session, switch to root user access (sudo su), and add the following line to the bottom of the system crontab file (pico -w /etc/crontab). Note that there should be a single tab between each of the seven entries below. Delete the intervening spaces! If it lines up with the other entries in your crontab file, you've done it correctly. Then save your changes: Ctrl-X, Y, then press Enter.

01 5-20 * * * root /users/wardmundy/planet/runupdate

Be sure to use your account name instead of mine. This crontab entry runs the script at one minute after the hour between the hours of 5 a.m. and 8 p.m. If you wanted the script to run hourly all day and night, replace 5-20 with an asterisk (*). If you wanted the script to run once every four hours, replace 5-20 with */4. If you only want the script to run at certain hours, just replace 5-20 with a list of the hours separated by commas with no spaces. Enjoy your new Planet!

Coming Attractions. Later this week we'll clue you in to the first (ever) Valentine's gift-with-a-plug for the Little Mrs. that won't get you killed. Caution: YMMV. Then next week we'll be hot on the trail of the new, new, new Asterisk@Home release! Come join us. It's free.

Other Asterisk Projects? For a list of our previous Mac projects, click here. For a complete catalog of our previous Asterisk projects, click here. For the most recent articles including those you missed over the Christmas and New Year's holidays, click here and scroll down the page.

ISP-In-A-Box: The $500 Mac mini (WebDAV and Web Folders 101)

Microsoft deserves a lot of credit for popularizing the idea of Web Folders, but the open source movement gets the accolades for making WebDAV work reliably across all the computing platforms. If you didn't already know, WebDAV stands for Web-based Distributed Authoring and Versioning. Simply put, it is an HTTP protocol extension that allows people anywhere on the Internet to collaboratively edit and manage documents and other files using the same protocol and port used for surfing the web. In the Mac world, WebDAV provides a Disk Volume on your Desktop that "looks and feels" like any other networked hard disk. In the Windows world, WebDAV provides a Web Folder which can be used like any other mapped drive in Network Neighborhood. If you're still a little fuzzy about the WebDAV concept, think of how you link to another drive on your local area network. WebDAV gives you the same functionality across the entire Internet with virtually the same ease of use. Depending upon user privileges, of course, you can copy files to and from a WebDAV volume, and the protocol imposes versioning control through file locking to assure that multiple people don't change the same file at the same time. Panther and Tiger versions of Mac OS X provide both a WebDAV client and server, and today we'll walk you through configuring and using both the client and the server on your Mac. Because of the number of folks that also use Windows machines at the office, we'll also briefly touch upon how to access your Mac WebDAV resources and set up a Web Folder from a Windows XP machine.

HOW-TO Use the WebDAV Client on the Mac. We're going to start by walking through the set up process for connecting to a WebDAV server resource anywhere on the Internet. To connect to a WebDAV resource from a Mac, press Command-K from Finder. Then enter a Server Address in the following format: http://192.168.0.103/dav/. This tells Finder to use the HTTP protocol to establish a link to an IP address and folder that you designate. You also can use a fully-qualified domain name in lieu of an IP address. Typically, you'll be prompted for a username and password, and then a new volume will appear on your Desktop which can be used just like your local hard disk. When you finish using the resource, CTRL-Click on the volume and Eject it. It's that simple.

HOW-TO Use Web Folders on a Windows PC. The Windows process is a bit different as you might expect, but the results are the same. Once connected, you'll have a mapped drive that can be used just like any other network drive. The simplest way is to map a drive (see inset). To access Web Folders and save your settings, we're going to use the Add Network Place Wizard. You can access it in several ways. Either Right-Click on Network Neighborhood and choose Map Drive. Or from My Network Places, choose Add a network place. Or from Windows Explorer, choose Tools->Map Network Drive. Now click "Sign up for online storage or connect to a network server" at the bottom of the window.

When the Add Network Place Wizard appears, you'll be prompted for where to create the network place. Select "Choose another network location" and click Next. For the Internet address, use the same syntax as on the Mac: http://192.168.0.103/dav/ and click Next. Give your network place a name and click Next then Finish. Your new Web Folder will now appear in My Network Places. Just click on it to connect. Here's the gotcha with WebDAV on the Windows platform. If you access a Web Folder by IP address, when you're prompted for a username and password to log in, the username must be in email format: john@doe.org. Another "Better Idea" from our friends at Micro$oft. So when you create usernames on your Mac, keep this in mind if you want Windows users to be able to access the resources reliably. It doesn't matter what the email username or domain is, but it has to be in email format. When you finish using a web folder, be sure to disconnect. Open Windows Explorer, choose Tools->Disconnect Network Drive, and select the Web Folder you wish to disconnect.

Connecting to a WebDAV Resource. We've temporarily set up a sample WebDAV server on one of our Tiger-enhanced Macs so that you can experiment with WebDAV access from your favorite Mac, Linux, or Windows machine. For reasons which should be obvious, we've disabled writing to our WebDAV server only because we didn't want our hard disk filled up by some anonymous bozo in the middle of the night. We're also going to provide a single username and password for everyone to use. It should be stressed that neither of these scenarios is typical. First, the usual purpose of a WebDAV server is to facilitate collaboration which means all authorized users should be able to read and write to the volume. Second, you usually don't provide access to a WebDAV server for anonymous users. That's what web sites are for. But this is Wiki World, and we wanted to show you how these things are put together before you roll your own. So bear with the constraints recognizing that, when you set up your own WebDAV server, it will be much more robust.

To access the system, follow one of the client access methods outlined above. The web address using Windows is http://webify.us. For Macs, use http://dav.webify.us:82. When prompted for a username and password, use bozo for the username and forlife as the password. If you have problems with the username on a Windows PC, use bozo@webify.us. Don't forget to disconnect when you are finished playing. NOTE: This system (only) will be down for a move to its new permanent location from Thursday afternoon, May 26 until Saturday morning, May 28. Our apologies.

That about covers using a WebDAV client. For step-by-step instructions on creating your own WebDAV server on your Mac, here's a reprint of the article from our former Tiger Vittles site.

ISP-In-A-Box: Building a WebDAV Server for Remote Access

Ever wished you had several gigs of off-site disk storage so you could safely back up all your most important data and use it for remote access or collaboration? One option, of course, is a .Mac account which gives you 125MB of iDisk storage space and other goodies for $99 a year. You can increase your iDisk to a gigabyte for an additional $49.95 a year, a bargain compared to some commercial sites. Here’s another approach that’ll save you hundreds of dollars a year. Find a friend with a Mac and an Internet connection and swap several gigs of storage space on your friend’s Mac for several gigs of storage space on yours. Then follow along here, and we’ll show both of you how to build and use WebDAV servers to do exactly what the commercial firms are doing. And you can use the Apache software that’s already installed with Mac OS X Tiger.

As you now know, WebDAV stands for Web-based Distributed Authoring and Versioning. Simply put, it is an HTTP protocol extension that allows people anywhere on the Internet to collaboratively edit and manage documents and other files using the same protocol and port used for surfing the web. In the Mac world, WebDAV provides a Disk Volume on your Desktop that “looks and feels” like any other networked hard disk. In the Windows world, WebDAV is called Web Folders. They can be used like any other mapped drive in Network Neighborhood. If you’re still a little fuzzy about the WebDAV concept, think of how you link to another drive on your local area network. WebDAV gives you the same functionality across the entire Internet with virtually the same ease of use. Depending upon user privileges, of course, you can copy files to and from a WebDAV volume, and the protocol imposes versioning control through file locking to assure that multiple people don’t change the same file at the same time. Panther and Tiger versions of Mac OS X provide both a WebDAV client and server. Nerd Vittles walked you through configuring and using the WebDAV clients. So let’s tackle the WebDAV server setup now. This works with Tiger or Panther by the way.

In a nutshell, the WebDAV server setup goes like this. We’ll create a new subdirectory in the web server’s storage folder which we’ll use for WebDAV read and write access. Then we’ll set up a username and password system to support WebDAV access. Next we’ll activate the WebDAV mods in Apache which already are installed on your Mac. We’ll then reconfigure Apache a bit to support WebDAV formatting. And finally we’ll restart our web server and presto, WebDAV. You don’t need to be a Rocket Scientist to do this, but you do have to get your hands dirty with a command-line editor, Pico. If you’ve followed other Nerd Vittles tutorials, then this one will be a breeze. Just be sure you edit carefully and, if something does go wrong, copy your backup Apache config file back over the edited one and try again. Apache errors don’t get reported in System Preferences->Sharing when you activate your personal web server. If you have problems and want to see what’s going on, activate and then run WebMin (which we previously covered at Nerd Vittles and upgraded here last week for Tiger). Using your browser, access WebMin and choose Servers->Apache Webserver. Then start and stop the web server from there. Errors will be reported with the line number in the config file that’s causing the problem. Ctrl-C in Pico will tell you what line number you’re on in the config file. If this sounds like I’ve had recent experience, you’d be correct. But you won’t have to pull your hair out. I’ve already done that with mine.

Creating a WebDAV Folder.
Open a Terminal window, and switch to root access: sudo su. Then navigate to the root of your web server folders: cd /Library/WebServer/Documents. Create a new WebDAV folder: mkdir dav. Change the permissions of the folder’s group to match the Apache group: chgrp -R www dav. If you want to provide write access to users who connect to your WebDAV folder, then change the permissions to allow it: chmod 775 dav.

Building a Password File. We already built a password file in the Web Sites 101 tutorial on Nerd Vittles. We used that password file to manage web site access to various web directories. You probably don’t want to use the same password file for WebDAV unless you are building this just for yourself. The only trick to password files is you want to put the file where Apache can read it but your web visitors cannot. And you want to be careful not to insert blank lines in the file with just a colon. That basically lets everyone in. The format for the file is username:password, each on a separate line. And the passwords are encrypted. Here’s how to do it.

Open a Terminal window and switch to root access: sudo su. Now move to the directory where we’ll put the password file: cd /usr/local. We’re going to name this password file dav.pw so we can remember what it’s for. To create the file and erase any existing file without warning type: htpasswd -c dav.pw admin. Think up a password you can remember, and you’ll be prompted to type it twice. Now let’s verify that the file was created: cat dav.pw. You should see the word admin, then a colon, and then your encrypted password. To add additional users to the file, just type: htpasswd -m dav.pw username where username is your next user. You’ll be prompted for the password. Remember, if you accidentally use the htpasswd -c syntax a second time, you will overwrite your existing file and all of its entries. So be careful. Finally, remember to make duplicate entries using full email syntax for the username to assure that Windows users can access your DAV resources: htpasswd -m dav.pw joe@schmo.com.
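The password-file rules in the two paragraphs above can be checked mechanically before Apache is restarted. This is an added example, not part of Apache or of the original article: it flags entries with an empty username or password (the colon-only line warned about above), a file stored under the web document root, plain usernames with no email-format twin for Windows clients, and entries in the traditional crypt() format, which only uses the first 8 characters of a password. The function names, the finding codes, the 13-character crypt heuristic and the rule that a twin is name@anything are assumptions.

```python
import posixpath

DOCROOT = "/Library/WebServer/Documents"  # web root used in this tutorial

# Constructed sample file; the hashes are made-up strings, not real passwords.
SAMPLE = """\
admin:Xy7kQ1abCdEfG
joe:$apr1$abcdefgh$0123456789abcdefghijkl
joe@schmo.com:$apr1$abcdefgh$0123456789abcdefghijkl
:
"""


def hash_kind(value):
    """Classify a stored password field by its visible format (heuristic)."""
    if value.startswith("$apr1$"):
        return "apr1-md5"      # what htpasswd -m writes
    if value.startswith("{SHA}"):
        return "sha1"
    if len(value) == 13 and "$" not in value:
        return "crypt"         # traditional crypt(): 13 characters, no prefix
    return "unknown"


def inside_docroot(path, docroot=DOCROOT):
    """True if path sits under the web root, where visitors could fetch it.

    Compared case-insensitively because the default Mac filesystem is.
    """
    p = posixpath.normpath(path).lower()
    root = posixpath.normpath(docroot).lower()
    return p == root or p.startswith(root + "/")


def audit_htpasswd(text, path, docroot=DOCROOT):
    """Return a list of (line_number, code, detail); line 0 means file-level."""
    findings = []
    if inside_docroot(path, docroot):
        findings.append((0, "inside-docroot", path))
    users = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            findings.append((lineno, "malformed", line))
            continue
        user, _, secret = line.partition(":")
        if not user:
            findings.append((lineno, "empty-username", ""))
        if not secret:
            findings.append((lineno, "empty-password", user))
        if not user:
            continue
        if user in users:
            findings.append((lineno, "duplicate-user", user))
        users[user] = hash_kind(secret)
        if users[user] == "crypt":
            findings.append((lineno, "legacy-crypt", user))
    # Windows Web Folders need an email-format login: look for name@... twins.
    with_email_twin = {u.split("@", 1)[0] for u in users if "@" in u}
    for user in users:
        if "@" not in user and user not in with_email_twin:
            findings.append((0, "no-email-form", user))
    return findings


if __name__ == "__main__":
    for lineno, code, detail in audit_htpasswd(SAMPLE, "/usr/local/dav.pw"):
        where = "file" if lineno == 0 else "line %d" % lineno
        print("%-8s %-16s %s" % (where, code, detail))
```

On the sample, admin is reported twice: it was stored in crypt() format, and it has no email-format twin.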

Reconfiguring Apache to Support WebDAV.
Open a Terminal window, and switch to root access: sudo su. Then navigate to the folder with Apache’s configuration file: cd /etc/httpd. First, let’s make a backup copy of the config file in case something goes wrong: cp httpd.conf httpd.conf.dav.save. Now let’s carefully edit the config file: pico httpd.conf. Uncomment the headers_module line by searching for headers (Ctrl-W, headers, enter) and then pressing Ctrl-D while positioned over the # sign at the beginning of the line. Now search for mod_headers (Ctrl-W, mod_headers, enter) and uncomment that line (Ctrl-D while positioned over beginning # sign). Now search for dav_module (Ctrl-W, dav_module, enter) and uncomment the line (Ctrl-D while positioned over beginning # sign). Now search for mod_dav (Ctrl-W, mod_dav, enter) and uncomment the line (Ctrl-D while positioned over beginning # sign). Now press Ctrl-V repeatedly until you get to the bottom of the file. Switch to your web browser and download this WebDav snippet. When the code snippet displays in your web browser, press Command-A then Command-C to copy all of the code to your clipboard. Then switch back to Pico, click at the bottom of the config file, and paste the code snippet into the config file by pressing Command-V. Use the down arrow to move to the BrowserMatch section of the code we just pasted and be sure “redirect-carefully” didn’t end up on a line by itself. If it did, position the cursor over the first letter “r” and press the backspace key to move it back up to the end of the previous line of code. Don’t worry if a dollar sign displays at the end of the line after you move it. This just indicates that additional text is off the screen… the price we pay for using a free editor. Now we should be all set. Save the config file: Ctrl-X, Y, enter. And restart Apache by deselecting and then reselecting Personal Web Sharing from System Preferences->Sharing. Close the Terminal window by typing exit, pressing enter, and then pressing Command-Q.

Testing Your WebDAV Server. To test whether WebDAV is working, switch to your Desktop and, using Finder, press Command-K. When prompted for the server address, type http://localhost/dav and then click the Connect button. Enter the username and password that you created in the dav.pw password file, and a blank dav folder should appear on your Desktop. Drag a file from your Desktop to the folder to be sure everything is working as it should. If you’ve enabled web access through your Mac and router firewalls (which we have previously covered here), then you should be able to access your WebDAV folder from the Internet with your IP address or domain name using the syntax: http://mydomain.com/dav. Enjoy your new WebDAV server. Now all you need is a friend to share it with.

iTunes Bait and Switch: Say It Ain’t So, Steve

After selling over 400 million songs through the iTunes Music Store, Apple reportedly has pulled a fast one. The Bait: Remember the original iTunes promise? Songs purchased on iTunes could be copied to an unlimited number of iPods that you own and could be played on up to five Macs or PCs. And you could burn playlists to music CDs up to seven times. And you could burn individual songs to music CDs an unlimited number of times. Well, that was then and this is now according to a little blurb on VersionTracker this week. In announcing the latest release of Roxio’s award-winning CD and DVD burning software, Toast Titanium 6.1, which was supposed to fix some compatibility issues with Tiger, a not-so-subtle gotcha has been added. The Switch: "Following discussions with Apple, this version will no longer allow customers to create audio CDs, audio DVDs, or export audio to their hard drive using purchased iTunes music store content."

If true, Apple’s welching on the terms of their music license with end-users by strong-arming software developers into crippling their CD burning software may just earn them one of the biggest class-action lawsuits of the century … to the tune of 400 million already-purchased songs. Does Apple have the right to change the terms of their music license for future sales from iTunes? I suppose so. Do they have the right to change the rules for songs people have already purchased? Any first-year law student could answer that as could most folks with about an ounce of common sense. But you can still burn a CD using iTunes, you might be saying. And I would respond, "Yeah. This week." How many times in the past year has Apple made changes to iTunes that further restrict your use of music you lawfully purchased? Making iTunes the exclusive software for burning music CDs of music purchased from the iTunes Music Store will work just about as well as letting the Arab nations unilaterally set the price of oil. What’s coming next: music CDs that will only play on Apple CD players. Give us a break! Maybe it’s time for folks to take a look at allofmp3.com after all. It’s only 95¢ a song cheaper than iTunes. But we were all trying to be good citizens, except Apple apparently. If Apple can continually change the ground rules after the fact, then it’s hard to fault those who resort to tools such as PyMusique to protect their music investment.

The fundamental difference in what Roxio apparently was doing to reverse engineer the Apple encryption scheme and what Real appears to be doing is quite simple. People have always had a contractual right to copy their encrypted songs to music CDs. So, just as printer manufacturers have no right to assert the Digital Millennium Copyright Act (DMCA) to bar competitors from making compatible print cartridges, Apple has no legitimate DMCA claim to bar other companies from providing tools to perform the lawful act of making music CDs from iTunes downloaded songs. If Apple were only worried about their encryption scheme with no ulterior motives, then it would have been a simple matter to license a decryption library to Roxio for the limited purpose of making music CDs from iTunes downloaded music. That obviously didn’t happen.

It’s too bad that Apple, which has been embraced by the public as the model technology company in this country, just can’t seem to resist the temptation to jump into the legal thicket and shoot itself in the proverbial foot. Worse yet, it always seems to happen when Apple is on a roll. Makes you wonder what would happen if Apple really were in the desktop computing driver’s seat, doesn’t it? Once word spreads that Apple is beginning a process of further crippling music downloads by changing the original terms of their deal with the public, then, read my lips, the iTunes lock on music downloads is going to be history. So, Steve. Say it ain’t so. You’ve inspired a new generation of kids to actually buy their music. Don’t make them all sorry they trusted you.

About the Author. Ward Mundy is a retired attorney who spent more than 30 years providing legal and technology assistance to the federal courts in the United States. Nothing in this article should be construed as legal advice, and obviously the views expressed herein are solely those of the author.

ISP-In-A-Box: The $500 Mac mini (Skype = Free Phone Service)

No Mac mini would be complete without free local and long distance telephone service. Thanks to Skype, your prayers have been answered. You can call anyone in the world who also uses Skype and talk as long and as often as you like for free! You can also place conference calls to up to four other Skype users at a time anywhere in the world at no cost. And you can call plain old telephones (POTS) by dialing an existing area code (or country code) and phone number for about 2¢ a minute to most of your favorite places. There are no hidden charges! The complete rate table is here. For 30 euros or about $40 a year, Skype will provide you a real POTS phone number in the area code of your choice with free voice mail and free incoming calls. Then all your friends can call and irritate you whether they use Skype or not.

The key ingredient for Skype is that you have to have some type of computer, and it has to be running the Skype software to place and receive calls. There are free versions of the Skype software to support Windows PCs, Macs, Linux, and Pocket PCs. You’ll also need a way to talk and listen on your phone calls. You can use either a microphone and speaker, or a Skype-compatible USB phone, or a Skype-compatible terminal adapter/router, or a Bluetooth or USB headset. Suffice it to say, a new Skype-compatible phone solution is announced every week, so do a little Googling if you don’t find what you want below.

Skype Alternatives for the Mac. Since the Mac mini doesn’t include a microphone or line input jack, you’ll need to add a microphone and a USB audio input device such as the iMic if you want to use the microphone/speaker approach on the mini. Hint: The Mac mini’s speaker leaves a lot to be desired. The best and cheapest solution on the Mac platform for U.S. users is the Plantronics Audio 45 USB Stereo Headset for about $30. The under $100 wireless solution in the U.S. is to purchase the Plantronics M3000 Bluetooth headset and the D-Link DBT-120 USB Bluetooth adapter for your Mac, if it didn’t come with Bluetooth. Once you get the D-Link adapter or, if you have Apple’s internal adapter, you’ll need to upgrade the firmware in order to use the headset. Note that this only works for the Mac’s Bluetooth adapter and more recent D-Link adapters! Just download the 1.2 Bluetooth Firmware here and install it. We’ve had mixed results with the Bluetooth headset. If Skype were my only phone service, I’d recommend the USB headset on the Mac platform. [Footnote: Tiger totally resolves the Skype Bluetooth headset problems.]

Skype Alternatives for Windows Users. For Windows users, there is the IPMate S90, a $50 router that allows you to use your regular telephones with your PC and Skype. While the S90 is a Windows-only solution, if you have an old clunker Windows machine sitting around, here’s a way to put it to good use. Other Windows-only solutions are the rapidBox and the VTA1000 Skype and SIP Gateway for $59.

European Alternatives. For our European friends, the easiest solution is the cordless DU@LPhone. In addition, the $60 USB Cyberphone K is available directly from Skype; however, the dialing keypad does not yet work with Macs. [See the comments for another great European alternative.]

USB Phone Alternative. Finally, an untested, but promising, USB phone that is claimed to work on both the Mac and Windows platforms for about $60 including shipping is the Dontronics USB phone made in Australia. Let us hear from you if you get one.

Installing and Using Skype. Skype is one of the easiest software packages you’ll ever install. Just download the latest version from here for your chosen operating system and follow the prompts. You’ll need to set up a Skype username and password as part of the installation process and, if you want to be able to call regular telephones, you’ll need to put a little money in your SkypeOut account on the Skype web site. Configuration is equally painless. Run the application and choose Skype->Preferences. Review the settings and make any adjustments desired. Most of the defaults are fine. Under the Audio tab, select your input and output devices, and you’re ready to make your first call. If you’re calling another Skype user, just enter their username and click Call. If you’re calling a POTS number in the U.S., enter +1 and then the area code and number and click Call. Test your Skype service by calling echo123.

Once everything appears to be working, feel free to try out your system by giving us a call if you speak English. Our Skype account name is wardmundy, or you can reach us through our Washington, D.C. phone number: +1-202-470-1646. Don’t forget the plus sign. Skype is picky about it. If the voice mail system answers (that also is available through Skype), leave a message together with your name, where you’re calling from with the time zone and the best time to return your call, and, of course, your Skype name. We return our calls, but it may take us a bit of time depending upon nerd volume. Final note: This is not a tech support service. If you need technical assistance, call a friend or former friend. You can’t afford us. Enjoy!

For another approach to free phone service, read our latest article on SIP telephony options.



ISP-In-A-Box: The $500 Mac mini (Chapter XIV: Remote Access and Remote Control)

Today we’re going to tackle all the flavors of Remote Access for your Mac. It’s a must-have resource for Road Warriors and anyone using their Mac as a server of almost any kind. There are dozens of great remote access tools available but, in the interest of not putting everyone to sleep at once, we’ll focus on some of the built-in (i.e. free) tools, the best of the open source tools (i.e. free), and a couple of the more popular commercial products. The prerequisites for all of these tools are having an always-on Internet connection and having an always-on Mac. And sleep mode doesn’t qualify as ON insofar as remote access is concerned.

There are two types of remote access tools in my book: safe and dangerous. Safe in this context means the connection between you (wherever you are) and your Mac server is always encrypted so that others can’t intercept your password or data. Dangerous means everything else such as FTP. We’re only going to discuss safe remote access tools, and I’d urge you to think twice about enabling or using anything else. Once someone intercepts your unencrypted password, they basically own your Mac and all the data that’s stored on it. So ask yourself if that’s a risk you are willing to take. And I think you’ll probably come to the same conclusion we have: Just Say No.

If you’ve been following our advice, then there is a hardware-based firewall of some variety between your Mac server and the Internet. And your Mac has its built-in firewall enabled as well. Before remote access will work, you’ll need to open the SSH (secure shell) port (22) by accessing the Sharing Folder under System Preferences. Just check the Remote Login box to enable other computers to access your Mac using SSH. You’ll also need to create a rule in your hardware-based firewall that passes Port 22 traffic to the IP address of your Mac. If you don’t know what your Mac’s Internet address is, just click here using a web browser on the Mac in question.

Once you have enabled Remote Login, your Mac automatically starts three UNIX servers: SSH for remotely logging in to your machine, SCP for remotely copying files to/from your machine, and SFTP which is functionally identical to a traditional FTP server except the connection is secure. With SSH, the simplest way to access your server from another machine is to open a Terminal window, switch to root access (sudo su), and then open an SSH session: ssh 111.111.111.111 where the IP address is the actual IP address of your server. If you’re inside the hardware firewall with your server, then you can use your internal IP address as well. Unless you’ve installed a security certificate on your Mac (which really isn’t necessary since an unregistered one will be generated automatically), you will be warned that the authenticity of your server cannot be established. Just type yes to proceed, and then enter your root password. Once you’re connected to your server, you can do anything you could do from a Terminal window sitting at your machine. Type man scp for a tutorial on how to use the secure copy program. q gets you out. When you are finished with your SSH session, type exit to log out.

Secure FTP works similarly. You log in by typing: sftp username@111.111.111.111 where username is an actual account on your server and the IP address is your server’s actual IP address. After typing your password, you will be presented with the sftp> prompt. Type ? to see the list of possible commands. When you are finished with your SFTP session, type exit to log out. If you only need to copy files back and forth to your Mac server, this is probably the easiest and simplest method to use. And it’s free.

If your primary remote access requirement is to copy files between your Mac and a remote machine but you prefer the ease of use of a Mac OS X Aqua interface, then there is no finer program than Transmit. While it’s not free, $30 won’t break the bank for most folks, and you’ll be getting the top of the line FTP and SFTP product available in the Mac marketplace. If, down the road, you decide to use a web hosting facility for your web site(s), Transmit is the one tool you simply cannot live without. Copying files is as simple as dragging and dropping them into a Transmit window. If you can’t tell, we use Transmit ourselves for managing web sites and have for many years. You won’t be disappointed.

There’s another type of Remote Access program. The applications in this group are designed to let you remotely display and control the desktop of your Mac. In other words, what you see is the same thing someone sitting in front of your Mac server would see … only slower. For some, this is an essential component of remote access. For others, it’s a big waste of computing and bandwidth resources. Just be forewarned that Remote Control software is not perfect and is resource intensive. You won’t be disappointed if you have a fast broadband connection in both directions on both machines. Keep in mind that a typical Mac display these days exceeds 700,000 pixels with millions of colors, and that will give you some idea of the amount of data which must be transmitted just to replicate a single static screen. And that’s before you ever move your mouse! Yes, there are compression techniques and shortcuts that the various applications use to reduce the size of the screen transmissions, but it still is a bandwidth intensive operation because of the screen sizes and resolutions of today’s monitors.

Apple makes a perfectly acceptable commercial application to handle remote control called Apple Remote Desktop 2. And, if money is no object or for large organizations, it is a perfectly acceptable solution for remote control. You should be aware, however, that half of the Apple remote control package is available at no cost to users of Mac OS X v10.3. That half is now standards-based and, because it’s free, we’re going to take advantage of it today. Standards-based means that it is compatible with every VNC client for virtually every computing platform in the world, all the way down to cellphones and PDAs if you can stand the performance. The other half (purchased from Apple) will set you back $299 for 10 clients or $499 for unlimited clients. The good news is you don’t need the costly half because there is a standards-based product for Macs which works well and is only getting better. Finally, be aware that this remote control solution is not encrypted, meaning that it is possible (theoretically at least) for someone at your ISP’s router to intercept the data. With built-in compression, the data stream still would pretty much be gibberish, but at least it is something you should be aware of. See the comments to this article for an approach that uses an SSH tunnel.

So our remote control approach will be to download and install the latest version of the Apple VNC client. And then we’ll download the standards-based Chicken of the VNC to handle access to the remote desktop. And, as we mentioned, any standard VNC product can be used to connect to the Apple VNC desktop once we get it upgraded to version 2.1. You can read all about the history of Bell Labs VNC software and all of its supported platforms here. Finally, a word about nomenclature. The piece of software residing on the host machine always has been called the VNC Server until Apple came along and named theirs the Remote Desktop Client. The piece of software on the traveling machine that is used to connect back to your host or home base has always been called the VNC Client except Apple calls theirs the Apple Remote Desktop. Sounds confusing? You bet. For our purposes, we’ll refer to the Host Machine (meaning your home base host) and the Remote Machine (meaning the computer from which you are making the connection to your host machine). Whew!

Now, let’s upgrade the software on your Host Machine to make sure the standards-based remote access products will work. Just download and install the Apple Remote Desktop Client 2.1 from here. When you complete the installation, you will need to enable Apple Remote Desktop under the Services tab in the Sharing folder of System Preferences. Then click on the Access Privileges button, choose a user account, make sure all the boxes in the right column are checked, and check the "VNC viewers may control screen with password" option. Enter a password that you will use for remote access. Leave the "guests may request access" option unchecked, or you’ll have to have someone sitting at your host machine to grant access. Click the OK button to save your changes. Next, you need to open the firewall ports on your Mac and your hardware-based firewall to support remote access. Click on the Firewall tab. Then click the New button. Choose VNC (5900-5902) from the pull-down list. If it will only be you connecting to your host machine, then you only need to open port 5900 on your hardware-based firewall and point it to the internal IP address of your host machine. That completes the Host machine installation and setup for remote control.

Now let’s do the other half: the traveling or remote machine software, aka the VNC client. To test this, you’re going to need a second computer (not necessarily a Mac). It’s helpful to have a second computer inside your hardware-based firewall so we can get the kinks out before you try this on the road. If your second machine is also a Mac, then the software you need is Chicken of the VNC (get it?). Download the 2.0b2 version from a SourceForge mirror site to your Desktop. Once it is installed on your Desktop, drag the icon to your Applications folder. Double-click on the icon to start the application. The VNC Login screen will appear. Fill in the IP address of your Host machine and the password you assigned when we enabled the Apple Remote Desktop. The Shared Display checkbox lets more than one person connect to the same Host at the same time so long as you use different ports. Port 0 uses 5900, port 1 uses 5901, etc. The ports have to be open and pointed to your host on your hardware-based firewall. For now, you can leave Shared Display unchecked and make sure the Port is set to 0. Leave the Default Profile setting as is and decide whether you want to save your password in your keychain. That’s all there is to it. Click the Connect button and the screen of your Host machine should miraculously appear. You can toggle the Host machine display between a window and full-screen by pressing Command-Option-Control-`. To disconnect, just close the Host machine display window or choose Connection, Close Window from the title bar menus.
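One way to set up the SSH tunnel mentioned earlier, so the VNC session travels inside the Remote Login (port 22) connection rather than over an open port 5900. This is an added example, not from the original article or its comments: it assumes OpenSSH on the remote machine, the function names are hypothetical, and username@111.111.111.111 is the article's placeholder account and address.

```shell
#!/bin/sh
# Added example: carry the VNC session inside SSH instead of exposing port 5900.

# vnc_port DISPLAY: the article's mapping, port 0 -> 5900, port 1 -> 5901, ...
vnc_port() {
    case "$1" in
        0|[1-9]|[1-9][0-9]) echo $((5900 + $1)) ;;
        *) echo "display must be an integer from 0 to 99" >&2; return 1 ;;
    esac
}

# tunnel_cmd USER@HOST [HOST_DISPLAY] [LOCAL_DISPLAY]
# Prints the ssh command that forwards a loopback-only local port to the VNC
# port on the host machine. LOCAL_DISPLAY lets a remote Mac that already uses
# 5900 for its own screen sharing pick 5901 instead.
tunnel_cmd() {
    target=$1
    [ -n "$target" ] || { echo "usage: tunnel_cmd user@host [host_display] [local_display]" >&2; return 1; }
    rport=$(vnc_port "${2:-0}") || return 1
    lport=$(vnc_port "${3:-${2:-0}}") || return 1
    # -N                    forward only, no remote shell
    # -L 127.0.0.1:...      listen on loopback so other machines cannot use the tunnel
    # ExitOnForwardFailure  quit if the local port cannot be bound
    echo "ssh -N -o ExitOnForwardFailure=yes -L 127.0.0.1:${lport}:127.0.0.1:${rport} ${target}"
}

# viewer_settings [LOCAL_DISPLAY]: what to enter on the VNC Login screen.
viewer_settings() {
    lport=$(vnc_port "${1:-0}") || return 1
    echo "Host: 127.0.0.1  Port: ${1:-0}  (TCP ${lport})"
}

# vnc_exposed HOST [DISPLAY]: succeeds if the VNC port answers directly.
# Run it from outside the firewall against your own host; once the tunnel is
# in use, the port 5900 forwarding rule can go and this check should fail.
vnc_exposed() {
    port=$(vnc_port "${2:-0}") || return 2
    nc -z -w 5 "$1" "$port" >/dev/null 2>&1
}

# Print the command and viewer settings when called with arguments, e.g.
#   sh vnc_tunnel.sh username@111.111.111.111 0 1
if [ $# -ge 1 ]; then
    tunnel_cmd "$@" && viewer_settings "${3:-${2:-0}}"
fi
```

Run the printed ssh command in a Terminal window on the remote machine and leave it open, then point the VNC viewer at 127.0.0.1 instead of the host's IP address.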

For additional assistance and terrific web-based documentation, just click on Help while the program is running. To keep up with the latest developments of Chicken of the VNC, visit MacUpdate. If you need VNC software for other platforms, Real VNC has the latest versions and AT&T’s VNC archive is another worthwhile site although it now is over five years old. VNC clients also are available for Palm devices and Treo smartphones as well as Pocket PCs and compatible smartphones. Enjoy!