Custom Web Page for TELEM-GWM: Difference between revisions

From Phobos Wiki
Jump to navigation Jump to search
No edit summary
No edit summary
Line 1: Line 1:
This is a basic guideline for developing custom web pages for TELEM-GWM. It is assumed that reader is familiar with TELEM-GWM configuration software gws.exe and understands how to secure the device. Securing the device is described in [[Basic Security]]. Webservers uses XML data wich is described in here [[GW6 web schema]]
This is a basic guideline for developing custom web pages for TELEM-GWM. It is assumed that reader is familiar with TELEM-GWM configuration software gws.exe and understands how to secure the device. Securing the device is described in [[Basic Security]]. Webserver uses XML data wich is described in here [[GW6 web schema]]


=== What Features to Enable? ===
=== What Features to Enable? ===

Revision as of 08:28, 6 June 2013

This is a basic guideline for developing custom web pages for TELEM-GWM. It is assumed that reader is familiar with TELEM-GWM configuration software gws.exe and understands how to secure the device. Securing the device is described in Basic Security. Webserver uses XML data wich is described in here GW6 web schema

What Features to Enable?

On figure 1 there are features than can be configured for web server. Under “IP settings” you can select firewall settings. On which interface the web server should be enabled and if there is a IP address that should have the exclusive access to the web page. Then the TCP port selection.

Under http one can disable dynamic server features. “Forbid output control” if checked disables control operations through web server. “Enable GW application logs ..” if checked instructs the web server to send content from log files. “Enable syslog” if checked permits sending of /var/log/messages to the web client. “Enable general information ..” if checked permits sending of firmware revision and some additional info about the device to the web client. “Enable configuration ...” if checked permits sending of the configuration file of the main application to the web client. “Enable events ..” if checked permits sending of events to the web client. Events are encoded in XML.

Under “User” and “Password” an authorization can be enabled. TELEM-GWM uses digest access authentication.

Under “Custom” a custom web content can be selected. You have to select folder. All content from that folder is sent to the TELEM-GWM to be displayed to the web client.

Under “SSL” secure socket layer can be enabled. There are two options to use: in device generated keys or, user generated keys. 283px|thumb|center|Figure 1: Web Server Settings

Caveats

Three Password Attempts

Server uses session ID's to keep track of authenticated accesses to the server. Sessions timeout within 60 seconds. If you connect to server and set password wrongly for three times the used IP gets banned by firewall. Note this IP gets panned not only from web page but from the whole device.

If user forgets the password he can look it up from setup as it is in plain text. Alternative is to close the browser after two attempts and then retry. However server supports only 200 sessions and 50 connections per IP address(4 clients with 50 sessions each). Per client count can be further minimised by manually configuring the firewall. Note firewall state count differs from server IP count. That is if you remove the restrictions from firewall, web server will only support 50 connections per IP address and total of 200 sessions.

All in all it means that don't be surprised if three wrong password attempts denies access to the device. If you plan to brute force the password from web, program your script with time out of 65 seconds, use more that 4 IP addresses, make sure not to exceed 50 SYN packets from your attack hosts in total of 200 SYN packets and sessions. TELEM-GWM will not resist DOS attacks from botnets. The 3G uplink limit will be hit first. Make sure to restrict access with firewall.

No Automatic index.html from Subfolder(s)

Web server will not load automatically index.html or index.htm from subfolder(s).

No HTTP to HTTPS Redirection

You need to know which protocol is used. Don't worry the browser remembers the url's.