How to create a fast locked down WEB KIOSK

nassausky
apt-getter
Posts: 83
Joined: Wed May 06, 2015 1:15 pm


Post by nassausky » Thu Jun 25, 2015 9:35 pm

How to create a WEB KIOSK using a linuxbbq Live Distribution
FYI: This requires a bit of linux familiarity and is quite a bit more in depth than my previous tutorial on creating a simple movie/video client

This project was originally started to quickly and easily create an ISO image for some online catalog at a public library.
In order of priority:
1) Quick install
2) Able to lock down a website with a handful of additional links using whitelists
3) Able to restart the web browser if it somehow gets shut down
4) Hotkeys to perform some specialized tasks
5) Quick load time
6) Remote management via ssh
7) The final image is smaller than most (I got mine to about 310 meg on final implementation)
8) Create the image so it's very flexible (in my opinion easier than porteus web kiosk)

On that last note I have also used this procedure for a staff room timeclock web client.

At any point during the following instructions you can opt out of any of the lockdowns and/or customize it to your own liking. There are also a few alternative applications you can install instead of what is listed, but what I have below are usually the smallest in download size, making the resulting image probably the smallest you can make it with the features I needed. The firewall also is tiny, which many don't like working with since it is a bit cumbersome, but I just needed it for the particular purpose of piping every web request through the proxy, which kept the size down.

Key:
The $ symbol means run the following command as user

I) QUICK OVERVIEW creating a web kiosk ISO image

These instructions were originally geared for Academy which uses the wmii window manager.
You can very easily adapt these to other distributions.

[Hint] Alt-Enter is the hotkey shortcut if you want an x-terminal using LinuxBBQ Academy.

Keep in mind that at any time during your endeavor into bbq, you can use the following commands to see some toys that are included in the base install:

Not necessary to run either of the following commands but just to have an idea of all the tools built into bbq:
$bbq
$bbqpkg

Now is a good time to setup a password for the default user:
$passwd


Let's also setup a new password for root:

$sudo -s
#passwd
$exit

First let's make sure we can read the terminal:
$dkeger
Choose a color theme or press ENTER to give you the default high contrast theme (Alternatively colorbar and yellowbeak are not too bad to read)


Now let's set up the timezone:
$sudo dpkg-reconfigure tzdata

If for any reason your time or date is wrong use:
$sudo date --set YYYY-MM-DD
$sudo date --set HH:MM:SS

Now get your network up and running:
$sudo ceni

Make your manual changes to /etc/apt/sources.list.d/debian.list if you want a faster update. In my case I changed the "cn" in the list to "us" by editing the file with the following command:
$sudo nano /etc/apt/sources.list.d/debian.list
then ran the debian update:
$sudo apt-get update

Optionally install apt-spy to keep package repositories up to date:
$sudo apt-get install apt-spy
$apt-spy update

What's needed for download from the repositories:

You can find any package you like using the search keyword:
$search browser
and using the pipe | symbol and grep to limit the result:
$search browser | grep simple


Installing qupzilla because for my purpose it has most of the features I need, including proxy configuration and changing the browser identification (user agent), which a particular website I use needs.
$apt-get install qupzilla
or simply:
$ins qupzilla



With tinyproxy alone you can set up a whitelist and only allow certain websites through, but by adding iptables you can force the user to only use the proxy port and prevent all other activity if a user tries to modify the browser config.
$apt-get install iptables tinyproxy

I needed a hotkey application, so I decided on using triggerhappy since it's tiny to install compared to something like xbindkeys in this distribution.

$apt-get install triggerhappy

For secure remote connection
$apt-get install openssh-server

Optionally, if you create scripts in Windows, you may need to fix problems when you run Windows-created scripts in Linux:
$apt-get install dos2unix

Depending on your policy you might want to capture screenshots of the PC remotely to diagnose problems and/or keep users honest. The following will install a smaller VNC server which doesn't allow live session viewing, meaning it will only hook up on another display, but you can grab a screen capture of the remote display by running scrot after you switch displays, then switch back to the VNC display to view the screenshot with feh, the image viewer.
$apt-get install tightvncserver feh scrot


To setup hotkeys add your hotkey lines to any file ending in .conf in the /etc/triggerhappy/triggers.d/ folder. For example I want the keypad asterisk key to quickly shutdown qupzilla so I called my conf file keys.conf as so:
$sudo nano /etc/triggerhappy/triggers.d/keys.conf
and add the following:

KEY_KPASTERISK 1 /home/user/keyasterisk

Create the script you want called on the hotkey event. I put it in the user's home dir for now but you can change that later.
$sudo nano /home/user/keyasterisk
and add the following:

#!/bin/bash

# This will quickly close the browser, faster than sending Ctrl-Q
# It's not pretty so close your eyes
killall qupzilla
# Purge session data so it opens up again cleanly
rm -f /home/user/.config/qupzilla/profiles/default/session.*

Create a script to start the triggerhappy daemon:
The script will keep checking every event which fires. Any event that matches the code in a .conf file will fire the associated script.

$sudo nano /home/user/thd-start
and add the following:

#!/bin/bash
/usr/sbin/thd --daemon --triggers /etc/triggerhappy/triggers.d/ /dev/input/event*

Now make it executable:

$chmod +x /home/user/thd-start


Run a test now to make sure the hotkey daemon is working properly:
$/home/user/thd-start

If your custom hotkey functions as expected then continue otherwise you'll have to deviate from this tutorial to figure it out.

Edit /etc/rc.local and add the following before exit:

killall thd
/home/user/thd-start


Let's modify .xinitrc to loop and restart qupzilla on exit.
Edit /home/user/.xinitrc and after exec x-window-manager & add:

# The custom script below will loop until the internet is up
sudo check4net

# The custom script below will make a password required for sudo access
/usr/bin/sudolocker &

while true; do
	/usr/bin/qupzilla www.nytimes.com
	# The following custom script is optional; it checks for a net connection
	/usr/bin/check4net
done

I am testing the homepage with the New York Times newspaper for the moment. Later on you will see why. Hint: how to check for more relative links.

$sudo nano /usr/bin/sudolocker
and add the following:

#!/bin/bash
# Empty the live sudoers drop-in so sudo asks for a password again
> /etc/sudoers.d/live

$sudo nano /usr/bin/sudounlocker
and add the following:

#!/bin/bash
# Restore passwordless sudo for the live user
echo "user ALL=(ALL) NOPASSWD: ALL" > /etc/sudoers.d/live

Now make them executable, assuming you have no other file with locker as the suffix in the /usr/bin/ folder:
$chmod +x /usr/bin/*locker


$sudo nano /usr/bin/check4net
and add the following:

#!/bin/bash
hostip=""
COUNTER=0
# Keep restarting networking until the host name resolves
while [ -z "$hostip" ]; do
	let COUNTER=COUNTER+1
	service networking restart
	hostip="`timeout 3s gethostip -d www.google.com`"
	echo "Counter=$COUNTER : Host (www.google.com)=$hostip"
done

Make it executable:
$sudo chmod +x /usr/bin/check4net

Now it's time to optionally set up tinyproxy if you want to use whitelists.
Edit /etc/tinyproxy.conf as root:
$sudo nano /etc/tinyproxy.conf
and add the following few lines to the end of the file:

FilterExtended On
FilterURLs On
FilterDefaultDeny Yes
Filter "/etc/filter"
User proxy

Important: Go back in that same file and comment out the User nobody line by placing a hash in front of it.

Add your home page as a test site to the /etc/filter file as root:
$sudo nano /etc/filter
and add the following:

www.nytimes.com

Edit/Preferences/Browsing/Proxy Configuration Tab
Manual Configuration
HTTP localhost Port 8888

Now if you go to any other website but your home page it should block you. :)



Now when you run it you might be wondering "Hey, where is the full page?" Simple: some pages require other pages to load correctly. But then your next question will be "how can I find out what the URLs are?" Well, the good news is that I did my research with this project. I put together a script called curlparse.

First install curl:
$sudo apt-get install curl
Then install ack to get the nice color passthrough:
$sudo apt-get install ack

Next create the script file:
$sudo nano /usr/bin/curlparse
Add the following lines:

#!/bin/bash

curl -sL "$1" | grep -oP '(?<=http://)(.*?)(?=")' \
|ack --flush --passthru --color --color-match=on_blue "$1" \
|ack --flush --passthru --color --color-match=on_magenta '\.jpg|\.png|\.svg'

And run it like so:
$curlparse nytimes.com

Notice that the majority uses the nytimes.com domain (highlighted) but there is a good amount of nyt.com domains that need to get through to display images. That is the magic for this sample. You will have to do your research yourself as far as what sites need to get through the whitelist to work.

$sudo nano /etc/filter
Add nyt.com and exit.
Now run:
$sudo service tinyproxy restart

Test it out and assuming you added the proxy to your browser it should prevent other sites.
You might want to set it up to restart every so often with a crontab, because one forum mentioned it had a memory leak.

If it's loading/blocking sites correctly now we can lock it down to only use the proxy.
Create an iplock script to block.
$sudo nano /usr/bin/iplock
Add the following

#!/bin/bash

### SECTION 1
## First completely clear and reset the iptables.  Normally I used iptables -F but that doesn't work all the time
###

echo "Starting IPv4 Fresh..."
# IPv4

   ##
   ## set default policies to let everything in
   iptables --policy INPUT   ACCEPT;
   iptables --policy OUTPUT  ACCEPT;
   iptables --policy FORWARD ACCEPT;

   ##
   ## start fresh
   iptables -Z; # zero counters
   iptables -F; # flush (delete) rules
   iptables -X; # delete all extra chains

### END SECTION 1
## End of resetting the iptables
###

### SECTION 2
## Allow inbound and outbound for our host above which dynamically gets the ip address and saves it to variable $hostip
###


echo "Allowing previous connection ..."
#Allow previous connections through
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
echo "Allowing DHCP & DNS..."
#Allow DHCP Requests through
iptables -I INPUT -i eth0 -p udp --dport 67:68 --sport 67:68 -j ACCEPT
#Allow DNS Requests through
iptables -A OUTPUT -p udp -o eth0 --dport 53 -j ACCEPT
iptables -A INPUT -p udp -i eth0 --sport 53 -j ACCEPT
echo "Allowing icmp,lo,eth0 INPUT..."
#Allow ping Requests through
iptables -A INPUT -p icmp -j ACCEPT
#Allow loopback interface through
iptables -A INPUT -i lo -j ACCEPT
#Allow eth0 interface through
iptables -A INPUT -i eth0 -j ACCEPT
echo "Allowing SSH & VNC..."
#Allow SSH through
iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
#Allow VNC through
iptables -A INPUT -m state --state NEW -m tcp -p tcp -m multiport --dports 5901:5903,6001:6003 -j ACCEPT

echo "Rejecting icmp..."
iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited
iptables -A FORWARD -j REJECT --reject-with icmp-host-prohibited

#echo "Allowing hostlist OUTPUT(Only works on connection to inet w/correct ip)..."
#timeout 3s iplocklist
#echo "Passed timeout 3s getting host list from iplocklist. Continuing..."


echo "Allowing only root and proxy full access"
iptables -A OUTPUT -m owner --uid-owner root -j ACCEPT
iptables -A OUTPUT -m owner --uid-owner proxy -j ACCEPT


echo "Dropping the rest of port 80..."
iptables -A OUTPUT -p tcp --dport 80 -j DROP


echo "New iptable settings:"
iptables -L
#echo "Confirm IP address is set correctly"
ifconfig

echo "Done setting up iptables!"
The code above does a little more than lock down; it will display the result at the end.




For sanity I wanted to create a quick way to completely reset the iptables to allow full access once again and that is why I created ipreset:
$sudo nano /usr/bin/ipreset
Add the below code to the file

#!/bin/bash

# IPv6

   ##
   ## set default policies to let everything in
   ip6tables --policy INPUT   ACCEPT;
   ip6tables --policy OUTPUT  ACCEPT;
   ip6tables --policy FORWARD ACCEPT;

   ##
   ## start fresh
   ip6tables -Z; # zero counters
   ip6tables -F; # flush (delete) rules
   ip6tables -X; # delete all extra chains

# IPv4

   ## 
   ## set default policies to let everything in
   iptables --policy INPUT   ACCEPT;
   iptables --policy OUTPUT  ACCEPT;
   iptables --policy FORWARD ACCEPT;

   ##
   ## start fresh
   iptables -Z; # zero counters
   iptables -F; # flush (delete) rules
   iptables -X; # delete all extra chains

echo "Checking for network..."
#sleep 2s
#service networking restart
check4net

echo "New iptable settings:"
iptables -L
echo "Confirm IP address is set correctly"
ifconfig

You can now play with the iplock file if you want to tweak it, and reset it with ipreset if you run into a problem.

To have it lock down during boot you will have to edit /etc/rc.local:
$sudo nano /etc/rc.local
and add, under the /home/user/thd-start line we added above to start the hotkey triggerhappy daemon:

sudo -u user tightvncserver :1
/usr/bin/iplock &
exit 0

Notice I added my optional tightvncserver (in this case it is not secure and you should consider using ssh); you could instead add x11vnc (you would use a command line like x11vnc -usepw -forever &) if you want full remote control of the active display. If you add this, though, you should set a password for it before you burn the ISO, so I'd do it now. The first time you run tightvncserver it will ask you to set a password. This is the password that you use when connecting remotely.

$/usr/bin/tightvncserver

Optional remote screenshot capture:
$sudo nano /usr/bin/sc
Add the following

#!/bin/bash
if [ "$DISPLAY" = ":0" ]; then
	clear
	echo
	echo "**************************************"
	echo "This must be run from a remote session"
	echo "**************************************"
	echo

else
	cd /home/user/scrots || exit 1
	# delete old .png
	rm -f *.png
	# switch to the running standard tightvnc remote display
	export DISPLAY=:0
	scrot
	# switch back to the local vnc viewer display
	export DISPLAY=:1
	feh *.png
fi

With the above script you can type sc into a vnc viewer connected to this machine, grab a screenshot, and press a key to return to the terminal command line.


Now let's get ready for the ISO. Add the following to snapshot_exclude.list if you're going to be creating the ISO in a live session.


$sudo nano /usr/lib/bbqsnapshot/snapshot_exclude.list
Add:

- /lib/live/overlay
- /lib/live/image
- /lib/live/rootfs
- /lib/live/mount
- /run/*

Which was easier than a technique I tried on this post http://linuxbbq.org/bbs/viewtopic.php?f ... hot#p41520.
Important note: If you start making larger images you will probably have a problem where you see the final image at 1/10th the normal size, maybe around 30 meg. I found out that while I was using 8 Gig RAM from a live session, 32 bit versions of the OS only see 4 Gig RAM. Using the command free -m you can divide that number by 1000 to tell how many Gig of memory you are using. You'll have to use the 64 bit versions which are newly posted on this forum, YAY!


Ready to burn
$sudo frenchmaid -y
$sudo bbqsnapshot
Make any optional changes and press Ctrl-X to exit each editor & Q to exit ncdu
As you go through this snapshot procedure, I personally like to change the timeout value from 00 to 25 to give it 2.5 secs to boot. I also like to change the first label, live, in that boot menu (isolinux.cfg) to something short and more descriptive about the snapshot.

That is it; now you should have a time-stamped .ISO image in the /home/snapshot folder.

Just to clarify, this was all done in one live session, which I have normally been running with 8 Gig RAM to create the snapshot. If you'd like to then install it to a HDD, when I have time I will leave some information on how to lock down the boot process.
Last edited by nassausky on Fri Aug 07, 2015 5:47 pm, edited 18 times in total.
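
The tinyproxy whitelist and the curlparse step in the post above, as an added example that is not part of the original post: a small POSIX shell script that (1) reduces a fetched page to the hostnames it references, which is how the curlparse output is used to discover that nyt.com has to be admitted, and (2) reproduces the allow/deny decision tinyproxy makes with FilterExtended On, FilterURLs On and FilterDefaultDeny Yes. The decision helper assumes, as I read tinyproxy's filter.c, that each line of /etc/filter is applied as an unanchored, case-insensitive extended regular expression; that is what grep -Ei does, and it is why a bare www.nytimes.com line also admits any URL that merely contains that string somewhere in its path or query. The sample HTML, the tracker.example host and the anchored pattern are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original post.
# Constructed stand-in for the page that "curl -sL nytimes.com" would fetch.
SAMPLE_HTML='<html><head>
<link rel="stylesheet" href="http://www.nytimes.com/css/site.css">
<script src="http://static01.nyt.com/js/app.js"></script>
</head><body>
<img src="http://static01.nyt.com/images/logo.png">
<a href="http://www.nytimes.com/section/world">World</a>
<a href="http://tracker.example/px.gif?r=www.nytimes.com">t</a>
</body></html>'

# Print the distinct hostnames referenced by http:// URLs on stdin, one per line.
# Pipe "curl -sL <url>" into this to get the curlparse-style domain survey.
urls_to_hosts() {
    grep -oE 'http://[A-Za-z0-9.-]+' | sed 's#^http://##' | sort -u
}

# Decide as tinyproxy would (FilterURLs On, FilterDefaultDeny Yes, FilterExtended On):
# allow the URL if ANY pattern matches it as a case-insensitive, unanchored ERE
# (assumption about filter.c; on the kiosk the patterns are the lines of /etc/filter,
# here they are arguments). Returns 0 (allow) or 1 (deny).
filter_allows() {
    url=$1; shift
    for pat in "$@"; do
        printf '%s\n' "$url" | grep -Eiq -e "$pat" && return 0
    done
    return 1
}

# The post's list, as written: dots are regex metacharacters and nothing is anchored.
NAIVE_PATS='www.nytimes.com nyt.com'
# Anchored alternative (constructed): the host must be www.nytimes.com or a *.nyt.com
# subdomain at the very start of the URL, so a foreign host cannot carry the string
# in its path or query and slip through.
SAFE_PAT='^http://(www\.nytimes\.com|[a-z0-9-]+\.nyt\.com)(/|$)'

naive_allows() { filter_allows "$1" $NAIVE_PATS; }   # word-split on purpose
safe_allows()  { filter_allows "$1" "$SAFE_PAT"; }

# Print ALLOW/DENY for each URL under one of the two checkers.
show_decisions() {   # show_decisions <naive_allows|safe_allows> url...
    check=$1; shift
    for u in "$@"; do
        if "$check" "$u"; then echo "ALLOW $u"; else echo "DENY  $u"; fi
    done
}

echo "Hosts referenced by the sample page:"
printf '%s\n' "$SAMPLE_HTML" | urls_to_hosts
echo "Decisions with the post's /etc/filter lines (www.nytimes.com, nyt.com):"
show_decisions naive_allows \
    'http://www.nytimes.com/section/world' \
    'http://static01.nyt.com/js/app.js' \
    'http://tracker.example/px.gif?r=www.nytimes.com'
echo "Decisions with the anchored pattern:"
show_decisions safe_allows \
    'http://www.nytimes.com/section/world' \
    'http://static01.nyt.com/js/app.js' \
    'http://tracker.example/px.gif?r=www.nytimes.com'
```

The host survey shows the same thing the post found with curlparse (the page needs both www.nytimes.com and a nyt.com host), and the two decision runs show the difference between the plain list and the anchored one: with the plain list the third URL is allowed because www.nytimes.com appears in its query string, with the anchored pattern it is denied. The same check can be run against the real file on the kiosk with grep -Eif /etc/filter, as long as comment and blank lines are stripped first.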

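A tighter version of the iplock OUTPUT rules from the post, as an added example that is not the post's own code: iplock drops only tcp/80 for users other than root and proxy, so if the kiosk user manages to clear the proxy setting in qupzilla, HTTPS sites (443) and anything else are still reachable directly and the whitelist is bypassed. This variant lets the kiosk user reach only loopback (where tinyproxy listens on 8888) and flows that already exist, and leaves root and the proxy user unrestricted, so the proxy whitelist stays the only way out. It assumes the names from the post (kiosk user user, tinyproxy running as proxy on port 8888) and that tinyproxy is bound to loopback (Listen 127.0.0.1 in /etc/tinyproxy.conf); the script name iplock2 and the apply argument are my own. Set IPT=echo to print the rules instead of applying them.

```shell
#!/bin/sh
# Added example, not from the original post: a tighter OUTPUT policy for the kiosk.
# Assumed names (from the post): kiosk user "user", tinyproxy runs as "proxy" on 8888.
IPT="${IPT:-iptables}"   # IPT=echo prints the rules instead of applying them

# Replace the OUTPUT chain so that only root and the proxy user may leave the box.
# The kiosk user (and any other account) can still talk to loopback, which is where
# tinyproxy listens, and can answer connections it already has (the VNC session on
# :1, for example), but cannot open a direct connection to port 443 or anything else.
kiosk_output_rules() {
    $IPT --policy OUTPUT ACCEPT      # policy stays ACCEPT so the post's ipreset still works
    $IPT -F OUTPUT                   # start the chain fresh
    $IPT -A OUTPUT -o lo -j ACCEPT   # browser -> tinyproxy on 127.0.0.1:8888, local X/VNC
    $IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -m owner --uid-owner root -j ACCEPT    # apt, ssh, dhcp client
    $IPT -A OUTPUT -m owner --uid-owner proxy -j ACCEPT   # tinyproxy's fetches and DNS
    $IPT -A OUTPUT -j DROP           # everyone else: no direct path out
}

# Apply only when asked (e.g. "/usr/bin/iplock2 apply &" from rc.local, after the
# post's iplock has set up the INPUT chain); otherwise just print what would be done.
if [ "${1:-}" = "apply" ]; then
    kiosk_output_rules && $IPT -L OUTPUT -n --line-numbers
else
    ( IPT=echo; kiosk_output_rules )
fi
```

Because the DROP is an ordinary rule rather than the chain policy, the post's ipreset (iptables -F plus ACCEPT policies) still restores full access when something goes wrong. Note that DNS from the kiosk user is also blocked; that is intended, since with the proxy doing the resolving the browser never needs it.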
GekkoP
Emacs Sancho Panza
Posts: 5877
Joined: Tue Sep 03, 2013 7:05 am

Re: How to create a fast locked down WEB KIOSK

Post by GekkoP » Fri Jun 26, 2015 6:53 am

Interesting stuff, thanks for sharing.

wuxmedia
Grasshopper
Posts: 6445
Joined: Wed Oct 17, 2012 11:32 am
Location: Back in Blighty

Re: How to create a fast locked down WEB KIOSK

Post by wuxmedia » Fri Jun 26, 2015 9:02 am

My - you have been busy, great how-to :)
"Seek, and Ye shall find"
"Github | Chooons | Site"

nassausky
apt-getter
Posts: 83
Joined: Wed May 06, 2015 1:15 pm

Re: How to create a fast locked down WEB KIOSK

Post by nassausky » Fri Jun 26, 2015 11:16 am

Thanks. Yeah, much of it was straightforward, but the iptables alone didn't work out when I was dynamically acquiring the IP addresses from the hostname; then after some digging around I found the alternative.

Will breeze through it a few times to try some more cleaning it up.

dkeg
Configurator
Posts: 3782
Joined: Sun Nov 18, 2012 9:23 pm
Location: Mid-Atlantic Grill

Re: How to create a fast locked down WEB KIOSK

Post by dkeg » Fri Jun 26, 2015 11:20 am

Wow. Bravo on a tremendously well written and laid out How-To. Seriously. Good Stuff. And a very interesting project!

Work hard; Complain less

simgin
Meme Fodder
Posts: 1167
Joined: Sun Jan 06, 2013 12:07 am
Location: Bradford-on-Avon, UK

Re: How to create a fast locked down WEB KIOSK

Post by simgin » Fri Jun 26, 2015 12:22 pm

Wow oh wow, very nice work Nas :D
Cheers
simon
Someone told me that I am delusional, I almost fell off my unicorn.

nassausky
apt-getter
Posts: 83
Joined: Wed May 06, 2015 1:15 pm

Re: How to create a fast locked down WEB KIOSK

Post by nassausky » Fri Jun 26, 2015 1:52 pm

Thanks for the positive feedback! It's a love/hate relationship writing these tutorials. I love to leave the documentation and help, but boy do I hate organizing the layout and flow of it, especially with a 22" screen; it would be sweeter to organize them with a 40" monitor where more content is on the screen at once. Time to go garage sale shopping... haha


Side question: It might help out a bit if someone knows an editor that I can format the bb code with a GUI front end. All suggestions open ;) [Started a new thread http://linuxbbq.org/bbs/viewtopic.php?f=6&t=2160]

rhowaldt
Dog
Posts: 4565
Joined: Wed Oct 17, 2012 9:01 am

Re: How to create a fast locked down WEB KIOSK

Post by rhowaldt » Fri Jun 26, 2015 4:06 pm

wonderful how-to sausky, thanks so much for writing this! bb-editor or not, this shit will always be appreciated.
it seems you went with the BBQ Philosophy: live sessions are not supported? i will make my own and support myself! fantastic. well done :)
All statements are true in some sense, false in some sense, meaningless in some sense, true and false in some sense, true and meaningless in some sense, false and meaningless in some sense, and true and false and meaningless in some sense.

simgin
Meme Fodder
Posts: 1167
Joined: Sun Jan 06, 2013 12:07 am
Location: Bradford-on-Avon, UK

Re: How to create a fast locked down WEB KIOSK

Post by simgin » Fri Jun 26, 2015 11:21 pm

Welcome to the family Nas :)
Someone told me that I am delusional, I almost fell off my unicorn.
