
...

IP Whitelisting

When a Terminal connects to CAS, you may save its IP and restrict that BATM to connecting only from that IP. An attacker typically won’t be able to forge the IP that a Terminal connects from. Where a BATM will consistently connect from a known IP, this is also a valuable tool to prevent a stolen BATM from operating.

...

Client Certificates

Client Certificates ensure that an encrypted channel between your Terminal and CAS is intact. The certificate cannot be forged, and encrypted traffic between your Terminal and CAS cannot be established without that certificate. The certificate absolutely identifies the Terminal.

...

...

Hardware Pinning

Hardware pinning checks the serial numbers of various components within your BATM. It saves this data and checks it during every boot, sending it to CAS to verify that nothing has changed. If something has changed, that Terminal won’t be permitted to conduct transactions until either the original components have been reinstalled or the saved list has been updated (by you).

Terminal >> Actions:

...

Also available via the batm-manage command: https://generalbytes.atlassian.net/l/cp/uvvAqRD1

  • See: terminal-hwconf-clear
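The following is an added illustration of the pinning logic described above, not General Bytes code and not how CAS stores its data: a reference list of component serials is saved on the first boot, every later boot report is compared against it, transactions are blocked while any component differs, and an operator action re-pins the current list (the role of terminal-hwconf-clear plus a fresh boot). The component names and serials are constructed, and the PinnedTerminal model is hypothetical.

```python
import hashlib
import json
from typing import Dict, List, Optional, Tuple

# Constructed sample boot report. The component names and serials are hypothetical;
# the page does not list which components CAS actually pins.
BOOT_REPORT = {
    "mainboard": "MB-0001-A",
    "bill_validator": "BV-7781",
    "receipt_printer": "PR-2210",
}


def fingerprint(components: Dict[str, str]) -> str:
    """SHA-256 over the sorted (name, serial) pairs, so report ordering cannot mask a change."""
    canonical = json.dumps(sorted(components.items()), separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


class PinnedTerminal:
    """Server-side view of one terminal's pinned hardware list (hypothetical model)."""

    def __init__(self, serial: str) -> None:
        self.serial = serial
        self.pinned: Optional[Dict[str, str]] = None  # None until the first boot report is saved

    def check_boot(self, report: Dict[str, str]) -> Tuple[bool, List[str]]:
        """Return (transactions_allowed, names_of_changed_components) for one boot report."""
        if self.pinned is None:
            self.pinned = dict(report)  # first boot: save the list as the reference
            return True, []
        if fingerprint(self.pinned) == fingerprint(report):
            return True, []
        # List the differing parts: swapped serials, removed parts and added parts alike.
        changed = sorted(
            name
            for name in set(self.pinned) | set(report)
            if self.pinned.get(name) != report.get(name)
        )
        return False, changed

    def update_pin(self, report: Dict[str, str]) -> None:
        """Operator-initiated re-pin: the saved list is replaced by the current report."""
        self.pinned = dict(report)
```

Because the reference list lives on the server side of the comparison, a replaced part is refused even if the terminal's own copy of the list was tampered with; only the operator's re-pin accepts the new serial.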

...

Terminal VPN

Terminal VPNs are supported on firmware versions 20221118 and newer.

...


If the file doesn't exist, run the command below on your server (as the root user):

    echo $HOSTNAME > "/batm/config/hostname"

  • The entry in the file will be used in URLs sent in emails and links.

  • Restart CAS to apply any changes to the hostname file.

A VPN is another specific hurdle for attackers. When enabled, the VPN establishes a secure tunnel between the BATM and CAS that cannot be intercepted or manipulated. A VPN ensures that all data traffic is encrypted end-to-end and protects more than a plain TLS connection does.

To implement the Terminal ↔︎ CAS VPN connection:

...

Log in to your server’s CLI

Create keys for every Terminal

...

use: batm-manage vpn-generate [terminal serial number]

...

Instructions: https://generalbytes.atlassian.net/l/cp/

...

Navigate to Terminal >> Settings and activate the VPN.

...

The VPN status will be shown in the sidebar status section of CAS:

...

Info

Terminal VPN clients use TCP port 7742.

It is redirected to the port range 13000:130xx, where xx is the index of the load-balanced interface.

  • Default = 1 load-balanced interface per 200 terminals.

  • If you drop all input on your firewall, you will have to re-enable incoming connections to these ports. See: Configuring Server Firewalls

If you manually restart your firewall:

You have to source this script: . /batm/vpngen/firewall-rules

  • It inserts the load-balancing and firewall rules for terminals at the top of the firewall rules table.

  • On a CAS server restart, the rules are loaded automatically.

Port 7741 can be closed after all terminals are connected through the VPN.

  • Any time a BATM is reset, it will attempt to reconnect via port 7741.

  • Open port 7741 as needed to reconnect these orphaned terminals.
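As an added example (not General Bytes tooling), the port rules above turned into a check an operator can run against a firewall allow list before dropping all input: the VPN listener 7742, the 13000:130xx backend ports sized from the terminal count at the default of 200 terminals per interface, and 7741 for as long as any terminal still reconnects without the VPN. It assumes interface indexes start at 0 (the page's file names use vpnTgroup0), so interface i maps to port 13000 + i; the allow sets in the test are constructed.

```python
import math
from typing import Iterable, List, Set

VPN_LISTEN_PORT = 7742          # from the page: Terminal VPN clients connect to this TCP port
LEGACY_PORT = 7741              # from the page: the non-VPN terminal port, used by any reset BATM
BACKEND_BASE_PORT = 13000       # from the page: 7742 is redirected into 13000:130xx
TERMINALS_PER_INTERFACE = 200   # from the page: default of one load-balanced interface per 200 terminals


def backend_ports(terminal_count: int, per_interface: int = TERMINALS_PER_INTERFACE) -> List[int]:
    """Ports of the load-balanced interfaces for a given terminal count.

    Assumption: interface indexes start at 0 (the page's file names use vpnTgroup0),
    so interface i listens on 13000 + i.
    """
    interfaces = max(1, math.ceil(terminal_count / per_interface))
    return [BACKEND_BASE_PORT + i for i in range(interfaces)]


def required_ports(terminal_count: int, all_terminals_on_vpn: bool) -> Set[int]:
    """Every TCP port that must stay reachable: the VPN listener, its backends,
    and 7741 until every terminal connects through the VPN."""
    ports = {VPN_LISTEN_PORT, *backend_ports(terminal_count)}
    if not all_terminals_on_vpn:
        ports.add(LEGACY_PORT)
    return ports


def firewall_gaps(allowed_tcp_ports: Iterable[int], terminal_count: int,
                  all_terminals_on_vpn: bool) -> List[int]:
    """Ports that must be open but are missing from the firewall's allow set (empty list = no gap)."""
    return sorted(required_ports(terminal_count, all_terminals_on_vpn) - set(allowed_tcp_ports))


def legacy_port_still_open(allowed_tcp_ports: Iterable[int], all_terminals_on_vpn: bool) -> bool:
    """True when 7741 is still allowed although every terminal already uses the VPN,
    i.e. the port the page says can be closed is still exposed."""
    return all_terminals_on_vpn and LEGACY_PORT in set(allowed_tcp_ports)
```

Run it with the set of TCP ports your firewall currently accepts and your terminal count; an empty gap list means the VPN path is not blocked, and a positive legacy_port_still_open result flags 7741 as something to close once the last terminal has moved onto the VPN.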

Note

Automatic and manual removal:

If you’ve already attempted to create keys for a Terminal without the hostname file, run:

    /batm/batm-manage vpn-clean

or manually remove these files to fix the install:

    rm /batm/vpngen/vpngen-easyrsa-vars.conf
    rm /batm/vpngen/vpn-initversion
    rm /batm/vpngen/vpn-list-terminal-groups.txt
    rm /batm/vpngen/vpn-list-terminals.txt
    rm /batm/vpngen/vpn-list-users.txt
    rm -R /etc/openvpn/keys/vpnTgroup0
    rm /etc/openvpn/vpnTgroup*.conf

VPN Troubleshooting

Logs:

Information about connected terminals to all load balancing interfaces:

    cat /var/log/openvpn/vpnTgroup*.log
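Reading those logs by eye gets slow once several load-balanced interfaces are in play, so here is an added example (not General Bytes tooling) that summarizes them: which terminal serials are currently connected and from where, and which peers attempted a session but failed the TLS handshake, which is what a connection without the terminal's client certificate looks like from the server side. It assumes OpenVPN's default server log format at verbosity 3, with the client certificate common name (taken here to be the terminal serial) in square brackets; the log lines are constructed.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample in the shape of an OpenVPN server log (verb 3). Assumptions: the
# bracketed common name is the terminal serial, and a real file would be one of
# /var/log/openvpn/vpnTgroup*.log. Addresses are documentation ranges.
SAMPLE_LOG = """\
Tue Mar 12 09:14:01 2024 203.0.113.7:51020 [BT300001] Peer Connection Initiated with [AF_INET]203.0.113.7:51020
Tue Mar 12 09:14:03 2024 198.51.100.9:40211 [BT300002] Peer Connection Initiated with [AF_INET]198.51.100.9:40211
Tue Mar 12 09:20:45 2024 BT300001/203.0.113.7:51020 SIGTERM[soft,remote-exit] received, client-instance exiting
Tue Mar 12 09:21:10 2024 192.0.2.44:60002 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Tue Mar 12 09:25:00 2024 203.0.113.7:51044 [BT300001] Peer Connection Initiated with [AF_INET]203.0.113.7:51044
"""

_TS = r"(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4})"
CONNECT = re.compile(_TS + r" (?P<peer>[\d.]+:\d+) \[(?P<cn>[^\]]+)\] Peer Connection Initiated")
DISCONNECT = re.compile(_TS + r" (?P<cn>[^/ ]+)/(?P<peer>[\d.]+:\d+) SIGTERM\[.*\] received, client-instance exiting")
TLS_FAIL = re.compile(_TS + r" (?P<peer>[\d.]+):\d+ TLS Error:")

Event = Tuple[str, str, str, str]  # (kind, timestamp, common name or "", peer)


def parse_events(text: str) -> List[Event]:
    """Turn the three line types we care about into events; everything else is ignored."""
    events: List[Event] = []
    for line in text.splitlines():
        m = CONNECT.match(line)
        if m:
            events.append(("connect", m["ts"], m["cn"], m["peer"]))
            continue
        m = DISCONNECT.match(line)
        if m:
            events.append(("disconnect", m["ts"], m["cn"], m["peer"]))
            continue
        m = TLS_FAIL.match(line)
        if m:
            events.append(("tls_fail", m["ts"], "", m["peer"]))
    return events


def summarize(text: str) -> Dict[str, Dict[str, object]]:
    """Current connection table keyed by terminal serial, plus TLS failures counted per source IP."""
    connected: Dict[str, str] = {}
    tls_failures: Dict[str, int] = defaultdict(int)
    for kind, _ts, cn, peer in parse_events(text):
        if kind == "connect":
            connected[cn] = peer          # a reconnect simply overwrites the old peer address
        elif kind == "disconnect":
            connected.pop(cn, None)       # dropped terminals leave the table
        else:
            tls_failures[peer] += 1
    return {"connected": connected, "tls_failures": dict(tls_failures)}


def terminal_history(text: str, serial: str) -> List[Tuple[str, str, str]]:
    """Ordered (kind, timestamp, peer) events for one terminal serial, e.g. to see flapping."""
    return [(kind, ts, peer) for kind, ts, cn, peer in parse_events(text) if cn == serial]
```

Feed it the concatenated output of the cat command above. A serial that keeps appearing in terminal_history as connect/disconnect pairs points at an unstable link on that terminal's side, while a source IP piling up tls_fail entries without ever reaching "Peer Connection Initiated" never presented a valid client certificate.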

Information about a specific terminal:

...
