Bill of Material

I tried to source all of the parts from one supplier so you could just add to cart and go. I picked sparkfun as I really like their gear and how they give back to the opensource community.

• Arduino Uno ($29.95) really most Arduinos will do but the Uno has 32k of Flash and my code might not fit in 14k arduino .
• HIH-4030 ($16.95) based humidity sensor. This is an analog sensor that is very easy to interface.
• BMP085 ($19.95) Barometric pressure sensor. This one is i2c based, so if your Arduino doesn’t have i2c ports you’ll need to find a replacement. NOTE THAT THIS IS A 3.3V SENSOR AND NOT 5 VOLTS
• DS18b20 ($4.95) 1-wire temperature sensor.
• 16×2 LCD ($24.95) This is optional if you don’t want the real time display, but come on, who doesn’t want a real time display!
• latching hall effect sensor ($1) This is optional. If you buy the vortex anemometer, it has a reed sensor that would also work.
• GPS Shield ($79.95) This is optional if you don’t want GPS coordinates or if you are using the serial output to push the data to another device that already has GPS data
• SD card adapter ($9.95) This is optional if you are not wanting to log data or are using the serial output for logging //Not Working
• Inspeed Vortex Anemometer ($55) any pulse based anemometer will work, but the vortex is very solid, has easily replaceable parts and is already at a great price.

Grand total you’re looking at $243 for the full package, or $128 if you don’t need GPS, the LCD screen or the SD card. Sparkfun sells each of these pieces like building blocks, so they have a fair amount of price overhead compared to the raw components. If you wanted to build this entirely on your own, you could get the price down to under $100 with all features enabled, but you’re going to need to know how to surface mount solder.

What’s it do?

The arduino is the brains of the whole system. At boot, it initializes all of the sensors and then starts looping over the humidity, temperature and pressure sensors reading each one. After it has a good reading of those three sensors, a series of calculations are made to figure out the dewpoint, heat index and temperature adjusted pressure. A routine is tied to interrupt 0 that is triggered for every rotation of the anemometer that increments a counter and measures the number of rotations that have occurred in the last second. That number is then used to calculate windspeed based on 1hz = 2.5mph . The LCD screen is updated once every second and the serial data is updated at around 2hz.

Wiring it up

I will do a sketch and upload it shortly

Basic code with no SD card

This is the code that you would use if you built this system with no SD Card. It needs at least Arduino 1.0, The Dallas OneWire library and at least 14k of storage. You’ll need at least an arduino with 18k of flash and not a Mega or Leonardo. The code will run on a mega/leonardo, but the pins will be all messed up and you might damage the 3.3v sensor. The GPS also needs to be set to pins 4 and 5, see sparkfuns documentation on how to move those pins. Be warned, I am NOT a developer so this code will be far from efficient.

/*Mobile weather station using Arduino and some sensors
 Can be used with an anemometer, temp, humidity and pressure sensors
 anemometer is interrupt driven off a Hall sensor
 2013/05/14  removed DS18S20 requirement, now just using the temp off 
 the bmp085
 2013/05/15  removed an overflow condition in the anemometer. Migrated to the 
 adafruit bmp085 library. added a blinky light for the anemometer
 */

#include <Adafruit_BMP085.h>
#include <OneWire.h>
#include <Wire.h>
#include <SoftwareSerial.h>
#include <math.h>
#include <TinyGPS.h>

//LCD stuff
SoftwareSerial lcd(6, 7);  //LCD on D6 and D7

//Temperature stuff
float Tempc;

//Anemometer stuff
unsigned long rpm;
unsigned long timeold;
unsigned long rpmcount; 
int led = 13; //Pin an LED is hooked to that flashes with each anemometer RPM

//Humidity stuff
const int HIHPin = 0; //analog pin 0
float RH;
float temperature;
float max_voltage;
float dewpoint = 0;
float td;

//Barometer stuff
Adafruit_BMP085 bmp;
long pressure;

//GPS Stuff
#define RXPIN 5 // Set GPS Receiver RX 
#define TXPIN 4 //Set GPS Receiver TX 
#define GPSBAUD 4800 //Not your serial coms, this is for GPS com
int year;
byte month, day, hour, minute, second;
float latitude, longitude;
unsigned long age;
TinyGPS gps;  //initialize the tinygps library and use it
SoftwareSerial uart_gps(RXPIN, TXPIN); //Init GPS software UART

void rpm_irq() {              //Routine that is run when INT is trigged, Don't add too much stuff here
   rpmcount++;                //increments a counter and flashes a light
   digitalWrite(led,HIGH);
   delay(50);
   digitalWrite(led,LOW);
}

void setup() {
  Serial.begin(115200); 
  attachInterrupt(0, rpm_irq, FALLING); 
  Wire.begin();
  if (!bmp.begin()) {
    Serial.println("Could not find a valid BMP085 sensor, check wiring!");
    lcd.print("NO SENSOR FOUND");
  while (1) {}
  }
  lcd.begin(9600);  //Start the LCD at 9600 baud
  clearDisplay();  //Clear the display
  setLCDCursor(2);  //set cursor to the 1st line
  lcd.print("Initializing");
  setLCDCursor(16);  //Set the cursor to the beginning of the 2nd line
  lcd.print("Please wait...");
  uart_gps.begin(GPSBAUD);  //start GPS
  //Flash the backlight:
  for (int i=0; i<3; i++)
  {
    setBacklight(0);
    delay(250);
    setBacklight(255);
    delay(250);
  }
  pinMode(led, OUTPUT);
}

void loop(){  
  //Update wind speed every 3 RPM
  //if(rpmcount>=3) {
  //  rpm=(2500*rpmcount)/((millis()-timeold));  //Convert RPM to MPH basde on 1hz=2.5mph
  //  timeold = millis(); //count the ms spent in IRQ
  //  rpmcount = 0;
 // }
  //update most displayed parameters every second
  if (!(millis() % 1000))
  {
    rpm=(2500*rpmcount)/((millis()-timeold));  //Convert RPM to MPH basde on 1hz=2.5mph
    timeold = millis(); //count the ms spent in IRQ
    rpmcount = 0;
    pressure = bmp.readPressure();
    float temperature = getTemp();
    float DewPoint = ReadDewpoint(temperature);
    RH=ReadHumidity();
    clearDisplay();  //Clear the display
    setLCDCursor(3);  //set cursor to 1
    setLCDCursor(0);  //set cursor to 1
    lcd.print(rpm,DEC);
    lcd.print(" MPH "); //print data to the LCD
    lcd.print(pressure);
    lcd.print(" pa");
    setLCDCursor(16);  //Set cursor to the 3rd spot, 1st line
    lcd.print(temperature);
    lcd.print((char)223);
    lcd.print(" ");
    lcd.print(DewPoint,2);
    lcd.print((char)223);
    Serial.print(year, DEC); 
    Serial.print("/");
    Serial.print(month, DEC);
    Serial.print("/"); 
    Serial.print(day, DEC);
    Serial.print(",");
    Serial.print(hour, DEC); 
    Serial.print(":"); 
    Serial.print(minute, DEC); 
    Serial.print(":"); 
    Serial.print(second, DEC);
    Serial.print(",");
    //Latitude 
    Serial.print(latitude,5); 
    Serial.print(",");
    //Longitude 
    Serial.print(longitude,5);
    Serial.print(",");
    //Altitude in meters
    Serial.print(gps.f_altitude());
    Serial.print(" m,");  
    //Heading in degrees
    Serial.print(gps.f_course());
    Serial.print(" deg,"); 
    //Speed in KMh
    Serial.print(gps.f_speed_kmph());
    Serial.print(" KMh,");
    //wind speed in MPh
    Serial.print(rpm,DEC);
    Serial.print(" MPH,");
    //Humidity in %
    Serial.print(RH,4);
    Serial.print(" RH,");
    //Temp in F
    Serial.print(temperature);
    Serial.print(" F,");
    //Dewpoint in F
    Serial.print(DewPoint);
    Serial.print(" DPF,");
    //Pressure in PA
    Serial.print(pressure);
    Serial.println(" pa");
  }  

    //update GPS data every 10 seconds
  if (!(millis() % 10000))  //If it's been 10s
  {

    while(uart_gps.available())     // While there is data on the RX pin...
  {
    int c = uart_gps.read(); 
    gps.encode(c);
  }
    gps.f_get_position(&latitude, &longitude, &age);
    if (age == gps.GPS_INVALID_AGE)
    {
       lcd.print(" !");
    }
    else {
      lcd.print(" K");
      gps.crack_datetime(&year, &month, &day, &hour, &minute, &second);  
     lcd.print(" K");
    }
  }
}

void setBacklight(byte brightness)
{
  lcd.write(0x80);  // send the backlight command
  lcd.write(brightness);  // send the brightness value
}

void clearDisplay()
{
  lcd.write(0xFE);  // send the special command
  lcd.write(0x01);  // send the clear screen command
}

void setLCDCursor(byte cursor_position)
{
  lcd.write(0xFE);  // send the special command
  lcd.write(0x80);  // send the set cursor command
  lcd.write(cursor_position);  // send the cursor position
}

float ReadHumidity()
{
  //Humidity sensor is temperature sensitive and requires real temp to get an accurate value
  float val = 0;
  float RH = 0;
  float voltage;
  max_voltage = (5-(0.00372549*temperature)) ; // The max voltage value drops down 0.00372549 for each degree F over 32F. The voltage at 32F is 3.27 (corrected for zero precent voltage)
  val = analogRead(HIHPin);
  voltage = val/1023. * max_voltage; //this is calibration data, see the HIH datasheet for more info
  RH = 161.0 * voltage / max_voltage - 25.8;
  RH = RH / (1.0546 - 0.0026 * (temperature - 32  * 5/9)); 
  return RH;
}

float ReadDewpoint(float temperature)
{
  float TempC;
  TempC = (temperature - 32) * 5/9;
  td = (log10(RH)-2.0)/0.4343+(17.62*TempC)/(243.12+TempC);  //calculate dewpoint
  dewpoint = ((243.12*td/(17.62-td) * 9/5)+32);
  return dewpoint;
}

float getTemp(){
  float TemperatureSum = bmp.readTemperature();
  TemperatureSum = (TemperatureSum *1.8) + 32;
  return TemperatureSum;

}

 

openssl s_client -connect www.google.com:443

This connects to google.com over SSL and will display on screen and should look something like this.

jason@boomer:~$ openssl s_client -connect google.com:443
CONNECTED(00000003)
depth=1 C = US, O = Google Inc, CN = Google Internet Authority
verify error:num=20:unable to get local issuer certificate
verify return:0
—
Certificate chain
0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=*.google.com
i:/C=US/O=Google Inc/CN=Google Internet Authority
1 s:/C=US/O=Google Inc/CN=Google Internet Authority
i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
—
Server certificate
—–BEGIN CERTIFICATE—–
…

Another command I’ll run is to make sure weak SSL ciphers aren’t enabled on my hosts, so using the same command but adding -cipher LOW


jason@boomer:~$ openssl s_client -connect google.com:443 -cipher LOW

CONNECTED(00000003)
139786025997984:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:741:
—
no peer certificate available
—
No client certificate CA names sent
—
SSL handshake has read 7 bytes and written 70 bytes
—
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE

Now sit back and enjoy the awesome. Most of the time you don’t get any feedback when you do this,  so just try to run ‘telnet’ after the command returns.


DISM /online /Cleanup-Image /SpSuperseded


Will run for awhile and clean up all of those left over remnants on your drive.  Output should look something like this

 
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\Windows\system32>DISM /online /Cleanup-Image /SpSuperseded

Deployment Image Servicing and Management tool
Version: 6.1.7600.16385

Image Version: 6.1.7600.16385

Removing backup files created during service pack installation.
[==========================100.0%==========================]
Service Pack Cleanup operation completed.
The operation completed successfully.

C:\Windows\system32>

I’m using swatch in linux to monitor my auth.log file looking specifically for brute force attempts, note that this is not a complete treatise on all of my security precautions, this is just how I deal with the ones that really annoy me.  My swatch.conf is here

watchfor /authentication failure/
threshold track_by=$1, type=both, count=5, seconds=3600
exec /usr/local/bin/notifyme "$_"


I’m essentially telling swatch to look for any attacker that fails more then 5 ssh attempts in 1 hour, when you find such a person send the log file entry that triggered the alert over to a script called /usr/local/bin/notifyme as a parameter.

notifyme is just a bash script that uses a few external programs.

Next you just need to run twidge for the first time and set it up with your twitter account.

The bash script itself is pretty simple.  When it runs, it takes the string sent to it from swatch, creates an email and a tweet off of the hostname, time and user they tried to break in as and then runs a noisy and thorough nmap scan against the host attacking you. No point in being quiet, if someone triggers this alert it wasn’t by accident.   If the host is running a webserver, nmap will also create a png screenshot of the page that they are serving and store it in /tmp. I used to have it sent in an email but one time I got 4 20mb png files that came in over a 3g connection. so we don’t do that anymore.

#!/bin/bash

echo "To: $RCPT" >>$FILE
echo "From: $FROM">>$FILE
echo "Subject: $SUBJECT" >>$FILE
echo "" >>$FILE
echo "" >>$FILE
echo "On $DATE, asshat at $HOST tried to ssh brute force as $USER" >>$FILE
echo "Running nmap scan..." >>$FILE
nmap -A -P0 -sV --script=default,http-screenshot $HOST >>$FILE
echo "---" >>$FILE
echo "" >>$FILE
echo "" >>$FILE
PORTS=`cat /tmp/message.txt |grep open | awk -vORS=' ' {'print $1'}|grep -v Warning`
TWEET="#WallofShame $HOST open ports $PORTS"
TWEET=`echo $TWEET | cut -c-140`
ssmtp -s $SUBJECT -f $FROM $RCPT <$FILE
twidge update "#WallOfShame $HOST tried to brute force SSH as $USER on $DATE"
twidge update "$TWEET"

If you want to take this further, you can integrate calls to shodanhq using curl that will also pull back what security vulnerabilities the attacking host’s listening services are vulnerable to. I started off initially posting this information to twitter but decided that “incite to violence” would be an appropriate description for that feature.   But lets say you felt like you needed to do that research anyways, field #3 in the nmap open port results is all you need to submit to shodan to see if your attacker has a great big hole in his boat.

curl http://www.shodanhq.com/exploits?q=`cat $FILE | grep open | awk {'print $3'}`


Lots and lots of room for improvement, but this is where I’m starting. you can monitor my scripts output by following my twitter account at @scratchhax

1. open regedit and look for the following key

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Msahci

2. right click on “Start” and select “Modify”
3. Change the value to be “0″ and then reboot

Be sure that you enabled AHCI support in your BIOS. when you reboot windows will install the AHCI drivers for your drives and then make you reboot again.

open a command prompt as admin. It has to be admin or this won’t work. Run the following
fsutil behavior query disabledeletenotify

DisableDeleteNotify = 1 means that TRIM is disabled
DisableDeleteNotify = 0 means that TRIM is enabled

Note that TRIM will only work on an SSD drive that is set to use AHCI in BIOS. If you installed windows using Legacy or SATA mode, you can either reinstall windows after switching your BIOS to AHCI or you can edit your registry to enable AHCI drivers after you have changed your BIOS to use AHCI

2factor authentication is awesome, therefore google authenticator is awesome.  I wanted all of my internet connected boxes to use 2factor for ssh, but only when the source IP isn’t coming from one of my internal networks. Here is how I did that on ubuntu 12.10

install the google_authenticator pam module

sudo apt-get install libpam-google-authenticator


edit /etc/pam.d/sshd and add the following before the @include common-auth line

auth [success=1 default=ignore] pam_access.so accessfile=/etc/security/access-local.conf
auth required pam_google_authenticator.so


create the file /etc/security/access-local.conf and add the following to it

+ : ALL : 192.168.0.0/28
+ : ALL : LOCAL
- : ALL : ALL

192.168.0.0/28 should be the subnet of your trusted network that you will not require 2factor from.

Edit /etc/sshd/sshd_config and make sure that

ChallengeResponseAuthentication yes

is set. By default it is set to No.

Install the google authenticator app on your phone and add a new source. Log into your server as the user that you want to setup and run, from the command line

google-authenticator


Now either copy the codes into your authenticator app or scan the QR code. Restart ssh and you’ll be done! If you try to connect from a host outside of your trusted network, you should get prompted for your 2factor code. Anything inside of your trusted network should be allowed in with just a password.