Discussion:
[Koha] Why are there two SIP2 ports in Koha?
Michael Kuhn
2018-08-28 19:21:03 UTC
Hi

When using the standard configuration in file "SIPconfig.xml" after
enabling and starting the SIP2 servers there are two ports:

<service
port="8023/tcp"
transport="telnet"
protocol="SIP/2.00"
timeout="60" />

<service
port="127.0.0.1:6001/tcp"
transport="RAW"
protocol="SIP/2.00"
client_timeout="600"
timeout="60" />

We have just reconfigured the following line

port="10.0.0.1:6001/tcp"

and our 3M SelfCheck System Model 8420 can successfully connect and
communicate via port 6001, without needing to add any sign in commands
in expect syntax (which is needed when using port 8023 via telnet, as it
is described in
https://wiki.koha-community.org/wiki/Setting_up_Koha_SIP_and_3M_machines ).

Can someone please explain why there are two ports? Are these just
offering the same functionality in two different ways (telnet, RAW), or
is it maybe recommended to use telnet for some unknown security reasons?

Best wishes: Michael
--
Geschäftsführer · Diplombibliothekar BBS, Informatiker eidg. Fachausweis
Admin Kuhn GmbH · Pappelstrasse 20 · 4123 Allschwil · Schweiz
T 0041 (0)61 261 55 61 · E ***@adminkuhn.ch · W www.adminkuhn.ch
_______________________________________________
Koha mailing list http://koha-community.org
***@lists.katipo.co.nz
https://lists.kati
Galen Charlton
2018-08-28 19:25:19 UTC
Hi,
Post by Michael Kuhn
Can someone please explain why there are two ports? Are these just
offering the same functionality in two different ways (telnet, RAW), or
is it maybe recommended to use telnet for some unknown security reasons?
They offer the same functionality, just with slightly different ways
of logging in the SIP client. Most SIP2 devices we run into nowadays
use "raw"; the port 8023 config that ships with Koha can be treated as
an example to comment out unless specifically needed by one of your
SIP2 devices.

Regards,

Galen
--
Galen Charlton
Implementation and Services Manager
Equinox Open Library Initiative
phone: 1-877-OPEN-ILS (673-6457)
email: ***@equinoxInitiative.org
web: https://equinoxInitiative.org
direct: +1 770-709-5581
cell: +1 404-984-4366
Michael Kuhn
2018-08-28 20:10:06 UTC
Hi Galen and Chris

Many thanks for your quick answers! So we will however deactivate the
unneeded SIP2 server on port 8023.
Post by Chris Cormack
Of course SIP2 is hideously insecure so those ports should never be
exposed except on localhost and run through stunnel or a VPN.
If you expose unencrypted SIP2 traffic on a network then you are
sending all sorts of personal info unencrypted, most likely violating
the GDPR. And definitely opening yourself up to being compromised.
Thanks for clarifying that. We will try to find a way to secure the
unencrypted SIP2 traffic (most probably using stunnel).

Best wishes: Michael
--
Geschäftsführer · Diplombibliothekar BBS, Informatiker eidg. Fachausweis
Admin Kuhn GmbH · Pappelstrasse 20 · 4123 Allschwil · Schweiz
T 0041 (0)61 261 55 61 · E ***@adminkuhn.ch · W www.adminkuhn.ch
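Since the thread settles on stunnel as the way to put TLS around the RAW listener, here is what that pairing looks like as an added example; it is not configuration from the thread or from the Koha project. It keeps the RAW SIP2 service on 127.0.0.1:6001 exactly as shipped and lets stunnel own the only network-facing socket. The listening port 6443, the host name koha.example.org, the certificate paths and the service names are assumptions chosen for the example.

```ini
; ---- File 1: /etc/stunnel/sip2-server.conf on the Koha host (assumed path) ----
; stunnel runs in server mode by default: it accepts TLS from the network and
; forwards plaintext to the RAW SIP2 listener, which stays bound to loopback only.
pid  = /var/run/stunnel-sip2.pid
cert = /etc/stunnel/koha-sip2.pem   ; server certificate (chain), assumed path
key  = /etc/stunnel/koha-sip2.key   ; matching private key, assumed path

[sip2-server]
accept  = 0.0.0.0:6443              ; TLS port exposed to the self-check network (assumed)
connect = 127.0.0.1:6001            ; the RAW listener from SIPconfig.xml, unchanged

; ---- File 2: /etc/stunnel/sip2-client.conf beside the self-check (assumed path) ----
; Client mode: accept plaintext from the self-check unit and send it over TLS.
; Options set before the first [section] act as defaults for every service.
client      = yes
verifyChain = yes                   ; reject servers whose chain does not validate
CAfile      = /etc/stunnel/library-ca.pem   ; CA that signed the Koha certificate (assumed)
checkHost   = koha.example.org      ; certificate must carry this name (assumed host)

[sip2-client]
accept  = 127.0.0.1:6001            ; the self-check software keeps talking to "localhost:6001"
connect = koha.example.org:6443     ; TLS endpoint of File 1 (assumed host)
```

The hop between the self-check unit and the client-side stunnel is still plaintext SIP2, so the client endpoint belongs on the self-check machine itself or on the same physically protected segment; where the device cannot run stunnel and the segment is shared, the VPN alternative mentioned in the thread is the better fit. With this in place the 8023 telnet service can stay commented out and the RAW service never needs to be rebound away from 127.0.0.1.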
Chris Cormack
2018-08-28 19:34:30 UTC
Some self check machines operate SIP2 over telnet instead of raw. It's no more secure but some older machines work that way.

Of course SIP2 is hideously insecure so those ports should never be exposed except on localhost and run through stunnel or a VPN.

If you expose unencrypted SIP2 traffic on a network then you are sending all sorts of personal info unencrypted, most likely violating the GDPR. And definitely opening yourself up to being compromised.

(it's trivial to capture the user and password of the SIP2 user at the very least)

Chris
--
Sent from my Android device with K-9 Mail. Please excuse my brevity.
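The advice above reduces to one check an administrator can run before starting the SIP servers: is every <service> in SIPconfig.xml bound to loopback, or does one of them listen on a LAN address or on all interfaces? The following is an added example, not code from the thread or from Koha. It parses the two listener entries quoted in the thread plus the rebound 10.0.0.1 line, using the port syntax shown there ("8023/tcp" for all interfaces, "127.0.0.1:6001/tcp" for one address). The <acsconfig>/<listeners> wrapper and the namespace URI are assumptions about the surrounding file, and the sample document is constructed for the example.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample: the two <service> lines from the thread plus the rebound
# 10.0.0.1 line. The acsconfig/listeners wrapper and namespace are assumptions.
SAMPLE_SIPCONFIG = """
<acsconfig xmlns="http://openncip.org/acs-config/1.0/">
  <listeners>
    <service port="8023/tcp" transport="telnet" protocol="SIP/2.00" timeout="60" />
    <service port="127.0.0.1:6001/tcp" transport="RAW" protocol="SIP/2.00"
             client_timeout="600" timeout="60" />
    <service port="10.0.0.1:6001/tcp" transport="RAW" protocol="SIP/2.00"
             client_timeout="600" timeout="60" />
  </listeners>
</acsconfig>
"""


def local_name(tag):
    """Reduce a namespaced ElementTree tag like '{uri}service' to 'service'."""
    return tag.rsplit('}', 1)[-1]


def parse_port(spec):
    """Split a listener spec ('8023/tcp' or '127.0.0.1:6001/tcp', optionally
    '[::1]:6001/tcp') into (host_or_None, port, proto). A missing host means
    the server binds every interface."""
    addr, _, proto = spec.partition('/')
    host, sep, port = addr.rpartition(':')
    if not sep:
        return None, int(addr), proto or 'tcp'
    return host.strip('[]'), int(port), proto or 'tcp'


def exposure(host):
    """Classify where a bind address is reachable from."""
    if host is None or host == '*':
        return 'all interfaces'
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # A hostname rather than an address: assume it resolves to a LAN-facing interface.
        return 'non-loopback'
    if ip.is_unspecified:          # 0.0.0.0 or ::
        return 'all interfaces'
    if ip.is_loopback:             # 127.0.0.0/8 or ::1
        return 'loopback'
    return 'non-loopback'


def audit_sipconfig(xml_text):
    """Return one finding per <service> element, flagging any listener that is
    reachable beyond loopback. Both transports carry plaintext SIP2, so the
    transport is reported for context only and does not change the verdict."""
    root = ET.fromstring(xml_text)
    findings = []
    for el in root.iter():
        if local_name(el.tag) != 'service' or not el.get('port'):
            continue
        host, port, proto = parse_port(el.get('port'))
        scope = exposure(host)
        findings.append({
            'host': host or '0.0.0.0',
            'port': port,
            'proto': proto,
            'transport': el.get('transport', '').upper(),
            'scope': scope,
            'exposed': scope != 'loopback',
        })
    return findings


def exposed_listeners(xml_text):
    """Only the findings an operator must act on (wrap in stunnel/VPN or rebind)."""
    return [f for f in audit_sipconfig(xml_text) if f['exposed']]


if __name__ == '__main__':
    for f in audit_sipconfig(SAMPLE_SIPCONFIG):
        verdict = 'EXPOSED' if f['exposed'] else 'ok     '
        print(f"{verdict} {f['host']}:{f['port']}/{f['proto']} "
              f"transport={f['transport']} scope={f['scope']}")
```

Run against the sample, the shipped 8023 telnet entry is reported as listening on all interfaces and the rebound 10.0.0.1:6001 entry as a LAN-facing listener; only the original 127.0.0.1:6001 entry passes. Pointing the script at the live file before each restart of the SIP servers catches the exact rebinding the thread describes.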