    Mar 04 2008

    Trixbox: Intercoms, spooking intruders, and scaring friends

    Posted by blackice912

    While I’m not writing this to inform you about ways to scare friends and family, the title could be true if the following idea were used in a sinister way. I am working on creating a very clever security system in my apartment. This is mostly for fun, but it does have practical applications. More on that when I spend more money on the project.

    As a part of this security system, I want the ability to talk to (or spook) whoever is in my apartment. If I get a message that my door has been opened, I want to give the intruder the sense that there is someone around and completely aware of what is going on. There are other practical applications too, such as monitoring kids while you’re away to make sure they aren’t in a yelling match or to make sure the babysitter isn’t being a bad example.

    I figured the best way to provide an example of this was to show it in action. I have recorded a video which shows me calling a telephone number and Trixbox kicking into action. I will explain how this is done after the video:


    So how does one pull off something like this? Well, first you need to make sure that your Trixbox has an inbound telephone number (you can get a cheap 800 number from sites such as Vitelity) so that you can actually interact with your system. Once you have that figured out, you need to add a custom extension in the extensions_custom.conf file. An example entry would look something like this:

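    [custom-intercom]
    ; Ask the called phone to auto-answer (intercom mode)
    exten => s,1,Set(__SIPADDHEADER=Call-Info: \;answer-after=0)
    exten => s,2,Set(__ALERT_INFO=Auto Answer)
    exten => s,3,Set(__SIP_URI_OPTIONS=intercom=true)
    ; With the j option, jump to priority 105 (n+101) if no channel is available
    exten => s,4,ChanIsAvail(SIP/4587&SIP/9321,js)
    exten => s,5,Macro(user-callerid,)
    ; Call extension 4587 and play "beep" to it when it answers
    exten => s,6,Dial(Local/4587@from-internal,,A(beep),)
    ; Reached through the jump from priority 4
    exten => s,105,Macro(vm,4587,BUSY)
    exten => s,106,Wait(5)
    exten => s,107,Macro(hangupcall,)
    exten => s,hint,SIP/4587&SIP/9321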

    In the above example (which was originally posted on the Trixbox forums by another user), 4587 is the extension I am calling and putting into speakerphone/intercom mode, while 9321 is the extension I am calling from.

    After you have the code added to extensions_custom.conf, you must add a Custom Destination. If you were to use the above code, your custom destination would be something such as:

    custom-intercom,s,1

    Now you can finish up by adding a new inbound trunk, setting the Caller ID Number to your mobile phone number, and setting the call destination to the new Custom Destination you just set up. This will make sure that calls only go to intercom/speakerphone mode when you call, and that all other calls route normally.

    The above method is pretty secure unless someone figures out your mobile number and the phone number associated with Trixbox: many VoIP services allow you to enter fake caller ID information (which can be useful in the correct and honest conditions), so the caller ID match alone cannot tell your phone from someone presenting your number.

    If you have questions or corrections to this entry, please let me know by leaving a comment. Also if you’re tempted to call the number listed in the video: I registered it for this video and it has since been decommissioned.

    Feb 02 2008

    mod_rewrite - Beginner to Beginner

    Posted by blackice912

    The Apache module mod_rewrite is one of those things that many people don’t use or don’t know how to use properly. It not only helps your website with Search Engine Optimization (SEO), but makes your overall site look cleaner. WordPress has built-in support for mod_rewrite and I am taking advantage of it here, but it’s also something I’ve started using full time with any coding projects I take part in.

    First, let’s look at a sample implementation of mod_rewrite. In this example we are imagining our .htaccess file is located in the root of our public html folder:

    1. <IfModule mod_rewrite.c>
    2. RewriteEngine on
    3. # RewriteRule Pattern Substitute
    4. RewriteRule ^folder-a/([a-z.0-9]+)$ hidden-a/image/$1
    5. RewriteRule ^about$ modules/plugins/index.php?mod=about
    6. RewriteRule ^folder-c/([0-9]+)$ hidden-c/?id=$1
    7. </IfModule>

    Let’s start with lines 1 and 7: while you probably don’t need these if you’re going to run the script on your site only and not distribute it, it’s best to include them as a habit anyway in case you do develop a script you want to give away.

    Next we get to lines 2 and 3: line 2 tells mod_rewrite to turn on, while line 3 shows the form each rule takes, a pattern followed by its substitute (replace X with Y). Nothing we really need to worry about.

    Lines 4, 5, and 6 are where the fun begins. Right off you see that each line begins with RewriteRule, which tells mod_rewrite that this line contains URL modification commands. The next part always starts with ^ and ends with $ (like a container). The data contained in this part is basically our “if ($X = $Y), then grab data from $Z” line. The final part is our $Z line, as we are grabbing the actual data from the location mentioned in this part. A more detailed explanation follows.

    PART A      PART B                   PART C
    RewriteRule ^folder-a/([a-z.0-9]+)$  hidden-a/image/$1

    In line 4 we are telling the system to look for calls to folder-a followed by a name made up only of lowercase letters a through z, periods, and the numbers 0 through 9. If these parameters match, load the actual data located at hidden-a/image/$1, but replace the $1 with the information that came after folder-a. So as an example: if your user requests http://yoursite.com/folder-a/foo.jpg, your site is going to return http://yoursite.com/hidden-a/image/foo.jpg. As this all happens server side, your URL stays nice and clean.

    In line 5, we have a very basic example. If someone loads the about directory on your site, it automatically returns modules/plugins/index.php?mod=about. This is a nice way to hide those ugly variables and long URLs. Wouldn’t you rather have http://yoursite.com/about rather than http://yoursite.com/modules/plugins/index.php?mod=about? Some may argue that such an example is over stretching things a bit, but the point is getting across.

    Line 6 is a lot like line 4. If something after folder-c matches the numbers 0 through 9, grab the data from hidden-c/?id=$1 and replace $1 with the numbers we grabbed after folder-c.

    So mod_rewrite is a great way to have clean URLs. Can it also improve your script security? To a point, yes. Now, as I mentioned earlier, I am really just a beginner to mod_rewrite — I’ve only been using it less than a week. However, so far I have not found a way to find out the true URL of a script that is hiding behind mod_rewrite. I know a few sites that use it and the only way I have been able to find the true URL was to have direct access over SFTP. Because of this advantage, you can use mod_rewrite to help secure input validation. By no means am I suggesting you should depend on mod_rewrite to validate all variables passed through the URL, but every extra bit helps.

    Let’s look at line 6 as an example. In this line I am telling the code to only pass information along to my hidden-c folder if the data after folder-c is a number. It doesn’t matter how long or short the number is, it just has to be a number. If someone were going to attempt a SQL injection attack, mod_rewrite would not pass the data along, as the conditions in the string would not match what we have set up.
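
    The three rules above modelled in Python, as an added example that is not part of the original post: it runs constructed request URLs through the patterns to show which ones are rewritten and which pass through untouched. The first-match-wins loop, the function names and the sample URLs are assumptions made for the illustration.

```python
import re

# The three RewriteRule lines from the .htaccess above, as (pattern, substitution).
# The backreference $1 is written \1 for Python's re module.
RULES = [
    (r"^folder-a/([a-z.0-9]+)$", r"hidden-a/image/\1"),
    (r"^about$", "modules/plugins/index.php?mod=about"),
    (r"^folder-c/([0-9]+)$", r"hidden-c/?id=\1"),
]

def rewrite(url):
    """Return (target, matched) for one request URL.

    Simplified model (assumption): the first matching rule wins. As in a
    .htaccess file, the pattern is tested against the URL path only, without
    the leading slash and without the query string.
    """
    path, _, query = url.lstrip("/").partition("?")
    for pattern, substitution in RULES:
        match = re.search(pattern, path)
        if match:
            target = match.expand(substitution)
            # A substitution with its own query string replaces the client's
            # query string (no QSA flag); otherwise the original is kept.
            if query and "?" not in target:
                target += "?" + query
            return target, True
    # No rule matched: mod_rewrite leaves the request exactly as it arrived.
    return url.lstrip("/"), False

# Constructed sample requests, not taken from any real log.
SAMPLES = [
    "/folder-a/foo.jpg",   # lowercase name: rewritten by line 4
    "/folder-a/Foo.JPG",   # uppercase is outside [a-z.0-9]: not rewritten
    "/about",              # rewritten by line 5
    "/folder-c/42",        # digits only: rewritten by line 6
    "/folder-c/42'",       # non-digit character: line 6 does not match
    "/folder-c/42?id=x",   # client query string is discarded by line 6
    "/hidden-c/?id=42'",   # request for the real path: no rule applies
]

def report():
    """Map every sample URL to its (target, matched) result."""
    return {url: rewrite(url) for url in SAMPLES}

if __name__ == "__main__":
    for url, (target, matched) in report().items():
        print(f"{url:20} -> {target:38} {'rewritten' if matched else 'passed through'}")
```

    The last sample shows why the script behind hidden-c/ still has to validate id itself: the rules constrain only requests that arrive through the rewritten URL.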

    I hope that helped some of you better understand mod_rewrite. For more detailed information, please check out this full document on the mod_rewrite feature.
