What's new

[DIY] - SmallNetworks - Learning by Doing

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

Here's a small sample of the re-write/cleanup - this is the OpenSSH and VNC section for Remote Access - this is not final, but an indication that I'm taking it a bit more seriously this time...

(if folks notice - this is in Wiki Markup, so it works with DokuWiki, and might work with other Wiki engines as well)

Code:
====== Remote Access ======

As a server, we don't always need to keep a monitor/keyboard mouse attached - I don't have one attached to my servers except when initially setting up the system - once complete, the keyboard/monitor/mouse are removed as it's one small way of improving security a little bit (difficult physical access to the console)

The following sections will enable us to establish secure remote access to the host - whether on the local network, or remote/offsite

==== SSH Server ====
Let's sort ssh - we have lots of space, so let's use OpenSSH vs Dropbear

//**Comment** - Dropbear, like BusyBox, is awesome software, and great for an small footprint (mem/storage) environment - they're safe and secure to use, but in this walkthru, we have a full linux install, and there are better tools to use//.

**Install OpenSSH Server**

  sudo apt install openssh-server

ssh back into the box

  ssh test@192.168.1.6

or try if you have installed avahi-daemon as noted above

  ssh test@testbox.local

Note - most of the defaults are fine, so we'll hit the high points to improve security

edit the /etc/ssh/sshd_config - save a copy first - 

  sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak

and then 

  sudo nano /etc/ssh/sshd_config

edit/change the following:

  LogLevel VERBOSE
  LoginGraceTime 30
  PermitRootLogin no
  MaxAuthTries 3
  X11Forwarding no
  MaxStartups 2:30:10

Add this line - this is for additional security - if the AllowUsers directive is used, then only user accounts that follow will be allowed to authenticate, others, even if they have an account on the system, will not be allowed - this is whether passwords are used or keyfiles.

  AllowUsers test

Save changes - restart ssh keep current session open

  sudo service ssh restart

Try to login to the ssh server again - should work, if not, check your edits...

** SSH Hardening for Security **

We've already done the two best steps - Disabling the Root Login, and the Access Users directive. These two items will block every connect attempt - I've had an SSH server sitting in my home network forwarded out to the public internet for many years, with thousands of attempts a week, and no compromises.

The absolute very best way to secure SSH is to use public/private key based logins. The downside is that keybased logins do incur a bit more effort to set up on the server side, and if one works with many clients, there's the overhead of managing all those key files across the client machines.

//**Comment** - Public/Private Keys by themselves do not offer more security, however they do offer more 'trust' which is just as important - I use them at work, and I think they're a good idea - I'm just not in a position to answer 1000 questions on certificates, key management, client configurations - when username/passphrase (the PW isn't sent in the clear, btw) is sufficient for most folks - the best security is simple security, things break when more steps are added.//

If you want to set up Public/Private Keys for OpenSSH, see the excellent reference on Ubuntu's wiki, the steps there apply pretty much to any linux based OpenSSH server.

**Changing SSHD Ports**

I'm only adding this as folks will say - How to change the sshd port?

Changing ports is not always a good idea, as it's security thru obscurity, which is no security at all as the robots will always find a way.

I've seen posts on the forums where folks are unwisely using port 80 and/or port 443 - without understand the issues with those ports and processes that run as root, or owned by root - bad idea.

If you __must__ change the SSH port keep in mind that port numbers below 1024 are privileged ports that can only be opened by root or processes running as root. 

So pick always port above that - used to be that above TCP port 8000 was good, but many apps are starting to use them.

If you change the SSH port also open the new port you have chosen on the firewall and close port 22.

  sudo vi /etc/ssh/sshd_config

Change or add the following line and save. Again, consider above before doing this.

  Port <ENTER YOUR DESIRED PORT>

Restart SSH server:

  sudo service ssh restart

If you get locked out, you know why. 

OpenSSH is very secure if done right.
==== VNC server ====

Now that we have SSH going, we'll add a secure VNC connection endpoint - and we can scrub using an attached keyboard/mouse/monitor

Remote Desktop - tightvnc with xfce, xfce is a lighteight desktop environment - as an option, if one installed Ubuntu Server addition, it's a good time to consider installing a desktop environment - I recommend Xubuntu-Desktop as it's lightweight enough, and very fast over a VNC connection.

**Install xuBuntu-Desktop and Firefox**

  sudo apt install xubuntu-desktop firefox

**Install VNC**

  sudo apt install xfce4 xfce4-goodies tightvncserver

To complete the VNC server's initial configuration after installation, use the vncserver command to set up a secure password.

  vncserver

**Configuring the VNC Server**

First, we need to tell our VNC server what commands to perform when it starts up. These commands are located in a configuration file called xstartup in the .vnc folder under your home directory. The startup script was created when you ran the vncserver in the previous step, but we need modify some of the commands for the Xfce desktop.

When VNC is first set up, it launches a default server instance on port 5901. This port is called a display port, and is referred to by VNC as :1. VNC can launch multiple instances on other display ports, like :2, :3, etc. When working with VNC servers, remember that :X is a display port that refers to 5900+X.

Because we are going to be changing how the VNC server is configured, we'll need to first stop the VNC server instance that is running on port 5901.

  vncserver -kill :1

The output should look like this, with a different PID:

  Output
  Killing Xtightvnc process ID 17648

Before we begin configuring the new xstartup file, let's back up the original.

  sudo mv ~/.vnc/xstartup ~/.vnc/xstartup.bak

Now create a new xstartup file with nano or your favorite text editor.

  sudo nano ~/.vnc/xstartup

Paste these commands into the file so that they are performed automatically whenever you start or restart the VNC server, then save and close the file.

  #!/bin/bash
  xrdb $HOME/.Xresources
  startxfce4 &

The first command in the file, xrdb $HOME/.Xresources, tells VNC's GUI framework to read the server user's .Xresources file. .Xresources is where a user can make changes to certain settings of the graphical desktop, like terminal colors, cursor themes, and font rendering. The second command simply tells the server to launch Xfce, which is where you will find all of the graphical software that you need to comfortably manage your server.

To ensure that the VNC server will be able to use this new startup file properly, we'll need to grant executable privileges to it.

  sudo chmod +x ~/.vnc/xstartup

Now, restart the VNC server.

  vncserver

The server should be started with an output similar to this:
<code>
test@testbox:~$ vncserver

New 'X' desktop is testbox:1

Starting applications specified in /home/test/.vnc/xstartup
Log file is /home/test/.vnc/testbox:1.log
</code>

**Testing the VNC Desktop**

In this step, we'll test the connectivity of your VNC server.

Next, you may now use a VNC client to attempt a connection to the VNC server at testbox.local:5901 (or 192.168.1.6:5901) 

You'll be prompted to authenticate. The correct password to use is the one you set in the vncserver initial setup

Once you are connected, you should see the default Xfce desktop that was included as part of the TightVNC installation.

**Creating a VNC Service File**

Next, we'll set up the VNC server as a systemd service. This will make it possible to start, stop, and restart it as needed, like any other systemd service.

First, create a new unit file called /etc/systemd/system/vncserver@.service using your favorite text editor:

  sudo nano /etc/systemd/system/vncserver@.service

Copy and paste the following into it. Be sure to change the value of User and the username in the value of PIDFILE to match your username.

<code>
[Unit]
Description=Start TightVNC server at startup
After=syslog.target network.target

[Service]
Type=forking
User=test
PAMName=login
PIDFile=/home/test/.vnc/%H:%i.pid
ExecStartPre=-/usr/bin/vncserver -kill :%i > /dev/null 2>&1
ExecStart=/usr/bin/vncserver -depth 24 -geometry 1280x800 :%i
ExecStop=/usr/bin/vncserver -kill :%i

[Install]
WantedBy=multi-user.target
</code>

Save and close the file.

Next, make the system aware of the new unit file.

  sudo systemctl daemon-reload

Enable the unit file.

  sudo systemctl enable vncserver@1.service

Stop the current instance of the VNC server if it's still running.

  vncserver -kill :1

Then start it as you would start any other systemd service.

  sudo systemctl start vncserver@1

You can verify that it started with this command:

  sudo systemctl status vncserver@1

To save memory/cpu time, you can turn off the VNC server on the fly, and turn it on when you need it.

  sudo systemctl stop vncserver@1

So again, that's why I ask for your patience...
 
Putting a feeler out - how many would be interesting in having a VMWare Virtual Disk of a machine configured (for the most part, there is a section that can't be) when this series is all done?

Chosing VMWare as VMWare Player for Windows is free - and it'll work with VMWare Workstation or VMWare Fusion (and quite possibly VMWare ESXi) - and there are converters for other VM schemes..

It's going to be a bit on the large size - about 4 to 5 GB expanded out - but if there's enough interest...
 
BTW - for those keeping notes - add this to the bottom of the VNC section - again in DokuWiki markup

Code:
=== Updating VNCServer Password ===
TightVNC uses it's own password scheme as part of the install - to update it, use the **vncpasswd** command - it prefers passwords longer than 8 characters - as part of the big project that this is turning into, pwgen is pretty handy

Generate a good password - note, don't use any of the ones in this post 8-)

<code>
test@testbox:~$ pwgen 12
Aech6aeXupha Avughi7ohf9e vaep7Ahca7ja ueYier4co2Ah DaiGhahwe6Ji Ia9AhSielaey
</code>

Now update the vncpasswd

<code>
test@testbox:~$ vncpasswd
Using password file /home/test/.vnc/passwd
Password: 
Verify:  
Would you like to enter a view-only password (y/n)? n
</code>
 
Putting a feeler out - how many would be interesting in having a VMWare Virtual Disk of a machine configured (for the most part, there is a section that can't be) when this series is all done?

Chosing VMWare as VMWare Player for Windows is free - and it'll work with VMWare Workstation or VMWare Fusion (and quite possibly VMWare ESXi) - and there are converters for other VM schemes..

It's going to be a bit on the large size - about 4 to 5 GB expanded out - but if there's enough interest...
Sfx,

I would certainly be interested. I´m planning on buying a Supermicro Mini-ITX box in a couple of months to set up a pfSense firewall.

What is your opinion on running pfSense in a VM vs bare-bone? I´ve been fiddling with the thought of installing VMWare ESCXi on the new machine and run several VMs on it, e.g. pfSense, Ubuntu etc.

Ole
 
What is your opinion on running pfSense in a VM vs bare-bone? I´ve been fiddling with the thought of installing VMWare ESCXi on the new machine and run several VMs on it, e.g. pfSense, Ubuntu etc.

pfSense on a VM - general consensus is don't - since pfSense is your router, and more importantly, your security as a firewall, if the hypervisor is compromised, then pfSense and the entire network is compromised, and hypervisors are very much under attack these days... because of the cloud, large scale deployments are a sweet target (think hundreds of VM's running on a big Xeon server..

The other issue with pfSense on a VM is latency - while it's FreeBSD, it's a very tuned version, and closely coupled to the hardware - the virtual interfaces don't have the same level of performance from a latency perspective (they can be fast with virtio running at RAM speed between VM's, but latency is still a problem, along with general scheduling issues with the pfSense VM and other guests on the hypervisor.

so my thoughts are no, run pfSense on metal...

(some have flipped this around though - running jails on pfSense - e.g. pfSense running as the base, and then running FreeNAS/nas4Free inside the jail, and some people have done this, but again, it's a bit rough and tumble to do it, and security likes things simple - best way to compromise security is make it complicated.)
 
Please accept my apologies - as I was reviewing some of the sections, I found a few errors, and a lot of assumptions on my part about what the skill levels may be, so some of them, or at least some of the steps were a bit difficult.

I'm well into the rewrite - the storage section alone now is nearly 15 pages long - and is currently in a peer review with a couple of folks (helps to have another set of eyes to see inconsistencies and editorial errors)

All in all, the entire doc set is likely going to be 50 to 60 pages in length.

So be patient - the info will start flowing again soon - if not as posts inside the forum, I will make the information available again.

SFX, I have followed post #1 , #61, and #63 and I am happy to report everything is working as expected on my new Raspberry Pi 3B I only received yesterday. It is up and running Ubuntu-Mate and I can ssh or vnc to it with my MacBook Pro successfully. Many thanks for the excellent tutorial! Looking forward to the next installment. -Cheers
 
Hopefully you've got a case that keeps that little guy cool... they do tend to run warmer than the Pi2 did...

Nice little case with a small fan on top! I checked the temps with pitemp.sh

GPU => temp=48.3'C
CPU => 48'C
 
Cool (pardon the pun) - got a pic to share?

rpi3b.jpg

This product made by Eleduino.
 
@HardCat

The Pi's use broadcom SoC's similar to the 87U/68U in your .sig... wonder if this little script works on them...

testcputemp.sh

Code:
#!/bin/bash
cpu=$(</sys/class/thermal/thermal_zone0/temp)
echo "$(date) @ $(hostname)"
echo "CPU => $((cpu/1000))'C"
 
@HardCat

The Pi's use broadcom SoC's similar to the 87U/68U in your .sig... wonder if this little script works on them...

testcputemp.sh

Code:
#!/bin/bash
cpu=$(</sys/class/thermal/thermal_zone0/temp)
echo "$(date) @ $(hostname)"
echo "CPU => $((cpu/1000))'C"

Works fine on the Pi but not so on the AC87U or AC68U.

There is no "/sys/class/thermal/thermal_zone0/temp" file on the ASUS devices and no "hostname" command in busybox.
 
Here's a small sample of the re-write/cleanup - this is the OpenSSH and VNC section for Remote Access - this is not final, but an indication that I'm taking it a bit more seriously this time...

it's up to 2700+ lines (non line wrapped) - good news is that the rewrite is going very well - and adjusted to the audience...

a bit more time... this little project has blown up into something more that that - but it's good stuff when taken end to end, and scaled well from noob to the experienced admin... there's a lot more I'd like to drop into the doc, but I need to get this done...

That's i suppose what happens when you cross an experienced development engineer with a teacher...
 
**SECURITY NOTE**

Simple NAS setup - there's a config bug that you need to check - If you grabbed an early copy of the setup before I pulled it -

I need you to change a few items to improve security for the SimpleNAS

The new smb.conf file should look similar to below - we've removed the "guest ok = yes" for the shares, and added in an additional restriction for the globals - "restrict anonymous = 2"

NOTE - the workgroup stanza in the globals is not WORKGROUP - this is never good as it's the Windows default, and clients will cache that data - leading to potential usability and security issues...

This workaround addresses a Windows 10 issue, along with a couple of other SMB client issues that might result in unexpected data disclosure outside of approved user accounts. Been digging on this for a bit, and it's not a Samba bug, but a bug in my suggested smb.conf file - I was a bit surprised during cross-platform testing that sometimes the server would let me in with bad/no credentials...

Make the appropriate changes and kick the samba by sending it a "sudo /etc/init.d/samba restart" - and you can confirm by sending a "testparm -s" command.

To test - change the smbpasswd for a good/known user, and you should get an auth prompt...

Jeez I hate samba sometimes - things change over the years... a lot of rust knocked out of the head on this one - this ain't a complete fix, but works well enough for now to address the reason for this post...

/etc/samba/smb.conf

Code:
[global]
workgroup = TESTGROUP
netbios name = TESTBOX
security = user
hosts allow = 192.168.1.0/24
restrict anonymous = 2

[share]
comment = Home File Server
path = /var/share
force user = fileserver901
force group = fileserver901
read only = no
browsable = yes
create mask = 0755

[media]
comment = Home Media Server
path = /var/media
force user = fileserver901
force group = fileserver901
read only = no
browsable = yes
create mask = 0755

This workaround has passed audit via nmap - see below;

Code:
Host script results:
| nbstat: NetBIOS name: TESTBOX, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| Names:
|   TESTBOX<00>          Flags: <unique><active>
|   TESTBOX<03>          Flags: <unique><active>
|   TESTBOX<20>          Flags: <unique><active>
|   \x01\x02__MSBROWSE__\x02<01>  Flags: <group><active>
|   TESTGROUP<00>        Flags: <group><active>
|   TESTGROUP<1d>        Flags: <unique><active>
|_  TESTGROUP<1e>        Flags: <group><active>
| smb-os-discovery:
|   OS: Windows 6.1 (Samba 4.3.9-Ubuntu)
|   Computer name: testbox
|   NetBIOS computer name: TESTBOX
|   Domain name:
|   FQDN: testbox
|_  System time: 2016-05-22T18:45:26-07:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smbv2-enabled: Server supports SMBv2 protocol
[code]
 
Simple NAS setup - there's a config bug that you need to check - If you grabbed an early copy of the setup before I pulled it -

I need you to change a few items to improve security for the SimpleNAS

and it's issues like the one above is why I pulled all the previous config posts - it's not just your SNB Basics server, it's mine as well - I'm replacing an old hotel server inside my home network, and as I was walking thru the various configs, I noticed a few issues that needed to be resolved.

i appreciate your understanding and patience...
 

This will give us temps for the Arm devices:

Code:
#!/bin/sh
# Remove the hex "f8" which was surpressing the "C" for celsius and 2 newlines from the file first
cpu=$(tr -d '\xf8\n' < /proc/dmu/temperature | awk '{printf $4}')
echo "$(date) @ $(uname -n)"
echo "CPU => $cpu"
 
FWIW - think I found a kernel or HW bug in Intel - while writing this, I've actually got multiple machines running - the Pi2, a VM running on VMWare Workstation 10, a Dell i3050 (Baytrail-D J1900 silvermont cores), and a MSI WinBox DC111 (Intel 1037U IvyBridge based).

The two intel boxes are running headless... as is the Pi2

Was seeing really weird timing jitter on the Intel metal, and it wasn't correlating with the VM or the ARM based Pi2 - pulling up powertop and turbostat (part of linux-tools-common), started digging into things...

The latency jitter on the metal - seems that Intel gets overly aggressive on the C-States (save power, reduce temps) - and the C-State timing roughly correlated with the jitter...

So first things first - let's keep the CPU really busy - just on one core I ran the following command line and just let it run...

yes > /dev/null

This will peg a core, and keep it from sleeping - things settled down a bit, but still not where we wanted - so I ran the other core same - and this keeps the package from sleeping, and the behavior stops - and settles down nicely...

So... we're like - let's play around with c-states on the kernel...

On the grub command line, we can add "intel_max_cstate=1", but since the bare metal boxes are headless - we just add it to the grub default...

sudo vi /etc/default/grub

changing the follow line from

GRUB_CMDLINE_LINUX_DEFAULT=""

to

GRUB_CMDLINE_LINUX_DEFAULT="intel_idle.max_cstate=1"

And reboot - and things settled down very nicely indeed... which I thought was odd, as this affects the kernel timing domain, and essentially changes how it "dozes"...

Chasing things back, bisecting the kernel changes...

initially found a checkin on linux 3.16 that suggested this might be a problem - and this is something that the freedesk.org and kernel folks have been chasing - Intel checked in a change for i915 (graphics) that correlated with an increase in freezes - but that change was limited to valleyview only (valleyview is the GPU on the Baytrails, e.g. Intel HD Graphics Gen7-lp) - and the other machine that I was seeing the same problem (the 1037U is IVB, not BYT).

Interesting - and goes to show what measuring the system and network can do.

:cool:

NetGate_last_10800.png
 

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top