Best way to do secure, private phone backup/sync using omv?

  • Task objective:

    - backup (or perhaps syncing) phone photos, contacts, calendar, 2FA, password manager to omv


    Context:

    - one user

    - omv main use is LAN media server

    - OpenWRT router

    - static IP

    - bluetooth/wi-fi off (WPA3 is available in phone/router but not used due to security risks. But perhaps turning it on once a day to sync would be more secure than opening ports to the entire world 24/7?)

    - phone uses self-maintained wireguard vpn (deployed on my externally hosted cloud VPS 'server' - I know wireguard is peer-to-peer but you get what I mean), and is available for any device


    Considerations:

    - apparently usb flash drives are not a secure medium for file transfers, neither is wi-fi, so via internet is more secure, unless perhaps, I plug the phone into the server using a usb cable?

    - I have no need to access my server from outside the house (for example, to administer it or access files).

    - On my previous practice server, I successfully deployed docker containers for nextcloud AIO, nginx pm and fail2ban, and opened ports 80, 443 (and another for nextcloud talk but could not connect the app, perhaps because I didn't forward it in npm).

    - I have successfully used npm to limit incoming connections to the IP address of my wireguard server (I think I can also do this in the router). So nextcloud was able to do instant-uploads from phone to omv via my wireguard VPS, and sync calendar and contacts.


    So, functionally, above is just what I want, but...


    All info sources I've seen warn of the risks of opening ports, and I've heard of un-patched longstanding vulnerabilities in nginx npm (now since patched). So I'm starting to worry and wonder if there is a better way?


    Eg:

    - syncthing

    - headscale/tailscale - but port-forwarding?

    - just wireguard - port forwarding?


    Syncthing looks good due to not having to open ports, but privacy is also a desire of mine, and the public relays know which devices are talking to which. I'm not sure how much of an issue this is, but the solution is to run your own relay, which brings me back to the same problem: opening ports.


    I have to laugh, I'm staring at my phone and omv server right next to each other and all I want to do is get files from one to the other. Surely I'm making this far harder than it should be? Just looking for a simple, secure, private method.


    Thanks for taking the time to read this. Any advice would be greatly appreciated.

    • Official post

    What NPM vulnerabilities are you referring to? Can you put a link?


    I use Syncthing to transfer files from smartphone to server. I do this only with wifi, without using external relays. Don't trust your Wi-Fi network?
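    Added example (not from the thread or the Syncthing project): a Python check for the setup the reply above describes, Syncthing on the LAN with no external relays and no global discovery, plus a function that rewrites the config to bind only to the LAN address. The option names are Syncthing's real config.xml settings; the sample config and the LAN address 192.168.1.10 are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample using Syncthing's defaults (public relays and global discovery on).
SAMPLE_CONFIG = """<configuration version="37">
  <gui enabled="true" tls="false"><address>0.0.0.0:8384</address></gui>
  <options>
    <listenAddress>default</listenAddress>
    <globalAnnounceEnabled>true</globalAnnounceEnabled>
    <relaysEnabled>true</relaysEnabled>
    <natEnabled>true</natEnabled>
  </options>
</configuration>"""

# Options whose "true" value makes Syncthing talk to third parties or the router.
RISKY_FLAGS = {
    "relaysEnabled": "public relays learn which device IDs talk to each other",
    "globalAnnounceEnabled": "device ID and address are published to global discovery",
    "natEnabled": "UPnP/NAT-PMP may open a port on the router",
}

def _is_true(options, name):
    node = options.find(name)
    return node is not None and (node.text or "").strip().lower() == "true"

def audit_syncthing(config_xml):
    """Return findings for settings that break the LAN-only, no-relay model."""
    root = ET.fromstring(config_xml)
    opts = root.find("options")
    findings = [f"{n}: {why}" for n, why in RISKY_FLAGS.items() if _is_true(opts, n)]
    listen = [(a.text or "").strip() for a in opts.findall("listenAddress")]
    # "default" expands to 0.0.0.0:22000 plus dynamic+https://relays.syncthing.net
    if "default" in listen or any("relays.syncthing.net" in a for a in listen):
        findings.append("listenAddress: 'default' includes the public relay pool")
    if root.findtext("gui/address", "").startswith("0.0.0.0"):
        findings.append("gui/address: web UI listens on every interface")
    return findings

def harden_syncthing(config_xml, lan_ip):
    """Return a config that listens only on lan_ip, with relays and discovery off."""
    root = ET.fromstring(config_xml)
    opts = root.find("options")
    for name in RISKY_FLAGS:
        node = opts.find(name)
        if node is None:
            node = ET.SubElement(opts, name)
        node.text = "false"
    for old in opts.findall("listenAddress"):
        opts.remove(old)
    ET.SubElement(opts, "listenAddress").text = f"tcp://{lan_ip}:22000"
    root.find("gui/address").text = f"{lan_ip}:8384"  # sample always has <gui><address>
    return ET.tostring(root, encoding="unicode")
```

Run the audit on your real config.xml before and after changing the settings in the Syncthing GUI; an empty findings list means nothing leaves the LAN.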

  • What NPM vulnerabilities are you referring to? Can you put a link?


    I use Syncthing to transfer files from smartphone to server. I do this only with wifi, without using external relays. Don't trust your Wi-Fi network?


    I edited my original post - as the security vulnerabilities I think have since been fixed:


    See link here:

    External content: www.youtube.com


    And wi-fi issues (VPNFilter virus?):

    What is WPA3? Is WPA3 secure and should i use it? | Comparitech
    Is WPA3 secure? This is an important question in wi-fi security after a serious vulnerability was found in Wi-fi Protected Access 2 (WPA2), the security…
    www.comparitech.com


    At the end of the above article the author suggests for home networks 'Stop using wi-fi: Connect to the internet via an ethernet or data (3/4G) connection at home, or use mobile data, particularly for sensitive transactions.' and 'turn off your wifi connection if not using it'.


    Anyway, perhaps periodically using wi-fi would be more secure than 24/7.

  • security vulnerabilities

    welcome to any sort of software. We use it all at our own risk.

    Dell 3050 Micro, i5-6500T, 8GB RAM

    Plugins - compose, cputemp, omv-extras, sharerootfs.

    Drives - 512GB SSD Boot, 1TB NVMe Data, 16TB (8TB x 2 merged) Media

    Docker - dozzle, netdata, nginx-proxy-manager, plex, prowlarr, qbittorrentvpn, radarr, sonarr, watchtower.

    • Official post

    At the end of the above article the author suggests for home networks 'Stop using wi-fi: Connect to the internet via an ethernet or data (3/4G) connection at home, or use mobile data, particularly for sensitive transactions.' and 'turn off your wifi connection if not using it'.

    That's the same as saying, "If your server is turned off, you can't be hacked."


    If you think your neighbor is going to try to hack your Wi-Fi, there are many other measures you can take, starting with having a modern and updated router, for example, or creating a VLAN for IoT devices. In my opinion that article is a bit sensationalist in the effort to attract readers.

  • In my opinion that article is a bit sensationalist in the effort to attract readers.

    This says it all.


    Spot on. :thumbup: :thumbup: :thumbup:

  • I can access the Samba shares from my OMV with my Android phone in two different ways:

    - The app Total Commander and here the LAN plugin offers the possibility to more or less mount Samba shares. You get a file manager with two columns and can easily move/copy everything back and forth.

    - With the SMBSYNC2 app, I am able to automatically synchronize folders between my phone and my Samba share on my server. I use the app to back up the pictures and some other folders from my phone every night. This saved me once when we had to reset my wife's phone and of course all her pictures disappeared and she takes a lot of pictures.

  • Ah yes. The typical fear mongering for the views.

    At some point every content creator has to do it for the big views otherwise you'll stick with 30k views or so with too advanced stuff or they simply don't know much more.


    Better watch this from some guy who is in partnership with Google when it comes to security.


    External content: www.youtube.com



    Here's the spreadsheet from the beginning, funny how all tips from NetworkChuck are in the red category.

    Linux Server Hardening
    Sheet1 OS,Networking,SSH,???,Fine sudo User,Auto Updates,Ports/IP FW,fail2ban,Change Ports,No root Login,Only IPv4,SSH Key,Boot/USB,disable cron,unused…
    docs.google.com

  • Thanks everyone for your advice. That last video link was really great - I'll be watching that many times I think.


    I'm probably suffering from some sort of 'medical student disease' as I learn about security practices/issues.


    I think perhaps syncthing, using their relay service, might be the best for my case. I don't have to use wi-fi or open ports and data is e2e encrypted.
