Posts by ptruman

    Crashplan have just introduced a set of mandatory exclusions on both file extensions AND folder locations.
    Anything deemed as operating system related (i.e. /srv - where the OMV3 data drive gets mounted) is no longer backed up.


    Reddit /r/Crashplan has various posts of "Where are my backups?" from people, and I've now started the transition to Backblaze via Duplicati (install plugin, go...)


    I will add that on OMV4, the /sharedfolders folder is not excluded - so you can switch backup src location to that folder and it will work - but your file extensions might still be subjected to exclusion (i.e. any .vmdk files are now excluded and so forth).


    Hopefully this saves some of you a headache :)


    (Mods : depending on your view, this might want a sticky or post in a "higher?" announcement forum - I'm not sure who may be using Crashplan here - but one other guy on Reddit is clearly also an OMV user) :)

    Those are the pointers I was after, ta.


    Re: changing port, I have - but if you check out shodan.io - you will find that your machine (if exposed) has probably been fingerprinted, so all a port change does is stop drive-by scripted attacks. Anyone running nmap/fingerprinting will find the ssh service and what protocols it's willing to deal with. Fail2ban does help, but as it's not saving to a DB it resets on any reboot, and some clustered hacks just rotate to another IP.


    Also, having had two passwords lost (and confirmed on haveibeenpwned.com) I don't want to leave any exposed service down to just user/pass - so Google/OTP helps there.


    I've got another layer on top of that which arguably makes it more secure, but that's away from the OMV box :)

    Basically this


    From the GUI - denying root login, enabling compression and enabling PubKeyAuthentication (which are all retained)


    Then:

    • Installing Google Authenticator (for OpenVPN AS also)
    • Generating an appropriate account Google Auth file
    • Removing/commenting out

      • HostKey /etc/ssh/ssh_host_rsa_key
      • HostKey /etc/ssh/ssh_host_dsa_key
      • HostKey /etc/ssh/ssh_host_ecdsa_key
    • Adding the lines:

      • HostKey /etc/ssh/ssh_host_ed25519_key
      • ChallengeResponseAuthentication yes
      • Banner /etc/issue.net
    • Amending the line:

      • LoginGraceTime (change from 120 to 60)
    • Editing issue.net appropriately with message of choice
    • Then running
    Code
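    cp /etc/ssh/moduli /etc/ssh/moduli.orig
    # Create the ed25519 host key where the HostKey line expects it
    ssh-keygen -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -N "" < /dev/null
    # Generate 4096-bit candidates, then screen them for safe primes
    # (OpenSSH 8.2+ replaced -G/-T with -M generate / -M screen)
    ssh-keygen -G /etc/ssh/moduli.all -b 4096
    ssh-keygen -T /etc/ssh/moduli.safe -f /etc/ssh/moduli.all
    # Install only screened moduli of at least 3071 bits
    awk '$5 >= 3071' /etc/ssh/moduli.safe > /etc/ssh/moduli.tmp && mv /etc/ssh/moduli.tmp /etc/ssh/moduli
    rm /etc/ssh/moduli.all /etc/ssh/moduli.safe
    systemctl restart sshd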


    I've generated (and been using) an ed25519 key with PuttyGen.


    That basically gives me the best possible cypherset (removing legacy ones) 3 factor auth (public/private key with appropriate username in cert, Google Auth code, plus account password matching the underlying Debian account) and regenerates custom moduli files (removing unsafe/lower value ones) and regens the system keys.

    Where does OMV hide its default sshd_config, or what script does it run on save config?
    I'm hardening my config manually, but if I touch anything in OMV, it resets it - and re-includes lines I've removed.
    Adding NEW lines via OMV is fine, but I can't "occlude" stuff from there. Ideally I'd like to use the GUI but so far have to avoid it - unless I can fudge its defaults :)
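
The settings listed in the hardening post above, and the problem of the GUI re-including removed lines, can be checked with a small audit script run after any config save. This is an added example, not part of the original posts; the function names and the constructed sample files are assumptions, and on a real system the arguments would be /etc/ssh/sshd_config and /etc/ssh/moduli.

```shell
# Added example: audit sshd_config and moduli against the post's settings.

# Print one FAIL line per deviation; exit status 1 if any was found.
audit_sshd_config() {
    awk '
        BEGIN { bad = 0 }
        NF == 0 || $1 ~ /^#/ { next }            # skip blanks and comments
        { key = tolower($1); val = $2 }
        key == "hostkey" {
            if (val ~ /ssh_host_ed25519_key$/) ed = 1
            else { print "FAIL: legacy HostKey " val; bad = 1 }
        }
        # sshd keeps the first value it reads for a keyword; do the same.
        key == "challengeresponseauthentication" && cr == "" { cr = tolower(val) }
        key == "logingracetime" && grace == "" { grace = val }
        key == "banner" && banner == "" { banner = val }
        END {
            if (!ed) { print "FAIL: no ed25519 HostKey"; bad = 1 }
            if (cr != "yes") { print "FAIL: ChallengeResponseAuthentication " cr; bad = 1 }
            if (grace != "60") { print "FAIL: LoginGraceTime " grace; bad = 1 }
            if (banner != "/etc/issue.net") { print "FAIL: Banner " banner; bad = 1 }
            exit bad
        }' "$1"
}

# Count moduli entries whose size column (field 5) is under the 3071 cutoff.
count_weak_moduli() {
    awk '$1 !~ /^#/ && NF >= 7 && $5 < 3071 { n++ } END { print n + 0 }' "$1"
}

# Constructed samples: hardened config, the same file with removed lines
# re-included, and a moduli file with shortened placeholder moduli.
write_samples() {
    printf '%s\n' '# constructed sample' \
        'HostKey /etc/ssh/ssh_host_ed25519_key' \
        'ChallengeResponseAuthentication yes' \
        'Banner /etc/issue.net' 'LoginGraceTime 60' > "$1/hardened"
    printf '%s\n' 'HostKey /etc/ssh/ssh_host_rsa_key' \
        'HostKey /etc/ssh/ssh_host_dsa_key' \
        'HostKey /etc/ssh/ssh_host_ecdsa_key' \
        'HostKey /etc/ssh/ssh_host_ed25519_key' \
        'ChallengeResponseAuthentication yes' \
        'Banner /etc/issue.net' 'LoginGraceTime 120' > "$1/reset"
    printf '%s\n' '# time type tests tries size generator modulus' \
        '20180417000000 2 6 100 2047 2 C0FFEE01' \
        '20180417000001 2 6 100 3071 2 C0FFEE02' \
        '20180417000002 2 6 100 4095 5 C0FFEE03' > "$1/moduli"
}

tmp=$(mktemp -d)
write_samples "$tmp"
audit_sshd_config "$tmp/hardened" && echo "hardened: OK"
audit_sshd_config "$tmp/reset" || echo "reset: drift found"
count_weak_moduli "$tmp/moduli"
```
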

    I would probably agree, however FreePBX is about the best GUI for asterisk going, and I'd rather that than bugger with the CLI :)


    Alternately you could create a new usergroup and add apache2 and asterisk to it, and just set the perms on the php5.6 exe to be for that group alone - which would limit the exposure somewhat. As mentioned in the article, tampering with the php code trips a signature alarm, so as it's only one apache2 site, one (nologin) user and a php-fpm instance using php5.6, the attack surface is limited.


    *Most* but not all the FreePBX scripts run if you just edit them to run php7.0 instead of 5.6, but they will trigger signature check alerts in FreePBX, and not all of them yet do - although the FreePBX team say they are trying to get moved to php7, I don't think it's a priority for them yet :(

    Quick one - I have heavily customised my sshd_config - including changing default algorithms.
    If I change the config in the UI, it always replaces my config with the default - is there a template "base" config hiding that can be fettled?

    Hi all


    I've rebuilt OMV3 from ISO on my N54L and everything is now working, EXCEPT OpenVPNAS.
    I've installed the plugin, and openvpn-as


    There are two users it setup, openvpn and openvpn_as


    From what I see in the as.conf those users are set to run the process.
    systemctl start openvpnas works (or seems to) but if I login to the admin GUI, or connect a client, after a minute or so, it restarts, although systemctl status openvpnas shows:


    Apr 17 21:48:03 MediaVault systemd[1]: PID file /var/run/openvpnas.pid not readable (yet?) after start.
    Apr 17 21:48:03 MediaVault systemd[1]: Started OpenVPN Access Server Service.


    Partial log below. What is going on? From my previous running drive, I can't see any sticky/SETUID bits on anything. The two users are just members of their own group (same as the username). This is clearly a perms issue but I'm damned if I can figure out what...


    2018-04-17 21:28:07+0100 [OMIClientAuth,0,] "iptables_openvpn": "started",
    2018-04-17 21:28:07+0100 [OMIClientAuth,0,] "iptables_web": "started",
    2018-04-17 21:28:07+0100 [OMIClientAuth,0,] "license": "started",
    2018-04-17 21:28:07+0100 [OMIClientAuth,0,] "log": "started",
    2018-04-17 21:28:07+0100 [OMIClientAuth,0,] "openvpn_0": "started",
    2018-04-17 21:28:07+0100 [OMIClientAuth,0,] "openvpn_1": "started",
    2018-04-17 21:28:07+0100 [OMIClientAuth,0,] "openvpn_2": "started",
    2018-04-17 21:28:07+0100 [OMIClientAuth,0,] "openvpn_3": "started",
    2018-04-17 21:28:07+0100 [OMIClientAuth,0,] "user": "started",
    2018-04-17 21:28:07+0100 [OMIClientAuth,0,] "web": "started"
    2018-04-17 21:28:07+0100 [OMIClientAuth,0,] }
    2018-04-17 21:28:07+0100 [OMIClientAuth,0,] }
    2018-04-17 21:28:07+0100 [OMIClientAuth,0,] Server Agent started
    2018-04-17 21:28:12+0100 [-] License Info {'apc': False, 'concurrent_connections': 2}
    2018-04-17 21:29:02+0100 [OMIClientAuth,0,] OMI Cancel pending deferred ['exit']
    2018-04-17 21:29:02+0100 [-] OVPN 3 OUT: "Tue Apr 17 20:29:02 2018 MANAGEMENT: CMD 'exit'"
    2018-04-17 21:29:02+0100 [-] OVPN 3 OUT: 'Tue Apr 17 20:29:02 2018 MANAGEMENT: Client disconnected'
    2018-04-17 21:29:02+0100 [-] OVPN 3 OUT: 'Tue Apr 17 20:29:02 2018 MANAGEMENT: Triggering management exit'
    2018-04-17 21:29:02+0100 [-] OVPN 3 OUT: 'Tue Apr 17 20:29:02 2018 Closing TUN/TAP interface'
    2018-04-17 21:29:02+0100 [-] OVPN 3 OUT: 'Tue Apr 17 20:29:02 2018 /sbin/ifconfig as0t3 0.0.0.0'
    2018-04-17 21:29:02+0100 [-] OVPN 3 OUT: 'Tue Apr 17 20:29:02 2018 Linux ip addr del failed: could not execute external program'
    2018-04-17 21:29:02+0100 [-] OVPN 3 OUT: 'Tue Apr 17 20:29:02 2018 SIGTERM[soft,management-exit] received, process exiting'
    2018-04-17 21:29:02+0100 [-] OVPN 3 OUT: 'Tue Apr 17 20:29:02 2018 MANAGEMENT: >STATE:1523996942,EXITING,management-exit,,,,,'
    2018-04-17 21:29:02+0100 [-] OVPN 2 OUT: "Tue Apr 17 20:29:02 2018 MANAGEMENT: CMD 'exit'"
    2018-04-17 21:29:02+0100 [-] OVPN 2 OUT: 'Tue Apr 17 20:29:02 2018 MANAGEMENT: Client disconnected'
    2018-04-17 21:29:02+0100 [-] OVPN 2 OUT: 'Tue Apr 17 20:29:02 2018 MANAGEMENT: Triggering management exit'
    2018-04-17 21:29:02+0100 [-] OVPN 2 OUT: 'Tue Apr 17 20:29:02 2018 Closing TUN/TAP interface'
    2018-04-17 21:29:02+0100 [-] OVPN 2 OUT: 'Tue Apr 17 20:29:02 2018 /sbin/ifconfig as0t2 0.0.0.0'
    2018-04-17 21:29:02+0100 [OMIClientAuth,0,] OMI Cancel pending deferred ['exit']
    2018-04-17 21:29:02+0100 [-] OVPN 2 OUT: 'Tue Apr 17 20:29:02 2018 Linux ip addr del failed: could not execute external program'
    2018-04-17 21:29:02+0100 [-] OVPN 2 OUT: 'Tue Apr 17 20:29:02 2018 SIGTERM[soft,management-exit] received, process exiting'
    2018-04-17 21:29:02+0100 [-] OVPN 2 OUT: 'Tue Apr 17 20:29:02 2018 MANAGEMENT: >STATE:1523996942,EXITING,management-exit,,,,,'
    2018-04-17 21:29:02+0100 [-] OVPN 1 OUT: "Tue Apr 17 20:29:02 2018 MANAGEMENT: CMD 'exit'"
    2018-04-17 21:29:02+0100 [-] OVPN 1 OUT: 'Tue Apr 17 20:29:02 2018 MANAGEMENT: Client disconnected'
    2018-04-17 21:29:02+0100 [-] OVPN 1 OUT: 'Tue Apr 17 20:29:02 2018 MANAGEMENT: Triggering management exit'
    2018-04-17 21:29:02+0100 [-] OVPN 1 OUT: 'Tue Apr 17 20:29:02 2018 Closing TUN/TAP interface'
    2018-04-17 21:29:02+0100 [-] OVPN 1 OUT: 'Tue Apr 17 20:29:02 2018 /sbin/ifconfig as0t1 0.0.0.0'
    2018-04-17 21:29:02+0100 [OMIClientAuth,0,] OMI Cancel pending deferred ['exit']
    2018-04-17 21:29:02+0100 [-] OVPN 1 OUT: 'Tue Apr 17 20:29:02 2018 Linux ip addr del failed: could not execute external program'
    2018-04-17 21:29:02+0100 [-] OVPN 1 OUT: 'Tue Apr 17 20:29:02 2018 SIGTERM[soft,management-exit] received, process exiting'
    2018-04-17 21:29:02+0100 [-] OVPN 1 OUT: 'Tue Apr 17 20:29:02 2018 MANAGEMENT: >STATE:1523996942,EXITING,management-exit,,,,,'
    2018-04-17 21:29:02+0100 [-] OVPN 1 OUT: 'Tue Apr 17 20:29:02 2018 PORT SHARE PROXY: proxy exiting'
    2018-04-17 21:29:02+0100 [OMIClientAuth,0,] OMI Cancel pending deferred ['exit']
    2018-04-17 21:29:02+0100 [-] OVPN 0 OUT: "Tue Apr 17 20:29:02 2018 MANAGEMENT: CMD 'exit'"
    2018-04-17 21:29:02+0100 [-] OVPN 0 OUT: 'Tue Apr 17 20:29:02 2018 MANAGEMENT: Client disconnected'
    2018-04-17 21:29:02+0100 [-] OVPN 0 OUT: 'Tue Apr 17 20:29:02 2018 MANAGEMENT: Triggering management exit'
    2018-04-17 21:29:02+0100 [-] OVPN 0 OUT: 'Tue Apr 17 20:29:02 2018 Closing TUN/TAP interface'
    2018-04-17 21:29:02+0100 [-] OVPN 0 OUT: 'Tue Apr 17 20:29:02 2018 /sbin/ifconfig as0t0 0.0.0.0'
    2018-04-17 21:29:02+0100 [-] OVPN 0 OUT: 'Tue Apr 17 20:29:02 2018 Linux ip addr del failed: could not execute external program'
    2018-04-17 21:29:02+0100 [-] OVPN 0 OUT: 'Tue Apr 17 20:29:02 2018 SIGTERM[soft,management-exit] received, process exiting'
    2018-04-17 21:29:02+0100 [-] OVPN 0 OUT: 'Tue Apr 17 20:29:02 2018 MANAGEMENT: >STATE:1523996942,EXITING,management-exit,,,,,'
    2018-04-17 21:29:02+0100 [-] OVPN 0 OUT: 'Tue Apr 17 20:29:02 2018 PORT SHARE PROXY: proxy exiting'
    2018-04-17 21:29:02+0100 [-] IPTABLES_LIVE ERR: 'IPTABLES_RESTORE: Sending SIGTERM to pid 22702'
    2018-04-17 21:29:02+0100 [-] PROC RESTORE /proc/sys/net/ipv4/ip_forward -> 1
    2018-04-17 21:29:02+0100 [-] PROC RESTORE /proc/sys/net/netfilter/nf_conntrack_tcp_be_liberal -> 1
    2018-04-17 21:29:02+0100 [-] WEB: Sending SIGTERM to pid 22648
    2018-04-17 21:29:02+0100 [-] WEB OUT: '2018-04-17 21:29:02+0100 [-] Received SIGTERM, shutting down.'
    2018-04-17 21:29:02+0100 [-] WEB OUT: '2018-04-17 21:29:02+0100 [-] (Port 909 Closed)'
    2018-04-17 21:29:02+0100 [-] WEB OUT: '2018-04-17 21:29:02+0100 [-] (Port 908 Closed)'
    2018-04-17 21:29:02+0100 [-] WEB OUT: '2018-04-17 21:29:02+0100 [-] (Port 907 Closed)'
    2018-04-17 21:29:02+0100 [-] WEB OUT: '2018-04-17 21:29:02+0100 [-] (Port 906 Closed)'
    2018-04-17 21:29:02+0100 [-] WEB OUT: '2018-04-17 21:29:02+0100 [-] (Port 905 Closed)'
    2018-04-17 21:29:02+0100 [-] WEB OUT: '2018-04-17 21:29:02+0100 [-] (Port 904 Closed)'
    2018-04-17 21:29:02+0100 [-] WEB OUT: '2018-04-17 21:29:02+0100 [-] (Port 11194 Closed)'
    2018-04-17 21:29:02+0100 [-] WEB OUT: '2018-04-17 21:29:02+0100 [-] (Port 943 Closed)'
    2018-04-17 21:29:02+0100 [-] WEB OUT: '2018-04-17 21:29:02+0100 [-] Main loop terminated.'
    2018-04-17 21:29:02+0100 [-] WEB OUT: '2018-04-17 21:29:02+0100 [-] Warning: No permission to delete pid file'
    2018-04-17 21:29:02+0100 [-] WEB OUT: '2018-04-17 21:29:02+0100 [-] Server Shut Down.'
    2018-04-17 21:29:02+0100 [-] Server Agent shutting down, stop status: {'errors': {}, 'service_status': {'bridge': 'off', 'log': 'off', 'license': 'off', 'ip$
    2018-04-17 21:29:02+0100 [-] (Port None Closed)
    2018-04-17 21:29:02+0100 [-] (Port None Closed)
    2018-04-17 21:29:02+0100 [-] (Port None Closed)
    2018-04-17 21:29:02+0100 [-] Received SIGTERM, shutting down.
    2018-04-17 21:29:02+0100 [-] Main loop terminated.
    2018-04-17 21:29:02+0100 [-] Server Shut Down.
    2018-04-17 21:29:04+0100 [-] Log opened.
    2018-04-17 21:29:04+0100 [-] twistd 9.0.0 (/usr/local/openvpn_as/bin/python 2.7.11) starting up.
    2018-04-17 21:29:04+0100 [-] reactor class: twisted.internet.epollreactor.EPollReactor.
    2018-04-17 21:29:04+0100 [-] rmdir /usr/local/openvpn_as/etc/db_push
    2018-04-17 21:29:04+0100 [-] ACCESS SERVER starting, version=2.5
    2018-04-17 21:29:04+0100 [-] Max open files set to (4096, 4096)
    2018-04-17 21:29:04+0100 [-] /etc/resolv.conf changed, reparsing
    2018-04-17 21:29:04+0100 [-] Resolver added ('127.0.0.1', 53) to server list
    2018-04-17 21:29:05+0100 [-] twisted.web.server.Site starting on "u'/usr/local/openvpn_as/etc/sock/sagent'"
    2018-04-17 21:29:05+0100 [-] twisted.web.server.Site starting on "u'/usr/local/openvpn_as/etc/sock/sagent.localroot'"
    2018-04-17 21:29:05+0100 [-] twisted.web.server.Site starting on "u'/usr/local/openvpn_as/etc/sock/sagent.api'"

    I've just gone from an N40L to an N54L (due to a dead PSU).
    Moved all the drives as is, and OMV started fine - this is good.


    My data is on a RAID-1, as is my boot drive.


    I've then swapped out my data drive from the 500GB drives they were on, to 2 x 1TB drives - that worked (pull old drive, plug new drive, rebuild - repeat with other drive). Reboots all working.


    I've tried to do this with the OpSys drive, but have run afoul of the old disks being 512KB sectors, versus 4096K on the new 1TB drives - trying to boot results in a black screen with a flashing cursor - no OMV screen. Putting the old drives back in works again.


    So, to save much argument, I suspect the easiest thing to do is re-install OMV on the new disks, but I have forgotten a couple of things...


    a) If I rebuild the system disks, how do I reattach my data mirror? (I would remove the physical disks before working on anything to ensure they are safe).
    b) Can I backup my existing operating system drive folder and just copy them back? I was considering copying all folders (except /srv/) to the data drive so I could copy them back... (with cp -a)


    I ask (b) as I have a lot of custom stuff running - Asterisk, DNSCrypt, OpenRemote, Crashplan etc....and it would be lovely to just get it to go!

    Lo there


    Thought I'd give the remote desktop plugin a whirl. It installed ok, and I can run mstsc to connect, and login as my admin user - and get an X screen, but I then get this:


    Unable to load a failsafe session Unable to determine failsafe session name. Possible causes: xfconfd isn't running (D-bus setup problem); environment variable $XDG_CONFIG_DIRS is set incorrectly (must include "/etc"), or xfce4-session is installed incorrectly."

    Any clues?

    Genuinely didn't spot that, I think there are always some announcements that are there and get glossed over - but I'll def keep my eyes more open :)

    Hi there


    Running omv-update today, I'm getting:


    Code
    Get:106 http://httpredir.debian.org jessie-backports/non-free amd64 Packages [27.7 kB]
    Fetched 21.7 MB in 7s (2,850 kB/s)
    W: Failed to fetch https://dl.bintray.com/openmediavault-plugin-developers/erasmus-plex/dists/jessie/Release Unable to find expected entry 'main/binary-amd64/Packages' in Release file (Wrong sources.list entry or malformed file)
    E: Some index files failed to download. They have been ignored, or old ones used instead.


    Any clues?

    Right - god knows why I didn't check the nginx logs, but this is hiding in there:


    Code
    2017/10/21 19:01:23 [error] 12549#0: *15 FastCGI sent in stderr: "PHP message: PHP Warning: session_start(): open(/var/lib/php5/sessions/sess_cg9bvqt33fvfr22h449cn4f703, O_RDWR) failed: Permission denied (13) in /usr/share/php/openmediavault/session.inc on line 43" while reading response header from upstream, client: 127.0.0.1, server: openmediavault-webgui, request: "GET / HTTP/1.1", upstream: "fastcgi://unix:/var/run/php5-fpm-openmediavault-webgui.sock:", host: "127.0.0.1:444"


    Clues?

    Update : RRD is getting errors in syslog still, as seen below....although it only seems to get those if I run the omv-firstaid rrd checker....


    You can see my check of omv-engined, then an rrd restart, but then they resume barfing.
    What have I/it done?!


    The drives are not out of space (df -h below)


    Code
    Filesystem Size Used Avail Use% Mounted on
    udev 10M 0 10M 0% /dev
    tmpfs 1.2G 16M 1.2G 2% /run
    /dev/md0 70G 8.2G 59G 13% /
    tmpfs 2.8G 4.0K 2.8G 1% /dev/shm
    tmpfs 5.0M 0 5.0M 0% /run/lock
    tmpfs 2.8G 0 2.8G 0% /sys/fs/cgroup
    tmpfs 2.8G 568K 2.8G 1% /tmp
    /dev/md127 459G 285G 151G 66% /sftp/pete/Pete

    syslog tail below:



    In case something is blocking a port, here is netstat -tulpen: https://pastebin.com/aZHsuJrL
    (note that I run Java for CrashPlan and OpenRemote)