Posts by new4u

    Hello tinh_x7,


    I also suffered from your experience. If you use a Linux platform as desktop OS: I was much happier installing Virtual Machine Manager; Cockpit by far does not cover what it should.


    ---

    I installed on the server client:

    sudo apt install -y qemu-kvm libvirt-daemon-system libvirt-clients bridge-utils virt-manager qemu-utils virtinst libvirt-daemon

    ---


    on the server and on the client:

    sudo apt install ncat    # install on both client and server!

    ---


    In virtual machine manager you can then choose via GUI for RDP the protocol 'spice'. Please note that you need to choose in the Virtual Machine Manager in "Display Spice" the dropdown 'all interfaces', otherwise you run again into the Cockpit-issue. If you specify also a TLS-port you have a fixed address for your external viewer; in my case Remmina.


    Additionally, for Windows there is a helper file from Fedora, which you install when Windows is running:


    https://fedorapeople.org/group…downloads/archive-virtio/


    Choose the latest directory, and run the ISO inside Windows, it will install a lot of useful things.


    If you need/want, I can provide you my config file, in which everything is visible in XML cleartext, and which can also easily be imported with virsh define ConfigFileVirtualMachine.xml


    ---

    For _CREATING_ a Qemu-Disk in the terminal, skipping the hellish Cockpit:


    qemu-img create -f qcow2 /srv/dev-disk-by-label-8TBMai2020/VirtualMachines/Win10/Win10.qcow2 500G


    creates a machine in the path /srv/.. , the file is called Win10.qcow2, maximal size 500G (it is dynamically growing, with all its advantages and disadvantages)

    ---


    For _INSTALLING_ the Operating System I used:

    virt-install --name=Win10 --vcpus=1 --ram=8000 --init=/srv/ --os-variant=win10 --cdrom=/srv/dev-disk-by-label-6TBDisk1/Software/Microsoft/Windows_10_Install-ISO/Win10-Install.iso --disk=/srv/dev-disk-by-label-8TBMai2020/VirtualMachines/Win10/Win10.qcow2,format=qcow2,size=500


    Obviously, most of the things are self-explanatory. Can all be changed later in the Virtual Machine Manager.


    I personally cancel the installation in the terminal with Ctrl+C, then afterwards modify in particular the network interface manually to the network bridge, manually entering the name br0, set the HDDs to VIRTIO and run the machine again.


    ----

    Hope that helps a bit.

    Dear Volker,


    First of all, thank you for the great product you have created with openmediavault!


    I currently run Usul 5.4.6-1 and have made some tests on my servers. Among them was the one of https://pentest-tools.com/home , which (I think correctly, as the suggestions also apply for nextcloud) recommends hardening the NGINX-server-Block:


    Here the relevant part copied from the report which I think might be valid for many users who did not modify their standard files:


    Missing HTTP security headers

    HTTP Security Header      | Header Role                                  | Status
    X-Frame-Options           | Protects against Clickjacking attacks        | Not set
    X-XSS-Protection          | Mitigates Cross-Site Scripting (XSS) attacks | Not set
    Strict-Transport-Security | Protects against man-in-the-middle attacks   | Not set
    X-Content-Type-Options    | Prevents possible phishing or XSS attacks    |



    Risk description:

    Because the X-Frame-Options header is not sent by the server, an attacker could embed this website into an iframe of a third party website. By manipulating the display attributes of the iframe, the attacker could trick the user into performing mouse clicks in the application, thus performing activities without user's consent (ex: delete user, subscribe to newsletter, etc). This is called a Clickjacking attack and it is described in detail here:

    https://www.owasp.org/index.php/Clickjacking


    The X-XSS-Protection HTTP header instructs the browser to stop loading web pages when they detect reflected Cross-Site Scripting (XSS) attacks. Lack of this header exposes application users to XSS attacks in case the web application contains such vulnerability.


    The HTTP Strict-Transport-Security header instructs the browser not to load the website via plain HTTP connection but always use HTTPS. Lack of this header exposes the application users to the risk of data theft or unauthorized modification in case the attacker implements a man-in-the-middle attack and intercepts the communication between the user and the server.


    The HTTP X-Content-Type-Options header is addressed to Internet Explorer browser and prevents it from reinterpreting the content of a web page (MIME-sniffing) and thus overriding the value of the Content-Type header. Lack of this header could lead to attacks such as Cross-Site Scripting or phishing.


    Recommendation:

    We recommend you to add the X-Frame-Options HTTP response header to every page that you want to be protected against Clickjacking attacks.

    More information about this issue:

    https://www.owasp.org/index.ph…cking_Defense_Cheat_Sheet


    We recommend setting the X-XSS-Protection header to "X-XSS-Protection: 1; mode=block".

    More information about this issue:

    https://developer.mozilla.org/…/Headers/X-XSS-Protection


    We recommend setting the Strict-Transport-Security header.

    More information about this issue:

    https://www.owasp.org/index.ph…port_Security_Cheat_Sheet


    We recommend setting the X-Content-Type-Options header to "X-Content-Type-Options: nosniff".

    More information about this issue:

    https://developer.mozilla.org/…rs/X-Content-Type-Options


    Thank you for your time and consideration.


    Kind regards,

    Markus
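
An added example, not part of the original post or the quoted report: a small Python check that rebuilds the report's header table from a raw HTTP response, using the values the report recommends. The function names, status labels and sample responses are constructed for illustration.

```python
import re

def parse_headers(raw):
    """Header section of a raw HTTP response -> {lowercase name: [values]}."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    headers = {}
    for line in head.split("\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def hsts_effective(value):
    """True when max-age is present and greater than zero."""
    m = re.search(r'max-age\s*=\s*"?(\d+)', value, re.I)
    return bool(m) and int(m.group(1)) > 0

# One validator per header named in the report; values follow its recommendations.
CHECKS = {
    "x-frame-options": lambda v: v.upper() in ("DENY", "SAMEORIGIN"),
    "x-xss-protection": lambda v: v.replace(" ", "").lower() == "1;mode=block",
    "strict-transport-security": hsts_effective,
    "x-content-type-options": lambda v: v.lower() == "nosniff",
}

def audit(raw, https=True):
    """Return {header: 'Not set' | 'Duplicated' | 'Ineffective' | 'Set'}."""
    headers = parse_headers(raw)
    report = {}
    for name, valid in CHECKS.items():
        values = headers.get(name, [])
        if not values:
            report[name] = "Not set"
        elif name == "strict-transport-security" and not https:
            report[name] = "Ineffective"  # browsers ignore HSTS received over plain HTTP
        elif len(values) > 1:
            report[name] = "Duplicated"   # sent by more than one layer, e.g. proxy and app
        else:
            report[name] = "Set" if valid(values[0]) else "Ineffective"
    return report

# Constructed sample responses (not captured from a real server).
BEFORE = "HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: text/html\r\n\r\n<html></html>"
AFTER = ("HTTP/1.1 200 OK\r\nServer: nginx\r\n"
         "X-Frame-Options: SAMEORIGIN\r\n"
         "X-XSS-Protection: 1; mode=block\r\n"
         "Strict-Transport-Security: max-age=0\r\n"
         "X-Content-Type-Options: nosniff\r\n"
         "X-Content-Type-Options: nosniff\r\n\r\n")

if __name__ == "__main__":
    for label, response in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(response))
```
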

    Hello to everybody!


    I used to install OMV 2 and OMV 3 with a graphics card during the installation process, and removed it afterwards to save energy. All went well.


    2 days ago, I installed on the very same platform a clean OMV 4, did all the updates and so on, and when removing the graphics adapter, the system boots until a certain point, but consequently refuses to accept logins via web-GUI or ssh (both not reachable at all).


    I compared the syslog-file when booting _with_ and _without_ installed graphics card, and saw that they are more or less (not exactly) identical until the point:


    Apr 15 11:52:47 openmediavault proftpd[967]: 127.0.1.1 - ProFTPD 1.3.5b (maint) (built Wed Apr 5 2017 13:57:53 UTC) standalone mode STARTUP
    Apr 15 11:52:47 openmediavault proftpd[823]: .
    Apr 15 11:52:47 openmediavault systemd[1]: Started LSB: Starts ProFTPD daemon.
    Apr 15 11:52:47 openmediavault systemd[1]: Started Generate the prelogin message.
    Apr 15 11:52:47 openmediavault systemd[1]: Started LSB: minidlna server.
    Apr 15 11:53:14 openmediavault monit[935]: 'openmediavault' Monit 5.20.0 started
    Apr 15 11:53:14 openmediavault monit[935]: HTTP server -- Cannot translate IPv4 socket [localhost]:2812 -- Name or service not known
    Apr 15 11:53:14 openmediavault monit[935]: HTTP server -- Cannot translate IPv6 socket [localhost]:2812 -- Name or service not known


    There it stops, whereas with installed graphics adapter also SMB and other services get started.


    Nota bene: When installing OMV 3, and consequently upgrading to OMV 4, no problem removing graphics card, all works as expected.


    Thank you in advance for your ideas.


    Kind regards,
    Markus

    Thank you for your quick reply again.


    I just tried to re-produce it exactly as I did before, and see now to my surprise the correct Austrian DNS-servers. I am not sure how this is possible, because when I created the initial post, I have seen my Austrian server but the Algerian (where I am located at the moment) DNS-Servers when I tested it with F-secure (link below). I assume my question is resolved, but since I have no explication for this, I put below what I actually already prepared for replying to you when I executed in the background the f-secure-test and was surprised by the results. However, the network-manager still shows the local Algerian DNS-server as in use.


    I will also do some further testing, because I did not change anything during my first post and this one now.


    edit: I forgot to answer the question regarding CPU: It is an i3-2100, and memory I use 4 GB RAM.


    --


    Please find enclosed 3 screenshots:


    * One is the picture of OMV, with my public IP-address removed as requested, but it is correctly set in real life.


    * One is the system-view of the Ubuntu network manager, where you can see that it is using the local (Algerian) address, despite it is successfully connected to my server in Austria. When I do a „how is my ip-address“-request while using OpenVPN, I see my Austrian IP-address as well as the location 'Austria'.


    * The third screenshot, which brings [NOW: brought] me to the assumption that local DNS-servers are used despite a working OpenVPN-connection is from


    https://campaigns.f-secure.com/router-checker/


    where it displays [now: displayED] my Austrian server, but still reflects [now: reflected] to Algerian DNS-servers.

    Thank you for your quick reply tekkb.


    Sorry for not having expressed myself clearly enough.


    Regarding DNS-server:
    If I am using the OpenVPN-connection, it seems it is connecting to the server, but somehow seems to still use the local DNS-server. If I am mistaken, and the OpenVPN-server-DNS-entries are used, then of course this topic is resolved.


    Regarding VPN through SSH:
    Some countries who censor the internet also do deep-packet-inspection in order to determine if an OpenVPN-connection is established. If an OpenVPN-connection is detected, then the connection will be terminated. So it seems to help to add an additional layer around in order to complicate the identification of an OpenVPN-usage in the first place.

    Dear Developers,


    First of all, thank you for making OMV such a valuable and versatile platform with your plug-ins.


    In particular I have a question to OpenVPN: Do you think it would be possible to enable in the GUI the pushing of DNS-servers to the client, and also using ssh or other methods to hide the OpenVPN-traffic, by using checkboxes in the GUI?


    The reasoning behind my question: If one needs OpenVPN-access in countries where the internet is censored, then usually one needs also uncensored/unblocked DNS-servers, as well as might be needed to hide OpenVPN-traffic at all, like for China.


    I assume many people are interested in using OpenVPN while being noobs like me, and these features in the GUI could bring more liberty to noobs, too.


    Thank you for considering my request, and thank you for your very much appreciated work.


    Kind regards,
    Markus