Posts by new4u

    gwrosenbaum: If I may add just my 2 cents: Would it not be an option and do the opposite as you initially stipulated? I have similar requirements as you, and feel very happy using OMV as base system, with all disks and shares under its control, and then running in KVM several machines which I either let access shares, or created dynamic qcow2-files within a share? Many other features of Proxmox I did not feel the need to utilize anyway. By the way, I do not even use the Proxmox-kernel anymore, but run the standard backport kernels, which do a great job (if I am wrong regarding the kernel, I am happy to be corrected from the community here).

    If I may politely suggest considering the following option: setting up a KVM-machine and install subsequently an Ubuntu server, and after that following these instructions:

    https://www.linuxbabe.com/ubun…tu-20-04-nginx-lemp-stack


    Carsten Rieger even provided an installation script, besides his detailed descriptions (which I did not test, I was successful with the explanation of linuxbabe):

    https://www.c-rieger.de/nextcl…ion-mit-nur-einem-skript/

    https://www.c-rieger.de/nextcloud-installationsanleitung/


    It worked for me pretty smooth, keeps me independent of maintainers of containers and snaps, performs quite good, and is easy to backup, and I reduce the risk of messing up my base system which is OMV, hosting all the things I virtualized.

    Hm. With docker I am not firm. But the reason why I asked if you have KVM, and maybe the behaviour is similar in docker, is that I also had random reboots. Machine was up even 2 or 3 days, and suddenly rebooted, as if power would have gone unstable. No logs whatsoever, as if power supply failed, or any other power supplying component failing, causing a cold restart.


    However, the problem was that I did not create a "bridge" device in the OMV-GUI for the assigned network card. As soon as this device has been created with the NIC I intended to assign to my virtual machines, and as soon as it has subsequently been properly referred to "br0" in my Virtual Machine Manager for my virtual machines, all problems resolved, no sporadic unexplainable crashes at all.


    If you have IPv6 activated, maybe try with IPv4 only. Also this caused troubles for me sometimes.


    Maybe verify this is not causing your issues.

    Hello tinh_x7,


    I also suffered from your experience. If you use a linux-platform as desktop-OS: I was much happier installing Virtual Machine Manager, Cockpit does by far not cover what it should do.


    ---

    I installed on the server client:

    sudo apt install -y qemu-kvm libvirt-daemon-system libvirt-clients bridge-utils virt-manager qemu-utils virtinst libvirt-daemon

    ---


    on the server and on the client:

    sudo apt install ncat    # install on both client and server

    ---


    In virtual machine manager you can then choose via GUI for RDP the protocol 'spice'. Please note that you need to choose in the Virtual Machine Manager in "Display Spice" the dropdown 'all interfaces', otherwise you run again into the Cockpit-issue. If you specify also a TLS-port you have a fixed address for your external viewer; in my case Remmina.


    Additionally, for Windows there is a helper file from Fedora, which you install when Windows is running:


    https://fedorapeople.org/group…downloads/archive-virtio/


    Choose the latest directory, and run the ISO inside Windows, it will install a lot of useful things.


    If you need/want I can provide you my config-file; in which is in xml cleartext everything visible, and can also easily be imported by virsh define ConfigFileVirtualMachine.xml


    ---

    For _CREATING_ a Qemu-Disk in the terminal, skipping the hellish Cockpit:


    qemu-img create -f qcow2 /srv/dev-disk-by-label-8TBMai2020/VirtualMachines/Win10/Win10.qcow2 500G


    creates a machine in the path /srv/.. , the file is called Win10.qcow2, maximal size 500G (it is dynamically growing, with all its advantages and disadvantages)

    ---


    For _INSTALLING_ the Operating System I used:

    virt-install --name=Win10 --vcpus=1 --ram=8000 --init=/srv/ --os-variant=win10 --cdrom=/srv/dev-disk-by-label-6TBDisk1/Software/Microsoft/Windows_10_Install-ISO/Win10-Install.iso --disk=/srv/dev-disk-by-label-8TBMai2020/VirtualMachines/Win10/Win10.qcow2,format=qcow2


    Obviously, most of the things are self-explanatory. Can all be changed later in the Virtual Machine Manager.


    I personally cancel with Ctrl+c then the installation in the terminal, modify then afterwards in particular the network-interface manually in the network bridge, entering manually the name br0, setting VIRTIO to the HDDs and run the machine again.


    ----

    Hope that helps a bit.

    Dear Volker,


    First of all, thank you for the great product you have created with openmediavault!


    I run currently usul 5.4.6-1 and have made some tests on my servers. Among them was the one of https://pentest-tools.com/home , which (I think correctly, as the suggestions also apply for nextcloud) recommends hardening the NGINX-server-Block:


    Here the relevant part copied from the report which I think might be valid for many users who did not modify their standard files:


    Missing HTTP security headers

    HTTP Security Header         Header Role                                     Status
    X-Frame-Options              Protects against Clickjacking attacks           Not set
    X-XSS-Protection             Mitigates Cross-Site Scripting (XSS) attacks    Not set
    Strict-Transport-Security    Protects against man-in-the-middle attacks      Not set
    X-Content-Type-Options       Prevents possible phishing or XSS attacks



    Risk description:

    Because the X-Frame-Options header is not sent by the server, an attacker could embed this website into an iframe of a third party website. By manipulating the display attributes of the iframe, the attacker could trick the user into performing mouse clicks in the application, thus performing activities without user's consent (ex: delete user, subscribe to newsletter, etc). This is called a Clickjacking attack and it is described in detail here:

    https://www.owasp.org/index.php/Clickjacking

    The X-XSS-Protection HTTP header instructs the browser to stop loading web pages when they detect reflected Cross-Site Scripting (XSS) attacks. Lack of this header exposes application users to XSS attacks in case the web application contains such vulnerability.

    The HTTP Strict-Transport-Security header instructs the browser not to load the website via plain HTTP connection but always use HTTPS. Lack of this header exposes the application users to the risk of data theft or unauthorized modification in case the attacker implements a man-in-the-middle attack and intercepts the communication between the user and the server.

    The HTTP X-Content-Type-Options header is addressed to Internet Explorer browser and prevents it from reinterpreting the content of a web page (MIME-sniffing) and thus overriding the value of the Content-Type header. Lack of this header could lead to attacks such as Cross-Site Scripting or phishing.


    Recommendation:

    We recommend you to add the X-Frame-Options HTTP response header to every page that you want to be protected against Clickjacking attacks.

    More information about this issue:

    https://www.owasp.org/index.ph…cking_Defense_Cheat_Sheet


    We recommend setting the X-XSS-Protection header to "X-XSS-Protection: 1; mode=block".

    More information about this issue:

    https://developer.mozilla.org/…/Headers/X-XSS-Protection


    We recommend setting the Strict-Transport-Security header.

    More information about this issue:

    https://www.owasp.org/index.ph…port_Security_Cheat_Sheet


    We recommend setting the X-Content-Type-Options header to "X-Content-Type-Options: nosniff".

    More information about this issue:

    https://developer.mozilla.org/…rs/X-Content-Type-Options


    Thank you for your time and consideration.


    Kind regards,

    Markus
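
The four checks from the report quoted in the post above, as an added example that is not part of the original post or of openmediavault: it parses a response head, flags each header as set, weak or not set, and emits the matching nginx `add_header` lines. The sample response is constructed, and the X-Frame-Options and Strict-Transport-Security values are assumptions, since the report does not give values for those two.

```python
import re

# Values for X-XSS-Protection and X-Content-Type-Options come from the report;
# the X-Frame-Options and Strict-Transport-Security values are assumptions.
RECOMMENDED = {
    "X-Frame-Options": "SAMEORIGIN",
    "X-XSS-Protection": "1; mode=block",
    "Strict-Transport-Security": "max-age=31536000",
    "X-Content-Type-Options": "nosniff",
}

# Constructed sample response head (not captured from a real OMV host).
SAMPLE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx\r\n"
    "Content-Type: text/html\r\n"
    "x-frame-options: SAMEORIGIN\r\n"
    "Strict-Transport-Security: max-age=0\r\n"
    "\r\n"
)

def parse_head(raw):
    """Return {lowercased name: value}; header names are case-insensitive."""
    headers = {}
    for line in raw.splitlines()[1:]:          # skip the status line
        if not line.strip():
            break                              # blank line ends the head
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def is_weak(name, value):
    """A header that is present but does not actually protect."""
    if name == "X-Content-Type-Options":
        return value.lower() != "nosniff"
    if name == "X-Frame-Options":
        return value.upper() not in ("DENY", "SAMEORIGIN")
    if name == "Strict-Transport-Security":    # max-age=0 switches HSTS off
        m = re.search(r"max-age=(\d+)", value, re.I)
        return m is None or int(m.group(1)) == 0
    return False

def audit(raw):
    """Map each of the four headers to 'ok', 'weak' or 'not set'."""
    seen = parse_head(raw)
    return {n: "not set" if n.lower() not in seen
            else "weak" if is_weak(n, seen[n.lower()]) else "ok"
            for n in RECOMMENDED}

def nginx_fix(result):
    """nginx add_header lines for every header that is not 'ok'."""
    return [f'add_header {n} "{RECOMMENDED[n]}" always;'
            for n, status in result.items() if status != "ok"]
```

nginx inherits `add_header` from an outer level only when the current block defines no `add_header` of its own, so the emitted lines have to be present in every `server` or `location` block that sets other headers.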

    Hello to everybody!


    I used to install OMV 2 and OMV 3 with a graphics card during the installation process, and removed it afterwards to save energy. All went well.


    2 days ago, I installed on the very same platform a clean OMV 4, did all the updates and so on, and when removing the graphics adapter, the system boots until a certain point, but consequently refuses to accept logins via web-GUI or ssh (both not reachable at all).


    I compared the syslog-file when booting _with_ and _without_ installed graphics card, and saw that they are more or less (not exactly) identical until the point:


    Apr 15 11:52:47 openmediavault proftpd[967]: 127.0.1.1 - ProFTPD 1.3.5b (maint) (built Wed Apr 5 2017 13:57:53 UTC) standalone mode STARTUP
    Apr 15 11:52:47 openmediavault proftpd[823]: .
    Apr 15 11:52:47 openmediavault systemd[1]: Started LSB: Starts ProFTPD daemon.
    Apr 15 11:52:47 openmediavault systemd[1]: Started Generate the prelogin message.
    Apr 15 11:52:47 openmediavault systemd[1]: Started LSB: minidlna server.
    Apr 15 11:53:14 openmediavault monit[935]: 'openmediavault' Monit 5.20.0 started
    Apr 15 11:53:14 openmediavault monit[935]: HTTP server -- Cannot translate IPv4 socket [localhost]:2812 -- Name or service not known
    Apr 15 11:53:14 openmediavault monit[935]: HTTP server -- Cannot translate IPv6 socket [localhost]:2812 -- Name or service not known


    There it stops, whereas with installed graphics adapter also SMB and other services get started.


    Nota bene: When installing OMV 3, and consequently upgrading to OMV 4, no problem removing graphics card, all works as expected.


    Thank you in advance for your ideas.


    Kind regards,
    Markus

    Thank you for your quick reply again.


    I just tried to re-produce it exactly as I did before, and see now to my surprise the correct Austrian DNS-servers. I am not sure how this is possible, because when I created the initial post, I have seen my Austrian server but the Algerian (where I am located at the moment) DNS-Servers when I tested it with F-secure (link below). I assume my question is resolved, but since I have no explication for this, I put below what I actually already prepared for replying to you when I executed in the background the f-secure-test and was surprised by the results. However, the network-manager still shows the local Algerian DNS-server as in use.


    I will also do some further testing, because I did not change anything during my first post and this one now.


    edit: I forgot to answer the question regarding CPU: It is an i3-2100, and memory I use 4 GB RAM.


    --


    Please find enclosed 3 screenshots:


    * One is the picture of OMV, with my public IP-address removed as requested, but it is correctly set in real life.


    * One is the system-view of the Ubuntu network manager, where you can see that it is using the local (Algerian) address, despite it is successfully connected to my server in Austria. When I do a „how is my ip-address“-request while using OpenVPN, I see my Austrian IP-address as well as the location 'Austria'.


    * The third screenshot, which brings [NOW: brought] me to the assumption that local DNS-servers are used despite a working OpenVPN-connection is from


    https://campaigns.f-secure.com/router-checker/


    where it displays [now: displayED] my Austrian server, but still reflects [now: reflected] to Algerian DNS-servers.

    Thank you for your quick reply tekkb.


    Sorry for not having expressed myself clearly enough.


    Regarding DNS-server:
    If I am using the OpenVPN-connection, it seems it is connecting to the server, but somehow seems to still use the local DNS-server. If I am mistaken, and the OpenVPN-server-DNS-entries are used, then of course this topic is resolved.


    Regarding VPN through SSH:
    Some countries who censor the internet also do deep-packet-inspection in order to determine if an OpenVPN-connection is established. If an OpenVPN-connection is detected, then the connection will be terminated. So it seems to help to add an additional layer around in order to complicate the identification of an OpenVPN-usage in the first place.

    Dear Developers,


    First of all, thank you for making OMV such a valuable and versatile platform with your plug-ins.


    In particular I have a question to OpenVPN: Do you think it would be possible to enable in the GUI the pushing of DNS-servers to the client, and also using ssh or other methods to hide the OpenVPN-traffic, by using checkboxes in the GUI?


    The reasoning behind my question: If one needs OpenVPN-access in countries where the internet is censored, then usually one needs also uncensored/unblocked DNS-servers, as well as might be needed to hide OpenVPN-traffic at all, like for China.


    I assume many people are interested in using OpenVPN while being noobs like me, and these features in the GUI could bring more liberty to noobs, too.


    Thank you for considering my request, and thank you for your very much appreciated work.


    Kind regards,
    Markus