Beiträge von kavejo

Good evening,

This evening I started to deploy OMV on a RPi3 using the latest image available.
Once deployed I have added testing & community repo's and update the system.

I am facing a very strange behaviour with the on-board networks though.
I have enabled both eth0 and wlan0. If I leave the ethernet cable plugged in (and connected) then I can browse to both the RPi IP's (the LAN and the WLAN ones).
As soon as I unplug the ethernet cable, OMV becomes unreachable and I cannot browse to its webpage or connect via SSH.
If I re-plug the ethernet cable all return functional and I can connect via HTTPS or SSH on both the IP's.

I thought it might have been losing the connection however checking the router administration page I can see the RPI connected and transmitting/receiving data.
Even after a reboot (that would disconnect and re-connect from the Wireless LAN), I can see it connects successfully to the router however for some reason it is unreachable via SSH or HTTPS.

Just to tule out the obvious I have tried with different clients as well, some wired, other wireless.

I have tried with both static and dynamic IP's, that made no difference.

I might plug in another Wireless dongle (I have a spare D-Link DWA-121) just to see if it works using that one.
Nevertheless I thought to post on the board, just to see if anyone else has seen this odd behaviour?

Regards,
Tommy

This is discussed also here.

Same here,

I did a fresh install of OMV 3 and while this picked up all the drives, raid, etc.
lex was not working as expected sadly.

I did select an internal drive on the Plex plug-in (the same drive containing the Plex DB) on my OMV 2 installation, however it was starting as a fresh Plex Server and did have any data.
It prompted to add libraries and did not show any movie/music/tv show.

I have checked and it seems it was starting from /var/lib/plexmediaserver as opposed to /media/UUID/plexmediaserver.
I was tempted to create a symlink in /var/lib so that plexmediaserver pointed to /media/UUID/plexmediaserver however I was unsure if this was going to break any functionality or mess up the upgrade.

I ended up re-imaging the OS drive using a back-up from last month, made with Clonezilla.

Regards,
Tommy

Hello everuone!

I've just tried to implement that so to get notifications via PushOver.

I have created a Python script as follows.

import httplib, urllib, os
conn = httplib.HTTPSConnection("api.pushover.net:443")
conn.request("POST", "/1/messages.json",
  urllib.urlencode(
  {
    "token": "APP TOKEN",
    "user": "USER TOKEN",
    "subject": os.environ["OMV_NOTIFICATION_SUBJECT"],
    "message": os.environ["OMV_NOTIFICATION_MESSAGE_FILE"],
  }),
  { "Content-type": "application/x-www-form-urlencoded" }
)
conn.getresponse()

Unfortunately the variables does not seem to exist.
I did try to run python PushOver.py and I get the following error.

Traceback (most recent call last):
  File "PushOver.py", line 8, in <module>
    "subject": os.environ["OMV_NOTIFICATION_SUBJECT"],
  File "/usr/lib/python2.7/UserDict.py", line 23, in __getitem__
    raise KeyError(key)
KeyError: 'OMV_NOTIFICATION_SUBJECT'

Would anyone have any suggestion?

Thanks,
Tommy

Hi guys,

I am testing OMV 3 in Azure before upgrading my NAS.
Has anyone got any sample script for sending push notification to PushOver via sink.d?

Thanks,
Tommy

Hi @gderf,

Not doing anything special.

I just happen to have a server with 2 1Gbps NIC's so I have configured both of them as if I have to move data to/from 2 clients I can achieve better performances (1Gbps per client).
Also, this is helpful as, worst case scenario, should one NIC die, I can always reach the server on the other one.

I was looking to team them up but the router (a BT Home Hub 5) would not support teaming.

Regards,
Tommy

Hi @ryecoaaron,

Thanks for the hint. I have just tried removing the gateway from one and the other NIC, one at a time and that seems to resolve the problem.

That is quite odd as I have been running with 2 NIC's with the gateway configured on both for some time (more than an year) and have never had problems with ifdown and ifup.

Thanks again.

Kudos to you as you seem to know the answer to all the issue I have faced so far

Thanks,
Tommy

Hi guys,

I am facing a very strange issue.

Today I have started my NAS and it wouldn't be reachable (neither the web interface nor smb nor Plex).
I have rebooted the server once more (an HP Gen 8 MicroServer) and still no client would be able to connect.

At that point I have restored the OS from a backup (I clone the OS drive weekly).
Now I do have network connectivity but I am seeing very strange behaviours for eth0.

On boot I can see the following.

Mon Aug  1 19:48:08 2016: Setting up resolvconf.../etc/resolvconf/update.d/libc: Warning: /etc/resolv.conf is not a symbolic link to /etc/resolvconf/run/resolv.conf
Mon Aug  1 19:48:09 2016: done.Mon Aug  1 19:48:09 2016: Configuring network interfaces.../etc/resolvconf/update.d/libc: Warning: /etc/resolv.conf is not a symbolic link to /etc/resolvconf/run/resolv.conf
Mon Aug  1 19:48:09 2016: RTNETLINK answers: File exists
Mon Aug  1 19:48:09 2016: Failed to bring up eth0.Mon Aug  1 19:48:09 2016: done.

The same error, though, is not logged for eth1 (configured in the same way - static IP, different IP address in the same range).

If I try to run ifup & ifdown for eth0 I see the following:

Instead, if I do the same for eth1 I get a totally different output:

root@OMV:~# ifdown eth1 -v
Configuring interface eth1=eth1 (inet)
run-parts --verbose /etc/network/if-down.d
run-parts: executing /etc/network/if-down.d/postfix
run-parts: executing /etc/network/if-down.d/resolvconf
/etc/resolvconf/update.d/libc: Warning: /etc/resolv.conf is not a symbolic link to /etc/resolvconf/run/resolv.conf
run-parts: executing /etc/network/if-down.d/upstart
run-parts: executing /etc/network/if-down.d/wpasupplicant
 ip route del default via 192.168.1.254  dev eth1 2>&1 1>/dev/null || true
ip -4 addr flush dev eth1 label eth1
ip link set dev eth1 down
run-parts --verbose /etc/network/if-post-down.d
run-parts: executing /etc/network/if-post-down.d/avahi-daemon
run-parts: executing /etc/network/if-post-down.d/ifenslave
+ BOND_PARAMS=/sys/class/net/eth1/bonding
+ IFSTATE=/etc/network/run/ifstate
+ [ -f /sys/class/net/eth1/master/bonding/slaves ]
+ [ ! -f /sys/class/net/eth1/bonding/slaves ]
+ exit
run-parts: executing /etc/network/if-post-down.d/openmediavault-issue
run-parts: executing /etc/network/if-post-down.d/wireless-tools
run-parts: executing /etc/network/if-post-down.d/wpasupplicant
Configuring interface eth1=eth1 (inet6)
run-parts --verbose /etc/network/if-down.d
run-parts: executing /etc/network/if-down.d/postfix
run-parts: executing /etc/network/if-down.d/resolvconf
run-parts: executing /etc/network/if-down.d/upstart
run-parts: executing /etc/network/if-down.d/wpasupplicant
ip -6 addr flush dev $IFACE
run-parts --verbose /etc/network/if-post-down.d
run-parts: executing /etc/network/if-post-down.d/avahi-daemon
run-parts: executing /etc/network/if-post-down.d/ifenslave
+ BOND_PARAMS=/sys/class/net/eth1/bonding
+ IFSTATE=/etc/network/run/ifstate
+ [ -f /sys/class/net/eth1/master/bonding/slaves ]
+ [ ! -f /sys/class/net/eth1/bonding/slaves ]
+ exit
run-parts: executing /etc/network/if-post-down.d/openmediavault-issue
run-parts: executing /etc/network/if-post-down.d/wireless-tools
run-parts: executing /etc/network/if-post-down.d/wpasupplicant
root@OMV:~# ifup eth1 -v
Configuring interface eth1=eth1 (inet)
run-parts --verbose /etc/network/if-pre-up.d
run-parts: executing /etc/network/if-pre-up.d/ethtool
run-parts: executing /etc/network/if-pre-up.d/ifenslave
+ IFSTATE=/etc/network/run/ifstate
+ IF_BOND_SLAVES=
+ [  ]
+ [  ]
+ [ -z  ]
+ exit
run-parts: executing /etc/network/if-pre-up.d/wireless-tools
run-parts: executing /etc/network/if-pre-up.d/wpasupplicant
ip addr add 192.168.1.15/255.255.255.0 broadcast 192.168.1.255    dev eth1 label eth1
ip link set dev eth1   up
 ip route add default via 192.168.1.254  dev eth1
run-parts --verbose /etc/network/if-up.d
run-parts: executing /etc/network/if-up.d/000resolvconf
/etc/resolvconf/update.d/libc: Warning: /etc/resolv.conf is not a symbolic link to /etc/resolvconf/run/resolv.conf
run-parts: executing /etc/network/if-up.d/avahi-daemon
run-parts: executing /etc/network/if-up.d/ethtool
run-parts: executing /etc/network/if-up.d/ifenslave
+ [  ]
run-parts: executing /etc/network/if-up.d/mountnfs
run-parts: executing /etc/network/if-up.d/openmediavault-issue
run-parts: executing /etc/network/if-up.d/openssh-server
run-parts: executing /etc/network/if-up.d/postfix
run-parts: executing /etc/network/if-up.d/upstart
run-parts: executing /etc/network/if-up.d/wpasupplicant
Configuring interface eth1=eth1 (inet6)
run-parts --verbose /etc/network/if-pre-up.d
run-parts: executing /etc/network/if-pre-up.d/ethtool
run-parts: executing /etc/network/if-pre-up.d/ifenslave
+ IFSTATE=/etc/network/run/ifstate
+ IF_BOND_SLAVES=
+ [  ]
+ [  ]
+ [ -z  ]
+ exit
run-parts: executing /etc/network/if-pre-up.d/wireless-tools
run-parts: executing /etc/network/if-pre-up.d/wpasupplicant
run-parts --verbose /etc/network/if-up.d
run-parts: executing /etc/network/if-up.d/000resolvconf
run-parts: executing /etc/network/if-up.d/avahi-daemon
run-parts: executing /etc/network/if-up.d/ethtool
run-parts: executing /etc/network/if-up.d/ifenslave
+ [  ]
run-parts: executing /etc/network/if-up.d/mountnfs
run-parts: executing /etc/network/if-up.d/openmediavault-issue
run-parts: executing /etc/network/if-up.d/openssh-server
run-parts: executing /etc/network/if-up.d/postfix
run-parts: executing /etc/network/if-up.d/upstart
run-parts: executing /etc/network/if-up.d/wpasupplicant
root@OMV:~#

Then again, checking the ifstate file, it seems eth0 is not listed, adding it manually or removing the file, though does not seem to make any change.

root@OMV:~# cat /etc/network/run/ifstate
lo=lo
eth1=eth1
root@OMV:~#

I can't see anything wrong on /etc/network/interfaces.

# The loopback network interface
auto lo
iface lo inet loopback


# eth1 network interface
auto eth1
allow-hotplug eth1
iface eth1 inet static
    address 192.168.1.15
    gateway 192.168.1.254
    netmask 255.255.255.0
    dns-nameservers 192.168.1.254
    dns-search home
iface eth1 inet6 manual
    pre-down ip -6 addr flush dev $IFACE


# eth0 network interface
auto eth0
allow-hotplug eth0
iface eth0 inet static
    address 192.168.1.10
    gateway 192.168.1.254
    netmask 255.255.255.0
    dns-nameservers 192.168.1.254
    dns-search home
iface eth0 inet6 manual
    pre-down ip -6 addr flush dev $IFACE

I have also tried disabling and re-enabling eth0 from the WebUI (bearing in mind that the UI can be reached on the IP associated to the misbehaving interface).
I have tried to make amendments (as well as delete (/etc/network/run/ifstate) and reboot. Still I can't get out of this situation.

Does anyone have any idea/suggestion?

Thanks,
Tommy

Good evening,

I'm trying to harden the OMV WebUI by enforcing only strong ciphers and drop the plain Diffle Hellman key exchange.
In the same way I wish to enforce TLS 1.2 and drop any previous/weaker protocol.

I have checked /usr/share/openmediavault/mkconf/nginx.d/10webgui and I can see entries specifying TLS versio and ciphers via variables, how can I set/customize these values?

Thank you.

I'd be very much interested too if this is achievable.
Nowadays OneDrive allows easily up to 1TB and can let you stream your music library (if in sync).

Yup,

Have been using flashmemory since day 1
The average data written per day was about 30 Mb so I strongly doubt there is any wear on the card.

Hi @ryecoaaron,

OMV is running from an high-end SD card (32 GB Samsung Pro) which has never ever got a problem (I was running OMV Sardukar just fine from the same).

monit stop omv-engined and omv-engined -df does not seem to help.

I have tried to look at /var/log/messages but I cannot grep any error.

Thanks,
Tommy

Hello everyone,

I have just re-installed OMV on my Nas box (HP MicroServer Getn 8).
I was running Kralizec and I decided to do a fresh install using Stone Burner.

Unfortunately I am having some issues with the web interface.
After boot this is not accessible, actually I cannot even telnet to the NAS IP:443 or IP:80; the connection times out.

This is a blank installation, all I have is Transmission + SMB + SSH, nothing else is running or installed.

I have searched the forum and have seen that this may be common when installing OwnCloud or Apache2, which, in my case are not installed.
I have tried to change ports, moving from 80/443 to 8080/9443 but I cannot make it work.

Sometimes it does work after a service nginx restart plus a omv-firstaid, some other times I cannot get it to work.
Sometimes all it needs is a service openmediavault-engined restart.

At the same time all the other protocols (SSH, SMB) works like a charm.

Has anyone got any suggestion?

Thanks,
Tommy

Hello everyone,

I'm trying to import a couple of keys from PuttyGen (exported private key and public key from PuttyGen) but I keep getting an error.

The private Key I use is the one from "Export OpenSSH Key" and has a format like:

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,5FEA76B59894B00C
[Content]
-----END RSA PRIVATE KEY-----

The public key instead comes from "Public key for pasting into OpenSSH authorized_keys file" and has a format like:

ssh-rsa [Content] {Comment]

Despite that I keep getting the following error:

Invalid private key: error:0906A068:PEM routines:PEM_do_header:bad password read


Error #6000:
exception 'OMVException' with message 'Invalid private key: error:0906A068:PEM routines:PEM_do_header:bad password read' in /usr/share/openmediavault/engined/rpc/certificatemgmt.inc:552
Stack trace:
#0 [internal function]: OMVRpcServiceCertificateMgmt->setSsh(Array, Array)
#1 /usr/share/php/openmediavault/rpcservice.inc(125): call_user_func_array(Array, Array)
#2 /usr/share/php/openmediavault/rpc.inc(79): OMVRpcServiceAbstract->callMethod('setSsh', Array, Array)
#3 /usr/sbin/omv-engined(500): OMVRpc::exec('CertificateMgmt', 'setSsh', Array, Array, 1)
#4 {main}

Can I kindly ask for some directions please?

Thank you.

Best regards,

Yeah, I have been using knockd when on a CentOS VM on DigitalOcean.
That was quite good and I was using a sequence to open the port and another to close the port (when a short open-time was not an option).

On Azure is quite different as even if you get a public IP you have n/w ACL's that controls the endpoints (for a max of 255 ports open per IP) which implies the used ports are quite easily guessable.
This means, I would only have ~ 245 ports available for the knocking with which a 5 port sequence would imply 5^245 combinations; still a lot (5.5*10^174) but far more guessable than 5^65000.

I will be looking to change the following env variables as a starting point:
OMV_SSHD_SERVERKEYBITS=768 to 4096
OMV_SSHD_LOGINGRACETIME=120 to 5

I will also check if I can find any way to get a more recent version of OpenSSH (like the Wheezy back-port one you suggested).

Good calla bout the OSX Yosemite limitation due to OpenSSH 6.2.
Will try to find out if El Capitan has got any update, SSH wise.

Thanks,
Tommy

Hey @subzero79,

That is an excellent suggestion

I was not aware of these env variables which actually control the server key size and the grace timeout (2 things I was looking to change):

ssh: OMV_SSHD_X11FORWARDING=yes
ssh: OMV_SSHD_KEYREGENERATIONINTERVAL=3600
ssh: OMV_SSHD_SERVERKEYBITS=768
ssh: OMV_SSHD_LOGINGRACETIME=120
ssh: OMV_SSHD_PUBKEYAUTHENTICATION=yes
ssh: OMV_SSHD_HOSTBASEDAUTHENTICATION=no

Nothing wrong with iptables, never thought they're inadequate or bad.
I found sometimes difficult to work with iptables as given 2 of my OMV are running on Azure I may lock myself out.
This happened when I tried once to DROP by default and allow 80,443 and 22 but I reckon I had set an incorrect order and that prevented me from using both SSH and the WebUI.
This why I avoid using them if I can - just to avoid doing something stupid again

Of course this does not apply to OMV running on the HP Micrsoserver as I can always use ILO to connect via shell.

Regards,
Tommy

@WastlJ, no, no public IP even though it never changes.
I'm suing a CNAME (for a friendly URL) that via DynDNS points to my OMV as I need to access it from internet from time to time.

@ryecoaaron, as a workaround I've been turning off SSH and only enable it via the WebUI when I actually need to use it.
As a workaround it does work as good as changing port I reckon. The only thing is that I was looking to secure the shell as a "best practice".

Regards,
Tommy

LOL

Yeah, I'd quite like to keep SSH as secure as possible given I get few thousands of random connection attempts from random IP's throughout the day.
I'm aware this would be superfluous as nobody broke in yet but, given I do not rely on iptables (and therefore I cannot user fail2ban) I think this is the only option left.

ideally I would also like to reduce the timeout to 5 seconds (from the default 30 seconds) and increase the server key size to 4096 bit but I know the sshd_config file gets re-written at every reboot.

Tommy

Hi @WastlJ,

Thanks for your input.

I do have Key auth working, and to be fair with common ciphers that is working very good.
I have got a 4096 bit key and I successfully connect when using:

• KexAlgorithms diffie-hellman-group-exchange-sha256
• Ciphers aes256-ctr
• MACs hmac-sha2-256

My question is actually, how do you get stronger ciphers working on OMV?
The ciphers I want to use are stronger and more robust and they guarantee a higher level of encryption/security.

The one I want to use (and that seems not to work with OMV at this very moment) are:

• KexAlgorithms curve25519-sha256@libssh.org
• Ciphers chacha20-poly1305@openssh.com
• MACs hmac-sha2-512-etm@openssh.com

Hope that clarifies my question.

Thanks,
Tommy

Hello everyone,

I'm trying to harden SSH on OMV but I'm hitting a roadblock.

I've disable root login and forced key authentication only, anyway I'm struggling in hardening the ciphers, the key exchange algorithm and the message auth codes.

My ideal configuration would be something close to:

KexAlgorithms curve25519-sha256@libssh.org
Ciphers chacha20-poly1305@openssh.com
MACs hmac-sha2-512-etm@openssh.com

But with this configuration, when connecting (I only used Putty and the built-in SSH client on the Mac) I get a connection error.

The most secure configuration I managed to get is instead:

KexAlgorithms diffie-hellman-group-exchange-sha256
Ciphers aes256-ctr
MACs hmac-sha2-256

Even simply adding the MAC hmac-sha2-512 prevent Putty from conencting.
Adding any other Cyphers but aes256-ctr or any other Kex but diffie-hellman-group-exchange-sha256 prevent Putty from connecting as well.

Do you have any suggestion on how to achieve the desired encryption level (which would get rid of all the less secure ciphers)?

Thank you.
Tommy