Posts by kavejo

    Same here,


    I did a fresh install of OMV 3 and, while this picked up all the drives, RAID, etc.,
    Plex was not working as expected, sadly.


    I did select an internal drive in the Plex plug-in (the same drive containing the Plex DB) on my OMV 2 installation; however, it was starting as a fresh Plex Server and did not have any data.
    It prompted to add libraries and did not show any movie/music/tv show.


    I have checked and it seems it was starting from /var/lib/plexmediaserver as opposed to /media/UUID/plexmediaserver.
    I was tempted to create a symlink in /var/lib so that plexmediaserver pointed to /media/UUID/plexmediaserver however I was unsure if this was going to break any functionality or mess up the upgrade.


    I ended up re-imaging the OS drive using a back-up from last month, made with Clonezilla.


    Regards,
    Tommy

    Hello everyone!


    I've just tried to implement that so to get notifications via PushOver.


    I have created a Python script as follows.



    Unfortunately the variables do not seem to exist.
    I did try to run python PushOver.py and I get the following error.



    Code
    Traceback (most recent call last):
    File "PushOver.py", line 8, in <module>
    "subject": os.environ["OMV_NOTIFICATION_SUBJECT"],
    File "/usr/lib/python2.7/UserDict.py", line 23, in __getitem__
    raise KeyError(key)
    KeyError: 'OMV_NOTIFICATION_SUBJECT'


    Would anyone have any suggestion?


    Thanks,
    Tommy
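An added example (not the script from the post above, which is not reproduced on the page): a Pushover sink for OMV notifications that reads its inputs from the environment without crashing when launched by hand. The KeyError in the traceback is what `os.environ["..."]` raises when the variable is absent, which is the case whenever the script is run from a shell rather than by OMV's notification dispatcher. Of the names used here only OMV_NOTIFICATION_SUBJECT appears on the page; OMV_NOTIFICATION_MESSAGE_FILE, PUSHOVER_TOKEN and PUSHOVER_USER are this example's own assumptions. The Pushover endpoint and its 250/1024-character title/message limits are the public API's.

```python
"""Added example: Pushover sink for OMV notifications (not the post's script).
OMV_NOTIFICATION_SUBJECT is the variable seen in the traceback; the other
OMV_* / PUSHOVER_* names are assumptions made for this example."""
import os
import sys

try:  # Python 3
    from urllib.parse import urlencode
    from urllib.request import Request, urlopen
except ImportError:  # Python 2.7, the interpreter shown in the traceback
    from urllib import urlencode
    from urllib2 import Request, urlopen

PUSHOVER_URL = "https://api.pushover.net/1/messages.json"
TITLE_LIMIT, MESSAGE_LIMIT = 250, 1024  # Pushover API field limits
# Credentials come from the environment so the API token is never in the script.
REQUIRED = ("PUSHOVER_TOKEN", "PUSHOVER_USER", "OMV_NOTIFICATION_SUBJECT")


class MissingVariable(Exception):
    """Raised with a readable list instead of the bare KeyError from the post."""


def read_message(env):
    """Body from the file OMV is assumed to point at; empty if unavailable."""
    path = env.get("OMV_NOTIFICATION_MESSAGE_FILE")  # assumed variable name
    if not path or not os.path.isfile(path):
        return ""
    with open(path) as handle:
        return handle.read()


def build_payload(env):
    """Assemble the Pushover POST fields, validating every input up front."""
    missing = [name for name in REQUIRED if not env.get(name)]
    if missing:
        raise MissingVariable("not set: " + ", ".join(missing))
    subject = env["OMV_NOTIFICATION_SUBJECT"].strip()
    body = read_message(env).strip() or subject  # fall back to the subject
    return {
        "token": env["PUSHOVER_TOKEN"],
        "user": env["PUSHOVER_USER"],
        "title": subject[:TITLE_LIMIT],
        "message": body[:MESSAGE_LIMIT],
    }


def send(payload):
    """POST the payload to Pushover; returns the HTTP status code."""
    request = Request(PUSHOVER_URL, urlencode(payload).encode("utf-8"))
    response = urlopen(request, timeout=10)
    return response.getcode()


def main(argv):
    try:
        payload = build_payload(os.environ)
    except MissingVariable as exc:
        # `python PushOver.py` from a shell lands here: the OMV_NOTIFICATION_*
        # variables only exist when OMV's notification system runs the script.
        sys.stderr.write("PushOver: %s (running outside OMV's notification hook?)\n" % exc)
        return 2
    if "--dry-run" in argv:
        # Show what would be sent, but never echo the API token.
        print(dict((k, v) for k, v in payload.items() if k != "token"))
        return 0
    return 0 if send(payload) == 200 else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

To test it by hand without waiting for a real event, export the variables yourself: `OMV_NOTIFICATION_SUBJECT="test" PUSHOVER_TOKEN=... PUSHOVER_USER=... python PushOver.py --dry-run`. Without them the script exits 2 with a message naming the missing variables instead of a traceback.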

    Hi @gderf,


    Not doing anything special.


    I just happen to have a server with two 1 Gbps NICs, so I have configured both of them: if I have to move data to/from two clients I can achieve better performance (1 Gbps per client).
    Also, this is helpful as, in the worst-case scenario, should one NIC die, I can always reach the server on the other one.


    I was looking to team them up but the router (a BT Home Hub 5) would not support teaming.


    Regards,
    Tommy

    Hi @ryecoaaron,


    Thanks for the hint. I have just tried removing the gateway from one and the other NIC, one at a time and that seems to resolve the problem.


    That is quite odd, as I have been running with two NICs with the gateway configured on both for some time (more than a year) and have never had problems with ifdown and ifup.


    Thanks again.


    Kudos to you, as you seem to know the answer to all the issues I have faced so far ;)


    Thanks,
    Tommy

    Hi guys,


    I am facing a very strange issue.


    Today I started my NAS and it was not reachable (neither the web interface nor SMB nor Plex).
    I rebooted the server once more (an HP Gen 8 MicroServer) and still no client was able to connect.


    At that point I have restored the OS from a backup (I clone the OS drive weekly).
    Now I do have network connectivity but I am seeing very strange behaviours for eth0.



    On boot I can see the following.

    Code
    Mon Aug 1 19:48:08 2016: Setting up resolvconf.../etc/resolvconf/update.d/libc: Warning: /etc/resolv.conf is not a symbolic link to /etc/resolvconf/run/resolv.conf
    Mon Aug 1 19:48:09 2016: done.Mon Aug 1 19:48:09 2016: Configuring network interfaces.../etc/resolvconf/update.d/libc: Warning: /etc/resolv.conf is not a symbolic link to /etc/resolvconf/run/resolv.conf
    Mon Aug 1 19:48:09 2016: RTNETLINK answers: File exists
    Mon Aug 1 19:48:09 2016: Failed to bring up eth0.Mon Aug 1 19:48:09 2016: done.





    The same error, though, is not logged for eth1 (configured in the same way - static IP, different IP address in the same range).


    If I try to run ifup & ifdown for eth0 I see the following:


    Instead, if I do the same for eth1 I get a totally different output:



    Then again, checking the ifstate file, it seems eth0 is not listed; adding it manually or removing the file, though, does not seem to make any difference.


    Code
    root@OMV:~# cat /etc/network/run/ifstate
    lo=lo
    eth1=eth1
    root@OMV:~#


    I can't see anything wrong on /etc/network/interfaces.



    I have also tried disabling and re-enabling eth0 from the WebUI (bearing in mind that the UI can be reached on the IP associated with the misbehaving interface).
    I have tried making amendments (as well as deleting /etc/network/run/ifstate) and rebooting. Still I can't get out of this situation.


    Does anyone have any idea/suggestion?


    Thanks,
    Tommy
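An added example, not part of either post, for the two-NIC problem described here and resolved in the reply above (removing the gateway from one interface). ifupdown adds a default route for every stanza carrying a `gateway` line; once one default route exists the kernel refuses a second with EEXIST, which ifup prints as "RTNETLINK answers: File exists" followed by "Failed to bring up ethN". The script below parses an /etc/network/interfaces file, reports stanzas that each declare a gateway, and returns a copy with the extra `gateway` lines removed. The sample file is constructed for the example; the addresses in it are not from the page.

```python
"""Added example: lint /etc/network/interfaces for more than one `gateway`
line, the cause of "RTNETLINK answers: File exists" on ifup. Sample file is
constructed; it is not the poster's configuration."""

SAMPLE_INTERFACES = """\
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
    address 192.168.1.10
    netmask 255.255.255.0
    gateway 192.168.1.1
    dns-nameservers 192.168.1.1

auto eth1
iface eth1 inet static
    address 192.168.1.11
    netmask 255.255.255.0
    gateway 192.168.1.1
"""


def parse_interfaces(text):
    """Return {iface: {option: value}} for every `iface NAME FAMILY METHOD` stanza."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        words = line.split()
        if words[0] == "iface":
            current = words[1]
            stanzas[current] = {"family": words[2], "method": words[3]}
        elif words[0] in ("auto", "allow-hotplug", "source", "mapping"):
            current = None  # these keywords end the preceding stanza
        elif current is not None:
            stanzas[current][words[0]] = " ".join(words[1:])
    return stanzas


def gateways(stanzas):
    """(interface, gateway) pairs in file order for every stanza with a gateway."""
    return [(name, opts["gateway"]) for name, opts in stanzas.items() if "gateway" in opts]


def lint(text):
    """Human-readable findings; an empty list means no default-route conflict."""
    found = gateways(parse_interfaces(text))
    findings = []
    if len(found) > 1:
        names = ", ".join(name for name, _ in found)
        findings.append(
            "multiple default gateways (%s): only one default route can exist, "
            "ifup for the others fails with 'RTNETLINK answers: File exists'" % names)
    return findings


def drop_extra_gateways(text, keep):
    """Copy of the file with `gateway` lines removed from every stanza except `keep`."""
    out, current = [], None
    for raw in text.splitlines():
        words = raw.split()
        if words and words[0] == "iface":
            current = words[1]
        if words and words[0] == "gateway" and current != keep:
            continue
        out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for finding in lint(SAMPLE_INTERFACES) or ["no conflicting gateways"]:
        print(finding)
    print(drop_extra_gateways(SAMPLE_INTERFACES, keep="eth0"))
```

Run it against the real file with `lint(open("/etc/network/interfaces").read())`; keeping the gateway on the interface you reach from outside the subnet and dropping it from the second leaves both addresses reachable locally, which is the workaround the reply above arrives at.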

    Good evening,


    I'm trying to harden the OMV WebUI by enforcing only strong ciphers and dropping the plain Diffie-Hellman key exchange.
    In the same way I wish to enforce TLS 1.2 and drop any previous/weaker protocol.


    I have checked /usr/share/openmediavault/mkconf/nginx.d/10webgui and I can see entries specifying the TLS version and ciphers via variables; how can I set/customize these values?


    Thank you.

    Hi @ryecoaaron,


    OMV is running from a high-end SD card (32 GB Samsung Pro) which has never ever had a problem (I was running OMV Sardaukar just fine from the same).


    monit stop omv-engined and omv-engined -df do not seem to help.


    I have tried to look at /var/log/messages but I cannot grep any error.


    Thanks,
    Tommy

    Hello everyone,


    I have just re-installed OMV on my NAS box (HP MicroServer Gen 8).
    I was running Kralizec and I decided to do a fresh install using Stone Burner.


    Unfortunately I am having some issues with the web interface.
    After boot this is not accessible; actually, I cannot even telnet to the NAS IP:443 or IP:80, the connection times out.


    This is a blank installation, all I have is Transmission + SMB + SSH, nothing else is running or installed.


    I have searched the forum and have seen that this may be common when installing OwnCloud or Apache2, which, in my case, are not installed.
    I have tried to change ports, moving from 80/443 to 8080/9443, but I cannot make it work.


    Sometimes it does work after a service nginx restart plus an omv-firstaid; some other times I cannot get it to work.
    Sometimes all it needs is a service openmediavault-engined restart.


    At the same time all the other protocols (SSH, SMB) work like a charm.


    Has anyone got any suggestion?


    Thanks,
    Tommy

    Hello everyone,


    I'm trying to import a couple of keys from PuTTYgen (exported private key and public key from PuTTYgen) but I keep getting an error.


    The private Key I use is the one from "Export OpenSSH Key" and has a format like:

    Code
    -----BEGIN RSA PRIVATE KEY-----
    Proc-Type: 4,ENCRYPTED
    DEK-Info: DES-EDE3-CBC,5FEA76B59894B00C
    [Content]
    -----END RSA PRIVATE KEY-----


    The public key instead comes from "Public key for pasting into OpenSSH authorized_keys file" and has a format like:

    Code
    ssh-rsa [Content] [Comment]


    Despite that I keep getting the following error:


    Can I kindly ask for some directions please?


    Thank you.


    Best regards,

    Yeah, I have been using knockd when on a CentOS VM on DigitalOcean.
    That was quite good and I was using a sequence to open the port and another to close the port (when a short open-time was not an option).


    On Azure it is quite different, as even if you get a public IP you have network ACLs that control the endpoints (for a max of 255 ports open per IP), which implies the used ports are quite easily guessable.
    This means I would only have ~245 ports available for the knocking, with which a 5-port sequence would imply 5^245 combinations; still a lot (5.5*10^174) but far more guessable than 5^65000.


    I will be looking to change the following env variables as a starting point:
    OMV_SSHD_SERVERKEYBITS=768 to 4096
    OMV_SSHD_LOGINGRACETIME=120 to 5


    I will also check if I can find any way to get a more recent version of OpenSSH (like the Wheezy back-port one you suggested).


    Good call about the OS X Yosemite limitation due to OpenSSH 6.2.
    Will try to find out if El Capitan has got any update, SSH-wise.


    Thanks,
    Tommy

    Hey @subzero79,


    That is an excellent suggestion :-)


    I was not aware of these env variables which actually control the server key size and the grace timeout (2 things I was looking to change):

    Code
    ssh: OMV_SSHD_X11FORWARDING=yes
    ssh: OMV_SSHD_KEYREGENERATIONINTERVAL=3600
    ssh: OMV_SSHD_SERVERKEYBITS=768
    ssh: OMV_SSHD_LOGINGRACETIME=120
    ssh: OMV_SSHD_PUBKEYAUTHENTICATION=yes
    ssh: OMV_SSHD_HOSTBASEDAUTHENTICATION=no


    Nothing wrong with iptables, I never thought they're inadequate or bad.
    I sometimes find it difficult to work with iptables as, given two of my OMV installs are running on Azure, I may lock myself out.
    This happened when I once tried to DROP by default and allow 80, 443 and 22, but I reckon I had set an incorrect order and that prevented me from using both SSH and the WebUI.
    This is why I avoid using them if I can - just to avoid doing something stupid again :-)


    Of course this does not apply to OMV running on the HP MicroServer as I can always use iLO to connect via shell.


    Regards,
    Tommy

    @WastlJ, no, no public IP even though it never changes.
    I'm using a CNAME (for a friendly URL) that via DynDNS points to my OMV, as I need to access it from the internet from time to time.


    @ryecoaaron, as a workaround I've been turning off SSH and only enable it via the WebUI when I actually need to use it.
    As a workaround it does work as good as changing port I reckon. The only thing is that I was looking to secure the shell as a "best practice".


    Regards,
    Tommy

    LOL :-)


    Yeah, I'd quite like to keep SSH as secure as possible given I get a few thousand random connection attempts from random IPs throughout the day.
    I'm aware this would be superfluous as nobody has broken in yet but, given I do not rely on iptables (and therefore I cannot use fail2ban), I think this is the only option left.


    Ideally I would also like to reduce the timeout to 5 seconds (from the default 30 seconds) and increase the server key size to 4096 bit, but I know the sshd_config file gets re-written at every reboot.


    Tommy

    Hi @WastlJ,


    Thanks for your input.


    I do have Key auth working, and to be fair with common ciphers that is working very good.
    I have got a 4096 bit key and I successfully connect when using:

    • KexAlgorithms diffie-hellman-group-exchange-sha256
    • Ciphers aes256-ctr
    • MACs hmac-sha2-256

    My question is actually, how do you get stronger ciphers working on OMV?
    The ciphers I want to use are stronger and more robust and they guarantee a higher level of encryption/security.


    The ones I want to use (and that seem not to work with OMV at this very moment) are:

    Hope that clarifies my question.


    Thanks,
    Tommy

    Hello everyone,


    I'm trying to harden SSH on OMV but I'm hitting a roadblock.


    I've disabled root login and forced key authentication only, but I'm struggling with hardening the ciphers, the key exchange algorithm and the message authentication codes.


    My ideal configuration would be something close to:

    Code
    KexAlgorithms curve25519-sha256@libssh.org
    Ciphers chacha20-poly1305@openssh.com
    MACs hmac-sha2-512-etm@openssh.com


    But with this configuration, when connecting (I only used PuTTY and the built-in SSH client on the Mac) I get a connection error.


    The most secure configuration I managed to get is instead:

    Code
    KexAlgorithms diffie-hellman-group-exchange-sha256
    Ciphers aes256-ctr
    MACs hmac-sha2-256


    Even simply adding the MAC hmac-sha2-512 prevents PuTTY from connecting.
    Adding any other Ciphers but aes256-ctr or any other Kex but diffie-hellman-group-exchange-sha256 prevents PuTTY from connecting as well.


    Do you have any suggestion on how to achieve the desired encryption level (which would get rid of all the less secure ciphers)?


    Thank you.
    Tommy
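An added example for the two SSH-hardening posts above (the one listing the working Kex/Ciphers/MACs set and the one listing the desired curve25519/chacha20/etm set); it is not code from the poster or from OpenMediaVault. A "connection error" when a policy names an algorithm is usually a version gap on one side: `curve25519-sha256@libssh.org` and `chacha20-poly1305@openssh.com` first shipped in OpenSSH 6.5, the `-etm@openssh.com` MACs in 6.2, and `ssh -Q` (which lists what a build supports) in 6.3. The script queries the local build, reports which of the wanted algorithms it lacks, and emits sshd_config lines restricted to the supported ones, because sshd refuses to start on an algorithm name it does not know. The WANTED lists are taken from the posts; SAMPLE_OLD_BUILD is a constructed stand-in for a pre-6.5 build used when no `ssh -Q` is available. Python 3.7+.

```python
"""Added example: compare a wanted SSH algorithm policy with what the local
OpenSSH build supports (`ssh -Q`, OpenSSH 6.3+). WANTED comes from the posts;
SAMPLE_OLD_BUILD is constructed for the example."""
import subprocess

# Algorithms the posts tried to enforce, most preferred first.
WANTED = {
    "kex": ["curve25519-sha256@libssh.org", "diffie-hellman-group-exchange-sha256"],
    "cipher": ["chacha20-poly1305@openssh.com", "aes256-ctr"],
    "mac": ["hmac-sha2-512-etm@openssh.com", "hmac-sha2-256"],
}
# sshd_config keyword for each `ssh -Q` query kind.
KEYWORD = {"kex": "KexAlgorithms", "cipher": "Ciphers", "mac": "MACs"}


def parse_query_output(text):
    """Turn the one-name-per-line output of `ssh -Q <kind>` into a set."""
    return {line.strip() for line in text.splitlines() if line.strip()}


# Constructed stand-in for a build older than OpenSSH 6.5 (no curve25519 kex,
# no chacha20-poly1305) and 6.2 (no *-etm MACs). Not captured from a real host.
SAMPLE_OLD_BUILD = {
    "kex": parse_query_output("diffie-hellman-group-exchange-sha256\ndiffie-hellman-group14-sha1"),
    "cipher": parse_query_output("aes128-ctr\naes256-ctr\naes128-cbc"),
    "mac": parse_query_output("hmac-sha2-256\nhmac-sha2-512\nhmac-sha1"),
}


def query_local(kind):
    """Supported names from the local ssh binary; None if ssh is missing or predates -Q."""
    try:
        out = subprocess.run(["ssh", "-Q", kind], capture_output=True,
                             text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return None
    return parse_query_output(out)


def audit(supported, wanted=WANTED):
    """For each kind, the wanted algorithms this build cannot negotiate."""
    return {kind: [name for name in names if name not in supported[kind]]
            for kind, names in wanted.items()}


def sshd_config_lines(supported, wanted=WANTED):
    """sshd_config lines limited to wanted algorithms the build knows, in
    preference order; kinds with nothing usable are left out so sshd still starts."""
    lines = []
    for kind, names in wanted.items():
        usable = [name for name in names if name in supported[kind]]
        if usable:
            lines.append("%s %s" % (KEYWORD[kind], ",".join(usable)))
    return lines


if __name__ == "__main__":
    live = {kind: query_local(kind) for kind in WANTED}
    if all(names is not None for names in live.values()):
        supported = live
    else:
        print("ssh -Q unavailable (no ssh, or OpenSSH < 6.3); using constructed sample")
        supported = SAMPLE_OLD_BUILD
    for kind, missing in audit(supported).items():
        print("%s not supported here: %s" % (KEYWORD[kind], ", ".join(missing) or "none"))
    print("\n".join(sshd_config_lines(supported)))
```

Two caveats the posts run into: the check above covers only the server side, and the client (PuTTY, the Mac's ssh) must support the same algorithm, which `ssh -vv` on the client shows as the negotiated kex, cipher and MAC; and after editing sshd_config run `sshd -t` before restarting, since a single unknown name makes sshd refuse its configuration. The post notes that OMV rewrites sshd_config at reboot, so the emitted lines have to go in through whatever mechanism OMV preserves rather than straight into the file.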

    Hi @ryecoaaron,


    The adapter type is the same; the MAC (as well as the IP config) won't be the same, though.


    What I do not understand is why, with the same config (originally I did not remove the file you highlighted), it worked for weeks.


    I will try the procedure you suggested and will keep you posted :-)