Posts Tagged ‘Networking’

Using PSCredentials

June 2, 2011

I’ve been working on a small project that shuts down machines attached by network and of course power feed to an APC Smart-UPS.
The code that was shutting down the guests required authentication to be passed to the receiving services.

I decided to give the following PowerShell cmdlets a try.

  • Get-Credential
  • ConvertTo-SecureString

———————————————————————————-

Script that creates the password file

(Set-Credential.ps1) looks like this:

Param($file)
$credential = Get-Credential
$credential.Password | ConvertFrom-SecureString | Set-Content $file

Get-Credential prompts for a username and password and creates the PSCredential associating the password with the username.
ConvertFrom-SecureString from the PS documentation…
The ConvertFrom-SecureString cmdlet converts a secure string
(System.Security.SecureString) into an encrypted standard string (System.String).
Then writes the string to the file specified.

Set-Credential can be invoked like this:

C:\Scripts\UPS\Set-myCredential.ps1 C:\Scripts\UPS\mp.txt

———————————————————————————-

Script that reads the password file

(Get-Credential.ps1) into a SecureString.
Then creates the PSCredential based on the username provided and the password as a SecureString.
Then returns the PSCredential:

Param($user,$passwordFile)
$password = Get-Content $passwordFile | ConvertTo-SecureString
$credential = New-Object System.Management.Automation.PsCredential($user,$password)
$credential

———————————————————————————-

By the look of it, when creating the encrypted password Get-Credential adds some machine specific information.
As the password file is not machine agnostic (can’t be shared or tranfered).

From my PowerShell script that loaded the assembly into memory and started the shutdown procedure, it looked something like this.

param (
   [parameter(Mandatory=$true, position=0)][string] $scriptPath,
   [parameter(Mandatory=$true, position=1)][string] $fileServerName,
   [parameter(Mandatory=$true, position=2)][string] $fileServerUser,
   [parameter(Mandatory=$true, position=3)][string] $vSphereServerName,
   [parameter(Mandatory=$true, position=4)][string] $vSphereServerUser
)

Set-StrictMode -Version 2.0
# Creates a .net assembly in memory containing the PowerOffUPSGuests class.
# Then we call the InitShutdown passing the details of the machines that need to be shutdown.

$credentialRetrievalScript = Join-Path -Path $scriptPath -ChildPath 'Get-Credential.ps1'
$fileServerUserPwLocation = Join-Path -Path $scriptPath -ChildPath 'FileServerPw.txt'
$vSphereServerUserPwLocation = Join-Path -Path $scriptPath -ChildPath 'VMHostPw.txt'

# names of the ServerController's I.E. the collection of servers that will be shutdown
# these class's need to exist in the $scriptPath and derive from ServerController
$freeNASController = 'FreeNASController'
$vMServerController = 'VMServerController'

# instantiate the credential objects
$fileServerCredential = & $credentialRetrievalScript $fileServerUser $fileServerUserPwLocation
$vSphereServerCredential = & $credentialRetrievalScript $vSphereServerUser $vSphereServerUserPwLocation

# add the assembly that does the work.
Add-Type -Path .\PowerOffUPSGuests.dll

# instantiate a ServerAdminDetails for each server we want to shutdown
$fileServerAdminDetailsInstance = New-Object -TypeName BinaryMist.Networking.Infrastructure.ServerAdminDetails -ArgumentList $freeNASController, $fileServerName, $fileServerCredential
$vSphereServerAdminDetailsInstance = New-Object -TypeName BinaryMist.Networking.Infrastructure.ServerAdminDetails -ArgumentList $vMServerController, $vSphereServerName, $vSphereServerCredential

# instantiate a PowerOffUPSGuests
$powerOffUPSGuestsInstance = New-Object -TypeName BinaryMist.Networking.Infrastructure.PowerOffUPSGuests

# create generic queue and populate with each of the ServerAdminDetail items
# ServerAdminDetails is the base class of FileServerAdminDetails and vSphereServerAdminDetails
$serverAdminDetailsQueueInstance = .\New-GenericObject System.Collections.Generic.Queue BinaryMist.Networking.Infrastructure.ServerAdminDetails
$serverAdminDetailsQueueInstance.Enqueue($fileServerAdminDetailsInstance)
$serverAdminDetailsQueueInstance.Enqueue($vSphereServerAdminDetailsInstance)

$powerOffUPSGuestsInstance.InitShutdownOfServers($serverAdminDetailsQueueInstance)

To debug my library code, I needed to run it somehow.
So I just wrote a small test which passed the PSCredential instance to the code that was going to shutdown the UPS guest.

private PSCredential GetMyCredential(string userName, string pWFileName) {

   string encryptedPw;
   using (StreamReader sR = new StreamReader(pWFileName)) {
   //read the encrypted bytes into a string
   encryptedPw = sR.ReadLine();
   }

   PSCredential pSCredential;
   using(SecureString pW = new SecureString()) {
      char[] pWChars = encryptedPw.ToCharArray();
      foreach(char pWChar in pWChars) {
         pW.AppendChar(pWChar);
      }
      pSCredential = new PSCredential(userName, pW);
   }
   return pSCredential;
}

[TestMethod]
public void TestInitFileServerShutdown() {
   _powerOffUPSGuests = new PowerOffUPSGuests(ConfigurationManager.AppSettings[LogFilePath]);

   PSCredential fileServerCredential = GetMyCredential(
      ConfigurationManager.AppSettings[FileServerUser],
      Path.GetFullPath(ConfigurationManager.AppSettings[FileServerUserPwFile])
   );

   _powerOffUPSGuests.InitFileServerShutdown(ConfigurationManager.AppSettings[FileServer], fileServerCredential);
}

Inspiration

Advertisements

LAN Manager Authentication in EStrongs File Explorer

December 5, 2010

I started looking for a Graphical File Explorer to use on my Nexus One a few weeks ago.
My requirements were:

Needed to be able to manage files on the internal and external storage (micro SD).
Create new files, directories.
Support SMB in order to access shares on file servers, and possibly FTP.
Support different file views (list view, detail view).
Clipboard support (copy, move).
Root support.
Grep or some other file Search mechanism.
Multi select.
Easy directory and file navigation.
Needed to be intuitive.
Rename files / directories.
Accelerometer support.
Similar functionality to the *nix df command.
Secure authentication between client server.

EStrongs File Explorer satisfied all these requirements and more, except I wasn’t sure about the last one.
Couldn’t find any documentation about it either.
If I had of spent more time searching the forum I may have stumbled onto something.
I did a little bit of reading and decided to make a post on EStrongs.
I didn’t receive any answers in the few days that I waited, so decided to do my own experimentation.
Which brings me to the little bit of research I carried out on how EStrongs authenticates with SMB shares.

I followed up my original post with my findings.
Check them out.

Following are some links I’ve used quite a few times before and also came in useful for this experiment.

the LAN Manager Authentication Level setting and where to find it in your windows clients
Some easy steps to securing Samba
The all mighty smb.conf man page

EStrongs also have a selection of other useful utilities.

 

 

Which can also be found in Androids App Store.

Setting up 802.11g Wi-fi on Google’s Nexus One

November 21, 2010

I thought this was going to be a really simple, quick and drama free setup.
This wasn’t to be the case.

Process of events

Added a DHCP lease to my routers ARP table… with the MAC address of the Nexus and giving it an IP of 192.168.0.15.
Had quite a bit of trouble getting my Nexus One to establish connection with my Netgear WG102 AP.

 

 

 

 

 

 

 

The connection using WPA2-PSK with AES encryption most of the time wouldn’t work.
There was allot of posts about this on the net, especially on the Nexus forum.

 

 

I tried most things mentioned in the following posts, including giving Nexus a static IP.

http://www.google.com/support/forum/p/android/thread?tid=670e46135cadce1e&hl=en
http://www.google.fi/support/forum/p/android/thread?tid=0bb4d777a20330c3&hl=en
http://www.google.com/support/forum/p/android/thread?tid=07bbaac95aef0a15&hl=en&start=40

After quite a lot of reading, it seemed that the Nexus One’s support of WPA2 was flaky at best.
It also sounds like quite a few other mobile devices only support WPA1 which uses the older TKIP encryption technology.
In saying that, it’s still considered secure so long as you use a decent sized PSK. 256 bit for example.

Using the following sites, I decided to setup another wireless network on the same AP using a different SSID, using WPA-PSK with TKIP.
This worked fine. I then tried to connect to the previous WPA2 network and it worked flawlessly.
So yes, I was a little confused.
The next day after a shutdown / restart of the Nexus, comms still seems fine.
So at the point of making this post, the confusion remains, but it works :-).
If it stops working again, at least we know we still have the other option of using WPA1 with a decent PSK.

This site does a good job of explaining the differences in the wireless protocols I’ve talked about.
http://compudent.blogspot.com/2006/09/wireless-wep-vs-wpa-vs-wpa2.html
Also has a link to…
https://www.grc.com/passwords.htm

Which generates 256 bit random keys, ideal for AP WPA1 and WPA2 encryption.

If anyone has any trouble in this area, sing out and I’ll do my best to lend a hand.

A bit of an update on this

After a week the N1’s wireless interface apparently stopped trying to connect to my Wifi.
I tried the WPA1 network again, with no joy.

I talked to a friend that also has a N1 bought through Google, rather than Vodafone.
He has had the 2.2.1 ota update for a few months.

http://en.wikipedia.org/wiki/Nexus_One states:
“Although the European, Australian and New Zealand Nexus One phones sold by Vodafone are not locked to the network of the provider, they are locked to a special Vodafone-specific system software, making it impossible to receive updates from Google.”

If you for some reason haven’t received your update yet, and are still running the stock ROM, you can follow the directions here and here to get onto 2.2.1 FRG83D.

Since the update, I haven’t had any Wifi comms issues.

Distributed Version Control the solution?

October 3, 2010

Due to the fact that I am starting to need a Version Control System at home for my own work and the company I currently work for during the day could potentially benefit from a real Version Control System.

I’ve set out to do an R&D spike on what is available and would best suite the above mentioned needs.
I’ve looked at a large range of products available.

At this stage, due to my research and in talking to some highly regarded technical friends and other people about their experiences with different systems, I’ve narrowed them down to the following.

Subversion, Git and Mercurial (or hg)
Subversion is server based.
Git and hg are distributed (Distributed Version Control System (DVCS)).

The two types of VCS and some of their attributes.

Centralised (or traditional)

  • Is better than no version control.
  • Serves as a single backup.
  • Server maintenance can be time consuming and costly.
  • You should be able to be confident that the server has your latest changeset.

Distributed

  • Maintenance needs are significantly reduced, due to a number of reasons. One of which is… No central server is required.
  • Each peer’s working copy of the codebase is a complete clone.
  • There is no need to be connected to a central network. Which means users can work productively, even when network connectivity is unavailable.
  • Uses a peer-to-peer approach rather than a client-server approach that the likes of Subversion use.
  • Removes the need to rely on a single machine as a single point of failure.
    Although it is often a good idea to have a server that is always online and ready to accept changesets.
    As you don’t always know whether another peer has accepted all your changes or is online.
  • Most operations are much faster than the centralised model, as no network is involved.
  • Each copy of the repository effectively acts as a remote backup. Which has multiple benefits.
  • There is no canonical code base, only working copies.
  • Operations such as commits, viewing history and rolling back are fast, because there is no need to communicate with a central server.
  • A web of trust is used to merge code from disparate repositories.
  • Branching and Merging made easier.
  • No forced structure: a central server can be implemented or peers can control the codebase.
  • Although I don’t see huge benefits for a central server in my target scenario.
  • Buddy builds. A team member can pass a change set to another member to try before committing to a central location.
    This would stop broken CI builds.
  • There is a huge amount of flexibility with your layout.
  • With a well planned layout a Distributed Version Control System can do anything a Centralised system can do, with the additional benefit of easy merges.

In weighing up the pros and cons of distributed versus the centralised model.

I think for my target requirements,
a distributed system has more to offer in the way of time savings and hardware savings.
This page has a good explanation of the differences between Centralised and Distributed.
Here is a detailed list of comparisons of some of the more common systems.

Mercurial is ticking quite a few boxes for me.
Mercurial has a VisualStudio plug-in.
There is a GUI available for windows platforms and others that integrates Mercurial directly into your explorer.
It’s free, open, and being actively maintained.
Projects using Mercurial.

Mercurial is written in Python, which is another plus for me.
Binaries are freely available for Windows, GNU/Linux, Mac OS X, OpenSolaris.
The source is also available, so you can build it for most platforms.

Plenty of documentation here, plus the book.

Installation and Configuration. Covering Windows, Debian and more.
TortoiseHg has binaries for windows and debian, but only for Squeeze onwards by the look of it.
If your running Lenny, you can just use hg. apt-get install mercurial.
When I downloaded and installed the 64 bit version of TortoiseHg (v1.1.3 hg v1.6.3), it came with 4 comprehensive documents.

  1. Mercurial: The Definitive Guide 2010-02-21 as pdf
  2. TortoiseHg v1.1.3 Documentation in both pdf and chm
  3. Mercurial Command Reference

Very nice!
Turn off the indexing service on the working copies and repositories, and exclude them from virus scans
.
Can also get TortoiseHg here (For Debian, TortoiseHq isn’t available for Lenny).
Click the Tutorial link for the Quick start guide to TortoiseHg.

Once installed, start working through the following links.
http://tortoisehg.bitbucket.org/manual/1.1/quick.html
http://mercurial.aragost.com/kick-start/basic.html

Comments or thoughts?

Installation of SSH on 64bit Windows 7 to tunnel RDP

August 26, 2010

This post covers two scenarios.

Scenario one

With this setup I have a Windows 7 VM (the server) on the same network segment as the client PC which will be taking over any work I would normally do on my Windows XP box.
My existing XP box is used for any development that is easier to do on a Windows machine than a *nix machine.
Mostly .Net development.

Scenario two

Includes tunneling to a NATed Windows 7 machine on a different network

Access to my existing Windows XP box:
Is by way of RDP session tunneled through SSH.
SSH link being established from one of my Debian eeepc’s (The computer I use most of the time) to the existing Windows XP machine.

Used OpenSSH for the existing Windows XP machine.
http://sshwindows.sourceforge.net/ which is no longer supported.
Couldn’t get key pair authentication working though when I set it up.

I thought I’d give OpenSSH a try on the Windows 7 machine and see how far we could get.
Once followed all directions in the ssh readme.txt and comparing with the setup on my existing Windows XP box.
The OpenSSH Server service wouldn’t start.
Followed directions here.
Tried everything I could think of and still couldn’t get the service to start.

So going on some others advise, decided to give copSSH a try, as it is an implementation of OpenSSH, but currently being maintained.
Thanks to Tevfik Karagülle.
This worked out well and was a very easy setup.
The version of CopSSH used for this was 4.1.0 from here.

Initial sites used for copSSH install

http://www.sevenforums.com/customization/19864-ssh-windows-7-a.html
http://www.itefix.no/i2/copssh

Installation of copSSH

When you add a user to the CopSSH Control Panel, make sure you run the CopSSH Control Panel as an administrator (probably best to runas administrator for any actions),
else the user appears to be added, but when you try to SSH to the server, you get something along the lines of…
Unable to authenticate
Failed password for invalid user
See http://www.itefix.no/i2/node/12494#comments

Setup for the tunnel

Create a file in your ~ dir. TunnelToWin7Box for example, and put the following command in it.

ssh -v -f -L 3391:localhost:3389 -N MyUserName@MyWindows7Box

Turn the executable bit on.
Make sure owner and group is correct.

chmod 750 TunnelToWin7Box
chown MyUserName:MyGroupName TunnelToWin7Box

Add a command drawer to the task bar.
Add a Custom Application Launcher to the drawer that points to the TunnelToWin7Box file.
You can even add an image that makes sense to the drawer.
Mine looks like this, with 3 command launchers…

The first port there can be any port not currently in use.
The second port is the port that RDP listens on in Windows.
You also need to add an inbound rule to open port 22 or a port of your choosing on the Windows Firewall.
Also close the Remote Desktop port TCP 3389 on the Windows box.
If the server you are trying to tunnel to is behind a NAT and not on your network, I.E. you are trying to tunnel to your work machine from home for example, There is a little more involved in setting up the firewall rule and a change to the sshd_config.
You’ll need to add an inbound rule. I called it SSH. In the Programs and Services tab… selected “All programs that meet the specified conditions”.
For the Service Settings, only one that would work was “Apply to services only”. I thought it would be best to select only the ssh service, but this wouldn’t allow SSH in.
General tab just had Enabled on. Computers tab was untouched. Users and Scope was untouched. Advanced tab only needed to select Private check box.
“Protocols and ports” tab Protocol type is TCP, Local port is port 22, Remote port is All Ports.
Edit the C:\Program Files (x86)\ICW\etc\sshd_config as an administrator.
Add the line… GatewayPorts yes
Or uncomment it and set to yes rather than no if it already exists.

Command I used for the NATed scenario

ssh -v -f -L 3392:localhost:3389 -N User@YourWorksGateway.com -p 2222

The port is the port that your network admin has setup for you to forward to the machine you want to tunnel to.

When I run the command to try establish the tunnel I was getting an error message.
I made a post here.
So I un-installed copSSH and re-installed a few times trying different things.
Before last un-install, I removed the users that copSSH adds, because it doesn’t remove them on un-install,
and deleted the OpenSSHServer service using the “sc delete OpenSSHServer” command in cmd.exe shell running as administrator.
Installed again using all defaults.
It appears as even though SSH gives the message that it won’t tunnel, if you then try and open the port forwarded RDP session, it works.
In saying that, sometimes it didn’t work.
This happens if you click the command launcher more than once and you end up with more than one tunnel established.
In which case you just kill one of them and your away laughing.

Setup your Remote Desktop Session now

I’ve been using Gnome-RDP for my RDP sessions.
Set the session up to look like this.

Once done, click Connect, and you should have your RDP session from your Linux box to your Windows 7 box secured courtesy of SSH

Setup Key pair authentication

On Debian epc, or any other Debian machine for that matter

Copy the existing public key I used for SSHing to other servers to MyWindows7Box.
This is considerably more difficult if you want to scp the key to a NATed machine on another network.
Read the likes of this if your interested.
It’s the public key, so sniffing it is not such a big deal.

scp ~/.ssh/id_rsa.pub MyUserName@MyWindows7Box:

Make sure you have the Colan at the end of the above command, else the file won’t be copied.
You may receive a prompt that the authenticity of the server you are trying to scp to can’t be established and you want to continue.
The server you are trying to connect to is added to the list of known hosts on the local machine.
Thats /home/MyUserName/.ssh/known_hosts
I didn’t get that with scp’ing to MyWindows7Box because my known_hosts already knew about MyWindows7Box from my previous OpenSSH install.

On MyWindows7Box

In the dir C:\Program Files (x86)\ICW\home\MyUserName\.ssh\
I copied the authorized_keys file to authorized_keys-OrigWithInstall (rename).
Wasn’t allowed to edit the authorized_keys file for some reason, so opened a Bash shell that comes with copSSH
and edited ~/.ssh/authorized_keys with nano. Deleting the public key.
When I tried to open this file in file explorer, it didn’t appear to have been edited.
This is because the file I thought I had edited (C:\Program Files (x86)\ICW\home\MyUserName\.ssh\authorized_keys)
was actually C:\Users\MyUserName\AppData\Local\VirtualStore\Program Files (x86)\ICW\home\MyUserName

From C:\Program Files (x86)\ICW\home\MyUserName\.ssh (or at least what I thought was there),
the public key needs to be put into the list of authorized clients that may connect to the ssh daemon.
Can do this using the Bash shell that comes with copSSH.

$ cat id_rsa.pub >> .ssh/authorized_keys

You can now delete the id_rsa.pub on the target machine.

Copied C:\Users\MyUserName\AppData\Local\VirtualStore\Program Files (x86)\ICW\home\MyUserName\authorized_keys
to C:\Program Files (x86)\ICW\home\MyUserName\.ssh\authorized_keys

With scenario two, there were a few differences.
I’m thinking some of which were probably due to a more recent version of CopSSH (4.1.0).
For starters there was no authorized_keys file anywhere, so I created one (in C:\Program Files (x86)\ICW\home\User\.ssh).
As stated above, it’s considerably more difficult to scp the id_rsa.pub from a remote pc to a NATed server.
Put id_rsa.pub in C:\Program Files (x86)\ICW\home\User\.ssh along with the authorized_keys I created, and from the bash shell
(accessible from the Copssh folder in the start menu) who’s root dir is C:\Program Files (x86)\ICW\
ran the cat command shown above.

This is probably a better way to copy the public key:

ssh-copy-id MyUserName@MyWindows7Box

Anapnea showed me this.

Could now connect via key pair auth

Made the usual changes to C:\Program Files (x86)\ICW\etc\sshd_config on MyWindows7Box

I.E. turn root access off, password auth off,
set
AllowUsers MyUserName
Although this is done by the CopSSH Control Panel in version 4.1.0
I think a service restart is required to reload changes.
When you make changes to the sshd_config, you’ll need to do them as an administrator (similar to how you would on a *nix system as root).
This site has example of setting up SSH to be even more secure by modifying the sshd_config.
It’s specific to copSSH.
There are many items on the net that show and describe the options when it comes to the sshd_config.
The available options are in the man page http://unixhelp.ed.ac.uk/CGI/man-cgi?sshd_config+5

Enjoy!

Setting up a NFS share in FreeNAS

May 16, 2010

This setup is quite different to how you would normally setup NFS on a *nix server.
I only use NFS in read only mode due to security concerns with NFS.
There are very few options you can configure and there is no point in modifying the /etc/rc.conf /etc/exports and there is no point in adding /etc/hosts.deny, /etc/hosts.allow

as they will be removed on server reboot. Hopefully these options will be added in the future or at least a work around made available.
Ideally I’d like to add the

-mapall=myuser:myusergroup

option to the /etc/exports but there is no point as it’s not persisted to hard disk.

In the Web UI under Services|NFS leave Number of servers as default of 4 and check the enable box. This options will allow 4 concurrent users to be logged into the share.

In the Web UI under Services|NFS|Shares add a share with Path of /mnt/FileServer/myNFSshare Network 192.168.0.0/24

Have to set Map all users to root to Yes. This is the same as including the no_root_squash option that can be put in the /etc/exports on a *nix box, but normally I’d choose root_squash, but this doesn’t work well for mounting at boot without the

-mapall=myuser:myusergroup

option in the /etc/exports
Setup my authorised network, All dirs and Read only to yes.

Added the following lines to /etc/rc.conf in FreeNAS as per this link

rpcbind_enable="YES"
nfs_server_enable="YES"
mountd_flags="-r"

Didn’t need the below line adding to the client machines /etc/rc.conf, although this said I did.

nfs_client_enable="YES"

After I restarted the server, the

mountd_flags="-r"

line was removed and the /mnt/.ssh dir was removed.
I no longer had key pair auth for SSH.
So had to go through the process of setting up that again.
The problem was any changes to /etc are not persisted to disk, so after a reboot it’s reset as it’s the FreeNAS ROM.
Matt Rude helped out with this

What I did was copy the /etc/rc.conf to my ~ which is /mnt/FileServer/home/myuser
Add the options again in /mnt/FileServer/home/myuser/rc.conf
Only the last option was actually not present and needed to be added.
Create a link from /etc/rc.conf to /mnt/FileServer/home/myuser/rc.conf

ln -s /mnt/FileServer/home/myuser/rc.conf /etc/rc.conf

Renamed the /etc/exports on the file server
Check the exports man page for the options…
Created an exports in /mnt/FileServer/home/myuser/ and added the following lines:

/mnt/FileServer/media -alldirs,ro -mapall=myuser:family -network 192.168.0.0 -mask 255.255.255.0
/mnt/FileServer/media -alldirs,ro -mapall=otheruser:family -network 192.168.0.0 -mask 255.255.255.0

Link the /etc/exports to /mnt/FileServer/home/myuser/exports

ln -s /mnt/FileServer/home/myuser/exports /etc/exports

None of the above links worked as they are removed on server reboot.
So basically the only options you have are on the Services|NFS web UI.

From here I created the /mnt/myfileserver/media directory on my client machines and set the myfileserver and media dir and perms to
/mnt/myfileserver was drwxrw—- myuser myusergroup
/mnt/myfileserver/media was drwxr-x— myuser users

Tried to mount the exported nfs share:

# mount myfreenasservername:/mnt/FileServer/media /mnt/myfileserver/media

This worked. So unmounted it.

# umount /mnt/myfileserver/media

Updated the /etc/fstab on the client machines so myfreenasservername:/mnt/FileServer/media would be mounted to /mnt/myfileserver/media on the client machines at boot.
add this to your client machines /etc/fstab

myfileservername:/mnt/FileServer/media /mnt/myfileserver/media nfs ro,hard,intr 0 0

A few steps to secure a FreeNAS server

April 6, 2010

Change the web gui admin user name in System|General under WebGUI->Username.

Change the default password in System|General|Password.

Setup key pair authentication for SSH and secure FreeNAS.

Clean out any existing files in ~/.ssh on your client machine.
At command prompt on client:

$ ssh-keygen -t rsa

agree to location that ssh-keygen wants to store the keys… ~/.ssh
Enter a pass phrase twice to confirm. This is the pass phrase for the public key.
Keys are now in ~/.ssh

I created the home directory in /mnt/FileServer and chown’d it to root:wheel.

mkdir /mnt/FileServer/home
chown root:wheel /mnt/FileServer/home

Created the myuser directory in /mnt/FileServer/home.
In the web UI Access|Users|Edit for my user. I set the Home directory to /mnt/FileServer/home/myuser/
The reason we can’t use the default ~ directory of /mnt is because everything in front of /mnt/FileServer (the mount point of my RAID) is part of the FreeNAS ROM.
It’s destroyed on each reboot. Matt Rude brought this to my attention here
Log in to FreeNAS using SSH

ssh myuser@nameoffileserver

create the .ssh directory on /mnt/FileServer/home/myuser/
as myuser, create the authorized_keys file in /mnt/FileServer/home/myuser/.ssh if it doesn’t already exist

$ touch authorized_keys

Copy the public key to the file server

scp ~/.ssh/id_rsa.pub myuser@nameoffileserver:

Make sure you have the collan at the end of the above command, else the file won’t be copied.
Type yes to the prompt that the authenticity of the server you are tryign to scp to can’t be established and you want to continue.
The server you are trying to connect to is added to the list of known hosts on the local machine.
Thats /home/myuser/.ssh/known_hosts
On the server, from the ~ directory (thats /mnt/FileServer/home/myuser in our case)
The public key needs to be put into the list of authorized clients that may connect to the sshd.

$ cat id_rsa.pub >> .ssh/authorized_keys

Although this is a better way to copy the public key:

ssh-copy-id MyUserName@MyWindows7Box

We need to change some permissions on…
your home directory on the server (/mnt/FileServer/home/myuser) may have the wrong permissions. We need to remove the write perms for group and other.

$ su root
# chmod go-w /mnt/FileServer/home/myuser

The /mnt/FileServer/home/myuser/.ssh currently had 755 so

# chmod go-w /mnt/FileServer/home/myuser/.ssh

had no effect.
/mnt/FileServer/home/myuser/.ssh/authorized_keys needed to be chmod 600. In fact anything/everything in the ~/.ssh dir (if there is anything else) needs to be chmod 600

Also need to

nameoffileserver:/mnt/FileServer/home/myuser/.ssh# chown myuser authorized_keys

We can now remove the ~/id_rsa.pub from the server, now that the key is in ~/.ssh/authorized_keys

$ rm ~/id_rsa.pub

Should now be able to log in using key pair authentication.

Turn password authentication off, and changed the default ssh port in the web gui Services|SSH.

Turned ssl on to access the web gui in System|General Setup.

When I open up the FreeNAS server to the internet, it’ll be by way of SSH tunnel rather than just opening up the firewall to https to the server.

Looks like there is a pretty simple guide here to do that.

Used the following resources:

http://www.learnfreenas.com/blog/
http://phanvinhthinh.blogspot.com/2010/02/how-to-secure-your-freenas-server.html
http://www.freenaskb.info/kb/?View=entry&EntryID=257
http://www.learnfreenas.com/blog/2009/07/22/how-to-connect-to-your-freenas-server-via-ssh-without-a-password-password-free-logins-via-public-key-authentication/
http://www.freebsd.org/doc/en/articles/committers-guide/ssh.guide.html

Adding disks, CIFS/SMB shares to FreeNAS

March 27, 2010

Add Disks:

What I did, was add a disk at a time (one each week, and stressed it for the entire week).
This way the wear on the disk should be staggered and we are less likely to have all drives fail at the same time.
Once I’d physically added all disks (ended up adding 4 x WD7500AACS for now).

Follow directions here.
This set of directions is also useful: http://freenas.org/contrib/sloan/freenas1.htm
I used software RAID 5.
I was keen to setup a raid-z using ZFS, but it’s still only an experiemental release.
Plus when I install the new RAID card, I’ll have to rebuild the array anyway, and by then, hopefully ZFS will be production ready (thanks to Olivier Cochard-Labbé and iXsystems).
Each disk I added I chose to set the Hard disk standby time to 60 minutes.
Turned the S.M.A.R.T. monitoring on.
Chose Unformated for the Preformatted file system for each disk I added as they were new disks.

Format Disks:

Format each of the disks for Software RAID.
Again following directions here

Create the software RAID array:

While the RAID is building you can continue to the next step.
It took about 12 hrs to build the array.

Format the software RAID array:

Format the array as UFS (GPT and Soft Updates).
This is BSD’s native file system.

Create the mount point:

Partition type set to GPT partition.
File system set to UFS.
Called my Share Name “FileServer”.
This will mount the array on /mnt/FileServer

Add the groups and users in the Web GUI

Access|Users:

groups:

family, sons-name, my-name, wifes-name

users:

guest:
Primary group
——guest
Additional group
——none
Other settings as default.
——enter passwords.
sons-name:
Primary group
——sons-name
Additional group
——family
Other settings as default.
——enter passwords.
my-name:
Primary group
——my-name
Additional group
——family, wheel (wheel is like admin in windows)
Other settings as default.
——enter passwords.
——enable bash Shell so I can ssh
wifes-name:
Primary group
——wifes-name
other settings same as sons-name

Enable SSH in web gui:

Services|SSH

Login to the file server and create the directories you will be sharing:

You can do this via the Web GUI (Advanced|File Manager (make sure you login as admin)) or just SSH to the shell.
I find going directly to the shell easier.

ssh [your user name]@<hostname>
Create the directories (family, media, etc) I want to share and set appropriate ownership and permissions.
I set my ownerships and perms up the same as my existing file server. I also had these recorded in a text document.

Enable CIFS/SMB In the Settings:

Authentication set to Local User.
Local Master Browser set to Yes.
Time server set to No, as I have another server doing the honors.
In Auxilary parameters, I added some of the params I used in a smb.conf file from my existing file server.
Some of these parameters in the global section.

Create the smb shares on top of FileServer (family, media, etc).
As is stated in this thread:

Set permissions in the following places:

Disk mount point, set file/directory creation masks, override inheritable permissions option in the CIFS/SMB share itself.
The creation masks I used from a smb.conf I already had setup on another file server (mouse).
These go into Auxiliary parameters on each share.

Setup Email alerts on disk failure and disk heat:

This is done in Disks|Management|S.M.A.R.T.
Heat on each of my first 3 disks Only gets to around 30 tops (in summer (room temp 24 deg c)). The bottle kneck is the 100Mb port on the switch. This only allows 100Mb total to/from the file server.
So the disks never really get a chance to heat up at this stage.
The last (4th) disk I added was getting to around 33 deg c, as it wasn’t sitting behind a fan. So I added an old 80/20mm fan I had, and stuck it in front of it, now the drive runs cooler than all the others.
Enable self monitoring.
Set Check interval to 300 (5 min).
Power mode Standby. I only want the disks checked if they are spining).
Temperature monitoring
Difference set to 5 deg c
Informal set to 33 deg c
Critical 36 deg c
Setup Scheduled self-tests in order to receive email alerts if a disk is offline.
If it’s off line I need to add another disk and re-build the array.
Directions for replacing a failed hard drive here.
Add each disk and select all hours, all days, all months, all week days and choose Offline Immediate Test.
Set the email address you want alearts to be sent to and select the Send TEST warning email on startup until your happy you have it all set up correctly.
You’ll also need to setup the email settings in System|Advanced|Email
The From email is the same as the email recipient.
If using gmail…
Outgoing mail server: smtp.googlemail.com
Port: 465
Security SSL
Username: this will be your email address.
Enter password.
Authentication method: Login
Save and Send test email.
Then back in Disks|Management|S.M.A.R.T.
Save and Restart samba.

Tested this configuration over a week.
Disks never seemed to spin down.
According to Diagnostics|Information|Disks (ATA)
APM (Advanced Power Management) is not supported on my disks (WD750AACS)
In which case there is no point in setting the Advanced Power Management or Acoustic level on Disks|Management|Disk|Edit for each disk.

Initial setup of (FreeNAS) file server

February 7, 2010

Components used:

AData Speedy Compact Flash card: NZ$30
Lian Li PC-A06FB Aluminium Case: NZ$170
ASUS p5kpl/epu Mobo: NZ$96.40
Celeron 1.8Ghz single core #430: NZ$70
Corsair 2GB KIT (2x1GB) DDR2 800Mhz DIMM PC6400 – Desktop RAM – TWIN2X2048-6400C4: NZ$104
P/S ZM750-HP NZ$257:33
2 x HDD swap trays. 3 SATA 3.5″ in 2 5.25″ bays just under NZ$300 incl shipping (havn’t got these yet).
5 x WD7500AACS HDD’s (already had these)(only using 3 for now).
Cold cathode tubes that were lying around.

The Lian Li case I chose had 4 x 5.25″ bays for HDD trays.
Using the 3 in 2 hot swap trays, I can get 6 HDD’s in to 4 5.25″ bays.

At this stage I didn’t get the 3 in 2 hot swap trays due to lack of funds.
Plus I’ll only install 3 750GB drives (I already have) at this stage.
I’ll put more drives in once I acquire a decent RAID card.
Something similar to the Adaptec RAID 3805.
The p5kpl/epu has a Gbit LAN interface, which is essential for me, as my ESX server guests will have most of their data on it.
Further down the track I’d like to get another Gbit NIC (maybe with several ports) and use LACP (Link Aggregation Control Protocol) to share the load between the NIC’s.
My current Cisco switch only has 2 Gbit ports though so I’ll need an extra Gbit switch that supports LACP.
Or may use Roundrobin or Loadbalance as the aggregation protocol in FreeNAS.
Yet to be decided.

Had quite a bit of trouble trying to install to a AData Compact Flash 2GB in a CF Card to IDE HDD adapter.

The BIOS (latest revision) wouldn’t detect it.
Tried another adapter/16MB CF SanDisk from one of my other embedded project machines in the file server and it was recognised fine.
Tried previous adapter (the one I purchased for this project) and another 16MB CF SanDisk from one of my other machines in the file server and it was recognised fine.
Tried the previous adapter (the one I purchased for this project) and 2GB CF card in another old machine and it was recognised fine.
So looks like the P5KPL/EPU BIOS has a problem detecting the 2GB AData CF card.

I had an old USB 1GB thumb drive I decided to use, this worked.
I’d rather use a CF Card to IDE HDD adapter with CF card as it’s all hidden inside the case.
May end up trying a SanDisk 128MB CF card.
They have 2 x packs on ebay for US $24 incl shippping.
All I have to do once I acquire a compatible CF card is redo the install (10 seconds)
and replace the config file that I’ll save once I’ve got FreeNAS setup and configured.

The file I used to do the install was from source forge.
You can find it from http://freenas.org/downloads -> http://sourceforge.net/projects/freenas/files/
I got a copy of the FreeNAS-amd64-LiveCD-*.iso.
Burnt the image to a CD.
And used an old CD ROM drive to do the honors.
I chose option 9) Install/Upgrade to hard drive/flash device, etc.
Then option 1) Install ’embedded’ OS on HDD/Flash/USB
I don’t need swap as I have 2GB of RAM, and I don’t want to be writing to my flash memory.
Installed in aprx 10 seconds.
Removed CD and rebooted to FreeNAS.

Now to setup the NIC’s and set the LAN IP address.
Choose option 1) Assign Interface and follow the prompts.
Choose option 2) Set LAN IP address.
Once you’ve done this, you can login to the Web UI. http://<the ip address you chose>
Default username is admin. Default password is freenas.
Make sure you change these credentials as soon as you can.
I was using an old version of the installer, so I downloaded the FreeNAS-amd64-embedded-*.img from sourceforge.
From the FreeNAS WebUI System menu -> Firmware I choose the img I downloaded and hit Upgrade firmware.
It’s important not to interupt the upgrade while it’s working.

Once you have everything setup and configured, you can save the FreeNAS config to a safe place for a restoration at a later stage if the need arises.

Most of the details I used were here:

Informative videos on setting up FreeNAS:


http://freenas.org/contrib/sloan/freenas1.htm

Informative video for ZFS on FreeNAS: