N1nja Hacks

~ Random assortment of solutions, sneaky hacks and technical HOWTOs

Tag Archives: NAS

Secure NFS Shares on Lenovo ix2-dl NAS

Thursday, 27 Feb 2014

Posted by valblant in NAS

≈ 3 Comments

Tags: NAS, VPN

Introduction

The ix2-dl offers many ways to connect to it, but none of them gives Linux computers as seamless an experience as NFS:

[Screenshot: the ix2-dl Protocols settings page]

The problem with NFS is that, without a Domain Controller somewhere on the LAN that can provide Kerberos authentication, NFS is horribly insecure. All you have to do to infiltrate the storage is somehow connect to the LAN; once you are in, it is trivial to steal everything from unauthenticated NFS shares.

Samba 4

It is possible to set up Samba4 as a Domain Controller that will provide Active Directory and Kerberos services:

http://sector7e.com/setup-of-samba4-4-10-on-ubuntu-server-12-04-lts-and-13-10/
http://wiki.samba.org/index.php/Samba4/HOWTO
https://help.ubuntu.com/community/Kerberos

The setup procedure is unfortunately not trivial, and it would have complicated my infrastructure more than I was willing to accept.

Windows File Sharing (CIFS)

CIFS shares are attractive because they have built-in password authentication. I tried CIFS mounts, but quickly rejected the idea because the shares were much slower than NFS, did not allow symlinks, and did not allow fine-grained ownership control of files under a single share.

OpenVPN

This ended up being the best and simplest option: it gives me complete, seamless integration of my shares together with the best possible security.

The idea is to turn off all security on the NFS share itself, including enabling no_root_squash, and then export the shares exclusively to the VPN subnet. Here’s an example, with an additional read-only export for the local wired network:

[Screenshot: NFS share export settings, read-write for the VPN subnet and read-only for the local wired network]
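As an added illustration that is not part of the original post: the same policy written as /etc/exports lines (the ix2-dl web console writes the equivalent for you), followed by a small audit function, audit_exports (my name), that flags any export the policy would not allow. The VPN subnet 192.168.129.0/27 is the one the OpenVPN "server" line below hands out; 192.168.1.0/24 is an assumed placeholder for the local wired net, and the sample file is constructed.

```shell
#!/bin/sh
# Added example (not from the post): the export policy as /etc/exports lines,
# and an audit that flags anything the policy would not allow.
#
# Constructed sample. 192.168.129.0/27 is the VPN subnet from the OpenVPN
# "server" line; 192.168.1.0/24 is an assumed placeholder for the wired LAN.
# The last two lines are deliberately wrong so the audit has something to find.
SAMPLE_EXPORTS="$(mktemp)"
cat > "$SAMPLE_EXPORTS" <<'EOF'
# share          VPN clients: full access                   wired LAN: read-only
/nfs/music       192.168.129.0/27(rw,sync,no_root_squash)   192.168.1.0/24(ro,sync)
/nfs/work        192.168.129.0/27(rw,sync,no_root_squash)
/nfs/video       *(rw,no_root_squash)
/nfs/pictures    192.168.1.0/24(rw,sync)
EOF

# audit_exports FILE ALLOWED_RW_NET
# Prints one line per finding and returns the number of findings:
#   OPEN  - no client list, or a wildcard client (anyone on the network can mount it)
#   RISK  - rw or no_root_squash granted to a client other than ALLOWED_RW_NET
audit_exports() {
    file="$1"; allowed="$2"; problems=0
    while read -r path clients; do
        case "$path" in ''|'#'*) continue ;; esac     # skip blank and comment lines
        if [ -z "$clients" ]; then
            echo "OPEN: $path has no client list"
            problems=$((problems + 1))
            continue
        fi
        set -f                                       # no pathname expansion of "*(...)"
        for spec in $clients; do
            host="${spec%%\(*}"                      # part before "(" ; whole spec if none
            opts="${spec#*\(}"; opts="${opts%\)}"
            [ "$opts" = "$spec" ] && opts=""         # no "(...)" at all -> default options
            case "$host" in
                ''|'*'|'*.'*)
                    echo "OPEN: $path exported to wildcard '$host'"
                    problems=$((problems + 1))
                    continue ;;
            esac
            case ",$opts," in
                *,rw,*|*,no_root_squash,*)
                    if [ "$host" != "$allowed" ]; then
                        echo "RISK: $path is rw/no_root_squash to $host (only $allowed should be)"
                        problems=$((problems + 1))
                    fi ;;
            esac
        done
        set +f
    done < "$file"
    return $problems
}

audit_exports "$SAMPLE_EXPORTS" 192.168.129.0/27 || echo "$? finding(s)"
```

The check compares client specs literally, so an export written with a dotted netmask (192.168.129.0/255.255.255.224) would be reported as a different host; normalise to one notation before relying on it. Run it against the real /etc/exports on the NAS (or the output of exportfs -v) after every change in the web console to confirm that no share has slipped out to the wired net with rw or no_root_squash.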

OpenVPN Setup

Before you can follow these instructions, you must first enable SSH access to the NAS, connect to package repositories and tie into the boot process. All of this is described in my previous posts:

https://n1njahacks.wordpress.com/2014/02/25/ssh-access-to-lenovo-ix2-dl-nas/
https://n1njahacks.wordpress.com/2014/02/27/setting-up-mysql-server-on-lenovo-ix2-dl-nas/

Install OpenVPN package and dependencies:

# ipkg install openvpn

Open /opt/etc/init.d/S20openvpn:

  • Comment out the tunnel driver insertion and the “return 0” line. It is important that this script does not try to insert the module, because the tun module is already compiled into the kernel on this distro
  • Specify the correct file name for --config (lan-server.conf)

Add the startup script to /etc/rc.local:

# Start OpenVPN
echo 'Starting OpenVPN server...'
/opt/etc/init.d/S20openvpn

Note: in order for this to work, you must first modify the distro’s boot process as described in the “Custom Boot Scripts” section of the previous post.

OpenVPN Server Configuration

I will provide my config as an example.

/opt/etc/openvpn/lan-server.conf:

# Configure server mode and supply a VPN subnet
# for OpenVPN to draw client addresses from.
# The server will take 192.168.129.1 for itself,
# the rest will be made available to clients.
# Each client will be able to reach the server
# on 192.168.129.1
#
server 192.168.129.0 255.255.255.224

daemon

# Which TCP/UDP port should OpenVPN listen on?
port 1194

# TCP or UDP server?
;proto tcp
proto udp

# By increasing the MTU size of the tun adapter and by disabling
# OpenVPN's internal fragmentation routines the throughput can be
# increased quite dramatically. The reason behind this is that by
# feeding larger packets to the OpenSSL encryption and decryption
# routines the performance will go up. The second advantage of not
# internally fragmenting packets is that this is left to the operating
# system and to the kernel network device drivers.
tun-mtu 9000
fragment 0
mssfix 0

# "dev tun" will create a routed IP tunnel,
dev tun0

# SSL/TLS root certificate (ca), certificate
# (cert), and private key (key).  Each client
# and the server must have their own cert and
# key file.  The server and all clients will
# use the same ca file.
#
# See the "easy-rsa" directory for a series
# of scripts for generating RSA certificates
# and private keys.  Remember to use
# a unique Common Name for the server
# and each of the client certificates.
#
# Any X509 key management system can be used.
# OpenVPN can also use a PKCS #12 formatted key file
# (see "pkcs12" directive in man page).
ca /etc/ssl/certs/VACE-LAN-CA-Chain.crt
cert /etc/ssl/certs/nas-lan-server.crt
key /etc/ssl/private/nas.key

# Diffie hellman parameters.
# Generate your own with:
#   openssl dhparam -out dh1024.pem 1024
dh /etc/ssl/private/dh1024.pem

# Maintain a record of client  virtual IP address
# associations in this file.  If OpenVPN goes down or
# is restarted, reconnecting clients can be assigned
# the same virtual IP address from the pool that was
# previously assigned.
ifconfig-pool-persist /opt/var/openvpn/lan-ipp.txt

# The keepalive directive causes ping-like
# messages to be sent back and forth over
# the link so that each side knows when
# the other side has gone down.
# Ping every 10 seconds, assume that remote
# peer is down if no ping received during
# a 120 second time period.
keepalive 10 120

# Enable compression on the VPN link.
# If you enable it here, you must also
# enable it in the client config file.
comp-lzo

# The maximum number of concurrently connected
# clients we want to allow.
max-clients 3

# It's a good idea to reduce the OpenVPN
# daemon's privileges after initialization.

# The persist options will try to avoid
# accessing certain resources on restart
# that may no longer be accessible because
# of the privilege downgrade.
persist-key
persist-tun

# Output a short status file showing
# current connections, truncated
# and rewritten every minute.
status /opt/var/openvpn/lan-status.log

# By default, log messages will go to the syslog (or
# on Windows, if running as a service, they will go to
# the "\Program Files\OpenVPN\log" directory).
# Use log or log-append to override this default.
# "log" will truncate the log file on OpenVPN startup,
# while "log-append" will append to it.  Use one
# or the other (but not both).
;log         openvpn.log
log-append  /opt/var/openvpn/lan-server.log
writepid    /opt/var/openvpn/lan-server.pid

# Set the appropriate level of log
# file verbosity.
#
# 0 is silent, except for fatal errors
# 4 is reasonable for general usage
# 5 and 6 can help to debug connection problems
# 9 is extremely verbose
verb 4

# Silence repeating messages.  At most 20
# sequential messages of the same message
# category will be output to the log.
mute 20

Pay close attention to the comment on tun-mtu: those three settings (tun-mtu, fragment, mssfix) significantly speed up the tunnel.

OpenVPN Client Configuration

/etc/openvpn/nas-client.conf:

daemon

client

remote nas

dev tun

port 1194
proto udp

# By increasing the MTU size of the tun adapter and by disabling
# OpenVPN's internal fragmentation routines the throughput can be
# increased quite dramatically. The reason behind this is that by
# feeding larger packets to the OpenSSL encryption and decryption
# routines the performance will go up. The second advantage of not
# internally fragmenting packets is that this is left to the operating
# system and to the kernel network device drivers.
tun-mtu 9000
fragment 0
mssfix 0

log-append  /var/log/openvpn/nas-client.log

# Downgrade privileges after initialization (non-Windows only)
user nobody
group nogroup

# Try to preserve some state across restarts.
persist-key
persist-tun

# SSL/TLS parms.
# See the server config file for more
# description.  It's best to use
# a separate .crt/.key file pair
# for each client.  A single ca
# file can be used for all clients.
ca /etc/ssl/certs/VACE-LAN-CA-Chain.crt
cert /etc/ssl/certs/boss-lan-client.crt
key /etc/ssl/private/boss.key

# Enable compression on the VPN link.
# Don't enable this unless it is also
# enabled in the server config file.
comp-lzo

# Set log file verbosity.
verb 4

# Silence repeating messages
mute 20

Mounting NFS shares

That’s pretty much it! Now you can mount the NFS shares from the client via /etc/fstab:

nas_tunnel:/nfs/music    /mnt/nas/music     nfs     rw,auto    0       0
nas_tunnel:/nfs/video    /mnt/nas/video     nfs     rw,auto    0       0
nas_tunnel:/nfs/programs /mnt/nas/programs  nfs     rw,auto    0       0
nas_tunnel:/nfs/work     /mnt/nas/work      nfs     rw,auto    0       0
nas_tunnel:/nfs/pictures /mnt/nas/pictures  nfs     rw,auto    0       0

Where nas_tunnel resolves to 192.168.129.1, the server’s address inside the VPN.
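One practical detail of the fstab approach, shown here as an added example rather than anything from the original post: the mounts can only succeed once the tunnel interface is up, so mounting them at boot has to wait for OpenVPN. The script below assumes the nas_tunnel lines in fstab are changed from auto to noauto and that it is run from the client’s rc.local after openvpn has been started; the interface name tun0, the 60-second timeout, the script path and all function names are my assumptions.

```shell
#!/bin/sh
# Added example: wait for the OpenVPN tunnel interface before mounting the
# NFS shares listed in /etc/fstab. Assumes the nas_tunnel lines in fstab use
# "noauto" so the boot process does not try to mount them before the VPN is up,
# and that this script is run from rc.local after openvpn has been started.
IFACE="${IFACE:-tun0}"            # assumed tunnel interface name ("dev tun" in the client config)
NAS_HOST="${NAS_HOST:-nas_tunnel}"
SYSFS="${SYSFS:-/sys}"            # overridable so the wait logic can be exercised without a tun device

# wait_for_iface NAME TIMEOUT: returns 0 as soon as $SYSFS/class/net/NAME exists,
# 1 if it has not appeared after TIMEOUT seconds.
wait_for_iface() {
    name="$1"; timeout="$2"; waited=0
    while [ ! -e "$SYSFS/class/net/$name" ]; do
        [ "$waited" -ge "$timeout" ] && return 1
        sleep 1
        waited=$((waited + 1))
    done
    return 0
}

# nfs_mountpoints FSTAB HOST: prints the mount points of the nfs entries whose
# source is HOST:/some/path, one per line, in fstab order (comments skipped).
nfs_mountpoints() {
    awk -v host="$2" '$1 !~ /^#/ && $3 == "nfs" && index($1, host ":") == 1 { print $2 }' "$1"
}

mount_nas_shares() {
    if wait_for_iface "$IFACE" 60; then
        for mp in $(nfs_mountpoints /etc/fstab "$NAS_HOST"); do
            mount "$mp" || echo "mount of $mp failed"
        done
    else
        echo "tunnel $IFACE did not come up within 60 s; NFS shares not mounted"
        return 1
    fi
}

# Run as "/opt/mount-nas-shares.sh mount" (path assumed) from rc.local;
# with no argument the script only defines the functions above.
case "${1:-}" in
    mount) mount_nas_shares ;;
esac
```

The interface check only tells you the tun device exists, not that the server is reachable; if the NAS itself is slow to come up, a failed mount is reported rather than retried, which is the safer default for a boot script.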

Tunnel Performance Tuning

https://community.openvpn.net/openvpn/wiki/Gigabit_Networks_Linux

Setting up MySQL server on Lenovo ix2-dl NAS

Thursday, 27 Feb 2014

Posted by valblant in NAS

≈ 9 Comments

Tags: MySQL server, NAS

This article will explain how to install a MySQL server on the Lenovo ix2-dl NAS. It will also demonstrate how to customize the boot process.

This MySQL server will be set up as the back-end for my MediaWiki installation running on a different server.

Enable SSH Access

https://n1njahacks.wordpress.com/2014/02/25/ssh-access-to-lenovo-ix2-dl-nas/

Basic Config

Add the following to /etc/profile:

alias ls='ls --color'

# Set the locale properly
export LANG=en_US.utf8
export LANGUAGE=en_US:en

The locale settings were necessary to properly display Russian file names from a Terminal.

Custom Boot Scripts

One of the difficulties with this box is that it does not honour the startup scripts in the /etc/rc* directories, even though they are there. Instead, boot processes are managed by appmd, which uses an XML config file found at /usr/local/cfg/sohoProcs.xml. Unfortunately, you can’t modify that file directly.

The /usr directory is actually part of the /boot/images/apps image, mounted on /mnt/apps, so to add anything to the startup config we must modify the image itself.

Here are some scripts to help with that:

/opt/editconfig.sh:

#!/bin/sh
# edit the bootup config of the ix2
# inspired by http://www.chrispont.co.uk/2010/10/allow-startup-daemons-on-storcenter-ix2-200-nas/
# modified from http://techmonks.net/installing-transmission-and-dnsmasq-on-a-nas/
# Create a loop device node, mount the apps image on it, open sohoProcs.xml
# for editing, then unmount the image and remove the device node again.
mknod -m0660 /dev/loop3 b 7 3
chown root.disk /dev/loop3
mkdir -p /tmp/apps
mount -o loop /boot/images/apps /tmp/apps || exit 1
vi /tmp/apps/usr/local/cfg/sohoProcs.xml
sleep 1
umount /tmp/apps
rm /dev/loop3

/opt/init-opt.sh:

#!/bin/sh
# modified from http://techmonks.net/installing-transmission-and-dnsmasq-on-a-nas/
# Started by appmd at boot (see the sohoProcs.xml entry below): records the
# boot time, runs /etc/rc.local, then sleeps forever so the process stays up.

rm -f /opt/init-opt.log
echo "Last bootup:" >> /opt/init-opt.log
date >> /opt/init-opt.log
# Add your commands below
/etc/init.d/rc.local start >> /opt/init-opt.log 2>&1
while true; do
        sleep 1d
done

After creating these scripts, run /opt/editconfig.sh and add the following Program entry at the end of the <Group Level="2"> section of the opened file:

<Group Level="2">

    ..... Other Program defs .....

    <Program Name="CustomInitScript" Path="sh">
        <Args>/opt/init-opt.sh</Args>
        <SysOption Restart="-1"/>
    </Program>

</Group>

After these modifications, you can place all your startup commands in /etc/rc.local, which will be executed after you reboot.

svcd Performance Tweak

svcd is some sort of indexing service that tends to take up a lot of CPU. We can renice it, though.

Since we now have access to sohoProcs.xml (see previous section), we can set the Nice level in there.

Run /opt/editconfig.sh, find the entry for svcd and add the Nice attribute:

<Program Disable="0" Name="Svcd" Path="/usr/local/svcd/svcd">
        <SysOption MaxMem="96M" Nice="19" Restart="-1"/>
</Program>

Connecting to package (ipkg) repositories

The LifeLine Linux distro on this NAS is based on NSLU2-Linux, so we can make use of their resources.

Open /etc/ipkg.conf and add the following:

src cross http://ipkg.nslu2-linux.org/feeds/optware/cs08q1armel/cross/unstable
src native http://ipkg.nslu2-linux.org/feeds/optware/cs08q1armel/native/unstable

Then update the package lists:

root@ix2-dl:/# ipkg update

MySQL Installation

root@ix2-dl:/# ipkg install mysql5

This will install MySQL and its dependencies into /opt (aka /mnt/system/opt), but the permissions will be wrong, so the server won’t start right after installation. Follow these steps:

  • Add the mysql user through the Web Console
  • Fix permissions:

    root@ix2-dl:/# chmod o+w /opt/var
    root@ix2-dl:/# chown -R mysql /opt/mysql-test
    root@ix2-dl:/# chown -R mysql /opt/var/mysql

  • In /etc/passwd, change the home directory of the ‘mysql’ user to /opt/var/mysql
  • Set up the environment:

    root@ix2-dl:/# su - mysql
    mysql@ix2-dl:/# vi .bashrc

    Add the following:

    export PATH=$PATH:/opt/bin

  • Start MySQL. As root:

    root@ix2-dl:/# /opt/share/mysql/mysql.server start
    Starting MySQL..

  • Configure the server. Follow the wizard and change the root password:

    root@ix2-dl:/# su - mysql
    mysql@ix2-dl:/# /opt/bin/mysql_secure_installation

  • Log in:

    root@ix2-dl:/# su - mysql
    mysql@ix2-dl:/# mysql -u root -p
    Enter password: *****
    Welcome to the MySQL monitor.  Commands end with ; or \g.
    Your MySQL connection id is 13
    Server version: 5.0.88 optware distribution 5.0.88-1

    Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

    mysql> show databases;
    +--------------------+
    | Database           |
    +--------------------+
    | information_schema |
    | lib                |
    | log                |
    | mysql              |
    | test               |
    +--------------------+
    5 rows in set (0.00 sec)

  • To start the server on reboot, open /etc/rc.local and add:

    # Start MySQL server
    /opt/share/mysql/mysql.server start

Note: this last step will only work if you followed the instructions in the “Custom Boot Scripts” section.

You are done!

Importing the Wiki Database

mysql@ix2-dl:/# mysql -u root -p
mysql> create database wikidb;
mysql> CREATE USER 'wiki'@'%' IDENTIFIED BY '********';
mysql> GRANT ALL PRIVILEGES ON wikidb.* TO 'wiki'@'%';
mysql@ix2-dl:/# mysql -u wiki -p wikidb < wikidb-db-backup.sql

Daily Backups of the Wiki Database

The wiki database is backed up and versioned with RCS daily. Here is the setup:

  • Install RCS:

    root@ix2-dl:/# ipkg install rcs

  • Backup script (/opt/var/mysql/mysqlbackup.cron.sh):

#!/bin/bash

# DATABASE DEFINITION SECTION
# Each database is specified as a "dbname user password" triple
databases=("wikidb wiki ******")
# END DATABASE DEFINITION SECTION

WD="/nfs/backups/wiki"
MYSQLDUMP="/opt/bin/mysqldump"
CI="/opt/bin/ci"
AWK="/usr/bin/awk"

cd "$WD" || exit 1

for database in "${databases[@]}"; do
  db=$(echo "$database"   | $AWK '{print $1}')
  user=$(echo "$database" | $AWK '{print $2}')
  pass=$(echo "$database" | $AWK '{print $3}')

  filename="${db}-db-backup.sql"

  echo "Backing up database $db..."
  # mysqldump's error output is kept in a per-database file for inspection
  if ! "$MYSQLDUMP" -u "$user" --password="$pass" "$db" > "$filename" 2> "MY_SQL_DUMP_ERROR_$db"; then
    # The backup has failed. Send a notification e-mail
    #
    echo "WIKI BACKUP FAILURE!"
  else
    # Success. Delete the error file, if any, and check the new backup into RCS
    #
    echo "Creating an RCS version for $db..."
    rm -f "MY_SQL_DUMP_ERROR_$db" > /dev/null 2>&1
    export TMPDIR="$WD"
    # ci -l checks in a new revision and keeps the working file checked out;
    # the piped "." answers ci's description/log message prompt
    echo . | "$CI" -l -d"$(date)" "$filename"
  fi

done
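The script above hands the password to mysqldump as --password=... on the command line, where it is visible to other local users in the process list while the dump starts (the MySQL documentation itself calls this insecure). An added alternative, mine rather than the post’s: give mysqldump the credentials through a temporary --defaults-extra-file created with mode 0600 and removed afterwards. MYSQLDUMP defaults to the Optware path /opt/bin/mysqldump used in the post; the function name is mine.

```shell
#!/bin/sh
# Added example (not the post's code): run mysqldump with the credentials in a
# temporary, owner-only defaults file instead of --password=... on the command
# line. MYSQLDUMP defaults to the Optware path used in the post.
MYSQLDUMP="${MYSQLDUMP:-/opt/bin/mysqldump}"

# dump_db_with_credentials_file DBNAME USER PASSWORD OUTFILE
# Returns mysqldump's exit status; the credentials file is removed either way.
dump_db_with_credentials_file() {
    db="$1"; user="$2"; pass="$3"; out="$4"
    old_umask=$(umask)
    umask 077                                    # file is created readable by its owner only
    cred=$(mktemp "${TMPDIR:-/tmp}/mycnf.XXXXXX") || { umask "$old_umask"; return 1; }
    # values containing spaces or '#' need quoting in my.cnf syntax; plain ones do not
    printf '[client]\nuser=%s\npassword=%s\n' "$user" "$pass" > "$cred"
    umask "$old_umask"
    # --defaults-extra-file must be the first option on the mysqldump command line
    "$MYSQLDUMP" --defaults-extra-file="$cred" "$db" > "$out"
    rc=$?
    rm -f "$cred"
    return $rc
}

# Stand-alone use on the NAS, with the post's own paths and database
# (only runs when the real mysqldump binary is present):
if [ -x "$MYSQLDUMP" ]; then
    dump_db_with_credentials_file wikidb wiki '********' /nfs/backups/wiki/wikidb-db-backup.sql \
        || echo "WIKI BACKUP FAILURE!"
fi
```

Dropping the function into mysqlbackup.cron.sh in place of the direct $MYSQLDUMP call keeps the rest of the RCS check-in flow unchanged; the password still lives in the script file, so that file should itself be readable only by the mysql user.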

Cron Job

/etc/cron.daily/mysql_backup:

#!/bin/sh
/opt/var/mysql/mysqlbackup.cron.sh

Credits

http://vincesoft.blogspot.ca/2012/01/how-to-run-program-at-boot-on-iomega.html
http://iomega.nas-central.org/wiki/Hacking_(Home_Media_CE)
http://www.nslu2-linux.org/
http://techmonks.net/installing-transmission-and-dnsmasq-on-a-nas/
