Everything posted by Derek_

  1. Plugin (i'm guessing) seems to duplicate a couple of lines in the sshd_config file in /boot/config/ssh and here..
  2. That's weird, i just updated the NerdPack and also did 'check for updates' and i don't see libffi. UPDATE: I've uninstalled all the apps, Borg, Python - everything. Rebooted. Reinstalled. Rebooted. Still doesn't work. libffi isn't available for me to install either.
  3. Restic for backups

    I don't think it's for Synology at all. My guess is you'd have to install nginx or something to use it. It's really aimed at enterprise i think. The guy who is making it runs a webserver business i think, and he wanted to ditch whatever expensive backup software he uses and switch to Borg, but it wasn't easy to manage across dozens (hundreds?) of hosts, so he's developing his own management console. From what i've gathered it's a solo effort. If you don't have many devices to backup, then it's really overkill. Borg is pretty robust from what i've seen, and you can configure desktop notifications or emails. It's not all there for you, so it can require some work to set it up if you're anal about it (like i am), but it's pretty much set and forget once you're done (i'm not yet done, i'm about half-way there). It'd make a pretty sweet Docker in unRAID, eh?
  4. Restic for backups

    @mlapaglia I've seen some efforts on the client side, but nothing comprehensive to manage a range of backup operations performed on a server. Borg has Vorta, and this project seems very similar for Restic: https://github.com/Mebus/restatic Now for Borg, i've seen this astonishing server-side effort: "Borg Backup Server". It looks quite amazing, but it's been in development for i think about 1.5 years and as far as i know it's not yet considered ready for the big time. I presume it also needs a bunch of effort getting it running - some webserver or something. Looks amazing though and maybe one day we'll see it available as a plugin.
  5. This plugin looks really cool. Raz's post on Reddit brought me here. Next we'll 'need' a 'store' from where to preview and get the themes
  6. Restic for backups

    Borg is in the NerdPack, it's comparable to Restic, but adds compression. I've just spent weeks developing my own scripts to use Borg from my Linux Desktop to unRAID, and for unRAID to perform server-side checks on the repository on a scheduled basis. It took weeks because it's my first go at bash scripts, and i'm also quite anal. It's really interesting that Restic is available as a Docker. It just seems odd to me! I'd be interested to hear how you go with it.
  7. Why couldn't the USB be encrypted? It's just a Linux distro, and there's LUKS on this thing i don't see why it couldn't be encrypted. I guess creating a /boot partition would require a redesign. But it could be done i would think. A problem would be you'd need physical access to the device to enter the key. But encrypting the USB would be by choice and that would be a consequence.
  8. Well, it's taken me ages but i believe i've cracked the nut. It forced me to learn much more about Linux and i had to (sort of) learn Bash scripting. I now have a fairly comprehensive backup strategy working. I won't go into details, but here's a summary:

      • Borg backs up my Linux desktop to unRAID via SSH (using the backup-user -- thanks to the SSH plugin) and using systemd to schedule my bash script. It's quite comprehensive and provides desktop notifications of the status of it. It also prunes old backups.
      • unRAID has a scheduled cron job (thanks to the User Scripts plugin) that then switches user to backup-user and runs another script that performs health-checks on the repository without breaking the permissions! These take like 2hrs for a 400gb repository, so that's why i want it to run server-side, without the client having to do anything. The script notifies my email via Notifications of the success, warning or failure of the script.
      • Not yet implemented, but down the track my unRAID server will SSH to an offsite repository using the backup-user to complete the 1-2-3.

    I've learned so much about Backups in general, BASH, systemd and unRAID during this exercise. I may try to document it and share, particularly my scripts, which for a total noob i'm quite proud of. It'll take me a while to document it. Thanks to the people who tried to help through this thread, particularly @Can0nfan who provided awareness of the time-saving SSH addon. I believe i could have done what it does, but it would have taken me longer. 🙏
  9. Upon subsequent reboots, i still get the error on the server's screen, but the service does seem to load properly. Perhaps the error and the service are not directly related, but still would be a good (low priority) thing to not have the error.
  10. I installed this plugin and have had a small play. After a reboot, i get the error on the device monitor (not web interface): chmod: cannot access '/user/local/emhttp/plugins/denyhosts/icons': No such file or directory. I SSH'd in and saw that the directory does not exist. Upon entering the webGUI, DenyHosts was not started. I started it via the GUI and it says it's started but ?? Through this exercise, it doesn't appear to alert unRAID that it hasn't successfully started - can that please be added? Or is that a consequence of this error?
  11. I'm not sure if this relates - were those documents backed up in an old version of Borg? I have no experience with this command option, if it were me, i'd backup my Repository before trying it: https://borgbackup.readthedocs.io/en/stable/usage/upgrade.html
  12. No, i haven't tried. I've only set up Borg on my desktop to backup to unRAID, i haven't yet tackled the server-side. There are... complications. Seems that doing everything as root is how unRAID works, including using SSH as root (only as root). There's a plugin that allows SSH as other users mentioned in that thread which i haven't tried yet, but even if that works - Cron operations will run as root which as i mention in the thread screw the permissions on the backup set (if the backups 'belong' to a different user). I'm new to unRAID and this approach (root all the things) really took me by surprise. I have to decide what i'm going to do.
  13. Please direct me to the recommended practises. Tks.
  14. Yes I have installed the CA Plugin. Lots of cool stuff. I've already donated to one plugin author (more to come after I leave the experimental stage). When LimeTech put SSH into the GUI I think they should provide a bit more than they have to improve the security, and not leave it entirely up to a community developed plugin. That SSH plugin mentioned by CanOnFan looks like it will improve the OOTB/default security nicely. I haven't had the time to play with it yet. I saw in the thread that there was an occasion where people told it to turn off password authentication, and the GUI indicated that was the case - but it hadn't. That's a bit scary. DenyHost looks like a welcome inclusion in the plugin too. I haven't looked into it yet either. I hope it can ban and not just deny like fail2ban is capable of. I don't know how dockers like Let's Encrypt interact at a host OS level. I'm very new to containers.
  15. Thanks. I was just starting to look at keyfile authentication and to my horror it's not in the GUI at all. As i've just posted in the SSH plugin thread i think that's astonishing. IIRC SSH is enabled OOTB, and now i see that there's no GUI way to change the authentication method to key only. Password entry should be disabled by default. Fixing that should be a doddle: some small config changes. Create an 'import' button so people can upload their key. Create a 'generate' button, so people can generate a key. Create an 'export' button, so people can export their key (to USB, or network share for example). Reading more, there's no fail2ban built into the OS either. Does the Let's Encrypt Docker with f2b protect the OS, or just the Docker?
  16. I've been directed to this plugin after i enquired about logging in as someone other than root via SSH. I'll check it out, though something as serious as SSH security should ideally be in the base product IMO. Frankly, i'm AMAZED that LimeTech haven't disabled password authentication by default, and forced people to use keys (and provided the GUI to do it). I thought that it was basically unheard of for people to use passwords with SSH these days. A lot of people open up their unRAID to the world, and i bet many of them (most?) are just using SSH passwords. I know people are using LetsEncrypt (which has Fail2Ban) - but being in a Docker does that protect SSH connections to the unRAID host? This plugin has existed for over three years. Please LimeTech - incorporate:

    - SSH keys authentication by default (at least, if not stop passwords entirely).
    - Fail2Ban baked into the OS.
  17. I get that this is a home-focussed GUI-based server, and it's pretty obvious that not many people have expressed an interest in this kind of capability and that my scenario is presumably a bit on the fringe. It's a bit of an idealist position i'm taking. I created my user through the webUI initially not realising that i wouldn't then be able to use that user to do things at the terminal. Of course i now know this to be the case. As i see it, i presently have these choices:

      1. SSH with root (can't SSH as any other user) into the server to perform the backups. This allows me to run automated scheduled maintenance on the server itself via cron without breaking permissions or having to invoke it from a desktop client.
      2. Use backup-user to perform client backups to the server via a traditional mount. Use cron to perform scheduled maintenance on the archive (as root). BASH script permissions fixes as part of the cron job.
      3. Invoke all operations from the desktop, using backup-user credentials and traditional mounts.
      4. Hack unRAID to give me a backup-user i can switch to.

    But there are consequences:

      1. I'd say this is not best practise. Root should be reserved for activities that require it. Backup maintenance does not require root (normally). This, along with no.2, means that mutual remote backups (unRAID to offsite/offsite to unRAID) requires me to use root SSH as there is no alternative. So my remote box (be it unRAID or other) will have full access to my local unRAID when it performs backups. Not ideal!
      2. How then to push a copy to another off-site server? Can only do via cron as root - so once again the permissions get broken. I guess i can script chown/chmod fixes in there too. Really shouldn't have to do this.
      3. I don't know what kind of IO that places on the desktop. Maybe it'll slow down a game i'm playing or other disk operations? I really don't know. Plus i have to leave it on - i don't leave my PC on in the middle of the night which is probably when i'd do these backup healthchecks and sending data off-site.
      4. Risk lots of problems, especially at system upgrade time. I'm not going to take this approach.

    I'd love to see if there's a timeline for this. As they've just released 6.8 (which i'm not yet running, i figure i'd wait a month or so) which presumably doesn't have it - i guess it'll be a while. When's 6.8.1 due? Thanks for listening
  18. Let me say that i'm no expert, so my thoughts and words may just be me over-complicating things and being far too much an idealist. I lack real-world experience and knowledge in this area. For now i'm just trying to do stuff in the terminal. The workaround didn't work, or is at least incomplete:

      $ su -s/bin/sh backup-user

    This does allow me to switch to the user, but i think i'd need to grant the user the 'wheel' group to be able to elevate its privileges to run some commands (in my case Borg). As it doesn't have a /home, maybe that's the problem rather than rights elevation (Borg doesn't need sudo on my Linux desktop). I can't SSH into the box as the backup-user to take advantage of Borg's capabilities in that regard either.

    I was trying to use Borg for my backup strategy, but the only way to do so seems to be using traditional mounts and running tasks from the client rather than running things on unRAID (like repository checks which can take hours). OR i connect using root, which i think really we should not as that will expose unRAID's root password on potentially un-encrypted devices - particularly common for Windows clients. Though i guess most Windows backup programs would encrypt the password they use. I was going to use a FOSS command-line program which wouldn't.

    Another problem with this nerfed user is running backups across to a remote device that isn't unRAID. I don't think my Synology won't let me create a root user (and like unRAID seems to nerf its added users), so i presume it would then become owned by 'admin' (the Synology's user-accessible 'root' user i think). I don't know, but that seems like it would complicate recovery in the event my unRAID machine exploded/was stolen. Maybe i'd just have to chown it after i copied it back? Man, such unexpected complications.

    I really would like someone from LimeTech to provide some advice about buffing a backup-user. And maybe depending on that advice, i might make a feature request for unRAID to have a 'backup-user' in the build that has a home and a shell, if not elevated rights OOTB. As well as that, i'd like to better understand how other people manage their backups. I'm probably over-complicating things - which is a personality trait of mine. I might start a new thread on that somewhere.
  19. Hmm... well i have a workaround suggested to me which will allow me to use one of these crippled (is 'nerfed' nicer?) users. It does not require i change any of the things i've mentioned. I'll test it tomorrow in a very limited use-case capacity. I shall not give in without a fight!
  20. Hi Bonienl, thanks for replying. I've done a bit of digging... I looked at /etc/passwd and he's without an environment as you say. All the users i've added to unRAID via the GUI do not have /bin/bash in /etc/passwd - unlike root. And unlike a 'normal' user in a 'normal' Linux distro. I'm not a Linux guru/admin or anything so my sleuthing might not mean i can work around this, or do so safely which is the most important thing. What comes if i add /bin/bash for the user/s i want to be able to do stuff in the terminal - to /etc/passwd? I presume it'll work, but i don't know what 'side-effects' this might have for unRAID. TL;DR

      a). Why are added users denied a shell? Is this quite typical for a NAS or Server?
      b). Can i give them a shell safely if i want to?
      c). Can i give them wheel group safely if i want/need to? (sudo)
      d). Not so far mentioned, but will i be able to run cron jobs as another user WITHOUT having to mess around with the users (b & c)? OR as an alternative, will i be able to switch user in a BASH script to run some things? (i'll have to learn BASH to some extent).

    Thanks.
  21. Hi Squid. Good to see it will not conflict with parity check. I've done some research, and i think we can run the script that cron invokes as another user. I'll avoid the chown route if i can. I'm exhausted right now learning about BASH and systemd, so this cron stuff will have to take a back seat for a bit... depends how long it takes me to come to grips with what i'm already working on. Pity i can't utilise my systemd configurations in Slackware-based unRAID. Here's the run as another user info: https://www.lostsaloon.com/technology/how-to-run-cron-jobs-as-a-specific-user/ I presume everyone who needs it either worked it out, or there's little demand for it, but that might be an ok idea for a feature enhancement. As an aside, i've added my tinny voice to the request to put anacron in the base build, and i've also asked the NerdPack guys if they could add it, because the feature request to LimeTech was from 2016. Thanks.
  22. I've requested 'anacron' in the unRAID 'feature request' sub-forum, well i added mine to someone's pre-existing request for it. That request dates back to 2016 so it doesn't appear likely to be added, and as 6.8 has only just landed without it, i doubt it'll arrive any time soon... or ever. Can we please have anacron? It's ideal for systems that are not on 24/7. Thank you.
  23. Wow, this is old. I was going to ask for the same thing but in a new request. Please do add anacron. I imagine quite a few people do not leave their unRAID box on 24/7 and anacron is a tiny and sensible addition.