
How can I access my files remotely (no VPN)?



But if I used SSH/SFTP to access things remotely, it wouldn't worry me as much. Remote access is a must-have for what this server's purpose is. Even simple FTP would suffice, I'll just assign a high-order port. The last thing I want to do is expose SMB shares to the internet, but I may end up being forced to do it (with good passwords) because remote access to the data is one of the major purposes of the box.

Link to comment


 

Joe is right, a VPN is by far the most secure route and I would never expose my unRAID box to the wild any other way.  Exposing smb shares directly to the net is just about as bad as exposing telnet.  It's not a matter of if you will get hacked, it's a matter of how long it will take.  Running ftp on a non-standard port may help some, but anyone with NMAP can quickly scan you and find that open port along with the fact that it is an ftp server.

 

The only way I would even consider exposing the box without a VPN would be to set up ssh and disable password/keyboard logins and force the use of PKI.  I wouldn't trust users to use strong passwords ;)

Link to comment

 

Thank you for the link, that looks like it would work. However, I would like to avoid any extra complexity/configuration, as my users are already accustomed to using SFTP to connect and download/upload files. I can implement certificates for login without much issue, but I'm stuck at how to get SFTP working. I successfully installed OpenSSH and can SSH in as 'root', but all other users fail. Can anyone help me get this running or at least point me in the right direction? I can't be the first user to ever desire SFTP access to their unRAID box. I understand the security implications and accept them.

Link to comment

 


 

How much data do you need to share?

Link to comment

 


 

Quite a bit, I mean I guess that's relative, but here's the basic setup:

 

- Users download movies & TV series regularly (we have a 3Mb upload from the house, so it goes fairly quickly), maybe five or six 700 MB files per week.

- Users also regularly backup their personal files to their individual backup folders. The users are scattered all around the US; some in Missouri, some in Arizona, some in LA, etc.

- Finally, I host several Linux ISOs and various other common-use programs (OpenOffice.org binaries, etc.) for the same users.

 

So the box gets fairly heavy usage, and about 50-75% of that traffic is remote. I also routinely access it remotely from school or the road. Whatever the most hassle-free method of accessing the data remotely is (I heavily prefer an encrypted connection) is what I want to pursue.

Link to comment

I was thinking of something like Dropbox, but for that much data it becomes expensive. Here I use Dropbox to sync some document files and it works really well.

 

Hum, SSH is your way to go. I've found this:

 


Here are the steps you need to do on the computer that acts as the SSH client:

1) Generate your SSH encryption key pair for the filecopy account. Press the Enter key each time you are prompted for a password to be associated with the keys. (Do not enter a password.)

[filecopy@bigboy filecopy]# ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/filecopy/.ssh/id_dsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /filecopy/.ssh/id_dsa.
Your public key has been saved in /filecopy/.ssh/id_dsa.pub.
The key fingerprint is:
1e:73:59:96:25:93:3f:8b:50:39:81:9e:e3:4a:a8:aa filecopy@bigboy
[filecopy@bigboy filecopy]#

2) These key files are stored in the .ssh subdirectory of your home directory. View the contents of that directory. The file named id_dsa is your private key, and id_dsa.pub is the public key that you will be sharing with your target server. Versions other than RedHat/Fedora may use different filenames; use the SSH man pages to verify this.

[filecopy@bigboy filecopy]# cd ~/.ssh
[filecopy@bigboy filecopy]# ls
id_dsa  id_dsa.pub  known_hosts
[filecopy@bigboy .ssh]#

3) Copy only the public key to the home directory of the account to which you will be sending the file.

[filecopy@bigboy .ssh]# scp id_dsa.pub filecopy@smallfry:public-key.tmp

Now, on to the server side of the operation.
Configuration - Server Side

Here are the steps you need to do on the computer that will act as the SSH server.

1) Log into smallfry as user filecopy. Create a .ssh subdirectory in your home directory and then go to it with cd.

[filecopy@smallfry filecopy]# ls
public-key.tmp
[filecopy@smallfry filecopy]# mkdir .ssh
[filecopy@smallfry filecopy]# chmod 700 .ssh
[filecopy@smallfry filecopy]# cd .ssh

2) Append the public-key.tmp file to the end of the authorized_keys file using the >> append redirector with the cat command. The authorized_keys file contains a listing of all the public keys from machines that are allowed to connect to your smallfry account without a password. Versions other than RedHat/Fedora may use different filenames; use the SSH man pages to verify this.

[filecopy@smallfry .ssh]# cat ~/public-key.tmp >> authorized_keys
[filecopy@smallfry .ssh]# rm ~/public-key.tmp

From now on you can use ssh and scp as user filecopy from server bigboy to smallfry without being prompted for a password.


Feel free to ask if it's not clear.

 

You can edit /etc/ssh/ssh_config to block any attempt to log in without a key. You will have to add another user and add it to the "sshers" group.

Link to comment
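As an added example (not from the post above, not from the guide it quotes, and not unRAID's or OpenSSH's own tooling), here is a small POSIX shell script covering the server-side step of that guide and the key-only policy the earlier reply recommended. install_pubkey does the authorized_keys append idempotently, with the 700/600 modes that sshd's default StrictModes insists on, and audit_sshd_config reports whether a given sshd_config really turns off password and keyboard-interactive logins, blocks root, and restricts logins to a group such as the "sshers" group mentioned above. It assumes OpenSSH's sshd_config semantics (the first occurrence of a keyword wins, and everything after a Match line is conditional); the key line and config files it is run against are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the forum post or from unRAID/OpenSSH themselves.
# Paths are passed as arguments so everything can be exercised against a
# scratch directory; point them at a real home directory and /etc/ssh/sshd_config
# to use it for real.

# install_pubkey HOME_DIR PUBKEY_LINE
# Appends PUBKEY_LINE to HOME_DIR/.ssh/authorized_keys unless it is already
# there (a plain cat >> on every copy leaves duplicates), and sets the modes
# that sshd's default StrictModes requires: 700 on .ssh, 600 on authorized_keys.
install_pubkey() {
    home_dir=$1
    pubkey=$2
    keyfile="$home_dir/.ssh/authorized_keys"
    mkdir -p "$home_dir/.ssh"
    chmod 700 "$home_dir/.ssh"
    touch "$keyfile"
    chmod 600 "$keyfile"
    # -F fixed string, -x whole line, -q quiet: skip if already present
    if ! grep -qFx -- "$pubkey" "$keyfile"; then
        printf '%s\n' "$pubkey" >> "$keyfile"
    fi
}

# count_keys HOME_DIR -> number of non-blank lines in authorized_keys
count_keys() {
    grep -c '[^[:space:]]' "$1/.ssh/authorized_keys" || true
}

# sshd_setting CONFIG KEYWORD -> the effective global value, or nothing.
# sshd uses the FIRST occurrence of a keyword and ignores later ones, and every
# line after a Match line applies only conditionally, so the scan stops at the
# first Match. Keywords are matched case-insensitively, as sshd does.
sshd_setting() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF == 0 { next }
        tolower($1) == "match"      { exit }
        tolower($1) == key          { print $2; exit }
    ' "$1"
}

# audit_sshd_config CONFIG -> prints one line per weak setting; the return
# value is the number of findings (0 means key-only login is enforced).
# Defaults used when a keyword is absent are sshd's own: PasswordAuthentication
# yes, KbdInteractiveAuthentication yes, PubkeyAuthentication yes,
# PermitRootLogin prohibit-password.
audit_sshd_config() {
    cfg=$1
    findings=0
    pw=$(sshd_setting "$cfg" PasswordAuthentication)
    kbd=$(sshd_setting "$cfg" KbdInteractiveAuthentication)
    # older releases spell this keyword ChallengeResponseAuthentication
    [ -n "$kbd" ] || kbd=$(sshd_setting "$cfg" ChallengeResponseAuthentication)
    pub=$(sshd_setting "$cfg" PubkeyAuthentication)
    root=$(sshd_setting "$cfg" PermitRootLogin)
    groups=$(sshd_setting "$cfg" AllowGroups)

    if [ "${pw:-yes}" != no ]; then
        echo "PasswordAuthentication is '${pw:-yes}'; set it to no"
        findings=$((findings + 1))
    fi
    if [ "${kbd:-yes}" != no ]; then
        echo "KbdInteractiveAuthentication is '${kbd:-yes}'; set it to no (it is still a password prompt)"
        findings=$((findings + 1))
    fi
    if [ "${pub:-yes}" != yes ]; then
        echo "PubkeyAuthentication is '$pub'; keys would not work at all"
        findings=$((findings + 1))
    fi
    if [ "${root:-prohibit-password}" = yes ]; then
        echo "PermitRootLogin is 'yes'; use no or prohibit-password"
        findings=$((findings + 1))
    fi
    if [ -z "$groups" ]; then
        echo "no AllowGroups line; every local account with a key may log in (e.g. AllowGroups sshers)"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Stand-alone demo against a scratch directory (run the script with the
# argument "demo"). The public key line is a constructed placeholder, not a key.
demo() {
    tmp=$(mktemp -d)
    key='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedExampleKeyNotRealxxxxxxxxx filecopy@bigboy'
    install_pubkey "$tmp/home" "$key"
    install_pubkey "$tmp/home" "$key"     # second run adds no duplicate line
    echo "keys in authorized_keys: $(count_keys "$tmp/home")"
    printf 'PermitRootLogin yes\nPasswordAuthentication yes\n' > "$tmp/weak.conf"
    audit_sshd_config "$tmp/weak.conf" || echo "weak.conf: $? findings"
    rm -rf "$tmp"
}
if [ "${1:-}" = demo ]; then demo; fi
```

The audit stops at the first Match line on purpose: a `PasswordAuthentication yes` placed after a `Match` block only affects the matched users, and a second `PasswordAuthentication` line in the global section is silently ignored because sshd keeps the first value it read, which is a common reason a "hardened" config still accepts passwords.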


 

This is what I'm looking for, and I'll give it a try tonight when I finish classes. Is there any way to use passwords instead? My users have secure passwords, and I'd like to avoid the extra step of generating and distributing certs.

Link to comment

I may be mistaken, but this isn't what I'm looking for. Is the code snippet you posted referencing an unRAID server or something else? It looks like it's setting up transfer between two boxes (bigboy and smallfry), not allowing multiple users to log in using their uName/Pass combos.

 

Whatever method it is, I need users to access the data remotely. Whether that be FTP, SFTP, VPN, whatever, the data has to be available outside the home. Otherwise I'll have to set up some crazy workaround, like running an additional machine with FTP/OpenSSH that points to the SMB shares internally and forward the ports to that additional machine. But that sounds like a big hassle when there's got to be a way to enable FTP or SFTP on unRAID directly.

 

Link to comment

But to continue beating this dead horse, I'm aware of the risks inherent in FTP, but that is my choice to make, and not anyone on the boards. I appreciate friendly warnings, but I work in network security and understand the risks, and as a grown adult make my own choices.

 

Now...how do I accomplish setting up FTP use for the regular users of the server?

Link to comment


We understand... You will take the risks

 

FTP on unRAID is the same as "ftp" on any other Linux.  You need to configure it.  There is no GUI.  Additionally, you need to deal with all the affiliated permissions issues.

 

I wish I could offer more help... but I've never used ftp on the unRAID server.

 

Joe L.

PS.

I also worked in security at one point.  Even was invited to be a guest lecturer at Bell-Labs one year for their security day program based on the work I had done in developing a forensic analysis program that eventually became part of the standard R&D Linux at the labs. 

 

There is ONLY one way to get the security right, and every other way is wrong.  Problem is, nobody knows the "one" way other than isolation in a guarded, shielded room with no connectivity to the outside.  It is just hard to get real work done that way.  All you need is one permission set wrong, or one port left open, or one program not coded properly, or one support library written improperly, or one "wrong" assumption made, and your system can be compromised.

Link to comment


 

Joe, good to meet a fellow security guy. Thanks for your thoughts...did you ever end up instructing for BL?

 

I'm still feeling out unRAID, determining which daemons I can give the axe, etc. All the system accounts with password-less logins have been fixed, and SMB user accounts have good passwords.

 

I think in the end I'll use another one of my old machines to act as an 'entry point' of sorts, sharing the SMB shares via FileZilla. I.e., users will connect to port 990 (or whatever) which is forwarded to the locked-down Windows machine running FZ server, which will be sharing out the SMB shares on unRAID. This way unRAID is still shielded from the outside, and users have ease of access. It's kind of a hassle to run a third machine just to accomplish basic SFTP/FTPS access, but in the end I think that's what I'll do. I'm not familiar enough with unRAID to set it up directly :-P

 

 

Link to comment

Joe, good to meet a fellow security guy. Thanks for your thoughts...did you ever end up instructing for BL?

I did travel to NJ to give the lecture, they even treated me to lunch.  My 15 minutes of fame.  Dennis Ritchie was in the audience.  I think he knew a bit more about Unix than me.

(I recognized him, he did not recognize me  ;D)

I'm still feeling out unRAID, determining which daemons I can give the axe, etc. All the system accounts with password-less logins have been fixed, and SMB user accounts have good passwords.

That is a good start.  You'll just need to set up the correct permissions and hope unRAID still works as desired.  The new 5.0beta3 goes a lot more in closing the glaring holes... but it is still dealing with permissions issues.

I think in the end I'll use another one of my old machines to act as an 'entry point' of sorts, sharing the SMB shares via FileZilla. I.e., users will connect to port 990 (or whatever) which is forwarded to the locked-down Windows machine running FZ server, which will be sharing out the SMB shares on unRAID. This way unRAID is still shielded from the outside, and users have ease of access. It's kind of a hassle to run a third machine just to accomplish basic SFTP/FTPS access, but in the end I think that's what I'll do. I'm not familiar enough with unRAID to set it up directly :-P

Probably easiest at this time.  A hardware/firmware firewall.

Link to comment


 

 

This is the way I have it set up at home, but for a single user (me). Basically it started off accidentally when I was too lazy to configure multiple port forwards for SSH.

 

SSH tunnel into a bare bones linux machine with mounted shares to all my networked drives, then VNC or SSH/SFTP to manage machines and transfer files.

 

My ultimate goal, if we can get unRAID to reliably work on VMware ESXi, is then to roll up around three machines into one and retire some of my old energy vampire clunkers.

 

By the way, isn't using plain FTP or telnet now a real no-no on the open internet, given they send logins/passwords in the clear? I still shudder at the thought of the time we used FTP/telnet without a care for everything.

Link to comment


By the way, isn't using plain FTP or telnet now a real no-no on the open internet, given they send logins/passwords in the clear? I still shudder at the thought of the time we used FTP/telnet without a care for everything.

 

Definitely, but I use either SFTP (FTP over SSH) or FTPS (FTP over SSL). Never plain FTP.

Link to comment
