First ever install in production - experiences

Hello Forum,

Yesterday night I installed NS7 on our production server, which works as a gateway. I wish to tell you about my experiences. Maybe as a SysAdmin or as a Developer, you’ll find it useful.

  • So NS7 rc3.

  • The server is the 1st computer that gets internet from the ISP. This gives the offices other computers IP and forwards them to the net. So it is a gateway. After installing, the very first shock struck me down.
    During the install I set 2 out of 3 ethernet cards with static IP addresses. The 3rd one is PPPoE, but since there is no option to do that during the install I kept it on DHCP. So after the install, just after I entered the command line, I started thinking: OK, now what? I need to set DHCP, OH WAIT! That can be done on the web config. But I can’t reach its webconfig until I set the DHCP up! What a bummer. OFC I set a static IP for one of my clients and started looking for the server in a browser and I succeeded. But this was very frustrating.

  • So after the first shock, everything went quite smoothly. I connected the server to the net via PPPoE, set DHCP up, set 8.8.8.8 for DNS (since it didn’t fetch it from my ISP) and then started setting up Fail2Ban. I need to thank @stephdl for the awesome work he has done. I just hope it will work as nicely as the IDS/IPS did on ClearOS. I’ve seen on that OS that we had about 30-40 failed ssh logins every minute, so we banned them. So far Fail2Ban didn’t log / ban anything. But let’s just hope it is still working.

  • The server nicely upgraded to the latest version and is working like a charm so far. So here I am.

I still have some jobs to do (give fixed IP addresses to clients, import our cert, create firewall rules, etc), but I wish to tell you some stuff I think the dev team should consider.

  • GUI: A server that is intended to be the DHCP server will obviously need a client to join, and only then will the web config be reachable. How about implementing a small desktop (like LXDE or Xfce) with a small browser, so when the SysAdmin installs the server for the first time, they don’t have to assign a static IP to a client and then start searching for the server on the network?

  • More CLI: Although I see that the main goal is to make a server completely configurable from the browser, the above case shows that sometimes we have to work in the CLI. I could hardly find any documentation about the CLI commands available, but eventually I succeeded. Is it possible to have CLI documentation that is easier to find and maybe with more options? Like setting up DHCP with ease, etc.

Overall:
Thank you for your hard work Dev.Team! I really enjoy this system. :slight_smile: Just make sure you won’t remove Fail2Ban and PPPoE from the server!!!

4 Likes

Oh, a question that just popped into my mind. Is there a possible way to add a list of MAC addresses to the DHCP and deny any unknown ones and keep them away from my network?

Hi @Imre_Bertalan, welcome to the NethServer community!

Good news, IIUC that feature already exists! Please have a look at

http://docs.nethserver.org/en/v7rc/firewall.html?highlight=binding#ip-mac-binding

Thanks David. It is good news indeed! Another topic: For creating new users to access the webconfig, isn’t it just enough to create a user in the terminal and add a password? Well, apparently it isn’t, because it can log in, but can’t reach anything besides its own profile. But nothing can be set there, all it can do is log out. I must install one of the user management services (SambaPDC or LDAP) for this to work?

Yes, you should bind to a remote account provider or install either the Samba or the OpenLDAP local account provider. For more info, have a look at the manual!

http://docs.nethserver.org/en/v7rc/accounts.html

Unprivileged users should log on to the server-manager only to change their password.

The Anaconda installer provides a GUI to set up the network in complex scenarios. Otherwise, if you install with the “unattended” mode, the server receives its IP from DHCP, if one exists, otherwise it falls back to 192.168.1.1.

Hey David,

Thanks for the ideas. Doing it now. However, about the installation: I used the Anaconda install and that is how I set my network cards. Please read more carefully what I wrote. I wasn’t using the unattended install method.

I must admit I found some trouble with the Anaconda network user interface. Sometimes I think I’ve applied my settings but it seems to ignore them :confused: I’ll surely open an upstream bug when I can reproduce the misbehavior.

14 posts were split to a new topic: Honor static IP configuration from interactive ISO installer