Howto install MeshCentral on NethServer

Inspired by MeshCentral (web-based remote computer management), here is an install howto.
Big thanks to @dnutan who provided his notes/references that now make up the biggest part of this howto.

Howto changelog

2020-05-24 - mongodb added
2020-04-28 - virtualhost letsencrypt fix and http redirect
2020-04-26 - ownership, virtualhost http fix

MeshCentral

MeshCentral is a free open source web-based remote computer management software. Target end-points are Linux, macOS and Windows computers with Intel AMT or where an agent is installed.
Connect to your home or office devices from anywhere in the world using MeshCentral, the open source, remote monitoring and management server. Once installed, each enabled computer will show up in the “My Devices” section of the web site and will be able to perform remote desktop, remote terminal, file transfers and more.
This is a full computer management web site. With MeshCentral, you can run your own web server and remotely manage and control computers on a local network or anywhere on the Internet. Once you get the server started, you can create a mesh (a group of computers) and then download and install a mesh agent on each computer you want to manage.

Requirements

To work from WAN I needed the following and I think it’s the preferable way but I may be wrong:

  • Virtualhost domain: in this howto virtualhost.domain is used.
  • A Letsencrypt certificate on NethServer for this virtualhost domain

MeshCentral is set up in this howto to work in hybrid LAN/WAN mode and uses valid certs for security.
Internally it uses plain HTTP and WebSocket on port 8989. An Apache reverse proxy with the Neth Letsencrypt certificate terminates TLS and forwards connections to MeshCentral.

We could change that to set up a LAN-only mode too, maybe without a cert…
Instead of having a virtualhost, maybe we could use https://nethserver/meshcentral too…

Installation

Install Node.js 10 from SCL (an old LTS; you may try newer versions):

yum install rh-nodejs10

MeshCentral

Create a system user for MeshCentral:

useradd -r -s /sbin/nologin meshcentral

Install meshcentral:

mkdir -p /opt/meshcentral
cd /opt/meshcentral
scl enable rh-nodejs10 bash
npm update
npm install meshcentral
chown -R meshcentral:meshcentral /opt/meshcentral

Apache reverse proxy

Create the httpd config including reverse proxy

nano /etc/httpd/conf.d/zz_meshcentral.conf

with the following content (replace virtualhost.domain with your vhost):

# Keep NethServer's default virtual host on port 80
<VirtualHost *:80>
    IncludeOptional conf.d/default-virtualhost.inc
</VirtualHost>

# Plain HTTP for the MeshCentral vhost: only the Letsencrypt ACME challenge stays on http,
# everything else is redirected to https
<VirtualHost *:80>
   ServerName virtualhost.domain
   RedirectMatch 301 ^(?!/\.well-known/acme-challenge/).* https://virtualhost.domain
</VirtualHost>

<VirtualHost *:443>
   ServerName virtualhost.domain

   SSLEngine on
   SSLProxyEngine on
   ProxyPreserveHost On

   # WebSocket upgrades (agent and remote session traffic) are tunnelled to MeshCentral
   RewriteEngine on
   RewriteCond %{HTTP:Upgrade} websocket [NC]
   RewriteCond %{HTTP:Connection} upgrade [NC]
   RewriteRule . ws://127.0.0.1:8989%{REQUEST_URI} [P]

   # Everything else is proxied as plain HTTP; TLS ends here (see TlsOffload in config.json)
   ProxyPass / http://127.0.0.1:8989/
   ProxyPassReverse / http://127.0.0.1:8989/
</VirtualHost>

Reload httpd config:

systemctl reload httpd

Firewall

If Intel AMT is used, you need to open its port (4443) on the firewall:

config set meshcentral service status enabled TCPPort 4443 access green
signal-event firewall-adjust

Create config file

Start MeshCentral once so it can finish its installation and create its certificate and config file:

cd /opt/meshcentral/node_modules/meshcentral
node meshcentral

After you see the following line you can stop the process with CTRL-C:

MeshCentral HTTPS server running on port 444.

Use the Neth Letsencrypt certificate instead of the built-in one by replacing the MeshCentral cert and key:

rm /opt/meshcentral/meshcentral-data/webserver-cert-public.crt
cp /etc/pki/tls/certs/localhost.crt /opt/meshcentral/meshcentral-data/webserver-cert-public.crt
rm /opt/meshcentral/meshcentral-data/webserver-cert-private.key
cp /etc/pki/tls/private/localhost.key /opt/meshcentral/meshcentral-data/webserver-cert-private.key

MeshCentral config

The MeshCentral config file works as described in the first line of the file:

This is a sample configuration file, all values and sections that
start with underscore (_) are ignored. Edit a section and remove the _
in front of the name. Refer to the user’s guide for details.

Edit the config file of MeshCentral

nano /opt/meshcentral/meshcentral-data/config.json

and change the following fields accordingly (they are listed in the order they appear in the file):

"Cert": "yourvirtualhost.domain"
"Minify": 1
"Port": 8989
"AliasPort": 443
"RedirPort": 0
"ExactPorts": true
"TlsOffload": "127.0.0.1"
"CertUrl": "https://yourvirtualhost.domain/"

Additional config

Some more interesting config settings, not needed for the service to start ("newaccounts": false disables self-registration on the login page, so set it once the first admin account exists):

{
   "settings": {
      "AllowHighQualityDesktop": true,
      "SelfUpdate": true
   },
   "domains": {
      "": {
         "title": "Mesh",
         "newaccounts": false
      }
   }
}

Systemd

Create a systemd service file for MeshCentral:

vi /etc/systemd/system/meshcentral.service

with the following content:

[Unit]
Description=MeshCentral Server

[Service]
Type=simple
LimitNOFILE=1000000
ExecStart=/opt/rh/rh-nodejs10/root/usr/bin/node /opt/meshcentral/node_modules/meshcentral/meshcentral.js
WorkingDirectory=/opt/meshcentral
Environment=NODE_ENV=production
User=meshcentral
Group=meshcentral
Restart=always

# Restart service after 10 seconds if node service crashes
RestartSec=10

# Set port permissions capability
AmbientCapabilities=cap_net_bind_service

[Install]
WantedBy=multi-user.target

Reload systemd so it picks up the new unit:

systemctl daemon-reload

Optional MongoDB integration

By default an internal database is used. MongoDB is recommended for managing more than 100 devices.

Install mongodb:

yum install mongodb mongodb-server
systemctl enable --now mongod

Install mongodb npm module:

cd /opt/meshcentral
scl enable rh-nodejs10 bash
npm install mongodb

Edit /opt/meshcentral/meshcentral-data/config.json and remove the “_” before the following MongoDB config entries:

    "MongoDb": "mongodb://127.0.0.1:27017",
    "MongoDbName": "meshcentral",

Start MeshCentral

Ensure that permissions are ok:

chown -R meshcentral:meshcentral /opt/meshcentral

Enable and start MeshCentral service:

systemctl enable --now meshcentral

Browse to https://virtualhost.domain and create an admin user.
The first account that is created will be administrator for the server, so create the first account right away.

Create a device group (group of computers to manage).


There are two types of groups:

  • Software Agent Group: commonly used to manage computers. The administrator must install a “remote management agent” on the remote computers.
  • Intel® AMT Agent-less Group: for remote computers that have Intel® AMT activated and need to be managed independently of a “remote management agent”.

Add devices to the group by downloading and running the software agent on the remote devices.


Please play with it, test options and provide some feedback…

Manual update process

The manual update process consists of these commands:

systemctl stop meshcentral
cd /opt/meshcentral
scl enable rh-nodejs10 bash
npm install meshcentral
chown -R meshcentral:meshcentral /opt/meshcentral
chmod -R 755 /opt/meshcentral/meshcentral-files

systemctl restart meshcentral

2FA

Note that if a user performs a password recovery using email, the 2-step authentication is then turned off and will need to be turned on again. This is not ideal as someone being able to intercept the user’s email could still log into the web site. Users should make sure to properly protect their email account.

Branding

Domains -> TitlePicture: for the title image put a PNG image of 450 x 66 pixels in the meshcentral-data directory.
Customize the server icon in the “My Server” tab: put a server.jpg file that is 200 x 200 pixels in the meshcentral-data directory.

Terms of Use

To change the terms of use displayed on the website add a terms.txt file in the meshcentral-data directory. The file can include HTML markup.

Built in Letsencrypt

Not used in this howto, but if you want to use the MeshCentral built-in support for Let’s Encrypt certificates, or want to use a separate cert so you don’t have to copy the keys:

mkdir -p /opt/meshcentral/meshcentral-data/letsencrypt
chmod -R 755 /opt/meshcentral/meshcentral-data/letsencrypt

To make this work you will need to run MeshCentral with MongoDB, because the meshcentral-data folder will be read-only. In addition, MeshCentral will not be able to update itself, since the account does not have write access to the node_modules files, so updates will have to be done manually.

Troubleshooting

Logfiles

  • /var/log/httpd/* for checking reverse proxy
  • /var/log/messages for checking meshcentral

Config files

  • /opt/meshcentral/meshcentral-data/config.json
    • Check the syntax; for instance, commas are needed to separate values. Use
      jq empty < /opt/meshcentral/meshcentral-data/config.json
      to check it: if it prints nothing, the syntax is OK.
    • Remove the “_” in front of a key to activate it
    • Check that virtualhost.domain is replaced correctly
  • /etc/httpd/conf.d/zz_meshcentral.conf
    • Check that virtualhost.domain is replaced correctly
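
A small checker for the points in this list, written in Python as an added example (not part of the original howto or of MeshCentral): it parses config.json the way jq empty does, then looks for the mistakes seen in this thread, a key left with its _ prefix, RedirPort missing so MeshCentral grabs port 80, port values that no longer match the reverse proxy, an unreplaced placeholder hostname, and newaccounts not closed. The hostname mesh.example.org in the embedded sample is constructed.

```python
import json

# Values this howto's reverse proxy relies on (taken from the config section of the howto)
EXPECTED = {"Port": 8989, "AliasPort": 443, "TlsOffload": "127.0.0.1"}
PLACEHOLDERS = ("virtualhost.domain", "yourvirtualhost.domain")


def check_config(text: str) -> list:
    """Return findings for a MeshCentral config.json; an empty list means it looks fine."""
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError as e:
        # Same check as `jq empty`, but it points at the offending position
        return [f"syntax error at line {e.lineno} col {e.colno}: {e.msg}"]
    findings = []
    settings = cfg.get("settings", {})
    # Keys still prefixed with "_" are ignored by MeshCentral, so its defaults apply
    for key in ("Cert", "Port", "AliasPort", "ExactPorts", "TlsOffload", "CertUrl"):
        if key not in settings and f"_{key}" in settings:
            findings.append(f"{key} is still disabled (remove the leading _)")
    for key, value in EXPECTED.items():
        if key in settings and settings[key] != value:
            findings.append(f"{key} is {settings[key]!r}, the reverse proxy expects {value!r}")
    # Without RedirPort MeshCentral binds port 80 itself and httpd can no longer start
    if "RedirPort" not in settings:
        findings.append("RedirPort not set: MeshCentral will take port 80 (httpd conflict)")
    elif settings["RedirPort"] in (80, 443):
        findings.append(f"RedirPort {settings['RedirPort']} is already used by httpd")
    for key in ("Cert", "CertUrl"):
        if any(p in str(settings.get(key, "")) for p in PLACEHOLDERS):
            findings.append(f"{key} still contains the placeholder hostname")
    # Self-registration on a remote-management server should be closed after setup
    for name, dom in cfg.get("domains", {}).items():
        if dom.get("newaccounts") is not False:
            findings.append(f"domain {name!r}: newaccounts is not set to false")
    return findings


# Constructed sample mirroring the howto's fields, with RedirPort still commented out
SAMPLE = """{
  "settings": {
    "Cert": "mesh.example.org", "Port": 8989, "AliasPort": 443,
    "_RedirPort": 80, "ExactPorts": true,
    "TlsOffload": "127.0.0.1", "CertUrl": "https://mesh.example.org/"
  },
  "domains": { "": { "title": "Mesh", "newaccounts": false } }
}"""

if __name__ == "__main__":
    for finding in check_config(SAMPLE):
        print("WARN:", finding)
```

Run it against the real file with check_config(open("/opt/meshcentral/meshcentral-data/config.json").read()) before restarting the service.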

Services

Restart:

systemctl restart httpd meshcentral

Status:

systemctl status httpd meshcentral

References

https://www.meshcommander.com/meshcentral2
https://www.reddit.com/r/MeshCentral/
http://info.meshcentral.com/downloads/MeshCentral2/MeshCentral2SecurityFeaturesGuide.pdf
https://it-security.dnit.fr/?p=261&lang=fr



@mrmarkuz do you use CentOS 8?

No. I just have a VM for testing.
You don’t need CentOS 8 for MeshCentral.
I’ll update the howto to avoid misunderstandings.

I meant, is the VM you are using for testing based on CentOS 8? If so, is NethServer running on it with no issues?

No, not at all.
I just have a CentOS 8 VM like I have an Ubuntu one. There’s no Neth on them.

Oh, OK, understood.

My testing server is now up and running. Time to test new things and create tutorials.


Will this software work if installed on a machine running AMD? Will it connect to the Intel machines?

Yes, it will work without problems; it works on a Raspberry too, although it didn’t work on my router (MIPS not supported).
I didn’t test the Intel AMT part yet, but it uses a separate port 4443 (see the Firewall section in the howto).

OK, I will be installing it and then post my findings… I am fond of breaking things sometimes when testing, but hey, they help us improve our solutions.

So far I have been doing good research on it, and it seems to be a very wonderful tool, and I can see how we can use this to support most of the schools we serve, as well as the IT admins, to be able to manage the same.


Thanks for testing!

Yeah, no risk, no fun.
I recommend virtualization/snapshots for testing. It eases it a lot.

I like that you do not need to configure much. Just deploy the agent to the clients and you can manage them over the browser.

Exactly, I guess the agent is what I’ll use a lot more than the AMT-something configuration… I haven’t even gotten the time to read it all through.


Tried it on NethServer but it failed. The MeshCentral service failed to start with this message:

node[10211]: ERROR: MeshCentral failed with critical error, check MeshErrors.txt. Restarting in 5 seconds...

Service started after running:
chown -R meshcentral:meshcentral /opt/meshcentral

I’m not able to access the MeshCentral page. I’m getting an error on the reverse proxy. Chrome shows:

Proxy Error
The proxy server received an invalid response from an upstream server.
The proxy server could not handle the request GET /.

Reason: Error reading from remote server
[Sun Apr 26 00:15:02.851349 2020] [proxy:error] [pid 11644] [client 192.168.0.33:39888] AH00898: Error reading from remote server returned by /
[Sun Apr 26 00:15:02.976954 2020] [proxy_http:error] [pid 11644] (103)Software caused connection abort: [client 192.168.0.33:39888] AH01102: error reading status line from remote server 127.0.0.1:8989, referer: https://meshcentral.domain.tld/
[Sun Apr 26 00:15:02.979442 2020] [proxy_http:error] [pid 11646] (103)Software caused connection abort: [client 192.168.0.33:39890] AH01102: error reading status line from remote server 127.0.0.1:8989, referer: https://meshcentral.domain.tld/
[Sun Apr 26 00:15:02.979473 2020] [proxy:error] [pid 11646] [client 192.168.0.33:39890] AH00898: Error reading from remote server returned by /favicon.ico, referer: https://meshcentral.domain.tld/
[Sun Apr 26 00:15:06.776700 2020] [proxy_http:error] [pid 11646] (103)Software caused connection abort: [client 192.168.0.33:39890] AH01102: error reading status line from remote server 127.0.0.1:8989, referer: https://meshcentral.domain.tld/

After rebooting the whole server, MeshCentral service took port 80 and httpd was unable to start:

(98)Address already in use: AH00072: make_sock: could not bind to address [::]:80
(98)Address already in use: AH00072: make_sock: could not bind to address 0.0.0.0:80

OK, I see, it’s done at too early a stage in the howto; I’ll correct that…

Hm, the ports should be set up in the config file /opt/meshcentral/meshcentral-data/config.json. Did you remove the “_”?

Yes, for the Port and AliasPort parameters. I’d say MeshCentral uses default values when they are not set in config.json. Port 80 (RedirPort) was “commented ( _ )”. I guess MeshCentral started before httpd, taking port 80 (by default, as in the howto’s sample output showing port 444, taken as the next higher available port after 443 was taken by httpd, unless the ExactPorts parameter is used).


OMG, I removed the RedirPort because I didn’t want to set too much. Thanks! Added missing RedirPort again.

I think ExactPorts won’t prevent the problem with port 80; it was just a comment on MeshCentral’s behavior. I’ve set RedirPort to 81, but when accessing directly over https (443) RedirPort is practically of no real use (other than port 80 for built-in Let’s Encrypt certs).

Need to re-read some part of the manual about secureinstall (restricted permissions on directories) and in which case MongoDB is a must.


Yes, but setting RedirPort to 81 hopefully prevents the “apache problem”. I thought it was useless for this config too.

Does it work now, can you reach the MeshCentral page?

Yes, it fixes apache problem. Still getting proxy error.
“Fun” for tomorrow morning.


My fault, the apache proxy config needs to point to http instead of https and ws instead of wss… thanks again.
EDIT:
Corrected.
