Lost on Nethserver 8 - how to get nethsecurity up and running

NethServer Version: Nethserver 8
Module: nethsecurity

Hi together,

I instantiated a new root server. The goal is to migrate my trusted NethServer 7 instance of many years to this new root server. Both are placed on the internet (Netcup root server).

My focus now is getting an understanding of NS8 and the new installation and, first of all, preparing it mainly from a security point of view. Then I start over from scratch. So far so good. Nothing to worry about: it’s not a production system yet.

I installed successfully via the QCOW2 image, registered the server at the community portal, changed the admin password and so on, and installed basic things like the LDAP provider. I also tried to migrate something from NS7 to NS8 (Mattermost), which was pretty impressive! This is a damn good thing, NS8: congrats and thanks a lot.

BUT what drives me crazy for hours now: the most important thing before going further is getting Nethsecurity running.

I installed the QCOW2 image, so I assume that NethSecurity is already installed, or am I wrong here? If so, then installing the NethSecurity Controller via the Software Center should be enough.

My problem is:
I have been trying for hours, 2 days now, to understand how to register a unit (“join code”) with the Unit Manager and get access to the/a firewall UI on port 9090.

  • Unit is up and running
  • Status is “Not registered”
  • I created the NethSecurity trial (want community) on my.nethserver.com

First problem: no UI on https://my_ip:9090

When I follow the advice on Remote access — NethSecurity documentation, there is simply no such UI.

Second problem: register the unit

When I follow Subscription — NethSecurity documentation I am totally lost, sorry.

  • Access the Enterprise or Community portal, add a new server and copy the token → OK, done
  • Access the firewall and go to the Subscription page → FULL STOP

? Which firewall on what URL? There is none.
? Which “subscription page”? I cannot access the “firewall” UI, so there is no subscription page.

Sorry, totally lost. Can someone probably kick me in the right direction?

Cheers, Axel

The firewall is separate from NS8, and based on OpenWrt. Still, NS8 has firewalld (like NS7 had a minimal firewall without installing the firewall module, or like Windows has its own firewall).

If NethSecurity firewall is needed, it has to be installed on another hardware or VM.

The NethSecurity Controller app is used to be able to manage NethSecurity firewall(s) from the same single server/cluster interface. But the NethSecurity firewall has a UI of its own.

Once you have NethSecurity up and running, it can be joined with/to NS8’s NethSecurity Controller app.

3 Likes

For netcup, this means imho roughly the following:

  1. Get a 2nd server for NethSecurity
  2. Set up a private network link between the two servers (there are free and paid, faster options available at netcup)
  3. Install NethSecurity on the 2nd machine, and set up port forwarding / reverse proxy etc. to make NS8 accessible through the firewall and the private link, without using the direct internet connectivity of the NS8 machine
  4. Double check that you can reach all needed NS8 services through the NethSecurity firewall and the private link.
  5. Enable access to the cluster-admin and NethSecurity admin sites without making them publicly available. I would set up a VPN server on the firewall to allow remote access into the private subnet, and access the admin sites from there. Additionally, consider enabling SSH access from the private net on both servers as a fallback, and for administration of the underlying Linux of NS8.
  6. Disable the direct internet access on the NethServer machine. I don’t remember if that can be disabled in netcup, but at least you can disable the network interface in the underlying Linux, or simply block all incoming and outgoing traffic on that interface.
  7. Enjoy NS8 behind a NethSecurity firewall on two netcup machines

This is a rather tricky setup. I did something similar with Debian + OPNsense based machines on netcup a few years ago, and it took some effort to get it right.

1 Like

Only if you really need NethSecurity (I don’t know your reasons); otherwise, like @dnutan said, the ‘built-in firewall(d)’ will do.

If you need an extra/separate firewall, the setup is generally the same, depending on your zones setup and security hardening.

Hi together,

thank you a lot for making things clear. If you are coming from NS7 like me, you expect some UI within the control center for basic network tasks (managing services, ports, zones…). Getting another server is not only a question of investment but also of complexity for a small system (small non-profit).

Firewall:
This is totally OK because, as I understand it, I can use firewall-cmd to do the necessary stuff. I basically like to do all admin tasks only via VPN. Formerly, it was possible to secure every service via Cockpit (e.g. SSH). There should be, by default, a road warrior setup to reach the admin UI only via VPN (which is already there).

Configure and use Wireguard VPN for administration:
This is a real downside, since it is not as easy as before to get road warriors up and running. But I know it is doable. The VPN is up and running and should be, as I already said, made the only way to reach the admin panel or the node. And yes, I know, SSH with a private/public key PKI is basically the same (but not really).

I hope there will be how-tos for use cases that existed in NS7 and are now no longer available, at least with a UI. This should be part of the migration guide. I really think there are only a few use cases concerning the network stack (isolating administration via VPN, getting road warriors running). I have some understanding of network technology, but building things up from scratch is another thing. So you can probably expect something here from me.

I have time to do the transition. So this is enough help and information for me to dive deeper into the new NS8.

One last note on security: I really cannot understand why such a complex system is exposed to the outside world by default with only a simple admin password for root (SSH) and admin (node controller). This should be fixed with another strategy, e.g. a generated token or SSH key that can be obtained from the command line.

Thanks a lot.

Cheers, Axel

1 Like
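The two ideas in this thread that are left as an exercise for the reader are steps 5 and 6 of the two-server plan above (admin sites reachable only via VPN / private link, direct internet access on the NS8 box blocked) and Axel's wish to use firewall-cmd so that the admin panel and SSH are reachable only through the WireGuard tunnel. The following script is an added example, not code from the thread or from the NethServer project. Everything in it is an assumption: the interface names `wg0` (WireGuard), `eth1` (private link) and `eth0` (public), the VPN subnet `10.8.0.0/24`, the WireGuard port `51820/udp`, and TCP 9090 as the admin UI port (the only port number the thread mentions). The firewall-cmd options used are standard firewalld ones. By default the script only prints the commands it would run; it touches the live firewall only with `APPLY=1`, and then only after checking that the VPN interface is actually up, because removing SSH from the public zone before the tunnel works locks you out of a remote root server.

```shell
#!/bin/sh
# Added example: isolate NS8 administration behind a VPN / private link with firewalld.
# All interface names, subnets and ports below are assumptions for illustration.

VPN_IF="${VPN_IF:-wg0}"                 # WireGuard interface (assumed name)
LINK_IF="${LINK_IF:-eth1}"              # private link to the firewall server (assumed)
PUBLIC_IF="${PUBLIC_IF:-eth0}"          # interface with the direct internet address (assumed)
VPN_NET="${VPN_NET:-10.8.0.0/24}"       # constructed VPN subnet
WG_PORT="${WG_PORT:-51820/udp}"         # assumed WireGuard listen port
ADMIN_PORTS="${ADMIN_PORTS:-9090/tcp 22/tcp}"   # admin UI (port named in the thread) + SSH

# run: print the firewall-cmd invocation and execute it only when APPLY=1
run() {
    echo "firewall-cmd $*"
    if [ "${APPLY:-0}" = "1" ]; then
        firewall-cmd "$@"
    fi
}

# vpn_is_up: refuse to change the live firewall unless the tunnel interface exists
vpn_is_up() {
    ip link show "$VPN_IF" >/dev/null 2>&1
}

# plan_admin_isolation: emit (or apply) the rules.
#  - a dedicated "admin" zone holds the VPN and private-link interfaces
#  - admin ports are allowed there and removed from the public zone
#  - single-server case: the WireGuard port stays open on the public zone, it is the only way in
#  - two-server case (BLOCK_PUBLIC=1, step 6 above): the public interface goes to the "drop" zone
plan_admin_isolation() {
    if [ "${APPLY:-0}" = "1" ] && ! vpn_is_up; then
        echo "refusing to apply: $VPN_IF is not up, you would lock yourself out" >&2
        return 1
    fi

    run --permanent --new-zone=admin
    run --permanent --zone=admin --add-interface="$VPN_IF"
    run --permanent --zone=admin --add-interface="$LINK_IF"
    run --permanent --zone=admin --add-source="$VPN_NET"

    for p in $ADMIN_PORTS; do
        run --permanent --zone=admin --add-port="$p"
        run --permanent --zone=public --remove-port="$p"
    done
    # firewalld ships ssh as a service in the public zone; remove that too
    run --permanent --zone=public --remove-service=ssh

    if [ "${BLOCK_PUBLIC:-0}" = "1" ]; then
        # two-server layout: nothing reaches NS8 directly, only via the firewall's private link
        run --permanent --zone=drop --change-interface="$PUBLIC_IF"
    else
        # single-server layout: keep the tunnel endpoint reachable from the internet
        run --permanent --zone=public --add-port="$WG_PORT"
    fi

    run --reload
}

# Usage:  sh isolate-admin.sh plan        (print only)
#         APPLY=1 sh isolate-admin.sh apply
#         BLOCK_PUBLIC=1 sh isolate-admin.sh plan
case "${1:-}" in
    plan|apply) plan_admin_isolation ;;
esac
```

After applying, `firewall-cmd --zone=public --list-all` should show neither 22/tcp nor 9090/tcp, and `firewall-cmd --get-active-zones` should list `wg0` (and `eth1`) under `admin`. Keep a second session open over the tunnel while you reload, and check that you can still log in through it before closing the original one.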