NS8 cluster with Mail on public VPS

Hi all,

I was away for a while experimenting with different platforms, just for learning and experiencing the differences. I have experimented with NS6, ClearOS and Zentyal so far, and when NS8 came out, it was time to come back.

What amazing improvements NS has made! It's really running far ahead of my initial experiments. So now I have moved on to implementing production for my personal projects.
I'm pretty sure I'll never look back.

I have a home connection with a fixed IP and all ports open. I run a hardware firewall at home here giving me the first safety border against dirt on the outside.

Currently I run a small cluster with a master node on my home server, and a VPS as a second node for my mail system.
The VPS has no firewall settings, so it's fully open to the outside, which is a security concern of course.
But: any standard installation of NS8 has firewalld running, with a trusted zone on the WireGuard VPN. The trusted zone has a standard ACCEPT.
It also has a 'public' zone, with standard DROP and a set of services that are allowed. These services are automatically added when functionality or apps are added to the node.

A clean install of NS8 opens ports in the firewall for the services 'dhcpv6-client', 'ssh', 'http' and 'https'.

SSH is a security concern; you don't want port 22 open to the entire internet.
HTTP and HTTPS are also open, so cluster-admin is also reachable from the outside, which is not needed afaik for my specific setup, apart from the main node.

The ports for the Mail app, yeah, they are needed of course.

Since I have a fixed IP, I reconfigured firewalld to only allow ssh, http and https from my home IP, and drop everything else. I want to share how I did it for other new users facing the same challenges.

SSH into the VPS and run the following commands:

firewall-cmd --zone=public --remove-service=ssh --permanent
firewall-cmd --zone=public --remove-service=http --permanent
firewall-cmd --zone=public --remove-service=https --permanent
firewall-cmd --zone=public --remove-service=dhcpv6-client --permanent 

firewall-cmd --zone=public --add-rich-rule 'rule family="ipv4" service name="ssh" source address="YOUR.IP.GOES.HERE" accept' --permanent
firewall-cmd --zone=public --add-rich-rule 'rule family="ipv4" service name="http" source address="YOUR.IP.GOES.HERE" accept' --permanent
firewall-cmd --zone=public --add-rich-rule 'rule family="ipv4" service name="https" source address="YOUR.IP.GOES.HERE" accept' --permanent

firewall-cmd --reload

dhcpv6-client can only be removed if your VPS has a fixed IPv6 address, which it probably has.
To check the status:

firewall-cmd --list-all --zone=public

There sure are other and better ways to achieve this (like renting a VPS with a REAL firewall), but this is what works for me.

Now, I can SSH into the machine while I'm at home or when I have a VPN connected to my home from remote locations.

Grtz,

Stef

I also want to add that installing and configuring both NS8 clusters was so straightforward and painless that I got it up and running (up to this point - that will probably change when I dive into the Nextcloud integration) without having to ask specific questions to the community. All needed information was well documented, and some specifics I needed were very Google'able.
For this alone, I find NS8 currently the most mature system available; it just works as expected.
For anyone still in doubt to convert: just do it, you won't be disappointed.

1 Like
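As an added example (not part of Stef's post), here is a small POSIX shell audit that checks a saved listing of `firewall-cmd --list-all --zone=public` against the policy the commands above are meant to produce: ssh/http/https must not be zone-wide services, and every rich rule for them must be limited to the one trusted source address. The sample listing and the address 203.0.113.10 are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original post: audit a saved listing of
# `firewall-cmd --list-all --zone=public` against the intended policy:
# ssh/http/https must not be zone-wide services, and every rich rule for
# them must be limited to the one trusted source address.

# Constructed sample listing (hypothetical), shaped like firewalld's output
# after the remove-service / add-rich-rule commands in the post. firewalld
# prints rich-rule attributes in its own order, so matching is order-independent.
SAMPLE_LISTING='public (active)
  target: DROP
  interfaces: eth0
  sources:
  services: smtp smtps submission imap imaps
  ports:
  rich rules:
    rule family="ipv4" source address="203.0.113.10" service name="ssh" accept
    rule family="ipv4" source address="203.0.113.10" service name="http" accept
    rule family="ipv4" source address="203.0.113.10" service name="https" accept'

# audit_public_zone TRUSTED_IP < listing
# Exit status 0 when compliant; prints one line per violation otherwise.
audit_public_zone() {
  trusted="$1"; listing=$(cat); rc=0
  services=$(printf '%s\n' "$listing" | sed -n 's/^ *services: *//p')
  for svc in ssh http https; do
    # 1. the service must not be accepted from any source in the zone
    case " $services " in
      *" $svc "*) echo "VIOLATION: $svc is open to the whole public zone"; rc=1 ;;
    esac
    # 2. no rich rule may accept the service from a source other than TRUSTED_IP
    bad=$(printf '%s\n' "$listing" | grep "service name=\"$svc\"" \
          | grep -vc "source address=\"$trusted\"" || true)
    if [ "${bad:-0}" -gt 0 ]; then
      echo "VIOLATION: $bad rich rule(s) accept $svc from a source other than $trusted"; rc=1
    fi
    # 3. warn (without failing) if the trusted address has no rule of its own
    ok=$(printf '%s\n' "$listing" | grep "service name=\"$svc\"" \
         | grep -c "source address=\"$trusted\"" || true)
    [ "${ok:-0}" -gt 0 ] || echo "WARNING: no rich rule accepts $svc from $trusted"
  done
  return $rc
}

# Demo run against the constructed sample; on a live node pipe the real
# listing instead: firewall-cmd --list-all --zone=public | sh audit.sh
printf '%s\n' "$SAMPLE_LISTING" | audit_public_zone 203.0.113.10 && echo "public zone matches policy"
```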

No, it isn’t. Disable password authentication; it’s otherwise secure.

…along with literally every other web-based service that runs on NS8. If you don’t intend to have anything web-based on your NS8 system that’s open to the public, well, go ahead and block those ports. But NS8 is intended to serve web stuff to the public.

1 Like

It’s also possible to restrict access to cluster-admin from public, see also How do I prevent the administration page from being accessible from the Internet? - #16 by davidep

:heart:

1 Like

If you look on mitre.org you can see multiple CVEs that can cause authentication bypass. While SSH is regularly patched and indeed considered very safe when using certificates, blocking it from public access can still elevate security measures. It's with this philosophy in mind that I firewalled it.

Completely correct. Edited my post to add that this is for my specific configuration.

Grtz,

Stef

Yes, I have found that thread also. But I'm confused with the setup, since it's a 'restrict from' policy and I would expect an 'allow from' policy so the private subnets I have CAN access the cluster admin interface. If this is indeed the case, then shouldn't it read 'restrict to', so it's clear that the subnets you enter in this configuration would be allowed?
I have skipped this configuration for now, meaning that on my main node the cluster admin is indeed open to the public. As an extra security measure I immediately set up 2FA, which, like anything else in NS8 I have tried so far, is very straightforward to do.

2 Likes

I agree that restrict from may sound ambiguous.

Allow from could imply a default deny all policy, making the list mandatory.

Additionally, NethSecurity already uses restrict from for the same feature. If there’s a strong case, we could change both or clarify the documentation.

@danb35, what do you think? As a non-native English speaker, I may not fully grasp the nuances. I’m open to suggestions.

2 Likes

I think I’d understand those phrases as you do: “restrict from” would suggest everything’s permitted except what you list there; “allow from” would suggest nothing is allowed except what’s listed there.

3 Likes

Thank you for the quick response! So what’s the alternative proposal? “Allow from”? “Restrict to”?

Please note that the default “Allow everyone if field is left blank” is explained under the text-area.

1 Like

I think I’d favor the third.

2 Likes

Hi all,

I come from a networking background, so my favorite would be firewall-like terminology. What comes to mind is 'restrict to', which would indeed imply that if there are no entries, access is granted, and if there are entries, access is restricted to them.

Grtz,

Stef