So, what are you working on? - 18 Dec 17


(Alessio Fattorini) #1

NethServer Family!!! :family_man_woman_boys:
Let’s kick off this new week now, this 2017 is ending and :santa: is coming!
Personally, also this week I’m going to help this community and work on our new NethServer Support/Partner Program.
What do you think of my last post?

NOW Let me give a big warm welcome to our new members from this past week! :hand_splayed: :hand_splayed: :hand_splayed:
Make yourselves at home and consider this your safe space for any questions you have related to NethServer and sysadmin’s life.

This is an incredible, supportive and understanding community. We’re all here to help each other.

So, what specifically are you working on at the moment? Are you setting up a new NethServer installation? Some great testing? Do you work for a brand, or do you freelance? Is there a problem that you’re here hoping to solve?

Ehi…

Ehi @tedimacko @asl @prostream @fausp @pike @JOduMonT @a4rgl @transocean @Christian_Gabriel_Fe @flatspin @wbilger @iglqut @indra @Ctek I see you :eyes: what’s on your plate this week?


(Alessio Fattorini) #2

(Andreas Schloegl) #3

Hello @alefattorini,
I’m busy with Nethserver #6, this time hosted on a rented root server. This is a different situation for me, because now I’m limited to just 1 NIC I got included with my virtual server.

If you need a second interface for e.g. internal VPN you can do a trick with a dummy interface. I will soon post a feature request, because this is something missing in NS but not that hard to implement and hopefully helpful to others, too.

And here the link for details: https://community.nethserver.org/t/dummy-interface-virtual-nic/8572


(Uwe) #4

After a very hard year (my mother died in March, my father is very ill) I have holidays now.
Tomorrow we start the trip to my hometown in North Germany. In the afternoon, I bring my father home from the hospital. And then, hopefully, we’ll have a quiet and peaceful Christmas.
And that is exactly what I wish for all people out there in the world. Have a nice and contemplative time, stay healthy and start well into the new year.

Thank you for the always friendly help here in the forum. It’s people like you who made Nethserver the successful project it is today.

Best regards

Uwe


(Alessio Fattorini) #5

Thanks man for sharing this. I appreciate your courage.
I wish your family all the happiness and peace you really deserve.

Thanks for your trust and heart-warming words too. You’re so kind!
The whole community will be happy to read that.


(Forgotten Beast) #6

Hi everyone,
I’ve been looking around for an all-purpose server I could set up during my internship and I’ve been quite taken with nethserver. I’m even thinking about adding it to my home infrastructure (got an old work laptop to retire so…) The killer features being the squid proxy, suricata, firewall as well as virtualization capabilities.

Currently most of it is running in docker containers configured with ansible so the lack of a nice web UI for docker isn’t that much of a drawback.

I have some questions regarding nethserver’s future:

  1. Is a bro IDS module planned?
  2. Does the current backup system also back up active directory data?
  3. Is CIFS traffic encrypted by default?

Thanks for the warm welcome!


(Markus Neuberger) #7

Hello @ForgottenBeast,

http://docs.nethserver.org/en/v7/suricata.html

Yes…

http://docs.nethserver.org/en/v7/backup.html

TLS is required by default.

If you have questions feel free to open a new topic…


(Filippo Carletti) #8

It’s in my plans, but it’s scheduled after a lot of higher-priority tasks. No ETA.


(Rob Bosch) #9

At first glance bro looks quite comprehensive. I must say I hadn’t heard of it before… maybe I should have!
I found a (unfortunately quite old) comparison of snort, bro and suricata: https://www.duo.uio.no/bitstream/handle/10852/8951/Rodfoss.pdf
In 6 years a lot has changed so I don’t know how useful this document is, but it might give an idea on differences and similarities between the solutions.


(Forgotten Beast) #10

Thanks for all the answers,
@robb, indeed Bro is quite interesting and I think it is at its best when deployed alongside something that does more classical signature detection (such as suricata or snort). It might not have the “aura” of more exotic behaviour based solutions (such as hogzilla) but it is straightforward to deploy (especially if containerized) and the scripting language is nice.

One of the main use cases I can think of is triggering an alert in case of anomalous behavior (given a specific context) that wouldn’t raise any signature because in another context it would be perfectly normal.


(Michael Kicks) #11

New toy

(the guy who bought it had a little issue with “right size for your business”)


(Alessio Fattorini) #12

What do you mean with the right size?


(Wijnand Mijnders) #13

On this side the daytime-job and some other activities are consuming a lot of time, but my Nethserver installation at home is doing its job superbly! From a distance I’m monitoring the discussions on the Hotsync module, this looks very promising. I hope I can spend some time on that when I have a second server up and running and share my experiences.

I would like to take this opportunity to wish all who are in any way involved in Nethserver some nice Christmas Holidays and a great year’s ending. I’m sure 2018 will be another prosperous year for Nethserver!

Greetings, Wijnand.


(Michael Kicks) #14

This product won’t be used at full capacity for services (optional) and it’s quite too big for a small network with few devices and a too slow internet connection (even for Italian standards).

He already bought it, therefore, change’s not an option now.


(Alessio Fattorini) #15

Ehi welcome here!
Can you add some details about that? Really curious about this implementation

Oh yeaaaaa :slight_smile:


(Forgotten Beast) #16

When I started I didn’t have a big budget so I decided to do a raspberry pi setup with multiple vpns and separated pkis to keep things clean. In the beginning it all ran on raspbian without containers, some services had multiple instances I got running in different processes and there was a lot of perl/bash + cron based duct tape to keep it from blowing up as well as iptables and routing voodoo. But it did blow up. Occasionally, services would go down because of unpredictable interactions between my scripts, or even with the underlying hardware (pilfered hard drives that should have been retired but had to work together with mhddfs).

As you might imagine, updates could break the system and as time went on it became harder and harder to get everything running again when the sd card died (probably a side effect of me writing and reading a lot from it since I couldn’t trust the hard drives).

So one day I saw the light and decided that I might as well try to do things properly. I made a new setup using RancherOS (ultra lightweight linux distro that is only meant to run docker containers) and ansible.

After about a week of work I had created ansible roles to replace my scripts, automated my image building pipeline (all images had to be built both on ARM and x86/64 so I could deploy them anywhere, furthermore I wanted an easy way to make any image able to use a vpn and do so without leaking) and created a generic role for handling deployments.

So right now I have a rudimentary framework that allows me to just add images to a yaml config file while specifying the architecture, privileges and whether I want a specific command to be run once the container starts and I can run it anywhere. There is also another role for vpn deployment, certificate generation/revocation and such. As I got interested in running more services I either created new roles if required or just plugged them in my main deployment/building roles.

I used it a lot to help friends deploy websites or even a CTF event.


(Alessio Fattorini) #17

CTF event?

BTW Looks interesting :slight_smile: would you like to help us and contribute to the project?


(Forgotten Beast) #18

I’m about to graduate with a master’s degree in CS and I specialized in Infosec. As you might surmise there is a high participation in Capture The Flag competitions among us, even after we have left our alma mater. A bunch of former students and some of my friends have been organizing such competitions to convince undergrads to join us :slight_smile:

One of the difficulties was that we didn’t have much in terms of either budget or hardware and we didn’t have much time to prepare the rooms either so there was a need for an easy to deploy system where you could just specify everything you needed in one config file (such as "one Sqli vulnerable website at XXX.XXX.XXX.XXX, one vulnerable AD at XXX.XXX.XXX.XXX and a VPN with 52 certificates for the participants" set up in less than half an hour). Luckily it was right up my alley since it was exactly what I had set up for my home network (except for the crappy badstore/DVWA webapps of course! I only deploy my own crappy code :stuck_out_tongue: ). The fast deployment from scratch was also a requirement for me since you can’t upgrade rancherOS without overwriting the SD card on raspberry pi (and thus losing everything you have put there) and I hate downtime.

Sure, I wouldn’t mind helping, though you have to understand I’m still quite a newbie :wink:

Once I’ve started my internship I am thinking about deploying NethServer on at least two instances and it looks like some of what I am planning might not be already doable through the GUI (setting up Bro, adding broscripts and a generic way to send specific logfiles to a remote logging server) so who knows, I might have to brush up on my php since I mostly code in python these days :slight_smile:


(Jonathan Dumont) #19

Hi everyone;

I hope you will have a great 2018.

Personally I

  • play with Cockpit, Alpine Linux and
  • Docker/Runc as always;
  • then going deeper with SELinux.

(Alessio Fattorini) #20

We’re working hard on that. Would you like to lend a hand?