Using NS8 on a virtual host with a VPS provider

NethServer Version: NS8

Hello,

the NS8 Firebird module is practically complete, the next step would be to test the NS8 VPS. The operation of the Firebird and MariaDB database managers with Windows client programs, the protection of the NS8 server against unauthorized access, etc. must be tested.

I would like to install the new NS8 on a VPS provider, similar to the current Nethserver 7.

Nethserver 7 included full protection and could be configured with one or two exceptions so that running services were only accessible via openVPN. NS8 does not have similar protection, applications cannot be restricted to be accessible only via VPN. Nethsecurity can be used to achieve adequate protection, but this cannot be installed on the NS8 server, it requires a separate VPS this means that the costs will double, so it is not a solution.

Unlike Nethserver 7, all services and applications of NS8 are directly accessible from the internet and do not have protection (fail2ban, suricata, threat shield, etc.), so the NS8 server is by default exposed to the internet without Nethsecurity since the port of every running service is open on the firewall and directly accessible from the internet.

Is it possible to install NS8 on a virtual host with a VPS provider with adequate protection and if so, how?

Maybe NS8 is not suitable for this?

Thank you for yor help

The webapps can be restricted to IPs or (VPN) networks via their HTTP routes, see HTTP routes — NS8 documentation

There’s a community OpenVPN access server app that allows 2 concurrent connections. It should be possible to reach the host via the Wireguard IP or a dummy interface IP over VPN and close not needed ports in the firewall.

There’s crowdsec that’s similar to fail2ban, see CrowdSec — NS8 documentation

Hi @steve

I’m running one of my nodes on a VPS, and even a very cheap and small one.
It’s true that NS8 has a different approach than NS7, but that doesn’t have to keep you from doing it if you don’t mind a little BASH.

My setup is as follows:
My main network is my homelab. I have a fixed IP with all ports open on my home network, so i’m never affraid of my ISP blocking anything. I currently have a Mikrotik hardware firewall, but in the process of replacing that with NethSecurity.
On my network i have 3 nodes running, 4th node is on the VPS and i have that node specificaly for mail services.

My VPS is a single core with 2GB of RAM and 50 GB of storage - so definitely not very ‘beefy’
It’s running Debian 12.9, and i did a apt-upgrade before installing NS8

The first thing i did was set a firewall rule so SSH, HTTP and HTTPS would be blocked, with my home IP as an exception. I don’t need HTTP/S and SSH to be reacheable to the world since my HTTP infra runs on my home lab. I DO have roundcube installed on the VPS node, and it’s available through a hostname known on the web, but for that i made a traefik rule that if the request for roundcube enters my HTTP/S infra at my place, it gets proxied from within my enviroment to the ip of the VPN on the VPS. That may seem dull, but it keeps my proxy rules all in one place and i only have 1 entry point to secure.so on the Debian shell i did this:

firewall-cmd --zone=public --remove-service=ssh --permanent
firewall-cmd --zone=public --remove-service=http --permanent
firewall-cmd --zone=public --remove-service=https --permanent
firewall-cmd --zone=public --remove-service=dhcpv6-client --permanent

firewall-cmd --zone=public --add-rich-rule ‘rule family=“ipv4” service name=“ssh” source address=“my.fix.ip.addr” accept’ --permanent
firewall-cmd --zone=public --add-rich-rule ‘rule family=“ipv4” service name=“http” source address=“my.fix.ip.addr” accept’ --permanent
firewall-cmd --zone=public --add-rich-rule ‘rule family=“ipv4” service name=“https” source address=“my.fix.ip.addr” accept’ --permanent

replace ‘my.fix.ip.addr’ with your IP (hopefully it’s also a fixed one’)

Since the VPS needs to grab a certificate sometimes the acme servers should be able to reach the node also, so here’s that:

firewall-cmd --zone=public --add-rich-rule ‘rule family=“ipv4” service name=“http” source address=“172.65.32.248” accept’ --permanent
firewall-cmd --zone=public --add-rich-rule ‘rule family=“ipv4” service name=“https” source address=“172.65.32.248” accept’ --permanent

firewall-cmd --reload

Maybe this is a possible solution for you?

EDIT to elaborate, by VPN i mean the wireguard VPN that is setup between nodes when installing NS8. It gives an open communication channel between nodes an these lines have full freedom of speech to one another. so any communication that may not see the front side, i do over the VPN.

Grtz,

Stef

@mrmarkuz HTTP routes can be useful, but they don’t solve all problems. They are good for restricting domain/path routes to VPN, but they don’t solve the problem of restricting open ports to VPN, Firebird, MariaDB, etc.

The firewall doesn’t solve this either, because restarting the given pod or host always makes changes to the firewall according to its configuration. It opens the pod ports on the firewall again. What is a possible solution to this problem?

I’ve already looked at Crowdsec, it seems useful instead of fail2ban, it can sufficiently protect ports that must be kept open, such as ssh, http, https. Unfortunately, I’m having trouble setting it up right now, because it seems much more complicated than fail2ban… I don’t even understand how to unblock it if the blocking is wrong… Do you use it, how to configure it to be good and how to unblock it?

Mail complicates the situation, because it would be nice to be able to access it without a VPN, but the open ports cannot be closed due to the aforementioned problem…

Thank you for your help

@stefferd What you wrote is very useful, thank you.

Unfortunately, it seems that the firewall does not solve the problem, because restarting the given pod or host always makes changes to the firewall according to its configuration. It opens the pod ports again on the firewall. I am looking for a solution for this.

My system would be very simple, a single VPS would run at the provider, which would be accessed from home or other places via VPN. Only a few ports would be open, all the others and the routes to the applications would only be accessible via VPN. I would have to solve this. Mail complicates the situation, because it would be nice to be able to access it without a VPN, but the open ports cannot be closed due to the aforementioned problem…

I think you could use the firewall to restrict access to ports to the VPN network as @stefferd proposed:

Maybe you can use a cron script that applies the needed firewall config regularly?

It’s pretty simple, just install it, set the IPs/ranges that shouldn’t be blocked in the settings and you’re done. In the “Banned IPs” you can unban wrongly blocked IPs.

Are you thinking of running a cron script after every reboot or restart or module restart to re-close the ports that are opened by default on the firewall?

The idea seems good, but I don’t know how to set the launch condition for the run yet.

I did a test with HTTP-route. I set it up so that, for example, mylam access was limited to the VPN (10.8.0.0/24). Access from the local network was not possible, in principle it should have been accessed via the VPN, but it did not work. The reason for this is probably that the DNS name was resolved, because the local DNS server runs on the local network. I think so, but what could be the problem.

I don’t know where to look for a solution, HTTP-route doesn’t want to work…

NethServer doesn’t open dangerous ports by default so I wonder if you really need the VPN approach for the whole server. Maybe just protect Firebird and mariadb…

I thought about running it every 15 minutes.

Here’s an example to check if ports are open or closed: (Port 1234/tcp is checked in the example)
Instead of the echo command you could open/close the ports as wanted.

firewall-cmd --list-ports | grep -q 1234/tcp && echo "Port open" || echo "Port closed"

I’m using OpenVPN Roadwarrior and it works to restrict the HTTP route to my VPN.
To allow local networks you need to add them too.

You’re probably right, but I don’t like to take risks with security. I also redirected everything to openVPN on Nethserver 7 except for SOGo and Nextcloud, and I only allowed postfix safely, blocking port 25 because I have an external well-protected mail server. I would like to do something similar on NS8 so I can sleep peacefully.

It’s unfortunate that Nethsecurity can only be run on a separate host, although I understand…

I’m interested in the method, the solution makes sense to me. Thank you, but I don’t think this would be an optimal solution.

Are you using the openVPN Road Warrior client with the openVPN Access Server?

What do you enter in the HTTP route settings to make it work for you?

I can connect to NS8 via mobile internet with Wireguard VPN, but I can’t access the applications on servername.lan/path (phpmyadmin, etc.) … Access to Firebird port (3050) works via VPN and I can also disable it in the Firebird settings so that it can only be accessed via VPN.

I currently have a local NS8 server for testing. The server does not have a public domain name, IP address, Let’s Encrypt certificate and runs behind a router on the local network.

I have tested a lot of things on this, but to test the internet security I need to modify the above parameters. I need to give it a public domain name and register it in the DNS. I need to request a certificate from Let’s Encrypt and open the necessary ports on the router firewall, it will need to be placed in DMZ.

The problem is that the host’s FQDN is currently ns8. localdomain.lan and the Samba AD DC is configured for it and the users are configured the same way.

I cannot create a Samba AD DC for a public domain because I already have one, at most I could delete it. What problems does this cause?

It’s not a problem if the users need to be deleted because they were created for testing, the bigger problem is that I don’t want the firebird and mariadb databases uploaded for testing to be deleted and have to be uploaded again because it’s a lot of work.

This also applies to rebuilding the entire server. What would be a good solution?

Thank you for your help

You could use the backup/restore function to restore mariadb or firebird to a new NS8.

The public test NS8 server is starting to come together. I want to set up mail sending and downloading from the external stand-alone mail server.

It seems that the mail sending is successfully sent via the external stand-alone mail server and reaches the recipient.

However, I cannot set up downloading of the mail. I would connect to the external stand-alone mail server with POP3S (995 TCP port) and immediately delete it from the external stand-alone mail server after downloading. Unfortunately, the connection fails, I get an error message:

smtplib validation: Connection unexpectedly closed: timed out.

Moreover, I cannot find an option to set up deleting the message after downloading from the external stand-alone mail server.

What could be the problem and how could it be solved?

Thank you for your help

Imapsync supports downloading mail from a mail server via IMAPS, POP3S isn’t supported, see Imapsync — NS8 documentation
With imapsync it’s possible to delete the mail from the server after the sync, see Imapsync — NS8 documentation

Imapsync will be a later task when I migrate the users. There is an imapsync module for that.

Now my problem is that I can’t download mail from my mail server using POP3S protocol. I set up Relay Recipient and when I connect I get an error message.

The mail module opens the POP3S (995 TCP) port on the firewall. This suggests that it should handle it, but it doesn’t seem to.

Everything works fine under NS7…

What is the reason for this? How can I download the mails so that they match those available in SOGo?

Thank you for your help

The logs could be really helpfull here.

I assume you used the pop connector in NS7, it’s successor in NS8 is imapsync, see NethServer 7 migration — NS8 documentation

The port is opened for mail clients to get the mails, see Mail — NS8 documentation

Exactly, I use the pop connector on the NS7.

On NS7, the task of imapsync was completely different, so is it downloading emails under NS8? I didn’t read this in the imapsync description… Do I need to install and use the imapsync module?

Can imapsnyc download emails from another server using the POP3S protocol?

I think we are misunderstanding each other and the task.

I currently have an external mail server that is operated by a service provider, both the primary and backup mail servers. I download emails from this mail server to Nethserver using the PO3S protocol and delete them on the external server at the same time. Nethserver stores all downloaded emails and makes them available to users using the IMAPS protocol using SOGo or e.g. Thunderbird.

Port 25 is closed on Nethserver because it is not a public mail server. Nethserver sends authenticated mail via port 587 via the external mail server.

Indeed, the mail service opens ports 25, 110, 143, 993, 995, 465, 587.

Indeed, the mail service opens ports 25, 110, 143, 993, 995, 465, 587. Ports 25, 110, 143, 465 are not needed, so I tried to close them on the firewall, but it won’t work. The firewall says that they are not open, but the ports are available. How is this possible? How can I close them?

Thank you for your help

Yes. As an alternative there’s fetchmail which supports pop3s but needs to be configured manually.

I guess because the port is in the mail service, see for example The firewall page in cluster admin shows removed ports - #4 by mrmarkuz

Thanks, I’ll check out the fetchmail module. Manual configuration is no problem, before Nethserver I also downloaded emails from the external email server with fetchmail since around the turn of the millennium. Maybe I even have the config…

Indeed, this is easily possible, but then how can I close TCP ports 25, 110, 143 and 465?

I don’t want to expose the ports I left open to attack even if Crowdsec protects them, because a DDOS attack on these ports would really slow down my server.

Did you try this:

firewall-cmd --permanent --service=mail1 --remove-port=143/tcp
firewall-cmd --reload