Month: March 2018

Multiple SSH instances on OpenMediavault

I have a port 22 open towards a device allowing me to logon. I have mutiple other devices also with SSH but I do not want them available over the internet. This is fine as long as you do nothing in your portforwarding.

But as I wrote earlier in a previous post: I need SSH for my RSYNC backup. This cannot run on port 22 as the device where port 22 is open is not the device running what is the target for the RSYNC job.

So we do configure openmediavault (4.x) to have 2x a SSH instanc running on a different port with a different configuration

The 2nd instance allows only a login with public key. All other logins are disabled.

Simple steps:

cp /lib/systemd/system/ssh.service /etc/systemd/system/sshdrsync.service
modified 1 certain part in the target file:
ExecStart=/usr/sbin/sshd -D -f /etc/ssh/sshd_rsync_config $SSHD_OPTS

than copied the standard ssh config from OMV to the sshd_rsync where I modified the port to the port it needs to run on.

this you can find in /etc/ssh

Please note that in the ssh file I already had the include part about the public key (where to find it).

than: 2 commands:

systemctl enable sshdrsynd.service

systemctl start sshdrsync.service

ready set and go .. 10 min work. (testing is simple ssh to the new port, your login will tell you that it is only allowing with public key.

Backup MIAB (Mail in a Box) through Rsync towards Openmediavault Server

Mail in a box (MIAB) has a backup feature available. It stores full and incremential backups on the mailserver and it is possible to store the backup also on another device through RSYNC. In my situation I am saving the data to an OpenMediaVault NAS

Here I write my own: How I did it (quick and dirty cause I expect you to know things).

In short:
rsync over port 5678 to backup your data to the OpenMediaVault NAS

  1. Make sure you have a hostname available where rsync can be connected to, the hostname must point to the IP where the OMV (OpenMediaVault) is connected
  2. Rsync over SSH is being used.
  3. if you do not want to use port 22 with Rsync, you need to modify /root/mailinabox/management/backup.py line 19: change -p 22 to -p 5678
  4. Enable Rsync Server in the GUI (Grapical User Interface) of openmediavault.

Please note that it is not possible to use the ~/.ssh/config file where you can add the port as well. The reason is that the verification process needs in the backup.py a -p setting which is not overridden bij de config file.

  • SSH standard port 22, this we will change. (ie. port 22 is already in use towards another server)
  • In the router go to your portforwarding section and open port 5678 towards port 22 to your device (with OpenMediaVault).
  • MIAB and RSYNC needs to have the full path where to store the backup. In my situation: /media/a925efd7-ada5-48b5-80e6-383cc6274bcd/Backup (the folder must available and writable
  • Make sure that a user can login with SSH and can access OpenMediaVault
  • MIAB is providing a public key for auto-login needed for rsync. this key must be available in OpenMediavault. You can put the public key in: ~/.ssh/authorized_keys or in a folder in /var/lib/openmediavault/ssh/authorized_keys where you create a file with the name of the user
  • within MIAB you can use from /root/mailinabox/ the following: sudo management/backup.py –verif

to test if your public key is accepted: from MAIB ssh with the following command:  ssh -p 5678 -i /root/.ssh/id_rsa_miab user@domain.name

If this is giving you a direct login to your OpenMediaVault NAS you can use Rsync ;)

Missing something? Reply and ask

 

VLAN for Guests with Ubiquity: Unifi USG, USW8-150, AC-Pro, AC-LR and other stuff

This posts is merely an overview of what I did to get my WLAN guests, who access the Internet through the hotspot feature of the USG and the Unifi controller,through a VLAN so that they are not part of my own private network. (security)

This handout only applies when you own some gear of Ubiquity. (I have also other hardware, here you might have to make some configuration as well, my situation is explained.

What hardware is in the network
USG Router – US 8-150W switch – AC-Pro, 2 x AC-Lite AccessPoint (Unifi stuff)
1x TP-Link TLSG108E (Smart Switch)
2x Dump switch 5 port Netgear (not important in this story)
1x TP-Link TLSG2216 (Smart Switch)

1st Create a guest network with VLAN100. Do this only if you have the USG. If you do not have an USG this does not apply cause the network part in the controller is for use with the Unifi USG router.

If you use “Guest” it is already isolated from your corporate LAN.
Modify other settings like DHCP in this menu. This I do not explain.

Now make sure your SSID for your guests can be on a VLAN

This is the most important part.

Notice: I have an US-8-150W. When creating a VLAN Guest network in the profiles part of the controller the ports will be configured automatically. As long as you have all profiles accepted on the ports, the VLAN will directly work if your AccessPoint is directly connected to the Unifi Switch.

In my situation I have 2 AccessPoints behind a smart switch and 1 AccessPoint connected to a dumb switch what is connected to the US-8-150W (all devices eventually come to the US-8-150W as the uplink is the USG Router).

A simple test towards the AP connected to the dumpswitch is showing that the VLAN is working

To have the VLAN100 working towards the other APs you need to tag the ports in other smart swiches. In my situation 2 different TP-Link devices

Tips for the TP-Link: TLSG108E: enable 802.1Q (no need to set the 802.1Q PVID setting)

In my example you see that port 1 and port 6 are tagged with VLAN 100. Port 1 is the uplink port towards the other switch (the unifi switch) and port 6 is the port towards the AccessPoint

Apply and save the configuration and your guests can access the guest portal over VLAN

the TP-Link SG2216 is a business smart switch so the screens are a little different

Here you see the VLAN section of the SG2216 where I tagged port 16 (uplink port towards the Unifi Switch) and port 10 connected to the AccessPoint. Now this AccessPoint is also serving VLAN towards my Guests.

Maybe you wonder what will happen to your normal LAN clients when you enable or tag ports on VLAN100: your normal LAN is not tagged and the switches will forward your data normally.