Home IT Setup
Modified on 2011-12-14 05:17 by TaoK
Categorized as Admin
This is going to be an attempt at documenting the main aspects of my home (and, by extension, office) networking and computing setup, so that I have my thoughts in one place, and have an easier time of figuring out what's missing, and what to change, when another machine or technology enters the fray. There's a very faint chance that something here might be useful to someone, or that they get sent here by some confused search engine algorithm - if so, don't hesitate to contact me with any questions.

===Home Server===

An increasing requirement is an always-on server - I happen to currently favor a Mac Mini running Windows 7 (I stick to Windows out of laziness - I'm just quicker on my feet in a Windows environment). I would love a more power-efficient Pico-ITX or similar server, but Apple's power usage claims on the Mac Mini are already pretty impressive, and it doubles as a decent projector source.

====Sync Folders====

I'm a big fan of Unison as it's a dedicated cross-OS sync solution, but I'm more than a little saddened by its stagnation/abandonment (or, maybe more to the point, its use of OCaml, which seems to guarantee its long-term demise); I'd love to create something equivalent (for my purposes at least) starting from a project like Duplicati, but in the meantime I keep using it as it's the only reliable cross-OS open-source solution I'm aware of. These instructions are tainted by my preference for Windows, but seem to work:

* Install Cygwin SSH on the server (currently v1.7.x). I used to shrink away from any setup that included Cygwin because of the unmaintainable bloat I remembered, but recently gave it a try and was VERY pleasantly surprised by the package-manager-like setup program they have now.
Easy to set up, easy to use, but you still need some googling:
** Install base packages + nano (or your editor of choice; "mc" (which adds "mcedit") seems to work well) and OpenSSH, and auto-selected dependencies
** If installing nano, you'll probably want to make it the default editor. Run the following line, including the initial exclamation mark:
*** ! grep -q EDITOR= ~/.bashrc && echo export EDITOR=/usr/bin/nano >> ~/.bashrc
** From a Cygwin terminal started as Administrator, run "ssh-host-config"
*** privilege separation: yes (it can only be safer, and I haven't found it breaking anything yet)
*** new local account: yes
*** service: yes
*** value of CYGWIN: (I left it blank - the defaults seem to work fine for me)
*** different name than cyg_server: no (will only be asked on Windows 2003 and later)
*** create user cyg_server: yes (will only be asked on Windows 2003 and later)
*** new password: something that you will never remember (you can always reset it and update the service(s) later)
** As recommended [http://lifehacker.com/205090/geek-to-live--set-up-a-personal-home-ssh-server|here], you might as well change /etc/sshd_config to prevent legacy SSH 1 connections, using nano to edit the file (for some reason Cygwin protects its config files against local Windows admins...?)
** Similarly, change the port to (marginally) help avoid drive-by automated attacks
** Start the service ("net start sshd")
** If you're running a host-based firewall like Windows Firewall, set up an appropriate exception (usually on your target port, TCP only)
** If you're going to want access from outside your LAN (e.g. for remote backup), then set up a port forward on your router (TCP only)
** If you're setting up a dedicated user for Unison (with limited rights, presumably), then run "mkpasswd -cl > /etc/passwd" afterwards to sync the passwd file.
** Test, e.g. with FileZilla
* Install Unison on the server
** Drop GTK+ (2.22.0??) files somewhere known, e.g. Progra~1, and add to the PATH (optional, for GUI debugging)
** Drop Unison files somewhere known, e.g. Progra~1 (optional, for GUI debugging)
** Copy Unison-Cmdline into C:\Windows\System32 (or somewhere else that will be in the PATH of a Cygwin shell), as Unison.exe
* Install Unison on the client
** Drop GTK+ (2.22.0??) files somewhere known, e.g. Progra~1, and add to the PATH
** Drop [http://alan.petitepomme.net/unison/index.html|Unison files] somewhere known, e.g. Progra~1
** Add [http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html|plink.exe] and the ssh.exe wrapper to plink (e.g. from [http://www.wischik.com/lu/programmer/unison-ssh.html|here]) in the Unison folder
*** We don't use Cygwin SSH, although it also works, because Cygwin SSH has irritating permissions/path issues outside of its shell environment.
** Generate a public/private keypair with [http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html|PuTTYgen], keep the private key file with the Unison setup (program file probably), and place the appropriate entry in the server's "authorized_keys" file for the target user (creating the .ssh folder for that user profile if necessary, and even the user's folder in /home).
** Connect to the server from the client using PuTTY, to save the trusted host key
** Set up one or more appropriate "prf" files in your user profile's ".unison" folder, e.g.:
@@
#local folder to sync
root = c:\Archive
#server/shared mirror location
root = ssh://Unison@192.168.2.30/D:/UnisonSync/Archive
#Careful with this! Forces RSync mirroring! (deletes any local files that don't match - rarely use)
#force = ssh://Unison@192.168.2.30/D:/UnisonSync/Archive
#private key and port specifiers for plink
sshargs = -i ConfuzzedToUnisonOnMinimac.ppk -P 12322
#back up all deleted files in the unison profile folder, just in case!
backup = Name *
#accept (non-conflicting) changes automatically
auto = true
#start automatically (don't wait for the user to click anything)
batch = true
#trust file timestamps and sizes on windows, don't always re-hash in case someone's messing with us (much faster).
fastcheck = true
#don't bother with version control internals, trust that there is a connection to an authoritative VCS server
ignore = Regex .*/*\.(svn|git).*
#Winmerge: suggested at https://alliance.seas.upenn.edu/~bcpierce/wiki/index.php?n=Main.UnisonFAQOSSpecific
# /e: Exit by single escape
# /ub: Do not add paths to MRI
# /dl, dr: Description, left, right
# /wr Right side: read only
# Merge only works when first root is local!
# merge disabled because I want to automate the process (commandline) - but can be enabled for UI-interactive sync
#merge = Name * -> "c:\Program Files\WinMerge\winmergeu" /ub /e /wr /dl "Local" /dr "Remote" "CURRENT1" "CURRENT2"
# diff enabled because it never hurts to have that option (isn't automatic)
diff = "c:\Program Files\WinMerge\winmergeu" /ub /e /wr /dl "Local" /dr "Remote" "CURRENT1" "CURRENT2"
@@

====SysLog Logging====

If you want to keep track of what happens in your home network (esp. inbound access that could indicate a security breach), you need to have some sort of logging happening. I know there are a few large network monitoring/administration systems out there, some of which are open-source (e.g. OpenNMS), but I like to keep things as simple as possible, using simple, broadly-supported tools. As such, SysLog is my monitoring protocol of choice within my network.
I used to favour Kiwi Syslog Server as a free option, but since I went on my open-source bender and discovered that Cygwin is very usable these days, I've started using syslog-ng on Cygwin:

* Install Cygwin syslog-ng on the server
** (see above, incl. installing nano and/or mcedit)
** See the overview [http://www.syslog.org/logged/running-syslog-ng-on-windows/|here, for example]:
*** Run setup
*** Select "syslog-ng", and probably also cron, and continue
*** Accept that it's going to have to install all sorts of prerequisites/dependencies, and continue to the end
*** Run "syslog-ng-config" from a Cygwin console that was started as Administrator, and install as a service.
*** Edit the /etc/syslog-ng/syslog-ng.conf config file with nano, and configure logging preferences:
**** Uncomment the network source line in the "log" section, to enable incoming log messages to the server from the network
**** Change the filename to include a datestamp in the name (unless you have cool logrotate-style functionality available somewhere), e.g. filename "/var/log/messages_$YEAR-$MONTH-$DAY", and see below for scheduled deletion of old files
**** (last time I checked, the doc is [http://www.balabit.com/sites/default/files/documents/syslog-ng-v3.0-guide-admin-en.html/bk01-toc.html|here]; consider checking there for any additional rules / functionality)
**** (also see sample files [http://www.campin.net/syslog-ng.conf|here] and [http://en.gentoo-wiki.com/wiki/Syslog-ng|here])
** Run the cron service setup, "cron-config" (from an Administrator Cygwin prompt)
*** I let cron start as LocalSystem, as I'm using LSA for OpenSSH authentication anyway. Avast! antivirus identifies this as a "potentially unsafe" program and asks me to sandbox it, but obviously that would defeat the purpose, so I need to add an exemption. I'd love to know the history of that specific detection default...
** Set up new cron jobs to archive and delete logs. Normally we might use the crontab.exe program, but I want to operate on system-owned logfiles, so my default user permissions would not be enough. As such, we'll set up the cron jobs in the "main" crontab configuration file at /etc/crontab - jobs defined here should execute as SYSTEM, without user impersonation.
*** You'll want to create the system crontab file, as it doesn't appear to exist by default:
**** touch /etc/crontab
**** chown SYSTEM /etc/crontab
**** nano /etc/crontab
*** A sensible daily cleanup, archiving files daily and deleting logfiles older than 3 months (assuming the same filename is never repeated), might be:
**** 0 3 * * * /usr/bin/find /var/log/messages* ! -name "*.gz" -mtime +1 -type f -exec /usr/bin/gzip {} \;
**** 5 3 * * * /usr/bin/find /var/log/messages* -mtime +91 -type f -exec rm {} \;
*** (tasks inspired by the [http://www.balabit.com/wiki/syslog-ng-faq-logrotate|syslog-ng log rotation FAQ entry])
*** (I found this cron scheduling article rather helpful: [http://www.pantz.org/software/cron/croninfo.html])
*** (even better, this visual editor avoids needing to think about it at all: [http://www.corntab.com/pages/crontab-gui])
* Open the port (514 UDP by default) in Windows Firewall on the server, so that the syslog server is reachable from devices, e.g. the router
* Ensure that all network devices know where to log to (esp. the router, see below)
* Once devices are logging, check activity e.g. with "tail -f /var/log/messages" or something like that (specific filename)

===Network===

I'm a big fan of technologies that make me the "owner" of my hardware, and as such DD-WRT (and others in the family, such as Tomato firmware) strike me as the coolest thing ever. Consequently, I try to buy devices that are supported by open firmware (as far as I know DD-WRT has the broadest support).
I recently purchased what appears to be the best of both worlds - the "TP-Link TL-WR841ND v7", an absolutely dirt-cheap router (less than 30 EUR) that happens to be supported by DD-WRT, and here's the high-level setup:

* Administration -> Management: Password
* Setup -> Basic: IP Address (192.168.2.1)
* Setup -> MAC Address Clone: Set this to a fixed MAC that is the SAME as the sometime-default, because otherwise the WAN MAC, and therefore the interim IP address, wavers along the lifetime of the router boot/uptime... (use the default MAC but ending in 2, as this seems to be the pre-cloning MAC)
* Administration -> Management: Web access - HTTPS only, internal only, no telnet or SSH (except temporarily for backup & upgrade...?)
* Administration -> Management: Max Ports: 4096
* Administration -> Management: TCP Timeout: 300 secs (UDP default 120)
* Wifi
** Primary "TWireless" with WPA2-PSK-AES, ending in "7"
** WDS of type "LAN" to AP, defaults
* DHCP Fixed (list snipped)
* Port Forwarding (list snipped)
* QoS
** Enable, on WAN, default packet scheduler, with uplink & downlink specified.
** Set the IP Phone MAC address with "Premium" priority (need to "Add" to set the priority)
** Add a "MiniMac-BT" service for the appropriate port range, apply
** Select the new "MiniMac-BT" service at "Bulk" priority (means no reservations at all)
* Dynamic DNS
** Setting is in Setup -> DDNS
** I use DynDNS.org - venerable, and as far as I know reliable.
** I can easily find my dynamic hostname (I frequently forget it) by looking up my internal website hostname on iptools.com - my website hostname is a CNAME entry to my dyndns hostname.
* SysLog forwarding
** Enable the syslog option with a server IP (the server defined above) in Services -> Services, "System Log" setting.
** Enable security logging events, under Security -> Firewall -> Log Management: enable, set to high, and enable "Accepted" to have a record of every accepted connection (and thereby a reasonable audit trail of ports accessed across your network).
* DNS spoofing for consistent internal/external hostnames
** If you need to access a given host the same way internally and externally, the easiest way to set things up is probably to use the "Additional DNSMasq Options" feature in DD-WRT:
*** address=/www.somesite.com/192.168.1.123
*** address=/www.someothersite.com/192.168.1.124
*** '''SUBJECT TO REVISION''' - I'm increasingly dissatisfied with this solution, as you generally have little control over the DNS server used. Looking to implement a software-based switch instead, either with different sync profiles, or with HOSTS file updates.
*** (you will want to have multiple public domains/subdomains, one for each internal IP that you need to be able to access - the internal and external ports should be the same, and the external names should all be CNAME entries to a common Dynamic DNS A entry maintained by the router)
*** (this doesn't work with VPN clients that stick a particular DNS server to the top of the lookup order)

Additional parameters that I would have liked to set up, but which caused reliability problems (within-network inter-host connectivity failures, WDS connectivity failures, etc.):

* Guest "GuestWireless" with WPA2-PSK-AES password on a note on the fridge
** Setup -> Networking: create "br1" bridge for 192.168.4.1, save/apply
** Setup -> Networking: create a bridge assignment, "br1" to the virtual wifi interface ("ath0.1")
** Setup -> Networking: Multiple DHCP Server, create "DHCP 0" on "br1" (NOT "ath0.1"), On, defaults.
*** At this point you have a guest SSID and subnet, with internet access, but full cross-talk!
** Administration -> Commands: Save Firewall script (from http://www.dd-wrt.com/wiki/index.php/Multiple_WLANs):
@@
iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j DROP
iptables -I FORWARD -i br0 -o br1 -m state --state NEW -j DROP
iptables -I FORWARD -i br1 -d `nvram get wan_ipaddr`/`nvram get wan_netmask` -m state --state NEW -j DROP
iptables -I INPUT -i br1 -m state --state NEW -j DROP
iptables -I INPUT -i br1 -p udp --dport 67 -j ACCEPT
iptables -I INPUT -i br1 -p udp --dport 53 -j ACCEPT
iptables -I INPUT -i br1 -p tcp --dport 53 -j ACCEPT
@@
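Once the router's "Accepted" firewall logging is flowing into syslog-ng, a small review script gets more out of the audit trail than a bare "tail -f". This is an added example, not part of the original page or of DD-WRT; it assumes the WAN interface appears as IN=vlan2 in the log lines, takes the Cygwin sshd port 12322 from above as the only known forward, and uses constructed sample lines rather than a real capture.

```shell
#!/bin/sh
# Added example (not from the original page): review the "Accepted" firewall
# lines that DD-WRT forwards to the syslog-ng server, so the audit trail is
# actually looked at. Assumptions: the WAN shows up as IN=vlan2 (adjust for
# your router) and the log lines below are constructed, not real captures.

# Ports you knowingly forward from the WAN (the page's Cygwin sshd uses 12322).
EXPECTED_PORTS="12322"

# Constructed sample of /var/log/messages_<date>, modelled on DD-WRT's
# iptables LOG output. 198.51.100.x / 203.0.113.x are documentation ranges.
SAMPLE_LOG='Dec 14 03:10:01 DD-WRT kernel: ACCEPT IN=vlan2 OUT=br0 SRC=198.51.100.7 DST=192.168.2.30 PROTO=TCP SPT=51000 DPT=12322
Dec 14 03:10:05 DD-WRT kernel: ACCEPT IN=vlan2 OUT=br0 SRC=198.51.100.7 DST=192.168.2.30 PROTO=TCP SPT=51001 DPT=12322
Dec 14 03:11:40 DD-WRT kernel: ACCEPT IN=vlan2 OUT=br0 SRC=203.0.113.9 DST=192.168.2.30 PROTO=TCP SPT=40000 DPT=3389
Dec 14 03:12:00 DD-WRT kernel: ACCEPT IN=br0 OUT=vlan2 SRC=192.168.2.30 DST=203.0.113.9 PROTO=UDP SPT=514 DPT=514
Dec 14 03:12:30 DD-WRT kernel: DROP IN=vlan2 OUT= SRC=203.0.113.9 DST=192.168.2.1 PROTO=TCP SPT=40001 DPT=23'

# Read log lines on stdin; print "count dst:dport" for each accepted
# connection that entered from the WAN (outbound and dropped lines are skipped).
inbound_summary() {
    awk '
        /ACCEPT/ && /IN=vlan2/ {
            dst = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^DST=/) dst = substr($i, 5)
                if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            if (dst != "" && dpt != "") count[dst ":" dpt]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -k2
}

# Read log lines on stdin; print WAN-accepted destination ports that are not
# in EXPECTED_PORTS. Each is a forgotten port forward or something to look into.
unexpected_ports() {
    inbound_summary | awk -v expected="$EXPECTED_PORTS" '
        BEGIN { n = split(expected, e, " "); for (i = 1; i <= n; i++) ok[e[i]] = 1 }
        { split($2, p, ":"); if (!(p[2] in ok)) print p[2] }
    ' | sort -u
}

# Run against the constructed sample; in practice: inbound_summary < /var/log/messages_2011-12-14
printf '%s\n' "$SAMPLE_LOG" | inbound_summary
printf '%s\n' "$SAMPLE_LOG" | unexpected_ports
```

Anything listed by unexpected_ports should be checked against the router's Port Forwarding list; a port accepted from the WAN that you never forwarded is exactly the kind of event the "Accepted" logging is there to catch.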
© 2007-2012 Tao Klerks