Home IT Setup

Modified on 2011-12-14 05:17 by TaoK Categorized as Admin
This is going to be an attempt at documenting the main aspects of my home (and, by extension, office) networking and computing setup, so that I have my thoughts in one place, and have an easier time of figuring out what's missing, and what to change, when another machine or technology enters the fray.

There's a very faint chance that something here might be useful to someone or that they get sent here by some confused search engine algorithm - if so, don't hesitate to contact me with any questions.

===Home Server===

An increasing requirement is an always-on server - I happen to currently favor a Mac Mini running Windows 7 (I stick to windows out of laziness - I'm just quicker on my feet in a windows environment). I would love a more power-efficient Pico-ITX or similar server, but Apple's power usage claims on the Mac Mini are already pretty impressive, and it doubles as a decent projector source.

====Sync Folders====

I'm a big fan of Unison as it's a dedicated cross-OS sync solution, but I'm more than a little saddened by its stagnation/abandonment (or, maybe more to the point, its use of OCaml that seems to guarantee its long-term demise); I'd love to create something equivalent (for my purposes at least) starting from a project like Duplicati, but in the meantime I keep using it as it's the only reliable cross-OS open-source solution I'm aware of. These instructions are tainted by my preference for Windows, but seem to work:

* Install cygwin ssh on the server (currently v1.7.x). I used to shrink away from any setup that included cygwin because of the unmaintainable bloat I remembered, but recently gave it a try and was VERY pleasantly surprised by the package-manager-like setup program they have now. Easy to set up, easy to use, but you still need some googling:
** Install base packages + nano (or your editor of choice, "mc" (which adds "mcedit") seems to work well) and OpenSSH, and auto-selected dependencies
** if installing nano, you'll probably want to make it the default editor. run the following line, including the initial exclamation mark: 
*** ! grep -q EDITOR= ~/.bashrc && echo export EDITOR=/usr/bin/nano >> ~/.bashrc
** from a cygwin terminal started as Administrator, run "ssh-host-config"
*** priviledge separation: yes (it can only be safer, and I haven't found it breaking anything yet)
*** new local account: yes
*** service: yes
*** value of cygwin:  (I left it blank - the defaults seem to work fine for me)
*** different name than cyg_server: no (will only be asked on windows 2003 and later)
*** create user cyg_server: yes (will only be asked on windows 2003 and later)
*** new password: something that you will never remember (you can always reset it and update the service(s) later)
** As recommended [http://lifehacker.com/205090/geek-to-live--set-up-a-personal-home-ssh-server|here], might as well change /etc/sshd_config to prevent legacy SSH 1 connections, using nano to edit the file (for some reason cygwin protects its config files against local windows admins...?) 
** Similarly, change the port to (marginally) help avoid drive-by automated attacks
** start the service ("net start sshd")
** if you're running a host-based firewall like Windows Firewall, set up an appropriate exception (usually on your target port, TCP only)
** If you're going to want access from outside your LAN (eg for remote backup), then set up a port forward on your router (TCP only)
** If you're setting up a dedicated user for Unison (with limited rights, presumably) then run "mkpasswd -cl > /etc/passwd" afterwards to sync the passwd file.
** Test eg with FileZilla
* Install Unison on server
** Drop GTK+ (2.22.0??) files somewhere known eg Progra~1, and add to path (optional, for GUI debugging)
** Drop Unison files somewhere known eg Progra~1 (optional, for GUI debugging)
** Copy Unison-Cmdline into C:\Windows\System32 (or somewhere else that will be in the PATH of a cygwin shell), as Unison.exe 
* Install Unison on Client
** Drop GTK+ (2.22.0??) files somewhere known eg Progra~1, and add to path
** Drop [http://alan.petitepomme.net/unison/index.html|Unison files] somewhere known eg Progra~1
** Add [http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html|plink.exe] and the ssh.exe wrapper to plink (eg from [http://www.wischik.com/lu/programmer/unison-ssh.html|here]) in the Unison folder
*** We don't use cygwin SSH, although it also works, because cygwin SSH has irritating permissions/path issues outside of its shell env.
** Generate a public/private keypair with [http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html|puTTYgen], keep the private key file with the Unison setup (program file probably), and place the appropriate entry in the server's "authorized_keys" file for the target user (creating the .ssh folder for that user profile if necessary, and even the user's folder in /home).
** Connect to the server from the client using puTTY, to save the trusted host key
** Set up one or more appropriate "prf" files in your User profile's ".unison" folder, eg:
@@#local folder to sync
root = c:\Archive
#server/shared mirror location
root = ssh://Unison@192.168.2.30/D:/UnisonSync/Archive 
#Careful with this! Forces RSync mirroring! (deletes any local files that don't match - rarely use)
#force = ssh://Unison@192.168.2.30/D:/UnisonSync/Archive
#private key and port specifiers for plink
sshargs = -i ConfuzzedToUnisonOnMinimac.ppk -P 12322 
#back up all deleted files in the unison profile folder, just in case!
backup = Name * 
#accept (non-conflicting) changes automatically
auto = true 
#start automatically (don't wait for the user to click anything)
batch = true 
#trust file timestamps and sizes on windows, don't always re-hash in case someone's messing with us (much faster).
fastcheck = true 
#don't bother with version control internals, trust that there is a connection to an authoritative VCS server
ignore = Regex .*/*\.(svn|git).*
#Winmerge: suggested at https://alliance.seas.upenn.edu/~bcpierce/wiki/index.php?n=Main.UnisonFAQOSSpecific
#          /e:  Exit by single escape
#          /ub: Do not add paths to MRI
#          /dl, dr: Description, left, right
#          /wr  Right side: read only
#          Merge only works when first root is local!
# merge disabled because I want to automate the process (commandline) - but can be enabled for UI-interactive sync
#merge     = Name * -> "c:\Program Files\WinMerge\winmergeu" /ub /e /wr /dl "Local" /dr "Remote" "CURRENT1" "CURRENT2"
# diff enabled because it never hurts to have that option (isn't automatic)
diff     = "c:\Program Files\WinMerge\winmergeu" /ub /e /wr /dl "Local" /dr "Remote" "CURRENT1" "CURRENT2"
@@

====SysLog Logging====

If you want to keep track of what happens in your home network (esp. inbound access that could indicate a security breach), you need to have some sort of logging happening. I know there are a few large open-source network monitoring/administration systems out there, some of which are open-source (eg OpenNMS), but I like to keep things as simple as possible, using simple broadly-supported tools.

As such, SysLog is my monitoring protocol of choice, within my network. I used to favour Kiwi Syslog Server s a free option, but since I want on my open-source bender and discovered that cygwin is very usable these days, I've started using syslog-ng on Cygwin:

* Install Cygwin syslog-ng on the server
** (see above, incl installing nano and/or mcedit)
** see overview [http://www.syslog.org/logged/running-syslog-ng-on-windows/|here, for example]:
*** run setup
*** select "syslog-ng", and probably also cron, and continue
*** accept that it's going to have to install all sorts of prerequisites/dependencies, continue to end
*** run "syslog-ng-config" from a cygwin console that was started as Administrator, and install as service.
*** edit the /etc/syslog-ng/syslog-ng.conf config file with nano, configure logging preferences:
**** uncomment the network source line in the "log" section, to enable incoming log messages to the server from the network
**** change the filename to include datestamp in the name (unless you have cool logrotate-style functionality available somewhere), eg filename "/var/log/messages_$YEAR-$MONTH-$DAY", and see below for scheduled deletion of old files
**** (last time I checked the doc is [http://www.balabit.com/sites/default/files/documents/syslog-ng-v3.0-guide-admin-en.html/bk01-toc.html|here], consider checking there for any aditional rules / functionality)
**** (also see sample files [http://www.campin.net/syslog-ng.conf|here] and [http://en.gentoo-wiki.com/wiki/Syslog-ng|here])
** run the cron service setup, "cron-config" (from an administrator cygwin prompt)
*** I let cron start as localsystem, as I'm using LSA for OpenSSH authentication anyway. Avast! antivirus identifies this as a "potentially unsafe" program and asks me to sandbox it, but obviously that would defeat the purpose so I need to add an exemption. I'd love to know the history to that specific detection default...
** Set up new cron jobs to archive and delete logs. normally we might use the crontab.exe program, but I want to operate on system-owned logfiles, so my default user permissions would not be enough. As such, we'll set up the cron jobs in the "main" crontab configuration file at /etc/crontab - jobs defined here should execute as system, without user impersonation.
*** You'll want to create the system crontab file, as it doesn't appear to exist by default:
**** touch /etc/crontab
**** chown SYSTEM /etc/crontab
**** nano /etc/crontab
*** A sensible daily cleanup, archiving files daily and deleting logfiles older than 3 months (assuming the same filename is never repeated), might be: 
**** 0 3 * * * /usr/bin/find /var/log/messages* ! -name "*.gz" -mtime +1 -type f -exec /usr/bin/gzip {} \;
**** 5 3 * * * /usr/bin/find /var/log/messages* -mtime +91 -type f -exec rm {} \;
*** (tasks inspired by the [http://www.balabit.com/wiki/syslog-ng-faq-logrotate|syslog-ng log rotation faq entry])
*** (I found this cron scheduling article rather helpful: [http://www.pantz.org/software/cron/croninfo.html])
*** (even better, this visual editor avoids needing to think about it at all: [http://www.corntab.com/pages/crontab-gui])
* open the port (514 UDP by default) in windows firewall on the server, so that the syslog server is reachable from devices eg router
* ensure that all network devices know where to log to (esp. router, see below)
* once devices are logging, check activity eg with "tail -f /var/log/messages" or something like that (specific filename)

===Network===

I'm a big fan of technologies that make me the "owner" of my hardware, and as such DD-WRT (and others in the family, such as Tomato firmware) strike me as the coolest thing ever. Consequently, I try to buy devices that can are supported by open firmware (as far as I know DD-WRT has the broadest support).

I recently purchased what appears to be the best of both worlds - the "TP-Link TL-WR841ND v7", an absolutely dirt-cheap router (less than 30 EUR) that happens to be supported by DD-WRT, and here's the high-level setup:

* Administration -> Management: Password
* Setup -> Basic: IP Address (192.168.2.1)
* Setup -> MAC Address Clone: Set this to a fixed tht is the SAME as the sometime-default, because otherwise the WAN mac, and therefore the interim IP address, wavers along the lifetime of the router boot/uptime... (use the default MAC but ending in 2, as this seems to  be the pre-cloning MAC)
* Administration -> Management: Web access - HTTPS only, internal only, no telnet or SSH (except temporarily for backup & upgrade...?)
* Administration -> Management: Max Ports: 4096
* Administration -> Management: TCP Timeout: 300 secs (UDP default 120)
* Wifi 
** Primary "TWireless" with WPA2-PSK-AES, ending in "7"
** WDS of type "LAN" to AP, defaults
* DHCP Fixed (list snipped)
* Port Forwarding (list snipped)
* QoS
** Enable, on WAN, default packet scheduler, with upling & downlink specified.
** Set the IP Phone MAC address with "Premium" priority (need to "Add" to set the prriority)
** Add a "MiniMac-BT" service for the appropriate port range, apply
** Select the new "MiniMac-BT" service at "Bulk" priority (means no reservations at all)
* Dynamic DNS
** Setting is in Setup -> DDNS
** I use DynDNS.org - venerable, and as far as I know reliable.
** I can easily find my dynamic hostname (I frequently forget it) by looking up my internal website hostname on iptools.com - my website hostname is a CNAME entry to my dyndns hostname.
* SysLog forwarding
** Enable the syslog option with a server IP (the server defined above) in Services -> Services, "System Log" setting.
** Enable security logging events, under Security -> Firewall -> Log Management, enable, set to high, and enable "Accepted" to have a record of every accepted connection (and thereby a reasonable audit trail of ports accessed across your network).
* DNS Spoofing for consistent internal/external hostnames
** If you need to access a given host the same way internally and externally, the easiest way to set things up is probably to use the "Additional DNSMasq Options" feature in dd-wrt:
*** address=/www.somesite.com/192.168.1.123
*** address=/www.someothersite.com/192.168.1.124
*** '''SUBJECT TO REVISION''' - I'increasingly dissatisfied with this solution, as you generally have little control over the DNS server used. Looking to implement a software-based switch instead, either with different sync profiles, or with HOSTS file updates.
*** (you will want to have multiple public domains/subdomains, one for each internal IP that you need to be able to access - the internal and external ports should be the same, and the external names should all be CNAME entries to a common Dynamic DNS A entry maintained by the router)
*** (this doesn't work with VPN clients that stick a particular DNS server to the top of the lookup order)

Additional parameters that I would have liked to set up, but caused reliability problems (within-network inter-host connectivity failures, WDS connectivity failures, etc):

* guest "GuestWireless" with WPA2-PSK-AES password on a note on the fridge
** Setup -> Networking: create "br1" bridge for 192.168.4.1, save/apply
** Setup -> Networking: create a bridge assignment, "br1" to the virtual wifi interface ("ath0.1")
** Setup -> Networking: multiple DNCP Server, create "DHCP 0" on "br1" (NOT "ath0.1"), On, defaults.
*** At this point you have a guest SSID and subnet, with internet access, but full cross-talk!
** Administration -> Commands: Save Firewall script (from http://www.dd-wrt.com/wiki/index.php/Multiple_WLANs):
@@iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j DROP
iptables -I FORWARD -i br0 -o br1 -m state --state NEW -j DROP
iptables -I FORWARD -i br1 -d `nvram get wan_ipaddr`/`nvram get wan_netmask` -m state --state NEW -j DROP
iptables -I INPUT -i br1 -m state --state NEW -j DROP
iptables -I INPUT -i br1 -p udp --dport 67 -j ACCEPT
iptables -I INPUT -i br1 -p udp --dport 53 -j ACCEPT
iptables -I INPUT -i br1 -p tcp --dport 53 -j ACCEPT@@
Meta Keywords:
Meta Description:
Change Comment:
Architect Shack

Navigation

Home IT Setup
