Architect Shack

Home IT Setup

Modified on 2011-12-14 05:17 by TaoK. Categorized as Admin.
This is going to be an attempt at documenting the main aspects of my home (and, by extension, office) networking and computing setup, so that I have my thoughts in one place, and have an easier time of figuring out what's missing, and what to change, when another machine or technology enters the fray.

There's a very faint chance that something here might be useful to someone or that they get sent here by some confused search engine algorithm - if so, don't hesitate to contact me with any questions.

Home Server

An increasing requirement is an always-on server - I happen to currently favor a Mac Mini running Windows 7 (I stick to windows out of laziness - I'm just quicker on my feet in a windows environment). I would love a more power-efficient Pico-ITX or similar server, but Apple's power usage claims on the Mac Mini are already pretty impressive, and it doubles as a decent projector source.

Sync Folders

I'm a big fan of Unison as it's a dedicated cross-OS sync solution, but I'm more than a little saddened by its stagnation/abandonment (or, maybe more to the point, its use of OCaml that seems to guarantee its long-term demise); I'd love to create something equivalent (for my purposes at least) starting from a project like Duplicati, but in the meantime I keep using it as it's the only reliable cross-OS open-source solution I'm aware of. These instructions are tainted by my preference for Windows, but seem to work:

  • Install cygwin ssh on the server (currently v1.7.x). I used to shrink away from any setup that included cygwin because of the unmaintainable bloat I remembered, but recently gave it a try and was VERY pleasantly surprised by the package-manager-like setup program they have now. Easy to set up, easy to use, but you still need some googling:
    • Install base packages + nano (or your editor of choice, "mc" (which adds "mcedit") seems to work well) and OpenSSH, and auto-selected dependencies
    • if installing nano, you'll probably want to make it the default editor. run the following line, including the initial exclamation mark:
      • ! grep -q EDITOR= ~/.bashrc && echo export EDITOR=/usr/bin/nano >> ~/.bashrc
    • from a cygwin terminal started as Administrator, run "ssh-host-config"
      • privilege separation: yes (it can only be safer, and I haven't found it breaking anything yet)
      • new local account: yes
      • service: yes
      • value of cygwin: (I left it blank - the defaults seem to work fine for me)
      • different name than cyg_server: no (will only be asked on windows 2003 and later)
      • create user cyg_server: yes (will only be asked on windows 2003 and later)
      • new password: something that you will never remember (you can always reset it and update the service(s) later)
    • As recommended here, might as well change /etc/sshd_config to prevent legacy SSH 1 connections, using nano to edit the file (for some reason cygwin protects its config files against local windows admins...?)
    • Similarly, change the port to (marginally) help avoid drive-by automated attacks
    • start the service ("net start sshd")
    • if you're running a host-based firewall like Windows Firewall, set up an appropriate exception (usually on your target port, TCP only)
    • If you're going to want access from outside your LAN (eg for remote backup), then set up a port forward on your router (TCP only)
    • If you're setting up a dedicated user for Unison (with limited rights, presumably) then run "mkpasswd -cl > /etc/passwd" afterwards to sync the passwd file.
    • Test eg with FileZilla
  • Install Unison on server
    • Drop GTK+ (2.22.0??) files somewhere known eg Progra~1, and add to path (optional, for GUI debugging)
    • Drop Unison files somewhere known eg Progra~1 (optional, for GUI debugging)
    • Copy Unison-Cmdline into C:\Windows\System32 (or somewhere else that will be in the PATH of a cygwin shell), as Unison.exe
  • Install Unison on Client
    • Drop GTK+ (2.22.0??) files somewhere known eg Progra~1, and add to path
    • Drop Unison files somewhere known eg Progra~1
    • Add plink.exe and the ssh.exe wrapper to plink (eg from here) in the Unison folder
      • We don't use cygwin SSH, although it also works, because cygwin SSH has irritating permissions/path issues outside of its shell env.
    • Generate a public/private keypair with puTTYgen, keep the private key file with the Unison setup (program file probably), and place the appropriate entry in the server's "authorized_keys" file for the target user (creating the .ssh folder for that user profile if necessary, and even the user's folder in /home).
    • Connect to the server from the client using puTTY, to save the trusted host key
    • Set up one or more appropriate "prf" files in your User profile's ".unison" folder, eg:
      #local folder to sync
      root = c:\Archive
      #server/shared mirror location
      root = ssh://Unison@192.168.2.30/D:/UnisonSync/Archive
      #Careful with this! Forces RSync mirroring! (deletes any local files that don't match - rarely use)
      #force = ssh://Unison@192.168.2.30/D:/UnisonSync/Archive
      #private key and port specifiers for plink
      sshargs = -i ConfuzzedToUnisonOnMinimac.ppk -P 12322
      #back up all deleted files in the unison profile folder, just in case!
      backup = Name *
      #accept (non-conflicting) changes automatically
      auto = true
      #start automatically (don't wait for the user to click anything)
      batch = true
      #trust file timestamps and sizes on windows, don't always re-hash in case someone's messing with us (much faster).
      fastcheck = true
      #don't bother with version control internals, trust that there is a connection to an authoritative VCS server
      ignore = Regex .*/*\.(svn|git).*
      #Winmerge: suggested at https://alliance.seas.upenn.edu/~bcpierce/wiki/index.php?n=Main.UnisonFAQOSSpecific
      # /e: Exit by single escape
      # /ub: Do not add paths to MRI
      # /dl, dr: Description, left, right
      # /wr Right side: read only
      # Merge only works when first root is local!
      # merge disabled because I want to automate the process (commandline) - but can be enabled for UI-interactive sync
      #merge = Name * -> "c:\Program Files\WinMerge\winmergeu" /ub /e /wr /dl "Local" /dr "Remote" "CURRENT1" "CURRENT2"
      # diff enabled because it never hurts to have that option (isn't automatic)
      diff = "c:\Program Files\WinMerge\winmergeu" /ub /e /wr /dl "Local" /dr "Remote" "CURRENT1" "CURRENT2"


SysLog Logging

If you want to keep track of what happens in your home network (esp. inbound access that could indicate a security breach), you need to have some sort of logging happening. I know there are a few large network monitoring/administration systems out there, some of which are open-source (eg OpenNMS), but I like to keep things as simple as possible, using simple broadly-supported tools.

As such, SysLog is my monitoring protocol of choice, within my network. I used to favour Kiwi Syslog Server as a free option, but since I went on my open-source bender and discovered that cygwin is very usable these days, I've started using syslog-ng on Cygwin:

  • Install Cygwin syslog-ng on the server
    • (see above, incl installing nano and/or mcedit)
    • see overview here, for example:
      • run setup
      • select "syslog-ng", and probably also cron, and continue
      • accept that it's going to have to install all sorts of prerequisites/dependencies, continue to end
      • run "syslog-ng-config" from a cygwin console that was started as Administrator, and install as service.
      • edit the /etc/syslog-ng/syslog-ng.conf config file with nano, configure logging preferences:
        • uncomment the network source line in the "log" section, to enable incoming log messages to the server from the network
        • change the filename to include datestamp in the name (unless you have cool logrotate-style functionality available somewhere), eg filename "/var/log/messages_$YEAR-$MONTH-$DAY", and see below for scheduled deletion of old files
        • (last time I checked the doc is here, consider checking there for any additional rules / functionality)
        • (also see sample files here and here)
    • run the cron service setup, "cron-config" (from an administrator cygwin prompt)
      • I let cron start as localsystem, as I'm using LSA for OpenSSH authentication anyway. Avast! antivirus identifies this as a "potentially unsafe" program and asks me to sandbox it, but obviously that would defeat the purpose so I need to add an exemption. I'd love to know the history to that specific detection default...
    • Set up new cron jobs to archive and delete logs. Normally we might use the crontab.exe program, but I want to operate on system-owned logfiles, so my default user permissions would not be enough. As such, we'll set up the cron jobs in the "main" crontab configuration file at /etc/crontab - jobs defined here should execute as system, without user impersonation.
      • You'll want to create the system crontab file, as it doesn't appear to exist by default:
        • touch /etc/crontab
        • chown SYSTEM /etc/crontab
        • nano /etc/crontab
      • A sensible daily cleanup, archiving files daily and deleting logfiles older than 3 months (assuming the same filename is never repeated), might be:
        • 0 3 * * * /usr/bin/find /var/log/messages* ! -name "*.gz" -mtime +1 -type f -exec /usr/bin/gzip {} \;
        • 5 3 * * * /usr/bin/find /var/log/messages* -mtime +91 -type f -exec rm {} \;
      • (tasks inspired by the syslog-ng log rotation faq entry)
      • (I found this cron scheduling article rather helpful: http://www.pantz.org/software/cron/croninfo.html)
      • (even better, this visual editor avoids needing to think about it at all: http://www.corntab.com/pages/crontab-gui)
  • open the port (514 UDP by default) in windows firewall on the server, so that the syslog server is reachable from devices eg router
  • ensure that all network devices know where to log to (esp. router, see below)
  • once devices are logging, check activity eg with "tail -f /var/log/messages" or something like that (specific filename)
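As an added example (not part of the original page), a small Python script that reads a day's syslog-ng messages file and summarises which ports the router's firewall accepted inbound connections on from outside the LAN, flagging any that are not in the deliberately forwarded set; this is the audit trail that the router's "Accepted" firewall logging (see the Network section) feeds. It assumes the netfilter key=value log format with "ACCEPT"/"DROP" prefixes (the exact prefix the router emits is an assumption), the 192.168.2.0/24 subnet from this page, and that TCP 12322 (the port in the prf above) is the only forwarded port; the log lines are constructed.

```python
import re
import ipaddress
from collections import defaultdict

# Constructed sample of a syslog-ng messages file: router firewall events in the
# netfilter LOG key=value format. The "ACCEPT"/"DROP" prefixes are an assumption
# standing in for whatever prefix the router's firewall logging actually emits.
SAMPLE_LOG = """\
Dec 14 03:10:01 192.168.2.1 kernel: ACCEPT IN=vlan2 OUT=br0 SRC=203.0.113.5 DST=192.168.2.30 PROTO=TCP SPT=51234 DPT=12322 SYN
Dec 14 03:10:07 192.168.2.1 kernel: ACCEPT IN=br0 OUT=vlan2 SRC=192.168.2.15 DST=198.51.100.9 PROTO=TCP SPT=40000 DPT=443 SYN
Dec 14 03:11:40 192.168.2.1 kernel: DROP IN=vlan2 OUT= SRC=203.0.113.77 DST=192.168.2.1 PROTO=TCP SPT=4444 DPT=22 SYN
Dec 14 03:12:02 192.168.2.1 kernel: ACCEPT IN=vlan2 OUT=br0 SRC=203.0.113.77 DST=192.168.2.30 PROTO=UDP SPT=5555 DPT=514
Dec 14 03:12:09 192.168.2.1 kernel: ACCEPT IN=vlan2 OUT=br0 SRC=203.0.113.5 DST=192.168.2.30 PROTO=TCP SPT=51240 DPT=12322 SYN
Dec 14 03:12:30 192.168.2.1 syslog-ng[123]: syslog-ng starting up
"""

LAN = ipaddress.ip_network("192.168.2.0/24")  # router subnet from the page
FORWARDED = {("TCP", 12322)}                   # assumed: the SSH port from the prf's sshargs
LINE_RE = re.compile(
    r"kernel: (?P<verdict>ACCEPT|DROP) .*?IN=(?P<iface>\S*) .*?SRC=(?P<src>\S+) "
    r"DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\S+)(?: .*?DPT=(?P<dpt>\d+))?"
)

def parse_line(line):
    """Return the firewall fields of one log line, or None for non-firewall lines."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["dpt"] = int(rec["dpt"]) if rec["dpt"] else None  # e.g. ICMP has no DPT
    return rec

def inbound_accepts(log_text, lan=LAN, forwarded=FORWARDED):
    """Group accepted connections from outside `lan` by (proto, port).
    Returns (by_port, unexpected): by_port maps (proto, dpt) to sorted sources;
    unexpected lists (proto, dpt, src) for accepted ports not in `forwarded`."""
    by_port, unexpected = defaultdict(set), set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["verdict"] != "ACCEPT":
            continue
        if ipaddress.ip_address(rec["src"]) in lan:
            continue  # LAN-originated traffic is not what this audit is about
        key = (rec["proto"], rec["dpt"])
        by_port[key].add(rec["src"])
        if key not in forwarded:
            unexpected.add((rec["proto"], rec["dpt"], rec["src"]))
    return {k: sorted(v) for k, v in by_port.items()}, sorted(unexpected, key=str)
```

Run it over a real /var/log/messages_YYYY-MM-DD file in place of SAMPLE_LOG; anything in the "unexpected" list is an accepted inbound connection on a port you did not mean to expose, which is exactly what the syslog setup is there to catch.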

Network

I'm a big fan of technologies that make me the "owner" of my hardware, and as such DD-WRT (and others in the family, such as Tomato firmware) strike me as the coolest thing ever. Consequently, I try to buy devices that are supported by open firmware (as far as I know DD-WRT has the broadest support).

I recently purchased what appears to be the best of both worlds - the "TP-Link TL-WR841ND v7", an absolutely dirt-cheap router (less than 30 EUR) that happens to be supported by DD-WRT, and here's the high-level setup:

  • Administration -> Management: Password
  • Setup -> Basic: IP Address (192.168.2.1)
  • Setup -> MAC Address Clone: Set this to a fixed MAC that is the SAME as the sometime-default, because otherwise the WAN mac, and therefore the interim IP address, wavers along the lifetime of the router boot/uptime... (use the default MAC but ending in 2, as this seems to be the pre-cloning MAC)
  • Administration -> Management: Web access - HTTPS only, internal only, no telnet or SSH (except temporarily for backup & upgrade...?)
  • Administration -> Management: Max Ports: 4096
  • Administration -> Management: TCP Timeout: 300 secs (UDP default 120)
  • Wifi
    • Primary "TWireless" with WPA2-PSK-AES, ending in "7"
    • WDS of type "LAN" to AP, defaults
  • DHCP Fixed (list snipped)
  • Port Forwarding (list snipped)
  • QoS
    • Enable, on WAN, default packet scheduler, with uplink & downlink specified.
    • Set the IP Phone MAC address with "Premium" priority (need to "Add" to set the priority)
    • Add a "MiniMac-BT" service for the appropriate port range, apply
    • Select the new "MiniMac-BT" service at "Bulk" priority (means no reservations at all)
  • Dynamic DNS
    • Setting is in Setup -> DDNS
    • I use DynDNS.org - venerable, and as far as I know reliable.
    • I can easily find my dynamic hostname (I frequently forget it) by looking up my internal website hostname on iptools.com - my website hostname is a CNAME entry to my dyndns hostname.
  • SysLog forwarding
    • Enable the syslog option with a server IP (the server defined above) in Services -> Services, "System Log" setting.
    • Enable security logging events, under Security -> Firewall -> Log Management, enable, set to high, and enable "Accepted" to have a record of every accepted connection (and thereby a reasonable audit trail of ports accessed across your network).
  • DNS Spoofing for consistent internal/external hostnames
    • If you need to access a given host the same way internally and externally, the easiest way to set things up is probably to use the "Additional DNSMasq Options" feature in dd-wrt:
      • address=/www.somesite.com/192.168.1.123
      • address=/www.someothersite.com/192.168.1.124
      • SUBJECT TO REVISION - I'm increasingly dissatisfied with this solution, as you generally have little control over the DNS server used. Looking to implement a software-based switch instead, either with different sync profiles, or with HOSTS file updates.
      • (you will want to have multiple public domains/subdomains, one for each internal IP that you need to be able to access - the internal and external ports should be the same, and the external names should all be CNAME entries to a common Dynamic DNS A entry maintained by the router)
      • (this doesn't work with VPN clients that stick a particular DNS server to the top of the lookup order)

Additional parameters that I would have liked to set up, but caused reliability problems (within-network inter-host connectivity failures, WDS connectivity failures, etc):

  • guest "GuestWireless" with WPA2-PSK-AES password on a note on the fridge
    • Setup -> Networking: create "br1" bridge for 192.168.4.1, save/apply
    • Setup -> Networking: create a bridge assignment, "br1" to the virtual wifi interface ("ath0.1")
    • Setup -> Networking: multiple DHCP Server, create "DHCP 0" on "br1" (NOT "ath0.1"), On, defaults.
      • At this point you have a guest SSID and subnet, with internet access, but full cross-talk!
    • Administration -> Commands: Save Firewall script (from http://www.dd-wrt.com/wiki/index.php/Multiple_WLANs):
      iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j DROP
      iptables -I FORWARD -i br0 -o br1 -m state --state NEW -j DROP
      iptables -I FORWARD -i br1 -d `nvram get wan_ipaddr`/`nvram get wan_netmask` -m state --state NEW -j DROP
      iptables -I INPUT -i br1 -m state --state NEW -j DROP
      iptables -I INPUT -i br1 -p udp --dport 67 -j ACCEPT
      iptables -I INPUT -i br1 -p udp --dport 53 -j ACCEPT
      iptables -I INPUT -i br1 -p tcp --dport 53 -j ACCEPT

© 2007-2012 Tao Klerks