
The Lone Geek Blog

One geek in a sea of nerds.


Creating a Home Based Cloud Service


Idea of sorts

For the past few weeks I’ve been poking around a git repository that lists a bunch of self-hosted software, looking for ideas on what to play with on my lab server and maybe keep around. That’s when I came across the “file sharing and synchronization” section and found some software called Pydio.

Pydio

This one was, or is, a bit tricky imo. I started out with a simple Ubuntu VM (4 vCPU, 4GB RAM, 8GB system disk, 20GB data disk) and got it all set up and ready for the application; no biggie.

Attempt 1

I got the application running but ran into a tiny issue fine-tuning the datastores portion so that all my data would be stored on the data disk and not on the system disk. What should have been a simple change of the paths didn’t take: it kept saving data in the original locations and any attempt to remedy that seemed to fail. I can’t seem to get it to cooperate. I’m probably going to wipe the install and mount the data disk at .config/pydio rather than worry about changing the paths within the app itself. That seems like the easier method in my mind.

Attempt 2

Mounted the bigger disk to .config/pydio and now it seems to work. :/ Technology eh?

Derp

Tried to change the URL the application loads from and, well, that just flat out broke it, and I can’t find a way to fix it without reinstalling again. The MySQL database is useless here; the config still points at the server IP (I wanted to use a local DNS name). Oh well. Time to look for another one.

Seafile

Found an alternative to Pydio after a few Google searches. I must say, it was far easier and not nearly as complicated to set up and configure. Just download and run a bash script on a minimal server install. I’ve got it in a VM with 4 vCPUs, 1GB RAM and a 20GB vDisk, and it seems far more responsive than Pydio. I’m not sure what to do with it for now, so I’m going to shut down these two VMs and mess with them at some point in the future.

I’ll probably finish the config with a reverse proxy and set to auto start with the OS.

Conclusion

I’m probably going to delete Pydio and not bother with it anymore. I don’t even understand where it defines the URLs to its various services. I checked the database and the only config file I could find, which was in .config/pydio, and found nothing.

I may use Seafile for something, not sure what. Resilio Sync and Dropbox have served me well for local and remote file synchronization respectively. I just want something I can link my parents to so they can upload things to me without bothering with archives or anything complicated.

The adventure continues!

Isolating Machines Within a LAN


Today, I decided to try creating a single point-to-point connection from a host on my LAN to the pfSense box while at the same time preventing it from connecting to other devices on the LAN. This is not like a VLAN, where you’d have multiple networks on the same wires, but I think it’s similar to how ISPs and some businesses engineer their networks.

I did it by creating a Virtual IP alias on pfSense to serve as the gateway, with a subnet mask of /22, then assigning a second IP on the client with the virtual IP as its gateway and pointing its DNS at that virtual IP as well.

[Screenshots: Windows IPv4 Settings; Windows IPv4 DNS Settings]

I then created aliases to point at the right things: allow rules from the host to pfSense and to specific hosts on the larger LAN, and a general deny rule to prevent the isolated host from connecting to any private IP. Pretty basic stuff.

[Screenshot: Firewall - Isolated IPs]

The goal is to isolate a device while still giving it access to the internet and to approved nodes on the LAN. This is one method I’ve thought of short of replacing all the switches on the network with managed ones and doing VLANs to the different physical devices. I don’t believe this is a foolproof method, since all it would take is some program, or a privileged person with the knowledge, to modify the host’s IP settings and bump it back onto the main LAN. It should work just fine for what I intend to use it for.

I’m curious to see what kind of security risks this poses to the main LAN should an isolated device become infected with something. Some research is required on the matter.

I think the first real-world test will be to assign a computer to the isolated IP for my niece and nephew to use for school work. Maybe I can utilize OpenDNS for content filtering :) and of course grant them unprivileged permissions on the computer. Microsoft has some parental tools for reporting child activity that could be useful.

That’ll be it for now. Until next time, keep geeking out!

The Pfsense Box - Part 2



Time for an update. I think I’ve figured out how stateful firewalls work now. I have 7 networks configured on it: 4 of them leading back to virtual networks on my server, one intended for the wireless network, an OpenVPN network, and the main one is of course my LAN.

The Networks

  • Main LAN - Has access to everything and consists of anything that can’t be placed on a VLAN yet.
  • WLAN - For wireless traffic but likely will be devoted to guest use. Maybe I’ll set up two, each taking a /25 segment.
  • OpenVPN - Not explicitly configured but can access the LAN and LAB_NET when a client connects remotely.
  • DMZ - Intended for one machine or VM at a time. Has no access to any other local network but machines on the Main LAN can access it, mainly for RDP access. I may fine tune the level of incoming access later for just RDP.
  • LAB_NET - For any VMs I don’t want on the LAN but still want access to. VMs here can access preapproved nodes on the LAN and nothing else.
  • WINLAB - For VMs within my Windows Server AD network. Has no outgoing access to anything. It is just set up so I can RDP to the Windows VMs. I need to lock down the incoming ports.

All networks but the WINLAB can access the internet to varying degrees, to be defined later. It took 13 months before I finally learned how to properly configure the firewall to allow all this to work: learning the order of operations, how one rule influences how the next one below it works, and how deny rules placed before an allow rule can block everything except the specific packets you let through, or something like that.

The DMZ can ping and lookup dns on the pfsense box, is denied access to all RFC1918 addresses, and is only permitted outgoing traffic for ports 80 and 443 to the WAN.

The LAB_NET has 3 deny rules to WINLAB, DMZ, and VLAN100, 3 allow rules to 3 nodes on the LAN, and one LAB_NET-to-ANY rule with the destination inverted for the LAN. That blocks all outgoing access to the LAN except the nodes I allow.

The WINLAB has no rules defined so pfsense just blocks traffic originating within the network.

^ That feels redundant but w/e.
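The rule sets above (and the isolated-host rules from the earlier post, which have the same shape) only work because pfSense evaluates rules top-down and stops at the first match. The following evaluator is an added example, not the blog’s or pfSense’s own code; the subnets, the pfSense DMZ address and the three approved LAN nodes are constructed placeholders. It reproduces the DMZ and LAB_NET rule sets as written in the post and shows what happens when the LAB_NET denies are moved below the inverted-LAN rule.

```python
from ipaddress import ip_address, ip_network

# Constructed addressing for illustration only (assumption, not the blog's real subnets).
LAN, DMZ, WINLAB, VLAN100 = (ip_network(n) for n in
    ("192.168.1.0/24", "192.168.2.0/24", "192.168.3.0/24", "192.168.100.0/24"))
RFC1918 = tuple(ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"))
PF_DMZ = ip_network("192.168.2.1/32")            # pfSense's own address on the DMZ leg
LAN_NODES = tuple(ip_network(f"192.168.1.{h}/32") for h in (10, 11, 12))  # 3 approved nodes

def rule(action, proto=None, dst=(), dport=(), invert_dst=False):
    """One firewall rule. dst is a tuple of networks (empty = any); invert_dst
    mirrors the 'not' checkbox on the destination field in pfSense."""
    def matches(p, d, port):
        if proto and p != proto:
            return False
        if dst and any(d in n for n in dst) == invert_dst:
            return False
        if dport and port not in dport:
            return False
        return True
    return (action, matches)

def evaluate(rules, proto, dst, dport=None):
    """pfSense semantics: rules are checked top-down, the first match wins,
    and an interface whose rules match nothing drops the packet."""
    d = ip_address(dst)
    for action, matches in rules:
        if matches(proto, d, dport):
            return action
    return "block"

# DMZ: ping and DNS to pfSense, nothing else on RFC1918, only 80/443 out to the WAN.
DMZ_RULES = [
    rule("pass", proto="icmp", dst=(PF_DMZ,)),
    rule("pass", proto="udp", dst=(PF_DMZ,), dport=(53,)),
    rule("block", dst=RFC1918),
    rule("pass", proto="tcp", dport=(80, 443)),
]

# LAB_NET: three denies, three allowed LAN nodes, then 'any' with destination != LAN.
LAB_RULES = (
    [rule("block", dst=(n,)) for n in (WINLAB, DMZ, VLAN100)]
    + [rule("pass", dst=(n,)) for n in LAN_NODES]
    + [rule("pass", dst=(LAN,), invert_dst=True)]
)

# Same rules with the denies moved to the bottom: the inverted-LAN rule now matches
# WINLAB traffic before any deny is reached, which is the ordering trap described above.
LAB_RULES_DENIES_LAST = LAB_RULES[3:] + LAB_RULES[:3]

WINLAB_RULES = []   # no rules defined, so everything originating in WINLAB is dropped

if __name__ == "__main__":
    print(evaluate(DMZ_RULES, "tcp", "93.184.216.34", 443))            # pass
    print(evaluate(DMZ_RULES, "tcp", "192.168.1.10", 443))             # block
    print(evaluate(LAB_RULES, "tcp", "192.168.3.5", 3389))             # block
    print(evaluate(LAB_RULES_DENIES_LAST, "tcp", "192.168.3.5", 3389)) # pass
```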

Everything is subject to change as I learn more and build on it. I am currently working on a way to grant guest access to the WLAN and looking at getting a Ubiquiti UniFi WAP to replace the two routers turned WAPs, sharing the same SSIDs and passwords and hopefully gaining some much desired wireless performance to boot. Our laptops will need upgrades to their wireless cards but that would be an easy swap.

[Screenshots: Firewall - WAN; Firewall - LAN; Firewall - WLAN; Firewall - DMZ; Firewall - LAB_NET]

Err, small update. I originally wrote this on July 20th and not long after, I managed to break the config of my pfsense box and find out that the SSD I had installed had partially failed to a read-only state. Not even formattable. So I have to resort to using a usb flash drive and recover the lost config to get what I had recently setup back up and running. I still don’t have Suricata, Squid, or pfBlocker running atm as I need to rebuild the configs for them and setup so that they don’t write to my flash drive and kill it. In due time.

I had just configured pfBlocker and was testing and playing with it when I got this wild idea to make /tmp and /var into ramdisks, not realizing that /var held at least a gigabyte of logs from Suricata and roughly 60GB of Squid cache. Welp, the system did NOT like that and refused to boot, and had the SSD been writable I could have easily reverted and recovered the system. The purpose of the ramdisk? To save writes on a disk with over 5TB of writes since I deployed it and only 50GB of reads. Seems backwards, but yeah, bad config.

Now the plan is to deploy the OS on flash media and save logs and cache to a spinning hard drive. I’d probably only need to mount the hard drive at /var and put /tmp in RAM manually in the /etc/fstab file and be set. Perhaps some work in a lab and/or googling might help with this. :)

So um, cheers. Keep hacking the things!

Car Radio for Powered PC Speakers



Here’s a thing I use for sound on my desktop. It’s not a typical set of powered satellite speakers. No, I use a car stereo. Specifically, a Jensen CD6112 that someone gave me. Overall, it’s a good little radio. Any of them will do; the only requirement is an auxiliary input of some kind, 3.5mm or RCA. It sits in a box dad made a long time ago for the purpose of having a home-made weather radio during a severe storm. I re-purposed it several years ago for my computer. It previously had a radio that could tune to the weather channels but only had a cassette player and FM/AM tuners. That worked for a while till the sound quality got annoying, so I installed the Jensen from my old truck that I had no use for. Details I’m not going into.

Anyhow, so I got a box with the radio in it. Now, power is simple. Power comes from a standard 12V 5A brick that is always on. There’s a couple of 40W 3-way satellite speakers for sound, wired to the front channels only of the radio. I have a simple antenna that was originally screwed into the box, just kinda draped across my door frame. It’s been hanging just fine for years.

Audio from the computer runs through a standard 3.5mm cable into a KVM and from there out to the radio’s rear RCA plugs.

The interesting bit, imo, is how I wired it to turn on. First, there is a 5V relay powered by my PC, wired in series with a switch hanging below my secondary monitor. The idea is that when the switch is on, the radio turns on/off with the computer, but I can still turn the radio off while the computer is on. There is a secondary switch in the box that bypasses both the switch and the relay, essentially wired in parallel, in case I want to play the radio without the computer.

And that is that. To me it’s simple setup. :)

Oh, the sound quality is still better than most pre-built setups you’d get in an electronics store imo. That could be just the speakers themselves, but still. They get loud and bassy without the need for any kind of sub. I set the EQ to -2 Treble, +3 Bass.

Cue All About Dat Bass song

Automating Ubuntu 18.04 Installs


Now a month has passed since my last post and Ubuntu 18.04 is almost officially released. It’ll be out on April 26th, 2018. I went ahead and started building a NetBoot ISO. I found a GitHub repository that contained what I needed. The script simply pulls the NetBoot ISO from an Ubuntu mirror of my choice, extracts it, injects my SSH keys, scripts, preseed file, and whatever else I decide to add. Once the build is prepped, it packs everything up into a nice little 58MB ISO file. From there, I boot the ISO, which promptly runs through the preseed file and automatically does everything I configured it to do. Once installed and rebooted, I log in as root with my SSH key assigned to PuTTY or any SSH client, answer a couple of questions from a script I put together from the original repository, and it does some updating and reboots again. The end result is a system ready to do whatever with, with no visible traces that such an install took place. 🙂

The only thing I have to do is answer two questions after its first reboot, for the host name and domain name, then re-login after the 2nd reboot as the user name I chose at ISO build time.

Now my ISOs and preseed files utilize a local APT Proxy on my network with the domain name “fileserver.sanlan” using the APT Cacher package. You can either set one up or rebuild the iso.

I may re-add the local proxy if I can add a trusted root to my images so they can access the proxy securely and have HTTPS repos work. Atm, I must disable the proxy any time a script adds its own secured repo to the install.

The other repository I linked in my other post about Server Automation for Linux produced a full-sized 839MB ISO. This one does everything I need it to do, except it requires the Internet to work, or mainly a connection to the APT proxy I have (had) configured on my local network with all the files preloaded.

Some fine tuning might be needed once Ubuntu 18.04 is officially released, but as of today it’s functional. The only scripts I modified from the original repository were build-iso.sh and preseed.cfg, and I added init-host.sh. I deleted the files for 17.10 since I didn’t need or want them. I may carry my changes for 18.04 over to 16.04 for the heck of it. I edit both files at once.

You can’t say they didn’t get credit. 😛 They made the code, I simply modified it for myself. 😊

Enjoy my fellow nerds! 🖖

Update 2018/09/29: My scripts were updated to use a password file in the repository root with a plain text password (for now) and use the user running the script as the user for the image.

Commented out qemu support in the build-disk.sh scripts and added simple VirtualBox support. The script just creates the vbox file, registers it with the installed VirtualBox instance, creates the disk image and ISO image, then assigns them to the vbox file with a bridged NIC.

System Installation Automation


Over the past 8 months or so, I’ve been playing with my Dell R710. It’s a nice system to play on but it could use some SSDs. One day I shall get some. My last post described a bit about it as it currently stands. This post shall be about what I’ve done as far as creating automated system installs for both Windows and Linux.

Windows Deployment Systems (WDS) + Microsoft Deployment Toolkit (MDT)

I know some people might frown on the idea, but my deployment system resides within my primary Windows Server 2016 lab VM, which also runs AD and TCP/IP routing to an isolated virtual network of things.

It took some time but I managed to build a system that’d prepare a Windows 10 VMware VM from creation to a functional system complete with drivers and a few apps preinstalled. I intend to add more when I think about it and eventually come up with some way to update the installers.

I’m going to include some configs of what I have so far.

The MDT Config lets me set up a VM complete with a select set of apps to do my things. It has so much potential that I’ve yet to explore. In due time I suppose. At present, it just installs vmware drivers specifically for VMs hosted on my ESXi Lab Server; notepad++, 7zip, and Google Chrome can be checked at the preinstall stage for whatever template I choose.

The WDS config is pretty basic. It’ll let me automatically install Windows but that’s it. It took some time to figure out how to build it but it works now. There’s not much it can do on its own; that’s where MDT comes in.

I have used the WDS system to netinstall windows to a physical machine at least once. No more CDs or USB sticks. :)

Unattended Linux Install ISOs

My efforts with Linux were somewhat easier. It took some effort and, with the help of an article I found, I was able to build an ISO that installs Ubuntu Server onto a freshly created VM with OpenSSH Server, nano, and htop, along with a script to change the VM hostname and domain and do other things I configure it to do, like copy my SSH keys from a remote host to the system. :)

I put all the files up on github to share. Unattended Ubuntu Repository

My Lab/Production Environment


This will serve as an update to my lab since I bought it.

The current specs:

  • Dell PowerEdge R710
  • Dual Intel Xeon L5640
  • 64GB DDR3 ECC REG RAM
  • 2x 148GB SAS HDDs in RAID-1
  • 3x 600GB SAS HDDs in RAID-5
  • 1x 500GB SATA HDD in RAID-0

The server received a fan mod, as mentioned here, in my effort to keep its noise at a tolerable level. Now if and when I get some SSDs, I can get rid of the annoying sound the HDD heads make. I may keep them for storage or for scratch space but I don’t want to be hitting them with random I/O as much. That’s the primary cause of the noise.

It still runs VMware ESXi 6.5 and currently has 30 registered VMs. This number fluctuates as I create and delete VMs.

It still has my original Windows Server VM that runs my AD related stuff and WDS+MDT. I have a Windows Server 2012 R2 VM for a currently undetermined purpose beyond testing. A few Linux servers for web development, an FTP server for printer scans, a mail server for… reasons, GitLab and a dedicated GitLab runner VM with its own private network between the two. I’ve played with making an automated Ubuntu Server install ISO that works wonderfully (may blog on that at some point).

There is a standalone Win10 VM I leave running for various purposes. Resource usage is super low so meh. There is a puppetmaster VM that I’ve yet to explore. All of those things are constantly running, though I may kill the puppetmaster till I learn more about it.

As for what’s not constantly running: a domain member server (dmsrv1), dockerlabs to play with Docker, Kali Linux, MS-SQL Server, OPNsense, a pfSense lab, a PowerShell lab, a PXE server (currently unconfigured), SmallWall, a Linux webserver using Webmin+Usermin for the control panel, 3x Windows 10 client VMs for automated install testing, a Win10 development VM to host dev tools, a Win10 Insider VM, a Win10 client for VB Studio (the dev VM and it may have the same tools, I don’t remember), a Win10 Enterprise VM, a Win7 Pro VM, and finally Xubuntu.

[Screenshots: ESXi UI]

My Pfsense Box


[Image: pfSense box]

This is my pfsense box, the dell optiplex 790 computer there. I use it in place of a consumer router since the ones I’ve used in the past would quickly approach their limits. They just couldn’t handle the growing collection of internet connected devices. I have a Netgear WNDR3700v3 and TP-Link W8980v1 serving as Wi-Fi Access Points that used to serve as the home router until they started crashing or dropping connections.

I’ve been using pfSense for about 8 months now. It can be tricky to use at times, but I mainly take advantage of its Unbound service and bandwidth tracking features. I like knowing roughly how much traffic goes in and out of my network. :) Unbound just lets me use custom domain names for local services instead of messing around with port numbers or hosts files. VLAN support could be useful once I learn how to use the firewall to shuffle traffic where I want. When I configure it to pass traffic to/from somewhere, it doesn’t always work. Probably just user error.

The pfSense box has an i5-2400 with 8GB of RAM, a quad-port Intel Gigabit PCI-E slim card, and a SanDisk 120GB SSD. Plenty of resources to do what I want and hopefully last a long time. The SSD doesn’t see very many writes besides periodic logging and Squid caching. Yet the SSD has somehow seen about 2.367TiB of writes but only 26GiB of reads as of this writing. That could have been from me playing with Squid several months ago and collecting, but never using, the cache it saved before ending up deleting it. Oh well, it should have plenty of life. Not like I store a whole lot on it.

[Screenshots: pfSense UI]

PSA: Don't Pull on the Wires!


[Image: frayed cable]

Don’t do this. This is bad. Stop pulling on the flexy bits, take your hands and grasp the hard part and gently remove the cable from your device.

Cables are cheap, yes, but avoiding expensive fires from shorting the wires out and melting things is a whole lot better. Just. Stop it. K?

Migrating From Virtualbox to Hyper-V and Back


Today, I decided to try migrating a few VMs I have on VirtualBox to Hyper-V, and it didn’t go so well. It probably would have worked out kinda ok if I had just done fresh installs, but I went the disk conversion route.

So I converted the virtual disks twice, VDI (Virtualbox’s Default) > VHD (A more universal disk) > VHDX (For Hyper-V). That was fun.

Only to find out that 1) Windows 7 must have been installed wrong on Virtualbox with a SATA controller so I couldn’t get it to boot on Hyper-V no matter what I tried. It kept blue-screening with the error 0x0000007B. I googled it and tried some registry “hacks” to start the IDE service (I think) but it kept failing. To edit the registry, I had to mount the VHD to my windows host and open the system hive in the local registry editor.

That was pointless

That quickly got annoying, so I turned my attention to Windows XP. That worked out a little better as it was installed on VirtualBox with an IDE controller. Got it running under Hyper-V… annnnd hello 800x600 32-bit resolution that maxed out at 1024x768 with the generic drivers Hyper-V (I assume) gave it. It was missing the video drivers and had two unknown devices. I got networking up with the Hyper-V Legacy Network Controller but Windows XP still couldn’t find any drivers.

At that point, I tried to find some sort of driver pack ISO for Hyper-V like VirtualBox has, and no joy. That instantly turned me off Hyper-V, and I deleted everything associated with it and removed the feature from the Windows host. I’d expect this kind of trouble from Linux VMs, but they worked better than the 8+ year old operating systems. Imagine that. Oh well, can’t say I didn’t try. Maybe I’ll try again with Hyper-V on an independent server and not migrate anything older than Windows 8 or Server 2012.

I would have kept Hyper-V itself installed if it didn’t pull virtualization support from the host for Virtualbox to run right. Given the way Hyper-V integrates itself and runs right on the bare metal, below the host OS, I can understand why but still. I would have thought there’d be some sort of VT-X passthru, if that’s technically possible though.

The only things it had going for it were VLAN support on a per-VM or per-physical-NIC basis and auto start/stop of the VMs with the host. Maybe some other time in the future.

I did this on my Dell Precision T3610 Workstation with an Intel Xeon E5-1650 v2, 16GB DDR3 ECC RAM, a secondary Toshiba 128GB SSD with a Samsung EVO 840 128GB SSD primary.

Cheers.