Setting up a RaspPi NAS -- Trying to Navigate the Ecosystem

Context:
I’ve decided to try my hand at setting up my own storage/backup/dropbox file sync server. Since this is going to be babby’s first NAS I figured setting it up on a Raspberry Pi (RPi 4, 2GB RAM) with a USB 3.0 external HDD would be a reasonable place to start.

I understand that this isn’t exactly the most redundant, robust, or reliable implementation of my goals, but this is equal parts an opportunity for me to get my toes wet in something a little deeper than using Ubuntu as a daily driver.

Question:
My plan was to use OpenMediaVault and then figure out how to set up nextCloud/ownCloud (whichever has better guides to be honest). In fact, since I have two Pi’s my plan was to use OMV on one Pi+external combo (treat this one as the NAS) and then set up next/ownCloud on the other Pi with Raspbian (and treat this one as the file sync/dropbox-replacement server).

After reading a few guides it became clear to me that I didn’t really understand what was going on. I was under the impression that OMV was a standalone OS, but it seems many guides describe installing Raspbian (or whatever OS) first, then set up OMV, then set up nextCloud on top/alongside that?

My question is a little open ended, but I was wondering if someone could either describe the software hierarchy in a little more detail or be able to point me into some relevant keywords I can google. Is it (in principle) possible to install OMV directly as the “parent” OS, but just not recommended due to idiosyncratic driver requirements of the Pi? Was I mistaken in thinking OMV is an operating system? Was I correct to assume next/ownCloud are just applications I install within whatever OS I’m working in, or is there some subtlety there as well?

Thanks!

OMV is an application that runs on top of Debian (or a derivative distro). They release it as both a software package you can install on top of an existing Debian install and they also release it as a complete install image, in which case what you get is basically a minimal Debian install with OMV installed on top.

See this:
https://openmediavault.readthedocs.io/en/latest/installation/index.html

Correct, but they are a bit complex to install as normal applications. So often people use the snap package, or run via a prebuilt Docker container.

I can’t speak 100% to ownCloud, since I run Nextcloud, but they do not like having anybody access “their” files. You have to set up an external storage in Nextcloud, in which case they expect you to access the files via other means, but at a cost to performance.

2 Likes

The operating system is the system.
Think about omv as a framework.
Applications are directly independent of omv but can be installed and operated to some extent via omv.

OMV is officially built only on x86 and based on Debian.
Theoretically, OMV does not have an official version for ARM.
Most ARM SBCs are based on an Armbian base and an installer script for OMV.

Armbian does not have a version for raspberry pi and it is unlikely to change.

For installing OMV on raspbian see https://github.com/OpenMediaVault-Plugin-Developers/docs/blob/master/Adden-B-Installing_OMV5_on_an%20R-PI.pdf

Introduction
Installing OMV5 on Raspberry PI OS Lite, using a scripted install, is a relatively easy task. This document is a guide for that purpose.

About this Guide
The purpose and intent of this guide is to provide a walk-through to get Raspberry Pi users (hereafter referred to as an “R-PI”) up and running as quickly and as easily as possible. This guide assumes that users have a working Windows Client for installing and executing the needed utilities. It is also assumed that Mac and Linux desktop users will be able to find, install, and use utilities equivalent to those called out in Prerequisites.

Tutorials on the application and omv, please refer to https://www.youtube.com/c/TechnoDadLife/videos

2 Likes

Here is another link on how to set this up on top of Raspbian/Raspberry Pi OS:
https://github.com/OpenMediaVault-Plugin-Developers/docs/blob/master/Adden-B-Installing_OMV5_on_an%20R-PI.pdf

1 Like

These are all excellent responses! Thanks so much

:smiley:

2 Likes

For future visitors, note that the “wget” command on page 17 of the document linked by Tim & Mastic must use an upper case O following the wget. I think the text might be capitalized in the document, but it’s not super clear with the font typeface/size. Details can be found here: https://github.com/OpenMediaVault-Plugin-Developers/installScript

Otherwise everything else seems to be going smoothly!

2 Likes

Nice one.
I was also thrown off by Pi-hole, which I thought included a stripped-down OS, but found out it doesn’t.

For visitors from the future*, note that the document linked above doesn’t include the step of running “sudo omv-firstaid” after the initial omv installation/reboot. This will repair the broken network connection(s) that you will need in order to log in to your machine via your browser. I don’t know if this step is relevant if you have a direct ethernet connection from your Pi to your router, but I’m forced to connect mine through wlan0, so it was a necessary step to get it working.

A second observation is that my router enables “Set AP Isolated” by default (I understand that at a high level this means something like ‘don’t let devices on the network talk to each other’ – are there any nuances to this that are relevant to network security?). In order to get ssh working & connect to omv via a browser I had to disable this setting. Is there a way around disabling this while still being able to connect to omv?

I’m not very comfortable with networking in general, but I’m aware that being stupid about it can lead to gaping holes in security. I plan to use this box over the internet, and I figured I ought to at least ask about to see what I can do better.

More specifically, I have this vague sense that I should be careful about ports, ssh, etc., but I’m not even sure what words to google in order to uncover the unknown unknowns. I think I’ve covered the obvious things like changing the pi password, omv admin password, encrypting the wifi pass key in ‘wpa_supplicant.conf’, but I’m sure there are some things I’ve missed. Any pointers in the right direction (i.e. words to google) would be greatly appreciated!

Otherwise, I finally managed to get OMV set up on my Pi! Thanks @TheCakeIsNaOH @TimHolus @Mastic_Warrior !

*I’m glad to know that we hadn’t blown ourselves up yet!

1 Like

My bad. I grabbed the link from the Radxa site since they linked to an OMV installation on RPi to use with the SATA hat. Did not realize that the link pointed to the same one that you posted. /funny

This is more useful if you have a public WiFi hotspot, so people that connect are all isolated from each other. Also, it is useful if you have IoT devices, to protect your other devices from the IoT devices.

It is fine to turn it off for devices that you trust on your network.

If it’s due to a lack of ethernet ports on your router, then I would suggest getting a cheap network switch. 10-port gigabit switches can be had new for $20-25 USD. Ethernet is way better than WiFi for this type of thing.

The part you have to be careful about is forwarding ports. Anything forwarded should require a login or other authentication before it is accessible. User+password, public/private keypair, certificate, depending on the type of thing it is. If it is over HTTP, get a certificate from Let’s Encrypt to use HTTPS to encrypt the connection.

The other option is to use a VPN (OpenVPN, WireGuard, etc.) to access your home network like you are at home. Set up the server end on your Pi, and set up the client end on your devices.

For SSH, set up public key based authentication, then disable password login.

For SMB/CIFS and other network shares, for anything remotely sensitive, don’t allow guest access, and for almost everything don’t allow guest write access.

2 Likes

This is perfect! Thank you so much for the detailed response. I’ll get around to finishing this up later in the week but it seems like your outline + the rpi doc page for “securing your pi” will get me where I need to go in order for me to feel maximum comfy.

Edit: Regarding the wifi vs wired connection. The reason is because the actual physical access to the router is in a room that I absolutely hate going in to. The details are complicated and a bit personal but let it be said that (for now) I’m willing to take the catastrophic haircut to its network throughput. We’ll see if this is tolerable in the long-run or not… Since I plan to use the device over the internet there is some logic to not prioritizing any bandwidth over my plan’s cap at about 110Mbps. Incidentally, ~110Mbps seems to be the Pi4’s real-world (5Ghz) wlan0 bandwidth cap according to this article.

(That said, the current location of the pi-duct-taped-to-an-external-hdd-nas is in such a position that it’s only getting ~65Mbps. I can probably be a little more clever with its placement)

1 Like

Do you have any thoughts on changing the default user name? I’m not expecting this to all of a sudden make it impenetrable, but if it’s easy to change from ‘pi’ to something else (without any esoteric drawbacks) then surely it’s at least a non-negative idea?

My primary concern is whether changing it introduces some complexity with the existing system settings (i.e. how the Pi OS interfaces with omv).

You could just prevent SSH login of that user and create a new user that you actually use. I am assuming that you are not very concerned about physical access, but more about digital access.

But if you are allowing only public key authentication to login via SSH, then it does not really matter security-wise, IMO, because you have bigger things to worry about first if someone gets your private key.

1 Like

I am assuming that you are not very concerned about physical access, but more about digital access.

That’s correct. Frankly, the stakes aren’t very high since I’m not storing data that’s fundamentally more sensitive than some muffin recipes. At the moment this whole experiment is mainly just an exercise for/if when I decide to get more serious (it’s already been a very productive exercise as I’m already way more comfy with linux + the cli than when I started).

I haven’t actually installed Nextcloud yet, or made the Pi accessible outside my local network (I think?), but with respect to securing the Pi, I’ve done the following:

  • Changed the default password.
  • Set up 4096-bit key-based authentication.
  • Encrypted the keys with some password.
  • Disabled password logins so that authentication must be done via key pairs.
  • Disabled remote root logins (via ssh).
  • Changed the SSH port to something that’s not 22 (I made sure to look up a quick table of known occupied ports to ensure I don’t pick a port that would conflict with something else).
  • Set up fail2ban to obstruct brute-force SSH attacks. Is the default setting of 3 failed logins within 10 min. = 10 min. ban sufficient? Should I set up jails for other protocols?

I’ve read that it’s recommended to set up a firewall on the Pi (most articles used ufw). From what I can gather it seems that a firewall like ufw is used to outright block ports on the Pi, is this right? I was having trouble configuring ufw when I first tried setting it up. I think I got it working but while it was active I was unable to access the omv network drive on other machines. I unblocked the ssh port + port 80/81/443, but I suspect there is/are other ports that I need to free up? What is a good way for me to find an exhaustive list of ports that I need to enable?

Edit: I’ve read about setting up a DMZ as an intermediate between my network and the internet. This seems intuitively appealing to me, particularly since I could use my second RPi as a dedicated DMZ box (I’m a big fan of modularity!). Is this something worth looking in to? I don’t really understand it beyond that high-level sentence I wrote, but I figure it can’t be significantly more complicated to learn than learning how to set up port forwarding & a firewall without leaving gaping holes exposed.

Edit edit: It seems that the DMZ route is inferior to the original strategy of port forwarding + firewall route (assuming I can do so securely).

That should be fine.

It’s not really needed until you forward the SSH port to the internet, and even then, not super important if you are only allowing key based authentication. If you are getting people trying to log in without having the port forwarded, then you have other issues.

You will also need to unblock the SMB/CIFS port(s): 137, 138, and 445 if I remember correctly.

Look up the port(s) for each service/thing you want to run. So if you want SSH, unblock the SSH port. If you are running the OMV admin panel, unblock its port. Running SMB, unblock the SMB ports, etc.
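Added example, not from this thread or from the OMV project: a small POSIX shell script that audits an `sshd_config` against the hardening checklist discussed in the replies above (key-only authentication, password login off, remote root login off, non-default port) and then emits the ufw rules for the services named in the last few posts (SSH, the OMV web UI, SMB/CIFS). The two config files it checks are constructed samples written to temp files, not real system files; the OMV web UI port (80, plus 443 if HTTPS is enabled) and the inclusion of 139/tcp next to 137/138/445 for SMB are my assumptions about a stock setup, and the keyboard-interactive switch is one I added to the thread's list because it is the other way a password prompt can survive.

```shell
#!/bin/sh
# Added example (not from the thread or OMV): audit sshd_config for the
# settings listed in the thread and print the ufw rules to review.
# Limitations: only the "Keyword value" form is parsed; Match blocks and
# Include files are not followed.

# First uncommented occurrence of a keyword wins, as it does for sshd itself.
sshd_value() {
  awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
    /^[[:space:]]*#/ { next }
    tolower($1) == key { print $2; exit }
  ' "$1"
}

# Returns 0 when every expected setting is present, otherwise the number of
# misses. An unset keyword is a miss: sshd defaults PasswordAuthentication
# to "yes", so "not mentioned" means "still on".
check_sshd_config() {
  conf=$1; misses=0
  for want in "PasswordAuthentication no" "PermitRootLogin no" \
              "PubkeyAuthentication yes" "KbdInteractiveAuthentication no"; do
    key=${want% *}; expected=${want#* }
    actual=$(sshd_value "$conf" "$key")
    # Older configs spell the keyboard-interactive switch differently.
    if [ -z "$actual" ] && [ "$key" = KbdInteractiveAuthentication ]; then
      actual=$(sshd_value "$conf" ChallengeResponseAuthentication)
    fi
    if [ "$actual" = "$expected" ]; then
      echo "ok    $key $actual"
    else
      echo "MISS  $key is '${actual:-unset}', want '$expected'"
      misses=$((misses + 1))
    fi
  done
  port=$(sshd_value "$conf" Port)
  echo "info  sshd port ${port:-22}: allow it in ufw BEFORE enabling the firewall"
  return $misses
}

# Emit (do not apply) ufw rules: SSH on $1 with ufw's built-in rate limit,
# the OMV web UI (assumed 80, 443 if HTTPS was turned on) and SMB/CIFS
# (137/udp, 138/udp, 139/tcp, 445/tcp). Pipe into sh once reviewed.
ufw_rules_for() {
  ssh_port=${1:-22}
  echo "ufw limit ${ssh_port}/tcp"
  for p in 80/tcp 443/tcp 137/udp 138/udp 139/tcp 445/tcp; do
    echo "ufw allow $p"
  done
}

# Constructed sample configs (not from any real machine) to exercise the audit.
HARDENED_CONF=$(mktemp); WEAK_CONF=$(mktemp)
cat > "$HARDENED_CONF" <<'EOF'
# sample: hardened as described in the thread
Port 2222
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin no
EOF
cat > "$WEAK_CONF" <<'EOF'
# sample: stock-looking config, password login still effectively on
#PasswordAuthentication no
PermitRootLogin prohibit-password
EOF

echo "== hardened sample =="; check_sshd_config "$HARDENED_CONF" || echo "($? misses)"
echo "== weak sample ==";     check_sshd_config "$WEAK_CONF"     || echo "($? misses)"
echo "== ufw rules for the hardened sample =="
ufw_rules_for "$(sshd_value "$HARDENED_CONF" Port)"
```

Run it against the real file with `check_sshd_config /etc/ssh/sshd_config` after sourcing the script; the weak sample shows why a commented-out `#PasswordAuthentication no` line gives no protection, and the `info` line is the step that locked the poster above out of the OMV share: allow the SSH and SMB ports before `ufw enable`, not after.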