Enter the Server – Part Three

HP Microserver Gen 8

Still on the Gen 8 topic, here’s the lowdown on some questions I was asked:

  • File Sharing – I’m using regular Windows FS in a workgroup environment.
  • Backup – I was using a multitude of solutions for backup here at home: my PC had Backblaze backing up to the cloud, my wife’s PC had Veeam Endpoint Backup backing up for a network share. The QNAP was backing up to a USB HDD. Now I’m changing everything to Crashplan. The Gen8 will backup to the cloud via Crashplan and my PC as well as my wife’s will backup to the Gen 8 via Crashplan client.
  • Plex – Plex Server on the G8. I’m using Chromecast in my living room as a Plex client when I need to watch something served by Plex. Sometimes I use Rasplex as well on my Raspberry PI 2.
  • Private Cloud – BitTorrent Sync – they have clients for every major supported OS and mobile OS. Great to sync everything without having your files stored in a service like Dropbox or MEGA.
  • Download Management – uTorrent
  • SFTP Server – Bitvise SSH Server Personal Edition – Free for personal use. Very very good SSH server with lots of options and customization.
  • VPN Server – Windows Server VPN service.

Enter the Server – Part Two

HP Proliant MicroServers Gen 8

Yes, there is a kit with 3 exchangeable faceplates for the Gen8.

After I got the Gen 8, it was testing time. I knew the roles I wanted for my new server:

  • File Sharing
  • Backup
  • Plex
  • Private Cloud
  • Download Management
  • SFTP Server
  • VPN Server

When the hardware arrived I had to improvise a bit, since the budget I had, was not enough for the “perfect configuration”, so I had to settle with what I bought and with what I already had.

The “perfect configuration” I mentioned before would be IMHO, to upgrade the CPU for a Intel Xeon E3-1265LV2, 16GB of RAM, 4x 4TB WD RED, a 250GB SSD for the OS or a 64GB Micro SD to boot VMWare ESXi, running an entire virtualized solution.

The bundled CPU is a Celeron G1610T, and it’s not very powerful (2 cores @ 2.3 GHz) to run VMs, but enough to run the roles I had in mind. I just needed a few more gigs of RAM and my father got me an 8GB DIMM he had laying arround that luckily was compatible with the Gen8.

So from 2GB I was now sporting 10GB of RAM which, BTW, helps a lot with the HP B120i Controller. It’s not a great controller, but for the price I don’t think it could get better. Still, if you want, there’s a PCI-E expansion slot inside the server that you can use to add another controller (or anything else).

As for the storage, I got 2x 3TB WD Red drives, I managed to scavenge some WD Green drives I had lying around. So, my current storage configuration is:

  • 1 TB drive for the OS
  • 2 TB drive for laptop backups, guest file sharing, private cloud and downloads
  • 2 x 3TB drives in RAID 1 for the main storage (photos, documents, movies, tv series, music, etc…)

As for the OS, I tried a few. FreeNAS was the first. It resembled a lot of the NAS OSs you can find in regular NAS, but a bit behind QNAP and Synology OSs. It’s very powerful and robust, it’s based on FreeBSD, but the configuration is not very user-friendly. The Plex server configuration didn’t go as smooth as it should. Still, it’s on my top 10.

Second was CentOS 7. It all ran smoothly, with an exception (very big exception that also happened with FreeNAS): the Gen8 has only on big fan for the entire system. With CentOS, the fan would not lower from 16% and the temperature sensors on the server ILO reported temperature a bit higher than expected. This is probably related with how CentOS handles the Gen8 ACPI or some drivers… either way, I didn’t have time or the patience to look for a solution.

For Synology fans, there’s also a hack of the Synology OS for X86 machines – XPEnology – but maybe because I was trying to install and boot it from the MicroSD, I didn’t have success installing it 🙁 Also, it seemed a bit too much of a hack and by then I was trying to use the Gen 8 as a full server and not just as a NAS.

I then realized that I had my Technet copy of Windows Server 2012 R2 unused 🙂 and like I work with W2k12 on a daily basis… why the hell not?

Every piece of software I need is available on Windows. As an added layer of data protection, online backup plans like Crashplan and Backblaze also run on Windows (still Backblaze doesn’t run on Windows Server or Linux). HP drivers usually are very well optimized for Windows Server, so I went ahead.

The setup was very smooth. After I installed the OS, I ran the Service Pack DVD with the latest drivers and firmware from HP and some Windows Updates later, I noticed that the temperature readings dropped a lot compared with CentOS 7. When idle, the fan doesn’t go beyond 7% even when my office is at the peak of the heat and I don’t have Air Conditioning over here, just a window. The server is very silent, and notice, that my QNAP NAS was fanless!

So, now I have my Gen8 running all the services and roles I need. Is it perfect? No, not yet, there’s still room for improvement. Perhaps when I have the time and money I might try to carry out more and transform this into a VMWare server. Right now the most important for me is that I got full fledge server that suits my needs, cheaper than a NAS, and you can’t beat a good deal like that 😀

Tips for the Gen 8
  • The best site you can go to for info on the Gen8, is this forum on the HomeServerShow site. The info they have there is precious and it was a deal breaker for me when I was considering to buy the Gen8.
  • The Gen8 has a micro sd slot on the board that you can use to boot OSs like VMWare ESXi and FreeNAS. If you don’t want to use it to boot the OS, you can still use it to keep files normally. Get a 64GB or more MicroSD and you got another storage place on your Gen 8.
  • The entry-level Gen8 I got does not come with an optical drive. Although you can get one, with all the USB ports on the server, you can boot anything from a USB pen or HDD. Besides that, you still have the virtual drives on the ILO.  Skip the optical drive and get an SSD to put there instead and boot the OS.

Feel free to ask me anything about the Gen 8, here in the comments on Twitter. I’ll be glad to share more info on this with you.

Update: Here’s part three.

Enter the Server – Part One

Qnap-TS 119

I had a QNAP TS-119 unit as my home NAS for as long as six years. It worked very well until recently it began to corrupt the OS data in the HDD as well as the USB HDD connected to the unit for backup.

Even with a new HDD fitted in the unit and several clean firmware updates, after a few months, the NAS would show a lot of errors in the logs, regarding the HDD. SMART checks and other tests a like didn’t show any problems with the HDD…

This and the fact that the NAS was a one bay model really got me worried about loosing data and so, I began searching for a replacement.

My requisites were simple:

  • two or four bays
  • RAID capable
  • gigabit networking
  • at least one USB 3.0 port
  • a decent CPU
  • 2GB of RAM to run some processes
  • a decent price 😛

I first looked at QNAP and Synology, since they make the best NAS models in my opinion. Both OSs are Linux-based with a lot of functionalities, applications and stuff geeks like me love to play with.

At the end of the day, a NAS is nothing more than a server, a little dumbed down on the hardware. QNAP and Synology have good hardware and their OSs make most of it giving the user the ability to run applications and services like you would on a normal server… it’s a bit limited but it’s useful and cool.

Nowadays, having a NAS at home provides you with a personal cloud, since most brands have their own personal cloud service embedded in the NAS OS. Still you can always install your own options, like a VPN, SFTP server, HTTP/HTTP server, BT Sync, etc…

But I digress… looking at the NAS models from QNAP and Synology that would fit my needs, I suddenly found a pattern… they were all too expensive for my budget. I still needed to buy two WD Red 3GB drives for the new NAS, and this would bring the total up to more than I wanted to spend.

I looked at another brands like Western Digital and Netgear, but I found that their OSs were rather limited comparing to QNAP and Synology. All that apps, bells and whistles I mentioned before were not available entirely in these brands OS.

HP Proliant Microserver Gen 8

That’s when a friend of mine sent me a link for an HP Proliant Microserver Gen 8. The HP Microserver Gen8 is the follow-up model to HP’s Gen 7, which was talked a lot because of the form factor and the HP MediaSmart Server that it replaced.

The Gen8 (for now on) was released in 2014 and it had a lot of advantages compared to a NAS: the entry-level model, with a Intel Celeron G1610T, 2GB RAM, 2 Gigabit ports, one ILO port, several USB ports (some of them 3.0) and four HDD bays (!) would cost me about 250 Eur. With that price I could only get a two bay entry-level NAS from QNAP or Synology and this was a full fledge server, I could run anything I wanted there with almost no limitations.

So you guess right, this was a no brainer, I got the Gen8 and I’ll tell you more about this awesome micro server in part 2.

Security Woes

Crackers are always on the lookout for new chances to access your accounts, either if you’re a private / regular internet user, or a multinational corporation like Sony who recently fell victim to several attacks affecting their flagship console, the PS3, and their Playstation Network.

It began when their PS3 private keys, that sign all data transactions and operations, got public. I won’t digress here, you can find a lot of info on Google, just look for GeoHot / Sony. The latest attack to the PSN has managed a downtime of a week by the time I’m writing this, and only today Sony has come forth with a press release on this issue, as well as a FAQ, saying that all their entire PSN user base got their data compromised, including Credit Card data.

I’m yet to believe that Sony hasn’t released the full extent of the information about the attack, so for now there are three crucial steps that PSN users should follow:

 

  • If you’re using the PSN password in any other service / account, change it. Change it everywhere. You are probably using the same email address you used on the compromised PSN account.
  • Change the password of the email address you used on your PSN account.
  • Change your credit card number, or cancel the card and get a new one. If you can’t do this, be on the lookout for strange credit card transactions and never, ever, release the confirmation code to anyone. Sony states that the cc confirmation code wasn’t stored on their database.

Read the FAQ, they have more info there, but follow these three steps and when the PSN is up again, change your password for something unique, not used on any other account / service and remove your credit card number from the account.

 

Still on Security

With the advent of social networking and connected services, we’ve witnessed a lot of centralized authentication methods. It’s now usual for us to access services that use other site’s accounts to authenticate, like “Login with Facebook” or “Authorize on Twitter”.

This can be very useful because you don’t have to memorize a ton of different passwords but, if you see your Facebook, Twitter or Google account compromised, all those services using “third-party” authentication will be compromised as well… so what to do?

 

  • Use strong passwords. Having a password like your birthday date is not secure. Having your pet name, girlfriend, mom, dad, favorite actor is not secure. Any dictionary word is not secure. Use random stuff with numbers, signs, uppercase and lower case, like “1M4ecur3!?”
  • Use a password manager like 1Password for Mac or Keepass Password Safe for PC. Not only you’ll have an encrypted and organized password safe, but these apps can also generate random passwords.
  • Use HTTPS always when possible. This will encrypt your traffic to these sites. Twitter, Google, Facebook, all of them have HTTPS options, you just have to go to your account settings and turn it on. Facebook can even warn you by email and SMS when other devices accesses your account. Google has a 2 Step Authorization process for your account, using verification codes and an app for your mobile device that works like a token, giving you real-time generated verification codes.
  • Don’t use free Wi-Fi. Sure, it’s cool to use a free hotspot, but you never know who’s listening. People using free Wi-Fi are exposed to virus and password sniffing. This can happen in your neighbors unprotected Wi-Fi or even your school’s network.
  • The usual crap: use a secure OS. Mac OS X and Linux are secure by nature. If you must use Windows, turn on the system’s firewall and get another one, as well as an AntiVirus. Be sure that they’re always updated.
  • Don’t trust your passwords to anyone.

Remember, even with all these precautions you’re never totally safe.

 

Still on Squid integration with Active Directory

I wrote a post a few months ago explaining briefly how to integrate a Squid proxy with a Microsoft Windows Active Directory.

While with Windows XP and Vista the single sign on works flawlessly, with Windows 7 it needs a little tweak.

You’ll need to change your a GPO on your AD:

Computer configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options

Find “Network Security: LAN MANAGER Authentication Level”
Set it to “Send LM * NTLM – use NTLMv2 session security if negotiated”

This happens because Squid uses NTLMv2 after version 2.6 but it is Negotiated NTLMv2, rather than
straight NTLMv2 (dunno why). Windows 7 refuses to negotiate by default and accepts only NTLMv2.

You might come across with other issues in some apps like having to authenticate manually, Dropbox is one example but there may be others.

As usual, do this at your own risk!

Integrating Squid with Active Directory

Recently I needed to integrate a Squid Proxy server in an Active Directory environment. The main objective was to grant / deny access to the Internet by user / group validation, using single sign on.

The solution might not be the most elegant, but it’s a working one. You’ll need to install the Kerberos, Samba, Squid and NTP packages.

In this solution will be allowing all users in the InternetOn AD group to have access automatically. Any users outside this group will be denied access. Computers outside the AD trying to use the proxy will be prompt for username and password. This is a simple way of keeping access restricted to certain groups without an unnecessary amount of fuss, whether you’re managing the office computers at http://www.partycasino.com/ or building a school network.

krb5.conf

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = YOURDOMAIN
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
forwardable = yes
[realms]
YOURDOMAIN = {
kdc = yourpdc
admin_server = yourpdc
default_domain = YOURDOMAIN
kpasswd_server = yourpdc
}
[domain_realm]
.yourdomain = yourdomain
[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}

#####################################################

smb.conf

[global]
workgroup = YOURDOMAIN
server string = SQUIDPROXY (or any other name you want)
security = ADS
auth methods = winbind
encrypt passwords = yes
idmap uid = 70001-90000
winbind enum users = yes
winbind gid = 70001-90000
winbind enum groups = yes
client use spnego = yes
winbind separator = \\
load printers = yes
cups options = raw
log file = /var/log/samba/%m.log
max log size = 50
password server = yourpdcIP
realm = YOURDOMAIN
dns proxy = no
[homes]
comment = Home Directories
browseable = no
writable = yes

[printers]
comment = All Printers
path = /usr/spool/samba
browseable = no
guest ok = no
writable = no
printable = yes

#####################################################

squid.conf

http_port 8080
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
hosts_file /etc/hosts
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
access_log /var/log/squid/access.log squid
emulate_httpd_log on
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 5
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
external_acl_type ADS %LOGIN /usr/lib/squid/wbinfo_group.pl
acl interneton external ADS InternetOn

acl blocksites url_regex "/etc/squid/squid-block.acl"
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563 # https, snews
acl SSL_ports port 873 # rsync
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # waisacl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 631 # cups
acl Safe_ports port 873 # rsync
acl Safe_ports port 901 # SWAT
acl purge method PURGE
acl CONNECT method CONNECT
acl AuthorizedUsers proxy_auth REQUIRED
http_access deny blocksites
http_access allow interneton
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access deny all
http_reply_access allow all
icp_access allow all
coredump_dir /var/spool/squid

#####################################################

Start samba, winbind and squid by this order.

Synchronize your squid server with the AD

ntpdate yourprimarydomaincontroller

Initialise Kerberos

kinit administrator@YOURDOMAIN

Test Kerberos connection

klist

Join Squid Server to AD

net ads join -S yourpdc -U administrator

Validate Trust

wbinfo -t

Validate if the wbinfo_group.pl script is working

echo "youralloweduser InternetOn" | /usr/lib/squid/wbinfo_group.pl -d
(it returns OK or ERR if the user is in the InternetOn group or not)

You might have some problems with the winbindd_privileged directory. If that’s the case:

cd /var/cache/samba
chgrp squid winbindd_privileged
chmod 750 winbindd_privileged

The problem with this setup is that when you change the InternetOn members, Samba / Winbind aren’t aware of the change until the cache clears, so I made a small script you can run in cron or manually.

clearcache.sh

#!/bin/bash
/etc/init.d/smb stop
/etc/init.d/winbind stop
rm -f /var/cache/samba/*.tdb
/etc/init.d/smb start
/etc/init.d/winbind start
/etc/init.d/squid reload

Test this at your own risk. 🙂

Asus EEE PC 1008 HA SeaShell

Asus EEE PC 1008HA

Until a few weeks ago, the netbook market / scene was a bit of a unknown thing to me. I lacked the information mainly because I was never attracted to small notebooks and netbooks felt into that “class”.

What made me change my mind? Well, my wife often mentioned she would like to have a smaller notebook than her 15.4″ Dell to take to school. That and a trip we made this vacation 🙂 I needed to take a computer and my 17″ Macbook Pro was out of the question since I would need it to check maps, info and e-mail on the go. So, a few days before this trip we went to take a look on the local Vobis / Worten and evaluated the offer.

The Asus EEE PC 1008HA was indeed the most balanced of them all, taking in perspective what we both needed: a light netbook. I was still split between the Asus and an Aspire One, but the Asus had Wifi N and a bigger hard drive, not to mention the screen quality that is amazing.

But enought chit chat, here’s my take and notes on the Asus 1008HA:

Pros

  • Very light, only weights 1.1 Kg
  • Stylish design, similar to a MacBook Air
  • 160Gb HD
  • WiFi Draft N and Bluetooth v2.1
  • Functional Keyboard
  • Multitouch Touchpad
  • 6 hours unplugged computing with Super Hybrid Engine (Asus’s energy managment app)

Cons

  • Plastic sheel feels cheap and fragile in some areas
  • Windows XP bundle
  • Non Removable Battery
  • No easy access to RAM and HD
  • 1.1 Mpixel Webcam has a crappy framerate

The Netbook behaved very well on the go, the battery time is amazing and it seems to last forever, and it’s a good thing because there’s no way to use a second battery. Due to the Seashell design, Asus limited all the expansion on the machine. The battery is not user removable neither is the RAM or HD. To replace these three components you need to disassemble the machine.

One of my frustrations was that there was no bundle with Linux, Asus seems to be kissing Microsoft’s ass again with Netbooks, so the first thing I did after getting home from the trip was to try to find a decent operating system for the Netbook. The candidates were:

  1. Windows 7
  2. Fedora 11
  3. Jolicloud
  4. Ubuntu Netbook Remix

Windows 7 installed very well, the only problem I had was with the ACPI and graphics card. Flashing the 1008HA with the latest bios solved the latest problem, and the other one was solved with a hacked ACPI driver I found on the web. There are still no Asus drivers for Windows 7 but the ones the system installs work rather well. The problem with 7 is that with a default configuration it ran slower than XP, consuming a hefty 450Mb of RAM without no other application loaded. Oh and it was slow as hell to boot. So, on to the next.

Fedora 11 looked beautiful for the first 5 minutes. It all seemed to work out of the box, even wireless and it booted rather fast from the CD I was using. One of the first problems I noticed was that the it wasn’t optimized for netbooks, Gnome dialog boxes were huge and often the OK / Cancel buttons were offscreen. When I tried to install it to the hard drive it failed afer creating the partitions and exited the installation program, leaving me with a damaged installation. I might try it another time but for now… next!

I was very eager to try Jolicloud but the alpha is still invitation only, and since no one on the Interwebs was kind enought to send me an invite, I only managed to try the OS without the cloud part… It seemed like a heavily modified Ubuntu Netbook Remix. It worked very well out of the box and the eye candy is very cool. Sadly for me the most interesting part of this system is the cloud… so, on to the next one.

Enter Ubuntu Netbook Remix, a netbook oriented Ubuntu, which seems to be the most common base of a boatload of netbook linux distros. I installed UNR 9.04 and guess what? Wireless and Ethernet didn’t work. It was Google time and I finally found this guy’s post on the 1008HA and exactly the same problem I had. Three commands and a reboot and Networking is back, my luck is that I also had an USB Ethernet adpter that UNR immediately recognized. After taking it for a quick spin, it seems I found a suitable OS for this netbook.

Of couse I’m not stoping here, as I’m writing this I’m installing UNR 9.10 Alpha to check if there are some significant improvements over 9.04. After that I’ll probably try another 2 or 3 distros, but I think it will be hard to surpass UNR 9.04. Unfortunately not everything works with UNR as well as it works with Windows XP, since there are no Asus drivers for Linux either. So don’t count with some keyboard combos and the Super Hybrid Engine on Linux, at least for now.

Ending this loooong post: The more I play with this netbook the more I wish that Apple would release a netbook or a smaller version of the Air (still I wouldn’t mind having an Air). I think that once you go Mac it’s hard to look back.

Notes

To get wireless working on UNR 9.04:

sudo apt-get update

Reboot

then:

sudo apt-get upgrade

Reboot

sudo apt-get install linux-backports-modules-jaunty

Reboot only needed after modules installation. (Thanks Tiago!)

There’s a big step…

…between saying and actually doing it…. time will tell.

[tags]Microsoft[/tags]

Tagged:

Microsoft’s new Linux Bashing Site

As if the famous “Get the Facts” website wasn’t completely stupid and biased, MS presents us with another Linux Hate website, this time called WindowsServer/Compare.

In this new site, MS mainly compares the Windows Server Platform to Linux, Unix and Mainframe environments as well as providing some case studies… it’s “Get the Facts” part 2, but this time they have use Novell (their partners) as a comparing term… the “middle guy”, the “not so bad Linux” because the main target is definitely Red Hat. A site to see and read, even that is just for the laughs.

[tags]Microsoft, Linux, Novell, Red Hat, Windows Server[/tags]

Rotten Apple

Some times old habits can’t die… the main reason they get old is probably because they are good habits in the first place. I just got home from a friends birthday dinner, we spend some time in his office because he wanted to show me his new PC running Windows Vista Ultimate. This was my first Wow experience, Microsoft really did good this time. Everything in Vista is so fluid, so well designed, the improvements over XP are amazing. I just regret having this Macbook Pro now when I could have a superior PC running Vista… looks like this is the time to finally format my Mac, and install Boot Camp with Vista on it. Screw Mac OS X, I want the bubbles screensaver now!

[tags]Microsoft, Windows, Windows Vista, April Fools[/tags]

Next Page »