
Tuesday, 29 April 2014

Secure your NAS with a trusted certificate

With all the security buzz around Heartbleed I decided to secure my QNAP NAS just a little more, so I reconfigured it to only allow SSL connections.

However, because I have a twisted mind, I just couldn’t live with the browser complaints about using an untrusted certificate... I had a quest... :)

Step 1: Buy yourself a certificate

Since I was not willing to pay a lot of money to fulfil my needs, I ended up at SSLs.com (https://www.ssls.com/), where I could buy a certificate for only $4.99 a year.

So I bought myself a certificate.

Note: there is only one thing you have to know before you buy a certificate: you need an approver email address on the domain the certificate is for. Most often this means that you have to be the owner of the domain linked to your certificate.

Here’s an example: if you want to buy a certificate for qnap.example.com the approver email has to be one of the following:

  • admin@example.com
  • administrator@example.com
  • hostmaster@example.com
  • postmaster@example.com
  • webmaster@example.com

If you have access to the approver email you can just go on and buy yourself a certificate.

Step 2: Get your keys

The next step is to generate a private key and a signing request. The easiest way to do this is with openssl:

    openssl req -nodes -newkey rsa:2048 -keyout qnap.key -out qnap.csr

When openssl prompts for the Common Name, enter the hostname the certificate is for (qnap.example.com in this example). The command produces two files:

  • qnap.key: your private key (as the name says, keep it private!)
  • qnap.csr: your Certificate Signing Request

Step 3: Activate your certificate

Activate your certificate by submitting your CSR to the merchant where you bought it.

  • To copy your CSR to the clipboard (on a Mac):

    pbcopy < qnap.csr
    

Step 4: Add your trusted certificate to your NAS

Once your CSR has been approved you get two new certificates in return: a Web Server CERTIFICATE and an INTERMEDIATE CA.

All that is left to do is to add the certificate to your QNAP NAS:

    ssh admin@qnap.host

    vim /etc/stunnel/stunnel.pem

Note: you can find a cheat sheet on how to use vim here.

Add your private key and certificates to this file in the following order:

  • first your private key
  • then your Web Server CERTIFICATE
  • then your INTERMEDIATE CA

    -----BEGIN RSA PRIVATE KEY-----
    [characters]
    -----END RSA PRIVATE KEY-----
    -----BEGIN CERTIFICATE-----
    [characters]
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    [characters]
    -----END CERTIFICATE-----
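A wrong block order or a placeholder left in stunnel.pem is the usual reason the NAS still serves an untrusted or broken chain after this step. The following checker is an added example (not from the post) that parses a PEM bundle and verifies the layout described above: one private key first, then at least two CERTIFICATE blocks, each with a real base64 body. The sample bundles are constructed dummy data.

```python
import re

# One PEM block; the label is captured so the block order can be checked.
PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z ]+)-----\s*(?P<body>.*?)\s*-----END (?P=label)-----",
    re.DOTALL)
BASE64_BODY = re.compile(r"[A-Za-z0-9+/=\s]+")
KEY_LABELS = {"RSA PRIVATE KEY", "PRIVATE KEY", "EC PRIVATE KEY"}

def check_stunnel_pem(text, min_certs=2):
    """Check the layout the post describes (key, server cert, intermediate CA).
    Returns a list of problems; an empty list means the layout is right."""
    blocks = list(PEM_BLOCK.finditer(text))
    if not blocks:
        return ["no PEM blocks found"]
    labels = [m.group("label") for m in blocks]
    problems = []
    if labels[0] not in KEY_LABELS:
        problems.append("first block must be the private key, got " + labels[0])
    if sum(1 for lab in labels if lab in KEY_LABELS) != 1:
        problems.append("exactly one private key block expected")
    if labels.count("CERTIFICATE") < min_certs:
        problems.append("expected %d CERTIFICATE blocks (server + intermediate), found %d"
                        % (min_certs, labels.count("CERTIFICATE")))
    for n, m in enumerate(blocks, 1):
        if not BASE64_BODY.fullmatch(m.group("body")):
            problems.append("block %d (%s) is not base64; placeholder left in?"
                            % (n, m.group("label")))
    return problems

# Constructed sample bundles: the base64 is dummy data, not a real key or cert.
GOOD_PEM = """-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEA
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIDdzCCAl+gAwIB
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIDdzCCAl+gAwIB
-----END CERTIFICATE-----
"""
# Key in the wrong place, one certificate missing and a placeholder left in.
BAD_PEM = """-----BEGIN CERTIFICATE-----
MIIDdzCCAl+gAwIB
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
[characters]
-----END RSA PRIVATE KEY-----
"""
```

Run `check_stunnel_pem(open("/etc/stunnel/stunnel.pem").read())` on the NAS; an empty list means the file has the expected shape (it does not prove the key matches the certificate, which `openssl` can check).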

You can now safely go to: https://qnap.example.com

Update your Domain Name (DNS) with a Dynamic IP and Amazon Route 53

Note: works also on a QNAP NAS

  • Install Python and pip (for QNAP you can find a how-to here).
  • Install the required libraries
    $ curl -o boto-2.27.0.tar.gz https://pypi.python.org/packages/source/b/boto/boto-2.27.0.tar.gz#md5=47a4d81554380b21d85005f91d12a585 -k
    
    $ pip install boto-2.27.0.tar.gz
    
    $ curl -o dnspython.zip  https://pypi.python.org/packages/source/d/dnspython/dnspython-1.11.1.zip#md5=5829130ed557d6f2e1c3ca9ed01d337a -k
    
    $ pip install dnspython.zip
    
  • Configure boto
    $ touch /etc/boto.cfg
    $ vim /etc/boto.cfg
    

    Add the following lines to boto.cfg:

    [Credentials]
    aws_access_key_id = <your_access_key_here>
    aws_secret_access_key = <your_secret_key_here>
    

    Note: you can find a cheatsheet on how to use vim here.

  • Install the script to update your DNS. The script is also available on Github here.
    $ cd /share/MD0_DATA
    $ mkdir scripts
    $ cd scripts
    
    $ curl -o dyndns_route53.py  https://gist.githubusercontent.com/glnds/11352999/raw/7958f754f4422ca09a8e338f231101cd845a31e3/dyndns_route53.py -k
    
  • Configure the script
    $ vim dyndns_route53.py
    
    • Change the following lines (more info about Amazon Hosted Zones is available here):
      # Settings, Change me!
      HOSTED_ZONE = 'ZXQU10000001'
      DOMAIN_NAME = 'home.mydomain.com'
      
    • Change the file permissions:
      $ chmod +x dyndns_route53.py
      
    • Test the script:
      $ ./dyndns_route53.py
      
  • Run your update script every 5 minutes

    $ vim /etc/config/crontab
    
    • Add the following line:

      */5 * * * * /share/MD0_DATA/scripts/dyndns_route53.py
      
    • Restart cron and reboot

      $ /etc/init.d/crond.sh restart
      $ reboot
      

Note: there seems to be a script on the QNAP NAS just to retrieve your WAN IP; it is located at /etc/init.d/get_external_ip.sh.
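The decision logic behind such a cron job, as an added example that is not the gist's code: validate the text the IP-lookup service returned (a captive-portal page or a LAN address must never be written into DNS), compare it with the zone's current A record, and only then build a Route 53 ChangeBatch in the API's UPSERT shape. DOMAIN_NAME and TTL mirror the settings the post tells you to edit; the record set and lookup replies are constructed sample data.

```python
import ipaddress

# Assumed settings, mirroring the ones the post tells you to edit in the gist.
DOMAIN_NAME = "home.mydomain.com"
TTL = 300
# Ranges that can never be a usable WAN address (private, loopback, link-local,
# CGNAT, multicast/reserved); a reply inside them means the lookup went wrong.
NOT_PUBLIC = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3")]

def parse_wan_ip(reply):
    """Validate what the IP-lookup service returned; return the dotted IPv4
    string or None (HTML error page, empty reply, LAN address behind NAT)."""
    try:
        ip = ipaddress.IPv4Address(reply.strip())
    except ValueError:
        return None
    return None if any(ip in net for net in NOT_PUBLIC) else str(ip)

def current_a_record(record_sets, name):
    """IP held by the A record for name (Route 53-style record set dicts),
    or None when the record does not exist yet."""
    fqdn = name.rstrip(".") + "."
    for rrset in record_sets:
        if rrset["Name"] == fqdn and rrset["Type"] == "A":
            return rrset["ResourceRecords"][0]["Value"]
    return None

def plan_change(record_sets, wan_reply, name=DOMAIN_NAME, ttl=TTL):
    """Decide what a cron run should do. Returns (status, change_batch); the
    batch is None unless an UPSERT is really needed, so nothing else touches the zone."""
    wan_ip = parse_wan_ip(wan_reply)
    if wan_ip is None:
        return "skip: lookup did not return a public IPv4 address", None
    if current_a_record(record_sets, name) == wan_ip:
        return "unchanged: %s already points at %s" % (name, wan_ip), None
    batch = {"Changes": [{"Action": "UPSERT", "ResourceRecordSet": {
        "Name": name.rstrip(".") + ".", "Type": "A", "TTL": ttl,
        "ResourceRecords": [{"Value": wan_ip}]}}]}
    return "update: %s -> %s" % (name, wan_ip), batch

# Constructed sample data: the zone's current record set and lookup replies.
SAMPLE_RECORDS = [{"Name": "home.mydomain.com.", "Type": "A", "TTL": 300,
                   "ResourceRecords": [{"Value": "203.0.113.10"}]}]

if __name__ == "__main__":
    for reply in ("203.0.113.10", "203.0.113.77", "192.168.1.2", "<html>"):
        print(plan_change(SAMPLE_RECORDS, reply)[0])
```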

Install Python pip on QNAP NAS

  • QNAP Model: TS-439 Pro II
  • CPU: Intel(R) Atom(TM)

Setup procedures

  • Install Python from the QNAP App Center (this should be the easiest way).
  • Access your NAS through SSH, e.g. ssh admin@192.168.1.2
  • Install setuptools
    $ wget https://pypi.python.org/packages/source/s/setuptools/setuptools-3.4.4.tar.gz --no-check-certificate
    $ tar xf setuptools-3.4.4.tar.gz
    $ cd setuptools-3.4.4
    $ python setup.py build
    $ python setup.py install
    
  • Install pip
    $ curl -O https://pypi.python.org/packages/source/p/pip/pip-1.5.4.tar.gz -k
    $ tar xf pip-1.5.4.tar.gz
    $ cd pip-1.5.4
    $ python setup.py install
    
  • Add symbolic links
    $ vim /share/MD0_DATA/.qpkg/Python/python.sh
    

    Note: you can find a cheatsheet on how to use vim here.

    Insert the following two statements under the “#create symbolic links” section:

    /bin/ln -sf ${QPKG_BASE}/.qpkg/Python/bin/pip /usr/bin/pip
    /bin/ln -sf ${QPKG_BASE}/.qpkg/Python/bin/pip2.7 /usr/bin/pip2.7
    

    Save and exit.

    /share/MD0_DATA/.qpkg/Python/python.sh restart
    

SSL error when using pip

When running pip install you’ll get the following SSL error (visible when you run pip with the -v option):

SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

Workaround: Install libraries manually

Example:

  • Download the archive:
    curl -o boto-2.27.0.tar.gz https://pypi.python.org/packages/source/b/boto/boto-2.27.0.tar.gz#md5=47a4d81554380b21d85005f91d12a585 -k
    
  • Install the archive:
    pip install boto-2.27.0.tar.gz
    

Sunday, 13 April 2014

Clang error installing Ansible on Mac

Installing the latest version of Ansible on Mac should be very easy when using pip. However, when I tried to do this on my Mac with the most recent versions of all software, I got the following error during install:

clang: error: unknown argument: '-mno-fused-madd'

The problem seems to be the latest (5.1) version of Xcode, whose clang treats unknown command-line arguments as errors.

The workaround is quite simple, run the pip command with the following prefix:

ARCHFLAGS=-Wno-error=unused-command-line-argument-hard-error-in-future sudo pip install ansible

Run pip this way and your Ansible install will work like a charm again.