Hackviking He killed Chuck Norris, he ruled dancing so he took up a new hobby…

5 May 2016

WD NAS: Enable FTPS

Sending unencrypted FTP across the internet is a bad idea! You send your credentials in plain text, compromising access security as well as the data you're sending. My My Book Live Duo has, as most NAS products, support for unencrypted FTP. Since it's based on vsftpd it's only a matter of configuration to turn it into a much more secure FTPS implementation instead. In this post I'm using my Western Digital My Book Live Duo, but this is applicable to most Western Digital NAS products and many other brands as well.

Enable SSH

First of all we need to enable SSH to get access to more configuration options for the FTP service. By accessing http://{WD IP-address}/UI/ssh you will see a screen where you can enable SSH access and get the root password.


After this we can connect to the Live Duo via SSH. I recommend that the first thing you do is change the root password; use the passwd command to accomplish this.

Create certificate

The My Book Live Duo, and probably most of the other models as well (since they share much of the firmware), already has openssl installed, which we can use to create the certificate. First we create a folder for the certificates and then generate them. I generate both a 2048-bit and a 4096-bit key since I want to test the performance difference (see below). You should not use a 1024-bit key length since that has been proven to be weak and can be broken.

mkdir /etc/ssl/ftp
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/ftp/vsftpd_2048.key -out /etc/ssl/ftp/vsftpd_2048.pem
openssl req -x509 -nodes -days 365 -newkey rsa:4096 -keyout /etc/ssl/ftp/vsftpd_4096.key -out /etc/ssl/ftp/vsftpd_4096.pem

You will be asked a bunch of questions about location and other details. You can more or less put in whatever you like: since this is a self-signed certificate it will never be automatically trusted by clients anyway, so the information is pretty much irrelevant.

Configure FTP (vsftpd)

The My Book Live Duo already has an FTP service that you can enable from the UI. It uses vsftpd, which supports SSL and TLS (which is what we want to use here) as long as OpenSSL is available on the box, and apparently it is since we just generated the certificates with it. First we make a copy of the original config file for safekeeping and then open it for editing.

cp /etc/vsftpd.conf /etc/vsftpd.conf.bak
nano /etc/vsftpd.conf

At the end of the file we add:

#SSL CONF
rsa_cert_file=/etc/ssl/ftp/vsftpd_2048.pem
rsa_private_key_file=/etc/ssl/ftp/vsftpd_2048.key

ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES

ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO

require_ssl_reuse=NO
ssl_ciphers=HIGH

Then CTRL + O to save and CTRL + X to exit nano. Then we restart the FTP service.

/etc/init.d/vsftpd restart
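As an added check (example code, not part of the original post), the script below parses a vsftpd.conf and reports which of the settings above are missing or weak, so you can confirm that plaintext logins and transfers are really refused before exposing the port. Both config samples are constructed for the example; the second mimics a stock config with no SSL block at all.

```python
REQUIRED = {
    "ssl_enable": "YES",
    "force_local_logins_ssl": "YES",  # credentials never sent in the clear
    "force_local_data_ssl": "YES",    # transfers never sent in the clear
    "allow_anon_ssl": "NO",
    "ssl_sslv2": "NO",                # SSLv2/SSLv3 are broken; refuse them
    "ssl_sslv3": "NO",
}

def parse_vsftpd_conf(text):
    """Return {key: value} from vsftpd.conf text, ignoring comments and blanks."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings

def ftps_findings(text):
    """Return human-readable problems; an empty list means the config is hardened."""
    conf = parse_vsftpd_conf(text)
    findings = []
    for key, wanted in REQUIRED.items():
        actual = conf.get(key)
        if actual is None:
            findings.append(f"{key} is not set (vsftpd default applies)")
        elif actual.upper() != wanted:
            findings.append(f"{key}={actual}, expected {wanted}")
    if conf.get("ssl_enable", "").upper() == "YES":
        for key in ("rsa_cert_file", "rsa_private_key_file"):
            if key not in conf:
                findings.append(f"{key} missing although ssl_enable=YES")
    return findings

# Constructed sample: the SSL part of the block this post appends to /etc/vsftpd.conf.
HARDENED = """#SSL CONF
rsa_cert_file=/etc/ssl/ftp/vsftpd_2048.pem
rsa_private_key_file=/etc/ssl/ftp/vsftpd_2048.key
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_sslv2=NO
ssl_sslv3=NO
"""

# Constructed sample: a stock config that still accepts plaintext logins.
PLAINTEXT = "listen=YES\nlocal_enable=YES\nwrite_enable=YES\n"
```

Run it against the real file with `ftps_findings(open("/etc/vsftpd.conf").read())` after editing and again after any firmware update.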


Now you can try it from FileZilla, or whatever client software you like that supports FTPS. In FileZilla you will get a certificate warning where you can see the additional information you put in when you created the certificate.

Performance - 2048 vs 4096

The first run with the configuration above gave me around 8.9MiB/s transfer speed and the CPU of the My Book Live Duo was at around 89%. I changed the certificates to the 4096-bit ones, restarted the service and tried again. I got more or less the same numbers with the larger key, so the CPU is not the bottleneck for the throughput. At the same time I'm not running any other services besides the SMB shares on this device.

Make backup of the config file

cp /etc/vsftpd.conf* /shares/Backup/

The backup is good to have if a firmware update changes the config file back. I have tried enabling and disabling the FTP service and that at least doesn't affect the configuration.

7 Mar 2016

Odroid: First setup

If you have set up a Raspberry Pi in the past the Odroid will not be a problem. It is a little more hands-on and requires a little more effort than the Raspberry Pi. Here is a quick guide on how to get your Odroid up and running. In this example I use an old Odroid-C1 that I found in one of my drawers.

Download image

First you need to download an image for your SD card (or eMMC module, which is supported by Odroid). The Hardkernel download page has all the available images. Then use SD Formatter and Win32DiskImager to get the image onto the SD card. When you first boot your Odroid you will notice that it doesn't give HDMI output, as opposed to the Raspberry Pi. You will need to connect it to your network and make sure you have a router or similar running a DHCP server. Once you see the IP in the DHCP list you can go ahead and use PuTTY to SSH into it. The default username is root and the default password is odroid.

Initial config

The first thing you want to do is change the default root password by running passwd. Now you have a much more secure box than before. The Raspberry Pi ships with a config script that you can use to make your basic config; the Odroid doesn't. I did however find a great script called odroid-utility written by Mauro Ribeiro, who actually seems to be an employee of Hardkernel. The script is open sourced on GitHub and gives you more or less the same capabilities as the Raspberry Pi config script. Since it's not shipped with the image we need to download it. Make sure that your Odroid has an internet connection and run the following:

sudo -s
wget -O /usr/local/bin/odroid-utility.sh https://raw.githubusercontent.com/mdrjr/odroid-utility/master/odroid-utility.sh
chmod +x /usr/local/bin/odroid-utility.sh
odroid-utility.sh


It gives you the ability to do basic configuration like HDMI settings, resizing the root partition and changing the hostname. You can also update the kernel with this tool. Each time you run the script it updates itself, so once you have downloaded it you can be sure you have the latest release.

Update your system

After all this just do a basic package upgrade and your Odroid is ready for use.

sudo apt-get update
sudo apt-get upgrade

Timezone

This one is really important for some implementations, since an incorrect date and time can break some setups.

sudo dpkg-reconfigure tzdata

16 Feb 2016

Raspberry PI: Central kodi database

When you run more than one Kodi device with a shared media repository you should also run a shared library. With a shared library you only need to update the library on one of the Kodi devices when new media is added. There are a few other great benefits of running a shared library, like the ability to stop media on one device and continue watching on another. It will also show what has been watched regardless of which device you actually watched it on. I run OpenELEC on Raspberry Pis for all my media stations, so this guide is focused on a Raspberry Pi implementation, but the principle is the same for all devices capable of running Kodi and MySQL.

Preparations

Download the latest Raspbian image from https://www.raspberrypi.org/downloads/raspbian/ and put it on an SD card with Win32DiskImager. Then put the SD card in the Raspberry Pi and power it on. You can connect a monitor, mouse and keyboard for the initial setup. I usually just wait for it to boot up, check my router's DHCP list for it to show up and connect to it over SSH. This article is based on SSH terminal access, but you can do the same on the Pi with a connected monitor.

Basic setup of the Raspberry Pi

First we need to configure the Raspberry Pi. Connect over SSH and log in as pi with the password raspberry. We want to:

sudo raspi-config
  • Expand Filesystem - Expand the pi file system to use the entire SD-card.
  • Change User Password - Change the default raspberry password for the pi user.
  • Boot Options - Select B1 Console - Text console, requiring user to login
  • Advanced - Some additional settings
    • Hostname - Select a hostname for your pi. I use PISRV
    • Memory Split - Set to 16 since we will not use a monitor or run any other graphics on this machine.
  • Finish - Exit the raspi-config and reboot.

When the Pi has booted up again we can log in with the new password we configured. When in the console run:

sudo apt-get update

Update the package lists from all the repositories.

sudo apt-get dist-upgrade

Upgrade all installed packages.

Install MySQL

Install MySQL server. It will ask you to select a root password.

sudo apt-get install mysql-server

We need to be able to access the MySQL server from other locations than localhost. Open up the MySQL config file.

sudo nano /etc/mysql/my.cnf

And change:

bind-address = 127.0.0.1

To:

bind-address = 0.0.0.0

Then restart the MySQL server.

sudo /etc/init.d/mysql restart

Setup the databases

Now we need to set up the databases for our video and music library. Log in to MySQL; you will be prompted for your password.

mysql -uroot -p

Whatever you do, don't create any databases. Kodi will use the name that we supply later, but only as a prefix; it will add an additional identifier. We need to create a user for the Kodi machines. You can use whatever username and password you like, but once again make a note of it.

CREATE USER 'kodi' IDENTIFIED BY 'password';

The first time Kodi connects it needs to be able to create its databases, so we need to grant the account full access. We will lock that down later to secure our MySQL if we want to use it for other things than Kodi as well.

GRANT ALL ON *.* TO 'kodi';

Test to connect to the database from another machine. Either via MySQL command line tool, the same we used on the Pi, or download MySQL Workbench and test the connection. If all is working just type quit and press enter to return to the main shell.

Setup kodi

Then we need to make a backup of our current media library. I'm using OpenELEC but most Kodi versions should be the same. In the Kodi UI go to System/Settings -> Video -> Library and select Export library. If you don't see the last options, make sure that Settings options is set to Advanced in the lower left corner of the screen. Select Multiple files; this will create .nfo files alongside all the media files. I already use this setup since I scan all my libraries with local information only. This is by far the safest way to migrate your library, otherwise you have to scrape all the media again. So if you use local information only on your scrapes you're good to go. Otherwise do the export!

Now we need to setup Kodi to use the MySQL server. Connect to the Kodi with SSH, username and password depends on the distribution you used to install your Kodi. The location of the userdata folder also varies from different distributions. I have one XBMC installed on a Raspberry Pi where the path is /home/pi/.kodi/userdata. On the OpenELEC installs I'm doing this for the userdata folder is located in /storage/.kodi/userdata/.

When you have found the folder you need to create a file named advancedsettings.xml. You can also do this via an SMB share if that is enabled on your Kodi machine. I prefer to do it over SSH to prevent any encoding issues. If you want to you can try it out by browsing to \\{ip of kodi}\userdata.

sudo nano advancedsettings.xml

In this file we will put the configuration for accessing our MySQL server.

<advancedsettings>
  <videodatabase>
    <type>mysql</type>
    <host>{IP address or FQDN of your MySQL server}</host>
    <port>3306</port>
    <name>{prefix of your db name, I used kodi_video}</name>
    <user>kodi</user>
    <pass>{password you selected}</pass>
  </videodatabase>
  <musicdatabase>
    <type>mysql</type>
    <host>{IP address or FQDN of your MySQL server}</host>
    <port>3306</port>
    <name>{prefix of your db name, I used kodi_music}</name>
    <user>kodi</user>
    <pass>{password you selected}</pass>
  </musicdatabase>
  <videolibrary>
    <importwatchedstate>true</importwatchedstate>
    <importresumepoint>true</importresumepoint>
  </videolibrary>
</advancedsettings>

Save the file and reboot your Kodi machine. Depending on the distribution you may need to do sudo reboot. Once it comes back up you can scan your locations again; it will use the local .nfo files you already had or the ones created during your export.
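A malformed advancedsettings.xml is not applied by Kodi, so it would quietly keep using its local SQLite library instead of the shared MySQL one. The checker below (an added example, not part of the original post) verifies the file is well-formed and that both database sections are complete before you reboot; the sample XML is constructed, with a placeholder host and password.

```python
import xml.etree.ElementTree as ET

# Children every <videodatabase>/<musicdatabase> element needs for MySQL.
DB_FIELDS = ("type", "host", "port", "name", "user", "pass")

def check_advancedsettings(xml_text):
    """Return problems found in advancedsettings.xml text; [] means it is usable.

    Well-formedness is checked first (a file Kodi cannot parse is not applied),
    then each database section is checked for completeness.
    """
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if root.tag != "advancedsettings":
        return [f"root element is <{root.tag}>, expected <advancedsettings>"]
    problems = []
    for section in ("videodatabase", "musicdatabase"):
        db = root.find(section)
        if db is None:
            problems.append(f"<{section}> missing")
            continue
        for field in DB_FIELDS:
            if not (db.findtext(field) or "").strip():
                problems.append(f"<{section}> has no <{field}>")
        if db.findtext("type", "").strip() != "mysql":
            problems.append(f"<{section}> type is not mysql")
        if not db.findtext("port", "").strip().isdigit():
            problems.append(f"<{section}> port is not numeric")
    return problems

# Constructed sample; host and password are placeholders, not real values.
GOOD = """<advancedsettings>
  <videodatabase>
    <type>mysql</type><host>192.0.2.10</host><port>3306</port>
    <name>kodi_video</name><user>kodi</user><pass>example</pass>
  </videodatabase>
  <musicdatabase>
    <type>mysql</type><host>192.0.2.10</host><port>3306</port>
    <name>kodi_music</name><user>kodi</user><pass>example</pass>
  </musicdatabase>
</advancedsettings>"""

# The same file with </user> mistyped as >/user>, a typo that is easy to miss.
BROKEN = GOOD.replace("<user>kodi</user>", "<user>kodi>/user>", 1)
```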

Securing MySQL again

We don't want the kodi MySQL user to have full access going forward. If you're not using your MySQL for anything else then you can leave it be, but I want to secure mine. So back to the SSH console on the MySQL server.

mysql -uroot -p

You will once again be prompted for your MySQL root password and then dropped into the MySQL console. So now we check the name of the databases.

mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| kodi_music52       |
| kodi_video93       |
| mysql              |
| performance_schema |
+--------------------+
5 rows in set (0.00 sec)

So we have the kodi_ databases named after the <name> parameter in our advancedsettings.xml. Now we revoke all the access we gave the kodi account.

REVOKE ALL PRIVILEGES, GRANT OPTION FROM 'kodi';

And then only grant it full access to the two kodi_ databases.

GRANT ALL ON `kodi%`.* TO 'kodi';
flush privileges;

Setting up the other Kodi

Once all this is up and running, setting up the second one is really easy. If you enabled SMB shares on OpenELEC like I did you just connect to the first Kodi like \\kodi\UserData and copy advancedsettings.xml and sources.xml to the other Kodi's UserData share. If you don't have SMB enabled you have to edit the files via SSH.


11 Feb 2016

AWS EC2 Linux: Enable SSH password logon

Amazon AWS EC2 instances are by default secured with SSH key pairs. This is great for security until you need to provide a UAT duplicate for an external user or developer. You don't want to share your private key with them, and setting up a new one is more work than this quick fix. Security isn't as important on a UAT or test system as it is on a production system, so for this use case we can go for lower security.

To let users log in with a password we first need to set one on the ec2-user account. It's highly recommended that you select a strong password!

sudo passwd ec2-user

Then we need to allow password-only connections. Edit the SSH daemon settings, find the line PasswordAuthentication no and change it to PasswordAuthentication yes.

sudo nano /etc/ssh/sshd_config

Then we need to restart the ssh service.

sudo service sshd restart

Now you can log in to your Amazon AWS EC2 instance with only a password. To secure the server again just change the PasswordAuthentication line back to no.
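Editing sshd_config by hand is error-prone because sshd honours the first PasswordAuthentication line it sees and many images ship a commented-out copy above the active one. The helper below (an added example, not from the original post) flips the directive in the global section only, leaving any Match blocks alone, and reports the value sshd will actually use; the config excerpt is constructed for the example.

```python
import re

# Matches the directive whether it is active or commented out (#PasswordAuthentication).
DIRECTIVE = re.compile(r"^\s*#?\s*PasswordAuthentication\s+(\S+)", re.IGNORECASE)

def _is_match_block(line):
    """True once sshd_config enters a Match block; directives there are conditional."""
    return line.lstrip().lower().startswith("match")

def effective_password_auth(text):
    """Value sshd will use globally: the first active directive wins, default is yes."""
    for line in text.splitlines():
        if _is_match_block(line):
            break
        m = DIRECTIVE.match(line)
        if m and not line.lstrip().startswith("#"):
            return m.group(1).lower()
    return "yes"

def set_password_auth(text, enabled):
    """Return the config with PasswordAuthentication forced to yes/no globally.

    The first copy (active or commented) is rewritten, later global copies are
    dropped so only one unambiguous line remains, and Match blocks are left
    untouched.
    """
    wanted = "PasswordAuthentication " + ("yes" if enabled else "no")
    out, done, in_match = [], False, False
    for line in text.splitlines():
        in_match = in_match or _is_match_block(line)
        if not in_match and DIRECTIVE.match(line):
            if not done:
                out.append(wanted)
                done = True
            continue
        out.append(line)
    if not done:  # no directive at all: add one ahead of any Match block
        idx = next((i for i, l in enumerate(out) if _is_match_block(l)), len(out))
        out.insert(idx, wanted)
    return "\n".join(out) + "\n"

# Constructed sshd_config excerpt in the shape the post describes.
SAMPLE = """Port 22
#PasswordAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
Match User admin
    X11Forwarding no
"""
```

After writing the result back to /etc/ssh/sshd_config, run `sshd -t` to syntax-check it before restarting the service, and use the same helper with enabled=False to revert when the UAT exercise is over.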