General NAS-Central Forums


All times are UTC

PostPosted: Thu Sep 11, 2014 4:54 pm 

Joined: Thu Sep 11, 2014 4:00 am
Posts: 1
Location: Finland
I have been setting up NSA-325v2 (fw 4.70) for automatically pulling in backups from a hosted web server. I also set up the built in logs to record any issues detected in my scripts, and to email me if needed. I thought that I'd share the logging setup and also how to set up gmail (or virtually any other email) to work with the logs when the default SMTP port 25 is blocked by your ISP. I did not find documentation for these elsewhere.

Setting up outgoing email to use TLS and port 465

The web interface does not allow the admin to specify a port (nor set up TLS security) for outgoing email. Outgoing email uses port 25 by default. Many ISPs block that outgoing port. You can still use Google mail if you configure the port manually to 465 and the connection to use TLS security. The username and mail server information can and should be set via the web interface at Maintenance->Log page and under Report config. The configuration is in the file /etc/msmtprc, but a reboot (or changing any mail server parameters) will overwrite the file and lose all our changes. We can use cron from the Tweaks zypkg http://zyxel.nas-central.org/wiki/3rd_party_zypkgs#Tweaks to counter that as described below. NSA uses msmtp http://msmtp.sourceforge.net/ as the mail client.

Steps:

Log in as root via telnet.

Add the following script to a file, for example to /i-data/md0/admin/enable_emailTLS.sh

Code:
#!/bin/sh
# Prepend our TLS defaults to msmtp's config. The heredoc body below is the
# text that gets prepended; the existing /etc/msmtprc follows it.
cat <<EOF | cat - /etc/msmtprc > /etc/msmtprc.tmp; mv /etc/msmtprc.tmp /etc/msmtprc; chmod 0600 /etc/msmtprc
defaults
port 465
tls on
tls_starttls off
tls_certcheck off
EOF

This will prepend our default connection parameters to the configuration file. It sets the mail server connection to use port 465 and to use TLS security and to skip server certificate validation. Google mail will accept these.

Change file permissions for the script
Code:
chmod u+x /i-data/md0/admin/enable_emailTLS.sh

To get our settings restored after a reboot, add this line to the cron setting on the Tweaks configuration web page to make Tweaks call our script at reboot.
Code:
@reboot /i-data/md0/admin/enable_emailTLS.sh

You can also run the script manually, but just once between each reboot.

An easy way to test is to go to the Maintenance->Log page and under Report config->Report setting activate email alert. Now if you try to log in to the web interface with a wrong username/password it will be logged as an alert and the system will send an email.


Using logging in shell scripts

You can add entries to the Maintenance->Log page and create alerts that will trigger email notifications.

The command for that is

Code:
zylogger -s source -p priority -f facility logstring...

For example
Code:
zylogger -s 31 -p 1 -f 0  Alert message test

will produce a backup alert in the log. Or
Code:
zylogger -s 31 -p 6 -f 0  Info message test

will produce a backup info message.

I did not find any documentation for this, but with some experimenting I found out how to use it.

The source parameter specifies the class that is shown on the log page.
The values that produce an entry in the log are listed below.
Code:
0 default
1 content-filter
2 content-filter-forward
3 user
4 myzyxel-dot-com
5 zysh
6 idp
9 file-manage
10 app-patrol
11 ike
12 ipsec
13 firewall
14 sessions-limit
16 policy-route
18 system
19 connectivity-check
20 device-ha
21 routing-protocol
22 nat
23 pki
24 interface
25 account
26 port-grouping
27 force.auth
28 storage
29 share
30 application
31 backup
32 autoupload
33 action-log


The priority parameter is the severity that is shown on the log. Severity value "alert" will trigger an email.
priority (Severity):
Code:
0 emerg
1 alert
2 crit
3 error
4 warn
5 notice
6 info


The log does not show anything that corresponds to the facility parameter, so I did not find out the values for that. But some value must be specified.

I will be happy to hear if anyone has more information.


PostPosted: Mon Mar 20, 2017 9:21 pm 

Joined: Sun Mar 12, 2017 8:45 pm
Posts: 1
Thanks a lot for the help!!

I have added these lines to /etc/msmtprc
Code:
  port 465
  tls on
  tls_starttls off
  tls_certcheck off


The script doesn't work...

Code:
root@NSA325-v2:~# /i-data/md0/admin/enable_emailTLS.sh
-sh: enable_emailTLS.sh: not found
root@NSA325-v2:~# cd /i-data/md0/admin/
root@NSA325-v2:/i-data/85642451/admin# ls
download            zy-pkgs
enable_emailTLS.sh  zyfw
root@NSA325-v2:/i-data/85642451/admin#

root@NSA325-v2:/i-data/85642451/admin# /i-data/85642451/admin/enable_emailTLS.sh
-sh: /i-data/85642451/admin/enable_emailTLS.sh: not found
root@NSA325-v2:/i-data/85642451/admin#


Any ideas?
Was anyone else successful?


PostPosted: Mon Sep 18, 2017 6:08 pm 

Joined: Sun Mar 31, 2013 10:07 am
Posts: 68
Thanks jari. Great post. Nice and easy to make any script log and send email. Exactly what I wanted! Thanks


PostPosted: Tue Sep 19, 2017 7:13 am 

Joined: Sun Apr 29, 2012 5:24 pm
Posts: 2303
Imho, for using TLS safely you need to specify the path to a file containing the certificates of trusted Certification Authorities. Quote from http://msmtp.sourceforge.net/doc/msmtp.html#TLS-commands
Quote:
‘tls [(on|off)]’
Enable or disable TLS (also known as SSL) for secured connections. You also need ‘tls_trust_file’ or ‘tls_fingerprint’, and for some servers you may need to disable ‘tls_starttls’.

Quote:
‘tls_trust_file [file]’
Activate server certificate verification using a list of trusted Certification Authorities (CAs). The file must be in PEM format. Some systems provide a system-wide default file, e.g. /etc/ssl/certs/ca-certificates.crt on Debian-based systems with the ‘ca-certificates’ package. An empty argument disables this. You should also use ‘tls_crl_file’.

Besides:
Quote:
‘tls_certcheck [(on|off)]’
Enable or disable checks of the server certificate.
WARNING: When the checks are disabled, TLS sessions will be vulnerable to man-in-the-middle attacks!

There is also a default msmtp configuration file available to check, focusing on the TLS connection:
http://msmtp.sourceforge.net/doc/msmtprc.txt

CA certificates, extracted from Mozilla, are available worldwide on the curl developers' site:
Code:
curl --remote-name --time-cond cacert.pem https://curl.haxx.se/ca/cacert.pem


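As an added example (not code from this thread, from jari, or from the NAS firmware), the script below combines the enable_emailTLS.sh approach from the first post with the tls_trust_file setting from the msmtp manual quoted above: it prepends the defaults block only if a marker comment is not already present (so it can be rerun between reboots without stacking duplicate blocks), keeps server certificate checking on by pointing msmtp at a CA bundle instead of setting tls_certcheck off, and reports what it did through zylogger using the source (31, backup) and priority values from the first post. The CA bundle path /i-data/md0/admin/cacert.pem and the marker text are assumptions for this example; the bundle would be the cacert.pem fetched with the curl command above.

```shell
#!/bin/sh
# Added example, not part of the original thread or firmware.
# Idempotently prepend msmtp TLS defaults to a config file and log the
# outcome with zylogger. Assumptions: the CA bundle path below is chosen
# for this example; zylogger is only invoked if it exists on the system.

MSMTPRC="${MSMTPRC:-/etc/msmtprc}"
CA_FILE="${CA_FILE:-/i-data/md0/admin/cacert.pem}"   # assumed location
MARKER="# enable_emailTLS managed block"              # assumed marker text

# Emit the defaults block. Certificate checking stays enabled (msmtp's
# default) and is anchored to the CA bundle given as $1 via tls_trust_file.
msmtp_tls_block() {
    cat <<EOF
$MARKER
defaults
port 465
tls on
tls_starttls off
tls_trust_file $1
EOF
}

# Prepend the block to the config file $1 using CA bundle $2, unless the
# marker is already there. Returns 0 when written, 1 when left unchanged.
apply_tls_defaults() {
    rc="$1"; ca="$2"
    if grep -qF "$MARKER" "$rc" 2>/dev/null; then
        return 1
    fi
    out="$rc.tmp"
    { msmtp_tls_block "$ca"; [ -f "$rc" ] && cat "$rc"; true; } > "$out"
    mv "$out" "$rc"
    chmod 0600 "$rc"   # msmtprc holds the mail password; owner-only access
    return 0
}

# Map a severity name to the zylogger -p value from the first post's table.
zylog_priority() {
    case "$1" in
        emerg) echo 0 ;; alert) echo 1 ;; crit) echo 2 ;; error) echo 3 ;;
        warn) echo 4 ;; notice) echo 5 ;; info) echo 6 ;;
        *) return 1 ;;
    esac
}

# Write to the NAS log page under source 31 (backup). "alert" triggers the
# email report; "info" is just recorded. Falls back to stderr off the NAS.
nas_log() {
    sev="$1"; shift
    p=$(zylog_priority "$sev") || return 1
    if command -v zylogger >/dev/null 2>&1; then
        zylogger -s 31 -p "$p" -f 0 "$@"
    else
        echo "[$sev] $*" >&2
    fi
}

main() {
    if [ ! -r "$CA_FILE" ]; then
        # Refuse to configure TLS without a trust anchor, and make it visible.
        nas_log alert "msmtp TLS setup skipped: CA bundle $CA_FILE missing"
        return 1
    fi
    if apply_tls_defaults "$MSMTPRC" "$CA_FILE"; then
        nas_log info "msmtp TLS defaults written to $MSMTPRC"
    else
        nas_log info "msmtp TLS defaults already present in $MSMTPRC"
    fi
}

# Run main only when executed as the script itself (e.g. from the Tweaks
# @reboot cron line), not when the functions are sourced for testing.
case "$0" in */enable_emailTLS.sh|enable_emailTLS.sh) main ;; esac
```

Saved as /i-data/md0/admin/enable_emailTLS.sh and called from the same @reboot line as in the first post, it behaves like the original script except that a second run is a no-op and msmtp will refuse to send through a server whose certificate does not chain to the bundle; if the bundle is missing, the failure shows up as an alert on the Maintenance->Log page rather than as a silently weakened mail configuration.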