General NAS-Central Forums
PostPosted: Tue Dec 02, 2014 7:17 pm 
Hi all,

Recently I had the privilege to configure a Medion NAS P89631 for somebody.
The only problem I had with the device, was the lack of security for setting up a safe FTP solution.

With some research on the webs, I managed to secure it just fine using SSH keys and SFTP.
For those interested in how I did it, I've made some sort of English how-to manual.

It also contains some links for reference, I hope this is not a problem for the board admins.
Here goes:

********************************************************************************
Install Dropbear on Medion NAS Version Life P89631:

Prerequisites:
- Knowledge of the Medion NAS manual and options
- Access to the backdoor of the NAS
- General knowledge of Telnet, Putty and SSH
- Dropbear and SFTP software
- Knowledge of tarring/zipping files
- General knowledge of Linux will come in handy

Useful links:
http://zyxel.nas-central.org/wiki/Telnet_backdoor
http://www.ualberta.ca/CNS/RESEARCH/LinuxClusters/pka-putty.html
http://kb.site5.com/shell-access-ssh/how-to-generate-ssh-keys-and-connect-to-your-account-with-putty
http://www.mikrocontroller.net/articles/P89626/dropbear
http://manpages.ubuntu.com/manpages/lucid/man8/dropbear.8.html

How this document works:
Lines starting with a $ character are command lines, which you will need to enter in the Telnet and/or Putty prompt of the NAS. Type only the text AFTER the $ character.
If you have a different version of the Medion NAS, some paths and folders may differ from what is written here. Keep that in mind.

Installing Dropbear:
Download the following debian package:
https://packages.debian.org/squeeze/armel/dropbear/download

Extract the data.tar file from the dropbear_0.52-5+squeeze1_armel.deb package and again extract the following files from the tar archive:
- usr\sbin\dropbear COPY TO /i-data/Z1F4Y7V4/admin/bin/dropbear
- usr\sbin\dropbearkey COPY TO /i-data/Z1F4Y7V4/admin/bin/dropbearkey

Settings:
- Log in on the Medion NAS (http://<ip-of-NAS>)
- Go to NAS via Telnet (http://<ip-of-NAS>/r38939,/adv,/cgi-bin/remote_help-cgi?type=backdoor)
- Make both files executable
$ cd /i-data/Z1F4Y7V4/admin/bin/
$ chmod +x dropbear
$ chmod +x dropbearkey

- Generate RSA keys:
$ cd /i-data/Z1F4Y7V4/admin/bin/
$ ./dropbearkey -t rsa -f dropbear_rsa_host_key


In the "/i-data/Z1F4Y7V4/admin/bin/" directory, create the file "start_dropbear.sh" with the following content:
=======================================================
#!/bin/sh

set -x
cd $(dirname ${0})    # work from the admin bin folder, where the host key lives
killall dropbear      # stop any instance that is already running

# -I 480: idle timeout in seconds, -j/-k: disable local/remote port forwarding,
# -r: host key file, -E: log to stderr
./dropbear -I 480 -j -k -r dropbear_rsa_host_key -E

=======================================================

Make the .sh script executable:
$ cd /i-data/Z1F4Y7V4/admin/bin/
$ chmod +x start_dropbear.sh


Edit the file "/usr/local/zy-pkgs/etc/init.d/ZYPKG_DEPS"
Add the line "/i-data/Z1F4Y7V4/admin/bin/start_dropbear.sh" below START-UP (DON'T REMOVE THIS LINE!)

It should look like this:
=======================================================
# Dependency for zypkgs

# START-UP (DON'T REMOVE THIS LINE!)
/i-data/Z1F4Y7V4/admin/bin/start_dropbear.sh
/usr/local/zy-pkgs/etc/init.d/DyDNS
/usr/local/zy-pkgs/etc/init.d/BackupPlanner
/usr/local/zy-pkgs/etc/init.d/NFS


# SHUTDOWN (DON'T REMOVE THIS LINE!)
/usr/local/zy-pkgs/etc/init.d/NFS
/usr/local/zy-pkgs/etc/init.d/BackupPlanner
/usr/local/zy-pkgs/etc/init.d/DyDNS

=======================================================

After a restart the SSH server will run. Alternatively, you can start it with this command:
$ /i-data/Z1F4Y7V4/admin/bin/start_dropbear.sh

You can now use Putty with password authentication to connect to the NAS.

Setup SSH for SFTP:
To allow authentication through SSH without passwords, you will need to set up an authorized_keys store for each user. By default, only root has a home directory in place. To set up a home directory for other users, you will need to edit the file /etc/passwd.

This poses several problems. First, after every reboot the passwd file gets restored to its previous settings. Second, each directory created in the /home/shares folder also disappears after a reboot. You can work around this by copying the passwd file and automating the creation of the home folders through the start_dropbear.sh script.

The entries for root and a custom user (e.g. user1) in the /etc/passwd file would look like this:
root:x:0:0:root:/root:/bin/sh
user1:x:505:500:type&admin:/home/shares:/bin/sh
user2:x:505:500:type&admin:/home/shares:/bin/sh


This tells us that root has a home folder at /root, while user1 and user2 have their home folders at /home/shares. In fact, every user created on the NAS shares the /home/shares home folder.
In order to set up SSH for root, we only need to create a .ssh folder and copy a public key to it.

However, to give each user access to their own .ssh folder, we need to change the passwd file accordingly for each user, like this:
user1:x:505:500:type&admin:/home/shares/user1:/bin/sh
user2:x:505:500:type&admin:/home/shares/user2:/bin/sh

etc.

First we need to make a copy of the /etc/passwd file and store it in our central admin location:
$ cp /etc/passwd /i-data/Z1F4Y7V4/admin/bin/passwd
$ vi /i-data/Z1F4Y7V4/admin/bin/passwd


Change the user entries to give each user their own /home/shares/<username> folder, so they will look like this:
root:x:0:0:root:/root:/bin/sh
user1:x:505:500:type&admin:/home/shares/user1:/bin/sh
user2:x:505:500:type&admin:/home/shares/user2:/bin/sh


Now we need to edit the start_dropbear.sh script so it will have the following content:
=======================================================
#!/bin/sh

set -x
cd $(dirname ${0})    # work from the admin bin folder
killall dropbear      # stop any instance that is already running

# START DROPBEAR WITH SSH KEY AUTHENTICATION ONLY
# Recreate the home and .ssh folders, which are lost at every reboot
mkdir -p /root/.ssh/
mkdir -p /home/shares/user1/.ssh
mkdir -p /home/shares/user2/.ssh
# Install the public keys (created in the next step) for each user
cp /i-data/Z1F4Y7V4/admin/bin/pubkey1 /root/.ssh/authorized_keys
cp /i-data/Z1F4Y7V4/admin/bin/pubkey2 /home/shares/user1/.ssh/authorized_keys
# Restore the edited passwd file, which is also lost at every reboot
cp passwd /etc/passwd
# -s: disable password logins, so only the installed keys are accepted
./dropbear -I 480 -j -k -s -r dropbear_rsa_host_key -E

=======================================================

As you can see here, the script creates the home folders and the .ssh folders with the mkdir command. The public keys (pubkey1 and pubkey2 in this example), which we will create in the next step, are copied with the cp command to the folder of each user.

Now it’s time to create the right keyset with puttygen.exe for Windows.
- Open puttygen.exe
- Create a new SSH-2 RSA key with 2048 bits
- Enter a key passphrase to encrypt the key on disk (and confirm the same passphrase)
- Save the private key to disk. You will need this key on your client to connect to the NAS
- Copy the data from the field "Public key for pasting into OpenSSH authorized_keys file:"
- Paste the key into a custom named file, e.g. pubkey1 in the folder /i-data/Z1F4Y7V4/admin/bin/
- Make sure you create a keyset for each user to increase security (so user2 gets pubkey2, etc.)
- Give the created pubkeys the proper permissions with the following command:
$ cd /i-data/Z1F4Y7V4/admin/bin/
$ chmod 600 pubkey1
$ chmod 600 pubkey2


Continue doing this for every user required to authenticate through SSH.
You're now able to connect to your NAS with Putty using a private and public key.
Make sure you set the right private key .ppk file when connecting.
To do this, go to Connection > SSH > Auth and point to your .ppk file.

Install SFTP server to Medion Nas:
To connect via SFTP over SSH, we will need to install the openssh-server package:
https://packages.debian.org/squeeze/armel/openssh-server/download

Extract the data.tar file from the openssh-server_5.5p1-6+squeeze5_armel.deb package and again extract the following files from the tar archive:
- usr\lib\openssh\sftp-server COPY TO /i-data/Z1F4Y7V4/admin/bin/sftp-server

The sftp-server file actually needs to be placed in the /usr/lib folder. However, the /usr filesystem has no free space. We can solve this by creating a softlink to that destination:

$ mount -n -o remount,rw /usr
$ ln -s /i-data/Z1F4Y7V4/admin/bin/sftp-server /usr/lib/sftp-server
$ mount -n -o remount,ro /usr


After a reboot SFTP should be functioning.

********************************************************************************

Badabada, that's all folks!

Hope it's understandable enough to follow. If I've made errors, giant missteps or typos anywhere in this document, feel free to address me on that.
In fact, all reactions and feedback are most welcome.

Regards,

B.M.
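The following is an added example and not the script from the post above. It takes the same start_dropbear.sh idea but derives the home folders and authorized_keys files from the saved passwd copy instead of hard-coding each user, checks each key file before installing it, and sets the permissions dropbear expects. It assumes a layout of my own choosing: the admin bin folder holds the passwd copy and one public key per user named <username>.pub (the post used pubkey1/pubkey2), and the boot path is only taken when the script is called with the argument "start".

```shell
#!/bin/sh
# Added example (not the post's own script). Assumed layout: ADMIN_BIN holds
# the passwd copy and one public key per user named <username>.pub. The
# "root prefix" argument is "" on the NAS and a scratch folder when testing.

ADMIN_BIN="${ADMIN_BIN:-/i-data/Z1F4Y7V4/admin/bin}"

# Print "user:home" for every passwd entry with its own folder under /home/shares.
shares_users() {
    awk -F: '$6 ~ "^/home/shares/[^/]+$" { print $1 ":" $6 }' "$1"
}

# Create <home>/.ssh and install the user's key with the permissions dropbear
# expects (.ssh 700, authorized_keys 600; root-owned files are accepted).
# Returns 1 if the key file is missing or is not an OpenSSH public-key line.
install_user_key() {   # $1=user $2=home $3=keydir $4=root prefix
    key="$3/$1.pub"
    [ -f "$key" ] || { echo "no key file for $1" >&2; return 1; }
    grep -Eq '^ssh-(rsa|ed25519) [A-Za-z0-9+/=]+' "$key" || { echo "bad key for $1" >&2; return 1; }
    mkdir -p "$4$2/.ssh" && chmod 700 "$4$2/.ssh"
    cp "$key" "$4$2/.ssh/authorized_keys" && chmod 600 "$4$2/.ssh/authorized_keys"
}

# Install a key for every /home/shares user; exit status is the number of failures.
install_all_keys() {   # $1=passwd copy $2=keydir $3=root prefix
    failed=0
    for entry in $(shares_users "$1"); do
        install_user_key "${entry%%:*}" "${entry#*:}" "$2" "$3" || failed=$((failed + 1))
    done
    return $failed
}

# Boot-time path, taken when ZYPKG_DEPS calls "start_dropbear.sh start".
if [ "${1:-}" = "start" ]; then
    cd "$ADMIN_BIN" || exit 1
    [ -f dropbear_rsa_host_key ] || ./dropbearkey -t rsa -f dropbear_rsa_host_key
    install_all_keys ./passwd "$ADMIN_BIN" "" || echo "warning: $? key(s) not installed" >&2
    cp ./passwd /etc/passwd        # restore the edited passwd lost at reboot
    killall dropbear 2>/dev/null
    ./dropbear -I 480 -j -k -s -r dropbear_rsa_host_key -E   # -s: no password logins
fi
```

A user whose key file is missing or malformed simply gets no .ssh folder, so the server still starts but that user cannot log in until the key is fixed.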

