bask185
Posts: 120
Joined: Thu Mar 09, 2017 11:39 am
Location: Netherlands

Alternative for Samba NAS

Mon Sep 10, 2018 8:20 am

I have been using a RPI3 as a network attached storage for quite some time now and I have been very very happy so far.

I now have a new laptop with W10 and it cannot see the smb drive. I suspect that the rpi uses smb v1 and I have to enable it in W10 (or upgrade the rpi) but that is not my biggest issue atm.

I want to be able to access my RPI from outside my network. If I make photos with my android phone, I want to be able to transfer them to the NAS when I am at work for instance.

I believe I correctly forwarded the ports on my router but I have not been successful so far. I also don't know what I have to type behind my home's IP address. Plus, I heard that it is not entirely safe.

Anyways I am looking for a substitute for my samba server. My only 2 demands are:
- android, linux and windows 10 machines have to be able to work with it.
- I want access from outside my LAN. And preferably also safe unlike what I am doing now.

I don't want version control stuff. I use it mainly for media and photos and stuff.

What is the best software to use for my demands?

tpyo kingg
Posts: 640
Joined: Mon Apr 09, 2018 5:26 pm
Location: N. Finland

Re: Alternative for Samba NAS

Mon Sep 10, 2018 8:46 am

I would test if you can use the Raspberry Pi's built-in SFTP server (it's part of the OpenSSH server) and configure the clients for that. SFTP is about as secure as you can get given the limitations of the clients, especially if they can be set to use keys.

I recall reading that there are some graphical SFTP clients and front-ends for Vista10 as well as the older legacy systems. The older legacy systems apparently had a way to integrate SFTP into MSIE or Edge or whatever. sshfs might be one option if there is no default SFTP integration in the file manager. In the worst case you have FileZilla and WinSCP.

The Linux systems have SFTP support built into the file managers, but there is also sshfs if needed.

As for Android you'll have to search the store. Often, many "FTP" clients actually support SFTP, even though it is a completely different protocol.
Last edited by tpyo kingg on Mon Sep 10, 2018 8:49 am, edited 2 times in total.

Heater
Posts: 13928
Joined: Tue Jul 17, 2012 3:02 pm

Re: Alternative for Samba NAS

Mon Sep 10, 2018 8:47 am

I strongly suspect that using SAMBA over the public internet is a really bad idea from a security point of view. Not only have there been exploits that can grab or modify your files but also exploits that can allow an attacker to get admin privileges. See for example:
https://security.stackexchange.com/ques ... e-internet

I don't know what state SAMBA is in nowadays but I would not trust it. At least not without setting up a VPN but that starts to become hard work.

Perhaps have a look at using Dropbox https://www.raspberrypi.org/magpi/dropbox-raspberry-pi/
Memory in C++ is a leaky abstraction .

bask185
Posts: 120
Joined: Thu Mar 09, 2017 11:39 am
Location: Netherlands

Re: Alternative for Samba NAS

Tue Sep 11, 2018 6:02 am

Heater wrote:
Mon Sep 10, 2018 8:47 am
I strongly suspect that using SAMBA over the public internet is a really bad idea from a security point of view. Not only have there been exploits that can grab or modify your files but also exploits that can allow an attacker to get admin privileges. See for example:
https://security.stackexchange.com/ques ... e-internet

I don't know what state SAMBA is in nowadays but I would not trust it. At least not without setting up a VPN but that starts to become hard work.

Perhaps have a look at using Dropbox https://www.raspberrypi.org/magpi/dropbox-raspberry-pi/
My Pi has a ssd of a few TB, that + Dropbox = no love. I could probably let my Pi copy stuff from a Dropbox folder to the drive and then delete the content of that folder to save space, but that would not work the other way around. Besides I don't want to depend on external cloud services, so no Google, no iCloud, no Dropbox


This site looks promising: https://pimylifeup.com/raspberry-pi-owncloud/ what do you think about it??

tpyo kingg
Posts: 640
Joined: Mon Apr 09, 2018 5:26 pm
Location: N. Finland

Re: Alternative for Samba NAS

Tue Sep 11, 2018 7:18 am

bask185 wrote:
Tue Sep 11, 2018 6:02 am
This site looks promising: https://pimylifeup.com/raspberry-pi-owncloud/ what do you think about it??
It's ownCloud which is a fancy way of doing WebDAV and means that all activity will be shoehorned into the web browser. That's an accepted practice these days but using native tools is, in my opinion, easier both in setup and daily use. Having stronger encryption than TLS would be more secure, so I'd still recommend SSH/SFTP. There is a lot of activity with ownCloud and a good support community.

However, first try this: while on your LAN, using your GNU/Linux system, open the file manager and press ctrl-L. Then enter the URL for your Raspberry Pi using the LAN address. It'll be something like this:

sftp://bask185@192.168.1.32/home/bask185/

It will then ask for either the password for the RPi or your SSH key's passphrase. Once logged in, you will be able to see, drag, drop, add, change, and remove files just as if they were on the same machine all while using the native file tools.

ejolson
Posts: 3837
Joined: Tue Mar 18, 2014 11:47 am

Re: Alternative for Samba NAS

Tue Sep 11, 2018 7:30 am

bask185 wrote:
Tue Sep 11, 2018 6:02 am
This site looks promising: https://pimylifeup.com/raspberry-pi-owncloud/ what do you think about it??
That seems like a well written, reasonable and up-to-date tutorial. The tutorial recommends using a self-signed TLS certificate, which is simpler than setting up a free certificate from a registered authority. In fact, for personal use, a self-signed certificate is probably more secure as well.

I've heard of OwnCloud before but never explored the website. It appears to be an active open source project with the option of buying a commercial version. I did not read the license, but for personal use I can't imagine much going wrong. It's interesting that the whole thing is written in PHP so as to be portable to any hosting environment. It is accessible through a web browser and also through custom clients on many operating systems. Pushing everything through a web server has the advantage of making the files available from even the most limited access points.

Although I have a VPN setup which allows access to my Pi remotely, OwnCloud also looks like a convenient way to satisfy my filesharing tasks.

Heater
Posts: 13928
Joined: Tue Jul 17, 2012 3:02 pm

Re: Alternative for Samba NAS

Tue Sep 11, 2018 8:20 am

tpyo kingg,
Having stronger encryption than TLS would be more secure, so I'd still recommend SSH/SFTP.
Could you elaborate on why you think TLS is somehow insecure or less secure than SSH/SFTP? Or link us to some explanation of that statement?

I have never experienced or read anything that suggests TLS is less secure than SSH/SFTP. They are both used where security is of prime importance by many systems. For example in VPNs.

The creators of OpenVPN take an opposite view:

TLS is the latest evolution of the SSL family of protocols developed originally by Netscape for their first secure web browser. TLS and its SSL predecessors have seen widespread usage on the web for many years and have been extensively analyzed for weaknesses. In turn, this analysis has led to a subsequent strengthening of the protocol such that today, SSL/TLS is considered to be one of the strongest and most mature secure protocols available. As such, we believe TLS is an excellent choice for the authentication and key exchange mechanism of a VPN product.

https://openvpn.net/index.php/open-sour ... s-tls.html

Whilst both TLS and SSH/SFTP can often be used to the same ends they are rather different things designed for different use cases.
Memory in C++ is a leaky abstraction .

tpyo kingg
Posts: 640
Joined: Mon Apr 09, 2018 5:26 pm
Location: N. Finland

Re: Alternative for Samba NAS

Tue Sep 11, 2018 9:28 am

Again, I'm not saying TLS is bad, just that it has a long ways to go still. It is better than SSL which was itself better than raw text.

The browsers' certificate trust model for TLS leaves a lot to be desired in particular which is the main objection I had in mind and independent of the choice of ciphers which is often suboptimal too. Here is a purely technical examination of how it is weak.

http://www.mouedine.net/relayd/

And here is a discussion about the choices of cipher suites.

https://www.acunetix.com/blog/articles/ ... hardening/

TLS is not insecure by current public moods but it still has a ways to go. There are many examples of browsers being involuntarily (or voluntarily) loaded with extra certs which allow MitM. If you search, you can find news of spyware deployments in the wild made by various states using similar technical methods. That is very hard with SSH/SFTP because SSH/SFTP just uses the keys directly unless one goes out of one's way to sign the keys and turn them into certificates and even then you are in charge of the whole chain of trust. Thus while there is a bit more overhead you are guaranteed to be connecting only to the intended host because you confirm the keys one-to-one.

VPNs also fall behind a generation or two in regards to choice of cipher suites, as seen in their respective documentation.

HTTP(S) is stateless. SFTP(SSH) is stateful. That makes a difference too.

ejolson
Posts: 3837
Joined: Tue Mar 18, 2014 11:47 am

Re: Alternative for Samba NAS

Tue Sep 11, 2018 9:48 am

Heater wrote:
Tue Sep 11, 2018 8:20 am
Could you elaborate on why you think TLS is somehow insecure or less secure than SSH/SFTP? Or link us to some explanation of that statement?
As far as I can tell, both TLS and SSH implement perfect forward secrecy.

I suspect for many (as explained in the above post simultaneously submitted as I submitted this one) the main weakness of TLS is not the encryption but the way each global signing authority creates a possible point of failure for the whole scheme. On the other hand, the weakness of SSH is opposite in nature: there is no built-in chain of trust, each public key must be independently verified and very few people bother to do so.

Unless you are hoarding data valuable to nation states or targeted by criminal organisations, filesharing using TLS through OwnCloud should be just fine. In either case, it's likely more secure than a port directly forwarded to a Samba server.
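
The two posts above describe SSH as trusting a host key directly, with each key verified one-to-one, and note that few people actually do that check. As an added example (not written by anyone in the thread), this Python sketch computes the same SHA256 fingerprint that `ssh-keygen -lf` prints and compares an offered host key against a pinned one. The key bytes, comments and names such as `PI_KEY_LINE` are constructed for illustration.

```python
import base64
import hashlib
import hmac
import struct


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string: uint32 length + payload."""
    return struct.pack(">I", len(data)) + data


def make_constructed_ed25519_line(raw32: bytes, comment: str) -> str:
    """Build a public key line from constructed bytes (no real key involved)."""
    blob = ssh_string(b"ssh-ed25519") + ssh_string(raw32)
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " " + comment


def parse_pubkey_line(line: str):
    """Parse 'keytype base64blob [comment]' and return (keytype, raw_blob).

    Rejects lines whose declared key type does not match the type embedded
    in the blob, which catches truncated or hand-edited entries.
    """
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("not an OpenSSH public key line")
    keytype, b64 = fields[0], fields[1]
    blob = base64.b64decode(b64, validate=True)
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != keytype.encode():
        raise ValueError("key type does not match blob")
    return keytype, blob


def fingerprint(line: str) -> str:
    """SHA256 fingerprint in the format printed by `ssh-keygen -lf`."""
    _, blob = parse_pubkey_line(line)
    digest = hashlib.sha256(blob).digest()
    # OpenSSH prints unpadded base64 of the SHA-256 of the raw key blob.
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def host_key_matches(offered_line: str, pinned_fingerprint: str) -> bool:
    """True only if the offered key hashes to the fingerprint pinned earlier."""
    return hmac.compare_digest(fingerprint(offered_line), pinned_fingerprint)


# Constructed sample data: the Pi's key, and a different key that an
# interposed host would present instead.
PI_KEY_LINE = make_constructed_ed25519_line(bytes(range(32)), "pi@constructed")
OTHER_KEY_LINE = make_constructed_ed25519_line(bytes([0xFF] * 32), "other@constructed")

# Fingerprint recorded out-of-band, e.g. read on the Pi's own console.
PINNED = fingerprint(PI_KEY_LINE)

if __name__ == "__main__":
    print("pinned      :", PINNED)
    print("pi key ok   :", host_key_matches(PI_KEY_LINE, PINNED))
    print("other key ok:", host_key_matches(OTHER_KEY_LINE, PINNED))
```

The pin only has value if the fingerprint was obtained over a channel other than the connection being checked.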

Heater
Posts: 13928
Joined: Tue Jul 17, 2012 3:02 pm

Re: Alternative for Samba NAS

Tue Sep 11, 2018 11:31 am

tpyo kingg,

I'm no security expert but...
Again, I'm not saying TLS is bad, just that it has a long ways to go still.
That does not explain anything it just reiterates the statement I'm asking about.
The browsers' certificate trust model for TLS leaves a lot to be desired in particular which is the main objection I had in mind...
Perhaps but now we are talking about how browsers implement TLS. Not TLS itself. Browsers are a sieve of never ending security holes anyway.
..and independent of the choice of ciphers which is often suboptimal too
That is an implementation/configuration issue.
Here is a purely technical examination of how it is weak.

http://www.mouedine.net/relayd/
I think you have the wrong link there. That does not talk about TLS weaknesses it's about blocking sites with PF and relayd.
TLS is not insecure by current public moods but it still has a ways to go. There are many examples of browsers being involuntarily (or voluntarily) loaded with extra certs which allow MitM. If you search, you can find news of spyware deployments in the wild made by various states using similar technical methods.
We are talking about browsers again, not TLS as such.
HTTP(S) is stateless. SFTP(SSH) is stateful. That makes a difference too.
Could you explain what difference? We want secure connections, be they long lived and persistent or short request, response sessions.

Anyway, now we are talking about a totally different thing again, HTTP over TLS, not TLS itself.

When I use TLS with my database connections or my NATS messaging system or my VPNs, etc, I am my own certificate authority, both clients and servers have certs so that they can authenticate each other.

Anyway, SSH has issues of its own:

For example this vulnerability that has been in place for decades and only discovered last month:
https://www.bleepingcomputer.com/news/s ... o-decades/

Or the ongoing discovery of SSH vulnerabilities:
https://www.cvedetails.com/vulnerabilit ... enssh.html

Or the Four SSH Vulnerabilities You Should Not Ignore:
https://www.cyberark.com/blog/four-ssh- ... ot-ignore/


My take away from all this is:

a) Both SSH and TLS are as secure as the human race knows how and on a par with each other.

b) Security is not a program or protocol that magically secures everything. It's an ongoing process that demands vigilance. Constantly keeping an eye open for news of new vulnerability discoveries, constantly upgrading, patching and reconfiguring systems as new issues come to light.

c) A lot of security issues are not actually to do with the crypto or protocol in use but how it is used. The systems surrounding it.
Memory in C++ is a leaky abstraction .

tpyo kingg
Posts: 640
Joined: Mon Apr 09, 2018 5:26 pm
Location: N. Finland

Re: Alternative for Samba NAS

Tue Sep 11, 2018 12:04 pm

Heater wrote:
Tue Sep 11, 2018 11:31 am
Could you explain what difference? We want secure connections, be they long lived and persistent or short request, response sessions.
https://en.wikipedia.org/wiki/Stateless_protocol

HTTP/HTTPS is stateless. Connections for each and every page and object on those pages are one-off. All of them.

SFTP is stateful. The server keeps up with what you are working on and, among other things, leaves the connection open until you decide to close it.

That favors SFTP in this use-case, if the choice is just between the two, though there are other factors to consider.

The PF+relayd example shows how trivial, from a technical perspective, it is to abuse the certificate hierarchy in the case of HTTP+TLS. As to OpenVPN if you read the documentation you will see which cipher suites it (still) uses. Same for TLS support on the web servers. CBC-based ones should not be used and 3DES went out at the turn of the millennium.

Anyway, the discussion seems far away from the topic of just copying files in the easiest way possible. If your Raspberry Pi has SSH running please try the demo listed in one of my earlier posts above using ctrl-L in the file manager. File transfer can be that easy.

Heater
Posts: 13928
Joined: Tue Jul 17, 2012 3:02 pm

Re: Alternative for Samba NAS

Tue Sep 11, 2018 12:44 pm

tpyo kingg,
HTTP/HTTPS is stateless. Connections for each and every page and object on those pages are one-off. All of them.

SFTP is stateful. The server keeps up with what you are working on and, among other things, leaves the connection open until you decide to close it.
Very true. But I don't understand how stateless or otherwise makes it more or less secure. Anyway, we are again talking about HTTP not TLS. TLS connections can be stateless and persistent and often are.
That favors SFTP in this use-case, if the choice is just between the two, though there are other factors to consider.
I would also suggest SFTP. That is what it is designed for.

That PF+relayd example is cool. But it requires that "the « ca.crt » need to be installed on all the computers in the network (lan)." That means all the client machines have to be hacked for it to work. Well, if the client or server at the ends of your TLS connections are already rooted you can't really blame TLS for what happens next.
OpenVPN if you read the documentation you will see which cipher suites it (still) uses.
Are you saying that the OpenVPN hardening suggestions here https://community.openvpn.net/openvpn/wiki/Hardening are not hard enough? If so I'd really like to know how and what to do about it. I have VPNs that I don't want broken. Thanks.
Memory in C++ is a leaky abstraction .

tpyo kingg
Posts: 640
Joined: Mon Apr 09, 2018 5:26 pm
Location: N. Finland

Re: Alternative for Samba NAS

Tue Sep 11, 2018 1:15 pm

Heater wrote:
Tue Sep 11, 2018 12:44 pm
Are you saying that the OpenVPN hardening suggestions here https://community.openvpn.net/openvpn/wiki/Hardening are not hard enough? If so I'd really like to know how and what to do about it. I have VPNs that I don't want broken. Thanks.
I'm fairly conservative on those topics so I'd say the short answer is, "no", the hardening listed there is not hard enough at least for my tastes. But then I am not a cryptographer, just following the edges of the online tech discussions picking up crumbs here and there. The CBC versions of ciphers and various old algorithms (blowfish, 3des, rc4, arcfour, cast, etc) are to be avoided these days and the EC ciphers used when possible.

OpenVPN errs on the side of backwards compatibility so you can upgrade to the new version of OpenVPN across the board using the current ciphers, good and bad. Then when all the servers and clients are upgraded, fix the ciphers too. That should prevent broken VPNs in both contexts of broken.

Heater
Posts: 13928
Joined: Tue Jul 17, 2012 3:02 pm

Re: Alternative for Samba NAS

Tue Sep 11, 2018 1:30 pm

tpyo kingg,

Like you I'm not a cryptographer. Though I did find bugs in the implementation of a crypto system used by NATO years ago. But that is another story.

I try and keep up with the latest advice from the experts. Getting more and more paranoid as I watch Black Hat and DEFCON conference presentations on YouTube...

I'm going to take that as "hard enough". Yes they allow use of old weak versions of ciphers and algorithms but they do state the risks and tell how to prevent the use of such things. I have no need for any such backward compatibility.

Thanks.
Memory in C++ is a leaky abstraction .

ejolson
Posts: 3837
Joined: Tue Mar 18, 2014 11:47 am

Re: Alternative for Samba NAS

Tue Sep 11, 2018 4:18 pm

Heater wrote:
Tue Sep 11, 2018 11:31 am
When I use TLS with my database connections or my NATS messaging system or my VPNs, etc, I am my own certificate authority, both clients and servers have certs so that they can authenticate each other.
The tutorial for OwnCloud created their own TLS certificates. However, the documentation for OwnCloud discusses installing a Let's Encrypt certificate.

When using a web browser to access your files, a self-signed certificate doesn't increase security unless you delete all other built-in certificates. This would, of course, make the web browser useless for web browsing. OwnCloud has custom clients for most operating systems which might make it easier to avoid trusting the many signing authorities present by default in a browser. A quick read through the documentation for the Microsoft Windows client did not find a discussion on increasing security in this way.

Still, if https is good enough for online transactions using credit cards, it is probably fine for other types of personal data as well. OwnCloud looks to me a likely solution for the file sharing described in the original post.

andrum99
Posts: 933
Joined: Fri Jul 20, 2012 2:41 pm

Re: Alternative for Samba NAS

Tue Sep 11, 2018 6:07 pm

bask185 wrote:
Mon Sep 10, 2018 8:20 am
I have been using a RPI3 as a network attached storage for quite some time now and I have been very very happy so far.

I now have a new laptop with W10 and it cannot see the smb drive. I suspect that the rpi uses smb v1 and I have to enable it in W10 (or upgrade the rpi) but that is not my biggest issue atm.
New versions of Windows 10 ship with SMBv1 support completely disabled by default - see https://support.microsoft.com/en-gb/hel ... in-windows for details. This means that you won't see any samba shares on your Pi appear in "Network" within File Explorer on your laptop, since this uses the "computer browsing" feature of SMBv1 which is no longer present in SMBv2 and 3. The samba shares on your Pi should still be accessible from your laptop though, since both the Pi and Windows 10 speak SMBv2 and 3. Have you tried accessing the Pi using a UNC path - e.g. \\PiHost\nameofshare? Or using the IP address in the UNC path instead of the hostname - e.g. \\192.168.1.3\nameofshare? Both of these should work fine.

As others have said - trying to send SMB of any version over the public internet is a *really* bad idea.

Heater
Posts: 13928
Joined: Tue Jul 17, 2012 3:02 pm

Re: Alternative for Samba NAS

Tue Sep 11, 2018 6:49 pm

ejolson,
The tutorial for OwnCloud created their own TLS certificates. However, the documentation for OwnCloud discusses installing a Let's Encrypt certificate.
I have no idea about OwnCloud but I have been using certs from Let's Encrypt for web servers since they started up. If only because it stops Chrome and Firefox complaining about self signed certs.

Is that secure? I'm not sure. What if my domain name gets hijacked and the hijacker has trusted certs? Then people end up thinking they are connecting to me when they are not and offering up their passwords to the hijacker.

Meanwhile for other TLS connections I am my own Certificate Authority. Both ends of the link need certs signed by me. I don't have to trust anyone else out there.
When using a web browser to access your files, a self-signed certificate doesn't increase security unless you delete all other built-in certificates.
Could you explain that to me because I don't understand the need to delete all other certs in the browser. Or link to an explanation.
Memory in C++ is a leaky abstraction .

ejolson
Posts: 3837
Joined: Tue Mar 18, 2014 11:47 am

Re: Alternative for Samba NAS

Tue Sep 11, 2018 10:15 pm

Heater wrote:
Tue Sep 11, 2018 6:49 pm
ejolson,
The tutorial for OwnCloud created their own TLS certificates. However, the documentation for OwnCloud discusses installing a Let's Encrypt certificate.
I have no idea about OwnCloud but I have been using certs from Let's Encrypt for web servers since they started up. If only because it stops Chrome and Firefox complaining about self signed certs.

Is that secure? I'm not sure. What if my domain name gets hijacked and the hijacker has trusted certs? Then people end up thinking they are connecting to me when they are not and offering up their passwords to the hijacker.

Meanwhile for other TLS connections I am my own Certificate Authority. Both ends of the link need certs signed by me. I don't have to trust anyone else out there.
When using a web browser to access your files, a self-signed certificate doesn't increase security unless you delete all other built-in certificates.
Could you explain that to me because I don't understand the need to delete all other certs in the browser. Or link to an explanation.
You already said it: If you run the sole certificate authority you don't have to trust anyone else.

epoch1970
Posts: 3894
Joined: Thu May 05, 2016 9:33 am
Location: Paris, France

Re: Alternative for Samba NAS

Tue Sep 11, 2018 10:56 pm

What ever happened to this thread...
bask185 wrote:
Mon Sep 10, 2018 8:20 am
My only 2 demands are:
- android, linux and windows 10 machines have to be able to work with it.
- I want access from outside my LAN. And preferably also safe unlike what I am doing now.

I don't want version control stuff. I use it mainly for media and photos and stuff.

What is the best software to use for my demands?
A server with a web interface will work best if you want access from mobile devices.
Plex does photos and videos, music etc. It offers remote HTTPS access to your server via plex.tv (?), it is simple to set up and secure. There are apps for Plex, in addition to the modern (reactive) web interface.
Pydio, owncloud/nextcloud, Cosy are alternatives for photos and files.
"S'il n'y a pas de solution, c'est qu'il n'y a pas de problème." Les Shadoks, J. Rouxel

Heater
Posts: 13928
Joined: Tue Jul 17, 2012 3:02 pm

Re: Alternative for Samba NAS

Wed Sep 12, 2018 12:04 am

epoch1970,
What ever happened to this thread...
The question was answered, we moved on to discussing more interesting things.
Plex does photos and videos, music etc. It offers remote HTTPS access to your server via plex.tv (?), it is simple to set up and secure. There are apps for Plex, in addition to the modern (reactive) web interface.
Plex is shutting down:
https://variety.com/2018/digital/news/p ... 202936840/
Memory in C++ is a leaky abstraction .

epoch1970
Posts: 3894
Joined: Thu May 05, 2016 9:33 am
Location: Paris, France

Re: Alternative for Samba NAS

Wed Sep 12, 2018 6:38 am

Heater wrote:
Wed Sep 12, 2018 12:04 am
Plex is shutting down:
https://variety.com/2018/digital/news/p ... 202936840/
Oh, interesting, thanks.
But in fact I wasn't thinking of a serverless solution; The Plex server SSO "feature" (I find it irritating personally) is independent from Plex Cloud, and unless Plex shuts down operations as a whole, I doubt they would remove that.
I still suggest installing a Plex server on the OP's Pi and seeing how remote access works its magic.
"S'il n'y a pas de solution, c'est qu'il n'y a pas de problème." Les Shadoks, J. Rouxel

bask185
Posts: 120
Joined: Thu Mar 09, 2017 11:39 am
Location: Netherlands

Re: Alternative for Samba NAS

Fri Sep 14, 2018 6:24 am

epoch1970 wrote:
Tue Sep 11, 2018 10:56 pm
What ever happened to this thread...
bask185 wrote:
Mon Sep 10, 2018 8:20 am
My only 2 demands are:
- android, linux and windows 10 machines have to be able to work with it.
- I want access from outside my LAN. And preferably also safe unlike what I am doing now.

I don't want version control stuff. I use it mainly for media and photos and stuff.

What is the best software to use for my demands?
A server with a web interface will work best if you want access from mobile devices.
Plex does photos and videos, music etc. It offers remote HTTPS access to your server via plex.tv (?), it is simple to set up and secure. There are apps for Plex, in addition to the modern (reactive) web interface.
Pydio, owncloud/nextcloud, Cosy are alternatives for photos and files.
You sir, deserve a kudo.
