Clear OS – Initial Thoughts

Spent a good part of my weekend building a box out of parts cobbled together in my garage for a ClearOS server. Thought I’d post some first thoughts on the process and why.

What’s it for?

I’d been thinking I needed a small business server for a while to help me manage some projects and as a testing and development platform. I need to be able to develop web applications locally, invoice some consulting projects and other uses.

Why ClearOS

Normally I’d use Ubuntu Server or Windows Server for projects like this. Ubuntu is my preferred Linux flavor, and it’s rare to find something that doesn’t work with it. A friend of mine pointed me to ClearOS, however. I really like the idea of a web-based interface for interacting with the server. For rolling out features quickly, I think this is the way to go for most deployments assuming your security is tight enough. So I thought I’d give it a try.

Pros and Cons

I am looking at the Community Edition. They have paid Home and Business editions as well as pre-built appliances you can order. It’s a subscription model and pricing is fairly reasonable at every level.

First the bad.

  • Their website and documentation are good but either lacking or not updated often. I was trying to install MySQL from the Marketplace. I could not find it no matter what I did. Everything I found indicated you should just be able to search for “MySQL” and click install. It did not show up. Eventually I figured out that, as far as I can tell, you install “MariaDB” and that installs MySQL and phpMyAdmin. At least for the Community Edition this seems to be a recurring problem.
  • Manually installing apps is confusing. It’s basically just the yum app in CentOS/Red Hat, so no big deal. However, because of the documentation issue, when I tried to just install MySQL manually I wasn’t even sure it worked. The manual installation instructions were confusing and had screenshots of things that just didn’t seem to exist. This could just be because I am using the Community Edition and some things are turned off. This is one of those things that would make it sort of hard to consider upgrading.
  • The setup process makes you register the server even if you are just using the Community Edition. Not a huge deal, as you get some Dynamic DNS stuff and a few other things. This is likely why their apps are so easy to work with. If you care about your privacy, this might be an issue. Installing these for clients, this is actually a pro, in my opinion.
  • It seemed like it turned on its DHCP server for some reason. I’m not sure if it was really on or if the GUI was just indicating it was on. I set it up as a private server and didn’t have it act as a DNS server. This could be bad if it turns a DHCP server on by default.

The Good

  • It was incredibly easy to install. The entire install process took no more than about twenty minutes. Initial configuration made sense and it didn’t need too many unnecessary steps.
  • The Marketplace makes it very easy to set your server up to do whatever you need. Do you want to build a firewall? You can choose the apps you need for that really easily. Do you need just a basic web server and nothing else? Easy to do that. A couple of clicks and you have it done.
  • There are templates for Public, Private and Gateway servers as well as other functions. This lets you deploy things much more quickly than setting up a server entirely from scratch.

Overall I’m pleased and look forward to using it. There are bugs for sure but I think that something like this could potentially shave off significant amounts of time in deployment. It is not good for all situations but for small to mid-size businesses it has a lot of potential.

 

How to Apply Cyberoam 10 Firmware Updates

A few times a year, a notification appears on your Cyberoam’s dashboard that looks like this:

Cyberoam Update Notification

The update can be downloaded directly from the link and the update process is fairly painless. I’ve done this for two dozen or more units and never had one brick, so there’s very little worry here. Also the Cyberoam keeps two firmware images in memory so that if something goes wrong, it just boots from the last valid image (i.e. the one it’s running now). Still, I’d do this after hours and take a configuration backup first.

I recommend that you check my article on Automatic Cyberoam Backups and add them before going further.

Applying Cyberoam Firmware Updates

Step 1 – Take a manual backup of your Cyberoam. It’s fairly easy to do. Go to the Maintenance Menu under the System Menu on the left. Select the Backup and Restore tab and click the “Download Now” button. A file download of the configuration file will start. It’s a small file so even if you’re doing this over the internet, it shouldn’t take too long to finish.

Cyberoam E-mail Backup Configuration

Step 2 – Download the Firmware update. You can either get it from the message on your dashboard or from Cyberoam’s website directly. To get it from the website, you’ll need to log into your customer account. I don’t suggest the website route because you have to answer a few questions about your device, and if you make the wrong choice, this at best won’t work.

Step 3 – Go to the Maintenance Menu under the System Menu and select the Firmware Tab. You’ll see the two, or possibly more, firmware images being stored on your device. The top one on the list will have an upwards pointing arrow next to it. See the image below. Note that the bottom one on the list is the one being used by the unit.

Cyberoam Firmware Update Screen Upload Icon Marked

Click on that upload icon.

Step 4 – Find the firmware file you downloaded in the second step with the “Choose File” button.

Cyberoam Upload Screen

Step 5 – You have two options at this point. You can click the “Upload and Boot” button and it will apply it immediately, or you can just click the “Upload Firmware” button. If you choose the latter, you can wait until a later time to apply the firmware. Note that when you just upload the firmware, it replaces the non-active image on your device.

Step 6 – If you clicked the “Upload and Boot” button, then as soon as the unit reboots, you are done. If you clicked the “Upload Firmware” button, you will have to tell it when to boot to the new image. To do so, click the two arrows icon on the top item on the list (the non-active image). See the image below:

Cyberoam Firmware Update Screen Boot Image Icon Marked

Once the Cyberoam has rebooted, in either case, you’ve updated the firmware. Most of the time, if the image was bad or something else goes wrong, it just boots into the last working image. Most of the time, downloading the file again and trying again will resolve this. If not, you may either need to call customer support or wait for the next firmware image to come out.

Cyberoam Automatic Backups

It’s about that time again for a new firmware update on your Cyberoam devices and with firmware updates come configuration backups. I’m a big believer in automation, with backups.

One of the methods I implemented with my Cyberoam was the automatic e-mail backup. I am not a fan of the FTP backup as it sends a password to your FTP server in plain text over your LAN or the internet, which is no good. The e-mailed attachment backup is, in my opinion, much more secure.

Unlike Cisco backup files, Cyberoam encrypts the configuration file it sends out so even if someone breaks into your e-mail account, the passwords and other configuration data are secure. I have no idea what key they use, and when I opened the file up the first line looks like this:

Salted__tÐ ð8¸Y°×Ç­uùMúý1´ªeM@•ªøÙзRê8Ù%®Õ µd¾

That likely means that not only is the file encrypted but it’s got some extra random ‘salt’ data tacked on somewhere in the file, or in the key itself. This makes it harder to decrypt even if you know some text in the file because you have to know what the random data is too.
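The `Salted__` prefix is the header that OpenSSL's `enc` command writes for password-based encryption: the next eight bytes are the salt, stored unencrypted, and the rest is ciphertext. As an added example (not part of the original post, and assuming the Cyberoam backup follows that layout with a 16-byte block cipher), this Python check confirms that an e-mailed backup really is encrypted before you rely on it as an off-site copy:

```python
import math
import os
from collections import Counter

MAGIC = b"Salted__"   # header written by `openssl enc` for password-based encryption
SALT_LEN = 8          # the salt follows the magic string in the clear
BLOCK = 16            # assumption: a 128-bit block cipher such as AES in CBC mode


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; well-encrypted data sits close to 8.0."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(n / total * math.log2(n / total) for n in Counter(data).values())


def inspect_backup(blob: bytes) -> dict:
    """Report whether a backup attachment looks like a salted OpenSSL container."""
    report = {"salted": False, "salt": None, "block_aligned": False,
              "entropy": 0.0, "looks_encrypted": False}
    if len(blob) < len(MAGIC) + SALT_LEN or not blob.startswith(MAGIC):
        return report  # plain text or another format: do not treat as protected
    body = blob[len(MAGIC) + SALT_LEN:]
    report["salted"] = True
    report["salt"] = blob[len(MAGIC):len(MAGIC) + SALT_LEN].hex()
    report["block_aligned"] = len(body) > 0 and len(body) % BLOCK == 0
    report["entropy"] = round(shannon_entropy(body), 2)
    # 7.5 bits/byte is a threshold chosen for this example, not a standard.
    report["looks_encrypted"] = report["block_aligned"] and report["entropy"] > 7.5
    return report


# Constructed sample inputs (not real Cyberoam backups).
SAMPLE_ENCRYPTED = MAGIC + bytes.fromhex("0011223344556677") + os.urandom(4096)
SAMPLE_PLAINTEXT = b"hostname fw01\nadmin password example\n" * 50

if __name__ == "__main__":
    for name, blob in (("encrypted", SAMPLE_ENCRYPTED), ("plaintext", SAMPLE_PLAINTEXT)):
        print(name, inspect_backup(blob))
```

Because the salt is readable by anyone who has the file, the protection of the backup rests on the strength of the password or key used, not on the salt staying secret.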

E-mailing the configuration file also lets you have a fairly secure off-site backup of your firewall. The file is relatively small so most e-mail systems will gladly accept the attachment. Mine for instance is about 430k in size.

How to Set Up Automated E-mailed Backups In Cyberoam 10

Step 1 – You should have already set up your SMTP server for notifications. If not, you’ll need to do so now. Click on the Configuration Menu, and then select the “Notifications” tab. Put the IP address of your SMTP server in the text box, as well as the port number (it’s usually 25, but check with your e-mail provider). If you need a username and password, check the authentication box and enter it. You’ll also need to provide the “From” email address, and the address you want the notifications to go to. Typically the From e-mail can be anything on your own server, but might need to be a valid e-mail address if you don’t host your own e-mail.

Here’s a sample configuration:

Cyberoam SMTP Settings

Click save, and you should be good to go. One way to test if this is working is to unplug one of your cables for a minute or two and plug them back in. You should get a Gateway down/up notification. I have looked for a ‘test’ button but have not found one anywhere.

Step 2 – Go to the Maintenance menu and select the “Backup and Restore Tab”.

You’ll see a few options here. If you click the “Download Now” button, you’ll immediately get a download of the backup. That’s how you do a manual backup.

For a scheduled backup, decide how often you want the backup: Daily, Weekly, or Monthly. If you choose Weekly or Monthly you’ll get an email on the first day of that time period. So, Sunday or Monday for weekly, and the first day of the month for Monthly.

Select the E-Mail radio button, and enter the e-mail address you want it to go to. Please be aware that your SMTP server in the notifications menu has to be able to e-mail to the e-mail address you enter here, or it won’t work. Remember to hit the save button when you are done.

Here’s a sample configuration:

Cyberoam E-mail Backup Configuration

Cyberoam FleXi Port Devices

Cyberoam just put out a press release on their new FleXi Port devices. This is the sort of device large sites really need. You can plug your fiber, and high bandwidth copper lines directly into the firewall device, instead of doing ‘creative routing’ that the Cyberoam is so sensitive about.

It’s a good practice to hook your remote connectivity lines directly into the Cyberoam in my opinion. This ensures all your data coming into your network is scanned before it gets anywhere that could cause damage. This eliminates having to put your firewall between your router and your network, making the Cyberoam a true Gateway device.

Anyway, here’s a link to Cyberoam’s page on the device.

http://www.cyberoam.com/flexiports.html

How To Child Proof Your Internet At Home For Free

A lot of people ask me this and unfortunately it’s one of those hard things to just tell someone how to do verbally. A lot of parents want to filter the internet for their kids, something that I don’t blame them for. I will post a few really hard to bypass methods, but this one is tough enough to get around that your average middle schooler probably won’t have enough skill or knowledge to bypass. It is also super easy to implement.

This is the DNS blocking method of parental control. The great thing about it is that you don’t need any special software on your kid’s computer. This is filtered past the router level and for the most part works very well.

The quick and dirty method of blocking adult content is by using OpenDNS’s preconfigured FamilyShield Method. I would also like to point out that a nice side effect of this method is your internet will be a bit faster as far as finding websites is concerned. A drawback is you might see just a touch more advertising when you make a typo on a web address.

Use OpenDNS FamilyShield

Step 1 – Log into your router. You can check my “Setup Home Wi-Fi” article for how to child proof your router. Added benefit, this will keep people on the street out of your home internet service too.

Step 2 – Go to the section where you set up your DHCP server; most of the time this is under network settings. On Cisco/Linksys routers (which I recommend) this is actually on the first screen you see (basic setup). Look at the DNS servers. Usually this will have your router address under the first entry. Change the DNS settings here to:

DNS 1: 208.67.222.123
DNS 2: 208.67.220.123

Click Save

Step 3 – Once these changes are committed (make sure your router address is not in the DHCP server DNS list), reboot everything in your house so they get the new DNS settings.

This is all you should have to do, you may need to reboot things a few times before it takes effect. If you’ve got some weird brand of router this will still work, but you’ll want to go to opendns.com and check out their instructions, they’ve got a pretty comprehensive router database.

Note: If you have AT&T DSL, their tech support people can probably walk you through this. Just tell them you’d like to change your DNS servers to OpenDNS so you can filter the internet for your kids. Just give them the numbers above and they will likely walk you through all this if you have one of their 2WIRE modems.

Now a lot of IT professionals will tell you this is fairly easy to bypass. If you’ve got a kid who’s really good with computers, they might figure out how to bypass it. If you are a parent, e-mail me and I can tell you how to bypass this on your own devices.

I have a somewhat more advanced, more difficult to bypass method involving a Cisco/Linksys router and DD-WRT that I’ll be publishing soon. It’s cheaper than what I consider the BEST method, but definitely not free (unless you’ve already got the router, don’t mind messing with it and don’t mind paying roughly $5 more a month for internet).

Quite frankly this is not the best option but it’s free, and for most families it’s good enough. If you want to know how to do this right and make it tough for your children to get around even if they know that one kid who knows everything about computers, check back here for an article on one of the best pieces of hardware a parent can buy.
