Using Centos 7 as a Time Capsule Server

What follows below is a modified version of Darcyliu install script. I’ve changed it to account for changes resulting from the newer versions of netatalk.

Starting Point

# For this project, I start with a Centos 7 – Minimal install.  Install the Centos 7 – Minimal distribution. After install, update the packages to current:

yum -y upgrade

# then reboot the server:

reboot

# When the server is finished rebooting, it is time to get to work.   First, lets enable EPEL and install the first group of packages:

yum install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
yum install -y rpm-build gcc make wget
# install netatalk
yum install -y avahi-devel cracklib-devel dbus-devel dbus-glib-devel libacl-devel libattr-devel libdb-devel libevent-devel libgcrypt-devel krb5-devel mysql-devel openldap-devel openssl-devel pam-devel quota-devel systemtap-sdt-devel tcp_wrappers-devel libtdb-devel tracker-devel bison
yum install -y docbook-style-xsl flex dconf perl-interpreter
# Now we need to build up netatalk.  At the time of the writing 3.1.11 is the current version.
wget http://www003.upp.so-net.ne.jp/hat/files/netatalk-3.1.11-1.3.fc29.src.rpm
# Install the source RPM for Netatalk:
rpm -ivh netatalk-3.1.*
# Build the RPM from sources
rpmbuild -bb ~/rpmbuild/SPECS/netatalk.spec
# Next install the netatalk binary
yum -y install ~/rpmbuild/RPMS/x86_64/netatalk-3.1.*
# Lets add the config files
# configuration
cat >> /etc/avahi/services/afpd.service << EOF
<?xml version=”1.0″ standalone=’no’?>
<!DOCTYPE service-group SYSTEM “avahi-service.dtd”>
<service-group>
<name replace-wildcards=”yes”>%h</name>
<service>
<type>_afpovertcp._tcp</type>
<port>548</port>
</service>
<service>
<type>_device-info._tcp</type>
<port>0</port>
<txt-record>model=Xserve</txt-record>
</service>
</service-group>
EOF
cat >> /etc/netatalk/AppleVolumes.default << EOF
/opt/timemachine TimeMachine allow:tmbackup options:usedots,upriv,tm dperm:0775 fperm:0660 cnidscheme:dbd volsizelimit:200000
EOF
cat >> /etc/nsswitch.conf << EOF
hosts: files mdns4_minimal dns mdns mdns4
EOF
cat >> /etc/netatalk/afp.conf << EOF
[Time Machine]
path = /opt/timemachine
valid users = tmbackup
time machine = yes
EOF
cat >> /etc/netatalk/afpd.conf << EOF
– -transall -uamlist uams_randnum.so,uams_dhx.so,uams_dhx2.so -nosavepassword -advertise_ssh
EOF
# Add a user. This user id and password is what you’ll use when you mount the Time Machine folder. Also create the directory tree and change its ownership.
useradd tmbackup
mkdir -p /opt/timemachine
chown tmbackup:tmbackup /opt/timemachine
# Set firewall commands
firewall-cmd –zone=public –permanent –add-port=548/tcp
firewall-cmd –zone=public –permanent –add-port=548/udp
firewall-cmd –zone=public –permanent –add-port=5353/tcp
firewall-cmd –zone=public –permanent –add-port=5353/udp
firewall-cmd –zone=public –permanent –add-port=49152/tcp
firewall-cmd –zone=public –permanent –add-port=49152/udp
firewall-cmd –zone=public –permanent –add-port=52883/tcp
firewall-cmd –zone=public –permanent –add-port=52883/udp
firewall-cmd –reload
# Enable and start the services
systemctl enable avahi-daemon
systemctl enable netatalk
systemctl start avahi-daemon.service
systemctl start netatalk
systemctl restart avahi-daemon.service
systemctl restart netatalk
# set password for tmbackup
passwd tmbackup
A word about strategies.  If you want to back up more than one Mac, you can simply have the users share the login and password and as long as the Macs have different names, there will be no collisions in files created. Just use a good password to encrypt each backup.
I’m not a huge fan of sharing credentials. in fact, I think its a bad idea.  In order to use more than one login, create all the users and set a good password for each. Next, edit ( /etc/netatalk/afp.conf ) and add a duplicate of the entry above and change the share name (the string in between the brackets) and valid user to match the user id.  Do one entry for each user id.
[Time Machine1]
path = /opt/timemachine/user1
valid users = user1
time machine = yes

[Time Machine2]
path = /opt/timemachine/user2
valid users = user2
time machine = yes
[Time Machine3]
path = /opt/timemachine/user3
valid users = user3
time machine = yes
Next create user ids, folders in /opt/timemachine and change the owenrship of each user id
# EG:
adduser user1
adduser user2
adduser user3
mkdir -p /opt/timemachine/user1
mkdir -p /opt/timemachine/user2
mkdir -p /opt/timemachine/user3
chown user1:user1 /opt/timemachine/user1
chown user2:user2 /opt/timemachine/user2
chown user3:user3 /opt/timemachine/user3
# Now set a password on each:
passwd user1
passwd user2
passwd user3
Lastly, reboot the server just to make sure all the services start.  Next, attach to the server.  If you are on the same network, then you should see the server in your browse list.  If the server is on a different subnet, then you’ll have to point to the server manually.  Here’s how:
With Finder being the current app in the forground. Click Go -> Connect to Server
For server address, type the IP of the server and press enter:
afp://x.y.z.c
Fill in the login and password from those that you just created.
Next “Open Time Machine Preferences…”
Select your new disk.

iOS 8 – Apple Can Not Recovery Device Data

icon_overview_ios8_hero_large

A PDF surfaced titled “Legal Process Guidelines, U.S. Law Enforcement”.  The PDF outlines the process and procedures for Law Enforcement (LE) for contacting Apple. The document, with respect to iOS 8 says “For all devices running iOS 8.0 and later versions, Apple will no longer be performing iOS data extractions as the data sought will be encrypted and Apple will not possess the encryption key.”

For iOS 7 and earlier, “Apple can perform this data extraction process on iOS devices running iOS 4 through iOS 7. Please note the only categories of user generated active files that can be provided to law enforcement, pursuant to a valid search warrant, are: SMS, iMessage, MMS, photos, videos, contacts, audio recording, and call history. Apple cannot provide: email, calendar entries, or any third-party app data. ”

All that said, data privacy on the iOS devices seem to be moving in the right direction. However, there are other ways to attack the data. iOS backups, iCloud, weak pass phrases and/or security questions, and do not forget about rogue base stations and access points, can yield the data without having to crack the encryption.

Want to read the Apple guidelines? Here you go!

Centos 6.5 – Becoming A Time Machine Network Backup Server

I have been looking for the parts required to put together so that I can backup all the macs on a linux server hosted here in my lab.  What follows is the my “yum ready” instructions.

  • Start With Centos 6.5 Minimal Distribution
  • We need to create the file space where the Time Machine is going to save the files. I chose /home/tony/timemachine
    • Create the user:
      adduser tony #create user
      passwd tony  #set password
    • Create the path:
      mkdir -p /home/tony/timemachine
    • Set ownership:
      chown -R tony.tony /home/tony
  • Install wget
    yum -y wget
  • Install the EPEL Repository
    wget http://www.mirrorservice.org/sites/dl.fedoraproject.org/pub/epel/6/i386/epel-release-6-8.noarch.rpm
    yum localinstall epel-release-6-8.noarch.rpm
  • Use Yum to install the required packages:
    yum -y install netatalk avahi  dbus nss-mdns
  • Set services to start at boot:
    chkconfig netatalk on
    chkconfig messagebus on
    chkconfig avahi-daemon on
  • Now configure netatalk by posting this line at the very bottom of the file:
    - -transall -uamlist uams_randnum.so,uams_dhx.so,uams_dhx2.so -nosavepassword -advertise_ssh
    (Yes, just like that)
  • Edit /etc/netatalk/AppleVolumes.default and create the network shares. You’ll need one for each laptop you want to backup:
    /home/tony/timemachine allow:tony options:usedots,upriv,tm dperm:0775 fperm:0660 cnidscheme:dbd
  • Next edit /etc/nsswitch.conf
    hosts:      files mdns4_minimal dns mdns mdns4
  •  Create  /etc/avahi/services/afpd.service with the contents:

    <?xml version=”1.0″ standalone=’no’?>
    <!DOCTYPE service-group SYSTEM “avahi-service.dtd”>
    <service-group>
    <name replace-wildcards=”yes”>%h</name>
    <service>
    <type>_afpovertcp._tcp</type>
    <port>548</port>
    </service>
    <service>
    <type>_device-info._tcp</type>
    <port>0</port>
    <txt-record>model=TimeCapsule</txt-record>
    </service>
    </service-group>

  • Remove the ssh service from Avahi
     mv /etc/avahi/services/ssh.service /etc/avahi/services/ssh.service.disabled
  •  IPTABLES are running by default, so add the following to open up some ports and then save the iptables config:

    iptables -I INPUT -p udp –dport 548 -j ACCEPT
    iptables -I INPUT -p tcp –dport 548 -j ACCEPT
    iptables -I INPUT -p tcp –dport 5353 -j ACCEPT
    iptables -I INPUT -p udp –dport 5353 -j ACCEPT
    iptables -I INPUT -p udp –dport 5354 -j ACCEPT
    iptables -I INPUT -p tcp –dport 5354 -j ACCEPT

    service iptables save
  • 
    

    Start the required services:

    service avahi-daemon start
    service messagebus start
    service netatalk start

 

When you open Time Machine on your mac (mine is a MacBook Air running Mavericks), click the locked padlock to allow changes, which also enables the add/remove a backup disk. Click Add/remove and you should see your network Time Machine disk.

“security” via n8xja in Google Reader 2012-12-23 17:00:07

Aurich Lawson

2012 was an “exciting” year for OS X security—at least if you’re a security expert or researcher. There were plenty of events to keep people on their toes. Although Apple took some egg on the face for some of them, overall, the company came out ahead when it came down to keeping users safe.

At least that’s the opinion of some security researchers who followed OS X developments throughout the year.

Back to the Flashback

Remember Flashback? That malware first made its way onto the Mac in 2011, but never became widespread enough for most users to even become aware of it—until earlier this year. Suddenly, Apple was faced with arguably the first truly high-profile malware to appear on OS X, right as Apple was appearing more than ever in the media.

Read 23 remaining paragraphs | Comments

“security” via n8xja in Google Reader 2012-12-23 17:00:07

Aurich Lawson

2012 was an “exciting” year for OS X security—at least if you’re a security expert or researcher. There were plenty of events to keep people on their toes. Although Apple took some egg on the face for some of them, overall, the company came out ahead when it came down to keeping users safe.

At least that’s the opinion of some security researchers who followed OS X developments throughout the year.

Back to the Flashback

Remember Flashback? That malware first made its way onto the Mac in 2011, but never became widespread enough for most users to even become aware of it—until earlier this year. Suddenly, Apple was faced with arguably the first truly high-profile malware to appear on OS X, right as Apple was appearing more than ever in the media.

Read 23 remaining paragraphs | Comments