Base system

Note

Documentation about the old Server Manager is available here.

This chapter describes all available modules at the end of installation. All modules outside this section can be installed from the Software center page.

The default installation includes the following main modules:

While the root user can see all configuration pages, access to each section and application may also be delegated to specific users. See Role delegation.

Many Server Manager applications use netdata to display useful charts. Since netdata is not installed by default, you can install it from Software center.

System

The System page is the landing section after a successful login. The page will display the status and configuration of the system.

From the system dashboard, the administrator can:

  • change the machine FQDN and server Alias
  • set upstream DNS servers
  • configure Date and time
  • customize the organization details

The basic system also includes:

Network

Besides all features available in the old Server Manager (see Network), this page allows the administrator to:

  • check network status with integrated diagnostic tools like ping, trace route and name lookup
  • create a logical network interface without a role: such an interface can be used later in other modules like Dedalo hotspot

Services

A remote system can connect to a network service, which is software running on NethServer itself.

Each service can have a list of “open” ports accepting local or remote connections. To control which zones or hosts can access a network service, see Firewall and gateway.

Existing services can be started and stopped directly from the Services page.

Storage

The storage section configures and monitors disks. The administrator can mount new local or remote disks, manage RAID arrays and LVM volumes.

SSH

The SSH page displays the number of current SSH connections. From this section the administrator can change the OpenSSH listening port, disable root login and password authentication.

By default, SSH access is limited to the root user and all users inside the designated administrative group (Domain Admins). It is possible to selectively grant SSH and SFTP access to some groups, while administrators are always granted access to SSH and SFTP.

SSH and SFTP permissions are available once the System > Settings > Shell policy > Override the shell of users option has been enabled. If Override the shell of users is disabled, only users with the Shell option can access the Server Manager, and delegation is not required any more.

Settings

The settings page allows the configuration of some options which could impact multiple system applications.

Smart host

Many system applications, like cron, can generate mail notifications. If the server can’t directly deliver those mails, the administrator can configure an SMTP relay. When the smarthost is enabled, all mail messages will be delivered to the configured server.

Email notifications

By default, notifications are sent to the local root maildir. The administrator can change the root forward address by adding one or more mail addresses to the Destination field.

It’s also a good practice to set a custom Sender address: messages from the root user (like cron notifications) will be sent using the specified address. A good value could be: no-reply@<domain> (where <domain> is the domain of the server). If not set, messages will be sent using root@<fqdn> as sender address.

Server Manager

By default, access to the Server Manager is granted from all firewall zones. From this section the administrator can restrict access to the Server Manager to a list of trusted IP addresses.

Log files

All log files are managed by logrotate. Logrotate is designed to ease administration of a large number of log files. It allows automatic rotation, compression, and removal of log files. Each log file may be handled daily, weekly or monthly.

The administrator can set logrotate defaults from this page. The configuration will apply to all applications. But please note that some applications can override such configuration to meet specific needs.

Configuration hints

Most Server Manager pages can display some configuration hints to help guide the administrator on a better system configuration. Hints are just suggestions and can be disabled from this menu.

Password change

The settings page also includes a panel to let users change their password, including the root user.

Shell policy

This setting can be used to enable or disable the shell that is needed to use the new Server Manager and the SSH service. If this option is enabled, the user’s shell setting under the Users and Groups page is ignored and the shell is always considered enabled.

User settings page

When the Enable user settings page option is enabled, users can change their password and other settings on a web page outside Cockpit (on port 443). The default page is /user-settings. This feature can be enabled only if Shell Policy is enabled as well.

Access to the page can be limited to Trusted Networks.

Logs

The system provides an indexed log named journal. Journal can be browsed from this page: messages can be filtered by service, severity and date.

Applications

The Applications page lists all installed applications. An application is a Server Manager module usually composed of multiple pages including a dashboard, one or more configuration sections and access to the application logs. A click on the Settings button will open the application.

There are also simpler applications which include only a link to an external web page. To access such applications, click on the Open button.

Shortcuts

The administrator can add shortcuts to applications which are frequently used. Applications with a shortcut will be linked in the left menu.

Only the root user has access to this feature.

Add to home page

Launcher is an application of the new Server Manager available to all users on HTTPS and HTTP ports. The launcher is accessible on the server FQDN (e.g. https://my.server.com) and it’s enabled if there is no home page already configured inside the web server (no index page in /var/www/html).

Installed applications can be added to the launcher by clicking on the Add to home page button. All users will be able to access the public link of the application.

Only the root user has access to this feature.

Removing applications

To remove an installed module, click the Remove button on the corresponding application.

Warning

When removing a module, other modules could be removed, too! Read the list of affected packages carefully to avoid removing required features.

This feature is not available in NethServer Enterprise.

Terminal

Execute a standard shell inside a terminal directly accessible from the browser. The shell and the processes will run with the user privileges.

Role delegation

In complex environments, the root user can delegate access to some sections to specific groups of local users.

A local user can be delegated to access:

  • one or more pages of the System section
  • one or more installed applications
  • one or more main sections among Subscription and Software Center

Role delegation is based on local groups: each user belonging to the group will be delegated. Users inside the Domain Admins group are automatically delegated to all panels.

To create a new delegation, access the User & Groups page under the group section, then edit an existing group or create a new one. Select one or more items from the System views and Applications menus.

Even if a user has been delegated, they must be explicitly granted shell access before being able to log into the Server Manager.

The following pages are always accessible to all users:

  • dashboard
  • applications
  • terminal

Two-factor authentication (2FA)

Two-factor authentication (2FA) can be used to add an extra layer of security required to access the new Server Manager. First, users will enter user name and password, then they will be required to provide a temporary verification code generated by an application running on their smartphone.

2FA is disabled by default. Each user can enable it by accessing the Two-factor authentication section under the Settings page, then following these steps:

  1. download and install the preferred 2FA application on the smartphone
  2. scan the QR code with the 2FA application
  3. generate a new code and copy it into the Verification code field, then click Check code
  4. if the verification code is correct, click on the Save button

Two-factor authentication can be enabled for:

  • the new Server Manager
  • SSH when using username and password (access with public key will never require 2FA)

Recovery codes

Recovery codes can be used instead of temporary codes if the user cannot access the 2FA application on the smartphone. Each recovery code is a one-time password and can be used only once.

To generate new recovery codes, disable 2FA, then re-enable it by registering the application again following the above steps.

Smartphone applications

There are several commercial and open source 2FA applications:

Available for both Android and iOS:

Emergency recovery

In case of emergency, 2FA can be disabled by accessing the server from a physical console like a keyboard and a monitor, a serial cable or a VNC-like connection for virtual machines:

  1. access the system with user name and password

  2. execute:

    rm -f ~/.2fa.secret
    sudo /sbin/e-smith/signal-event -j otp-save
    

If needed, the root user can retrieve recovery codes for a user. Use the following command and replace <user> with the actual user name:

    oathtool -w 4 $(cat ~<user>/.2fa.secret)

Example for user goofy:

    # oathtool -w 4 $(cat ~goofy/.2fa.secret)
    984147
    754680
    540025
    425645
    016250
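
What the command above computes, as an added Python example that is not part of the NethServer documentation: without --totp, oathtool runs in HOTP mode (RFC 4226), reads the key as hex and starts at counter 0, so -w 4 prints the codes for counters 0 to 4. The secret used here is the RFC 4226 test key, a constructed sample, and secret_file_is_private is a hypothetical helper name.

```python
import hashlib
import hmac
import os
import stat
import struct


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # low nibble of the last byte selects 4 bytes
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def recovery_codes(hex_secret: str, window: int = 4) -> list:
    """Mirror `oathtool -w WINDOW HEXKEY`: counters 0..window, hex-encoded key."""
    key = bytes.fromhex(hex_secret.strip())
    return [hotp(key, counter) for counter in range(window + 1)]


def secret_file_is_private(path: str) -> bool:
    """Hypothetical check: True if group and others have no access to the file."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode & (stat.S_IRWXG | stat.S_IRWXO) == 0


# Constructed sample: RFC 4226 Appendix D test key ("12345678901234567890" as hex).
SAMPLE_SECRET = "3132333435363738393031323334353637383930"

if __name__ == "__main__":
    for code in recovery_codes(SAMPLE_SECRET):
        print(code)
```

Every recovery code is a fixed function of the stored secret, so anyone who can read ~/.2fa.secret can reproduce the codes; the file should be accessible to its owner only.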