Merge branch 'master' into v7

administrator-manual/en/.tx/config

@@ -126,13 +126,6 @@ source_lang = en
 type = PO
 
 
-[docs-v7.webtop4]
-file_filter = locale/<lang>/LC_MESSAGES/webtop4.po
-source_file = _build/locale/webtop4.pot
-source_lang = en
-type = PO
-
-
 [docs-v7.webmail]
 file_filter = locale/<lang>/LC_MESSAGES/webmail.po
 source_file = _build/locale/webmail.pot
@@ -189,13 +182,6 @@ source_lang = en
 type = PO
 
 
-[docs-v7.webvirtmgr]
-file_filter = locale/<lang>/LC_MESSAGES/webvirtmgr.po
-source_file = _build/locale/webvirtmgr.pot
-source_lang = en
-type = PO
-
-
 [docs-v7.backup]
 file_filter = locale/<lang>/LC_MESSAGES/backup.po
 source_file = _build/locale/backup.pot

administrator-manual/en/access.rst

@@ -69,3 +69,22 @@ Logout
 Terminate the current Server Manager session by going to the
 :guilabel:`root@host.domain.com` label on the upper right corner of the screen
 and by clicking on :guilabel:`Logout`.
+
+Session timeouts
+================
+
+By default (starting from |product| 7.5.1804), a Server Manager session
+terminates after **15 minutes of inactivity** and expires after **8 hours after
+the login**.
+
+The following shell command sets 15 minutes of idle timeout, and 24 hours of
+maximum session life time. Time is expressed in seconds: ::
+    
+    config setprop httpd-admin MaxSessionIdleTime 900 MaxSessionLifeTime 86400
+
+To disable the timeouts ::
+    
+    config setprop httpd-admin MaxSessionIdleTime '' MaxSessionLifeTime ''
+
+The new timeout values will affect new sessions. They do not change any active
+session.

administrator-manual/en/accounts.rst

@@ -371,6 +371,20 @@ User short name form
 
 To access a shared folder, see also :ref:`smb-access-section`.
 
+.. _home_bind-section:
+
+User home directories
+---------------------
+
+User home directories are stored inside :file:`/var/lib/nethserver/home` directory,
+in order to simplify the deployment of a single-growing partition system.
+
+The administrator can still restore the well-known :file:`/home` path using the bind mount: ::
+
+   echo "/var/lib/nethserver/home	/home	none	defaults,bind	0 0" >> /etc/fstab
+   mount -a
+
+
 .. _groups-section:
 
 Groups

administrator-manual/en/base_system.rst

@@ -246,7 +246,7 @@ Disable Let's Encrypt
 
 Let's Encrypt certificate can be disabled following these steps:
 
-1. Access the guilabel:`Server certificate` page, set as default the self-signed certificate or an uploaded one
+1. Access the :guilabel:`Server certificate` page, set as default the self-signed certificate or an uploaded one
 2. Open the shell and execute the following commands: 
 
    ::

administrator-manual/en/conf.py

@@ -93,7 +93,7 @@
 .. |product| replace:: NethServer Enterprise
 .. |product_voice| replace:: NethVoice
 .. |product_cti| replace:: NethCTI
-.. |download_site| replace:: `helpdesk.nethesis.it <http://helpdesk.nethesis.it/solution/folders/3000008164>`__
+.. |download_site| replace:: `helpdesk.nethesis.it <http://helpdesk.nethesis.it/solution/articles/3000073996-download-iso-nethserver-enterprise>`__
 .. |ks_keyboard| replace:: :samp:`us`
 .. |ks_timezone| replace:: :samp:`UTC`
 .. |ks_language| replace:: :samp:`en_US`

administrator-manual/en/fail2ban.rst

@@ -0,0 +1,124 @@
+========
+Fail2ban
+========
+
+Fail2ban scans log files (e.g. :file:`/var/log/apache/error_log`) and bans IPs that show the malicious signs – too many password failures, seeking for exploits, etc. Generally Fail2Ban is then used to update firewall rules to reject the IP addresses for a specified amount of time, although any arbitrary other action (e.g. sending an email) could also be configured. Out of the box Fail2Ban comes with filters for various services (Apache, Dovecot, Ssh, Postfix, etc).
+
+Fail2Ban is able to reduce the rate of incorrect authentications attempts however, it cannot eliminate the risk that weak authentication presents. To improve the security, open the access to service only for secure networks using the firewall.
+
+Installation
+============
+
+Install from the Software Center or use the command line: ::
+
+  yum install nethserver-fail2ban
+
+
+Settings
+========
+
+Fail2ban is configurable in the security category of the server-manager. Most of settings can be changed in the :guilabel:`Configuration` tab, only really advanced settings must be configured by the terminal. The :guilabel:`Ban status` tab displays the statistic and the banned IPs.
+
+Jails
+-----
+
+A jail is enabled and start to protect a service when you install a new module, the relevant jail (if existing) is automatically activated after the package installation.
+
+
+All jails can be disabled individually in the Jails settings.
+
+Number of attempts
+    Number of matches (i.e. value of the counter) which triggers ban action on the IP.
+
+Time span
+    The counter is set to zero if no match is found within "findtime" seconds.
+
+Ban Time
+    Duration for IP to be banned for.
+
+Recidive jail is perpetual
+    When an IP goes several time in jail, the recidive jail bans it for a much longer time. If enabled, it is perpetual.
+
+Network
+-------
+
+Allow bans on the LAN
+    By default the failed attempts from your Local Network are ignored, except when you enabled the option.
+
+
+IP/Network Whitelisting
+    IP listed in the text area will be never banned by fail2ban (one IP per line). Network could be allowed in the Trusted-Network panel.
+
+Email
+-----
+
+Send email notifications
+    Enable to send administrative emails.
+
+Administrators emails
+    List of email addresses of administrators (one address per line).
+
+Notify jail start/stop events
+    Send email notifications when a jail is started or stopped.
+
+Unban IP
+--------
+
+IPs are banned when they are found several times in log, during a specific find time. They are stored in a database to be banned again each time your restart the server or the service. To unban an IP you can use the :guilabel:`Ban status` tab.
+
+Tools
+=====
+
+Fail2ban-client
+---------------
+
+Fail2ban-client is part of the fail2ban rpm, it gives the state of fail2ban and all available jails: ::
+
+  fail2ban-client status
+
+To see a specific jail : ::
+
+  fail2ban-client status sshd
+
+To see which logfiles are monitored for a jail: ::
+
+  fail2ban-client get nginx-http-auth logpath
+
+Fail2ban-listban
+----------------
+
+Fail2ban-listban counts the IPs currently and totally banned in all activated jails, at the end it shows the IPs which are still banned by shorewall. ::
+
+  fail2ban-listban
+
+Fail2ban-regex
+--------------
+
+Fail2ban-regex is a tool which is used to test the regex on you logs, it is a part of fail2ban software. Only one filter is allowed per jail, but it is possible to specify several actions, on separate lines.
+
+The documentation is `readable at the fail2ban project <http://fail2ban.readthedocs.io/en/latest/filters.html>`_. 
+
+::
+
+  fail2ban-regex /var/log/YOUR_LOG /etc/fail2ban/filter.d/YOUR_JAIL.conf --print-all-matched
+
+You can also test custom regex directly: ::
+
+  fail2ban-regex /var/log/secure '^%(__prefix_line)s(?:error: PAM: )?[aA]uthentication (?:failure|error) for .* from <HOST>( via \S+)?\s*$'
+
+Fail2ban-unban
+--------------
+
+Fail2ban-unban is used to unban an IP when the ban must be removed manually. ::
+
+  fail2ban-unban <IP>
+
+You can use also the built-in command with fail2ban-client: ::
+
+  fail2ban-client set <JAIL> unbanip <IP>
+
+Whois
+=====
+
+If you desire to query the IP ``whois`` database and obtain the origin of the banned IP by email, you could  Install the ``whois`` rpm.
+

administrator-manual/en/firewall.rst

@@ -201,7 +201,7 @@ When you create a port forward, you must specify at least the following paramete
 * The source port
 * The destination port, which can be different from the origin port
 * The address of the internal host to which the traffic should be redirected
-* It's possibile to specify a port range using a colon as separator in the source port field (eX: 1000:2000), in this case the field destination port must be left void
+* It's possible to specify a port range using a colon as separator in the source port field (eg: 1000:2000), in this case the field destination port must be left void
 
 Example
 -------
@@ -211,7 +211,7 @@ Given the following scenario:
 * Internal server with IP 192.168.1.10, named Server1
 * Web server listening on port 80 on Server1
 * SSH server listening on port 22 on Server1
-* Other services in the port range beetween 5000 and 6000  on Server1
+* Other services in the port range between 5000 and 6000  on Server1
 
 If you want to make the web server available directly from public networks, you must create a rule like this:
 
@@ -229,13 +229,13 @@ In case you want to make accessible from outside the SSH server on port 2222, yo
 
 All incoming traffic on firewall's red interfaces on port 2222, will be redirected to port 22 on Server1.
 
-In case you want to make accessible from outside the server on the whole port range beetween 5000 and 6000, you will have to create a port forward like this:
+In case you want to make accessible from outside the server on the whole port range between 5000 and 6000, you will have to create a port forward like this:
 
 * origin port: 5000:6000
 * destination port: 
 * host address: 192.168.1.10
 
-All incoming traffic on firewall's red interfaces on port range beetween 5000 and 6000 will be redirected to same ports on Server1.
+All incoming traffic on firewall's red interfaces on port range between 5000 and 6000 will be redirected to same ports on Server1.
 
 Limiting access
 ---------------
@@ -283,27 +283,96 @@ Traffic shaping
 In this way it is possible to optimize the transmission, check the latency and tune 
 the available bandwidth. 
 
-To enable traffic shaping it is necessary to know the amount of available bandwidth in both directions 
-and fill in the fields indicating the speed of the Internet link. Be aware 
-that in case of congestion by the provider there is nothing to do in order to improve performance. 
-
-Traffic shaping rules can be configured from the :menuselection:`Firewall rules` page,
-while the available bandwidth can be set from the :menuselection:`Network` page for all red interfaces.
-
-The system provides two levels of priority, high and low: as default all traffic has medium priority.
-It is possible to assign high or low priority to certain services based on the port used (eg low traffic peer to peer). 
-
-The system works even without specifying  services to high or low priority, 
-because, by default, the interactive traffic is automatically run at high priority 
-(which means, for example, it is not necessary to specify ports for VoIP traffic or SSH). 
-Also ICMP ping traffic is guaranteed high priority. 
+To enable traffic shaping it is necessary to know the exact amount of available download and upload bandwidth.
+Access the :guilabel:`Network` page and carefully set bandwidth values.
 
+If download and upload bandwidth are not set for a red interface, traffic shaping rules will not be
+enabled for that interface.
 
 .. note::
 
    Be sure to specify an accurate estimate of the bandwidth on network interfaces.
    To pick an appropriate setting, please do not trust the nominal value,
-   but use the online tools to test the real provider speed.
+   but use online tools to test the real provider speed.
+
+   In case of congestion by the provider, there is nothing to do in order to improve performance.
+
+
+Configuration of traffic shaping is composed by 2 steps:
+
+- creation of traffic shaping classes
+- assignment of network traffic to a specific class
+
+Classes
+-------
+
+Traffic shaping is achieved by controlling how bandwidth is allocated to classes.
+
+Each class can have a reserved rate. A reserved rate is the bandwidth a class will get only when it needs it.
+The spare bandwidth is the sum of not commited bandwidth, plus the committed bandwidth of a class but 
+not currently used by the class itself.
+
+Each class can have also a maximum rate. If set, the class can exceed its committed rate, up to the maximum rate.
+A class will exceed its committed rate only if there is spare bandwidth available.
+
+Traffic shaping classes can be defined under :guilabel:`Traffic shaping` page.
+When creating a new class, fill the following fields:
+
+* :guilabel:`Class name`: a representative name
+* :guilabel:`Min download (%)`: minimum reserved download bandwidth, if empty no download reservation will be created
+* :guilabel:`Max download (%)`: maximum allowed download bandwidth, if empty no upper limit will be set
+* :guilabel:`Min upload (%)`:  minimum reserved upload bandwidth, if empty no upload reservation will be created
+* :guilabel:`Max upload (%)`: maximum allowed download bandwidth, if empty no upper limit will be created
+* :guilabel:`Description`: optional description for the class
+
+The system provides two pre-configured classes:
+
+- :guilabel:`high`: generic high priority traffic, can be assigned to something like SSH
+- :guilabel:`low`: low priority traffic, can be assigned to something like peer to peer file exchange
+
+
+The system always tries to prevent traffic starvation under high network load.
+
+Classes will get spare bandwidth proportionally to their committed rate.
+So if class A has 1Mbit committed rate and class B has 2Mbit committed rate, class B will get twice the spare bandwidth of class A.
+In all cases all spare bandwidth will be given to them.
+
+
+For more info, see [#]_ .
+
+Advanced options
+----------------
+
+Under :guilabel:`Configure` page, the following options are available:
+
+- Enable TOS optimizations
+- Reserve bandwidth for VoIP (%)
+
+Enable TOS optimizations
+^^^^^^^^^^^^^^^^^^^^^^^^
+
+This option is enabled by default and classify the traffic using TOS (Type Of Service) bits.
+
+The type of service field in the IPv4 header can identify the traffic type.
+It's used to specify a datagram's priority, request a route for low delay or maximize throughput.
+
+Built-in traffic shaping classes apply to the following TOS categories:
+
+- interactive
+- bulk
+
+
+Reserve bandwidth for VoIP (%)
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+This option is disabled by default.
+It takes a numeric value which identifies the percentage of total bandwidth reserved for VoIP traffic (SIP, RTP and STUN).
+
+Be sure to commit the right amount of bandwidth for each concurrent call. Each call requires:
+
+* ~32Kbps for G729 codec
+* ~40Kbps for GSM codec
+
 
 
 Firewall objects
@@ -325,7 +394,7 @@ There are 6 types of objects, 5 of them represent sources and destinations:
 
 .. index:: zone
 
-* *Zone*: representing networks of hosts, they must be expressed in CIDR notation. Their usage is for defining a part of a network with different firewall rules from those of the nominal interface. They are used for very specific needs.
+* Zone: representing networks of hosts, they must be expressed in CIDR notation. Their usage is for defining a part of a network with different firewall rules from those of the nominal interface. They are used for very specific needs.
 
 .. note:: By default, all hosts belonging to a zone are not allowed to do any type of traffic. It's necessary to create all the rules on the firewall in order to obtain the desired behavior.
 
@@ -367,3 +436,6 @@ To enable traffic only from well-known hosts, follow these steps:
 .. note:: Remember to create at least one DHCP reservation before enabling the IP/MAC binding mode,
    otherwise no hosts will be able to manage the server using the web interface or SSH.
 
+.. [#]
+   FireQOS tutorial:
+   https://github.com/firehol/firehol/wiki/FireQOS-Tutorial

administrator-manual/en/hotsync.rst

@@ -141,10 +141,12 @@ The following procedure puts the SLAVE in production when the master has crashed
 
     [root@slave]# /sbin/e-smith/signal-event post-restore-data
 
-7. if an USB backup is configured on MASTER, connect the backup HD to SLAVE
+7. update the system to the latest packages version ::
 
+    [root@slave]# yum clean all && yum -y update
+
+8. if an USB backup is configured on MASTER, connect the backup HD to SLAVE
 
-==================
 Supported packages
 ==================