Merge pull request #490 from NethServer/master

Multiple releases

administrator-manual/en/bandwidth_monitor.rst

@@ -1,3 +1,5 @@
+.. _ntopng-section:
+
 =================
 Bandwidth monitor
 =================

administrator-manual/en/base_system2.rst

@@ -103,9 +103,16 @@ The administrator can mount new local or remote disks, manage RAID arrays and LV
 SSH
 ---
 
-The :index:`ssh` page displays the number of current SSH connection.
-From this section the administrator can change the OpenSSH listening port, disable root login or
-password authentication.
+The :index:`SSH` page displays the number of current SSH connections. From this
+section the administrator can change the OpenSSH listening port, disable root
+login and password authentication.
+
+It is possible to selectively grant SSH and :index:`SFTP` access to some groups,
+while administrators are always granted access to SSH and SFTP.
+
+SSH and SFTP permissions are available once the :guilabel:`System > Settings >
+Shell policy > Override the shell of users` has been enabled.
+
 
 .. _settings-section:
 
@@ -161,6 +168,22 @@ Password change
 
 The settings page also includes a panel to let users change their password, including the root user.
 
+Shell policy
+^^^^^^^^^^^^
+
+This setting can be used to enable or disable the shell that is needed to use new Server Manager
+and the SSH service. If this option is enabled the user's shell setting under the :guilabel:`Users and Groups` page is ignored
+and it is considered always enabled.
+
+User settings page
+^^^^^^^^^^^^^^^^^^
+
+When the :guilabel:`Enable user settings page` options is enabled, users can change their password and other settings on a web page outside
+Cockpit (on port 443). The default page is :guilabel:`/user-settings`. This feature can be enabled only if
+:guilabel:`Shell Policy` is enabled as well.
+
+The access to the page can be limited only from Trusted Networks.
+
 .. _logs-section:
 
 Logs
@@ -277,6 +300,12 @@ under :guilabel:`Settings` page, then following these steps:
 3. generate a new code and copy it inside :guilabel:`Verification code` field, than click :guilabel:`Check code`
 4. if the verification code is correct, click on the :guilabel:`Save` button
 
+Two-factor authentication can be enabled for:
+
+- the new Server Manager
+- SSH when using username and password (access with public key will never require 2FA)
+
+
 Recovery codes
 --------------
 
@@ -304,5 +333,20 @@ a serial cable or a VNC-like connection for virtual machines:
 
 1. access the system with user name and password
 2. execute: ::
+
      rm -f ~/.2fa.secret
      sudo /sbin/e-smith/signal-event -j otp-save
+
+Eventually, the root user can retrieve recovery codes for a user.
+Use the following command and replace ``<user>`` with the actual user name : ::
+
+  oathtool -w 4 $(cat ~<user>/.2fa.secret)
+
+Example for user ``goofy``: ::
+
+  # oathtool -w 4 $(cat ~goofy/.2fa.secret)
+  984147
+  754680
+  540025
+  425645
+  016250

administrator-manual/en/dedalo.rst

@@ -1,3 +1,5 @@
+.. _dedalo-section:
+
 ================
 Hotspot (Dedalo)
 ================

administrator-manual/en/disaster_recovery.rst

@@ -49,6 +49,7 @@ Please, follow below steps:
    to be restored directly from the :guilabel:`From backup` field.
 
 5. Map network interface names from the backup to the running system.
+   This step is required only if :guilabel:`Restore network configuration` option is enabled.
 
 6. Click the :guilabel:`Restore` to start the restore process.
 
@@ -62,9 +63,11 @@ Please, follow below steps:
    To restore all files, click on :guilabel:`Restore` button under the **Data Backup** section,
    select the name of the backup and click the :guilabel:`Restore` button.
 
-   Please bear in mind that the restore process can last from minutes to hours depending
-   on the storage backend speed.
+Please bear in mind that the restore process can last from minutes to hours depending
+on the storage backend speed.
 
+If the :guilabel:`Restore network configuration` was not enabled, further steps
+may be required to restore all applications. See :ref:`skip-network-restore-section` for more details.
 
 Old Server Manager
 ------------------
@@ -165,3 +168,115 @@ the configuration at boot-time, to ensure a minimal network
 connectivity and login again on the Server Manager.
 
 
+.. _skip-network-restore-section:
+
+Skip network restore
+--------------------
+
+Network configuration is restored by default, but sometimes it is necessary to restore an 
+installation on a different hardware without migrating the network configuration.
+This is a common scenario when moving a virtual machine from a VPS provider to another.
+
+To disable the network restore, make sure to disable the :guilabel:`Restore network configuration` option from
+the new Server Manager.
+
+Since some application configurations depend on network interface names, not everything can be automatically restored.
+
+DHCP
+^^^^
+
+DHCP servers on non-existing interfaces will be deleted.
+If needed, please reconfigure the DHCP from the Server Manager.
+See also :ref:`dhcp-section` for more general information.
+
+Samba Active Directory
+^^^^^^^^^^^^^^^^^^^^^^
+
+.. warning::
+
+  Restoring a local Samba Active Directory without the :guilabel:`Restore
+  network configuration` option enabled is highly discouraged. Read carefully this section.
+
+Samba Active Directory requires a network bridge and an additional, free IP
+address in the green zone for the local running container.
+
+If both the bridge exists and the IP address suits the current network
+configuration, the container will continue running after the restore.
+
+Otherwise Samba Active Directory is forcibly stopped.
+To enable it again:
+
+- from the :guilabel:`Network` page, create the bridge, e.g. ``br0``
+- find an unused IP address in your green network, e.g. ``192.168.1.11``
+- reconfigure the container from command line: ::
+
+    config setprop nsdc bridge br0 status enabled
+    signal-event nethserver-dc-change-ip 192.168.1.11
+
+- fix the DC sysvol ACLs: ::
+
+    /etc/e-smith/events/actions/nethserver-dc-sysvolreset
+
+More info about :ref:`ad-local-accounts-provider-section`.
+
+Firewall
+^^^^^^^^
+
+At the end of restore the firewall will:
+
+- delete all WAN providers
+- delete all zones connected to non-existing network interface
+- disable all rules using a non-existing zone or a non-existing role
+
+The administrator can access the Server Manager to create missing zones and roles.
+Finally, all previously disabled rules can be manually enabled again.
+
+See :ref:`firewall_new-section`.
+
+Web proxy
+^^^^^^^^^
+
+Web proxy priority rules using non-existing zones will be disabled.
+Before re-enabling such rules, make sure the zones have been created.
+
+More info on priority rules: :ref:`squid_rules-section`.
+
+OpenVPN tunnels
+^^^^^^^^^^^^^^^
+
+OpenVPN tunnel servers contain a field named :guilabel:`Public address`.
+If such field uses only public DNS names, no action is required.
+Otherwise, insert the new public IP address inside the field and update tunnel clients accordingly.
+
+See also OpenVPN :ref:`ovpn_tunnel-section`.
+
+OpenVPN roadwarrior
+^^^^^^^^^^^^^^^^^^^
+
+OpenVPN roadwarrior server exposes a field named :guilabel:`Contact this server on public IP / host`.
+If such field uses only public DNS names, no action is required.
+Otherwise, insert the new public IP address inside the field and update roadwarrior clients accordingly.
+
+See also OpenVPN :ref:`ovpn_roadwarrior-section`.
+
+IPSec tunnels
+^^^^^^^^^^^^^
+
+Only IPSec tunnels configured with a dynamic red interface will be disabled.
+Access the Server Manager, edit the disabled tunnel by selecting a new red interface and enable it again.
+
+More info at :ref:`ipsec-section`.
+
+Dedalo hotspot
+^^^^^^^^^^^^^^
+
+Dedalo hotspot will be disabled if the system does not have a network interface configured with the ``hotspot`` role.
+If the Dedalo is disabled, just reconfigure following :ref:`dedalo-section` chapter.
+
+ntopng
+^^^^^^
+
+ntopng must be reconfigured. Access the :guilabel:`Bandwidth monitor` page inside the old Server Manager.
+Then enable the service and select network interfaces to monitor.
+
+See also :ref:`ntopng-section`.

administrator-manual/en/index.rst

@@ -64,6 +64,7 @@ Administrator Manual
     :maxdepth: 1
 
     launcher
+    sandbox
 
 .. toctree::
    :maxdepth: 1

administrator-manual/en/locale/es/LC_MESSAGES/blacklist.po

@@ -0,0 +1,118 @@
+# #-#-#-#-#  blacklist.pot (NethServer 7)  #-#-#-#-#
+# SOME DESCRIPTIVE TITLE.
+# Copyright (C) 2020, Nethesis Srl and the NethServer project contributors
+# This file is distributed under the same license as the NethServer package.
+# FIRST AUTHOR <EMAIL@ADDRESS>, YEAR.
+# 
+# #-#-#-#-#  blacklist.pot (NethServer Enterprise 7)  #-#-#-#-#
+# SOME DESCRIPTIVE TITLE.
+# Copyright (C) 2020, Nethesis Srl and the NethServer project contributors
+# This file is distributed under the same license as the NethServer Enterprise package.
+# FIRST AUTHOR <EMAIL@ADDRESS>, YEAR.
+# 
+#, fuzzy
+msgid ""
+msgstr ""
+"Project-Id-Version: NethServer Enterprise 7\n"
+"Report-Msgid-Bugs-To: \n"
+"POT-Creation-Date: 2020-03-10 10:33+0100\n"
+"PO-Revision-Date: 2020-03-10 09:33+0000\n"
+"Language-Team: Spanish (https://www.transifex.com/nethserver/teams/35834/es/)\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+"Language: es\n"
+"Plural-Forms: nplurals=2; plural=(n != 1);\n"
+
+#: ../../blacklist.rst:3
+msgid "Threat shield"
+msgstr ""
+
+#: ../../blacklist.rst:7
+msgid ""
+"The configuration page of this module is available only in the new Server "
+"Manager."
+msgstr ""
+
+#: ../../blacklist.rst:10
+msgid ""
+"The threat shield blocks connections to and from malicious hosts, preventing"
+" attacks, service abuse, malware, and other cybercrime activities. The "
+"package can be installed both on firewalls and on machines without a red "
+"interface, like mail servers or PBXs."
+msgstr ""
+
+#: ../../blacklist.rst:15
+msgid "Configuration"
+msgstr ""
+
+#: ../../blacklist.rst:17
+msgid ""
+"First, access the threat shield web interface to set the download URL for "
+"the blacklists."
+msgstr ""
+
+#: ../../blacklist.rst:19
+msgid ""
+"After setting the URL, the administrator can choose what :index:`blacklist` "
+"categories should be enabled. Each category can have a "
+":guilabel:`Confidence` score between 0 and 10. Categories with a higher "
+"confidence are less prone to false positives."
+msgstr ""
+
+#: ../../blacklist.rst:23
+msgid "Enabled categories will be automatically updated at regular intervals."
+msgstr ""
+
+#: ../../blacklist.rst:25
+msgid ""
+"The download URL must contain a valid GIT repository. Administrators can "
+"choose a public repository, like `Firehol ipsets one "
+"<https://github.com/firehol/blocklist-ipsets>`_, or subscribe to a "
+"commercial service. If the machine has a Community or an Enterprise "
+"subscription, the access to the URL will be authenticated using system id "
+"and secret."
+msgstr ""
+
+#: ../../blacklist.rst:30
+msgid ""
+"Experienced administrators can also `setup their own blacklist server "
+"<https://docs.nethserver.org/projects/nethserver-devel/en/latest/nethserver-"
+"blacklist.html#setup-a-blacklist-server>`_."
+msgstr ""
+
+#: ../../blacklist.rst:33
+msgid "Whitelist"
+msgstr ""
+
+#: ../../blacklist.rst:35
+msgid ""
+"In case of a false positive, a host or a CIDR can be added to the local "
+":guilabel:`Whitelist`. If the firewall module is installed, the whitelist "
+"will also accept host and CIDR firewall objects."
+msgstr ""
+
+#: ../../blacklist.rst:38
+msgid ""
+"Hosts should be added to the whitelist only for a limited period of time. As"
+" a best pratice, when a false positive is found, please report it to the "
+"blacklist maintainer."
+msgstr ""
+
+#: ../../blacklist.rst:42
+msgid "Incident response"
+msgstr ""
+
+#: ../../blacklist.rst:44
+msgid ""
+"The :guilabel:`Analysis` page displays most recent attacks which can be "
+"filtered by source, destination, protocol and port. Using the "
+":guilabel:`Check IP address` section, administrators can also check if a "
+"given IP has been blacklisted by an enabled category."
+msgstr ""
+
+#: ../../blacklist.rst:47
+msgid ""
+"For advanced log analysis with regular expressions support, use the "
+":guilabel:`Logs` page."
+msgstr ""