jdrch

Members
  • Content Count

    170
  • Joined

  • Last visited

  • Days Won

    2

Posts posted by jdrch


  1. Running into the same problem

    On 6/24/2020 at 11:34 AM, 7H0M4S said:

    Thanks for your feedback, but as i stated, i used to intall the service wihout troubles before using my credentials. As i can't go past the credential's step now i cannot complete the installation at all as a service ...

     

    Cheers

    Ah, so it is a bug in Resilio.


  2. Ha, I just realized the message Connection settings overridden by config actually means This state of this setting is not controlled or indicated in the web UI. Using

    "listen" : "0.0.0.0:8888"

    does in fact enable the web UI's accessibility to other machines on the LAN, it's just that the web UI won't indicate that to you.

    I'm now able to access Sync on the Ubuntu 20.04 machine from other machines on the LAN via Ubuntu20.04.IP.Address:8888.

    Problem solved!


  3. I'm running the latest Resilio Sync Home Pro on Ubuntu 20.04. I'd like to be able to access the Web UI from any machine on my network. Currently the setting to disable listening only to 127.0.0.1 is grayed out (see attached image) with the message Connection settings overridden by config, as shown below:

    Sync Home Pro HP ProBook 4530s.png

    To find out which config file was being used, I opened System Monitor, filtered the Processes tab for rslsync, and then looked at the Command Line column. There I found /

    usr/bin/rslsync --config /etc/resilio-sync/config.json

    Opening /etc/resilio-sync/config.json reads:

    {
        "storage_path" : "/var/lib/resilio-sync/",
        "pid_file" : "/var/run/resilio-sync/sync.pid",
    
        "webui" :
        {
            "listen" : "127.0.0.1:8888"
        }
    }


    Question:

    How do I enable the listening only setting in the UI via editing the config.json file? Changing

    "listen" : "127.0.0.1:8888" 

    to

    "listen" : "0.0.0.0:8888"

    has no effect on the web UI after I restart the Resilio Sync service using

    # service resilio-sync restart

    If I use

    "listen" : "0.0.0.0"

    instead and then restart the service, the web UI is no longer accessible at all.

    Any ideas?


  4. 5 minutes ago, chrisgull said:

    What you don't get from Windows Home/Pro that I find essential in Server is full storage virtualization features. 

    Fair enough. But you also have to accept what comes with that, too. Namely that enterprise products tend to beget enterprise prices by default unless you explicitly ask for an exception.


  5. 27 minutes ago, chrisgull said:

     

    FTR, your assumptions don't hold. I paid $12 on sale for my Windows Server 2016 Essentials license. Completely legal. I even called Microsoft to verify. List price was $399 for 2016, now $501 for 2019, but nobody seems to pay list price. Now, compare $12 - or $399, or $501 - over, say, five years to $1800 for Sync Business over five years.

    They do hold. The official list prices are what they are. The fact that you may have gotten a new BMW for the price of a used econobox doesn't change the fact that the BMW is a luxury car. When you take it in for service or try to buy aftermarket stuff for it, you're gonna pay just as much as someone who bought it at full price.

    Windows Server is an enterprise product with the usual enterprise trappings whether you paid $12 or nearly $7000 for it.

    Anyway, as staff already pointed out, all you have to do to resolve the issue is contact them directly. I had to do the same myself with TeamViewer because I'm on their free tier but I have so many client instances they thought I was a business. Took a couple weeks but all is good now. That's an easy solution anyone can manage.


  6. 2 hours ago, AOlives said:

    Do Home Pro users have Linux server support? I feel like that'd be a harder thing to limit.

    Non-Windows OSes don't use SKUs per se, plus because pretty much everything that isn't Windows, AIX, or macOS is free my aforesaid assumption of being able to afford an enterprise license by virtue of already paying thousands of USD for an OS license doesn't apply for those other OSes.

    Personally, I run Sync Home Pro on Windows 10 Home & Pro, Android, Ubuntu, Debian, Raspbian, and FreeBSD without any issue.

    UPDATE: manually updated to 2.7.0 on my FreeBSD and Windows machines with no issue.


  7. 1 minute ago, AOlives said:

    Current Pro Home users, who have followed the rules, shouldn't lose functionality,

    We should be grandfathered into server support.

    Grandfathering sounds like a workable solution in theory. Not sure if Resilio has that kind of license server-side granularity, but it would be a useful path forward.


  8. On 5/11/2020 at 1:06 PM, 7H0M4S said:

    Totally agree on this ! Please find a fair way and do not force users to move on a business license that doesn't fit their needs and is very, very expensive !

    What solution would you prefer?

    This is a common issue for just about all paid enterprise software: there's always some cutoff beyond which it's assumed you're running a business and can afford a business license.

    FTR, Windows Server pricing isn't inexpensive or free; so yes it is a reasonable assumption that anyone running WS can afford an enterprise level Sync license. And if you're not running a business, then you can get most of WS' non-domain functionality out of Pro, Pro for Workstations, or Enterprise. If you do need the domain functionality, then it is what it is. Neither Windows now Sync are free solutions; adjust your expectations accordingly.


  9. @PacketMan A couple things about that:

    1. There is no package available in the FreeBSD repos. To see for yourself, run
      pkg search rslsync
      on FreeBSD 12.1-RELEASE-p4. You'll get no results.
    2. The FreshPorts listing literally says there's no package available:
    Quote
    A package is not available for ports marked as: Forbidden / Broken / Ignore / Restricted
    PKGNAME: there is no package for this port: _LICENSE_RESTRICTED = delete-package delete-distfiles
    1. You can't compile it yourself either because it's closed source so there's nothing to compile from
    2. Besides all of that, the most recent version in the FreeBSD repos is 2.6.3, which is a version behind the current stable release

    Now, there are some other FreeBSD-based distros such as GhostBSD that have rslsync in their repos, but I suspect that's because they also use the TrueOS repos, which are a superset of FreeBSD's. I would not suggest anyone use TrueOS' downstream repos on raw FreeBSD unless they want to run into package state/dependency problems.


  10. Yw!

    Seafile is worse than Resilio Sync in every way IMO, but use what works best for you.

    8 hours ago, Mr Fethersmith said:

    So a running system has decrypted its disk already and the files are thus accesible. It is not encrypt-on-write, is it? (Maybe that does not even exist, sorry for my newbieness)

    Encrypted data is impossible to interpret without decryption. This means that all encrypted files must be decrypted before being read. With those 2 facts in mind, here's how full-disk encryption on computers works:

    1. The entire disk is encrypted, including the operating system (OS)
    2. At some point in the boot process, the bootloader (a small operating system that loads the requested OS into RAM and then hands off operation of the machine to it) realizes the disk the OS is on is encrypted, and requests the encryption key so it can start the OS
    3. The encryption key is provided in one of multiple ways depending on your config. We'll come back to this point later
    4. Now, this is the crucial part: the encryption key does not decrypt the entire disk at once. Rather, it decrypts data that is read from the disk in real-time and in memory so that the CPU can perform operations on it. All the data on the disk is still encrypted
    5. Similarly, all data the OS writes to disk is encrypted in memory before it's written to the disk. This includes data synced to Resilio folders on that disk.

    In other words, everything on the disk is always encrypted, regardless of machine state.

    Now, back to point 3. The key can be stored:

    1. internally on the computer itself, typically in a hardware component that we'll call an enclave for the sake of convenience
    2. externally. In this case, the key is provided by the user in the form of a password, biometrics, smart card, USB key, FIDO key, etc.

    Internal

    Pros:

    1. Convenient: machine can be restarted and booted up without the user being present. This is good for unattended updates and patching

    Cons:

    1. Because the encryption key is stored onboard, eventually at some point someone will discover an unpatchable vulnerability that can be used to extract it. You can avoid this by upgrading to a newer machine (security isn't inexpensive.)
    2. Enclave support in non-Windows OSes is hit or miss

    Windows and macOS have the best implementations of this.

    External

    Pros:

    1. Since the key is stored elsewhere, it's can be more difficult to crack than internal methods, especially if you use a FIDO 2FA token, for example

    Cons:

    1. Key has to be manually provided, which means OS can't automatically complete reboot and remote reboots are (mostly) impossible. OS can't effectively (kernel) patch itself There are ways around this but they're not inexpensive.

    Most OSes are on approximately equal footing here. It's gonna be easier on Windows and macOS but still possible otherwise.

    Now to something I forgot to talk about previously: the actual backup part of your strategy.

    You'll need to make backups of the synced files on the target devices, preferably to a separate disk. While that disk may be encrypted, it doesn't necessarily have to be, because Veeam Agent Free (Windows) and Restic (everything else) both allow encrypted backups.

    Another way

    Another way around this is to use Restic or Duplicati on one of (you only need one because they're all synced) your local machines + OpenVPN or Wireguard from the remote backup targets. Have the backup targets all connect to your LAN automatically via OpenVPN or Wireguard, then use Restic (which encrypts backups by default) or Duplicati (same) to push backups to the remote targets. Since the backups are encrypted with a locally stored key, you don't have to encrypt the targets, and your backups are both secure and unreadable by anyone without the password. This also eliminates the need for an extra disk at the target. You'll need to setup dynamic DNS on your local LAN so your remote targets always connect to the same URL. Set up unattended-upgrades on the remote Pis so they can keep themselves secure and updated.

    Much of this method is outside the scope of this forum as it doesn't involve Resilio Sync; I'd ask at r/OpenVPN, r/homelab, r/datahoarder, &/or r/raspberry_pi on Reddit if you have further questions.

    ______________________________________________________

    I know this is a lot to absorb at once, so don't be disappointed or overwhelmed if you don't understand it right away. None of this is easy. If you want to use Raspberry Pis, the Another way method might be the easiest, since Pis weren't designed with device security in mind and I don't think they support disk encryption very well. If you want to the targets themselves to be disk-encrypted then you need recent x86-64 PCs.


  11. The biggest problem with your idea is that sync != backup. While you can certainly use Resilio Sync, you'll need something else at the backup locations too.

    Quote

    if there is a way of installing a linux distro (or freebsd) that would encrypt files on write (even non-encrypted resilio folders).

    Not necessary. All you need is whole disk (or volume) encryption on the target device. This will render the entire device unreadable without your credentials. It's essential that you do this, because your friends and family are legally responsible for any data physically located in their homes. This means that if the data is readable, you open them to legal risks.

    Quote

    one can "deploy and forget" resilio instances?

    No computing system is 100% deploy and forget. Also, I'm not so sure about Pis and encrypted disk/volume support. A better option might be lightly used enterprise PCs such as any of these that fit these specs. Then you could install either Linux with disk/volume encryption +

    unattended upgrades

    or Windows 10 with Bitlocker (you'll need a PC with a TPM for this) and automatic updates enabled. Throw in TeamViewer and you can manage them remotely as needed.


  12. 2 minutes ago, eltopo said:

    I suggest that do NOT run rslsync as root. run it as a normal user with webui's listening port > 1024.

    It's standard Unix(-like) practice not to, but TBH I haven't seen any major case of compromised root process KOing a Unix(-like) OS in a very long time.

    The biggest reason not to, IMO, is that rslsync as root makes the user's own synced files read-only to them, which is problematic.


  13. I wrote a simple guide on how to do the above. It works on FuryBSD too and can also be used to switch an installation from being run under root to being run under user without resinstalling.

    For distributions such as GhostBSD that have an rslsync package available in their repos: the only thing in the instructions that might change is you install & update from the repo using your package manager instead of manually from the archive.

    Thanks @Alex. for the assistance.