SOLVED Which services should not be active simultaneously

Status
Not open for further replies.

itskando

Contributor
Joined
Apr 30, 2018
Messages
172
I believe I read somewhere that
it is poor form to have certain services active simultaneously.

It might have had to do with permissions,
but the question isn't limited to that:

Which services should not be simultaneously active,
because they might conflict with each other?


I think I plan to use FTP, SMART, SMB/CIFS, SSH, UPS.
(I'm running a NAS server for media storage, PC backup, and Plex.)

I think it's only shares which conflict,
but I wanted to be sure.

Are there any services which I've overlooked,
which I should be using?
 

fracai

Guru
Joined
Aug 22, 2012
Messages
1,212
The recommendation is to not have multiple File Sharing services active at the same time as concurrent access to the same files over different services can lead to data corruption.
 

itskando

Contributor
Joined
Apr 30, 2018
Messages
172
The recommendation is to not have multiple File Sharing services active at the same time as concurrent access to the same files over different services can lead to data corruption.

Under the freeNAS : Sharing documentation:

It is generally a mistake to share a pool or dataset with more than one share type or access method. Different types of shares and services use different file locking methods. For example, if the same pool is configured to use both NFS and FTP, NFS will lock a file for editing by an NFS user, but an FTP user can simultaneously edit or delete that file. This results in lost edits and confused users. Another example: if a pool is configured for both AFP and SMB, Windows users can be confused by the “extra” filenames used by Mac files and delete them. This corrupts the files on the AFP share. Pick the one type of share or service that makes the most sense for the types of clients accessing that pool, and use that single type of share or service. To support multiple types of shares, divide the pool into datasets and use one dataset per share.

If I need to keep SMB up for time-machine backup services,
should I be shutting SMB services down when I turn on FTP (or SSH),
and then reverting to FTP off and SMB on when I'm finished?

.

I've only used FTP locally so far,
but I believe I'll eventually set up remote use.
In preparation for this:

What is the typical method of enabling and disabling services remotely?

Can the web browser GUI be accessed once an SSH connection has been made?

Does this mean it is best to always leave SSH enabled,
and to simply shut down SMB when altering files using SSH or
enabling FTP (for remote or local use),
being especially careful not to make use of
any two services simultaneously?
 

fracai

Guru
Joined
Aug 22, 2012
Messages
1,212
For that usage I wouldn't expect any issues. As the documentation mentions, it's concerned with file locking and concurrent access. Only TimeMachine needs to access the TimeMachine files and it won't have any reason to access the files that anyone else would be accessing via FTP or SSH.

Worry less about accessing the services simultaneously and more about accessing the same files. Odds are though, you'll have zero issues with having SMB, FTP, and SSH enabled. See other threads for concerns about making services available outside your local network. TL;DR: use a VPN.
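
The locking mismatch described in the quoted documentation, and the reason the advice above is about the same files rather than the same services, shown as an added example that is not part of the thread or of FreeNAS: one client honours an advisory `flock` lock while a second writer never checks it. The function names and the temporary file are constructed for illustration; real SMB, NFS and FTP daemons each use their own locking code.

```python
import fcntl
import os
import tempfile


def lock_aware_open(path):
    """Open read/write and take an exclusive advisory lock; None if already held."""
    fd = os.open(path, os.O_RDWR)
    try:
        fcntl.flock(fd, fcntl.LOCK_EX | fcntl.LOCK_NB)
    except BlockingIOError:
        os.close(fd)
        return None
    return fd


def lock_unaware_write(path, data):
    """Replace the file's contents without consulting any lock."""
    with open(path, "wb") as f:
        f.write(data)


def read_all(path):
    with open(path, "rb") as f:
        return f.read()


def demo():
    fd, path = tempfile.mkstemp()            # constructed sample file
    os.write(fd, b"original\n")
    os.close(fd)
    try:
        editor = lock_aware_open(path)       # service A: a user starts editing
        draft = os.read(editor, 4096)
        refused = lock_aware_open(path) is None   # second service-A client is refused
        lock_unaware_write(path, b"upload via service B\n")
        landed = read_all(path) == b"upload via service B\n"
        # Service A saves its edit, built on the stale draft it read earlier.
        os.lseek(editor, 0, os.SEEK_SET)
        os.ftruncate(editor, 0)
        os.write(editor, draft + b"edit by A\n")
        fcntl.flock(editor, fcntl.LOCK_UN)
        os.close(editor)
        return {"second_lock_refused": refused,
                "unlocked_write_landed": landed,
                "final": read_all(path)}
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(demo())
```

The lock stops only the client that asks for it; the other writer's upload lands and is then silently overwritten, which is the "lost edits" case. Two services touching different files never reach this path.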
 

itskando

Contributor
Joined
Apr 30, 2018
Messages
172
For that usage I wouldn't expect any issues. As the documentation mentions, it's concerned with file locking and concurrent access. Only TimeMachine needs to access the TimeMachine files and it won't have any reason to access the files that anyone else would be accessing via FTP or SSH.

I agree about Time Machine.
I'm less worried about Time Machine and more about
simultaneous use with media storage.

Change permissions with FTP while
changing higher level path name with SSH while
viewing file contents with SMB and
transcoding contents with Plex.

That sort of thing.

.

Worry less about accessing the services simultaneously and more about accessing the same files.

That's definitely a concern, as described above.

If I'm going to edit my media files,
should I be shutting down Plex,
shutting down SMB, (specifically to be sure no one else is editing anything), and
making especially sure that I'm not editing a path in two ways, such as

• Changing a path name in FTP while also syncing the same path in FTP (using Transmit)
• Changing a path name in FTP while changing permissions of that path in SSH

.

Odds are though, you'll have zero issues with having SMB, FTP, and SSH enabled. See other threads for concerns about making services available outside your local network. TL;DR: use a VPN.

There's this guide to encrypting transmissions (prerequisite: own a domain).
Does this replace a VPN?
 

j0hnby

Explorer
Joined
Apr 22, 2017
Messages
68
How many people are going to be accessing your server/sharing services?
 

fracai

Guru
Joined
Aug 22, 2012
Messages
1,212
Yeah, with a single user I can't see you running into issues. Plex is read only for your media and its transcoded files wouldn't be something you or another user would be concerned with.

Changing permissions while also changing a higher level path name seems like it would cause problems even locally, let alone via multiple file shares.

I think you're over-thinking this. I have two users, run SMB and SSH, modify files via both, and have never had an issue.

As for encryption replacing a VPN, encryption is better than plaintext, but it doesn't resolve any of the security deficiencies that may be present in the protocol. You want to make your attack surface as small as possible. A VPN does that. Adding SSL to a web site is good, but you can't really do that to SMB. Well, you could set up an SSL Tunnel, but that's just an inconvenient VPN.
 

itskando

Contributor
Joined
Apr 30, 2018
Messages
172
How many people are going to be accessing your server/sharing services?

Yeah, with a single user I can't see you running into issues. [...] I think you're over-thinking this. I have two users, run SMB and SSH, modify files via both, and have never had an issue.

Single plus 1-2 roommates for now;
once I go remote, I might open up to family and friends : j

Mostly, I'm trying to learn the ropes universally
so I have a better idea of best practices overall.

Sorry for being a stickler for added info;
I appreciate anything you have to add : j

As for encryption replacing a VPN, encryption is better than plaintext, but it doesn't resolve any of the security deficiencies that may be present in the protocol. You want to make your attack surface as small as possible. A VPN does that. Adding SSL to a web site is good, but you can't really do that to SMB. Well, you could set up an SSL Tunnel, but that's just an inconvenient VPN.

So, with respect to remote access and that guide:

• Skip the guide entirely,
• Pay for a domain (and whois support)
• Pay for a VPN

and be done with it?
 

j0hnby

Explorer
Joined
Apr 22, 2017
Messages
68
I wouldn't worry so much then if your user group is small - most likely you'll be the only one going in via SSH right, and you can leave Plex running all the time - rarely changes your files, and transcoded ones are used by itself only.

As for worrying about changing paths and folder names via one sharing service and then expecting everything else to work - pretty sure any service relying on a specified path would fail if you changed it without updating your config - though some might just recreate that specified path....

Check out Cloudflare too, it's a good thing to fiddle with, and you can ssh your connection using it easily too.
 

fracai

Guru
Joined
Aug 22, 2012
Messages
1,212
So, with respect to remote access and that guide:

• Skip the guide entirely,
• Pay for a domain (and whois support)
• Pay for a VPN

and be done with it?

There's no need to pay for a domain (for a long time I used a no-ip address, but eventually got tired of confirming my access every month and I realized I already had a domain that I could slug a sub-domain on). If you do get a domain, everyone is going to offer some sort of whois privacy (if that's what you mean) either included or optional.

There's also no need to pay for a VPN. You can set one up with OpenVPN fairly easily and many routers include support for running it there instead of somewhere else on your network. There are also options like ZeroTier that might be easier (I keep meaning to, but haven't looked into this yet).
 

itskando

Contributor
Joined
Apr 30, 2018
Messages
172
There's no need to pay for a domain (for a long time I used a no-IP address, but eventually got tired of confirming my access every month and I realized I already had a domain that I could slug a sub-domain on).

So, free domain is possible, but long-term ends up being hassle?
Any citable guides to doing so, either way,
for those who read this and end up being curious?

There's also no need to pay for a VPN. You can set one up with OpenVPN fairly easily and many routers include support for running it there instead of somewhere else on your network. There are also options like ZeroTier that might be easier (I keep meaning to, but haven't looked into this yet).

Someone mentioned OpenVPN alone isn't from ISP.
Is that something I should be concerned about?
Who else am I trying to be private from?

If I have roommates who don't want to deal with the slowdown of a VPN,
should I just jail OpenVPN in my FreeNAS server?
Once that is set up, how do connecting devices join the VPN?
(Do they need to run openVPN also?
For example: a remote TV running Plex or a remote laptop of any given OS.)
 

kdragon75

Wizard
Joined
Aug 7, 2016
Messages
2,457
So, free domain is possible, but long-term ends up being hassle?
Any citable guides to doing so, either way,
for those who read this and end up being curious?



Someone mentioned OpenVPN alone isn't from ISP.
Is that something I should be concerned about?
Who else am I trying to be private from?

If I have roommates who don't want to deal with the slowdown of a VPN,
should I just jail OpenVPN in my FreeNAS server?
Once that is set up, how do connecting devices join the VPN?
(Do they need to run openVPN also?
For example: a remote TV running Plex or a remote laptop of any given OS.)

It might be helpful for you to read up on general IP networking and routing. From there, look into the topic of VPN and how that relates to IP routing and tunneling. I don't mean to be rude, but it's just way too much to convey in a few posts and give you a full understanding of what's going on. You need to build a fundamental framework of knowledge from which to build and fit new concepts like client access VPN service (OpenVPN) and internet privacy VPN services (TunnelBear).
 

itskando

Contributor
Joined
Apr 30, 2018
Messages
172
I don't mean to be rude but it's just way too much

No rudeness taken.
I just take the keywords from these posts and
keep doing my own reading
while listening for general rules of thumb : j
 