meshcentral – solution libre pour remplacer teamviewer

Développé par Ylian Saint-Hilaire, ingénieur chez Intel, MeshCentral permet la prise de contrôle de machines/serveurs via un agent Windows/Linux/MacOS à installer, en exécution seule (type Teamviewer QuickSupport) ou via la technologie Intel AMT (Active Management Technology). MeshCentral vous fournit, en plus de l’agent, le serveur associé qui centralise toutes les connexions des agents. Le projet a débuté en 2017 et est maintenant passé en version 2.0. MeshCentral vous propose bien évidemment la prise en main du bureau distant, l’accès à une ligne de commande le transfert des fichiers et un tchat.

Pré-requis

Vous devez disposer d’une machine linux debian buster 10. Ce tutoriel a été testé et validé depuis un hôte proxmox via un conteneur LXC.

Installation de Node.js

# apt update && apt upgrade -y
# apt install npm

Créer et vous placer à l’endroit où vous souhaitez installer Meshcentral. Par exemple /opt/meshcentral :

# mkdir /opt/meshcentral && cd /opt/meshcentral

Installation de Meshcentral

# npm install meshcentral
npm WARN npm npm does not support Node.js v10.15.2
npm WARN npm You should probably upgrade to a newer version of node as we
npm WARN npm can't make any promises that npm will work with this version.
npm WARN npm Supported releases of Node.js are the latest release of 4, 6, 7, 8, 9.
npm WARN npm You can find the latest version at https://nodejs.org/
npm WARN deprecated mkdirp@0.5.4: Legacy versions of mkdirp are no longer supported. Please update to mkdirp 1.x. (Note that the API surface has changed to use Promises in 1.x.)
npm WARN saveError ENOENT: no such file or directory, open '/opt/meshcentral/package.json'
npm notice created a lockfile as package-lock.json. You should commit this file.
npm WARN enoent ENOENT: no such file or directory, open '/opt/meshcentral/package.json'
npm WARN meshcentral No description
npm WARN meshcentral No repository field.
npm WARN meshcentral No README data
npm WARN meshcentral No license field.
+ meshcentral@0.5.0-w
added 158 packages from 151 contributors in 15.998s

Installer un reverse proxy Nginx

Afin d’utiliser vos certificats et protéger l’application vous pouvez associer à Meshcentral un reverse proxy. Ici un exemple avec nginx :

# apt install nginx-light

Modifier les lignes 2 et 7 du fichier /etc/nginx/nginx.conf

# vi /etc/nginx/nginx.conf

Remplacer :

worker_processes auto;
worker_connections 768;

par :

worker_processes 1;
worker_connections 1024;

Editer le fichier /etc/nginx/sites-available/default ou ajouter votre propre site :

# vi /etc/nginx/sites-available/default

server {
    listen 80;
    server_name hello.mondomaine.fr;

    location / 
    {
            proxy_pass http://127.0.0.1:800/;
            proxy_http_version 1.1;

            # Inform MeshCentral about the real host, port and protocol
            proxy_set_header X-Forwarded-Host $host:$server_port;
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
         proxy_set_header X-Forwarded-Proto $scheme;
    }
}


server {
    listen 443 ssl;
    server_name hello.mondomaine.fr;

    # MeshCentral uses long standing web socket connections, set longer timeouts.
    proxy_send_timeout 330s;
    proxy_read_timeout 330s;

    ssl on;
    ssl_certificate /etc/ssl/certs/wildcard.mondomaine.fr.pem;
    ssl_certificate_key /etc/ssl/private/wildcard.mondomaine.fr.key;
    ssl_session_timeout 1d;
    ssl_session_cache shared:MozSSL:10m;  # about 40000 sessions
    ssl_session_tickets off;

    # curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam.pem
    ssl_dhparam /etc/ssl/private/dhparams.pem;

    # intermediate configuration
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;

    # HSTS (ngx_http_headers_module is required) (63072000 seconds)
    add_header Strict-Transport-Security "max-age=63072000" always;

    # OCSP stapling
    ssl_stapling on;
    ssl_stapling_verify on;

    # verify chain of trust of OCSP response using Root CA and Intermediate certs
    ssl_trusted_certificate /etc/ssl/certs/MaCA.crt;

    location / 
    {
        proxy_pass http://127.0.0.1:4430/;
        proxy_http_version 1.1;

        # Allows websockets over HTTPS.
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";

        # Inform MeshCentral about the real host, port and protocol
        proxy_set_header X-Forwarded-Host $host:$server_port;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }   
}

Valider la configuration et arrêter pour l’instant nginx

# nginx -t
# systemctl stop nginx

Synthèse des commandes disponibles pour exécuter meshcentral :

# cd /opt/meshcentral/node_modules/meshcentral
# node meshcentral --help
MeshCentral v0.5.0-w, remote computer management web portal.
This software is open source under Apache 2.0 licence.
Details at: https://www.meshcommander.com/meshcentral2

Run as a background service
   --install/uninstall               Install MeshCentral as a background service.
   --start/stop/restart              Control MeshCentral background service.

Run standalone, console application
   --user [username]                 Always login as [username] if account exists.
   --port [number]                   Web server port number.
   --mpsport [number]                Intel AMT server port number.
   --redirport [number]              Creates an additional HTTP server to redirect users to the HTTPS server.
   --exactports                      Server must run with correct ports or exit.
   --noagentupdate                   Server will not update mesh agent native binaries.
   --listuserids                     Show a list of a user identifiers in the database.
   --resetaccount [userid]           Unlock an account, disable 2FA and set a new account password.
   --adminaccount [userid]           Promote account to site administrator.
   --cert [name], (country), (org)   Create a web server certificate with [name] server name.
                                     country and organization can optionaly be set.

Lancer Meshcentral sans fichier de paramètres :

#  node /opt/meshcentral/node_modules/meshcentral/meshcentral --cert hello.mondomaine.fr

MeshCentral HTTP redirection server running on port 800.
Generating certificates, may take a few minutes...
Generating root certificate...
Generating HTTPS certificate...
Generating MeshAgent certificate...
Generating Intel AMT MPS certificate...
MeshCentral v0.5.0-w, Hybrid (LAN + WAN) mode.
Loaded web certificate from "https://127.0.0.1:443/", host: "hello.mondomaine.fr"
  SHA384 cert hash: 5871d503c304a770cd1f54a68cd6ae1ce9261fc99a7f440b6b9ee505beb2280312aeee69604959c88fe1fd6656770c6c
  SHA384 key hash: 0fa4a244756be277fce70f1020c51f0abe088c4a11f95d7b5b65b3145204444cd7a01f4995a5f3d3f6bc4f7990c8a749
MeshCentral HTTP server running on port 4430, alias port 443.
SMTP mail server localhost working as expected.

Exemple de fichier de configuration /opt/meshcentral/meshcentral-data/config.json

{
  "__comment__" : "MeshCentral",
         "settings": {
        "Cert": "hello.mondomaine.fr",
        "_WANonly": true,
        "_LANonly": true,
        "Port": 4430,
        "AliasPort": 443,
        "RedirPort": 800,
        "AgentPong": 300,
        "MpsPort": 0,
        "TlsOffload": "127.0.0.1",
        "mongodb": "mongodb://127.0.0.1:27017/meshcentral",
        "mongodbcol": "meshcentral"
    },
    "smtp": {
        "host": "localhost", "port": 25,
        "from": "noreply@mondomaine.fr",
        "tls": false
    },
    "domains": {
        "": {
        "Title": "MeshCentral HELLO for MONDOMAINE.FR",
        "Title2": "MONDOMAINE",
        "TitlePicture": "logos_mondomain.png",
        "certUrl": "https://127.0.0.1:443/",
        "Footer": "MONDOMAINE",
        "_auth": "ldap",
        "_ldapUserName": "displayName",
        "_ldapUserBinaryKey": "objectSid",
        "_ldapOptions":
        {
            "_url": "ldap://10.0.210.7:389",
            "_bindDN": "CN=monutilisateur,CN=Users,DC=mondomaine,DC=fr",
            "_bindCredentials": "secret",
            "_searchBase": "DC=mondomaine,DC=fr",
            "_searchFilter": "(sAMAccountName={{username}})"
            }
        }
    }
}
# node /opt/meshcentral/node_modules/meshcentral/meshcentral

MeshCentral HTTP redirection server running on port 800.
Generating certificates, may take a few minutes...
Generating root certificate...
Generating HTTPS certificate...
Generating MeshAgent certificate...
Generating Intel AMT MPS certificate...
MeshCentral v0.5.0-w, Hybrid (LAN + WAN) mode.
Loaded web certificate from "https://127.0.0.1:443/", host: "hello.mondomaine.fr"
  SHA384 cert hash: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
  SHA384 key hash: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
MeshCentral HTTP server running on port 4430, alias port 443.
SMTP mail server localhost working as expected.

Installer meshcentral en tant que service pour systemd

# node /opt/meshcentral/node_modules/meshcentral/meshcentral --install
Installing MeshCentral as background Service...
Writing config file...
Enabling service...
Starting service...
Done.

Supprimer meshcentral en tant que service pour systemd

# node /opt/meshcentral/node_modules/meshcentral/meshcentral --uninstall
Uninstalling MeshCentral background service...
Stopping service...
Disabling service...
Removing config file...
Done.

Vous pouvez maintenant gérer meshcentral.service avec la commande systemctl

# systemctl start meshcentral.service
# systemctl restart meshcentral.service
# systemctl stop meshcentral.service
# systemctl status meshcentral.service
● meshcentral.service - MeshCentral Server
   Loaded: loaded (/etc/systemd/system/meshcentral.service; enabled; vendor preset: enabled)
   Active: active (running) since Tue 2020-03-31 12:29:26 CEST; 21s ago
 Main PID: 12328 (node)
    Tasks: 22 (limit: 4915)
   Memory: 151.0M
   CGroup: /system.slice/meshcentral.service
           ├─12328 /usr/bin/node /opt/meshcentral/node_modules/meshcentral/meshcentral
           └─12355 /usr/bin/node /opt/meshcentral/node_modules/meshcentral/meshcentral --launch 12328

Migrer la base sqlite vers mongodb

D’après la documentation officielle, il est conseillé de migrer la base sqlite en mongodb pour des parcs importants

# systemctl stop meshcentral.service
# node /opt/meshcentral/node_modules/meshcentral/meshcentral --dbexport
Exported 14 objects(s) to /opt/meshcentral/meshcentral-data/meshcentral.db.json.
# apt install gnupg
# wget -qO - https://www.mongodb.org/static/pgp/server-4.2.asc | sudo apt-key add -
# echo -e '\n## MongoDB\ndeb http://repo.mongodb.org/apt/debian buster/mongodb-org/4.2 main' >> /etc/apt/sources.list
# apt update
# apt install -y mongodb-org
# systemctl daemon-reload
# systemctl enable mongod
# systemctl start mongod
# systemctl status mongod

Importer la base locale vers mongodb

# node /opt/meshcentral/node_modules/meshcentral/meshcentral --mongodb mongodb://127.0.0.1:27017/meshcentral --dbimport
Installing mongodb...
Resetting main indexes...
Resetting events indexes...
Resetting power events indexes...
Resetting server stats indexes...
Imported 14 objects(s) from /opt/meshcentral/meshcentral-data/meshcentral.db.json.

Backup automatique mongodb

# crontab -e

## MongoDB backup
00 23 * * * /usr/bin/mongodump --archive=/opt/meshcentral/meshcentral-data/backup.mongodb > /dev/null 2>&1

fail2ban pour sécuriser meshcentral

Editer le fichier /etc/fail2ban/filter.d/meshcentral-filter.conf :

# vi /etc/fail2ban/filter.d/meshcentral-filter.conf

[Definition]
failregex=^ meshcentral http.*: Failed \S+ for .*? from <HOST> port \d*
ignoreregex=

Editer le fichier /etc/fail2ban/jail.d/meshcentrail-jail.conf :

# vi  /etc/fail2ban/jail.d/meshcentrail-jail.conf

[meshcentral]
enabled = true
port = 443
filter = meshcentral-filter
logpath = /var/log/meshcentral/auth.log
maxretry = 3
findtime = 3600
bantime = 86400
backend = %(dropbear_backend)s
#  fail2ban-client status meshcentral

Status for the jail: meshcentral
|- Filter
|  |- Currently failed: 0
|  |- Total failed: 0
|  `- File list:    /var/log/meshcentral/auth.log
`- Actions
   |- Currently banned: 0
   |- Total banned: 0
   `- Banned IP list:

Les agents meshcentral

C:\&gt; meshagentXX.exe -h
Mesh Agent available switches:
  run               Start as a console agent.
  connect           Start as a temporary console agent.
  start             Start the service.
  restart           Restart the service.
  stop              Stop the service.
  state             Display the running state of the service.
  -signcheck        Perform self-check.
  -install          Install the service from this location.
  -uninstall        Remove the service from this location.
  -nodeidhex        Return the current agent identifier.
  -fullinstall      Copy agent into program files, install and launch.
  -fulluninstall    Stop agent and clean up the program files location.
  -proxy:host:port  Specifiy an HTTPS proxy (after -fullinstall only).
  -tag:xxx          Specifiy a agent tag  (after -fullinstall only).
  -resetnodeid      Reset the NodeID next time the service is started.

L’URL fournissant les agents par exemple : https://hello.mondomaine.fr/meshagents?id=X&meshid=XXXXXXXXXXXXXXXXXXXXXXXXX&installflags=X

  • id=4 -> x64
  • id=3 -> x86
  • flags=0 -> CLI + GUI
  • flags=1 -> GUI
  • flags=2 -> CLI

Modifier le template

Modifier l’image page d’accueil et le favicon

# cp /root/favicon.ico /opt/meshcentral/node_modules/meshcentral/public/favicon.ico

# cp /root/mainwelcome.jpg /opt/meshcentral/node_modules/meshcentral/public/images/mainwelcome.jpg

Modifier le style css

# vi /opt/meshcentral/node_modules/meshcentral/public/styles/style.css

Supprimer le welcomeText à la ligne 33 :

# cp /opt/meshcentral/node_modules/meshcentral/views/translations/login_fr.handlebars /opt/meshcentral/node_modules/meshcentral/views/translations/login_fr.handlebars.ori

# vi /opt/meshcentral/node_modules/meshcentral/views/
translations/login_fr.handlebars
...
<div id="welcomeText">&nbsp;</div>
...

Supprimer les CGU dans le footer

supprimer la ligne 1026

# cp /opt/meshcentral/node_modules/meshcentral/views/translations/default_fr.handlebars /opt/meshcentral/node_modules/meshcentral/views/translations/default_fr.handlebars.ori

# /opt/meshcentral/node_modules/meshcentral/views/translations/default_fr.handlebars

supprimer la ligne 233

# cp /opt/meshcentral/node_modules/meshcentral/views/translations/login_fr.handlebars /opt/meshcentral/node_modules/meshcentral/views/translations/login_fr.handlebars.ori

# vi /opt/meshcentral/node_modules/meshcentral/views/translations/login_fr.handlebars

Passage de Node.js sur les backport debian

Afin de bénéficier des mises à jour automatiques de Meshcentral depuis l’interface et corriger les erreurs de la version de debian il est conseillé de migrer vers le node.js backport

# npm update
npm WARN npm npm does not support Node.js v10.15.2
npm WARN npm You should probably upgrade to a newer version of node as we
npm WARN npm can't make any promises that npm will work with this version.
npm WARN npm Supported releases of Node.js are the latest release of 4, 6, 7, 8, 9.
npm WARN npm You can find the latest version at https://nodejs.org/

Vérifier la version

npm -v
5.8.0

Ajouter le dépôt

more /etc/apt/source.list
deb http://deb.debian.org/debian buster-backports main contrib non-free 
# apt install node-npm-package-arg=6.1.1-1~bpo10+1
# apt install npm=6.14.3+ds-1~bpo10+1

Vérifier de nouveau la version

# npm -v
6.14.3

Bibliographie

  • https://github.com/Ylianst/MeshCentral
  • http://info.meshcentral.com/downloads/MeshCentral2/MeshCentral2UserGuide.pdf
  • http://info.meshcentral.com/downloads/MeshCentral2/MeshCentral2InstallGuide.pdf