A recap about the Zentrox development

wervice


Posted on September 28, 2024


What am I working on?

I am working on a project called Zentrox. Zentrox is an open source tool to remotely administer your Linux home lab servers/devices.
https://github.com/wervice/zentrox

How far am I with Zentrox?

Zentrox is still in its beginnings. I am currently working on creating a test release so people can actually try the project for the first time. It currently does not support as many features as some other applications for server administration.

Screenshot of the current Zentrox frontend

Where am I going with my project?

Zentrox is supposed to get more features like a media center, package update automation and more. It is only developed by me, so I cannot guarantee that I will add a feature. The project lacks documentation as well, but having learned from my re-write to Rust, I will add docs.

What technologies does Zentrox use (+ some well-deserved credits)?

Backend

The Zentrox backend was originally written in JavaScript with Node.JS as its runtime. This became annoying to develop and pretty slow, which is why I decided to re-write it in Rust 🦀 - Yes, I re-wrote several thousand lines of undocumented JavaScript code in Rust, as a hobby project.

So, what framework do I use? Zentrox uses the actix_web framework, which is a great library. My developer experience with this tool was nice. It has good documentation and powerful tools. It was easy for me to pick up, as I was previously using Express.JS and Flask (Python). Actix also has other helper libraries for files, cookies, sessions, ... which I use in my project as well.

Frontend

The frontend of Zentrox is written using React. Of course I did not write this frontend without any frameworks. I use Next.JS by Vercel as a framework. Zentrox also uses a UI library called shadcn. Shadcn is an amazing library. It made developing the frontend a lot easier, since you do not have to build everything from the ground up. I'd also like to give some credit to Radix UI, as this is what Shadcn uses for its components. :-)

How does Zentrox work?

⚠️ The following text is technical.

Zentrox has three parts. The frontend (FE), the backend (BE) and the application programming interface (API). The API is only used to communicate between frontend and backend and is not meant for use with extensions, but I am not trying to prevent that either. It will just require authentication on the server-side to work.

Auth

When you first set up Zentrox by running install.bash, you are asked to set an admin username and password. You can also enable two factor authentication using OTP there.


Your password is then hashed using OpenSSL, with the SHA-512 algorithm, a salt and PBKDF2.
This makes it hard for hackers to brute-force your password.
The same happens at login with the password the user provides.
This process makes the login a bit slower than the plain SHA-256 of the previous attempt, but I consider the lag to be negligible.
I used this document from OWASP as a reference.

When the user logs in, the stored password hash and the entered password are compared, and, if enabled, the OTP token is also checked. Then an encrypted cookie is stored on the user's side that links to a database entry holding a token, which is used from then on to verify that the user is logged in. The cookie does not contain any sensitive data.

As soon as the user logs out, both the cookie and the token are invalidated.
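The setup, login and logout steps described above, as an added example written for this post and not code from the Zentrox repository. It uses PBKDF2-HMAC-SHA512 with a random per-user salt and a constant-time comparison, then issues a random session token that is the only thing the cookie would carry; the record format, the `SessionStore` class and the iteration count (taken from the OWASP Password Storage Cheat Sheet) are this example's own choices, and OTP checking and the actix cookie encryption are left out.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Iteration count for PBKDF2-HMAC-SHA512 recommended by the OWASP Password Storage Cheat Sheet.
PBKDF2_ITERATIONS = 210_000
SALT_BYTES = 16


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Hash at setup time; the record carries scheme, iterations and per-user salt,
    so the work factor can be raised later without breaking existing accounts."""
    salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, iterations)
    return f"pbkdf2_sha512${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Re-derive with the stored salt and iteration count; compare in constant time."""
    scheme, iterations, salt_hex, digest_hex = record.split("$")
    if scheme != "pbkdf2_sha512":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha512", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


class SessionStore:
    """Server-side token table (hypothetical helper). The cookie only ever carries
    the random token, never the password or its hash; logout deletes the entry."""

    def __init__(self) -> None:
        self._tokens: Dict[str, str] = {}

    def login(self, username: str, password: str, record: str) -> Optional[str]:
        if not verify_password(password, record):
            return None
        token = secrets.token_urlsafe(32)  # 256 random bits: unguessable session id
        self._tokens[token] = username
        return token

    def user_for(self, token: str) -> Optional[str]:
        return self._tokens.get(token)

    def logout(self, token: str) -> None:
        self._tokens.pop(token, None)
```

Because the iteration count is stored in the record, a verifier can detect records made with an older, lower count and re-hash them on the next successful login.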

Privilege escalation

Some things like managing the firewall require admin permissions. My initial attempt was to create another system user for Zentrox with a password known to Zentrox.
Instead of going that route, I am simply using sudo and writing the password to sudo's stdin.

Vault

Vault is a key component of Zentrox. It is a self-hosted encrypted data storage. The files are located in ~/zentrox_data.
But how does it work? To use Vault, a user has to create a new vault by setting a password. The user can then upload a file to the vault. The file is encrypted using AES-256-GCM. Before this can happen, the encryption key is derived from the password using salted argon2. This makes brute-forcing and dictionary attacks very time-consuming and expensive. The uploaded file is stored with an encrypted file name.

This entire procedure only provides protection from the file being viewed. It does not yet protect against ransomware or wipers.
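The Vault flow from the two paragraphs above, as an added example that is not Zentrox's own code: a password-derived key, AES-256-GCM for both the file name and the content, and the limitation that a missing blob is simply gone. Assumptions: the `Vault` class, its in-memory store and the AAD layout are invented here, and scrypt from the standard library stands in for the argon2 step because argon2 is not in the standard library.

```python
import hashlib
import secrets
from typing import Dict, List, Optional

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

NONCE_BYTES = 12  # 96-bit GCM nonce, freshly random for every encryption


def derive_key(password: str, salt: bytes) -> bytes:
    """Password -> 256-bit AES key. Stand-in: salted scrypt replaces Zentrox's salted
    argon2 (also memory-hard, so brute force and dictionary attacks stay expensive)."""
    return hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)


class Vault:
    def __init__(self, password: str, salt: Optional[bytes] = None) -> None:
        self.salt = salt or secrets.token_bytes(16)  # stored next to the vault
        self._aead = AESGCM(derive_key(password, self.salt))
        # encrypted file name (hex) -> nonce || ciphertext || tag
        self.store: Dict[str, bytes] = {}

    def _seal(self, plaintext: bytes, aad: bytes) -> bytes:
        nonce = secrets.token_bytes(NONCE_BYTES)
        return nonce + self._aead.encrypt(nonce, plaintext, aad)

    def _open(self, blob: bytes, aad: bytes) -> Optional[bytes]:
        try:
            return self._aead.decrypt(blob[:NONCE_BYTES], blob[NONCE_BYTES:], aad)
        except InvalidTag:  # wrong password or modified bytes: GCM refuses to decrypt
            return None

    def upload(self, filename: str, data: bytes) -> str:
        """Encrypt name and content; the AAD ties the content blob to its stored name,
        so blobs cannot be swapped between entries without detection."""
        enc_name = self._seal(filename.encode(), b"filename").hex()
        self.store[enc_name] = self._seal(data, enc_name.encode())
        return enc_name

    def download(self, enc_name: str) -> Optional[bytes]:
        return self._open(self.store[enc_name], enc_name.encode())

    def list_files(self) -> List[str]:
        names = (self._open(bytes.fromhex(n), b"filename") for n in self.store)
        return [n.decode() for n in names if n is not None]
```

GCM's tag makes tampering and a wrong password visible, but deleting or overwriting the blob (what ransomware or a wiper does) is not detected or undone by anything here; that needs backups or a separate integrity log.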

Dead code

I've been working on Zentrox for ~6 months at the time of writing this article. Initially, Zentrox was meant to be a way to link my existing Codelink projects together by providing a hub for the applications. Thus Zentrox started as a sub-project of Codelink and was later split off, because it went in a different direction than what I had planned.
Today, the Codelink project is not maintained, as Zentrox takes up the time I spend on hobby projects.

users.c

I wanted Zentrox to be able to create system users on its own. I was unable to get useradd and adduser to work like I planned. This was necessary as I was using vsftpd and wanted to use a system user instead of a vsftpd virtual user.

So, I did the most rational thing that I could have done there. /s
I started learning C, to write a program that modifies the /etc/shadow and /etc/passwd files of a user's machine. (We are in the section "Dead Code": this code never made it into any release, and I always had a disclaimer in the repo or in Zentrox about this code.)

Here is an image of the C code:

Screenshot of some C code made with carbon.now.sh

I realized that it would probably not be such a good idea to modify system files using self-built code, and I purged the entire idea. I learned some C on the way there, and I think that's pretty cool!

Mapbase

I was looking for an easier way to store the Zentrox configuration and some variables than making a file for every variable, because that was how I did it for a long time.
I settled on making my own little key-value store/database. I called it Mapbase and wrote it in Go. This was a fun experience, but it has now been replaced with a .toml file, as Mapbase is not really that different from TOML but was a bit tedious to work with, especially considering it added yet another language to Zentrox. Here is a meme showing what the Zentrox language statistics looked like around that time (Go not included):

Meme about Zentrox source code

The old frontend

The old frontend was nice, but I removed it because it became annoying to work with. It has now been replaced with the React frontend I described at the beginning of this post.
It once looked like this:

Screenshot of the old Zentrox frontend

Thanks to everyone who made me aware of bugs and things not to do :-)

Please let me know what you think about Zentrox and this post in the comments. Have a nice day.
