Small Raspberry PI fileserver security

[ALF__]

Hello.

Im thinking of setting up a PI as a fileserver, just for personal useage, and maybe 2-3 different client pcs, both Linux and windows.
Now, i want this to be accessible via the internet. And wondering what would be the safest way in doing this.

I do have access-management in my router, however, im not sure if this is the best way to do this.

It will only be a very small storage space, for some small source-file for different hobby-Projects. So its not super Heavy duty critical.
The network setup will be that that one port will be open to the PI, and nothing else. But i mostly still worry that it can be used as a "backdoor"

Any ideas about what program for the filesharing would be great also.

[kikko]

Hi ALF__
I think Owncloud can suit all your needs, it builds on the PI (afaik) and has a client for other OSes like Windows.
Otherwise, you can set up a WebDAV on Apache HTTPD (don't know for other webservers), and share the files via HTTP(s)
The latter is a lighter solution, but I'm not sure if Windows has a native client
_________________
Regards

root is the root of all evil

[1clue]

ALF__,

I don't intend to be a killjoy.

If you intend this to be a useful file server, then you might want to explore other options. A pi would make a very slow file server. The networking and the "disk" subsystem all go through the same USB controller. Most (all? Not sure about the newer ones) can't saturate 100 mb/s, but even if they can then 100 mb/s is the TOTAL bandwidth that your file server could support, half of it networking and half "disk". My pi b+ tops out around 66 mb/s total bandwidth. That's just copying /dev/zero to a socket on a remote system, so it's not bound by anything except the weakest link.

Contrast that with gigabit ethernet that almost every normal NAS can give, and they have separate hardware for disks so all that gigabit bandwidth goes through the wire.

Back to being supportive:

If you're on a tight budget, or if you just want to see how this stuff goes together then a pi can be a file server and it can support reasonable security. I'm not being critical of any attempt to learn or to get by.

Having been around computer networking for decades and having built a number of file servers, you can pretty much count on the idea of a good homemade file server being more expensive than an equal quality commercially purchased unit.

[Ant P.]

[1clue]

[1clue]

And then encryption on top of file and network i/o might really trash performance. Maybe not so much with a newer pi, but possibly even so.

[1clue]

Sorry to beat a dead horse here. A final point is that while the OP mentioned wanting to access it from the outside, that doesn't mean it will always be accessed from the outside. Dragging files over to the file server from inside should be at or near wire speed.

There are lots of single-board computers out there that would be much more satisfactory than a pi for not much more money.

Look for something with gigabit ethernet and one or more SATA ports. I've found some for around $100.

If you want to know what I'm using, it's this: http://www.supermicro.com/products/motherboard/Atom/X10/A1SRM-LN7F-2758.cfm That's clearly out of the budget of most home users, but it's more than capable of being a SOHO access point and a file server simultaneously, and handling strong encryption too.

[ALF__]

Hello guys.

Thank you for all your answers.

Firstly, performance is not a problem in this case, as i stated, this will be for just a couple small sourcefiles, for my own personal Projects. that i sometimes work on on maybe Three different computers. And by that, space is not a problem either.


I have the pi laying around, and i have gentoo running on it.

The main problem i have is for safety for the rest of my network. The files on it is not business critical. Its just Learning and hobby Projects. But i dont want to set it up in a way it will be a potential backdoor to the other computers on the network. But ofcourse, its nice to protect the storage-space as much as possible.

I was thinking of maybe setting up a FTP just for easy cross platform access..

[1clue]

That information helps.

Stay away from ftp. It's a modern security nightmare.

Use sftp (part of/uses ssh). Or something else, but sftp is easiest IMO, and has an ftp-like syntax if you want that. I'd only login remotely using a limited user, not sudoer and not someone with permissions outside of his home directory.

Use fail2ban. Insist on high quality passwords. Make sure your ssh encryption cipher is not compromised.

You might mess with forcing an ssh key and a password in order to connect from outside. Or a VPN if you have that ability at your router. Don't use the pi as a vpn endpoint.

https://www.gentoo.org/support/security/