View previous topic :: View next topic |
Author |
Message |
ALF__ Apprentice
Joined: 30 Nov 2003 Posts: 246
|
Posted: Wed Aug 17, 2016 3:14 pm Post subject: Small Raspberry PI fileserver security |
|
|
Hello.
Im thinking of setting up a PI as a fileserver, just for personal useage, and maybe 2-3 different client pcs, both Linux and windows.
Now, i want this to be accessible via the internet. And wondering what would be the safest way in doing this.
I do have access-management in my router, however, im not sure if this is the best way to do this.
It will only be a very small storage space, for some small source-file for different hobby-Projects. So its not super Heavy duty critical.
The network setup will be that that one port will be open to the PI, and nothing else. But i mostly still worry that it can be used as a "backdoor"
Any ideas about what program for the filesharing would be great also. |
|
Back to top |
|
|
kikko Apprentice
Joined: 29 Apr 2014 Posts: 276 Location: Milan, IT
|
Posted: Wed Aug 17, 2016 9:57 pm Post subject: |
|
|
Hi ALF__
I think Owncloud can suit all your needs, it builds on the PI (afaik) and has a client for other OSes like Windows.
Otherwise, you can set up a WebDAV on Apache HTTPD (don't know for other webservers), and share the files via HTTP(s)
The latter is a lighter solution, but I'm not sure if Windows has a native client _________________ Regards
root is the root of all evil |
|
Back to top |
|
|
1clue Advocate
Joined: 05 Feb 2006 Posts: 2569
|
Posted: Thu Aug 18, 2016 1:26 am Post subject: |
|
|
ALF__,
I don't intend to be a killjoy.
If you intend this to be a useful file server, then you might want to explore other options. A pi would make a very slow file server. The networking and the "disk" subsystem all go through the same USB controller. Most (all? Not sure about the newer ones) can't saturate 100 mb/s, but even if they can then 100 mb/s is the TOTAL bandwidth that your file server could support, half of it networking and half "disk". My pi b+ tops out around 66 mb/s total bandwidth. That's just copying /dev/zero to a socket on a remote system, so it's not bound by anything except the weakest link.
Contrast that with gigabit ethernet that almost every normal NAS can give, and they have separate hardware for disks so all that gigabit bandwidth goes through the wire.
Back to being supportive:
If you're on a tight budget, or if you just want to see how this stuff goes together then a pi can be a file server and it can support reasonable security. I'm not being critical of any attempt to learn or to get by.
Having been around computer networking for decades and having built a number of file servers, you can pretty much count on the idea of a good homemade file server being more expensive than an equal quality commercially purchased unit. |
|
Back to top |
|
|
Ant P. Watchman
Joined: 18 Apr 2009 Posts: 6920
|
Posted: Sat Aug 20, 2016 12:31 am Post subject: |
|
|
ALF__ wrote: | Any ideas about what program for the filesharing would be great also. |
Plain sshd on the Pi, sshfs-fuse on Linux clients, Filezilla on windows ones.
1clue wrote: | If you intend this to be a useful file server, then you might want to explore other options. A pi would make a very slow file server. [...]
Contrast that with gigabit ethernet that almost every normal NAS can give, and they have separate hardware for disks so all that gigabit bandwidth goes through the wire. |
I think gigabit would be overkill for something that, as stated, is going to be accessed over a home router connection. |
|
Back to top |
|
|
1clue Advocate
Joined: 05 Feb 2006 Posts: 2569
|
Posted: Sat Aug 20, 2016 5:38 am Post subject: |
|
|
Ant P. wrote: | ALF__ wrote: | Any ideas about what program for the filesharing would be great also. |
Plain sshd on the Pi, sshfs-fuse on Linux clients, Filezilla on windows ones.
1clue wrote: | If you intend this to be a useful file server, then you might want to explore other options. A pi would make a very slow file server. [...]
Contrast that with gigabit ethernet that almost every normal NAS can give, and they have separate hardware for disks so all that gigabit bandwidth goes through the wire. |
I think gigabit would be overkill for something that, as stated, is going to be accessed over a home router connection. |
My home router connection is 65 mbps, which is the most I've ever got out of my pi when I pipe /dev/zero out to a socket on a remote box. If I had to both read data and send it is could do not better than half that, assuming that my "hard drive" were fast enough. Some of the cheap flash drives aren't very fast.
My isp offers speeds from 30/3 to 200/20. They're ready to roll out gigabit Internet to anyone willing to pay.
I live in a farm state, a small town. Nowhere near a big city. I know people right now who get 100+ mbps at rural addresses which are miles from the next house.
So in other words there are lots of places where a pi would max out at much less than half of the available bandwidth of a home Internet connection |
|
Back to top |
|
|
1clue Advocate
Joined: 05 Feb 2006 Posts: 2569
|
Posted: Sat Aug 20, 2016 5:46 am Post subject: |
|
|
And then encryption on top of file and network i/o might really trash performance. Maybe not so much with a newer pi, but possibly even so. |
|
Back to top |
|
|
1clue Advocate
Joined: 05 Feb 2006 Posts: 2569
|
Posted: Sun Aug 21, 2016 5:32 pm Post subject: |
|
|
Sorry to beat a dead horse here. A final point is that while the OP mentioned wanting to access it from the outside, that doesn't mean it will always be accessed from the outside. Dragging files over to the file server from inside should be at or near wire speed.
There are lots of single-board computers out there that would be much more satisfactory than a pi for not much more money.
Look for something with gigabit ethernet and one or more SATA ports. I've found some for around $100.
If you want to know what I'm using, it's this: http://www.supermicro.com/products/motherboard/Atom/X10/A1SRM-LN7F-2758.cfm That's clearly out of the budget of most home users, but it's more than capable of being a SOHO access point and a file server simultaneously, and handling strong encryption too. |
|
Back to top |
|
|
ALF__ Apprentice
Joined: 30 Nov 2003 Posts: 246
|
Posted: Mon Aug 22, 2016 9:42 pm Post subject: |
|
|
Hello guys.
Thank you for all your answers.
Firstly, performance is not a problem in this case, as i stated, this will be for just a couple small sourcefiles, for my own personal Projects. that i sometimes work on on maybe Three different computers. And by that, space is not a problem either.
I have the pi laying around, and i have gentoo running on it.
The main problem i have is for safety for the rest of my network. The files on it is not business critical. Its just Learning and hobby Projects. But i dont want to set it up in a way it will be a potential backdoor to the other computers on the network. But ofcourse, its nice to protect the storage-space as much as possible.
I was thinking of maybe setting up a FTP just for easy cross platform access.. |
|
Back to top |
|
|
1clue Advocate
Joined: 05 Feb 2006 Posts: 2569
|
Posted: Mon Aug 22, 2016 11:02 pm Post subject: |
|
|
That information helps.
Stay away from ftp. It's a modern security nightmare.
Use sftp (part of/uses ssh). Or something else, but sftp is easiest IMO, and has an ftp-like syntax if you want that. I'd only login remotely using a limited user, not sudoer and not someone with permissions outside of his home directory.
Use fail2ban. Insist on high quality passwords. Make sure your ssh encryption cipher is not compromised.
You might mess with forcing an ssh key and a password in order to connect from outside. Or a VPN if you have that ability at your router. Don't use the pi as a vpn endpoint.
https://www.gentoo.org/support/security/ |
|
Back to top |
|
|
|
|
You cannot post new topics in this forum You cannot reply to topics in this forum You cannot edit your posts in this forum You cannot delete your posts in this forum You cannot vote in polls in this forum
|
|