Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
Small Raspberry PI fileserver security
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Networking & Security
View previous topic :: View next topic  
Author Message
ALF__
Tux's lil' helper
Tux's lil' helper


Joined: 30 Nov 2003
Posts: 143

PostPosted: Wed Aug 17, 2016 3:14 pm    Post subject: Small Raspberry PI fileserver security Reply with quote

Hello.

Im thinking of setting up a PI as a fileserver, just for personal useage, and maybe 2-3 different client pcs, both Linux and windows.
Now, i want this to be accessible via the internet. And wondering what would be the safest way in doing this.

I do have access-management in my router, however, im not sure if this is the best way to do this.

It will only be a very small storage space, for some small source-file for different hobby-Projects. So its not super Heavy duty critical.
The network setup will be that that one port will be open to the PI, and nothing else. But i mostly still worry that it can be used as a "backdoor"

Any ideas about what program for the filesharing would be great also.
Back to top
View user's profile Send private message
kikko
Apprentice
Apprentice


Joined: 29 Apr 2014
Posts: 256
Location: Milan, IT

PostPosted: Wed Aug 17, 2016 9:57 pm    Post subject: Reply with quote

Hi ALF__
I think Owncloud can suit all your needs, it builds on the PI (afaik) and has a client for other OSes like Windows.
Otherwise, you can set up a WebDAV on Apache HTTPD (don't know for other webservers), and share the files via HTTP(s)
The latter is a lighter solution, but I'm not sure if Windows has a native client
_________________
Regards

root is the root of all evil
Back to top
View user's profile Send private message
1clue
Advocate
Advocate


Joined: 05 Feb 2006
Posts: 2516

PostPosted: Thu Aug 18, 2016 1:26 am    Post subject: Reply with quote

ALF__,

I don't intend to be a killjoy.

If you intend this to be a useful file server, then you might want to explore other options. A pi would make a very slow file server. The networking and the "disk" subsystem all go through the same USB controller. Most (all? Not sure about the newer ones) can't saturate 100 mb/s, but even if they can then 100 mb/s is the TOTAL bandwidth that your file server could support, half of it networking and half "disk". My pi b+ tops out around 66 mb/s total bandwidth. That's just copying /dev/zero to a socket on a remote system, so it's not bound by anything except the weakest link.

Contrast that with gigabit ethernet that almost every normal NAS can give, and they have separate hardware for disks so all that gigabit bandwidth goes through the wire.

Back to being supportive:

If you're on a tight budget, or if you just want to see how this stuff goes together then a pi can be a file server and it can support reasonable security. I'm not being critical of any attempt to learn or to get by.

Having been around computer networking for decades and having built a number of file servers, you can pretty much count on the idea of a good homemade file server being more expensive than an equal quality commercially purchased unit.
Back to top
View user's profile Send private message
Ant P.
Watchman
Watchman


Joined: 18 Apr 2009
Posts: 5594

PostPosted: Sat Aug 20, 2016 12:31 am    Post subject: Reply with quote

ALF__ wrote:
Any ideas about what program for the filesharing would be great also.

Plain sshd on the Pi, sshfs-fuse on Linux clients, Filezilla on windows ones.

1clue wrote:
If you intend this to be a useful file server, then you might want to explore other options. A pi would make a very slow file server. [...]
Contrast that with gigabit ethernet that almost every normal NAS can give, and they have separate hardware for disks so all that gigabit bandwidth goes through the wire.

I think gigabit would be overkill for something that, as stated, is going to be accessed over a home router connection.
Back to top
View user's profile Send private message
1clue
Advocate
Advocate


Joined: 05 Feb 2006
Posts: 2516

PostPosted: Sat Aug 20, 2016 5:38 am    Post subject: Reply with quote

Ant P. wrote:
ALF__ wrote:
Any ideas about what program for the filesharing would be great also.

Plain sshd on the Pi, sshfs-fuse on Linux clients, Filezilla on windows ones.

1clue wrote:
If you intend this to be a useful file server, then you might want to explore other options. A pi would make a very slow file server. [...]
Contrast that with gigabit ethernet that almost every normal NAS can give, and they have separate hardware for disks so all that gigabit bandwidth goes through the wire.

I think gigabit would be overkill for something that, as stated, is going to be accessed over a home router connection.


My home router connection is 65 mbps, which is the most I've ever got out of my pi when I pipe /dev/zero out to a socket on a remote box. If I had to both read data and send it is could do not better than half that, assuming that my "hard drive" were fast enough. Some of the cheap flash drives aren't very fast.

My isp offers speeds from 30/3 to 200/20. They're ready to roll out gigabit Internet to anyone willing to pay.

I live in a farm state, a small town. Nowhere near a big city. I know people right now who get 100+ mbps at rural addresses which are miles from the next house.

So in other words there are lots of places where a pi would max out at much less than half of the available bandwidth of a home Internet connection
Back to top
View user's profile Send private message
1clue
Advocate
Advocate


Joined: 05 Feb 2006
Posts: 2516

PostPosted: Sat Aug 20, 2016 5:46 am    Post subject: Reply with quote

And then encryption on top of file and network i/o might really trash performance. Maybe not so much with a newer pi, but possibly even so.
Back to top
View user's profile Send private message
1clue
Advocate
Advocate


Joined: 05 Feb 2006
Posts: 2516

PostPosted: Sun Aug 21, 2016 5:32 pm    Post subject: Reply with quote

Sorry to beat a dead horse here. A final point is that while the OP mentioned wanting to access it from the outside, that doesn't mean it will always be accessed from the outside. Dragging files over to the file server from inside should be at or near wire speed.

There are lots of single-board computers out there that would be much more satisfactory than a pi for not much more money.

Look for something with gigabit ethernet and one or more SATA ports. I've found some for around $100.

If you want to know what I'm using, it's this: http://www.supermicro.com/products/motherboard/Atom/X10/A1SRM-LN7F-2758.cfm That's clearly out of the budget of most home users, but it's more than capable of being a SOHO access point and a file server simultaneously, and handling strong encryption too.
Back to top
View user's profile Send private message
ALF__
Tux's lil' helper
Tux's lil' helper


Joined: 30 Nov 2003
Posts: 143

PostPosted: Mon Aug 22, 2016 9:42 pm    Post subject: Reply with quote

Hello guys.

Thank you for all your answers.

Firstly, performance is not a problem in this case, as i stated, this will be for just a couple small sourcefiles, for my own personal Projects. that i sometimes work on on maybe Three different computers. And by that, space is not a problem either.


I have the pi laying around, and i have gentoo running on it.

The main problem i have is for safety for the rest of my network. The files on it is not business critical. Its just Learning and hobby Projects. But i dont want to set it up in a way it will be a potential backdoor to the other computers on the network. But ofcourse, its nice to protect the storage-space as much as possible.

I was thinking of maybe setting up a FTP just for easy cross platform access..
Back to top
View user's profile Send private message
1clue
Advocate
Advocate


Joined: 05 Feb 2006
Posts: 2516

PostPosted: Mon Aug 22, 2016 11:02 pm    Post subject: Reply with quote

That information helps.

Stay away from ftp. It's a modern security nightmare.

Use sftp (part of/uses ssh). Or something else, but sftp is easiest IMO, and has an ftp-like syntax if you want that. I'd only login remotely using a limited user, not sudoer and not someone with permissions outside of his home directory.

Use fail2ban. Insist on high quality passwords. Make sure your ssh encryption cipher is not compromised.

You might mess with forcing an ssh key and a password in order to connect from outside. Or a VPN if you have that ability at your router. Don't use the pi as a vpn endpoint.

https://www.gentoo.org/support/security/
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Networking & Security All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum