LinuxQuestions.org


meles meles 07-09-2006 05:17 PM

Totally securing a home server and NAS
 
'oomans,

Is it possible to set up a totally secure network and NAS, yet still have the data stored thereon accessible via the internet? What we want to do is have a fileserver available on our network where data is stored in an encrypted form, and made available to a remote user securely. We currently have several remote users using laptops who we would wish to have access to data on the secure server - perhaps via some form of VPN.

How do we go about setting up such a system? We're thinking of building a new server, perhaps based on a mini-ITX board for low power consumption. Can anyone recommend a suitable distro - preferably one easily installed, administered and secured by a small-brained kreecher? How do we secure the data on the server? Can we use something like TrueCrypt on a RAID 5 array? (At the moment all data on our laptops is secured using TrueCrypt, but we can't find out if it can be used on a server.)

anomie 07-09-2006 08:19 PM

Quote:

"Is it possible to set up a totally secure network and NAS, yet still have the data stored thereon accessible via the internet?"

No way. A totally secure system is one that is unplugged from any network and encased in cement. No joke.

It's difficult to answer your question without knowing more details. At a glance I'd suggest setting up a ssh server and following some basic points:
1. Allow only pubkey authentication.
2. Disable ssh protocol version 1.
3. Disallow root login via ssh.
4. If your remote user will always be connecting from the same IP or network, restrict access using iptables/netfilter and tcp_wrappers.
5. Tell it to listen on a non-standard port. (e.g. 55)

That, and your vigilant monitoring, will make it very secure. From there, enable the sftp subsystem and let the user access the data that way. I believe there are even some nice, pretty GUI frontends for sftp.

Encrypting the data on the server is your last line of defense in this case. Be thinking about restricting access to the server first.
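
An added example, not part of anomie's post: a small Python audit of sshd_config text against points 1, 2, 3 and 5 above, plus the sftp subsystem. The sample configs and function names are constructed for illustration; point 4 lives in iptables and hosts.allow, so it is out of scope, and the `Protocol` check only matters on OpenSSH releases that still support protocol 1.

```python
# Added example: audit sshd_config text against the checklist in the post above.
# A missing directive counts as a failure because defaults differ between
# OpenSSH releases (an assumption of this example).

def parse_sshd_config(text):
    """Return {keyword: [values]} for the global section (before any Match)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        if keyword == "match":
            break  # Match blocks are conditional overrides; not audited here
        settings.setdefault(keyword, []).append(parts[1].strip() if len(parts) > 1 else "")
    return settings

def first_value(settings, keyword):
    """sshd uses the first value it reads for a keyword; later ones are ignored."""
    values = settings.get(keyword)
    return values[0].lower() if values else None

def audit(text):
    s = parse_sshd_config(text)
    return {
        "pubkey_only": first_value(s, "pubkeyauthentication") != "no"
            and first_value(s, "passwordauthentication") == "no"
            and first_value(s, "challengeresponseauthentication") == "no",
        "protocol_2_only": first_value(s, "protocol") == "2",
        "no_root_login": first_value(s, "permitrootlogin") == "no",
        "non_standard_port": "22" not in s.get("port", ["22"]),
        "sftp_subsystem": any(v.split()[:1] == ["sftp"] for v in s.get("subsystem", [])),
    }

# Constructed sample configs (the sftp-server path varies by distro).
HARDENED = """# constructed sample
Port 55
Protocol 2
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
Subsystem sftp /usr/libexec/openssh/sftp-server
"""
WEAK = "Protocol 2,1\nPermitRootLogin yes\nPasswordAuthentication yes\n"

if __name__ == "__main__":
    for name, cfg in (("hardened", HARDENED), ("weak", WEAK)):
        print(name, audit(cfg))
```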

anomie 07-09-2006 08:21 PM

As for distros, they're all pretty similar for what you're trying to do, IMO. You can secure most of them following the same steps.

Go for something popular if you want a large user base (i.e. support). FC, SuSE, Debian, etc., etc.

meles meles 07-10-2006 12:31 PM

We agree that total security is almost impossible, but we'd like to get close - after all, our server will contain the battleplans for when we rise up to overthrow 'oomanity and regain our rightful place at the top of the pecking order.

We're thinking of setting up a server running NASLite and using TrueCrypt to encrypt the data stored on the system. The server will be accessed only by trusted badgers using laptops linked via a VPN.

Recommendations for the VPN would be useful: we're currently thinking of using a hardware VPN/router/wifi access point. The data encryption is there as a fallback in case the physical security of the server is ever compromised - we'd like it to default to encrypted status if ever it is physically compromised, i.e. a Mr Plod type 'ooman turns up and carts it away for the Feds to inspect.

Should NASLite be unsuitable, we're thinking of the following other options and would be grateful for comments from those of you that may have used them:

* Clark Connect
* Xandros Server
* SME server 7


All times are GMT -5.