Home Office Server Security

George Toft george at georgetoft.com
Tue Apr 2 19:45:37 MST 2013


Semi-coherent ramblings follow - I wanted to give you some stuff to consider.

Think about your threats and the countermeasures.  Encrypting a drive 
mitigates the risk of exposed data in case of hardware theft, and is 
totally useless if the attacker can access the data over the network.  
Network encryption mitigates eavesdropping - what are the chances of 
that happening at home - do you have wireless?  WEP is real-time 
crackable, and in 2006 I went to a seminar where a guy claimed WPA was 
crackable in a couple hours - maybe that's why the keys rotate 
frequently.  RAID mitigates against drive failure, and RAID5 is nice, 
but what about recovery?

Control your network, use secure protocols, use access controls, lock up 
the server/bolt it to the floor/whatever.  If you want to use an 
encrypted volume to store your data, SSH in, mount it manually and enter 
the key - how often do you reboot? 2-3 times a year?  Better to have a 
filesystem that requires a passwd on mount than something that feeds the 
key in and unlocks it for you - what kind of security is that?  Why even 
bother - the benefit of encryption is lost, unless you have a key server 
on your network that is hardened and locked up tight so it doesn't get 
stolen too.

Use whatever RAID you are comfortable with.  I've tried RAID5 and RAID1, 
and RAID1 is by far the easiest to recover from.  RAID0 is a disaster 
waiting to happen.  Some people have had no problems with RAID5, but it 
seems almost as many find RAID5 such a PITA that they swear "never again!"

I did RAID1 with two drives bought at the same time.  Sure enough one 
drive failed, and I was too busy to address it.  A couple months later 
the other drive failed.  Duh!  Same drive manufacturer, same model, 
almost same manufacture date - yeah, I asked for that.  You might want 
to use different drive manufacturers to mitigate that risk.

In addition to the file server, have a backup server and back up daily.  
This compensates for the inevitable "Oh! No!" moment when you delete a 
directory that you didn't mean to - you have yesterday's snapshot to 
recover from.  Imagine how heroic I looked when I came home and my wife 
told me she deleted all the pictures from blah blah by accident.  No 
problem - go to backup server, scp the directory back to the server, 
done.  But that raises consistency checking issues - you have to make 
sure the backup is complete to mitigate the risk of a backup fault.

And don't forget anti-virus checking :)

Regards,

George Toft

On 4/2/2013 8:20 AM, Nathan England wrote:
>
> Hello Hello,
>
> I will soon be building a new server for my home office. I do various 
> consulting jobs and have access to data that my customers consider 
> highly personal or private, some of which I've signed NDAs in order 
> to have access to. The current server stores my client data, various 
> source code files, but it also doubles as my personal data store. All 
> my personal projects along with videos and pictures, audio files and 
> everything that all of us parents and geeks would want to store.
>
> My new hardware will have multiple drives in a RAID configuration. I 
> have not completely decided on how that will be configured. I would 
> like your opinions on the best methods of securing a server. I am not 
> against having to type in an encryption passphrase each time the 
> machine boots, but as it will be headless, I'd really rather not, but 
> hoping beyond setup I will not need to reboot it often it is an option.
>
> What options should I consider for protecting the data on the hard 
> drives and still provide some sane level of usability from a 
> workstation somewhere else?
>
> I appreciate your thoughts!
>
> Nathan
>
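
The reply above says a daily backup has to be checked for completeness before it can be relied on. The following is an added example, not part of the original thread: a Python check that hashes every file under the server's data directory and reports files that are missing from the backup or differ from the source. It assumes both trees are reachable as local paths (for a backup on another host, run `manifest()` on each side and compare the results); the function names and the sample files are constructed for illustration.

```python
import hashlib
import os
import tempfile

def manifest(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    digests = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            h = hashlib.sha256()
            with open(full, "rb") as fh:
                # Read in 1 MiB chunks so large media files do not fill memory
                for chunk in iter(lambda: fh.read(1 << 20), b""):
                    h.update(chunk)
            digests[os.path.relpath(full, root)] = h.hexdigest()
    return digests

def verify_backup(source, backup):
    """Return (missing, mismatched) paths; two empty lists mean the copy is complete.

    Files that exist only in the backup are ignored on purpose: yesterday's
    snapshot is expected to still hold files deleted from the server today.
    """
    src, bak = manifest(source), manifest(backup)
    missing = sorted(p for p in src if p not in bak)
    mismatched = sorted(p for p in src if p in bak and src[p] != bak[p])
    return missing, mismatched

def demo():
    """Constructed sample trees: the backup lacks one file and holds a truncated copy of another."""
    with tempfile.TemporaryDirectory() as tmp:
        src, bak = os.path.join(tmp, "server"), os.path.join(tmp, "backup")
        for root in (src, bak):
            os.makedirs(os.path.join(root, "pictures"))
        source_files = {"pictures/a.jpg": b"A" * 4096,
                        "pictures/b.jpg": b"B" * 4096,
                        "notes.txt": b"client notes\n"}
        # Simulated backup fault: b.jpg cut short, notes.txt never copied
        backup_files = {"pictures/a.jpg": b"A" * 4096,
                        "pictures/b.jpg": b"B" * 1000}
        for root, files in ((src, source_files), (bak, backup_files)):
            for rel, data in files.items():
                with open(os.path.join(root, rel), "wb") as fh:
                    fh.write(data)
        return verify_backup(src, bak)

if __name__ == "__main__":
    missing, mismatched = demo()
    print("missing from backup:", missing)
    print("differs from source:", mismatched)
```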


