My Home NAS, Part 4

Having finished assembling the hardware and installing the base operating system for my home-grown NAS device, I've moved on to the fine art of tweaking.  For now, since there isn't a hard drive in the box for major storage, I'm focusing on two things: the long-term stability of the CompactFlash card, and the general security of the machine.

As far as the CompactFlash card is concerned, there are a few things left to do to optimize its performance.  I've read from various sources that flash media tends to have a limited lifetime, especially when written to frequently.  As I noted in part 3, I avoided creating any swap space for this very reason.  However, there are still a few areas of the Linux filesystem that could cause extremely frequent write access, and it'd be nice to avoid this.  Based on some useful instructions from another blog, I decided to mount a few areas of the filesystem in RAM rather than on the CF card itself.  To do this, I edited /etc/fstab to look like the following:

proc            /proc           proc    defaults        0       0
/dev/hda1       /               ext2    defaults,errors=remount-ro,noatime 0       1
tmpfs           /var/run        tmpfs   defaults,noatime  0       0
tmpfs           /var/log        tmpfs   defaults,noatime  0       0
tmpfs           /var/lock       tmpfs   defaults,noatime  0       0
tmpfs           /var/tmp        tmpfs   defaults,noatime  0       0
tmpfs           /tmp            tmpfs   defaults,noatime  0       0

One important feature of this setup is that pretty much everything is mounted with the "noatime" option; this keeps the filesystem from recording information about when files were last accessed.  Otherwise, every time we read a file, the system would write a little bit of information to the card, decreasing its overall lifespan.

Now, the mounting setup above is great if we never turn the machine off; however, as you may have guessed, rebooting or shutting down the machine would mean that everything in those tmpfs directories is lost for good.  So, as it turns out, it's not a bad idea to create a separate persistent version of at least some of it (especially /var/log) using cron jobs and init/shutdown scripts.  I followed the instructions in the blog referenced above pretty closely on this score, so I won't list the details here.
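The save/restore scripts the post refers to but does not list can be reduced to a couple of shell functions. The block below is an added example, not the post's or the referenced blog's own scripts; it assumes the tmpfs mount is /var/log and that the persistent copy lives in a hypothetical directory /var/log.persist on the card (both overridable from the environment). The "save" side is meant to run from a shutdown script or an hourly cron job, the "restore" side from an early init script, so the card is written a handful of times a day instead of on every log line.

```sh
#!/bin/sh
# Added example (not from the original post): keep a persistent copy of a
# tmpfs-backed /var/log on the CompactFlash card, written back only at
# shutdown or on a coarse cron schedule so the card sees few writes.
#
# Assumed layout (adjust to taste):
#   LOG_RAM  - the tmpfs mount (normally /var/log)
#   LOG_DISK - the persistent copy on the card (e.g. /var/log.persist)
# Both may be overridden from the environment so the functions can be
# exercised against scratch directories.

LOG_RAM="${LOG_RAM:-/var/log}"
LOG_DISK="${LOG_DISK:-/var/log.persist}"

# Copy the live (RAM) logs to the persistent directory.
# cp -a keeps ownership and permissions, which matters because daemons
# such as sshd expect their log files to exist with particular modes.
save_logs() {
    src="${1:-$LOG_RAM}"
    dst="${2:-$LOG_DISK}"
    mkdir -p "$dst" || return 1
    # Nothing to copy from an empty tmpfs; still a successful save.
    [ "$(ls -A "$src" 2>/dev/null)" ] || return 0
    cp -a "$src"/. "$dst"/ || return 1
    sync   # make sure the card really has the data before poweroff
}

# Restore the persistent copy into the fresh, empty tmpfs after boot.
restore_logs() {
    src="${1:-$LOG_DISK}"
    dst="${2:-$LOG_RAM}"
    [ -d "$src" ] || return 0          # first boot: nothing saved yet
    mkdir -p "$dst" || return 1
    cp -a "$src"/. "$dst"/
}

# Consistency check: count regular files present in RAM but missing from
# the persistent copy. Prints 0 when everything has been saved.
unsaved_count() {
    src="${1:-$LOG_RAM}"
    dst="${2:-$LOG_DISK}"
    n=0
    # A here-document keeps the loop in the current shell so $n survives.
    while read -r f; do
        [ -z "$f" ] && continue
        [ -f "$dst/$f" ] || n=$((n + 1))
    done <<EOF
$(cd "$src" && find . -type f)
EOF
    echo "$n"
}

# Command-line entry point for cron/init: save | restore | status
case "${1:-}" in
    save)    save_logs ;;
    restore) restore_logs ;;
    status)  unsaved_count ;;
esac
```

Call it as `logsync.sh save` from the shutdown script and cron, and `logsync.sh restore` from an init script that runs after the tmpfs mounts are in place; `logsync.sh status` is a quick way to confirm nothing would be lost by a reboot right now.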

As far as security is concerned, there are a few things worth considering.  Since this is going to be a "headless" box, I needed ssh access from other machines on my local network.  The Debian package manager makes this extremely easy to set up.  First, remove the installation CD from the list of possible package sources (/etc/apt/sources.list).  Then, just run apt-get install ssh. Once the installation is complete, you'll be able to log in from any computer on your local network using the machine's IP address (which you can find out by looking at the output of ifconfig eth0).

There are, naturally, some security concerns that arise when using ssh (or any other program that opens up ports to the outside world, as we'll see in a moment). To lock it down further, you might consider editing its configuration file (/etc/ssh/sshd_config) to include the following:

PermitRootLogin no

That'll keep users from logging on as root through an ssh session (you can still be root by using su once you've logged in as another user).
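One thing worth knowing when adding that line: sshd uses the first uncommented occurrence of a keyword and ignores later duplicates, and anything below a "Match" line applies only conditionally, so a "PermitRootLogin no" appended to the end of a file that already says "PermitRootLogin yes" near the top changes nothing. The script below is an added example (not from the post) that reads sshd_config the way sshd does instead of grepping for the string; the sample config files it builds are constructed for the demonstration and are not real host configuration.

```sh
#!/bin/sh
# Added example, not from the original post: report the value sshd will
# actually use for a keyword in sshd_config. sshd takes the FIRST
# uncommented occurrence of a keyword (later duplicates are ignored), and
# anything after a "Match" line applies only conditionally, so a
# "PermitRootLogin no" appended at the end of the file may do nothing.

# Usage: sshd_effective CONFIG_FILE KEYWORD  -> prints value, or "(default)"
sshd_effective() {
    cfg="$1"
    want=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    awk -v want="$want" '
        # strip comments and surrounding whitespace
        { sub(/#.*/, ""); gsub(/^[ \t]+|[ \t]+$/, "") }
        $0 == "" { next }
        # sshd_config also accepts "Keyword = value"; normalise that form
        { sub(/[ \t]*=[ \t]*/, " ") }
        tolower($1) == "match" { exit }             # conditional section begins
        tolower($1) == want { print $2; found = 1; exit }
        END { if (!found) print "(default)" }
    ' "$cfg"
}

# Returns 0 only when root login over ssh is explicitly disabled.
# "(default)" is treated as not disabled: the built-in default has varied
# across OpenSSH versions and used to be "yes", so rely on an explicit "no".
root_login_disabled() {
    v=$(sshd_effective "$1" PermitRootLogin)
    [ "$v" = "no" ]
}

# Demonstration on constructed sample configs (not real host files).
demo() {
    d=$(mktemp -d)
    # Hardened the way the post describes: set once, before any Match block.
    cat > "$d/good" <<'EOF'
Port 22
Protocol 2
PermitRootLogin no
PasswordAuthentication yes
EOF
    # Looks hardened under grep, but sshd keeps the first value ("yes").
    cat > "$d/dup" <<'EOF'
PermitRootLogin yes
# ... many lines later someone appended:
PermitRootLogin no
EOF
    # The "no" is inside a Match block, so it is not the global setting.
    cat > "$d/match" <<'EOF'
Match Address 192.0.2.0/24
    PermitRootLogin no
EOF
    for f in good dup match; do
        printf '%-6s PermitRootLogin=%s\n' "$f" \
            "$(sshd_effective "$d/$f" PermitRootLogin)"
    done
    rm -rf "$d"
}

[ "${1:-}" = "demo" ] && demo
```

Run it as `sh sshdcheck.sh demo` to see the three cases, or call `root_login_disabled /etc/ssh/sshd_config` from a cron job that mails you when the setting drifts. The same reading rules apply to any other keyword you lock down later, which is why the keyword is a parameter rather than hard-coded.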

By default, there are a few additional services running in a Debian installation that should probably be disabled in this setup. The RPC services are one candidate: if we weren't planning on sharing files over NFS (which depends on them), we could remove them at this point. We also won't be needing the standard identd daemon running, so we can remove it. I'd have more detailed instructions on how to do this, but I seem to have forgotten to document it; maybe I'll add it later. In any case, the end result (at least at this stage) is that the only open port is the one you're using for ssh.

That's about it for initial setup; I will probably not write much more about this for another couple of weeks, since it will probably take that long for me to get my hard drive(s) in, and that's the only step left in this process. Here's hoping it goes well!
