• A 24/7 machine (running all the day)
• Small
• Quiet
• Low power consumption
• Easily expandable with new disks without losing data
• RAID 5
• Break the TB barrier
• Being able to transfer saturating the Gigabit ethernet port
• With a customized Linux OS

And well, I think that I have been able to get all my objectives. This is my first modding, so I encountered lot of problems. Sure the next time I will do it better.

The following sections are a worklog of how I made this machine. Enjoy it.

The Hardware

This is the list of the hardware components I finally chose for the machine.

For the modding of this machine I have been highly inspired in one of the Mashie Designs. Credits for him and its useful web page. There is lot of information in the forums. I spent several nights reading them.

The motherboard, Mini-ITX, is really small as you can see in this photo. The power supply is external and the unique fan I needed was the one for the CPU. The Celeron-M processor consumption is very low (it is a mobile cpu) and so is the dissipated heat. I could have unmount the fan but it was so quiet that I decided to keep it and reduce the temperature a bit.

For the controller, I went with the HighPoint 2310. It supports 4xHDD SataII and RAID 5. It is not a pure hardware SATAII controller (it is CPU assisted) but in this machine, the Celeron will be exclusively helping the controller, so the final performance was very good and I didn’t need to buy an expensive hardware SATAII controller.

I didn’t find a smaller case for the NAS. Next time, probably, I will made my own case. Anyway, I had to do lot of modifications to the Venus case. Mainly, I used the dremel to cut the metal so the RACK fit in.

The RACK in its final position. This model fits five drives within a three (5.25”) bay fitting. It’s equipped with a hot swappable fan that may be detached. The fan was too noisy to me so I tried the machine without the fan but the temp of the HDDs reached 55º. So, finally, I decided to buy a new fan that was almost inaudible (a 8.9 dB Sharkoon fan). This fan and the CPU fan are the unique fans in the machine.

As you can see in this photo, the controller is really small and there is enough space for the sata cables.

I needed a new front panel for the case. I made it with two layers. The first one was cut from a Styroglass sheet (7,5mm)

For the second layer I used a 1mm aluminium sheet. Both layers were glued with epoxy.

This is a photo of the front panel before being painted.

The front panel was sanded, primed and painted in black 3 times. I made a hole for inserting a keylock and another one for a power led.

And… the final look of the machine, the monster.

The hard disks are hot-swappables. I inserted the four hard disks in the rack and the machine was ready for installing the operating system.

I used this power meter to determine an approximation of what it costs to have this machine running 24h per day. When the disks are not being used the meter reports 60w. This is 43Kwh in a month = 4.07 €/month. Something my electricity bill can afford without too much worries.

The Software

For the operating system, I used a customized Gentoo distribution. I followed this guide to create the image. The operating system was installed in a 64Mb Compact Flash card. That way all the RAID is exclusively for data storage.

The image I generated is about 45Mb with the following packages:

• Metalog for logging
• Openssh for remote access
• Smartmontools for S.M.A.R.T monitoring of the hard disks
• Dhcpcd, a DHCP client
• Lm_sensors to control system temperatures
• Net-snmp, a SNMP server to allow my main server gather information and generate graphs for this machine
• Ntp for time synchronization with my server
• Samba for sharing the folders.

The kernel I chose was the 2.6.19. The drivers distributed by HightPoint were perfectly compatible with this kernel. I can’t say the same about the tools. They are distributed as rpm (only binaries) and lot of problems appeared. This really sucks. Sources and tar.gz should be distributed to be compatible with all the linux distros.

If you want the image I am using, email me and I will send it to you (with all the sources if you want).

And that is all for my new RAID5 1′5TB machine. It has been a hard work but I have learned a lot. Don’t hesitate to write here if you want more information, discuss details, give your opinion, etc.

Thanks for reading, see you in the next article.

My host is joining the Fon Movement, a free WiFi community oriented towards sharing home internet connections to the world. Sharing your connection allows you to use any Fon node in the world for free.

There are already lots of nodes around the globe. You can check your neighborhood here.

What really impressed me is that they are selling is FON Social Router (La Fonera) for just 5 €/$. A 802.11g router with a linux 2.4.0 inside! I couldn’t resist such a bargain.

If you live in Spain, like me, Pc Actual is offering the router, 400 skypeout minutes, skype starter kit and a guide of Pc Tricks in this page.

And now, waiting for it…

I’m really surprised with the Quality-Price ratio offered by this product. For less than 60€ I have an unit that properly notifies events (on battery event, on line power event, on low battery event, etc), mails me when each of this events get fired and monitors UPS status in real time. And all of this compatible with my Gentoo Linux.

Programs for Linux that come with the product are binaries without source code. I found troubles with some of them (I was unable to send customized mails) so I started looking for a open source solution. And here I faced NUT.

Network UPS Tools is a collection of programs for monitoring and administering UPS hardware under Linux using a client/server architecture. After hours investigating (Belkin FH6350efUNV unit is not officially supported by the last version 2.0.1) I discovered the driver that worked perfectly with my hardware: Powermust Driver. Powermust reports all the information (with the exception of the temperature variable) I had with the propietary software distributed by Belkin. All the notification system works perfectly with this driver.

So, if you are looking for a cheap and effective UPS unit for your linux, I really recommend buying one of the Belkin F6H series.

1. Master the Operating System you use

Stay away from the Windows vs Linux wars. Choose the OS you like and learn about it. Most of the security breaks are due to administration errors: not staying up to date, running services not needed, bad password policies…

Using Linux is itself no guarantee of security. You have to manage it properly.

Personally I am in love with Gentoo Linux: a Linux distribution from programmers to programers.

2. Have your system updated (automatically if possible)

Security bugs are discovered every day (Bugtraq List). So you should be updating your system everyday and doing it as automatically as possible. In Windows you have Windows Update for updating the operating system. Software not part of the operating system should be updated independently.

For Gentoo, you can have all your system updated easily:

These two lines will only synchronize with the latest packages and show you the info. The integration process should be done manually to detect potential issues.

You can check for known security vulnerabilities in Gentoo Linux using the Gentoo Linux Security Announcements (GLSA) (currently a service in beta)

At the moment glsa-check is an experimental tool.

3. Run the minimum number of services

Do not have services you do not need. Every installed service may be a new security hole on your computer. Some linux distributions come with a generic configuration with a lot of default services you won’t need. Disable all the services and start activating the ones you need. That is exactly what you get when you start installing Gentoo from scratch.

4. Firewall your system

Have a robust (highly configurable and with a decent support for logging and alerts) firewall installed on your server and configure it properly.

Linux firewalls are based on Iptables. This is a great tutorial on Iptables. Ulogd is a daemon for iptables very useful to have an independent log file for your firewall.

5. Use encryption when connecting with your server

Do not use telnet, rlogin or ftp. Those protocols go across the Internet unencrypted. In Windows, if you use Terminal Services enable encryption. In linux, OpenSSH is the right tool.

OpenSSH allows you to encrypt all traffic and provides tunnelling for the rest of the ports. Use OpenSSH with the RSA/DSA authentication. I always have with me the private key in my USB removable device. If you examine your logs you will see dozens of attempts per day trying to log into your machine. If you have your server connected 24h/day you should have this port well secured. Disable direct root login and try to use a high level port. OpenSSH offers you sftp, the encrypted version of ftp.

6. Detect changes to important system files

You want to know every change that is made to your system files, at least to the critical ones. AIDE is your friend here. It works by making cryptographic hashes for the files to be checked. Those hashes should be stored in a safe device: a read-only one, for example.

7. Check against rootkits

You don’t want rootkits in your computer. So, you should be doing continuous checkings against this. I recommend to run both Rootkit Hunter and chkrootkit every day.

8. Scan all your logs to detect suspicious activity

You should watch all your logs everyday. Doing this automatically is prone to errors, so you should have a daemon doing this for your and emailing you when it finds something suspicious. Logwatch is an useful tool for this. It will send you emails every day with automatically generated reports.

9. Continuously monitor your system

It is vitally important that you continuously monitor the health of your system to detect anomalies: cpu usage, network traffic, memory usage, system temperature, hdd status, etc. Cacti (a back-end for RRDtool) is ideal for this.

10. Automatize as much as possible

Minimize the things you manually do. You have Task Scheduler in Windows and Cron Jobs in Linux. For example, these are the some tasks I have automatized in my server:

Synchronize to the latest stable packages.

Check for known vulnerabilities in the system.

Run AIDE to detect changes in system files.

Look for rootkits with chkrootkit.

Look for rootkits with rkhunter.

Generate reports from system logs.

Check for new network ports opened.

And that makes ten guidelines. I know I leave lot of topics (nessus, snort, etc) but they will have to wait for other posts. I hope you have enjoyed this recommendations. Do not hesitate to give comments here.

I wanted to start a topic (the first on Linux, I promise more on this) about the hardware machine where this blog is hosted: a machine installed in one corner of my living room. I bought the box to be the server for all my machines at home (personal computer, media center, videogame consoles, ip camera, fileserver…). Being network security one of my hobbies I am always playing with security tools. That is one of the reasons why I decided to host this blog in my home server: to play with a new toy.

In the past, whenever I installed a linux distribution (SUSE most of the times) I always finished mutating it to my own distribution due to the fact that these clasic distributions evolve too slow. This was frustrating and time consuming for me because I had to mantain lot of packages and some big changes (gcc, glibc) could break the system. When I was starting to build my own personal distribution (based on Linux From Scratch) I discovered Gentoo. Gentoo Linux is the perfect distribution to me. It is based on source (every package you install must be compiled) and it is continuously evolving like an organic system.

This is the current hardware configuration for my Linux Box:

• Shuttle Barebone ST62k
• Pentum IV Celeron 2.4Ghz 1Gb Ram
• Crystalfontz CFA-631 LCD Module

I have an internet connection with a dynamic IP. To be always accessible I’m using the services from DynDNS.

And that is enough for today, my next article on this topic will be about tips & tricks on security to avoid to be owned.