This NAS solution uses OpenSSH for secure transport over a TCP connection, and NFS to mount the volume on your local computer. The hardware of the NAS server is the low-cost Bifferboard.
I’m using an external hard disk via USB which is partitioned in two parts – /dev/sda1 (1GB) and the rest in /dev/sda2. Once you have installed Debian on Bifferboard, here are the commands which further transform your Bifferboard into a secure NAS:
```bash
apt-get update
apt-get -y install nfs-kernel-server

vi /etc/default/nfs-common        # update: STATDOPTS='--port 2231'
vi /etc/default/nfs-kernel-server # update: RPCMOUNTDOPTS='-p 2233'

mkdir -m 700 /root/.ssh
# add your public key for "root" in /root/.ssh/authorized_keys

echo '/mnt/storage 127.0.0.1(rw,no_root_squash,no_subtree_check,insecure,async)' >> /etc/exports
mkdir /mnt/storage
chattr +i /mnt/storage # so that we don't accidentally write there without a mounted volume

cat > /etc/rc.local <<EOF
#!/bin/bash

# allow only SSH access via the network
/sbin/iptables -P FORWARD DROP
/sbin/iptables -P INPUT DROP
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 22 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -m state --state ESTABLISHED -j ACCEPT # TCP initiated by server
/sbin/iptables -A INPUT -p udp -m state --state ESTABLISHED -j ACCEPT # DNS traffic

# mount the storage volume here, so that any errors with it don't interfere with the system startup
/bin/mount /dev/sda2 /mnt/storage
/etc/init.d/nfs-kernel-server restart
EOF

# allow only public key authentication
fgrep -i -v PasswordAuthentication /etc/ssh/sshd_config > /tmp/sshd_config && \
  mv -f /tmp/sshd_config /etc/ssh/sshd_config && \
  echo 'PasswordAuthentication no' >> /etc/ssh/sshd_config

reboot
```
There are two things you should consider with this setup:
- You must trust the “root” user who mounts the directory! They have full shell access to your NAS.
- A not-so-strong SSH encryption cipher (arcfour128) is used, in order to improve the performance of the SSH transfer.
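Two of the settings above are easy to get subtly wrong: an export line that lists any client other than 127.0.0.1 (or an options list separated from the client by a space, which exports(5) treats as "every host"), and an sshd_config where an earlier `PasswordAuthentication yes` line wins over the appended `no`, since sshd honours the first occurrence of a keyword. The following audit script is an added example, not part of the original post; each check takes a file path, so it can be run on the Bifferboard against the real files or, as in the demo at the bottom, against constructed copies.

```bash
#!/bin/bash
# Added example; not part of the original post. Post-install checks for the
# NAS configuration described above, written against file paths so they can
# be run on the real /etc files or on sample copies.

# Pass only if every client in every export line is 127.0.0.1 (or localhost):
# the NFS server is meant to be reachable through the SSH tunnel alone.
# Any other client, '*', or an options list separated from the client by a
# space (exports(5): "a space ... is interpreted as exporting to all hosts")
# fails the check.
exports_loopback_only() {
  local file="$1" path rest client ok=0
  while read -r path rest; do
    case "$path" in ''|'#'*) continue ;; esac
    set -f        # no filename globbing while splitting specs such as *(rw)
    for client in $rest; do
      case "$client" in
        '('*)
          echo "exports: $path: space before '$client' exports to every host" >&2
          ok=1 ;;
        127.0.0.1|127.0.0.1'('*|localhost|localhost'('*)
          ;;
        *)
          echo "exports: $path: non-loopback client '${client%%(*}'" >&2
          ok=1 ;;
      esac
    done
    set +f
  done < "$file"
  return "$ok"
}

# Pass only if the effective PasswordAuthentication value is "no". sshd uses
# the first occurrence of a keyword and ignores later ones, which is why the
# setup above deletes existing lines before appending its own; a file with no
# active line at all falls back to sshd's default ("yes") and fails.
sshd_password_auth_disabled() {
  local file="$1" value
  value=$(grep -i -m1 -E '^[[:space:]]*PasswordAuthentication[[:space:]]+' "$file" \
          | awk '{print tolower($2)}')
  [ "$value" = "no" ]
}

# Run both checks against a tree laid out like / ("$prefix/etc/...");
# an empty prefix audits the running system.
audit_nas() {
  local prefix="${1:-}" rc=0
  exports_loopback_only "$prefix/etc/exports" || rc=1
  sshd_password_auth_disabled "$prefix/etc/ssh/sshd_config" \
    || { echo "sshd: password authentication is not disabled" >&2; rc=1; }
  return "$rc"
}

# Demo on a constructed copy of the configuration from this post.
demo=$(mktemp -d)
mkdir -p "$demo/etc/ssh"
echo '/mnt/storage 127.0.0.1(rw,no_root_squash,no_subtree_check,insecure,async)' > "$demo/etc/exports"
printf '#PasswordAuthentication yes\nPasswordAuthentication no\n' > "$demo/etc/ssh/sshd_config"
if audit_nas "$demo"; then echo "demo config: PASS"; else echo "demo config: FAIL"; fi
rm -rf "$demo"
```

Run it as root on the NAS with `audit_nas` and no prefix after every change to the two files; the checks only read files, so they are also safe to run from a cron job that mails the stderr lines.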
On the machine which is being backed up, I use the following script which mounts the NAS volume, starts the rsnapshot backup process and finally unmounts the NAS volume:
```bash
#!/bin/bash
set -u

HOST='192.168.100.102'
SSHUSER='root'
REMOTEPORT='22'
REMOTEDIR='/mnt/storage'
LOCALDIR='/mnt/storage'
SSHKEY='/home/famzah/.ssh/id_rsa-home-backups'

echo "Mounting NFS volume on $HOST:$REMOTEPORT (SSH-key='$SSHKEY')."
N=0
for port in 2049 2233 ; do
  N=$(($N + 1))
  LPORT=$((61000 + $N))
  ssh -f -i "$SSHKEY" -c arcfour128 -L 127.0.0.1:"$LPORT":127.0.0.1:"$port" -p "$REMOTEPORT" "$SSHUSER@$HOST" sleep 600d
  echo "Forwarding: $HOST: Local port: $LPORT -> Remote port: $port"
done
sudo mount -t nfs -o noatime,nfsvers=2,proto=tcp,intr,rw,bg,port=61001,mountport=61002 "127.0.0.1:$REMOTEDIR" "$LOCALDIR"

echo "Doing backup."
time sudo /usr/bin/rsnapshot weekly

echo "Unmounting NFS volume and closing SSH tunnels."
sudo umount "$LOCALDIR"
for pid in $(ps axuww|grep ssh|grep 6100|grep arcfour|grep -v grep|awk '{print $2}') ; do
  kill "$pid" # possibly dangerous...
done
```
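The teardown at the end of that script finds the tunnels by grepping the process list for "6100" and "arcfour", which the author flags as possibly dangerous: any unrelated ssh process whose command line happens to contain those strings gets killed too. The variant below is an added example (not the post's script) that carries both forwards over one SSH connection with a ControlMaster socket, so closing the tunnel means asking that one connection to exit. It keeps the host, user, ports and mount options from the post; the key path and the control-socket path are assumptions. It also drops `-c arcfour128` and lets the cipher be negotiated, because current OpenSSH releases no longer ship the arcfour ciphers.

```bash
#!/bin/bash
# Added example; not the script from the original post. The same forwards
# (NFS 2049 -> local 61001, mountd 2233 -> local 61002) over a single SSH
# connection with a ControlMaster socket, so teardown closes exactly this
# tunnel. Key path and control-socket path are assumptions for illustration.
set -u

HOST='192.168.100.102'
SSHUSER='root'
REMOTEPORT='22'
REMOTEDIR='/mnt/storage'
LOCALDIR='/mnt/storage'
SSHKEY="${HOME:-/root}/.ssh/id_rsa-home-backups"   # assumed key path
CTL_SOCK="${TMPDIR:-/tmp}/nas-tunnel.sock"          # assumed socket path
LOCAL_BASE=61000

# Print one "-L 127.0.0.1:<LOCAL_BASE+n>:127.0.0.1:<port>" per remote port,
# in the order given, so 2049 -> 61001 and 2233 -> 61002 match the
# port=/mountport= options used on the mount command below.
forward_args() {
  local n=0 port
  for port in "$@"; do
    n=$((n + 1))
    printf -- '-L 127.0.0.1:%d:127.0.0.1:%d\n' "$((LOCAL_BASE + n))" "$port"
  done
}

# One background master connection: -N runs no remote command, -M/-S make it
# controllable through the socket, and ExitOnForwardFailure turns a local
# port clash into a failed ssh instead of a half-working tunnel.
open_tunnel() {
  # shellcheck disable=SC2046  # splitting forward_args output into words is intended
  ssh -f -N -M -S "$CTL_SOCK" -o ExitOnForwardFailure=yes \
      -i "$SSHKEY" -p "$REMOTEPORT" $(forward_args 2049 2233) "$SSHUSER@$HOST"
}

# Tell the master connection to exit; only this tunnel and its forwards go away.
close_tunnel() {
  ssh -S "$CTL_SOCK" -O exit "$SSHUSER@$HOST"
}

run_backup() {
  local rc
  open_tunnel || { echo "could not open the SSH tunnel to $HOST" >&2; return 1; }
  if ! sudo mount -t nfs -o noatime,nfsvers=2,proto=tcp,intr,rw,bg,port=61001,mountport=61002 \
          "127.0.0.1:$REMOTEDIR" "$LOCALDIR"; then
    close_tunnel
    return 1
  fi
  sudo /usr/bin/rsnapshot weekly
  rc=$?
  sudo umount "$LOCALDIR"
  close_tunnel
  return "$rc"
}

# Only act when invoked as "./script backup"; sourcing the file just defines the functions.
if [ "${1:-}" = "backup" ]; then
  run_backup
fi
```

`ssh -S "$CTL_SOCK" -O check "$SSHUSER@$HOST"` reports whether the master is still alive, which is handy from a second shell while a long rsnapshot run is in progress.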
Update, 29/Sep/2010 – performance tuning:
- Added “async” in “/etc/exports”.
- Removed the “rsize=8192,wsize=8192” mount options – they are auto-negotiated by default.
- Added the “noatime” mount option.
- Put the SSH username in a variable.
Resources: