My Backup Server

marasm · January 25, 2017, 6:14am

So I found a pretty good deal on craigslist that I just couldn't pass up. I have actually been looking at this exact case for quite some time now, and to find it on craigslist with a motherboard was a nice surprise.

The case is a Chenbro SR30169:

The motherboard is an Asrock Rack AD2550R/U3S3. Atom D2550, dual NIC, a bunch of SATA ports.

The case is currently going for $140 on newegg, and the motherboard is either over $200 on amazon or $150 on ebay. I got everything for $150.

The motherboard is a bit disappointing to me. I guess I should have done a bit of research, but it should do just fine for my use case. It seems to be limited to DDR3-1066 and 4GB. It came with 8GB installed, and it shows up. So that's cool. But it will not boot with two 8GB sticks.

So, as soon as I got home and booted it real quick to make sure it worked, I stripped a bunch of stuff out and looked for ways to improve and mod. First thing I decided to do is replace the front USB 2.0 with 3.0. That'll be here on Friday. Should help make backups (of the backup server) go quicker.

It came with a pretty cool looking chassis intrusion switch. I'll try to get a picture of it. It is only on the left side panel, though, so I was wanting to add one to the other side. And I also wanted to add one to the front door. First thing I need to figure out was how to wire these. Series? If any of the three switches opens it should register. The second thing I want to do is monitor these from within Linux. If any of the switches open I would want the ZFS pool to unmount and the disks containing the pool to encrypt. I would also need to figure out how to (securely) turn this security mechanism on and off.

Anyone have ideas on how to accomplish this?

Gamebase · January 25, 2017, 9:16am

First, you can wire the switches in series to achieve this, or add a few transistors. As of monitorings in Linux, you can use a port or driver from the motherboard if supported or create a simple SERIAL COM or USB board to activate a script within Linux. And for encryption you can Encrypt your entire volume. So that if it unmounts you need to enter the password to mount it again.

Dexter_Kane · January 25, 2017, 9:22am

Can you see if the switches have been activated from within the OS? On my server I have a script that runs every minute which checks a bunch of things and if certain conditions are met it unmounts and locks the disks, you could do something like that.

Dexter Kane's ultra paranoid encrypted NAS (Completed) Blog

@Atomic_Charge Submitted for the month of doing it. The goal of my encrypted NAS project is to set up encrypted storage which is automatically unlocked when the system is at home but will become locked if it is removed. This protects against someone physically stealing or removing the server. Obviously for more sensitive information you would keep it encrypted and unlock when needed to protect against someone gaining access to the server. But in my case that would be impractical and unnecessary. The original plan was to store keyfiles on my phone, so that the NAS could only be unlocked if it was on my local network and my phone was also connected to the network. But this would have been a problem if I needed to reboot the server remotely. For my new plan I will be storing the keys on a VPS. As the keys can only be accessed over the local network but the VPS is physically not in my house. This protects against a scenario in which someone just steals everything. Alternatively you could get a raspberry pi with a solar panel and hide it up a tree, or any other way of having the keyfiles logically available within a certain proximity but physically distant from the server. This blog isn't really meant as a guide but I will be including a lot of the steps (as well as links to guides I used at the bottom) which may help if someone wants to do something similar. I'd also like to say that I'm totally not an expert on any of this, and there are bound to be plenty of massive security flaws in this plan. Feel free to let me know what they are :P The original NAS [image] I am not beginning this project with empty disks. I already have a NAS system with around 20TB of data on it. But because I am using individual disk (not RAID or ZFS etc.) I can move data off a disk, encrypt it and move it back. It's going to take a while but it's straight forward enough. If you have a full backup then you could just encrypt everything then load the backup, but I don't have a full ba…

[Complete] Paranoid NAS Part 2: Mercury Kill switch (Get crackin' challenge) Blog

@Atomic_Charge @gearheadgirl27 This project is a follow up to the last of @Atomic_Charge 's challenges where I put on my tin foil hat and put together an ultra paranoid encrypted NAS. For this project I'm building a physical kill switch/intrusion detection system which will shut down or reset the NAS if it is tampered with. If paranoid mode is enabled this will cause it to lock the disks so that an attacker can't access the data, if paranoid mode is disabled the system can be brought back online and the disks unlocked automatically. Yes I know this is a terrible idea, I know that if there's one thing worse than full disk encryption for unrecoverable data loss it's full disk encryption with sudden power loss. Shhh. So the plan is to have a mercury switch that will detect movement of the case, and a micro switch which will detect when the side panel is removed. There will also be a hidden arm/disarm switch, because otherwise it's going to be a total pain in the arse. Now I know a little bit about electronics, but not a whole lot, so I'm not going to build this in to the power supply which would be a much more reliable option. Instead I'm going to connect it to either the power or reset switch connectors on the motherboard, as either way it will trigger a lock down of the disks if the system is in paranoid mode (for anyone unfamiliar with the previous project, when in paranoid mode the servers will ping each other every minute to see if they're still connected and lock the disks if they're not, so a reset or shutdown will trigger that). Thanks a lot to @Th3Z0ne for helping me out with the plan, and thanks for this helpful diagram: [image] Initial testing I'm still waiting on some of the parts to come from china, all I have so far are the relays, some wire, and a micro switch I stole from work. So for now I've just thrown something together to see how it will work and refine the plan. [image] For testing I have the vibration sensor connected to the…

If your motherboard doesn't have a way of interfacing with these switches you could use an arduino or something like that and just have a service running which monitors it and runs the unmount script when the switches are opened. You could simply use your sudo password to enable or disable the service or you could add some other kind of password system to it. If you wanted to physically activate/deactivate it then maybe a key switch or something like that.

marasm · January 28, 2017, 1:53am

Thanks, @Dexter_Kane. I remember reading your amazing exploits in paranoia. I will use some of your methods for my setup.

I got Fedora 25 Server installed, and I can see the intrusion contacts using sensors. Strangely, there are two listed. Intrusion0 opens and closes with the switch activation. Not sure what or where intrusion1 is, don't see it in the manual. Not super concerned about the second one.

I stopped by Ax-Man and picked up a few micro switches and some standoffs. My dad had a reed switch he gave me, and that combined with a tiny 2.5 inch hard drive magnet works very good for the front door. Now I just need to mount the micro switch on the other side panel and wire them all up.

I also got a panel-mount dual USB3 to replace the USB2. Unfortunately the product I received most definitely did not match the picture on Amazon. So I am going to have to get creative with that to get it to fit.