Old Storage, New To You: It’s Time To Consider Buying Refurbished Hard Drives

For the entirety of my time buying drives, going back many years, I’ve bought only new hard drives. For my servers, I’ve tried to buy NAS grade drives. NAS drives, compared to a desktop drive, are rated for more continuous operation and load.

But, my redundant backup strategy can be expensive, so while my NAS is using NAS drives I bought new, I decided for one of my two redundant backup locations, I’d try a pair of refurbished drives. I went with an outlet called Goharddrive. They sell through Amazon, eBay, Newegg, etc. Another called Serverpartdeals seems to have good reviews overall, through multiple sources.

From what my research seems to indicate, these two at least have good reputations for offering items that are not likely to fail quickly, and if they do, they quickly honor their five year warranty. Seagate and Western Digital have cut back the warranty period on some drives to 3 years, but still offer some drives at the 5 year mark. So, these refurbished drives, even if they fail, will be replaced during that period. They are designed for high data use as they were likely pulled out of data centers and other enterprise uses.

There are definitely advantages to these refurbished drives even for a primary function. But the lesson is, you shouldn’t use a refurbished drive without redundancy. But the same applies to new drives. New drives may last less time than a refurbished one, or more. So, the lesson in the end is to make sure that you never rely on a single drive regardless.

Here’s a link to a 10TB hard drive sold by Goharddrive via Amazon. A similar new NAS drive is running over double that. Assuming you get 3-5 years out of it, which is guaranteed, you may be taking a risk, but it’s an acceptable one. So, it’s perfect for sending my files to from my primary NAS, and will sit at a family member’s home as a backup server. Definitely cheaper than the cloud.


Building My NAS: Choosing The Software To Manage My Network Attached Storage

I have gone through a lot of evolution of computer technology over the years, not only the technology, but my thinking. I remember my first server, which doubled as a NAS. It was a yellow full tower server system and had wheels. Why yellow? It was really inexpensive. But it was also really overbuilt for what I needed. I never filled all the bays and I never used it to its full capacity. And technology changed. I started building smaller, rather than overbuilding. I’ve gone from desktop, to laptop, to small PC, to mini PC, which is an evolution conversation in itself.

When my home built NAS died in the middle of the night some years ago, I ran to the store and bought a commercial NAS, because I was at the point in my life where I didn’t want to deal with another home build. So I went with a NAS and then a dedicated home server next to the NAS. And that was partly because the commercial NAS software was limiting and the manufacturer had stopped updating my model, but also because the hardware in NASes is always behind what you can get if you build it yourself. So, by investing in a NAS case, a motherboard, and using open-source software, I can in future swap out the motherboard, upgrade the RAM, etc. and continue…provided I keep to the same software platform. The lifespan is much longer.

I could run all my applications on the NAS, especially with the new hardware, but I want something that acts like an appliance…something that only is storage and storage related functions. I don’t want to clutter it with other things, even though it means another system to run server functions. Last time, I installed Linux and configured it. But there is software to make a computer a dedicated appliance, so it eliminated all the work I had to do to get everything working.

There are three popular options for NAS software…TrueNAS, Unraid, and OpenMediaVault.

TrueNAS has a commercial and a community version. It comes in the classic Core version, based on FreeBSD, and the newer Linux based Scale. I get the impression Scale is the future for the project. Scale allows for containers and virtual machines if you want to run your applications on top of it. For the drives, it offers ZFS and the ability to deploy object storage similar to Amazon’s S3. ZFS is an incredibly robust filesystem.

Unraid, by comparison, is also commercially supported, with a license cost of $49 to $249, which includes the software. The most expensive membership at $249 is lifetime, which means updates for life, and the others offer updates for a year with a fee to upgrade after that. Even with no updates, some security patches are still offered for the older versions. The advantage of Unraid is it can manage drives that vary in size, speed, brand, and filesystem…so no RAID technology. Instead, it uses a dedicated parity drive, and offers a cache drive for speed.

Openmediavault is closer to Unraid in its simplicity, but has no commercial cost. It seems to sit in the middle of the options here and can veer toward either the Unraid feature set or the TrueNAS one.

I ended up with TrueNAS, because I wanted the features it offered for data storage. I’ll be talking more about that, but restoring my data took more time than setting it up did. It is now handling 100% of the file serving the previous server did. I still have backup and other redundancy functions to configure, but I’m 100% back online.

Building My New Network Attached Storage (NAS): A Change of Plans, Keeping Up With The Jonsbo

Despite the fact that my ODroid H4+ had an issue, I remained committed to building a NAS to replace my commercial one. So, even as I continue to pursue the Odroid H4+, I decided to revisit the other option I’d considered. My original plan was to build a mini-ITX NAS, and, feeling nervous about the ODroid’s future, I decided to go back to that plan.

I really wanted a low power, small NAS, but while I liked the simplicity of the Odroid 4 drive case, the experience of assembling the case made me a bit concerned about how running a case that is supported entirely by the drives might work out. I decided, since I need to have a secondary location to store the backup for the NAS, I would use this for that, and I’d go more conventional for the primary location. That is a bit more than I’d budgeted for, so this is going to have to last me a while.

On reading a lot of commentary on Mini-ITX NAS cases, I had decided on the Jonsbo line of NAS cases. There’s the Jonsbo N2, which supports five hard drives, or the slightly larger Jonsbo N3, which supports eight hard drives. While I opted for the N2, I can understand some wanting the extra space for future expansion.

The budget board I opted to try is also an N100, the same line I’d been advocating for. There are a variety of variations of this board sold, for example by CWWK, HKUXZR, or Dytebeply. With minor variations, these boards contain 6 SATA ports…5 of which are via an expansion chip, which may cause throughput issues. They also have 4 2.5 gigabit ethernet ports and 2 M.2 ports on the board. Reading a lot of reviews of these boards, they take a long time to POST and may have limited RAM options, but a lot of people are using them, it seems. I’ll be talking a bit more about how I might set up the options I’ve chosen.

If I only wanted a 2 drive NAS, the Aoostar mini PC would be tempting.

The next challenge is how I am going to configure this. There are a lot of decisions, even once I have the hardware.

Monitoring with Uptime Kuma

Earlier today, the server that hosts Gadget Wisdom was down for ten minutes. This happens every so often, and the server is due for replacement one of these days as the oldest one I have. But one of the problems I have is that local monitoring is…well, local. You shouldn’t run your monitoring solely on the server you are monitoring. You need something external as well.

So, enter Uptime Kuma. Uptime Kuma came onto the scene two years ago, as a self-hosted version of something like UptimeRobot (which does offer a free tier). There are other self-hosted products as well, but I was able to get this running in a short period of time, it provides exactly what I want, and it looks like it has an active development team.

So, what features does Uptime Kuma offer?

  • Dozens of notification methods to configure…email, messaging, SMS, etc.
  • HTTP, ping, as well as server specific monitoring.
  • Useful Stats and Graphs
  • Optional Public Status Pages

So, now, I’m waiting for my next downtime, to see how exactly this works in production, but just having the ability to remotely monitor and get notifications is another tool in my monitoring arsenal.

Multiple Vulnerabilities found in Wink and Insteon Systems

Rapid7 reported that they detected major vulnerabilities in the Wink and Insteon Smart Hub systems.

This is of particular concern to me as a Wink hub user. The Wink Android app was storing sensitive information insecurely, which has now been patched.

The other vulnerability is apparently being fixed. The Wink API does not revoke authentication tokens when you log out, and new tokens do not invalidate the use of old tokens.

I’ve long been concerned about the long term health of Wink. It’s been with two different owners and it is hard to understand where it might go. And hubs in general might go away in favor of Wi-Fi or Bluetooth as a standard over things like Zigbee and Z-Wave.

But the fact they fixed these issues at least suggests that they plan to move forward.

Let’s Build a Server: Part 2 – Monitoring

Monit

Last time, in Part 1, we discussed setting up a firewall and an email relay so notifications from the firewall could get to us.

Now, in Part 2, we’re going to talk about getting more signal from the server: monitoring and alerting. Our primary software for monitoring is Monit.

Monit has a single configuration file, but many distributions, including mine, set up a /etc/monit.d folder so you can divide your monit configuration into different files.

Once it is running, you can monitor its status by running
monit status
It will show the status of whatever it is monitoring. There is also an optional web interface, if you want to check status in a web browser.

What can you monitor?

Monit can monitor any program and restart it if it crashes. For example:

check process nginx with pidfile /var/run/nginx.pid
    start program = "/bin/systemctl start nginx.service"
    stop program = "/bin/systemctl stop nginx.service"
    # restart nginx if an HTTP request to the local port fails
    if failed host 127.0.0.1 port 80 protocol http then restart
    # stop trying if it keeps crashing (newer Monit releases spell this action "unmonitor")
    if 5 restarts within 5 cycles then timeout

As you can see, the simple scripting language allows you not only to restart services and execute programs, but also to alert the user.

Not only can it make sure something is running, but it can monitor its resource usage, as well as system resource usage. It can monitor processes, network connections, programs and scripts, files, directories, etc.

An Alternative to Email Alerts

The default for an alert is to send an alert email, but for bigger emergencies, a phone push notification is also useful.

Monit provides a simple instruction on how to set it up for Pushover. There is also the alternative of PushBullet.

Pushover costs $5 per platform (Android, iOS, Desktop) to use on as many devices as you want. There is a per application limit of 7,500 messages per month. Pushbullet is, by comparison, free. The basic difference as I see it is that Pushbullet is more geared toward the consumer, and Pushover is more geared toward developers in how it was initially set up. They do have similar feature sets though.

Here is Monit’s suggested Pushover script, which can be run (via an exec action) instead of an email alert. Monit exports MONIT_HOST, MONIT_SERVICE and MONIT_DESCRIPTION into the environment of anything it executes.

#!/bin/sh
# Called by Monit; the MONIT_* variables come from Monit's environment.
/usr/bin/curl -s \
  -F "token=your_mmonit_or_monit_app_token" \
  -F "user=your_pushover_net_user_token" \
  -F "message=[$MONIT_HOST] $MONIT_SERVICE - $MONIT_DESCRIPTION" \
  https://api.pushover.net/1/messages.json

Here is an alternative version for Pushbullet. The JSON body must be in double quotes so the shell expands the MONIT_* variables; inside single quotes they would be sent literally.

curl -u "<your_access_token_here>:" -X POST https://api.pushbullet.com/v2/pushes \
  --header 'Content-Type: application/json' \
  --data-binary "{\"type\": \"note\", \"title\": \"$MONIT_HOST\", \"body\": \"$MONIT_SERVICE - $MONIT_DESCRIPTION\"}"
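Both curl one-liners above splice Monit’s variables straight into a shell string and put the API token on the command line, where any local user can read it with ps. The script below is an added example (not Monit’s or Pushbullet’s code) of the same alert done with the standard library: the bodies are built with json.dumps and urlencode so a description containing quotes cannot corrupt the request, and the token is read from TOKEN_FILE, an assumed path you create mode 600. The endpoints are the public Pushbullet and Pushover URLs from the scripts above.

```python
"""Monit -> push-notification script (added example; not Monit's own code).

Monit runs it from an "exec" action and exports MONIT_HOST, MONIT_SERVICE,
MONIT_DESCRIPTION and MONIT_EVENT to the environment. Bodies are built with
the standard library (no shell quoting) and the token is read from a file.
"""
import json
import os
import sys
import urllib.parse
import urllib.request

PUSHBULLET_URL = "https://api.pushbullet.com/v2/pushes"
TOKEN_FILE = "/etc/monit/push-token"  # assumed path; create it mode 600, owner root


def monit_context(env):
    """Collect the fields Monit exports; anything missing reads "unknown"."""
    return {k: env.get("MONIT_" + k.upper(), "unknown")
            for k in ("host", "service", "description", "event")}


def pushbullet_payload(env):
    """JSON body for Pushbullet /v2/pushes; json.dumps handles all escaping."""
    ctx = monit_context(env)
    note = {"type": "note", "title": ctx["host"],
            "body": "%s - %s" % (ctx["service"], ctx["description"])}
    return json.dumps(note).encode()


def pushover_payload(env, app_token, user_key):
    """Form-encoded body for Pushover, same message format as Monit's script."""
    ctx = monit_context(env)
    fields = {"token": app_token, "user": user_key,
              "message": "[%s] %s - %s" % (ctx["host"], ctx["service"],
                                          ctx["description"])}
    return urllib.parse.urlencode(fields).encode()


def read_token(path=TOKEN_FILE):
    """Token lives in a file, not in the Monit config or the process list."""
    with open(path) as fh:
        return fh.read().strip()


def send_pushbullet(env=None, token_path=TOKEN_FILE):
    """POST the note; returns the HTTP status code (200 on success)."""
    env = os.environ if env is None else env
    req = urllib.request.Request(
        PUSHBULLET_URL, data=pushbullet_payload(env), method="POST",
        headers={"Content-Type": "application/json",
                 "Access-Token": read_token(token_path)})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status


if __name__ == "__main__":
    sys.exit(0 if send_pushbullet() == 200 else 1)
```

Hook it up in Monit with an exec action (for example `if failed ... then exec "/usr/local/bin/monit-push.py"`); a Pushover sender would post pushover_payload() to the Pushover URL the same way.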

Conclusion

In all cases, monit allows you to monitor your system and take action based on a change in performance. The complexity of your rules is entirely up to you. But, if you give thought to their setup, you can not only be told when there is a server emergency, but the system can take action to fix it.

Let’s Build a Server: Part 1 – The Firewall

Tux, the Linux penguin

Necessity is the mother of invention. It is once again time to upgrade the Gadget Wisdom servers. And, as I have committed to writing more here, I will be writing some articles on server construction.

Now, this will all be done using a Virtual Private Server, so the hardware is outside of the scope of this series.

The first piece of software I usually install on network accessible servers is the ConfigServer Security & Firewall (CSF). This is a firewall with login/intrusion detection and other security checks. Most distributions of Linux come with some sort of firewall, but this set of scripts drives iptables to give a much more secure configuration.

CSF provides the scripting for the firewall and handles login failures for a variety of stock services, as well as for unsupported services, which it matches using regular expressions.

There are a lot of options in the CSF configuration file…read through the description of each…decide which ports you want open, and deploy. CSF will automatically update itself when there is a new version.

In order to ensure notifications from the firewall and other administrative notifications are read, you will likely wish to arrange for the ability to send mail. However, you may not need or wish the trouble of setting up a mail server. The simpler solution is to set up an SMTP relay.

The example below configures Postfix, available with many Linux distributions, to relay through a Gmail account. Add the following lines to the bottom of your /etc/postfix/main.cf (the relayhost line is what actually sends outbound mail to Gmail instead of delivering it directly):

# hand all outbound mail to Gmail's submission port
relayhost = [smtp.gmail.com]:587
smtp_use_tls = yes
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_sasl_tls_security_options = noanonymous

Create the file /etc/postfix/sasl_passwd with your Gmail credentials. The key on the left must match the relayhost value exactly:

[smtp.gmail.com]:587 user@gmail.com:PASSWORD

Then compile the lookup table and secure both the source file and the generated .db, which holds the password in clear text (run postmap first, so the glob also catches the .db file it creates).

postmap /etc/postfix/sasl_passwd
chmod 640 /etc/postfix/sasl_passwd*

Now, any external email will route through your Gmail account. We have now protected our server from a variety of attacks, and ensured that, if there is a problem, we’ll be notified of it.

There are alternatives to Gmail. For example, Mandrill offers 12,000 emails per month for free, and 20 cents per thousand after that, and Sendgrid offers 200 emails, and 10 cents per thousand.

You can use Mandrill or Sendgrid instead of Gmail by using credentials in the following form (and the matching relayhost).

[smtp.mandrillapp.com]:587 USERNAME:API_KEY
[smtp.sendgrid.net]:587 USERNAME:PASSWORD
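Two mistakes silently break or weaken the relay set up above: a sasl_passwd key that does not match relayhost (Postfix connects to the relay but never authenticates, so mail is rejected), and a sasl_passwd or sasl_passwd.db left world-readable, which hands the account password to every local user. The checker below is an added example, not Postfix tooling; the main.cf and sasl_passwd text it parses is constructed for the example, and it mirrors Postfix’s documented lookup order (next-hop as written, then the bare hostname).

```python
"""Consistency check for a Postfix SMTP-relay setup (added example)."""
import re
import stat

# Constructed sample config, matching the Gmail relay described above.
MAIN_CF_OK = """
relayhost = [smtp.gmail.com]:587
smtp_use_tls = yes
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
"""
SASL_OK = "[smtp.gmail.com]:587 user@gmail.com:PASSWORD\n"


def parse_kv(text):
    """'key = value' lines -> dict; comments and blank lines are ignored."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            out[key.strip()] = value.strip()
    return out


def parse_sasl_passwd(text):
    """'<relay key> <user:password>' lines -> {relay key: credentials}."""
    creds = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and not line.startswith("#"):
            creds[parts[0]] = parts[1]
    return creds


def relay_problems(main_cf, sasl_passwd):
    """Return a list of problems; an empty list means the relay is consistent."""
    cfg, creds, problems = parse_kv(main_cf), parse_sasl_passwd(sasl_passwd), []
    relayhost = cfg.get("relayhost", "")
    if not relayhost:
        problems.append("relayhost unset: mail goes out directly, not via the relay")
    else:
        # Postfix looks up the next-hop as written, then falls back to the bare hostname.
        host = re.sub(r"^\[?([^\]:]+)\]?(:\d+)?$", r"\1", relayhost)
        if relayhost not in creds and host not in creds:
            problems.append("no sasl_passwd entry for %s" % relayhost)
    if cfg.get("smtp_sasl_auth_enable") != "yes":
        problems.append("smtp_sasl_auth_enable must be yes")
    if cfg.get("smtp_use_tls") != "yes" and not cfg.get("smtp_tls_security_level"):
        problems.append("TLS off: the password would cross the network in clear text")
    if "noanonymous" not in cfg.get("smtp_sasl_security_options", ""):
        problems.append("smtp_sasl_security_options should include noanonymous")
    return problems


def mode_problem(path, mode):
    """Flag a password file readable by 'other'; mode is from stat.S_IMODE()."""
    if mode & stat.S_IRWXO:
        return "%s is world-accessible (mode %o); chmod 640 or 600" % (path, mode)
    return None
```

On a live system, feed relay_problems() the contents of /etc/postfix/main.cf and sasl_passwd, and call mode_problem() with stat.S_IMODE(os.stat(p).st_mode) for both sasl_passwd and sasl_passwd.db.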


Let’s Encrypt – A New Certificate Authority

Diagram of a public key infrastructure


Security Expert Bruce Schneier recently pointed to a joint project to create a new certificate authority that lets everyone get basic certificates for their domain through a simple process.


The idea is a certificate authority that is not only free, but also automatic, secure, transparent, open, and cooperative.

The service, called Let’s Encrypt, is set to launch in the summer of 2015.

The reason for the delay is that the service wants to leverage new standards. The most notable is ACME (Automated Certificate Management Environment). The idea is that the Certificate Authority communicates with the web server and the two work together to prove ownership and download the certificate, as well as handle configuration and renewal.

Now, considering how much of a chore certificates are right now, the standard, even outside of Let’s Encrypt, would save a lot of anguish. Once the server has proven that it is the server of record for that domain, it can handle everything.

There’s more to it than that, and certainly, there are still risks, but we’ll see what these people come up with by the time the ACME standard is finalized.


KeyCDN: A Review

In a continuing effort to get the best combination of services and pricing, I often review my choice of provider. While it is a pain to migrate services, things do change over time.

As a small site, I want the benefits of a CDN, but the monthly cost of one is not within my budget. Which is why I explore pay-per-use CDNs. Metering means that I can prepay for a few GBs of traffic and it can last me a while. I wrote about this back in 2013, when I was talking about how new providers intrigued me.

After some problems with other incumbents, I was once again looking for new options, and came upon KeyCDN, which is a Swiss CDN that is well regarded so far. I’ve been using them for about six months now. They offer $0.04 per GB for the first 10TB. And in the last six months, they’ve continued to add features.

Here are a few of their features:

  • Pay Per Use Pricing – So no minimum monthly costs
  • A Free Trial (although most of these services have that)
  • Unlimited Zones that can be aliased as subdomains on your site.
  • SSL – Shared or Custom SSL. Shared SSL is them using their certificate. If you want to alias the CDN zone as a subdomain on your site, you need to buy a certificate from them or supply your own.
  • SPDY Support
  • Push Zones (if you want them to store the content, not just pull and cache it from your site)
    • Cost is $0.90/GB per month.
    • They added rsync support after I signed up, in addition to FTP, allowing you to sync your static site to them if you want.
  • Export log files to your own syslog server
  • An API if you want to control your zones

They keep adding more features…or I keep noticing them. Until I started writing this, I didn’t know they had added syslog support. Which brings me to my only real criticism of KeyCDN: the last time I looked intently, I don’t think I saw the feature, so they certainly could be better at conveying new features to me.

Whenever I’ve needed help, they have been prompt in their response and have worked with me.

But there is so much here I don’t take advantage of that I wish to. This is a basic review, but I may go into more detail in future. I’d like to try to play with their API, as they have a PHP library on Github and I’ve been working on my PHP skills as part of maintaining this site, which runs WordPress(written in PHP).

So, give them a try…if you do, try my links…I wouldn’t mind the extra few credits in my account. If you have any questions, please send a message or leave a comment.

Responsible Disclosure: I am a customer of KeyCDN, and I am using my affiliate link, which provides me with extra CDN credit. However, my decision to finally get around to reviewing them is due to the responsiveness of their support and their feature set.