Building a highly secure, cheap secondary backup from scratch

Sunday, November 30, 2014 07:55

In this article I’m going to build a NAS from Banana PI (which is a popular alternative to Raspberry PI). However, this NAS is not intended to be for general use but as a secondary backup. The primary goal of this project is to use cheap components and the result will be as secure as possible.

The parts

Okay. So the main goals have been set, I have to pick the appropiate components for the final product. I searched through E-Bay and DealExtreme mostly as these are the two shops where I can find the cheapest parts. Let’s see the list of components which are needed:

Part Specs Price Description
Banana PI $45 Definitely the most important part.
Power supply 5V, 3000 mAh $5.5 A 2000 mAh charger is sufficient, but I wanted to be sure that the performance is enough.
SATA cable $4 Required for connecting the Banana to the HDD.
Case Transparent $8 Obvious
Heatsinks 4 pieces set $5 This was a 5 set (20 pcs) set. I didn’t need 5 sets but I couldn’t find just one set.
SD card Kingston 16GB Class 10 $11.5 This part will be the main storage for the Banana. I’ll have to install the operating system here.
HDD SATA2/3 Laptop HDD $? I bought this part elsewhere (other than the two shops I mentioned earlier). Its cost highly depends on the capacity so I don’t write any price for it. However, I bought the following drive:

  • Western Digital Caviar Green 2.5″ SATA-III 2TB (around $140)
SUM $79 + HDD So this configuration should cost below $80 + HDD, which is pretty good. 🙂


Okay, I got all of the parts, now it’s time to get our hands dirty. First, take a look at the parts:

The parts

No assembly can be finished without problems. This was no exception. Fortunately, I noticed that my heatsinks won’t fit in the case because all of the chips are at the bottom of the board instead of the top. I didn’t want to leave my heatsinks out of the process so I rasped off a bit of the smallest heatsink. As it took 1 hour to do so, I switched strategy and cut out a few bars of the case which resulted in the following:

After the dirty work I could put the heatsinks on to the board:

This was followed by removing the protective layers from the case parts and assemblying them. This was easy (compared to the cutting, rasping part). The second problem was aligning the HDD on top of the case. I had to make a small gap between the four screws and the HDD in order to prevent any contact which can easily result in a short-circuit in the board of the HDD.

At this point my cut out parts came handy:

By aligning them as you can see in the picture I managed to put the HDD on top of the case. Here you can see the gap between them:

Aaaand it’s done!

You can find more images at the end of the article.

Flashing the OS

Installing the OS was a real challenge. First, it didn’t boot at all. I tried several OSes, but none of them started.

How can you know that something is wrong in your booting process?

– You plug in your Banana, both (red and green) lights are on and after a few secs both goes out and it does this over and over again

– You plug in your Banana, the red light is on but the green flashes 2 times

How can I fix it?

– Take a look at this list: It shows which cards are working and which are not with your Banana PI.

– Try to flash up a different OS on your SD card

So let’s see the solution which worked for me (I assume here that you use some kind of Linux distribution):

  1. Download Berryboot, which is a bootloader and installer for Banana PI (and Raspberry PI)
  2. Unzip it somewhere, you should get a *.img file
  3. You have to determine which drive letter your SD card has (before it, you have to plug it in your computer):
    df -h
    This should list all of the drives. You have to look for the drive which has capacity around 16 GB
  4. Write this image to the SD card with the following command:
    sudo dd if=Berryboot_For_BananaPi_v1_0.img of=/dev/sdX bs=1M && sync

This should do it. As soon as the writing finished, you can step to the next section.

Installing Raspbian

For this NAS we don’t need fancy UIs and other stuff so we are going to install a Raspbian.

Plug the memory card into the Banana, give it power and wait for the miracle. It boots up in a few seconds. After booting, it asks you for a few simple settings then you can choose the destination device which will be the flash memory (mmcblk0) in this case. In the list pick Debian Wheezy Raspbian (the latest) and install it. It’ll take a while but it’s worth it, believe me. 😉

If it is finished, restart it and boot Raspbian. It’ll show you a panel in which you should set the following options:

  • Change user password (it is not required as we will change this later again)
  • Internationalisation options (really optional)
  • Advanced Options/Hostname (change it to something meaningful, e.g. mine is BACKUP)
  • Advanced Options/SSH (set this to enabled, it is important!)

Accept the modifications and reboot the system. Now, we should be able to configure it remotely through SSH.

Setting up the system

You can now log in over SSH from your computer:

After logging in, it is recommended to install Vim, the ultimate text editor:

Setting up WiFi connection (optional)

If you want to use WiFi instead of ethernet, then you have to set it up.

Edit the /etc/network/interfaces file:

And add the following lines to it:

If you are using wpa_supplicant, then this file should look like this:

In this case you have to write your credentials in the /etc/wpa_supplicant/wpa_supplicant.conf file:

Cleaning up raspbian

As we want to make a minimal system, we don’t need packages like Wolfram engine so we’re going to remove them.

Updating the system

I haven’t forgot it of course! Just we had to stabilise the system and the network connection. Now, update the system using the following command:

Formatting and mounting Hard drive

In this step, we have to prepare our backup destination. I’ll format it to ext4 filesystem and mount it under /backup.

First, start fdisk:

In fdisk command line, remove all partitions you have, then format it using the following command sequence:

  • o (new partition table)
  • n (new partition)
  • p (primary)
  • 1 (first partition)
  • [enter] (first sector – default)
  • [enter] (last sector – default, means full disc)
  • w (write)

Okay, we’ve now created the one partition to rule them all… I mean all of our data. Now, we have to format it to ext4:

Adding it to fstab (/etc/fstab) for automounting:

Create an empty folder for this mount point:

Mount it:

And finally set the spin down time to 5 minutes to save a few watts. To do that install it:

Then edit the file /etc/hdparm.conf

Securing the system

This is the last and maybe most important step: we have to secure the system.

Fixing some issues

In the zeroth step, we have to fix a few issue in the filesystem. This can be done with the following commands:

The directories’ owners was set wrongly, but we changed it to root.

Installing UFW

Then, we need to set up a firewall which will ban every port, except 22. I don’t like iptables so I’ll use ufw, which is a lightweight iptables manager. Configure it using the following commands:

So sudo ufw status should look like this:

Installing fail2ban

Our next layer of protection will be fail2ban. This python daemon will monitor the log files and look for traces of guessing. If somebody tries to break into the system by bruteforcing or guessing the passwords, it’ll ban it for a certain time.

To do that, we have to install it first:

Then, we have to configure it:

Set the following configurations:

And make sure that everything is set to enabled = false other than SSH and finally, restart fail2ban.

Creating backup user and hiding sudoer

In this step we’ll create a user which can access to the /backup folder only and secure the sudoer user.

First, create a user and set its password:

Change the default sudoer username and password to something irregular. This is tricky because we have to make our new user as a sudoer, change the original user’s name, then revoke the sudoer rights:

Then finally, ban the sudoer user from SSH:

Change the following lines:

Here you can deny password also but instead I simply use 16 characters long random generated passwords. Don’t forget to restart SSH server:

Maximalising security: encrypting the backup partition

We want to finish what we have started, right? So, encrypt the whole HDD for maximalising the security. To do this, we’re going to remap /backup to /home as we cannot use full disk encryption because that would require root access every time we want to mount that partition which wouldn’t be too secure (loggin in every time as a sudoer user). So instead, we’ll remap the drive and encrypt the backup user’s home directory.

So remap /backup to /home by editing the /etc/fstab file:

And unmount, remount /dev/sda1:

Now, you should see that the new home is empty and big by executing df -h:

Important! Don’t forget to change the backup user’s home directory!

Note: you might need to temporarily enable SSH access for the sudoer user to log out the backup user.

Enable home encryption for BACKUPUSER:

Try out your new home as it is told by logging in as BACKUPUSER. If it works fine, then you can now delete the backup directory:

You’ve finished! Don’t forget to revoke SSH access from the sudoer user!


A gallery about the Banana:

Presentation: Building a highly secure, cheap secondary backup from scratch

Related articles:

No comments fo far.

Leave a Reply