Monthly Archives: January 2014

Greyhole as a Raid Alternative

Over the last several years, there have been some great discussions on how to set up a home media server with some form of drive pooling, whether through software distributions like FreeNAS or through traditional RAID. I am going to review two similar yet different types of drive pooling that can make the creation of your home media server easy while allowing you to scale at a reasonable rate. This functions much like WHS Drivepooling did, using rsync and Samba to keep track of your files.

Greyhole

After Microsoft decided to remove its form of drive pooling from Windows Home Server, users began looking for alternatives. Greyhole can be installed on most Linux servers, but for the purpose of this article, we will be demoing a setup of Greyhole on Ubuntu 12.04 64-bit. (There are other ways to set this up – Greyhole)

The first thing that needs to be done is to have your install of Ubuntu complete. I recommend any LTS release that is still under current support.

You should see something like the following on your default install.

As you can see from the above picture, only one disk (sda) is mounted and has partitions. Create partitions using fdisk.

Also be sure to create filesystems on each new partition using

sudo mkfs.ext3 /dev/sdX#

Get the UUID of each partition.

Add each of these to your fstab entries and mount the disks.

On Ubuntu, Debian and any other distribution using APT, you can use the Greyhole APT repository to install and keep Greyhole up to date.
Add the Greyhole APT repository to your APT config, import the GPG public key, then use apt-get to install or update Greyhole (the same apt-get command, install, will install and update Greyhole later):

sudo sh -c 'echo "deb http://www.greyhole.net/releases/deb stable main" > /etc/apt/sources.list.d/greyhole.list'
curl -s http://www.greyhole.net/releases/deb/greyhole-debsig.asc | sudo apt-key add -
sudo apt-get update
sudo apt-get install greyhole
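
The commands above fetch the signing key over plain HTTP, and apt-key add trusts whatever it is given for every configured repository, so it is worth checking the key's fingerprint before importing it. The script below is an added example, not part of the original post or of Greyhole's documentation; key_fingerprints, key_matches and EXPECTED_FPR are hypothetical names, and the sample key listing is constructed.

```shell
#!/bin/sh
# Added example: compare a downloaded repository key with a pinned
# fingerprint before it is handed to apt-key.

# Constructed GnuPG colon-format listing (not the real Greyhole key).
SAMPLE='pub:-:4096:1:89ABCDEF01234567:1262304000:::-:::scESC:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:-::::1262304000::::Example Repo Key (constructed)::::::::::0:
sub:-:4096:1:1111111111111111:1262304000::::::e:
fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:'

# Print primary-key fingerprints from colon-format input on stdin.
# The "fpr" record after a "pub" record carries the fingerprint in
# field 10; the one after "sub" belongs to a subkey and is skipped.
key_fingerprints() {
    awk -F: '
        $1 == "pub" { want = 1; next }
        $1 == "sub" { want = 0; next }
        $1 == "fpr" && want { print toupper($10); want = 0 }
    '
}

# Succeed only if stdin lists exactly one primary key whose fingerprint
# equals $1 (spaces and letter case in $1 are ignored). A file carrying
# an extra key yields two lines and therefore fails the comparison.
key_matches() {
    expected=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    found=$(key_fingerprints)
    [ -n "$expected" ] && [ "$found" = "$expected" ]
}

# Usage on the server. EXPECTED_FPR is a placeholder for the fingerprint
# the project publishes, obtained over a channel other than this download.
# The same saved file is checked and then imported (GnuPG 1.x/2.0 syntax;
# newer GnuPG offers gpg --show-keys --with-colons):
#   curl -s http://www.greyhole.net/releases/deb/greyhole-debsig.asc -o key.asc
#   gpg --with-fingerprint --with-colons key.asc | key_matches "$EXPECTED_FPR" \
#       && sudo apt-key add key.asc

# Demonstration on the constructed listing.
printf '%s\n' "$SAMPLE" | key_fingerprints
```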

After Greyhole has finished installing, we have to set up Samba. Greyhole works by watching the Samba logs for activity and acting on it according to the config file. For more information on how Greyhole works, click here.

Direct from the Usage file

Edit /etc/samba/smb.conf
Change or add the following values in the [global] section:

    unix extensions = no
    wide links = yes

Configure your shares. Example share definition (taken from the USAGE file):

    [share_name]
        path = /path/to/share
        create mask = 0770
        directory mask = 0770
        read only = no
        available = yes
        browseable = yes
        writable = yes
        guest ok = no
        printable = no
        dfree command = /usr/bin/greyhole-dfree
        vfs objects = greyhole
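
The smb.conf settings above can be checked mechanically before Samba is restarted: wide links = yes lets Samba follow symlinks that lead outside the share path, which Greyhole depends on, and Samba disables it automatically while UNIX extensions are on. The script below is an added example, not code from the post or from Greyhole; audit_greyhole_smb and weak_conf are hypothetical names, the sample configuration is constructed, and only the settings shown above are checked.

```shell
#!/bin/sh
# Added example: audit smb.conf for the Greyhole settings shown above.
# Prints one finding per line and nothing when every check passes.
audit_greyhole_smb() {
    awk '
    function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    function yes(v)  { return v ~ /^(yes|true|1)$/ }   # Samba boolean spellings
    function no(v)   { return v ~ /^(no|false|0)$/ }
    /^[ \t]*([#;]|$)/ { next }                         # comment or blank line
    /^[ \t]*\[/ { sec = tolower(trim($0)); gsub(/\[|\]/, "", sec); next }
    {
        eq = index($0, "="); if (!eq) next
        key = tolower(trim(substr($0, 1, eq - 1)))
        val = tolower(trim(substr($0, eq + 1)))
        conf[sec, key] = val
        if (key == "vfs objects" && val ~ /(^| )greyhole( |$)/) gh[sec] = 1
    }
    END {
        if (!yes(conf["global", "wide links"]))
            print "global: wide links must be yes for Greyhole symlinks"
        if (!no(conf["global", "unix extensions"]))
            print "global: unix extensions must be no or Samba disables wide links"
        for (s in gh) {
            if (yes(conf[s, "guest ok"]))
                print s ": guest access is enabled"
            if (conf[s, "create mask"] !~ /0$/ || conf[s, "directory mask"] !~ /0$/)
                print s ": create/directory mask missing or open to other users"
            if (conf[s, "dfree command"] == "")
                print s ": dfree command missing"
        }
    }' "$@"
}

# Constructed weak configuration that exercises the checks.
weak_conf() {
    cat <<'EOF'
[global]
    wide links = yes
[Media]
    path = /path/to/share
    guest ok = yes
    create mask = 0777
    directory mask = 0770
    vfs objects = greyhole
EOF
}

weak_conf | audit_greyhole_smb
```

Run it against the live file with audit_greyhole_smb /etc/samba/smb.conf; parameters pulled in through include or copy directives are not followed.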

Restart the samba service.

# Make sure your MySQL server service (mysqld) is running, and runs on boot.
Fedora: service mysqld start; chkconfig mysqld on
Ubuntu (< 10): /etc/init.d/mysqld start; update-rc.d mysqld defaults
Ubuntu (10+): start mysql
Debian: service mysql start

# Remove the -p parameter if your MySQL root user doesn't require a password for local connections.
mysql -u root -p -e "create database greyhole; grant all on greyhole.* to greyhole_user@localhost identified by '89y63jdwe';"
mysql -u greyhole_user -p89y63jdwe greyhole < /usr/share/greyhole/schema-mysql.sql

Customize the Greyhole configuration file, /etc/greyhole.conf, as needed.
Important: you need to either use the date.timezone setting in your php.ini, or specify your timezone in greyhole.conf, using the timezone config option.

You will need to specify each storage_pool_drive along with its minimum free space:

#       storage_pool_drive = /mnt/hdd0/gh, min_free: 10gb
#       storage_pool_drive = /mnt/hdd1/gh, min_free: 10gb
#       storage_pool_drive = /mnt/hdd2/gh, min_free: 10gb
#       storage_pool_drive = /mnt/hdd3/gh, min_free: 10gb

Start the Greyhole service. Errors will appear in the Greyhole log, which you can also view by running

greyhole --logs

If everything was configured correctly, you should be able to run “greyhole -s” and have something like this appear.

In order to test the Samba log functionality, mount the Samba shares locally.

If Samba is configured correctly, you should see something like this when doing a “df -h”.

The Practice of Network Security Monitoring

I have finally been working through The Practice of Network Security Monitoring by Richard Bejtlich and will review some of the things I have learned thus far. This NSM book was just what I needed to get a grasp on the basic (and some more intermediate) steps in implementation of NSM in an organization. One benefit to me was the fact I had a network without NSM to play with and I would strongly recommend that (non-business critical to start with!).

1 ) Understanding how your network is set up will really help your understanding of the data aggregated during the assessments. Furthermore, network diagrams are something you should already have for your organization and, if not, something that should be worked on and updated on a regular basis. This holds true for IP address assignments as well. You should know what your DHCP scopes are and which addresses are static. This may seem normal to some of you, but in several organizations I have been involved with, getting this standardized is a pain.

The test network I used was not a business-critical network at my employer (after obtaining permission from management), and at the start I was unaware of the network and traffic flows associated with this specific section. Beware: if you do not have network diagrams and show them to your manager, he may ask you to start working on diagrams for all of them.

2 ) Security Onion is an awesome and easy starting point. I chose to install Security Onion on my development lab on VMware ESXi (which has access to the network I chose to start monitoring). The setup was very easy. That being said, I did choose a standalone system for the sake of learning that only monitored the one subnet. Security Onion does offer a distributed deployment option, which I have not had any experience with thus far.

3 ) If you have experience with Wireshark and WinPcap, tcpdump is easy to pick up. If you have an understanding of how networking packets are assembled, you should be all set. There are several other tools explained in the book that are all basic components of a network administrator's toolbox (or should be).

Conclusion

I am only about halfway through the book as of now but would recommend it for anyone looking to get a grasp of NSM. Understand that this is an introduction to the field and more work will be required.

Python Refresher

When you have the opportunity to take a break from being in the office, it is almost necessary to stay up to date (if not catch up) on events that have been occurring in the information technology / security fields.

I have had the opportunity to take a holiday and have been working through my backed up books, RSS feeds and forums. One of these projects or to-do items is to finish a course on www.codeschool.com. When I was an undergraduate, Python was taught as a replacement for the intro level Java course, which I think was a great option. CodeSchool offers a great refresher on the subject as I am currently working through the Python track.

I would strongly recommend CodeSchool to those that need a quick interactive refresher or to those looking to pick up a new language.