I just saw a friend mention that his NAS got hijacked by a hacker and its disk encrypted, and the very same unfortunate thing actually happened to me in October 2019. Since I learned it the hard way, let me share my setup for your reference: a simple Pi or Linux-based appliance acting as a firewall + reverse proxy to reduce the risk.
First, let's talk about the mistake most people make. Usually it's going for convenience and assuming the NAS is clever and secure, then putting the NAS straight into the DMZ. That is the dumbest possible setup, but I have been that dumb myself.
By comparison, it is safer to put only the appliance (i.e. the Pi) in the DMZ and keep everything else back on the intranet.
First let me show you my toy. The appliance I'm playing with this time is the NanoPi NEO2 Black; the spec is roughly as follows.
CPU: Allwinner H5, Quad-core 64-bit high-performance Cortex A53
DDR3 RAM: 1024MB
Connectivity: 10/100/1000M Ethernet, RTL8211E-VB-CG chip
USB Host: USB Type A x 1 and USB pin header x 2
MicroSD Slot: MicroSD x 1 for system boot and storage
LED: Power LED x 1, System LED (Blue) x 1
GPIO1: 2.54mm pitch 24 pin-header, compatible with Raspberry Pi's GPIO pin 1 - pin 24. It includes UART, SPI, I2C, IO etc.
GPIO2: 2.54mm pitch 12 pin-header. It includes USB, IR receiver, I2S, IO etc.
Serial Debug Port: 2.54mm pitch 4 pin-header
Audio In/Out: 2.0mm pitch 4 pin-header
PCB Dimension: 40 x 40mm
MicroUSB: Power input (5V/2A) and OTG
Since this is a tutorial, I wiped the image I had been using outright and am starting from square one together with you.
Step 1 – Install OS
This step is more or less the same for every Linux: download the image from the repository, flash it to the SD card, and that's it. Once the OS is flashed, just power the board on and it will boot; DHCP will hand it an IP.
Step 2 – SSH into the OS
Because this appliance has no HDMI/VGA output, the simplest method is to plug in the LAN cable and scan for its IP with Angry IP Scanner.
Once you have found the right IP, just ssh in (I use the most primitive tool, PuTTY).
Step 3 – Update and upgrade the kernel and packages
apt-get update -y
apt-get upgrade -y
Step 4 – Install ufw
ufw (Uncomplicated Firewall) is a simple front-end for the Linux host firewall. I'll show you how to use it further down; for now just install it.
apt-get install ufw
Step 5 – Install nginx
nginx is an alternative to Apache; it already made an appearance in another of my tutorials, and I'll show you how to use it further down too. For now just install it.
apt-get install nginx
Step 6 – Sync the system clock
If your appliance has no RTC, you can add the line below to /etc/crontab and it will keep the clock in sync for you (it takes the time from the Date header that Google's web server returns).
## sync clock from google
45 * * * * root date -s "$(wget -qSO- --max-redirect=0 google.com 2>&1 | grep Date: | cut -d' ' -f5-8)Z"
And if you only want to sync the clock once, run this directly:
date -s "$(wget -qSO- --max-redirect=0 google.com 2>&1 | grep Date: | cut -d' ' -f5-8)Z"
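The grep/cut one-liner above works as long as the request succeeds, but if the server is unreachable or the response carries no Date header, the command substitution is empty and the appliance runs `date -s "Z"`. The script below is an added example (not from the original post) that does the same job with a small parser in front of `date -s`: it pulls the Date header out of the response headers, normalises it to the same "DD Mon YYYY HH:MM:SSZ" form the post uses, and refuses to touch the clock when no header was found. It assumes a POSIX sh with awk, wget and GNU date, the same tools the post relies on, and the URL defaults to google.com like the original.

```shell
# Added example, not from the original post. Assumes POSIX sh, awk, wget and
# GNU date (for `date -s`), i.e. the tools the post already uses.

# Read HTTP response headers on stdin (the "  Header: value" lines that
# `wget -S` prints) and print the Date header as "DD Mon YYYY HH:MM:SSZ",
# the exact form the post hands to `date -s`. Prints nothing and returns 1
# when there is no Date header, so a failed request never becomes `date -s "Z"`.
http_date_to_utc() {
    awk -F': ' '
        tolower($1) ~ /^ *date$/ { val = $2 }   # header name, case-insensitive
        END {
            if (val == "") exit 1               # no Date header: fail loudly
            sub(/^[A-Za-z]+, /, "", val)        # drop the weekday ("Tue, ")
            sub(/ GMT[ \t\r]*$/, "Z", val)      # "GMT" (plus any CR) -> "Z"
            print val
        }'
}

# Fetch the headers the same way the post does (-S sends them to stderr, hence
# 2>&1) and set the clock only if a Date header was actually parsed.
# Usage: sync_clock_from_http [url]   (defaults to google.com, as in the post)
sync_clock_from_http() {
    url="${1:-google.com}"
    stamp="$(wget -qSO- --max-redirect=0 "$url" 2>&1 | http_date_to_utc)" || return 1
    date -s "$stamp"
}
```

If you use this in the crontab entry instead of the one-liner, the cron job simply exits non-zero on a failed fetch and the clock keeps its previous value until the next run, rather than being reset to an invalid date.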
Once you have done everything above, your appliance can be considered up and running.