Port Spanning: Buying a 48 Port Enterprise Switch to Spy on Yourself at Home

Why?

A few months ago I realized it is rather hard to tell if any devices on a home network are compromised. A typical wireless modem / router combo is simply too weak to do serious traffic analysis, and such analysis probably couldn’t be implemented anyway, because then ISPs would have to do something about all the alerts from their provided modem-router-wireless access point combo devices.

Nextcloud and DNS overrides

Why?

Nextcloud is a very easy way to get something approximating your own Dropbox or Google Drive (and it even has a Linux client unlike Google Drive!)

Redesigning home network for pfsense

Why?

With pfsense I can have full control over DHCP, DNS, and other aspects of the network. My TPLink wireless router has to be restarted for small changes (like a new static IP), and provides almost zero information on usage and throughput.

Installing Zeroshell on the Orange Pi Zero

Purpose

Zeroshell is an appliance Linux distribution for routing and firewalling, with a special focus on being extremely low footprint.

  • It is configurable by a clear web interface and command line over SSH.
  • It gets automatic security updates by default.
  • RAM, disk, and CPU usage are extremely small.

Backing up and Rebuilding my server

Reason

So when I built my home server for learning, testing, and some light usage as a NAS and VM host, I threw in 5 old laptop drives ranging from 250GB to 500GB. Some of them report questionable reliability in SMART, and most have poor IO performance.

Controlling the fiery demon inside the Orange Pi Zero 512MB

Lockups

On the stock settings for both the 3.4 and 4.* Armbian distributions, the H2+ SoC runs quite hot (60C+ normal) and tends to lock up after a few seconds on any intensive task. A large part of this is the 4 cores running as high as 1.2GHz without active cooling. The GPU also remains active even if no display is connected to the TV-out port.

Planning a Raspberry Pi based MP3 Player

Why?

Walking my dogs, waiting for the bus, and walking home in the icy wastes of Canada can be quite boring when there is only the wind to listen to. I usually find trying to set up my phone for music or audiobooks results in frozen fingers. Additionally, even if the cold is not too bad, snow or rain can make touchscreens unusable.

Reworking my home network servers

The Current Setup

After adding a few servers to my home network organically, it has grown a bit wonky. The main issues are:

  • No DNS server, so no hostnames. As I get to 3-4 servers this makes it a little annoying to constantly type IPs.
  • Two separate file servers due to one being the attached storage for Transmission.
  • The 600GiB dedicated file server is on the DLink network which is 100Mbit speed. While this shouldn’t be an issue for Wifi-connected clients, it could slow down server-to-server transfers or slow down transfers if multiple wifi clients are accessing the file server at once.

Syncing Rhythmbox Playlists with Dropbox

Manually moving playlists between computers is pretty annoying. Luckily, Rhythmbox keeps all the playlists and the library in XML files in your home directory. This means we can move the XML files to a cloud-synced directory and then symlink to it.

Age of Mythology Gold on Ubuntu 16.04 LTS using PlayOnLinux and ISO files

Required files and packages

I used ISOs made from the box set of Age of Mythology Gold purchased sometime in 2007 and copied to ISO sometime in 2010. The ISOs:

  • AOM_D1.iso
  • AOM_D2.iso
  • AOMX.iso

I also have both the Age of Mythology and Titan’s Expansion original CD keys in a text file with the ISOs. Avoiding the CD key check would require questionable copy protection crackers.

Adding an OpenVPN server to the home network

Port forwarding properly and letting PiVPN do the rest (with DynDNS on the router)

Using PiVPN it’s only a few button pushes and config details to set up a VPN on a RPi or Debian/Ubuntu server. The main bother is that the port forwarding needs to be right (1194 or some other port on *UDP* from the outermost router right to the Pi), and that a DynDNS service is needed if the public IP address will be changing. In my case since it’s a home internet connection the IP can change at any time, so halfway through the install process I signed up for a no-IP address and set up DDNS on the outermost router.

ISP modem/router to TPLINK router to DLINK router with only double NAT instead of triple NAT

What on earth? Triple NAT?

The setup here is that my ISP provides a modem/router combination. It has poor wireless performance so it has wifi disabled and one of its LAN ports is plugged into the WAN port of a TPLink Archer C7. This means the ISP router’s 192.168.2.100+ IP space is empty except for the Archer C7. The Archer C7’s IP space of 192.168.0.100+ has all wireless devices. It also has devices connected to LAN ports; the home servers. As it stands we have the ISP router NATting to 192.168.2.100+ and then one IP in that range (the Archer C7) NATting to 192.168.0.100+, double NAT.

Notes Up: Markdown Journal and Note Taking Application

I was trying out ElementaryOS last week and discovered one of the apps in its appstore is a great Markdown-based notebook. For quick notes I usually find a plain text file to be too limiting, but the complexity and power of a full system like OneNote, KDE Basket, or Zim gets in the way of just writing something down in a structured format.

RPi Home Server Part 3

Raspberry Pi SSH and SSHFS Gateway

After setting up the RPi to be SSH accessible from the internet, I realized it’s only a small step further to SSH from the RPi to other computers on the network.

RPi Home Server Part 2

Miscellaneous Additions while Transmission is Broken

Adding a regular speedtest

I often find the speed I get downloading from high-speed (i.e., much better than my internet) sources is far below what my telecom promises they give me (ahem Bell Canada). As the RPi is on 24/7 I realized I could use it to make regular speed tests. I quickly found out that a tool called speedtest-cli allows a speedtest to be run from the command line. By running this (periodically) from a cronjob, you can easily run regular speed tests. I figured out a decent one-liner for the task:

Raspberry Pi Home Server

Secure access, downloads, automation, and files

I’ve had a Raspberry Pi 1 running as a pihole (DNS server that has blocklists of ad domains) and doing fairly well deflecting ads from devices that don’t have built-in adblock. Even without ad blocking, it gives very easy-to-use analytics of how many DNS lookups are being made and to where, which can catch compromised computers.

Sysadmin Storytime

Making a Python CLI reader for a story collection

As I was reading through this collection of sysadmin horror stories and often losing my place, it struck me that it must be easy to make a simple command line viewer to show one story at a time.
