Or rather, "a summary of the torture I've bestowed on my dockstar" I'm putting together a writeup of how to take a factory dockstar and get it set up to be a stable, faithful pint-sized server. I haven't gotten around to doing the necessary html formatting and filling in a few sections, but please weigh in if anything looks wrong or if there are better options than the ones I've provided. The majority of the information I put together came from various posters, too many to list. Thanks everyone!
What can I do with a dockstar?
Once you void your warranty, quite a bit actually. You can even run Java on it if you dig through Oracle's webpage maze of twisty passages all alike. What I've managed to do is documented here:
- Dockstar running Arch Linux ARM
- Apache with WebDav (web folders) support
- Samba Windows share folders and a networked CD-ROM drive for driveless netbooks
- MiniDLNA media/music/picture streaming to XBox 360 and PS3
- Green/orange LED to indicate network activity and if OS is running
Why a dockstar?
There's a bit of a story to it, and the moral is that sometimes you have to wait for the right solution for the right price. Skip ahead if you have your own mind made up on why you're about to void your Dockstar's warranty. Read on if you're curious or if you're still on the fence.
Now that I have school-age kids, and more than two computers in active use in the house, we've been reeling from the lack of a centralized storage place for documents. Documents get lost among the different computers, and inevitably right before they're due. The kids also frequently ask me to look at photos that I've taken that sit on my computer. And it would be nice to let them view pictures or listen to MP3s on our various game consoles so we can free up computers needed for more important things.
I've tried setting up share folders from our always-on media center, but sometimes it just falls short. For one thing, it's loud and an energy drain. And we're mostly watching Netflix on demand and shutting down the media center when not in use. So much for always-on storage. So I needed a low-cost, low-energy platform. After the third time I had to reinstall Windows because my kids, despite being instructed not to, used Internet Exploder and discovered a new trojan, I decided that the platform should also be Linux-based -- if for no other reason than that I feel more comfortable securing a Linux box than a Windows box, having been an Ubuntu user for over three years.
One day, a good friend picked up a Seagate Dockstar on W00t for dirt cheap. And I felt quite envious for not moving fast enough when the deal was over. Time flies, and I finally got back to the growing pains previously described and thought about her dockstar. Another Windows reinstall later, I realized it was time to solve our in-house storage problem. And, thanks to the passage of time, I was able to get the Dockstar for $36 and a 500gb drive for $80.
Pogo is, by default, a very nice setup for someone who likes what they got out of the box and doesn't aspire to squeeze out extra features. I'm not that type of user. I needed more, and I don't want third parties having root access to something inside my network.
In retrospect, I could have gone through this exercise with a pogoplug or sheeva with the same result. Since the dockstar only has 128MB of RAM, you might want to consider whether that's going to be an issue for you before clicking the "Buy it now" button, and compare specs to similar devices.
Step one: Buy insurance
Order a CA-42 data cable for $4 or less -- keep it handy in case you goof up and have no way to connect to the box via the network.
Step two: Get root shell access on dockstar
- Method 1: First boot, don't connect to the internet
  - If you have a wireless router with DHCP, disconnect the router from the internet
  - Use the router's client list to get the IP address
  - If you only have a switch/hub, use nmap to scan for the IP address (169.x.x.x)
- Method 2: If this is not the first boot and ssh is disabled
  - Enable ssh from pogo
- Method 3: Use the serial cable (CA-42)
Step three: Install Jeff Doozan's uBoot
Instructions for doing this can be found on Jeff Doozan's site here: http://jeff.doozan.com/debian/uboot/
Step four: Set up Arch Linux ARM
Method 1: From pogo, the Arch Linux ARM install instructions detail how to format your linux drive from the dockstar directly.
Method 2: From a Linux desktop. You can perform the same instructions directly from a Linux desktop if you have one handy, since you're basically just getting the OS filesystem image and copying the files over. The advantage here is that you can drag over other files to seed the filesystem -- e.g. do some pre-configuration of other things that you want to set up, replace the kernel image up-front, etc.
Boot up the device to test, and on first login change your root password.
Optional: Create a swap file
By default there is no swap. This isn't a big deal for most small apps, but if you want to do a lot of things you might be in trouble without swap space, since the device only has 128MB of RAM. This will create a 500MB swap file at /var/swap:
[code]
# 1,000,000 blocks of dd's default 512 bytes = roughly 500MB of zeros
dd if=/dev/zero of=/var/swap count=1000000
# the swap file must not be readable by other users (swapon warns about 0644)
chmod 600 /var/swap
mkswap /var/swap
swapon /var/swap
[/code]
Add this to the end of /etc/fstab so the swap file is enabled on every boot:
[code]
/var/swap swap swap defaults 0 0
[/code]
Optional: Fix USB Sound
If you want to support USB audio, it will be choppy unless you do the following. Create the file /etc/asound.conf with the following content:
[code]
pcm.!default {
type hw
card 0
}
ctl.!default {
type hw
card 0
}
[/code]
Step five: Configure the dockstar light
- Install the dockstar kernel; a replacement dockstar kernel can be found here:
http://myplugbox.com/new/kernel26-dockstar/kernel26-dockstar-2.6.35.4-1-arm.pkg.tar.xz
- Install iptables
[code]
pacman -S iptables
[/code]
To get the orange LED to blink on TCP/IP access, edit /etc/rc.local and add the following:
[code]
# Set up the orange LED to blink on incoming TCP traffic.
# The LED target registers a trigger named netfilter-<id>; bind the LED to it.
iptables -A INPUT -p tcp -j LED --led-trigger-id tcpin --led-delay 100
echo netfilter-tcpin > /sys/class/leds/dockstar\:orange\:misc/trigger
[/code]
To get the orange LED to blink a heartbeat when the OS has halted, add the following to /etc/rc.local.shutdown:
[code]
echo heartbeat > /sys/class/leds/dockstar\:orange\:misc/trigger
[/code]
Step six: Configure automount
This is handy if you want to have a removable storage device (USB stick, DVD-ROM, etc.) that can be mounted and unmounted automatically. Nothing sucks more than having to SSH to your box just to eject a disk -- setting up automount can save you a lot of frustration.
[code]
pacman -S automount
[/code]
Edit file: /etc/autofs/auto.master
[code]
/media /etc/autofs/auto.misc --timeout=5
[/code]
Edit file: /etc/autofs/auto.misc
[code]
cdrom -fstype=auto,ro,nodev,nosuid :/dev/sr0
usbstick -fstype=auto,async,nodev,nosuid,umask=000 :/dev/sdb1
[/code]
Add automount to startup (add it to the daemons list) if you want it to run on boot.
Add this to the end of /etc/fstab: (VALIDATE -- IS THIS STILL NECESSARY?)
[code]
# fstab fields are the device first, then the mount point
/dev/sr0 /media/cdrom auto ro 0 0
[/code]
Step seven: Configure samba
[code]
pacman -S samba
[/code]
Missing: basic setup of smb.conf and setting up Samba users/passwords -- this is a well-covered topic though, so I don't plan to elaborate a whole lot...
Step eight: Configure minidlna
More info: http://Arch Linux ARM.com/index.php5?title=Application:MiniDLNA
[code]
pacman -Sy minidlna
[/code]
An example configuration: each user has a pictures, videos and music subdirectory set up. I've set up minidlna to show each of these as follows:
(/etc/minidlna.conf)
[code]
media_dir=A,/home/USER_A/music
media_dir=V,/home/USER_A/videos
media_dir=P,/home/USER_A/pictures
media_dir=A,/home/USER_B/music
media_dir=V,/home/USER_B/videos
media_dir=P,/home/USER_B/pictures
...
[/code]
That way, these folders can be easily manipulated from Samba or Apache shared folders. If you set inotify to "yes" in the config, you shouldn't have to restart minidlna in order to pick up new files.
Step nine: Configure Apache with WebDAV enabled
Download the Apache httpd source, unpack it, and build with:
[code]
./configure --prefix=/usr/apache --enable-dav-fs --enable-dav --enable-auth-digest --enable-deflate --enable-vhost-alias
make
make install
[/code]
If you are using Windows XP:
- You MUST use http and digest authentication; XP doesn't support https webdav correctly
- Usernames must have domain names (e.g. domain\user)
If you are using Windows Vista or Windows 7:
- You can use https with basic authentication if you don't care to support XP
- If you need to support XP, use HTTP with digest authentication
- Install the fix from Microsoft (why? Because they ship it in a broken state in Vista and Windows 7 -- go figure!): http://www.microsoft.com/downloads/details.aspx?FamilyId=17C36612-632E-4C04-9382-987622ED1D64&displaylang=en
- Set up user names without the domain name (and also with domain names if you are supporting XP as well)
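Added example (not from the original post): a shell script that emits an httpd.conf fragment exposing /webdav with digest authentication and writes the digest file in the format htdigest(1) produces, without needing the htdigest binary. It assumes the /usr/apache prefix from the configure line above, a realm named "dockstar", md5sum from coreutils, and hypothetical user "alice" in domain "HOME"; the Order/Allow lines are Apache 2.2 syntax, current when this was written.

```shell
#!/bin/sh
# Assumed locations (the --prefix=/usr/apache build above; share path is made up)
DAV_ROOT=${DAV_ROOT:-/srv/webdav}
DIGEST_FILE=${DIGEST_FILE:-/usr/apache/conf/webdav.digest}
REALM=${REALM:-dockstar}

# One htdigest line: user:realm:MD5(user:realm:password). This is exactly what
# htdigest(1) writes, so AuthUserFile can read the result directly.
digest_entry() {
    user=$1; realm=$2; pass=$3
    hash=$(printf '%s:%s:%s' "$user" "$realm" "$pass" | md5sum | cut -d' ' -f1)
    printf '%s:%s:%s\n' "$user" "$realm" "$hash"
}

# XP sends DOMAIN\user while Vista/7 send the bare name, so the post wants both
# forms; emit both entries from a single password.
digest_entries_for() {
    user=$1; domain=$2; pass=$3
    digest_entry "$user" "$REALM" "$pass"
    digest_entry "$domain\\$user" "$REALM" "$pass"
}

# httpd.conf fragment: DAV on, digest auth only, nothing executes from the share.
# The directory holding DavLockDB must exist and be writable by the httpd user.
webdav_conf() {
    cat <<EOF
DavLockDB "/usr/apache/var/DavLock"
Alias /webdav "$DAV_ROOT"
<Directory "$DAV_ROOT">
    Dav On
    Options None
    AllowOverride None
    Order allow,deny
    Allow from all
    AuthType Digest
    AuthName "$REALM"
    AuthDigestProvider file
    AuthUserFile "$DIGEST_FILE"
    Require valid-user
</Directory>
EOF
}

# Usage (as root): build the digest file and append the fragment to httpd.conf.
# digest_entries_for alice HOME 'her-password' >> "$DIGEST_FILE"; chmod 640 "$DIGEST_FILE"
# webdav_conf >> /usr/apache/conf/httpd.conf
```

Clients then authenticate to realm "dockstar" over plain HTTP with digest auth, which never sends the password itself.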
Step ten: Set up port forwards, and secure that server!
WARNING: If you're not comfortable with setting up firewalls, monitoring your network for signs of intrusion, or reinstalling Windows on compromised computers because you've failed to do one or both of the preceding things, then you shouldn't bother with this step. Once you forward ports into your network, you're opening a hole, and it's up to you to ensure that doesn't lead to opening up Pandora's box in the process. Once your Arch Linux ARM install is compromised, it can function as a really handy place to run rootkits and so on. There are some things to consider:
CAVEAT EMPTOR: I don't know everything. I might have gotten some facts wrong. Do your own reading. Arm yourself with knowledge. Network security is not something you should walk into blindly, or rely on a single source of information. As with any computer hooked up to a network, keep on top of security bulletins for software used on it, such as Apache, Arch Linux, etc.
1) A lot of things can be updated by a simple "pacman -Su" once in a while. That's easy to do, only takes a couple of minutes and you should make it a habit. Hopefully as long as the Arch Linux ARM community remains active, the repositories will be kept up to date. (crosses fingers!)
2) You're running a recent distro with an up-to-date (as of the time of writing) kernel, and you've compiled a recent version of Apache from source. There is not much risk (for now) that your webserver will be compromised -- unless you've set it up to run daemons as root (why did you do that?), or unless you don't periodically check for updates and re-compile it once every few months just to stay on top of the latest security patches.
3) Some rootkits rely on x86 precompiled binaries. Your device is ARM5. Assuming script kiddies are uncreative (that's a pretty safe assumption), even someone rooting your box has to be smart enough to know how to do things in a platform-agnostic way or use the right kit. In the event someone breaks in and possesses actual talent, you might do well to set a few ground rules to make their life more difficult:
- Uninstall anything you don't need. Not using Perl? Uninstall it. Not using Python or Ruby? Ditto. The less stuff is there, the fewer utilities someone will have at their disposal to do mean and nasty things. Consider putting the really powerful utilities on a thumbdrive, such as wget, gcc, make, ssh, telnet, pacman, etc., such that the only way to do anything useful is to plug in your "root-tastic" thumbdrive and mount it. Otherwise said attacker would have to find pre-compiled binaries for your system. If they couldn't figure out they're on an ARM5 box, they'll probably give up sooner or later and find an easier target. (Note: This only works if you are in close proximity most of the time -- if you're away on vacation you might want to take the gamble that you'll need those things should you remotely log in to the box; otherwise you'll be stuck with an unsolvable problem until you get home.)
- Consider walling off the rest of your network from the box and only accessing it from the "outside". See if it is feasible to set up a DMZ with your router. A compromised box in a DMZ is less of a threat than one sitting inside your network proper. DMZ might be found under "Applications and Gaming" or "Advanced", depending on your router.
- For the love of God, please change your router's root password to something besides "admin". DD-WRT is fun, and Tomatoes are delicious. But those are also very well known distributions and are easily rooted if you don't secure them properly. Don't need telnet? Turn it off. Probably best to leave SSH on in case you render your router's HTTP configuration inaccessible. But the moral here is don't leave the back door open and don't use easy-to-guess passwords. It's trivial to compromise an entire network once a router is rooted.
Okay, enough of the paranoia diatribe. Let's pretend now that you've secured your server and network -- or you flat out don't care and are ready to ride the lightning. From your router, see if it supports DDNS. If so, set up a dyndns (or similar) account. After creating your domain, configure your router for dyndns.org and give it the domain name and login credentials.
Next go to the port forwarding configuration (in DD-WRT, it's the NAT/QOS tab). Set a forward from port 80 to your Arch Linux ARM install's IP address and Apache's httpd port (probably also 80). If using https, also forward port 443. Select either "TCP" or "Both". Also don't forget to enable the port forward. If you want to SSH to your pogobox (think: cheap VPN solution), you can also forward port 22. If you want port 80 to only be available outside your network some of the time, consider only forwarding port 22 and using an SSH port tunnel when needed -- it's one less hole to deal with.
When you're done you should be able to use a browser from anywhere on the internet, go to http://yourdomain... and get to your webdav shares, webpages, or whatever no-good bidding Apache was set up to do for you. Likewise, SSH to your domain name if you've forwarded port 22.
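Added example (not from the original post): a default-deny iptables ruleset for the dockstar once those ports are forwarded to it, written in iptables-restore format so it can be reviewed before being applied and replayed from /etc/rc.local on every boot. It uses the iptables installed in step five and keeps that step's LED rule; LAN_NET (192.168.1.0/24) is an assumed home subnet, and the Samba/minidlna ports are their defaults.

```shell
#!/bin/sh
# Assumed LAN subnet; Samba and DLNA are only reachable from here, never
# from the forwarded (internet) side.
LAN_NET=${LAN_NET:-192.168.1.0/24}

# Print the ruleset. Lines starting with '#' are ignored by iptables-restore.
build_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback, replies to connections the box opened, and nothing malformed
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# step five: blink the orange LED on incoming TCP (non-terminating target)
-A INPUT -p tcp -j LED --led-trigger-id tcpin --led-delay 100
# SSH (forwarded port 22): a 5th new connection from one source within 60s is dropped
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set --name SSH
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 5 --name SSH -j DROP
-A INPUT -p tcp --dport 22 -j ACCEPT
# Apache / WebDAV (forwarded ports 80 and 443) from anywhere
-A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
# Samba (137/138 udp, 139/445 tcp) and minidlna (1900 udp SSDP, 8200 tcp) from the LAN only
-A INPUT -s $LAN_NET -p udp -m multiport --dports 137,138,1900 -j ACCEPT
-A INPUT -s $LAN_NET -p tcp -m multiport --dports 139,445,8200 -j ACCEPT
# ping from the LAN is handy for troubleshooting
-A INPUT -s $LAN_NET -p icmp --icmp-type echo-request -j ACCEPT
# log whatever falls through, rate-limited so a port scan cannot fill the log
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables drop: "
COMMIT
EOF
}

# Replace the running ruleset atomically (needs root). The default policy is
# DROP, so test from the LAN console first; the CA-42 cable is the fallback.
apply_rules() {
    build_rules | iptables-restore
}
```

Dropped packets show up in dmesg or /var/log with the "iptables drop:" prefix, which is the first place to look when checking whether the forwarded ports are being probed.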
SSH Port Tunneling (forwarding) info -- commandline: http://www.symantec.com/connect/articles/ssh-port-forwarding
PuTTY: http://www.chiark.greenend.org.uk/~sgtatham/putty/
SSH Port Tunneling with PuTTY: http://www.ehow.com/how_2036605_create-ssh-putty.html
Sources:
- Plug apps: http://Arch Linux ARM.com
- Alexander Holler: http://ahsoftware.de/dockstar/
- Jeff Doozan: http://jeff.doozan.com/debian/uboot/
- firestorm_v1: http://www.yourwarrantyisvoid.com/2010/07/21/seagate-dockstar-add-an-accessible-serial-port/
- http://www.yourwarrantyisvoid.com/2010/09/08/dead-dockstar-resurrected-with-jtag/