You are not logged in.
- Topics: Active | Unanswered
#1 2015-02-23 19:15:39
- Skatman88
- Member
- Registered: 2015-02-23
- Posts: 24
New Installation Questions
Hi all,
Newbie here after a bit of advice. I've recently been running a Plex server from Manjaro Linux and I've decided that I want to start again using Arch because I want my server to do other things and the current set up isn't secure enough IMO.
I'm a Windows native so please excuse me if some of my terminology is a bit "Windowsy" and feel free to correct me on what I'm saying because I'm really trying to find out if what I want is possible and what it's named in Linux, more specifically Arch.
Ok, with that out of the way, this is what I want to achieve.
SDA1 holds /home for my administration user account which can only be used locally or via an SSH connection from a specific device. SDA1 is going to hold Snort, and the OS only. I only want this one account to be able to do anything on this partition, however it can access the other partitions at the start (just to install software etc.) then I'll remove it's capability for this. SDA2 is going to be a Plex media server with a different account, this account can only access this partition and work on the Plex side of things. SDA3 is going to be a LAMP/FTP server. The FTP server will be set up to allow download only. SDA4 is an Encrypted upload partition, again, with a separate account. The upload partition will be an FTP/SSH server that allows remote users to upload data. Upon connection, an instance of Cuckoo Sandbox or similar sandbox is launched, and the uploaded item placed. This will allow me to investigate uploaded content - especially from unknown device addresses. I want this drive to be compromised really which is why I want it encrypted (my knowledge is that an encrypted partition should help to contain malware - kind of similar to how reverse tunneling works) - please tell me if this is incorrect. SDA5 is going to be the data partition where all my films, music, etc. are stored. This will need be accessed by the SDA1, SDA2, and SDA3 user accounts. SDA 2+3 will be read and execute only, SDA1 will be used to move items from SDA4 to SDA5 once assessed.
Snort will be used to monitor traffic and block attempted upload traffic to anything but SDA 4 (other than to connect to the device - will have to figure out signatures for this, perhaps based on data volume from a specific connection). It will be configured to push alerts to a log management server which will also be collecting logs from the device in question (and correlating them using an SIEM).
I have a drawing which I would like to upload and will provide a better idea of what I want (picture paints a thousand words), but no idea how to? Will I need to use something like Fickr?
Do you think that this is possible? If so, do you think that this is the best way of doing what I want to achieve? Would the use of VM's be a better solution?
Kind Regards,
Skat
Offline
#2 2015-02-23 22:22:11
- teateawhy
- Member
- From: GER
- Registered: 2012-03-05
- Posts: 1,138
- Website
Re: New Installation Questions
Whatever complex setup you want to build, make a simple arch installation without any extras first. When you have familiarized yourself with arch you can add more complex features incrementally. Debugging is much easier when adding only one feature at a time, instead of everything at once.
Offline
#3 2015-02-24 09:27:06
- Skatman88
- Member
- Registered: 2015-02-23
- Posts: 24
Re: New Installation Questions
I will do it that way, however I need to know right from the start if what I want is possible. I wont go and install everything, but my experience in Linux is that you cannot shrink partitions once they have already been installed. For this reason, amongst others, it is absolutely vital that I plan it correctly now.
Offline
#4 2015-02-24 19:49:39
- Head_on_a_Stick
- Member
- From: London
- Registered: 2014-02-20
- Posts: 7,749
- Website
Re: New Installation Questions
my experience in Linux is that you cannot shrink partitions once they have already been installed.
I've done that a few times -- it takes ages (and the partition must be un-mounted) but it can be done.
Offline
#5 2015-02-24 20:54:47
- Skatman88
- Member
- Registered: 2015-02-23
- Posts: 24
Re: New Installation Questions
Skatman88 wrote:my experience in Linux is that you cannot shrink partitions once they have already been installed.
I've done that a few times -- it takes ages (and the partition must be un-mounted) but it can be done.
No idea how you would achieve this. In any case, surely it's better to plan from the start what sizes you want your partitions?
Offline
#6 2015-02-24 20:57:28
- Head_on_a_Stick
- Member
- From: London
- Registered: 2014-02-20
- Posts: 7,749
- Website
Re: New Installation Questions
No idea how you would achieve this. In any case, surely it's better to plan from the start what sizes you want your partitions?
I "cheated" and used gparted -- it was to clear space for my new Debian system.
Offline
#7 2015-02-25 00:11:48
- Buddlespit
- Member
- From: Chesapeake, Va.
- Registered: 2014-02-07
- Posts: 501
Re: New Installation Questions
Everything you want to do is doable. I suggest reading up on it. Study time! My server does all you want to do (and some), but with only 3 disks. And I'm using the third disk because it's a 2TB disk that holds all of my media
Offline
#8 2015-02-25 01:19:14
- Skatman88
- Member
- Registered: 2015-02-23
- Posts: 24
Re: New Installation Questions
Everything you want to do is doable. I suggest reading up on it. Study time! My server does all you want to do (and some), but with only 3 disks. And I'm using the third disk because it's a 2TB disk that holds all of my media
Awesome! Cheers, that's just what I wanted to hear. Do you have any advice? The area I'm most concerned about is stopping intrusion from actually damaging my media. I know I said I wanted it to be compromised, but mainly just the upload partition. Will encrypting the partition make a difference? Would you recommend virtualising the drive for extra isolation?
I'm also struggling to install /boot at the moment. It keeps saying that /boot does not appear to be a .efi file, which it's not according to "parted /dev/sda print". Apparently it's in MSDOS, but I've recently had Manjaro installed and specified that it should be vfat for the boot and when using the prior command it says ext4? Not sure what's going on with it.
Offline
#9 2015-02-25 07:41:24
- Head_on_a_Stick
- Member
- From: London
- Registered: 2014-02-20
- Posts: 7,749
- Website
Re: New Installation Questions
I'm also struggling to install /boot at the moment. It keeps saying that /boot does not appear to be a .efi file, which it's not according to "parted /dev/sda print". Apparently it's in MSDOS, but I've recently had Manjaro installed and specified that it should be vfat for the boot and when using the prior command it says ext4? Not sure what's going on with it.
Please post the exact error messages rather than your interpretation of them.
What are the exact commands you have used -- "install /boot" is meaningless.
Post the output of:
# parted -l
lsblk -fOffline
#10 2015-02-25 10:05:35
- Skatman88
- Member
- Registered: 2015-02-23
- Posts: 24
Re: New Installation Questions
Ok. When I type:
# grub-install --target=x86_64-efi --efi-directory=/boot --bootloader-id=grub_uefi --recheckI get this error:
Installing for x86_643-efi platform
grub-install: error: /boot doesn't look like and EFI partition.parted -l gives this output:
Model: ATA WDC WD500BPKT-8 (scsi)
Disk /dev/sda: 750GB
Sector size (logical/physical): 512B/4096B
Partition Table: msdos
Disk Flags:
Number Start End Size Type File System Flags
1 1049kB 268MB 267MB primary fat32 boot
2 268MB 50.3GB 50.0GB primary ext4
3 50.3GB 750GB 700GB primary ext 4lsblk -f gives this output:
Name FSType Label UUID Mountpoint
sda
|-SDA1 vfat 0c67-A22d
|-SDA2 ext4 2be91b61-a90b-4047-887d-f8d710ec6d79
|-SDA3 ext4 336df331-ef47-4905-818a-d5b3931301dbLast edited by Skatman88 (2015-02-25 12:30:11)
Offline
#11 2015-02-25 12:00:35
- teateawhy
- Member
- From: GER
- Registered: 2012-03-05
- Posts: 1,138
- Website
Re: New Installation Questions
It is recommended to use GPT instead of msdos partition tables for UEFI. Your disk is currently in msdos format.
In the first command $esp is a variable. Have you set the variable to something meaningful?
Offline
#12 2015-02-25 12:31:25
- Skatman88
- Member
- Registered: 2015-02-23
- Posts: 24
Re: New Installation Questions
It is recommended to use GPT instead of msdos partition tables for UEFI. Your disk is currently in msdos format.
In the first command $esp is a variable. Have you set the variable to something meaningful?
Apologies, I've amended it now. It's set to /boot. How do I change it to GPT?
Offline
#13 2015-02-25 16:41:40
- Skatman88
- Member
- Registered: 2015-02-23
- Posts: 24
Re: New Installation Questions
Well, after playing with it for most of today, I'm still no further. However, I have managed to repartition the HDD using gdisk and now "parted -l" presents the following information:
Number Start End Size File System Name Flags
1 1049kB 2097kB 1049kB fat32 /boot boot, esp
2 2097kB 1076MB 1074MB OSWhen doing lsblk -f
it shoes :
Name FSTYPE LABEL UUID MOUNTPOINT
SDA
SDA1 vfat 0C67-A22D
SDA2
SDA3
SDA4
SDA5
SDA6Do you think it could be that it's not been mounted?
Offline
#14 2015-02-25 21:10:20
- Head_on_a_Stick
- Member
- From: London
- Registered: 2014-02-20
- Posts: 7,749
- Website
Re: New Installation Questions
Do you think it could be that it's not been mounted?
Yup.
Offline
#15 2015-02-26 22:27:31
- Skatman88
- Member
- Registered: 2015-02-23
- Posts: 24
Re: New Installation Questions
Ok, well. I'm now in a far better position than I was so I'm pretty happy at the moment. Before I go any further though I was hoping for some advice. I want all of my data to be stored on a separate partition: /data. No problem with that part. The Part I'm having trouble with is that I want my Plex Media Server, Web Server, and Honeypot running on separate partitions. I've formatted them how I want:
SDA7 is my MediaCentre, formatted in XFS, I'd like this mounted as a separate partition and I'd like this to be the location of the Plex Media Server.
SDA8 is my WebServer, formatted in ext4. I'd also like this mounted as a separate partition and be the location of my Web Server (Probs use LAMP and an FTP Download Client).
SDA9 is my Honeypot server, formatted in XFS. Again, I'd like this to be mounted on a separate partition and will be where my Honeypot Server lives.
I'd also like all three servers to be running on VM's to help isolate them.
How do I go about accomplishing this? As stated, I'm a Windows native. In Windows I'd have partitioned everything, Created the virtual machines, moved them to their respective partitions, then installed all of the applications.
First things first, how/what do I mount these drives as? Can I just mount them as /mnt/mediaserver and /mnt/webserver etc? Will these mount points then be recognised?
Offline
#16 2015-02-26 22:43:00
- progandy
- Member
- Registered: 2012-05-17
- Posts: 5,203
Re: New Installation Questions
If you want to run virtual machines, then you could manage them e.g. with qemu-kvm or libvirt. It should be easy to use a physical partition as storage with something like "qemu-system-x86_64 -enable-kvm -hda /dev/sda7". In this case, please do not mount sda7 in your host system.
If you want to run without VMs, then simply mount everything in your arch system and use user/group permissions to separate file access for the different servers.
| alias CUTF='LANG=en_XX.UTF-8@POSIX ' |
Offline
#17 2015-02-26 22:49:57
- Skatman88
- Member
- Registered: 2015-02-23
- Posts: 24
Re: New Installation Questions
I think I understand what you mean. Are you saying mount the VM to the partition instead of mounting the partition to the host? I think that would solve a lot of my problems. The reason why I'm looking at using VM's is because the Honeypot is also going to be an "upload" partition. I'm going to use it for friends to upload films/tv series which I can then move across to my data partition. However another purpose is that I want malicious users to try and exploit it by uploading malware. So the main use of the VM was to aid containment of the Honeypot.
Offline
#18 2015-02-26 23:56:16
- progandy
- Member
- Registered: 2012-05-17
- Posts: 5,203
Re: New Installation Questions
I think I understand what you mean. Are you saying mount the VM to the partition instead of mounting the partition to the host? I think that would solve a lot of my problems.
Exactly. Let the VM read/write to the raw partition and only mount it inside of the VM. I'm not totally sure how the specific virtualizers manage such a setup. Some might use the partition and add the partition as part in a virtual disk, others might simply treat the partition as the disk and create another partition table on it. Here are some other ways to use a real partition with qemu.
https://wiki.archlinux.org/index.php/QE … disk_image
Last edited by progandy (2015-02-26 23:57:30)
| alias CUTF='LANG=en_XX.UTF-8@POSIX ' |
Offline
#19 2015-02-28 16:22:52
- Skatman88
- Member
- Registered: 2015-02-23
- Posts: 24
Re: New Installation Questions
Awesome. Cheers for that. Would you say that is a more "secure" way of setting it up, or would you say mounting the partition to the base OS, then installing the VM on top of it is more secure?
Also, struggling with another stage of my installation. All my partitions are now mounted, formatted and I'm happy with them (except for the ones spoken about above which will be mounted at a later date).
I'm at the "install the base packages" of this guide. When entering the pacstrap /mnt base command I receive this error message:
error: config parsing exceeded max recursion depth of 10.
==> ERROR: Failed to install packages to new root.Google hasn't really helped me out with this one. Any ideas?
Offline
#20 2015-03-03 20:20:09
- Skatman88
- Member
- Registered: 2015-02-23
- Posts: 24
Re: New Installation Questions
Any ideas guys? Still struggling with this.
Offline
#21 2015-03-03 20:32:27
- nullified
- Member
- From: Massachusetts, USA
- Registered: 2013-12-09
- Posts: 468
Re: New Installation Questions
You've done quite a bit since this thread began, so start with the basics again. What's the output of
lsblkbefore you try to run pacstrap?
"We may say most aptly, that the Analytical Engine weaves algebraical patterns just as the Jacquard-loom weaves flowers and leaves." - Ada Lovelace
Offline
#22 2015-03-05 12:11:57
- Skatman88
- Member
- Registered: 2015-02-23
- Posts: 24
Re: New Installation Questions
lsblk -f returns:
Please note that the * are actually filled in with UUID, I'm just being lazy and can't be bothered to type them out.
Name FSTYPE UUID MOUNTPOINT
sda
sda1
sda2 ext4 * /mnt/boot
sda3 ext4 * /mnt
sda4 ext4 * /mnt/var
sda5 swap *
sda6 ext4 * /mnt/home
sda7 xfs *
sda8 ext4 *
sda9 xfs *
sda10 xfs * /mnt/datalsblk returns:
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
sda 8:0 0 698.7G 0 disk
sda1 8:1 0 1M 0 part
sda2 8:2 0 300M 0 part /mnt/boot
sda3 8:3 0 50G 0 part /mnt
sda4 8:4 0 15G 0 part /mnt/var
sda5 8:5 0 5G 0 part
sda6 8:6 0 130G 0 part /mnt/home
sda7 8:7 0 50G 0 part
sda8 8:8 0 50G 0 part
sda9 8:9 0 100G 0 part
sda10 8:10 0 298.4G 0 part /mnt/dataOffline
#23 2015-03-05 20:42:42
- Skatman88
- Member
- Registered: 2015-02-23
- Posts: 24
Re: New Installation Questions
Any help?
Offline
#24 2015-03-05 20:47:17
- Head_on_a_Stick
- Member
- From: London
- Registered: 2014-02-20
- Posts: 7,749
- Website
Re: New Installation Questions
Why has your /boot changed from sda1 and FAT-formatted (post #10) to sda2 and ext4 formatted?
I think you should follow the Beginner's Guide instead and go through it slowly and carefully from the start.
https://wiki.archlinux.org/index.php/Beginners%27_guide
Offline
#25 2015-03-05 20:53:21
- Skatman88
- Member
- Registered: 2015-02-23
- Posts: 24
Re: New Installation Questions
Why has your /boot changed from sda1 and FAT-formatted (post #10) to sda2 and ext4 formatted?
I think you should follow the Beginner's Guide instead and go through it slowly and carefully from the start.
https://wiki.archlinux.org/index.php/Beginners%27_guide
Because I re-started and reformatted the drive but following the beginners guide. I have been following the beginner guide, but I'm stuck on this part here. The problem I was having earlier was that for some reason GRUB wouldn't install onto the drive specified, which I think was to do with me having a BIOS as opposed to UEFI. Now I've sorted that part and here I am.
Offline