security

RAID5 + dm-crypt + LVM + ext3 Debian install and benchmarks

OK, so I've setup a RAID5 at home because I'm getting tired of failed disk drives and data losses.

Some notes:

  • The system consists of 3 x 300 GB IDE drives in software RAID5 (standard Linux kernel and mdadm), thus ca. 600 GB usable storage space.
  • I've used the stock Debian installer to set up all of this, no custom hacks or anything needed.
  • Each drive is on an extra IDE bus/controller (1x onboard/internal, 2x on an PCI IDE controller card), as broken IDE disks (lacking hot-swap capabilities) often take down the whole IDE bus with them; it's not a good idea to put two disks on one IDE bus.
  • The software stack is: RAID5 at the botton, dm-crypt on top of that to encrypt the whole RAID, LVM on top of that to partition the system into /, /usr, /var, /tmp, /home, and swap.
  • /boot is on an extra 1 GB partition (replicated on each drive) as GRUB doesn't work on RAIDed disks and I want to use GRUB, not LILO. GRUB is also installed on the MBR of each drive, so if one of them fails, the other two can still come up.
  • I installed and configured smartmontools to check the status of the drives, and hddtemp to check their temperature.
  • Stability tests so far: While the system is running, pull out one of the IDE drives (yes, they're not hot-swappable and that may not be such a good idea, usually). The system survived without data loss. Time for rebuilding the array: ca. 1 hour. Second test: while the system is running, pull the plug. The system survived that, too.

Some stats from bonnie++ if anybody cares:

Version  1.03       ------Sequential Output------ --Sequential Input- --Random-
                    -Per Chr- --Block-- -Rewrite- -Per Chr- --Block-- --Seeks--
Machine        Size K/sec %CP K/sec %CP K/sec %CP K/sec %CP K/sec %CP  /sec %CP
bonsai           2G 26727  72 39426  19 16690   7 28725  65 34164   7 215.3   0
                    ------Sequential Create------ --------Random Create--------
                    -Create-- --Read--- -Delete-- -Create-- --Read--- -Delete--
              files  /sec %CP  /sec %CP  /sec %CP  /sec %CP  /sec %CP  /sec %CP
                 16 +++++ +++ +++++ +++ +++++ +++ +++++ +++ +++++ +++ +++++ +++
bonsai,2G,26727,72,39426,19,16690,7,28725,65,34164,7,215.3,0,16,+++++,+++,+++++,+++,+++++,+++,+++++,+++,+++++,+++,+++++,+++

(Now, if I only knew what all those figures mean ;-)

No, neither the software RAID5, nor the dm-crypt layer nor LVM cause any measurable performance degradation whatsoever (from my subjective feeling). I don't care enough to measure anything. The CPU is idling all the time.

Power consumption is rather high (partly due to the mainboard and CPU, but also because of the disks + fans) and the system is pretty loud, which both sucks on the long run. I plan an ultra-silent, ultra-low-power RAID5 with 2.5" disks attached via USB to a (silent, low-power) NSLU2 for later.

LinuxBIOS talk video recording from FOSDEM 2007

LinuxBIOS logo

Highly recommended for anybody who might be even remotely interested in LinuxBIOS:

There's a video recording (OGG, 234 MB) of the LinuxBIOS talk at FOSDEM 2007 by LinuxBIOS-founder Ron Minnich.

The talk is about LinuxBIOS, its history, how it works, what the main challenges are, where it's used today and what the future will likely hold. Watch it, you won't regret it.

And if you want to know more, or maybe even consider contributing, head over to linuxbios.org or contact the mailing list.

OpenOffice / OpenDocument and MS Office 2007 / Open XML security

Interesting paper from the PacSec 2006 security conference: OpenOffice / OpenDocument and MS Office 2007 / Open XML security (PDF)

Not too surprising when you come to think of it, there are tons of possibilities to embed various kinds of malware in the new office document formats. Also, you always have the risk of leaving sensitive metadata in there... If you publish stuff, you better convert to PDF before. But even that might leave sensitive data in the PDF, mind you!

Oh, and one nice detail you might enjoy:

  • OpenDocument specification: 700 pages
  • Microsoft's Open XML specification (final draft): 6036 pages!

And that doesn't even describe all of the format (e.g. VBA macros are missing)! No further comment required...

Serious remotely exploitable hole in GnuPG

Just in case you haven't heard of this yet: GnuPG <= 1.4.5 contains a remotely exploitable security issue which has been fixed in 1.4.6.

You should really upgrade ASAP, as this problem can (theoretically) occur when GnuPG decrypts/checks encrypted email messages/signatures (for example).

If you're running Debian unstable: apt-get install gnupg

Famous Unsolved Codes and Ciphers

Here's a nice list of Famous Unsolved Codes and Ciphers.

Makes an interesting read for a rainy day... Or if you want to give one of the codes a try and solve it, go ahead, and let us know the results :-)

(via joatBlog)

Syndicate content