Setting Up A Linux Box As Fileserver... How To Keep It Safe?

[blackriver]

I wanted to turn an old computer into a fileserver (running Debian). I wanted to store all my data there, so that my regular PC will only have one HDD running the OS (Windows) and programs. So I created a samba share, and got it working neatly right away. But after installing some pentesting tools, it occured to me that storing all my sensitive, private and personal data and running shady hacking/pentesting tools on one single box might not be a good idea.

Now, my question is, how to keep my personal data as safe as possible on my little Linux fileserver? I have used a different user + usergroup for my samba shares, so my normal user account can't access the samba shares thanks to regular Linux file permissions.

Is there anything more I can do?

[Sparda]

There are lots of things you can do. You could, for example, get a second computer and physically separate them from each other by setting up multiple networks. This requires effort and money however.

Another (free) option would be to install any penetration testing software in a virtual machine. However, it will still be on the same network as the other computer, but at least any vulnerabilities introduced as a result will only effect the VM and not your main computer.

[blackriver]

That second solution is actually not so bad... I could keep the fileserver steady and stable, and do my crazy coding and pentesting from a virtual machine.

One other thing, would drive/partition/directory encryption do any good in this case?

[hexophrenic]

There are lots of things you can do. You could, for example, get a second computer and physically separate them from each other by setting up multiple networks. This requires effort and money however.

Another (free) option would be to install any penetration testing software in a virtual machine. However, it will still be on the same network as the other computer, but at least any vulnerabilities introduced as a result will only effect the VM and not your main computer.

If you must have the networks separated, you can install a second NIC in your system and bind your virtual NIC to the second NIC on the machine and use VLANS/firewalls/whatever to segment your network. I would be very hesitant to leave a lot of tools on a machine that is left alone like a file server. For me, I would not even have compilers installed on it, but that may be a little too paranoid for some.

[Infiltrator]

If you must have the networks separated, you can install a second NIC in your system and bind your virtual NIC to the second NIC on the machine and use VLANS/firewalls/whatever to segment your network. I would be very hesitant to leave a lot of tools on a machine that is left alone like a file server. For me, I would not even have compilers installed on it, but that may be a little too paranoid for some.

There is always the possibility of encrypting the drive, if paranoia is really a concern for you.

[hexophrenic]

There is always the possibility of encrypting the drive, if paranoia is really a concern for you.

The files themselves were not my concern, but rather having all of the tools available to compile software would be. Without headers, dev packages, and compilers, the box would be a little less useful to someone other than myself. File servers are great to tip because people tend to ignore them for the most part, they are great for launching...well, nevermind :).