Installing Debian on the PogoPlug

Introduction

This guide describes the steps I took to install and configure Debian on my PogoPlug. I never made a Pogoplug account, nor do I plan to ever use the service, so your steps might be different (e.g. you may need to explicitly enable SSH through my.pogoplug.com). Several of these steps are largely straight from other guides such as Jeff Doozan's, but this is meant to go further into detail and provide some direction after installation is complete.

Step 0: Backup your PogoPlug

Before you prepare the USB drive you're going to use, we're going to back up the NAND to it using Mr. Doozan's tool. Hook up your Pogoplug with power, network, and plug in the USB drive. Open up a terminal on your main computer and figure out the IP address that your DHCP server gave it. You can probably do this most easily from your router's web interface. In DD-WRT, right on the main page there is a list of DHCP clients. Mine was 192.168.1.122, but yours will most likely be different. So we SSH in and turn off the PogoPlug service just to be safe:

ssh root@192.168.1.122    # password: ceadmin
killall hbwd

If you explore a bit, you'll find that most of the filesystem is read-only, but /tmp is not. So let's use that to do what we need to do: mount our USB drive and make our backups.

cd /tmp 
mkdir usb
mount /dev/sda1 /tmp/usb 
wget http://mehl.co/files/nanddump 
chmod +x nanddump 
./nanddump -nf usb/mtd0.oob /dev/mtd0 
./nanddump -nf usb/mtd1.oob /dev/mtd1 
./nanddump -nf usb/mtd2.oob /dev/mtd2 
./nanddump -nof usb/mtd0 /dev/mtd0 
./nanddump -nof usb/mtd1 /dev/mtd1 
./nanddump -nof usb/mtd2 /dev/mtd2 
umount /dev/sda1

Oddly, the PogoPlug has a ton of entries for /dev/sda, sdb, sdc, and so on. But as long as your USB drive is the only thing attached and it has one partition, it is almost certainly /dev/sda1. If it has more partitions, I assume you know enough that you don't need additional direction here. It's possible to restore these in some situations where things go wrong, so it's best to have them around.
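
Once the drive is back on your main computer, the dumps can be sanity-checked and checksummed before you store them. The script below is an added example, not part of the original guide or Mr. Doozan's tools; the function names and the SHA256SUMS manifest file are assumptions, and it relies on sha256sum from coreutils.

```shell
#!/bin/sh
# Added example (not from the original guide): sanity-check the six NAND
# dumps and record their checksums. Run it on the main computer.

# Check that every dump exists and is non-empty, and that each dump taken
# with OOB data is larger than its counterpart taken with -o (OOB omitted).
check_nand_backup() {
    dir=$1
    for n in 0 1 2; do
        plain="$dir/mtd$n"; oob="$dir/mtd$n.oob"
        for f in "$plain" "$oob"; do
            [ -s "$f" ] || { echo "missing or empty: $f"; return 1; }
        done
        if [ "$(wc -c < "$oob")" -le "$(wc -c < "$plain")" ]; then
            echo "mtd$n.oob is not larger than mtd$n"; return 1
        fi
    done
}

# Run the checks, then write a SHA256SUMS manifest next to the dumps.
seal_nand_backup() {
    check_nand_backup "$1" || return 1
    ( cd "$1" &&
      sha256sum mtd0 mtd1 mtd2 mtd0.oob mtd1.oob mtd2.oob > SHA256SUMS )
}

# Re-verify the dumps against the manifest, e.g. before attempting a restore.
# Exit status is 0 only if every file still matches its recorded checksum.
verify_nand_backup() {
    ( cd "$1" && sha256sum -c SHA256SUMS ) >/dev/null 2>&1
}

# Stand-alone use: sh nand-backup.sh /path/to/backup/directory
if [ "$#" -gt 0 ]; then
    seal_nand_backup "$1"
fi
```

Keep SHA256SUMS with the dumps, and run verify_nand_backup on the directory before you rely on them.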

Step 1: Prepare your USB drive

Plug the USB drive in your main computer and put the copies somewhere safe. While you're at it, copy any other files you care about off the drive now, because they are going to be erased. We can do this entire preparation step in fdisk, because all that matters is that the partitions are set. Our installer script is going to do the actual formatting. Or if it makes you more comfortable, use something like gparted.

Make sure you know which disk you need to erase! Fdisk is smart enough not to ruin disks that are already mounted, but you have to be careful. Also, fdisk doesn't actually commit the changes you make until the end, so don't worry about typos. If you mess up, just hit q and start over.

umount /dev/sdc1
fdisk /dev/sdc

At the fdisk prompt, type:

  • p to show your current partitions
  • d 1 to delete your first partition, and if necessary d 2, d 3, and so on
  • p again to make sure there are no partitions left
  • n for new partition, p for primary, 1 for partition 1, enter to accept the default starting point, and then +(size)M to size it. I used a 2 GB drive, so I put +1536M for 1.5 GB
  • n, p, 2, enter, enter to create a swap partition out of the rest. Ideally you won't need a swap partition at all (we're going to try to avoid it), but better safe than sorry.
  • t to change filesystem types, 2 for the second partition, and 82 for swap.
  • p one last time to make sure everything looks okay. Once again, fdisk hasn't done anything to the drive yet, so if you see a mistake, you can either start over or fix it if you know what needs to be done.
  • And finally, w to write the partition table to disk and exit.

Step 2: Install Debian!

Plug your newly formatted USB drive into your PogoPlug, then download and run the script that will install a different bootloader (U-Boot) and a minimal Debian system. This is a slightly modified version of Jeff Doozan's script, which only references the Seagate FreeAgent Dockstar but in fact runs fine on PogoPlugs. At his suggestion it pulls the U-Boot files from his site:

cd /tmp 
wget http://mehl.co/files/pogoplug-debian.sh 
chmod +x pogoplug-debian.sh 
export PATH=$PATH:/usr/sbin:/sbin 
./pogoplug-debian.sh

This will verify with you that you want to overwrite the bootloader, which of course is a dangerous operation. If your PogoPlug loses power for whatever reason while the bootloader is being replaced, you might end up with a brick. As long as you don't expect that to happen anytime soon, you'll be fine. After the script is finished, it will ask you if you want to reboot, so give it the go ahead. When it comes back up, it may have a different IP address, so check your router's list of DHCP clients again.

Note: if your PogoPlug reboots back into the default PogoPlug OS, then I'd recommend starting over: SSH in using the same root password, stop the hbwd process if it's running, download the script (I believe /tmp is mounted on a tmpfs, in which case it won't be there anymore), and run it again.

Step 3: Configure Debian

If it reboots into Debian, you should see a device named "debian" on your list of DHCP clients, and you can SSH in with user root, password root. Congratulations, you now have a fully-functional Debian-powered PogoPlug! Well, not quite fully-functional -- not if you want to actually use it for something other than a tiny, generic Linux machine. So let's make some modifications.

a.) Change the root password. Chances are you want to open this thing up to the Internet, and you aren't going to want "root" as your root password. So change it, simply using the command:

passwd

Now don't forget it! You might want to write it down just in case. If you forget it, I think you can just reboot the PogoPlug without the USB drive and it will go back to the PogoPlug OS. Obviously it is best if you don't forget.

b.) Change your hostname. This is actually easier in Debian than in other distributions in which I've done this. Execute the following commands:

echo "cool-hostname" > /etc/hostname
/etc/init.d/hostname.sh start

If you go around to other forums, you'll inevitably see somebody say that you need to change /etc/hosts as well. However, by default that does not contain your hostname directly. To be safe you can peek in there and make sure I'm telling the truth.

c.) Change your Debian mirror. Chances are you don't have the fastest one available for your location. You can either manually edit /etc/apt/sources.list, or you can let apt do all the work for you. Install and run netselect-apt, and it will find the fastest mirror and generate and install a sources.list for you.

apt-get install netselect-apt
netselect-apt

This works reasonably well, but at some point I had some issues with the selected mirror. I ended up using Debian's own server.

d.) Okay, at this point you'll want to get yourself a comfortable text editor. Plain vi can be really annoying, even for a relatively seasoned user of vim like myself. Fortunately for me, vim.tiny is already there! I didn't do anything for this step except make vim an alias to vim.tiny, but you may want to install nano, joe, a more featureful vim, or some other editor. While we're at it, let's add some other utilities to make our lives easier:

apt-get install vim-nox less man

When you're reading log files or the output of commands you'll want to pipe it through less, which is far more intuitive and comfortable than more. And of course you'll want to be able to check manpages, when a simple -h or --help won't cut it.

e.) Take a moment to configure bash, vim, etc. a little. Just because you're stuck on the command line doesn't mean you have to make it hard on yourself. Open up /root/.bashrc and uncomment some of the aliases as desired, or add new ones. At the very least you'll almost certainly want to uncomment the line that adds color to the output of ls, which is enormously helpful when you are exploring.

Don't have too much fun with this step, though, because ideally you won't be using root all too much. We'll hang out as root for a while longer since we're still closed to the world and we have work to do.

f.) Now that you can dig into some config files without tearing your hair out, give yourself a static IP address. Open up /etc/network/interfaces and simply comment out or delete this:

iface eth0 inet dhcp

then add something like this:

iface eth0 inet static 
address 192.168.0.20 
netmask 255.255.255.0 
broadcast 192.168.0.255 
gateway 192.168.0.1

You'll need a little information from your router for this one. Personally my network is 192.168.1.* (so I would change the third numbers that are zeros to ones), but my previous router was 192.168.2.*, and some routers are 192.168.0.*, as I showed above. The last number in address is pretty much up to you. Once again, I'm using DD-WRT on my router, and I have the DHCP server configured to give out addresses starting at 192.168.1.100, so when I want to give static IP addresses, I choose something between 2 and 99.

An alternative method is to define this in your router configuration itself, if supported. DD-WRT allows you to set up your DHCP server such that it always gives the same IP address to a particular MAC address. In general it's better to configure this on the client side, because waiting for the DHCP server to assign an IP address wastes time on startup. Obviously this won't matter so much because your PogoPlug is going to be on all the time, so it's up to you.

g.) Take it easy on your USB drive! Decrease swappiness to avoid most swapping, and move logs to a small tmpfs. You don't have a lot of memory to work with, but you can spare a few MB to avoid a great deal of writes to your flash drive. To decrease swappiness:

sysctl vm.swappiness=10

The default is 60, and you can apparently go as low as 0 and it'll avoid swapping until it absolutely has to. I haven't seen memory drop low enough that it needs to swap, so I'm happy with this setting for now.

h.) Okay, we're almost done for the day. So now let's add a user. The whole "security through obscurity" paradigm gets a lot of flak, but there's a reason the idea exists...it works most of the time. Once you've got a webserver up and running and open to attack, you'll almost certainly get probed by some bots that try to SSH in as root through port 22, because that's the default configuration. But if your SSH server doesn't allow root login, then would-be attackers would have to know or guess your username. On top of that, my router doesn't forward SSH traffic to my PogoPlug on the default port 22, so the would-be attacker would have to figure out on which port my router is sending SSH traffic to the PogoPlug. On top of that, you can configure your SSH server to only accept key-based authentication, so the hacker would have to either fake that somehow or gain access to one of your accounts that have SSH access.

adduser foobar

It will ask you to set a password and several other optional questions. Now exit out of your SSH session and try logging in as the non-root user. From now on you should use this user as your entry point, only switching to root when necessary. If you'd like to take this step even further, you can install sudo and set it up to give your user the ability to enter his own password to gain root privileges.

su root
apt-get install sudo
visudo

The visudo command is the only correct way to configure sudo. Add a line for your new user that is similar to the line for root:

foobar    ALL=(ALL) ALL

At this point, for extra security you can completely disable the root account. Even if you've done the above, this is optional. If you decided to go ahead with it, make sure you've set up sudo correctly! Give yourself a root shell like this:

sudo -s

It will ask you for the user password, after which you should have what looks like a root shell. The only difference is that you'll retain (most of) your user's environment. If that works, you can safely disable the root account thusly:

sudo passwd -l root
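
The SSH settings described at the start of this step (no root login, key-based authentication only) can be checked against the server's configuration file. The script below is an added example, not part of the original guide; the function names are assumptions, and it audits only the global section of the file, stopping at the first Match block.

```shell
#!/bin/sh
# Added example (not from the original guide): audit the global section of an
# sshd_config for root login and password-based authentication.

# Print the first global value of keyword $2 in file $1, or "unset".
# sshd keywords are case-insensitive and the first occurrence wins. Parsing
# stops at the first Match block, so conditional overrides are not audited.
sshd_value() {
    awk -v key="$2" '
        BEGIN { key = tolower(key); val = "unset" }
        { sub(/[ \t]*=[ \t]*/, " ") }          # accept "Keyword=value" too
        /^[ \t]*#/ || NF == 0 { next }
        tolower($1) == "match" { exit }
        tolower($1) == key && val == "unset" { val = tolower($2) }
        END { print val }
    ' "$1"
}

# Report keyword $2 in file $1 unless it is explicitly set to "no".
# An unset keyword is reported too, because its default depends on the
# OpenSSH version and on how the distribution built it.
require_no() {
    got=$(sshd_value "$1" "$2")
    [ "$got" = "no" ] && return 0
    echo "$2 is $got (want: no) - $3"
    return 1
}

# Print one finding per line; exit status is 0 only when there are none.
audit_sshd() {
    rc=0
    require_no "$1" PermitRootLogin "direct root logins are accepted" || rc=1
    require_no "$1" PasswordAuthentication "password logins are accepted" || rc=1
    # Keyboard-interactive (PAM) authentication can still prompt for a password.
    require_no "$1" ChallengeResponseAuthentication \
        "password prompts remain possible via PAM" || rc=1
    return $rc
}

# Stand-alone use: sh audit-sshd.sh /etc/ssh/sshd_config
if [ "$#" -gt 0 ]; then
    audit_sshd "$1"
fi
```

passwd -l locks only the root password; whether root can still log in over SSH with a key is decided by PermitRootLogin, which is why it is checked here.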

Well, that's it for now. We're not done configuring yet and we still have yet to make the PogoPlug do anything useful. In the next installment we'll configure SSH to improve security. In later installments we'll install and configure nginx and Nanoblogger, and hopefully other cool things beyond that.
