[SOLVED] How to ensure content access on LAN is absolutely only permitted on a certain device?

deNameMo

Reputable
Mar 19, 2019
38
5
4,535
I've built up an archive of documents, books, guides and templates from various archive and open directory sources and now want to tinker around with network storage further.

I've already set up a Samba share with the help of a Pi and a really neat guide.
Now I want to expand that share (or create something different) to allow my archived content to be accessed on my network.

Given that I scraped lots of archives and open dirs, I wouldn't be surprised that it may be possible there's some pirated book or document, although I don't know for certain.
Which is why I want to restrict access properly to only one (or two) specific devices.

What would be the proper way? Again, I want to make sure only I have access, since I don't know whether my archive may contain anything copyrighted and I'm not yet ready to go through hundreds and thousands of files every day to find out eventually :) or be unknowingly hosting/beaconing it publicly.
 
Do you really mean LAN? You do not plan any access from the internet?

Next this would imply you have people you do not trust in your house?

LAN is not really designed to be secure. People can in theory physically get to anything so most security can be bypassed.

You should be able to protect the shares with various forms of userid/password. I do not know what the Pi supports, but Samba itself supports very advanced security systems like Active Directory.

There is no easy way to lock it to a hardware device that has access. Things like MAC addresses can easily be changed. You would need some form of certificate; I know Active Directory supports this. I suspect there is some method to do this under Unix without using a Microsoft server. Best to just use userid and password; if someone was going to attempt to bypass that, they would just go over and take the physical drive and clone it and have everything.

deNameMo

Thanks, no, the device should not be accessible from the internet (the Pi is also running Pi-hole and the Samba share is configured locally as well).

No, people don't have physical access to the device or my room. I am just concerned over black-hat activities from around my room and perhaps accidental network intrusion via malware infestation from a different device which is connected to the internet (like my PC) on the network. I take care of security on each device, but you never know nowadays; Bitdefender and common sense will only get you so far.
 
A userid and password should be good enough for the file shares. This does not protect your machines if someone were to load a virus or malware on their machines that then attempts to hack yours.
This would be a very bad place to live because you could get your internet cancelled because of other people's actions. The best option is to buy your own internet connection; then you only have to worry about your own stuff. Nobody on the internet can hack you unless you do something like port forwarding.

Now you could also just place a router between your room and the rest of the house. Then you would be treating all those other people's machines like any other hacker on the internet. It does not protect you against getting the internet canceled though.
 
Solution
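An added example, not part of the thread and not Samba project code: a small Python check that reads smb.conf text and reports whether a share follows the userid/password advice above, with a host allow-list and required encryption as supplements. The share name `archive`, the account `archiveuser`, the path and the IP addresses are assumptions made up for illustration; the option names are standard smb.conf parameters.

```python
import configparser

# Constructed sample configs; share name, user and addresses are placeholders.
WEAK = """
[global]
map to guest = Bad User

[archive]
path = /srv/archive
guest ok = yes
"""

HARDENED = """
[global]
map to guest = Never
server min protocol = SMB3
smb encrypt = required

[archive]
path = /srv/archive
guest ok = no
valid users = archiveuser
hosts allow = 192.168.1.20 192.168.1.21
read only = yes
"""

def audit_share(conf_text, share):
    """Return a list of findings for one share in smb.conf text."""
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.read_string(conf_text)
    g = cp["global"] if cp.has_section("global") else {}
    s = cp[share]
    findings = []
    # Guest access means no userid/password is needed at all.
    if s.get("guest ok", "no").strip().lower() in ("yes", "true", "1"):
        findings.append("guest access enabled")
    # Without valid users, every Samba account on the server may connect.
    if not s.get("valid users", "").strip():
        findings.append("no valid users list: any Samba account can connect")
    # Address filtering is a supplement only; addresses can be changed.
    if not s.get("hosts allow", "").strip():
        findings.append("no hosts allow list: reachable from every LAN address")
    # Encryption keeps share traffic unreadable to other LAN hosts.
    if g.get("smb encrypt", "").strip().lower() not in ("required", "mandatory"):
        findings.append("SMB encryption not required")
    return findings
```

`audit_share(WEAK, "archive")` returns four findings and `audit_share(HARDENED, "archive")` returns none; the password-protected account remains the real control, as the answers say.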