Implementing Defense-in-Depth Framework on Orange Pi NAS Using Host-Based Security and ZFS
DOI: https://doi.org/10.30871/jaic.v10i1.11801
Keywords: Defense-in-Depth, NAS, Orange Pi, Debian
Abstract
Network-Attached Storage (NAS) based on low-cost Single Board Computers (SBCs) offers an affordable alternative to commercial storage systems, yet its exposure to network-based threats requires a robust, layered security approach. This research implements the Defense-in-Depth (DiD) framework on an Orange Pi-based NAS running Debian 12, integrating host-based security mechanisms and the ZFS file system to enhance data integrity, availability, and system resilience. The security layers include firewall restrictions, intrusion prevention with Fail2Ban, integrity monitoring using AIDE and rkhunter, system auditing with Lynis, and log analysis with Logwatch. Additionally, ZFS snapshots and the Sanoid retention policy are applied to provide rapid data recovery with minimal storage overhead. Experimental results show that all defense layers function effectively under testing scenarios such as brute-force attempts, unauthorized port access, file modification, and data deletion. ZFS snapshots successfully restore deleted or altered files, ensuring a minimal Recovery Point Objective (RPO) of one hour. System performance remained stable, with CPU usage averaging only 7.9% and memory usage at 33%, indicating that the DiD model is feasible even on low-resource SBC hardware. These findings demonstrate that a cost-efficient SBC-based NAS can achieve strong resilience against common cyber threats through layered security design and modern file system capabilities.
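The one-hour RPO stated in the abstract only holds while hourly snapshots keep being taken, so it is worth monitoring. The following check is an added example, not code from the paper: it reads the output of `zfs list -H -p -t snapshot -o name,creation` and reports every dataset whose newest snapshot is older than one hour. The pool, dataset and snapshot names and the timestamps in the sample are constructed.

```shell
#!/bin/sh
# Added example (not from the paper): flag datasets whose newest ZFS snapshot
# is older than the one-hour RPO stated in the abstract.
# Input format is that of: zfs list -H -p -t snapshot -o name,creation
# i.e. tab-separated lines "dataset@snapshot<TAB>creation-epoch-seconds".

RPO_SECONDS=3600

# stale_datasets NOW_EPOCH
# Reads the snapshot listing on stdin and prints one line per dataset that
# violates the RPO, as "dataset age_in_seconds", sorted by dataset name.
stale_datasets() {
    awk -F '\t' -v now="$1" -v rpo="$RPO_SECONDS" '
        {
            split($1, parts, "@")      # parts[1] = dataset, parts[2] = snapshot
            ds = parts[1]
            created = $2 + 0           # force numeric comparison
            if (!(ds in newest) || created > newest[ds]) newest[ds] = created
        }
        END {
            for (ds in newest) {
                age = now - newest[ds]
                if (age > rpo) printf "%s %d\n", ds, age
            }
        }' | sort
}

# Constructed sample listing; all names and timestamps are hypothetical.
sample_listing() {
    printf 'tank/share@autosnap_hourly_a\t1700000000\n'
    printf 'tank/share@autosnap_hourly_b\t1700003600\n'
    printf 'tank/backup@autosnap_hourly_a\t1699990000\n'
}

# Evaluate the sample at a fixed "now" so the result is reproducible.
# On a live system:
#   zfs list -H -p -t snapshot -o name,creation | stale_datasets "$(date +%s)"
check_sample() {
    sample_listing | stale_datasets 1700005000
}
```

Empty output means every dataset has a snapshot within the RPO window; any line printed is a dataset that could lose more than an hour of changes if it had to be rolled back now.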
License
Copyright (c) 2026 Muhammad Fatih Hady, Hafiyyan Putra Pratama

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.
Authors who publish with this journal agree to the following terms:
- Authors retain copyright and grant the journal right of first publication with the work simultaneously licensed under a Creative Commons Attribution License (Attribution-ShareAlike 4.0 International (CC BY-SA 4.0)) that allows others to share the work with an acknowledgement of the work's authorship and initial publication in this journal.
- Authors are able to enter into separate, additional contractual arrangements for the non-exclusive distribution of the journal's published version of the work (e.g., post it to an institutional repository or publish it in a book), with an acknowledgement of its initial publication in this journal.
- Authors are permitted and encouraged to post their work online (e.g., in institutional repositories or on their website) prior to and during the submission process, as it can lead to productive exchanges, as well as earlier and greater citation of published work (See The Effect of Open Access).








