At the university I work for, we make sure to DBAN all of our machines before they are sold off, for security reasons. We used to pull all the machines, put them in a pile, and go to each machine, plugging in a power cable and video cable, booting off a CD, then moving the CD and video cable to the next one. It took forever and was a pain. So I decided to make it easy to boot DBAN via PXE. All of our Windows machines reboot each night, and have PXE set as their first boot device. The night before we replace machines, I switch them to boot from the DBAN server, and by the time I get there in the morning, they are finished wiping.
This weekend, a buddy of mine needed to DBAN a huge pile of computers before donating them to needy people. After replicating the server I built at the university, we decided I should probably throw up a blog post about how to do it.
For this machine, I'm going to set up a local switch on a secondary Ethernet port so I can DBAN machines in my office. We'll need a DHCP server for the local network, and a TFTP server for both the local switch and the rest of the network.
To start, I installed Ubuntu 12.04 x64 on a machine. I did the default install, checking OpenSSH server at the end.
First, let's get the machine up to date, and install the software we need. We're going to use dnsmasq as our DHCP server (it has a very simple configuration) and tftpd-hpa for our TFTP server. dnsmasq has a built-in TFTP server, but as far as I could tell, you can't disable DHCP and not disable TFTP for an interface. While I'm pretty sure we have enough safeguards to prevent a rogue DHCP server from assigning addresses (and PXE files), I really don't want to be responsible for half our network getting DBANed.
First, we're going to set up dnsmasq. We're going to make a pool of addresses for the local network switch on eth1. We're going to set eth1 to a static address. I set my server name to dban-server, but you can adjust yours accordingly.
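A pre-flight check for the rogue-DHCP concern above, as an added example that is not part of the original post: it reads a dnsmasq config file and fails unless DHCP is confined to the wipe interface (eth1 here). The function name `check_dnsmasq_conf` and its strict treatment of `listen-address=` are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): refuse to go live unless
# dnsmasq is confined to the isolated wipe interface.
# Usage: check_dnsmasq_conf /etc/dnsmasq.conf eth1

check_dnsmasq_conf() {
    conf=$1; allowed=$2; rc=0
    # Drop comments, surrounding whitespace and blank lines.
    lines=$(sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$conf" | grep -v '^$')

    # With no interface= line at all, dnsmasq serves every interface.
    ifaces=$(printf '%s\n' "$lines" | sed -n 's/^interface=//p' | tr ',' '\n')
    if [ -z "$ifaces" ]; then
        echo "FAIL: no interface= line; DHCP would be offered on every interface"
        rc=1
    fi
    for i in $ifaces; do
        if [ "$i" != "$allowed" ]; then
            echo "FAIL: interface=$i is not the wipe network ($allowed)"
            rc=1
        fi
    done

    # listen-address= adds to the interface= set, so it can widen the scope.
    if printf '%s\n' "$lines" | grep -q '^listen-address='; then
        echo "FAIL: listen-address= present; it extends where dnsmasq answers"
        rc=1
    fi

    # tftpd-hpa owns TFTP in this setup; dnsmasq's own TFTP should stay off.
    if printf '%s\n' "$lines" | grep -q '^enable-tftp'; then
        echo "FAIL: enable-tftp is set, but tftpd-hpa is the TFTP server here"
        rc=1
    fi

    # Not a safety problem, but nothing will PXE boot without a pool.
    if ! printf '%s\n' "$lines" | grep -q '^dhcp-range='; then
        echo "WARN: no dhcp-range= line; no addresses will be handed out"
    fi

    [ "$rc" -eq 0 ] && echo "OK: DHCP limited to $allowed"
    return "$rc"
}
```

Run it against the config before plugging the server's primary interface into the production network; a non-zero exit status means the file needs another look.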
Now, we need to set up tftpd-hpa for both interfaces. I was having problems with the tftp server starting up on boot. The included upstart script seemed to start up before networking was ready, and then it would fail. So we'll fix that up, and the default config file (/etc/default/tftpd-hpa) will work just fine.
Finally, we need to install the bootable files into /var/lib/tftpboot, the default place tftpd-hpa looks for PXE files. We'll download DBAN, extract the files, and put the standard PXE files into the directory to make booting work.
There we go. Plug a machine or a switch into eth1, boot it up, set it to boot from the network, and the drives will be erased shortly!