Please help me configure and secure my Ubuntu-based combined home file server/public web server/VNC server!
October 7, 2011 3:20 PM

Please help me configure and secure my Ubuntu-based combined home file server/public web server/VNC server! I am building a low-ish power home file server, which will likely run Ubuntu 11.04 or 11.10 (possibly server edition), and I should be able to set up a basic samba share easily enough. But I would also like to use the same computer to serve a few basic webpages, and I would like to provide ssh and ideally VNC or RDP-like access from outside the LAN. I can probably get the basic software set up, but I'm a n00b when it comes to NAT stuff, firewalls, and security issues generally. I would also appreciate help with setting up dynamic DNS.

My primary goals are, in order of priority: (1) to have my personal files stored centrally on a machine I physically and logically control at home; (2) to have those files accessible by me (and only me) from anywhere (and accessible without authentication by anyone on my home LAN); (3) to host low-traffic, personal, non-commercial, publicly accessible websites on my own server; and (4) to be able to remote into the server via VNC, RDP, or some similar method/protocol - all to the extent I can do so without opening myself to significant data security risks. I'd also love to host my own mail/SMTP server at some point, but I don't plan on tackling that anytime soon.

To achieve goal (1), I was planning on setting up a dedicated HDD (possibly a RAID array, but I'm leaning toward just rsync-ing the primary HDD nightly to another disk) as a samba share with no authentication. That should be accessible by the five Windows computers in our household and any other computer on our LAN. This setup should be fairly straightforward (though I welcome comments on any common pitfalls).

To complete goal (2), I plan to configure ssh to allow limited users access from outside the LAN, which would allow sftp or scp. I currently have ssh access to a NAS box at home, which I accomplished by forwarding port 22 to the NAS. I initially plan to replace the NAS with this new server, and simply continue to have port 22 forwarded, but am not well educated on the security risks of doing so (though I haven't experienced any problems so far - that I know of). The challenge is with DNS: I don't have a static IP address WAN-side, so I need to find a way to do dynamic DNS. See also Goal 3:

Goal (3) is where I start having real trouble. Given a static IP address, I can configure apache and just fine, and I've been using the free ZoneEdit for DNS for websites hosted on a server with a static IP address. But I'd like to get rid of that server account and move everything to a home server, and (a) I don't have a static IP address WAN-side, (b) I don't know anything about setting up dynamic DNS updating on the server, (c) I don't know how a dynamic IP address will affect the apache config (is listening on ports 80 and 443 enough? do I have to mess with the hosts file?), and (d) I have no idea what security risks I will face running apache on a home webserver with ports 80/443 forwarded to it. Any good suggestions or links for dynamic DNS (preferably free), and how to get it to work locally? I am happy to use DNS services like ZoneEdit, and do not need to run my own DNS (or do I??). Do I have to do anything with BIND? Because I don't understand BIND at all. Or DNS generally, really. Websites are very low-traffic and non-commercial. I currently have four domain names I use.

Goal (4): I assume I can install OpenVPN and use TightVNC, xrdp, ThinLinc, or something similar that does not go through a fixed third-party server or require subscription. Ideal solution would be something with a portable client that I could run from my work computer, on which I have very limited privileges (but I can run PortableApps apps, for example). I've never set up anything like these programs, but I can probably get through it. But to the extent I need to tunnel them through ssh, I don't know how to do that at all. Is that set up in the VNC/rdp config file (e.g., by just setting an option flag to use ssh)? Or is it more complicated than that? And will I run into NAT issues? I would rather not use something like Hamachi that requires an account on a proprietary server elsewhere. Any good suggestions for what to use? Know of any good tutorials? The more functionality the better: I'd love to be able to transfer files, remote audio playback, mouse/keyboard integration, etc.

Security concerns: the server will be directly connected to a D-Link DIR-655 router, which currently has near-default security settings (it is password protected, with web admin disabled, but that's about it). I have no other firewall or security hardware. Do I need to set up a firewall on the Ubuntu server? Suggestions on which one to use, and how to set it up? For what it's worth, I've not been able to make sense of any iptables documentation, so I'll need a dummy's guide to anything like that. Other security measures I need to take, e.g., beefing up the /etc/hosts file or running other protective software?

The hardware I have for the server should be adequate for my needs: I got an AMD E-350 APU (mobo) with 8 Gb DDR3 RAM, which should be plenty of CPU and more than enough memory. If I run linux, I'll probably set up a large, dedicated swap partition. I'll be running the OS on a separate HDD from the shared drives to minimize wear to the shared drives. The server will be connected to the LAN through a gigabit connection to the router.

As far as software is concerned, I am much more comfortable with linux than Windows for server-related functions (and Ubuntu more than other distros), and Ubuntu is free, so I am inclined to run some version of Ubuntu, but I am open to other suggestions, e.g., if running WHS with a virtualized linux webserver, say, is a vastly superior option for some reason.

A couple of limitations: I cannot have a separate, dedicated web server (whether in a DMZ or otherwise) - Comcast's terms of service for our home internet service prohibit running a dedicated web server, but I believe they do not forbid serving non-commercial web pages from a machine not solely dedicated to that purpose. Additionally, I would rather not incur the expense of building an additional server. So if possible, I would like to keep the web server on the same machine as the file server. Finally, I am a lawyer with no formal CS training or education, and have no real understanding of routing, TCP/IP, DNS, or the general operation of the intarwebs. As far as I know, "packets" are what ketchup (or catsup) come in. So while I can navigate the linux command line, I'm a dummy when it comes to the important stuff.

Do you have any security tips for me or good links that a n00b like me can make sense of? Suggestions for remote access packages, or for how to configure them for security and ease of use? Any pointers or pitfalls to watch for in setting up a webserver on a machine that also holds all my important personal data? Am I crazy to even try? And, of course, much of this may depend on me getting a dynamic DNS system set up, so I would greatly appreciate tips or suggestions in that arena.

Thanks in advance for your help!
posted by dilettanti to Computers & Internet (6 answers total) 6 users marked this as a favorite
 
Best answer: 1. Yes, Samba will do just that. It's not hard to set up.
2. Yes, you can just forward SSH to your new box as you did your NAS. The usual security pitfalls apply here (as they do for anything public-facing): security updates, proper permissions, strong passwords, don't leak usernames, etc. I recommend installing the fail2ban package which will detect brute-forcing attacks (by watching the openssh log) and temporarily block that IP. It works very well. Dynamic DNS is easy through various free services like dyndns. All you do is run the client on your server (or, preferably, router) and it'll post your new IP to the dynamic dns server. Many routers can do this right out of the box. The end result is that you'll be able to hit "myservername.dyndns.org" and it'll always resolve to your current IP.
3. Forward port 80 to your server and plug your "myservername.dyndns.org" name into the apache config. It'll just work. Getting SSL to work will be impossible this way unless you want to self-sign your certificate (fine for home use, but don't expect your average user to understand the warnings their browser will throw at them). (This is because the certificate signatures are based on your domain name and no one will sign a "dyndns.org" subdomain for you because you can't prove you own the "dyndns.org" root.)
4. You can use OpenVPN, but it's a bit of a metric pain in the ass to set up if you've never done it before. The simplest solution is honestly using SSH tunneling and then an insecure protocol like RDP. (That is, you SSH to your home server, tell SSH to forward RDP traffic from your machine to the remote server, then launch RDP and connect to localhost.)

Re your current skill set, you're just going to have to wade through it. Start with something that works turn-key: install the package "openssh-server" and try to ssh to your computer from another one within the same network. Then port forward and try it from outside. Then try getting the Apache default home page working on the local network. Then port forward... oh, you get the idea.

Security-wise, don't put anything important on the server or on your network until you really understand the potential problems. Just SSH server is pretty darned safe (again, good passwords or certificate-only logins, don't allow root to ssh in, etc.). Plain Apache is pretty safe. But as soon as you start dropping in web pages that allow people to upload things, browse files, etc., you're potentially opening up your entire network if you do something wrong.

If you have specific questions, I'll try to answer what I can. Post here or memail me.
posted by introp at 3:33 PM on October 7, 2011 [1 favorite]
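
Added example (not part of introp's answer or any project's code): a small shell check for the sshd settings the answer names, root login disabled and key-only logins. The function names and the sample config are constructed for illustration.

```sh
#!/bin/sh
# Added example: check an sshd_config against the advice in the answer
# (no root logins, ideally key-only). The sample file is constructed.

# Print the global value of KEYWORD, or "unset". sshd keeps the first
# occurrence of a keyword, ignores its case, and treats everything after
# a Match line as conditional, so parsing stops there.
sshd_value() {   # usage: sshd_value FILE KEYWORD
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*(#|$)/ { next }
        { sub(/=/, " ") }                 # "Keyword=value" is also legal
        tolower($1) == "match" { exit }
        tolower($1) == key { print tolower($2); found = 1; exit }
        END { if (!found) print "unset" }' "$1"
}

# Report on the two settings; return non-zero if root can still log in.
audit_sshd() {   # usage: audit_sshd FILE
    rc=0
    root=$(sshd_value "$1" PermitRootLogin)
    pass=$(sshd_value "$1" PasswordAuthentication)
    if [ "$root" = no ]; then
        echo "ok: root cannot log in over ssh"
    else
        echo "fix: PermitRootLogin is '$root'; set it to 'no'"
        rc=1
    fi
    if [ "$pass" = no ]; then
        echo "ok: key-only logins"
    else
        echo "note: PasswordAuthentication is '$pass'; keep passwords strong"
    fi
    return $rc
}

# Demo on a constructed config fragment.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sshd_config fragment
Port 22
PermitRootLogin yes
PasswordAuthentication yes
EOF
audit_sshd "$sample" || echo "audit found something to fix"
rm -f "$sample"
```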


When I saw your question with only one answer, I thought "awww, I should add my crappy two cents". After seeing introp's answer I knew metafilter never fails!

I'd add: check out noip or freedns.

These things are a pain in the ass, and the only way to really learn is by doing them, that is part of the fun!

/in the midst of getting my home AWESOME server rocking....if only freenas would cooperate with everything
posted by handbanana at 9:27 PM on October 7, 2011


Response by poster: Thanks to both of you - just what I was hoping for. I will definitely check out fail2ban, and will try ssh tunneling before going the VPN route. I have my own domain names, so it looks like I may have to pay for dynamic DNS, but introp's mention of router updating, I checked, and my router can do dynamic DNS updates as long as it's a sign-on update (rather than a URL update) system. So that should limit my DNS options - which makes decisions easier, I suppose. And I will look at noip and freedns along with DynDNS. Thanks very much!

I'd say I'd post back when I get a few things tested, but it looks like I'll be slammed at work for awhile, and I seem to have a problem with my OS drive - my initial build won't boot from the drive after an Ubuntu install, even though the mobo posts and will boot from the live USB drive. So I have some troubleshooting to do before I get to worry about DNS, setting up samba shares, etc.
posted by dilettanti at 10:20 AM on October 8, 2011


As a side tip: consider installing a free virtualization system (VMware server, VirtualBox, etc.) and install a guest Linux OS within it. Monkey inside there. Once it all works, go deploy the same config files on a real server. I find that being able to roll back changes at the click of a button, etc., is really handy when monkeying with new things. YMMV
posted by introp at 10:41 PM on October 8, 2011


Response by poster: Interim update - I have managed to get things working up through goal (3) above. A few notes:

For some reason, Ubuntu didn't install grub correctly (may be related to the motherboard/CPU), so I had to reinstall grub by chrooting in from a live cd. Once I got that fixed, the server would actually boot. The samba share was easy enough to set up - the key was to set 'security = user' in the smb.conf file, but also to set 'guest = ok' for the share and to 'chown nobody.nogroup' the whole share (most of the how-to websites I saw left out that last step). Now anyone on the LAN can read/write files to the share, and any files written will be owned by the same user (so no permissions problems), but nobody logged into the server through ssh can change the files without root privileges.

DNS problems were solved by registering an account at DNS-O-Matic. My router won't update ZoneEdit directly, but it will update the DNS-O-Matic information, which in turn updates ZoneEdit (selectively - I only have one domain name pointing to my home router right now for testing purposes). I can now access the server via ssh to my domain name. So DNS-O-Matic is my new favorite website of the week.

Because I got the DNS sorted out, all I have left to do is find an easy RDP/VNC/etc solution for remote desktop access. I'm hoping I can find something with a portable client I can run at work off of a USB drive. Now that the server is set up, I can start to test server/client pairs.

AND, I took introp's advice and have not put anything important on the server yet (the samba share is empty), so if I leave some security hole gaping wide open, I don't stand to lose much. Yay!
posted by dilettanti at 10:14 PM on October 9, 2011


Response by poster: I guess I'll mark this as "mostly" resolved. I got everything working but a good remote desktop option. For some reason, I couldn't get ThinLinc installed at all, freenx evidently doesn't work with more recent versions of Ubuntu, TightVNC and other free VNC options don't do remote audio as far as I can tell, and neither does RDP as implemented in Ubuntu. I did get x2go working, though it's a bit spotty (and the client isn't fully portable), and x11vnc works very well - except that you have to select the resolution of the remote desktop in the script that runs on the server, and high-resolution instances are very laggy and slow. Still, I can tunnel a VNC connection through ssh, so I've got it working reasonably well. I'm not sure I'll be able to make remote access easy enough for other users to use it regularly, but it's close enough. Thanks again for the fail2ban rec - exactly what I needed.
posted by dilettanti at 4:36 PM on November 7, 2011
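
Added example (not from the thread and not fail2ban's own code): the kind of per-address counting of failed ssh logins that fail2ban automates before it blocks an address. The function names, thresholds and log lines are constructed, and the window logic assumes a single day of log.

```sh
#!/bin/sh
# Added example: the per-address counting that fail2ban automates.
# Log lines below are constructed; addresses are documentation ranges.

# Print each source address with at least MAX failed ssh password
# attempts inside any WINDOW-second span (assumes one day of log).
find_bruteforce() {   # usage: find_bruteforce LOGFILE MAX WINDOW
    awk -v max="$2" -v window="$3" '
        /sshd\[[0-9]+\]: Failed password for / {
            # The user name is attacker-supplied, so read the address
            # from the fixed tail: "... from ADDR port N ssh2".
            if ($(NF-4) != "from" || $(NF-2) != "port") next
            ip = $(NF-3)
            split($3, t, ":"); now = t[1]*3600 + t[2]*60 + t[3]
            n[ip]++; when[ip, n[ip]] = now
            hits = 0
            for (j = n[ip]; j >= 1 && now - when[ip, j] <= window; j--) hits++
            if (hits >= max && !(ip in flagged)) { flagged[ip] = 1; print ip }
        }' "$1"
}

# Constructed auth.log excerpt: one slow source, one burst, one typo.
sample_log() {
    cat <<'EOF'
Oct  7 09:00:00 server sshd[1001]: Failed password for alice from 198.51.100.7 port 51000 ssh2
Oct  7 11:00:00 server sshd[1002]: Failed password for alice from 198.51.100.7 port 51001 ssh2
Oct  7 13:00:00 server sshd[1003]: Failed password for alice from 198.51.100.7 port 51002 ssh2
Oct  7 15:20:01 server sshd[1004]: Failed password for root from 203.0.113.5 port 40001 ssh2
Oct  7 15:20:04 server sshd[1005]: Failed password for invalid user admin from 203.0.113.5 port 40002 ssh2
Oct  7 15:20:09 server sshd[1006]: Failed password for invalid user test from 203.0.113.5 port 40003 ssh2
Oct  7 16:00:00 server sshd[1007]: Failed password for alice from 192.0.2.9 port 52000 ssh2
Oct  7 16:00:20 server sshd[1008]: Accepted password for alice from 192.0.2.9 port 52001 ssh2
EOF
}

# Three failures within ten minutes: only the burst is reported.
sample_log | find_bruteforce - 3 600
```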

