Please help me configure and secure my Ubuntu-based combined home file server/public web server/VNC server!

I am building a low-ish power home file server, which will likely run Ubuntu 11.04 or 11.10 (possibly server edition), and I should be able to set up a basic samba share easily enough. But I would also like to use the same computer to serve a few basic webpages, and I would like to provide ssh and ideally VNC or RDP-like access from outside the LAN. I can probably get the basic software set up, but I'm a n00b when it comes to NAT stuff, firewalls, and security issues generally. I would also appreciate help with setting up dynamic DNS.
My primary goals are, in order of priority: (1) to have my personal files stored centrally on a machine I physically and logically control at home; (2) to have those files accessible by me (and only me) from anywhere (and accessible without authentication by anyone on my home LAN); (3) to host low-traffic, personal, non-commercial, publicly accessible websites on my own server; and (4) to be able to remote into the server via VNC, RDP, or some similar method/protocol - all to the extent I can do so without opening myself to significant data security risks. I'd also love to host my own mail/SMTP server at some point, but I don't plan on tackling that anytime soon.
To achieve goal (1), I was planning on setting up a dedicated HDD (possibly a RAID array, but I'm leaning toward just rsync-ing the primary HDD nightly to another disk) as a samba share with no authentication. That should be accessible by the five Windows computers in our household and any other computer on our LAN. This setup should be fairly straightforward (though I welcome comments on any common pitfalls).
To complete goal (2), I plan to configure ssh to allow limited users access from outside the LAN, which would allow sftp or scp. I currently have ssh access to a NAS box at home, which I accomplished by forwarding port 22 to the NAS. I initially plan to replace the NAS with this new server, and simply continue to have port 22 forwarded, but am not well educated on the security risks of doing so (though I haven't experienced any problems so far - that I know of). The challenge is with DNS: I don't have a static IP address WAN-side, so I need to find a way to do dynamic DNS. See also Goal 3:
Goal (3) is where I start having real trouble. Given a static IP address, I can configure apache and just fine, and I've been using the free ZoneEdit for DNS for websites hosted on a server with a static IP address. But I'd like to get rid of that server account and move everything to a home server, and (a) I don't have a static IP address WAN-side, (b) I don't know anything about setting up dynamic DNS updating on the server, (c) I don't know how a dynamic IP address will affect the apache config (is listening on ports 80 and 443 enough? do I have to mess with the hosts file?), and (d) I have no idea what security risks I will face running apache on a home webserver with ports 80/443 forwarded to it. Any good suggestions or links for dynamic DNS (preferably free), and how to get it to work locally? I am happy to use DNS services like ZoneEdit, and do not need to run my own DNS (or do I??). Do I have to do anything with BIND? Because I don't understand BIND at all. Or DNS generally, really. Websites are very low-traffic and non-commercial. I currently have four domain names I use.
Goal (4): I assume I can install OpenVPN and use TightVNC, xrdp, ThinLinc, or something similar that does not go through a fixed third-party server or require subscription. Ideal solution would be something with a portable client that I could run from my work computer, on which I have very limited privileges (but I can run PortableApps apps, for example). I've never set up anything like these programs, but I can probably get through it. But to the extent I need to tunnel them through ssh, I don't know how to do that at all. Is that set up in the VNC/rdp config file (e.g., by just setting an option flag to use ssh)? Or is it more complicated than that? And will I run into NAT issues? I would rather not use something like Hamachi that requires an account on a proprietary server elsewhere. Any good suggestions for what to use? Know of any good tutorials? The more functionality the better: I'd love to be able to transfer files, remote audio playback, mouse/keyboard integration, etc.
Security concerns: the server will be directly connected to a D-Link DIR-655 router, which currently has near-default security settings (it is password protected, with web admin disabled, but that's about it). I have no other firewall or security hardware. Do I need to set up a firewall on the Ubuntu server? Suggestions on which one to use, and how to set it up? For what it's worth, I've not been able to make sense of any iptables documentation, so I'll need a dummy's guide to anything like that. Other security measures I need to take, e.g., beefing up the /etc/hosts file or running other protective software?
The hardware I have for the server should be adequate for my needs: I got an AMD E-350 APU (mobo) with 8 Gb DDR3 RAM, which should be plenty of CPU and more than enough memory. If I run linux, I'll probably set up a large, dedicated swap partition. I'll be running the OS on a separate HDD from the shared drives to minimize wear to the shared drives. The server will be connected to the LAN through a gigabit connection to the router.
As far as software is concerned, I am much more comfortable with linux than Windows for server-related functions (and Ubuntu more than other distros), and Ubuntu is free, so I am inclined to run some version of Ubuntu, but I am open to other suggestions, e.g., if running WHS with a virtualized linux webserver, say, is a vastly superior option for some reason.
A couple of limitations: I cannot have a separate, dedicated web server (whether in a DMZ or otherwise) - Comcast's terms of service for our home internet service prohibit running a dedicated web server, but I believe they do not forbid serving non-commercial web pages from a machine not solely dedicated to that purpose. Additionally, I would rather not incur the expense of building an additional server. So if possible, I would like to keep the web server on the same machine as the file server. Finally, I am a lawyer with no formal CS training or education, and have no real understanding of routing, TCP/IP, DNS, or the general operation of the intarwebs. As far as I know, "packets" are what ketchup (or catsup) come in. So while I can navigate the linux command line, I'm a dummy when it comes to the important stuff.
Do you have any security tips for me or good links that a n00b like me can make sense of? Suggestions for remote access packages, or for how to configure them for security and ease of use? Any pointers or pitfalls to watch for in setting up a webserver on a machine that also holds all my important personal data? Am I crazy to even try? And, of course, much of this may depend on me getting a dynamic DNS system set up, so I would greatly appreciate tips or suggestions in that arena.
Thanks in advance for your help!
2. Yes, you can just forward SSH to your new box as you did your NAS. The usual security pitfalls apply here (as they do for anything public-facing): security updates, proper permissions, strong passwords, don't leak usernames, etc. I recommend installing the fail2ban package which will detect brute-forcing attacks (by watching the openssh log) and temporarily block that IP. It works very well. Dynamic DNS is easy through various free services like dyndns. All you do is run the client on your server (or, preferably, router) and it'll post your new IP to the dynamic dns server. Many routers can do this right out of the box. The end result is that you'll be able to hit "myservername.dyndns.org" and it'll always resolve to your current IP.
3. Forward port 80 to your server and plug your "myservername.dyndns.org" name into the apache config. It'll just work. Getting SSL to work will be impossible this way unless you want to self-sign your certificate (fine for home use, but don't expect your average user to understand the warnings their browser will throw at them). (This is because the certificate signatures are based on your domain name and no one will sign a "dyndns.org" subdomain for you because you can't prove you own the "dyndns.org" root.)
4. You can use OpenVPN, but it's a bit of a metric pain in the ass to set up if you've never done it before. The simplest solution is honestly using SSH tunneling and then an insecure protocol like RDP. (That is, you SSH to your home server, tell SSH to forward RDP traffic from your machine to the remote server, then launch RDP and connect to localhost.)
Re your current skill set, you're just going to have to wade through it. Start with something that works turn-key: install the package "openssh-server" and try to ssh to your computer from another one within the same network. Then port forward and try it from outside. Then try getting the Apache default home page working on the local network. Then port forward... oh, you get the idea.
Security-wise, don't put anything important on the server or on your network until you really understand the potential problems. Just SSH server is pretty darned safe (again, good passwords or certificate-only logins, don't allow root to ssh in, etc.). Plain Apache is pretty safe. But as soon as you start dropping in web pages that allow people to upload things, browse files, etc., you're potentially opening up your entire network if you do something wrong.
If you have specific questions, I'll try to answer what I can. Post here or memail me.
posted by introp at 3:33 PM on October 7, 2011 [1 favorite]
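
The SSH settings the answer above relies on (no root logins, key-only versus password logins, and the port forwarding that the RDP-over-SSH tunnel in point 4 needs), checked by a small shell script. This is an added example, not part of the original post; the function names, the "user" account and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit an sshd_config for the settings discussed in the answer.

# Print the effective global value of a keyword. sshd uses the FIRST occurrence
# of a keyword, keywords are case-insensitive, and everything after a "Match"
# line is conditional, so the scan for global settings stops there.
sshd_setting() {  # usage: sshd_setting FILE KEYWORD DEFAULT
    awk -v key="$2" -v def="$3" '
        NF == 0 || $1 ~ /^#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { val = tolower($2); found = 1; exit }
        END { print (found ? val : def) }
    ' "$1"
}

audit_sshd() {  # usage: audit_sshd FILE ; exit status = number of FAIL findings
    fails=0
    root=$(sshd_setting "$1" PermitRootLogin unset)
    pw=$(sshd_setting "$1" PasswordAuthentication yes)
    fwd=$(sshd_setting "$1" AllowTcpForwarding yes)
    if [ "$root" = no ]; then echo "OK   PermitRootLogin no"
    else echo "FAIL PermitRootLogin $root (set it to no explicitly)"; fails=$((fails + 1)); fi
    if [ "$pw" = no ]; then echo "OK   PasswordAuthentication no (key-only logins)"
    else echo "WARN PasswordAuthentication $pw (needs strong passwords and fail2ban)"; fi
    # The tunnel from point 4 would be (user is a placeholder account):
    #   ssh -N -L 3389:localhost:3389 user@myservername.dyndns.org
    # after which the RDP client connects to localhost:3389.
    case "$fwd" in
        yes|all|local) echo "OK   AllowTcpForwarding $fwd (ssh -L tunnel allowed)" ;;
        *) echo "FAIL AllowTcpForwarding $fwd (ssh -L tunnel refused)"; fails=$((fails + 1)) ;;
    esac
    return "$fails"
}

# Constructed sample config (not from the page): root login is still enabled,
# and the forwarding restriction only applies inside a Match block.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample
PermitRootLogin yes
PasswordAuthentication yes
Match User backup
    AllowTcpForwarding no
EOF
audit_sshd "$sample" || echo "$? finding(s) to fix"
rm -f "$sample"
```

On a real server, point audit_sshd at /etc/ssh/sshd_config; settings inside Match blocks are deliberately not evaluated and need a separate look.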