Please help me configure and secure my Ubuntu-based combined home file server/public web server/VNC server! I am building a low-ish power home file server, which will likely run Ubuntu 11.04 or 11.10 (possibly server edition), and I should be able to set up a basic samba share easily enough. But I would also like to use the same computer to serve a few basic webpages, and I would like to provide ssh and ideally VNC or RDP-like access from outside the LAN. I can probably get the basic software set up, but I'm a n00b when it comes to NAT stuff, firewalls, and security issues generally. I would also appreciate help with setting up dynamic DNS.
My primary goals are, in order of priority: (1) to have my personal files stored centrally on a machine I physically and logically control at home; (2) to have those files accessible by me (and only me) from anywhere (and accessible without authentication by anyone on my home LAN); (3) to host low-traffic, personal, non-commercial, publicly accessible websites on my own server; and (4) to be able to remote into the server via VNC, RDP, or some similar method/protocol - all to the extent I can do so without opening myself to significant data security risks. I'd also love to host my own mail/SMTP server at some point, but I don't plan on tackling that anytime soon.
To achieve goal (1)
, I was planning on setting up a dedicated HDD (possibly a RAID array, but I'm leaning toward just rsync-ing the primary HDD nightly to another disk) as a samba share with no authentication. That should be accessible by the five Windows computers in our household and any other computer on our LAN. This setup should be fairly straightforward (though I welcome comments on any common pitfalls).
To complete goal (2)
, I plan to configure ssh to allow limited users access from outside the LAN, which would allow sftp or scp. I currently have ssh access to a NAS box at home, which I accomplished by forwarding port 22 to the NAS. I initially plan to replace the NAS with this new server, and simply continue to have port 22 forwarded, but am not well educated on the security risks of doing so (though I haven't experienced any problems so far - that I know of). The challenge is with DNS: I don't have a static IP address WAN-side, so I need to find a way to do dynamic DNS. See also Goal 3:
is where I start having real trouble. Given a static IP address, I can configure apache and just fine, and I've been using the free ZoneEdit
for DNS for websites hosted on a server with a static IP address. But I'd like to get rid of that server account and move everything to a home server, and (a) I don't have a static IP address WAN-side, (b) I don't know anything about setting up dynamic DNS updating on the server, (c) I don't know how a dynamic IP address will affect the apache config (is listening on ports 80 and 443 enough? do I have to mess with the hosts file?), and (d) I have no idea what security risks I will face running apache on a home webserver with ports 80/443 forwarded to it. Any good suggestions or links for dynamic DNS (preferably free), and how to get it to work locally? I am happy to use DNS services like ZoneEdit, and do not need to run my own DNS (or do I??). Do I have to do anything with BIND? Because I don't understand BIND at all. Or DNS generally, really. Websites are very low-traffic and non-commercial. I currently have four domain names I use.
: I assume I can install OpenVPN
and use TightVNC
, or something similar that does not go through a fixed third-party server or require subscription. Ideal solution would be something with a portable client that I could run from my work computer, on which I have very limited privileges (but I can run PortableApps apps, for example). I've never set up anything like these programs, but I can probably get through it. But to the extent I need to tunnel them through ssh, I don't know how to do that at all. Is that set up in the VNC/rdp config file (e.g., by just setting an option flag to use ssh)? Or is it more complicated than that? And will I run into NAT issues? I would rather not use something like Hamachi that requires an account on a proprietary server elsewhere. Any good suggestions for what to use? Know of any good tutorials? The more functionality the better: I'd love to be able to transfer files, remote audio playback, mouse/keyboard integration, etc.
Security concerns: the server will be directly connected to a D-Link DIR-655 router, which currently has near-default security settings (it is password protected, with web admin disabled, but that's about it). I have no other firewall or security hardware. Do I need to set up a firewall on the Ubuntu server? Suggestions on which one to use, and how to set it up? For what it's worth, I've not been able to make sense of any iptables documentation, so I'll need a dummy's guide to anything like that. Other security measures I need to take, e.g., beefing up the /etc/hosts file or running other protective software?
The hardware I have for the server should
be adequate for my needs: I got an AMD E-350 APU (mobo
) with 8 Gb DDR3 RAM, which should be plenty of CPU and more than enough memory. If I run linux, I'll probably set up a large, dedicated swap partition. I'll be running the OS on a separate HDD from the shared drives to minimize wear to the shared drives. The server will be connected to the LAN through a gigabit connection to the router.
As far as software is concerned, I am much more comfortable with linux than Windows for server-related functions (and Ubuntu more than other distros), and Ubuntu is free, so I am inclined to run some version of Ubuntu, but I am open to other suggestions, e.g., if running WHS with a virtualized linux webserver, say, is a vastly superior option for some reason.
A couple of limitations: I cannot have a separate, dedicated web server (whether in a DMZ or otherwise) - Comcast's terms of service for our home internet service prohibit running a dedicated web server, but I believe they do not forbid serving non-commercial web pages from a machine not solely dedicated to that purpose. Additionally, I would rather not incur the expense of building an additional server. So if possible, I would like to keep the web server on the same machine as the file server. Finally, I am a lawyer with no formal CS training or education, and have no real understanding of routing, TCP/IP, DNS, or the general operation of the intarwebs. As far as I know, "packets" are what ketchup (or catsup) come in. So while I can navigate the linux command line, I'm a dummy when it comes to the important stuff.
Do you have any security tips for me or good links that a n00b like me can make sense of? Suggestions for remote access packages, or for how to configure them for security and ease of use? Any pointers or pitfalls to watch for in setting up a webserver on a machine that also holds all my important personal data? Am I crazy to even try? And, of course, much of this may depend on me getting a dynamic DNS system set up, so I would greatly appreciate tips or suggestions in that arena.
Thanks in advance for your help!