Setting up a world accessible server at home
|
Author | Content |
---|---|
jimbauwens Jan 18, 2011 4:44 AM EDT |
In a sudden change of fortune, I managed to get a business internet pack at my home.
Since it is made for little businesses, I'm allowed to set up a web server and a mail server (and allot more).
We have 1TiB of bandwidth, so this is enough to have a decent webserver.
My server hardware is an Asus P5B deluxe motherboard, with a core 2 duo processor (can be overclocked to 3.6Ghz), and 6GiB of ram.
For storage I am planning to put 2x 500GiB in raid(1). This will be enough for the beginning, as I can always add more later. I was thinking to do my software setup like this: Ubuntu 10.04LTS Server: What do you guys think? Should I use another distro? Other software? Thanks in advance! |
Bob_Robertson Jan 18, 2011 9:49 AM EDT |
Jim, I'm with you on adding users, not virtual machines. I had a world-accessable server of my own from 1995 to 2003, when a @#$%^-spam bugger used my domain as their fake "From:" and caused the mail receiver to overload. Hard to imagine a 386-33MHz running Linux at 5-10% utilization, but it did. Anyway, my main focus would not be how many services are running (Linux on modern hardware scoffs at such limited thinking!), but that each service is LOCKED DOWN. There is one heck of a lot of automated port scanning and script-based cracking going on out there. I'm on a home network where my ISP blocks both port 80 and 25, and the "WAN traffic" light blinks constantly. Those are packets being sent directly to my WAN IP by who-knows-who for who-knows-what, even though I have ping response turned off. I would enjoy the mental exercise of putting a sniffer in place of the router some day and seeing just what it is, and who, that is "knocking at my door". |
herzeleid Jan 18, 2011 1:18 PM EDT |
The distro is fine, the hardware is fine - Just adding a user is more straightforward than creating a "mail account", I'd only mess with virtual users if there were a lot of them to manage. As far as the apps, I've found that dovecot is much simpler to set up than courier, has good performance and works well with postfix. Proftpd is featureful, but has had some security holes. I like pure-ftpd and vsftpd for good performance and security. Be sure and use encryption for all internet services (pop3s instead of pop3, imaps instead of imap, make sure web mail is https-only, etc) |
Steven_Rosenber Jan 18, 2011 1:33 PM EDT |
I'd say set it up as a test environment (i.e. w/o critical data of any kind), let it run a few months and see how you do before dropping "real" data on it. |
jimbauwens Jan 18, 2011 5:30 PM EDT |
@bob, with virtual users I don't mean virtual machines, just a list of "virtual" users in a database. And yes, security is one of the biggest issue
@herzeleid, thanks for the tips, I'll definitely look at dovecot and pure-ftpd! What I'm now thinking on is how I should partition my harddrive. Separate home directory? How big, how small? Any help in this area would be very appreciated :-) |
Steven_Rosenber Jan 18, 2011 5:40 PM EDT |
Find some "real" admins and ask them. In my limited experience, admins want to put lots of things in their own partitions - /tmp, /var, /var/www (if your system uses it), /swap, /usr, /usr/bin, /etc, /home. I'm unfortunately a little hazy on which of these need to be a "primary" partition and which can live in a secondary partition. I've only done this kind of hard-core partitioning in BSD, and now I'm even too lazy to bother with that (especially when the installer in OpenBSD will cheerfully do it for me). |
Bob_Robertson Jan 18, 2011 6:17 PM EDT |
Jim, Got it. Database entries, not user accounts. I haven't done anything like that myself, so as Steven says, go find a real sysadmin. And I'll agree with him here too, real sysadmins love lots and lots of partitions. |
herzeleid Jan 18, 2011 6:20 PM EDT |
I'm a real admin, at least they pay me for working away at it... Separate partitions were a must back in the day, when you had to make them small enough to be backed up onto a tape of limited size. Nowadays that's not really an issue. Separate partitions also make sense for performance reasons, if you actually have separate spindles - but carving up a single disk into lots of little partitions only makes for a lot of overhead, and forehead-slapping moments when you see that one partition has quickly become 100% full, while another partition is under 10% full. Some advocate LVM as the best way to overcome this woe, and LVM is indeed nifty, but I just avoid the overhead and create a 3 partition setup in most cases - /, /home and swap. For some cases, separate /var or /tmp with different mount options and/or filesystem types can be beneficial for performance or security - it all depends on your use case. Joe |
Sander_Marechal Jan 19, 2011 2:00 AM EDT |
I like LVM because I can just keep on adding disks and growing my partitions. As for FTP, do you need it at all? Use ssh/sftp. FTP is a security issue because passwords are sent plaintext over the network. The latest few versions of OpenSSH server allow for chrooted sftp accounts, so there's really no excuse to use FTP anymore. |
jimbauwens Jan 19, 2011 3:57 AM EDT |
Ok, thanks for the answers, i'll take them in consideration :) About ftp, the only reason why I want to use is because some of my family are windows users, and I don't know how Windows handles sftp (if it even can). Maybe I'll just use ftp internal, not to the outside world. |
jimbauwens Jan 19, 2011 5:24 AM EDT |
It look like the "raid" controller in the Asus p5b Deluxe is just fake raid :(
So I will probably use software raid. @Sander, Do you know if LVM can handle (software) raid disks? Can I add another raid pair later? Like this: [=500=] = harddrive Hope it describes enough :-) |
cr Jan 19, 2011 5:38 AM EDT |
Quoting: About ftp, the only reason why I want to use is because some of my family are windows users, and I don't know how Windows handles sftp (if it even can). Google 'PuTTY'. It's a WinDOS app that does ssh, scp and sftp. Oh, and if you're using a Maildir system for your email server (I use qmail), you may well want to format the partition /var is in to have lots more inodes than normal. |
Bob_Robertson Jan 19, 2011 10:40 AM EDT |
> I don't know how Windows handles sftp (if it even can). FireFTP https://addons.mozilla.org/en-US/firefox/addon/fireftp/ "Along with transferring your files quickly and efficiently, FireFTP also includes more advanced features such as: directory comparison, syncing directories while navigating, SFTP, SSL encryption, search/filtering, integrity checks, remote editing, drag & drop, file hashing, and much more!" Maybe they could learn to use FireFox? |
Steven_Rosenber Jan 19, 2011 1:09 PM EDT |
I'm not crazy about FireFTP. I generally use FileZilla. Even though it doesn't have the best UI, at least it's the same across all architectures and OSes |
Bob_Robertson Jan 19, 2011 2:38 PM EDT |
Ah, more than one answer to the problem. All I did was search FireFox add-ons. I've used WinSCP for years for SSH file access. |
herzeleid Jan 19, 2011 3:09 PM EDT |
Agreed, filezilla is the best way to handle ftp/sftp/ftps connections - much more intuitive than putty/winscp, plus it's cross platform, so I can use the same tools on linux as my windows-burdened friends, which facilitates tech support. Sander made a good point, I was going to suggest sftp, but then you have to make sure that you don't give shell access to people who you merely intended to give file transfer access. In cases like that, you can set the user up with one of those "sftponly" shells |
jimbauwens Jan 19, 2011 3:42 PM EDT |
Thanks for the tip's guys, I'll tell my sisters to install filezilla on their computer :-) I installed 10.04 on the server, with software raid (raid1) and LVM. I just have a problem with my swap lvm partition, it reports that it is "suspended", and doesn't mount. Not a problem really, I'll just use a swap image for now. Now all I have to do is install the mail stuff, and register a web domain name (free with our internet plan), and the fun can begin :) |
Sander_Marechal Jan 19, 2011 4:18 PM EDT |
Quoting:@Sander, Do you know if LVM can handle (software) raid disks? Can I add another raid pair later? Absolutely. Just add disks in pairs and create new mdadm devices out of them. Then, add those mdadm devices as physical volumes to your LVM. One tip: blacklist your raw raid devices in your LVM configuration. E.g. if sda1 and sdb1 are in raid1 to make md0, then add sda1 and sdb1 to the blacklist in your LVM configuration. Reason: If you have a serious LVM problem, LVM can scan the raw devices and recreate it's configuration. But if it scans the raw sda and sdb devices it will try to use them as LVM physical volumes. You don't want that, because LVM should be using the raid device, not the raw devices that make up the raid. And here's another tip: When you create the the sda1 and sdb1 partitions that will make up your raid, do not use the entire disk. Leave a little but of unused space at the end. Reason: not all 500G hard drives are created equal. The exact number of blocks vary depends on manufacturer and model. Now suppose one of your drives dies and you buy a different one (or they send you a different one under warranty). It may have a few less blocks available. So, now you cannot create a partition of the right size to get your raid back up and running. Oops! If you make your partitions just a tiny bit smaller, you can still recreate it on the new disk with the right size, even if the raw disk has a few less blocks that the old disk. The difference in blocksize will be hidden by the unused space at the end. It's a really neat trick that you can only do with software raid like mdadm. Edit: Also, pick the right filesystem for your workload: http://www.jejik.com/articles/2008/04/benchmarking_linux_fil... |
jimbauwens Jan 19, 2011 4:25 PM EDT |
@sander: Thanks for the blacklisting tip!
About leaving space at the end, its already to late...
Its already installed. But of course reinstalling is no problem, once you know how it goes :)
Thanks for telling me, as this will be important in the future. Edit: and thanks for that link! |
jimbauwens Jan 20, 2011 10:59 AM EDT |
Ok, I repartitioned my harddrive to have space left behind the raid partition, and on the end of the lvm partition. Everything works now (even swap). I just don't know were to blacklist my raid drives. I've been looking, but didn't really find out how to do it. Hope that one of you might be able to help me :) As you can see, I don't have much experience setting up a server. But one of the reasons I'm doing this is to learn, and have fun administrating my servers. |
jdixon Jan 20, 2011 12:02 PM EDT |
> I just don't know were to blacklist my raid drives. Hmm. He said specificly to blacklist them in the lvm configuratuion. I'll have to do some research on that. Google doesn't turn up anything obvious. Maybe Sander can provide more details. |
Sander_Marechal Jan 20, 2011 2:31 PM EDT |
/etc/lvm/lvm.conf, where else? There should be a section there already that blacklists the floppy and cdrom drivers. Just add your raw devices. E.g:devices { ... # Exclude the cdrom drive filter = [ "a/.*/", "r|/dev/cdrom|", "r|/dev/sd[abc]1|" ] |
jdixon Jan 20, 2011 4:02 PM EDT |
> /etc/lvm/lvm.conf, where else? Obviously. :) Thanks Sander. I haven't played with LVM at all, and doubt I'll have time to in the near future. |
jimbauwens Jan 20, 2011 4:08 PM EDT |
I must have missed it when I checked it, stupid me :) Thanks Sander! |
You cannot post until you login.