I recently upgraded my gaming box, and had enough spare parts around to easily set up a second machine. I'd like to set up a Linux server for fun and education.
The primary tasks I'd like it to perform:
- Servers for simple games (e.g. Minecraft)
- Server for Mumble (Available from the web, not just local)
- Remote access from outside my network: VNC tunneled over SSH, WOL for my gaming desktop, and the like
- File server. I'm a graduate student and it would be nice to have a safe place to store/retrieve backups of data.
- Perhaps some basic web hosting for shit like Firefly Media server or what have you
My primary concern about this is security. I'd like to make sure that this system is reasonably secure to outside attack. I realize that the tasks above open the system, but people host these sorts of things all the time.
What sort of distro should I run? Which will give me the best security? I barely know anything about navigating the terminal (save for very very basic tasks) so I'll need something that will teach me to use it to potential. I also need something that is (ideally) easy to install, because I have no doubt I'll be fucking up and blowing the whole thing away often enough.
The machine I have is a 3.0gHz Core-2 Duo with 4gb ram, an 8800GT, and 500gb hard disk. I can hook it up to a monitor if needed but mostly intend on running this headless from a terminal. What are the basic steps I should take to get started?
Thanks in advance.
Posts
If you already understand all this, sorry for explaining too much. But here goes:
As you configure your system you use various tools to protect against some threats, and to make other threats impossible. In general each tool provides a tradeoff between security and convenience. Direct VNC versus VNC-via-SSH: setting up the SSH tunnel is inconvenient but adds protection against a few threats. Allowing SMB (Windows file sharing) access directly over the Internet is convenient, if you want to go to someone else's PC and go Start -> Run -> \\1.2.3.4\share, but that server now exposes you to additional risks.
Software contains bugs, unintended behaviors, security flaws, etc. Every piece of server software you add to a server could potentially be compromised. If a compromise occurs, you can assume the attacker will be able to access anything that software was able to access. If that server had root access to the entire server without exception, the attacker will have that access.
If you run a server that can be accessed directly from the Internet, all of that server's security flaws could be exploited by anyone at any time. If you run a server that can only be accessed locally or via SSH tunnel, then that server's flaws can be exploited by anyone who gains access to one of your local machines (via unrelated Windows exploit or infection) or by anyone who gains the ability to SSH in as a less-privileged user.
What some people do, if they need absolute security but can't trust ANY of their software to be secure, is to isolate EVERYTHING in a separate virtual machine, with VMware Server or User Mode Linux or something similar. If you run a DNS server, run it in a VM with an absolutely minimal install. Likewise mysql and apache -- give them separate VMs. Run each game server also in its own VM. This requires far more machine resources, but you aren't really working with a lightweight machine.
If you do this, if someone compromises your DNS server VM, they'll find themselves in control of a machine with almost no software or resources, unable to make any connections that aren't DNS lookups. He can try to remotely exploit other VMs over your LAN, but that's about it.
If you don't want to go that far . . . I'd recommend Ubuntu Server LTS.
XBL Michael Spencer || Wii 6007 6812 1605 7315 || PSN MichaelSpencerJr || Steam Michael_Spencer || Ham NOØK
QRZ || My last known GPS coordinates: FindU or APRS.fi (Car antenna feed line busted -- no ham radio for me X__X )
So you're always balancing between acceptable risk and providing the services you need to.
Short version: keep your software up to date and you'll probably be okay.
As for distro, I'd go for Debian these days. My current favorite is Arch Linux, but that might be a little too hardcore for a beginner.
Unless things have changed since I last used Debian, it's notorious for being very conservative in terms of how recent the software in the official repos were. If your main concern is keeping your software up-to-date and you want package management, you probably don't want vanilla Debian. Debian-based distros rock, though, whether you're using something more noob-friendly like Ubuntu or a less hand-holding one like Arch.
Debian basically had a massive freeze where they stuck to the same version since 2000 for like 7 years or something (I'm probably way off) but they've had several releases then. It's actually good for the purposes of a server because of its slow updating process - the reason behind it is it uses the stable branch (make sure you get the stable branch of Debian btw) which they are absolutely positive has no bugs, and no flaws. The kind of new features it had problems with was it was lagging behind in stuff like wireless, print support, sound etc. - stuff that doesn't really matter to a straightforward server, connected to a network via ethernet cable. Debian is that server that people have effortlessly gotten an uptime of 5 years on.
Fortunately, a GNU/Linux thread has popped up so if I have specific questions I can post there. Thanks for the advice!
XBL: LiquidSnake2061
As for an actually intrusive attack? Only someone really skilled is going to pull that off, and unless you have enemies it's really unlikely you'll be targeted. As for botnets/worms/trojans/whathaveyou you're for the most part already fine just by virtue of running linux. You'll still be vulnerable to DoS attacks, but so is everyone, and again, you probably don't have many enemies.
To be honest, I wouldn't really worry about security at all, especially if your server doesn't have a registered domain name. You're more likely to die in a car crash than have someone randomly decide to launch an attack on your little old fileserver.
- Use an automated tool to scan the entire Internet looking for exploitable versions of XYZ
- Run another automated or semi-automated tool on the machines found to be exploitable
- Save logs from "interesting" machines for further analysis by smart bad guys (for example, what if some admin chattr +i's some files they need to replace. It's easy to undo if you know what chattr is.)
is more than sufficient to handle most servers out there.XBL Michael Spencer || Wii 6007 6812 1605 7315 || PSN MichaelSpencerJr || Steam Michael_Spencer || Ham NOØK
QRZ || My last known GPS coordinates: FindU or APRS.fi (Car antenna feed line busted -- no ham radio for me X__X )
There are millions of windows machines out there that are much easier to infect than a bone stock linux server, most of their energy is going to go into the low hanging fruit.