As was foretold, we've added advertisements to the forums! If you have questions, or if you encounter any bugs, please visit this thread: https://forums.penny-arcade.com/discussion/240191/forum-advertisement-faq-and-reports-thread/

[Help] Linux servers: how do they work?

JerikTelorianJerikTelorian Registered User regular
I recently upgraded my gaming box, and had enough spare parts around to easily set up a second machine. I'd like to set up a Linux server for fun and education.

The primary tasks I'd like it to perform:
  • Servers for simple games (e.g. Minecraft)
  • Server for Mumble (Available from the web, not just local)
  • Remote access from outside my network: VNC tunneled over SSH, WOL for my gaming desktop, and the like
  • File server. I'm a graduate student and it would be nice to have a safe place to store/retrieve backups of data.
  • Perhaps some basic web hosting for shit like Firefly Media server or what have you

My primary concern about this is security. I'd like to make sure that this system is reasonably secure to outside attack. I realize that the tasks above open the system, but people host these sorts of things all the time.

What sort of distro should I run? Which will give me the best security? I barely know anything about navigating the terminal (save for very very basic tasks) so I'll need something that will teach me to use it to potential. I also need something that is (ideally) easy to install, because I have no doubt I'll be fucking up and blowing the whole thing away often enough.

The machine I have is a 3.0gHz Core-2 Duo with 4gb ram, an 8800GT, and 500gb hard disk. I can hook it up to a monitor if needed but mostly intend on running this headless from a terminal. What are the basic steps I should take to get started?

Thanks in advance.

SteamID -- JerikTelorian
XBL: LiquidSnake2061
Shade wrote: »
Anyone notice how some things (mattresses and the copy machines in Highrise) are totally impenetrable? A steel wall, yeah that makes sense, but bullets should obliterate copy machines.

I don't know about you, but I always buy a bullet proof printer. Its a lot more expensive, but I think the advantages are apparent.
JerikTelorian on

Posts

  • mspencermspencer PAX [ENFORCER] Council Bluffs, IARegistered User regular
    edited August 2010
    Security is a deep and complex subject. No distro really gives you security -- they just make it various levels of easy or difficult to shoot yourself in the foot.

    If you already understand all this, sorry for explaining too much. But here goes:

    As you configure your system you use various tools to protect against some threats, and to make other threats impossible. In general each tool provides a tradeoff between security and convenience. Direct VNC versus VNC-via-SSH: setting up the SSH tunnel is inconvenient but adds protection against a few threats. Allowing SMB (Windows file sharing) access directly over the Internet is convenient, if you want to go to someone else's PC and go Start -> Run -> \\1.2.3.4\share, but that server now exposes you to additional risks.

    Software contains bugs, unintended behaviors, security flaws, etc. Every piece of server software you add to a server could potentially be compromised. If a compromise occurs, you can assume the attacker will be able to access anything that software was able to access. If that server had root access to the entire server without exception, the attacker will have that access.

    If you run a server that can be accessed directly from the Internet, all of that server's security flaws could be exploited by anyone at any time. If you run a server that can only be accessed locally or via SSH tunnel, then that server's flaws can be exploited by anyone who gains access to one of your local machines (via unrelated Windows exploit or infection) or by anyone who gains the ability to SSH in as a less-privileged user.

    What some people do, if they need absolute security but can't trust ANY of their software to be secure, is to isolate EVERYTHING in a separate virtual machine, with VMware Server or User Mode Linux or something similar. If you run a DNS server, run it in a VM with an absolutely minimal install. Likewise mysql and apache -- give them separate VMs. Run each game server also in its own VM. This requires far more machine resources, but you aren't really working with a lightweight machine.

    If you do this, if someone compromises your DNS server VM, they'll find themselves in control of a machine with almost no software or resources, unable to make any connections that aren't DNS lookups. He can try to remotely exploit other VMs over your LAN, but that's about it.

    If you don't want to go that far . . . I'd recommend Ubuntu Server LTS.

    mspencer on
    MEMBER OF THE PARANOIA GM GUILD
    XBL Michael Spencer || Wii 6007 6812 1605 7315 || PSN MichaelSpencerJr || Steam Michael_Spencer || Ham NOØK
    QRZ || My last known GPS coordinates: FindU or APRS.fi (Car antenna feed line busted -- no ham radio for me X__X )
  • xzzyxzzy Registered User regular
    edited August 2010
    The simple rule of thumb for security is every service you have open to the internet increases risk. If some game server has a vulnerability in it, someone could use it to break in. If you shut down every incoming port on a box, you could probably leave it on the internet for years and not be broken in to. But it wouldn't be a very useful server.

    So you're always balancing between acceptable risk and providing the services you need to.

    Short version: keep your software up to date and you'll probably be okay.



    As for distro, I'd go for Debian these days. My current favorite is Arch Linux, but that might be a little too hardcore for a beginner.

    xzzy on
  • DeathPrawnDeathPrawn Registered User regular
    edited August 2010
    xzzy wrote: »
    Short version: keep your software up to date and you'll probably be okay.

    As for distro, I'd go for Debian these days. My current favorite is Arch Linux, but that might be a little too hardcore for a beginner.

    Unless things have changed since I last used Debian, it's notorious for being very conservative in terms of how recent the software in the official repos were. If your main concern is keeping your software up-to-date and you want package management, you probably don't want vanilla Debian. Debian-based distros rock, though, whether you're using something more noob-friendly like Ubuntu or a less hand-holding one like Arch.

    DeathPrawn on
    Signature not found.
  • theSquidtheSquid Sydney, AustraliaRegistered User regular
    edited August 2010
    DeathPrawn wrote: »
    xzzy wrote: »
    Short version: keep your software up to date and you'll probably be okay.

    As for distro, I'd go for Debian these days. My current favorite is Arch Linux, but that might be a little too hardcore for a beginner.

    Unless things have changed since I last used Debian, it's notorious for being very conservative in terms of how recent the software in the official repos were. If your main concern is keeping your software up-to-date and you want package management, you probably don't want vanilla Debian. Debian-based distros rock, though, whether you're using something more noob-friendly like Ubuntu or a less hand-holding one like Arch.

    Debian basically had a massive freeze where they stuck to the same version since 2000 for like 7 years or something (I'm probably way off) but they've had several releases then. It's actually good for the purposes of a server because of its slow updating process - the reason behind it is it uses the stable branch (make sure you get the stable branch of Debian btw) which they are absolutely positive has no bugs, and no flaws. The kind of new features it had problems with was it was lagging behind in stuff like wireless, print support, sound etc. - stuff that doesn't really matter to a straightforward server, connected to a network via ethernet cable. Debian is that server that people have effortlessly gotten an uptime of 5 years on.

    theSquid on
  • JerikTelorianJerikTelorian Registered User regular
    edited August 2010
    Thanks for the advice folks. It looks like I'm going to run Ubuntu server for now, and might encapsulate Mumble in a VM with a Debian netinstall. Minecraft is a Java game, so unless I'm wrong, I'm not really fearful of running it on the main OS because it's run in the jvm and should be secure, right?

    Fortunately, a GNU/Linux thread has popped up so if I have specific questions I can post there. Thanks for the advice!

    JerikTelorian on
    SteamID -- JerikTelorian
    XBL: LiquidSnake2061
    Shade wrote: »
    Anyone notice how some things (mattresses and the copy machines in Highrise) are totally impenetrable? A steel wall, yeah that makes sense, but bullets should obliterate copy machines.

    I don't know about you, but I always buy a bullet proof printer. Its a lot more expensive, but I think the advantages are apparent.
  • grouch993grouch993 Both a man and a numberRegistered User regular
    edited August 2010
    look into tcp-wrappers and some forms of access control. Port knocking might also be fun to mess with.

    grouch993 on
    Steam Profile Origin grouchiy
  • SushisourceSushisource Registered User regular
    edited August 2010
    One of the best things about linux is the way it segregates user permissions. The best thing you can do for your security is to make sure that the processes/servers/etc you are running are running on accounts that DON'T have access to anything that could compromise your system. IE: Don't run apache as root, hurp durp.

    As for an actually intrusive attack? Only someone really skilled is going to pull that off, and unless you have enemies it's really unlikely you'll be targeted. As for botnets/worms/trojans/whathaveyou you're for the most part already fine just by virtue of running linux. You'll still be vulnerable to DoS attacks, but so is everyone, and again, you probably don't have many enemies.

    To be honest, I wouldn't really worry about security at all, especially if your server doesn't have a registered domain name. You're more likely to die in a car crash than have someone randomly decide to launch an attack on your little old fileserver.

    Sushisource on
    Some drugee on Kavinsky's 1986
    kavinskysig.gif
  • mspencermspencer PAX [ENFORCER] Council Bluffs, IARegistered User regular
    edited August 2010
    Don't underestimate the complexity of script kiddie scripts. Remember that there's "money" in this. The classic script kiddie threat model of
    1. Use an automated tool to scan the entire Internet looking for exploitable versions of XYZ
    2. Run another automated or semi-automated tool on the machines found to be exploitable
    3. Save logs from "interesting" machines for further analysis by smart bad guys (for example, what if some admin chattr +i's some files they need to replace. It's easy to undo if you know what chattr is.)
    is more than sufficient to handle most servers out there.

    mspencer on
    MEMBER OF THE PARANOIA GM GUILD
    XBL Michael Spencer || Wii 6007 6812 1605 7315 || PSN MichaelSpencerJr || Steam Michael_Spencer || Ham NOØK
    QRZ || My last known GPS coordinates: FindU or APRS.fi (Car antenna feed line busted -- no ham radio for me X__X )
  • xzzyxzzy Registered User regular
    edited August 2010
    Don't overestimate them either.

    There are millions of windows machines out there that are much easier to infect than a bone stock linux server, most of their energy is going to go into the low hanging fruit.

    xzzy on
Sign In or Register to comment.