Page 1 of 4
Results 1 to 10 of 32

Thread: server setup

  1. #1
    Join Date
    Feb 2013
    Beans
    27

    server setup

    hello everyone
    This is my first attempt to create my own server and make it public. I am running ubuntu server 12.04.3 on an old laptop.
    I have installed webmin, phpmyadmin etc etc and I am planning on hosting a web-site for a project of mine. I also want to have remote access via FTP and store my databases using mySQL. I have a couple of questions but first things first!
    I have set everything up and working locally (ftp access using filezilla and my webpage). I forwarded the required ports and I managed to have access remotely as well. I used no-ip.com to create a domain name and that worked fine as well for both the FTP and the website.
    I restarted my router and my public ip was reset (my ISP provides me with a dynamic ip). Now every time my router restarts I need to lookup my new public IP to access my files and page. Is there any way I could work that out?

    Thank you

  2. #2
    Join Date
    Mar 2010
    Location
    Metro-ATL; PM free zone.
    Beans
    Hidden!
    Distro
    Lubuntu 14.04 Trusty Tahr

    Re: server setup

    Congratulations! Many people started out just like you. Fun stuff.

    A - don't restart your router very often. You are providing services on the 24/7/365 internet now to the entire world. It doesn't matter if you don't know about those foreign users, they have certainly discovered your FTP site already.
    B - set up a no-ip Dynamic DNS client that will auto-update the no-ip DNS records. Be certain that your DNS TTL is 30 min or so. There is a no-ip package for Ubuntu that does this.
    C - FTP probably isn't the best service to run unless you want anyone, anywhere in the world to have access to your machine (and not just the FTP areas you specify). See, the most popular FTP servers have been hacked a few times - back doors added. Plus FTP doesn't have any encryption, so using logins is just providing credentials to anyone between the remote system and your box. Almost everyone should stop using FTP.
    D - Webmin and phpmyadmin are security issues waiting to be exploited. **Both** have been exploited before, so if you must run them, then please, please, please, please do not allow external access.
    E - Never allow external access to your MySQL DBs. NEVER, NEVER, NEVER.

    The best service to allow on the internet for home users is ssh - nothing else. With it, you can avoid using passwords - ssh-keys ROCK! You can scp, sftp, remote shell and remote desktop back to the system over ssh-tunnels. With keys, it is actually more convenient AND more secure. Things to help secure ssh/scp/sftp/etc ... The main methods to secure ssh are:
    * run an iptables-based firewall
    * use ssh keys for all authentication outside the LAN.
    * install fail2ban so that failures are blocked quickly (using the firewall)

    Backups - versioned backups. These are the most important thing to running a public service. Restore files from yesterday, last week or last month, since we don't usually notice being hacked for a day or 10. Backups are good for other reasons too.

    Anyway - have fun and I hope you don’t get hacked. OTOH, being hacked was some of the best education that I've ever had.
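As an added example (not code from this thread or from TheFu), here is a small host firewall script in the shape the post recommends: ssh reachable from anywhere with a per-source rate limit, the web site on port 80, and Webmin and MySQL accepting connections only from the LAN. The LAN range 192.168.1.0/24, the port numbers and the IPT variable are assumptions; set LAN to your own network, and run the script a second time with IPT=ip6tables and your IPv6 prefix if IPv6 is enabled. It does not replace fail2ban, which is the layer that bans a source after repeated login failures.

```shell
#!/bin/sh
# Added example (not from the thread): a small host firewall in the shape the
# post recommends. LAN range, ports and the IPT variable are assumptions.
# Usage:  sudo sh fw.sh apply                 (install the rules)
#         sh fw.sh show                       (print the commands instead)
#         sudo env IPT=ip6tables LAN=<v6 prefix> sh fw.sh apply   (repeat for IPv6)

LAN="${LAN:-192.168.1.0/24}"   # assumed home LAN; change to match your network
IPT="${IPT:-iptables}"         # IPT=echo turns this into a dry run

apply_rules() {
    "$IPT" -F                  # flush every chain of the filter table
    "$IPT" -X                  # and delete user-defined chains
    "$IPT" -A INPUT -i lo -j ACCEPT
    "$IPT" -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # ssh from anywhere, but a source opening 5+ connections within a minute is dropped
    "$IPT" -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set --name SSH
    "$IPT" -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 5 --name SSH -j DROP
    "$IPT" -A INPUT -p tcp --dport 22 -j ACCEPT
    "$IPT" -A INPUT -p tcp --dport 80 -j ACCEPT          # the public web site
    # admin interfaces only from the LAN: Webmin (10000) and MySQL (3306)
    "$IPT" -A INPUT -s "$LAN" -p tcp --dport 10000 -j ACCEPT
    "$IPT" -A INPUT -s "$LAN" -p tcp --dport 3306 -j ACCEPT
    # log a trickle of what is dropped so the logs show who is knocking
    "$IPT" -A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw-drop: "
    # default deny, set last so an existing ssh session is not cut off mid-way
    "$IPT" -P INPUT DROP
    "$IPT" -P FORWARD DROP
    "$IPT" -P OUTPUT ACCEPT
}

case "${1:-}" in
    apply) apply_rules ;;
    show)  IPT=echo; apply_rules ;;
esac
```

phpmyadmin is served by the web server on port 80, so a port rule cannot separate it from the public site; restrict its URL path in the web server configuration (or move it to a separate port) if it must stay installed.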

  3. #3
    Join Date
    Feb 2013
    Beans
    27

    Re: server setup

    Quote Originally Posted by TheFu View Post
    Congratulations! Many people started out just like you. Fun stuff.

    A - don't restart your router very often. You are providing services on the 24/7/365 internet now to the entire world. It doesn't matter if you don't know about those foreign users, they have certainly discovered your FTP site already.
    B - set up a no-ip Dynamic DNS client that will auto-update the no-ip DNS records. Be certain that your DNS TTL is 30 min or so. There is a no-ip package for Ubuntu that does this.
    C - FTP probably isn't the best service to run unless you want anyone, anywhere in the world to have access to your machine (and not just the FTP areas you specify). See, the most popular FTP servers have been hacked a few times - back doors added. Plus FTP doesn't have any encryption, so using logins is just providing credentials to anyone between the remote system and your box. Almost everyone should stop using FTP.
    D - Webmin and phpmyadmin are security issues waiting to be exploited. **Both** have been exploited before, so if you must run them, then please, please, please, please do not allow external access.
    E - Never allow external access to your MySQL DBs. NEVER, NEVER, NEVER.

    The best service to allow on the internet for home users is ssh - nothing else. With it, you can avoid using passwords - ssh-keys ROCK! You can scp, sftp, remote shell and remote desktop back to the system over ssh-tunnels. With keys, it is actually more convenient AND more secure. Things to help secure ssh/scp/sftp/etc ... The main methods to secure ssh are:
    * run an iptables-based firewall
    * use ssh keys for all authentication outside the LAN.
    * install fail2ban so that failures are blocked quickly (using the firewall)

    Backups - versioned backups. These are the most important thing to running a public service. Restore files from yesterday, last week or last month, since we don't usually notice being hacked for a day or 10. Backups are good for other reasons too.

    Anyway - have fun and I hope you don’t get hacked. OTOH, being hacked was some of the best education that I've ever had.
    Thanks for the reply and the tips.
    I forgot to say that I don't know that much about linux and servers.
    A - I am not planning on restarting but it happens from time to time.
    B - It was impossible for me to install the no-ip update client because I was getting errors after the extraction (make install), so I downloaded ddclient and set it up for noip. It doesn't seem to work yet but I am going to try it a bit more by myself and then ask for help.
    C - I stopped the ftp service. How do I set up and use sftp? Any guides?
    D - As I said I am new to the field. How do I block the external access? Using the gui of webmin?
    E - My database will not be linked to my website atm (if this is the reason why it is dangerous). I just want to create it and give access to a friend (logging in from another ip).

    PS I don't worry about being hacked because there is nothing valuable at all on my server. It is 100% for educational reasons.
    Last edited by mourgolikos; October 5th, 2013 at 02:51 AM.

  4. #4
    Join Date
    Mar 2010
    Location
    Metro-ATL; PM free zone.
    Beans
    Hidden!
    Distro
    Lubuntu 14.04 Trusty Tahr

    Re: server setup

    Quote Originally Posted by mourgolikos View Post
    thanks for the reply and the tips
    I forgot to say that I don't know that much about linux and servers.
    We all started not knowing much. I've been learning about UNIX/Linux for over 20 yrs. Feels like I know about 10% today.
    Quote Originally Posted by mourgolikos View Post
    A - I am not planning on restarting but it happens from time to time.
    I think my router has been restarted 3 times the last 2 years. It is on a UPS. A properly running router shouldn't need to be rebooted "just because."
    Quote Originally Posted by mourgolikos View Post
    B - It was impossible for me to install the no-ip update client because I was getting errors after the extraction (make install), so I downloaded ddclient and set it up for noip. It doesn't seem to work yet but I am going to try it a bit more by myself and then ask for help.
    Good plan. try, try, try, google, ask. I had it running a few years ago, but have since switched to officially static IPs. We still use no-ip as 1 of the DNS services. I thought there was an Ubuntu package for this?

    Quote Originally Posted by mourgolikos View Post
    C-I stopped the ftp service. how do I setup and use the sftp? any guides?
    sftp is included automatically with ssh ---- apt-get install ssh-server is my guess. My setups are automatic. Even so, when I install a fresh server the ONLY service I enable at install time is the ssh-server. NEVER anything else.
    Quote Originally Posted by mourgolikos View Post
    D-As I said I am new to the field. How do I block the external access? using the gui of webmin?
    I wouldn't know anything about web-based administration tools. They have a place, but not on any of my servers. Security risk. The easy way is to block the port on the router and setup a firewall on the machine that blocks all access from non-LAN IPs. If you have IPv6 enabled, be certain to do that for IPv6 addresses too.
    Quote Originally Posted by mourgolikos View Post
    E - My database will not be linked to my website atm (if this is the reason why it is dangerous). I just want to create it and give access to a friend (logging in from another ip).
    Well, that is exactly the behavior I'm saying you shouldn't allow. Disable that access until you learn how to block it for everyone else. Until you learn that, you aren't ready, grasshopper.

    Quote Originally Posted by mourgolikos View Post
    PS I don't worry about being hacked because there is nothing valuable at all on my server. It is 100% for educational reasons.
    That is a complete crock. Seriously, they (you know .. "them") aren't out to get just you. They are out to get everyone foolish enough to put a non-secure system on the internet. Then they just want your bandwidth to launch attacks. This Washington Post article will explain. Updated version. Set up your RSS reader to follow Brian Krebs - you'll thank me and he will open your eyes.

    Running a server on the internet makes you into a paranoid person since there are attacks against your machine constantly ... if that machine falls, your entire internal network is gone too. If you have a smart-TV - it will be hacked too. Do you think about patching your TV, microwave, toaster and every other "networked" device? Once inside the trusted LAN, gaining access to other devices is much easier. I haven't been hacked since 2002 and was hacked in 1995 while on a government LAN connection. They took over my machine, deleted my account and changed the root password in less than 20 minutes ... over a dial-up connection. Government security took the HDD and investigated. I never heard about it again and didn't get my HDD back.

    Being paranoid now will save you from hassles. Sure, you don't think you have much to lose today, but imagine when every device on your LAN has been compromised. What will you do then?

  5. #5
    Join Date
    Feb 2013
    Beans
    27

    Re: server setup

    I have not yet managed to set up correctly ddclient (it stopped displaying the errors but it does not update my ip).

    There is no ubuntu server package for noip I am afraid! Although, instructions on how to download and install the client (which did not work for me) can be found here: http://www.noip.com/support/knowledg...ent-on-ubuntu/

    Anyway, I have ssh server already installed (chose it during installation of the OS) but I need to create new user accounts to log in! don't I? And then I guess I will connect using filezilla?! The port which I should be using is 22?

    Any suggestions on the firewall I should use?

    What you are saying about the database is that I should block all incoming connections except from specific IPs?

    I surfed a bit on http://krebsonsecurity.com/ It looks REALLY interesting. It seems like I am going to spend days on it :-p thank you

    PS paranoid mode: on

  6. #6
    Join Date
    Oct 2009
    Beans
    Hidden!
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: server setup

    Quote Originally Posted by TheFu View Post
    I think my router has been restarted 3 times the last 2 years. It is on a UPS. A properly running router shouldn't need to be rebooted "just because."
    You too, huh? So far mine has only rebooted due to a move. I usually have it plugged into a battery backup, but not right now.

    Quote Originally Posted by TheFu View Post
    I wouldn't know anything about web-based administration tools. They have a place, but not on any of my servers. Security risk. The easy way is to block the port on the router and setup a firewall on the machine that blocks all access from non-LAN IPs. If you have IPv6 enabled, be certain to do that for IPv6 addresses too.
    Well, that is exactly the behavior I'm saying you shouldn't allow. Disable that access until you learn how to block it for everyone else. Until you learn that, you aren't ready, grasshopper.
    Likewise, I don't really like web-based admin tools but if you need to use them, firewall them so that they can only be accessed from certain IP addresses to limit your attack surface.

    I've only ever used a db server that listens on localhost, so it won't accept any external connections.

    Quote Originally Posted by TheFu View Post
    That is a complete crock. Seriously, they (you know .. "them") aren't out to get just you. They are out to get everyone foolish enough to put a non-secure system on the internet. Then they just want your bandwidth to launch attacks. This Washington Post article will explain. Updated version. Set up your RSS reader to follow Brian Krebs - you'll thank me and he will open your eyes.
    Good links. I've had a ton of brute force attacks (and mod_proxy attacks too!) on both my VPSes, but so far no one has been able to get in. Reading logs to get familiar with what is normal and what isn't is a good way to keep an eye on things. I use logwatch for the most part, but it doesn't catch everything.

    Quote Originally Posted by TheFu View Post
    Running a server on the internet makes you into a paranoid person since there are attacks against your machine constantly ... if that machine falls, your entire internal network is gone too.
    That is why I use a VPS for my web and mail servers instead of hosting it at home. If it was hosted at home, I'd be sure to isolate it from the rest of the network.

    As far as firewalls go, iptables ftw! Although you can also use ufw, I prefer iptables.
    http://bodhizazen.net/Tutorials/iptables
    Come to #ubuntuforums! We have cookies! | Basic Ubuntu Security Guide

    Tomorrow's an illusion and yesterday's a dream, today is a solution...
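An added example, not part of this post: a check for the point made above that a database should listen on localhost only and accept no external connections. It parses `ss -ltn` output and prints every TCP listener bound to something other than the loopback address; a constructed sample (made-up addresses and ports) is embedded so it runs offline, and in that sample MySQL on 3306 shows up as exposed while Webmin bound to 127.0.0.1 does not.

```shell
#!/bin/sh
# Added example (not from the thread): find TCP listeners that accept
# connections from other hosts, so a service meant to be localhost-only
# (a database, a web admin tool) stands out.
# Usage:  ss -ltn | sh listeners.sh audit      (live system)
#         sh listeners.sh demo                 (constructed sample below)

# Constructed `ss -ltn` output for the demo; addresses and ports are made up.
SAMPLE='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      128    [::]:22             [::]:*
LISTEN 0      128    0.0.0.0:80          0.0.0.0:*
LISTEN 0      80     0.0.0.0:3306        0.0.0.0:*
LISTEN 0      128    127.0.0.1:10000     0.0.0.0:*'

# Read `ss -ltn` lines on stdin; print "port address" for each listener that
# is bound to anything other than the loopback address (wildcards count as exposed).
exposed_listeners() {
    awk '$1 == "LISTEN" {
        addr = $4
        n = split(addr, parts, ":")          # the port is the last ":" field
        port = parts[n]
        host = substr(addr, 1, length(addr) - length(port) - 1)
        if (host == "127.0.0.1" || host == "[::1]") next
        print port, host
    }'
}

# Exit 0 if PORT is reachable from other hosts, 1 otherwise (reads stdin too).
port_is_exposed() {
    exposed_listeners | awk -v p="$1" '$1 == p { found = 1 } END { exit found ? 0 : 1 }'
}

case "${1:-}" in
    demo)  printf '%s\n' "$SAMPLE" | exposed_listeners ;;
    audit) exposed_listeners ;;
esac
```

For MySQL the fix for an exposed 3306 is `bind-address = 127.0.0.1` in my.cnf, after which the port disappears from this list; anything that must stay reachable from the LAN belongs behind the host firewall as well.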

  7. #7
    Join Date
    Mar 2010
    Location
    Metro-ATL; PM free zone.
    Beans
    Hidden!
    Distro
    Lubuntu 14.04 Trusty Tahr

    Re: server setup

    Quote Originally Posted by mourgolikos View Post
    I have not yet managed to set up correctly ddclient (it stopped displaying the errors but it does not update my ip).
    ddclient ... isn't that for dyndns? Unless you are paying for an account, you still **must** manually login monthly to keep your account active. I think this changed in May. I'm grandfathered there from the 1990s. Many routers will handle DynDNS for you - no need for a separate client.

    Quote Originally Posted by mourgolikos View Post
    There is no ubuntu server package for noip I am afraid! Although, instructions on how to download and install the client (which did not work for me) can be found here: http://www.noip.com/support/knowledg...ent-on-ubuntu/
    Last time I used it, it was trivial for me to setup. OTOH, I've worked as a professional C/C++ dev for over a decade and have learned a deeper level of understanding for building software. Plus I like perl.

    Quote Originally Posted by mourgolikos View Post
    Anyway, I have ssh server already installed (chose it during installation of the OS) but I need to create new user accounts to log in! don't I? And then I guess I will connect using filezilla?! The port which I should be using is 22?
    ssh uses your normal login (i.e. system) account. This ain't windows. You connect using any ssh/sftp/scp client that you like in the world. There must be 500 of them across all the different platforms. There is an ssh-client package for Ubuntu that I use, plus putty for Windows and under Android there must be 50 different Apps - I like Terminal IDE because it includes the things I miss about Linux for android. Remember, ssh is a remote login, sftp is a file copy interface designed to be like plain-unsecure-FTP and scp is a file copy interface designed to mirror rcp. On UNIX, almost all tools that worked with rcp, ftp, and rsh work unchanged with scp, sftp, and ssh - the interfaces were designed for backwards compatibility. I've worked places with hardcoded system() calls to these older tools, so we just used aliases or modified the PATH to use the secure, encrypted versions instead. Same, same, but with security.

    I've never used Filezilla - WinSCP is nice, however.

    Be certain to setup your ssh-keys and push the public keys to those remote systems you want to connect. Google is your friend for this. To make life even easier, setup a ~/.ssh/config file with aliases for all the remote systems you use. You can change the userid, port, server-name ... and it will keep a record of remote systems where you have accounts ... plus you probably are religious about backing up your HOME, right? That means this data is secure should something bad happen to the HDD.

    Quote Originally Posted by mourgolikos View Post
    Any suggestions on the firewall I should use?
    There is only 1 firewall for Linux, iptables. Anything else is a GUI/CLI over that. I use iptables directly to have complete control. google with "ubuntu firewall" will probably yield suggestions. This isn't Windows. You are learning an entirely new language with 10% similarities, but 90% differences from the last language you used.

    Quote Originally Posted by mourgolikos View Post
    What you are saying about the database is that I should block all incoming connections except from specific IPs?
    That really isn't what I'm saying. You shouldn't allow remote access to any DB, but you probably won't listen to me. I'd rather see you give your friend a login on your box ... using ssh ... than allow the DB interface on the internet.

    Quote Originally Posted by mourgolikos View Post
    I surfed a bit on http://krebsonsecurity.com/ It looks REALLY interesting. It seems like I am going to spend days on it :-p thank you
    You might enjoy my blog too, though I don't have as much to say these days. jdpfu.com/tag/linux

    Quote Originally Posted by mourgolikos View Post
    PS paranoid mode: on
    I don't think the average person understands how open the internet is - it is like the wild west still. Ok - just for fun, I did a little grep on my reverse proxy logs ... this is where I block blatant hacking attempts ... any SQL injection and any php (my security mind doesn't allow php to be used on internet services).

    Attempts just for PHP:
    * attempts against the generic IP (not using a domain at all) - 34
    * attempts against a non-published dns name - 1
    * attempts against my blog - 404
    * attempts with malformed requests - 65

    Attempts to inject SQL:
    * attempts against my blog - 101
    * attempts against a non-published dns name - 3

    These logs are swapped daily. The DNS name that isn't published is known to 4 people in the world. There is no reason for anyone else to use it, so they clearly did a port scan, found an open service and started attacking it.

    These are modest attempts. A popular server would see thousands of attempts hourly.
    Last edited by TheFu; October 5th, 2013 at 10:24 PM. Reason: added tinhat comment
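An added example, not TheFu's own script: an awk tally in the shape of the counts above, grouping requests that probe for PHP pages, carry SQL-injection-looking query strings, or are malformed, by the Host name they were sent to. The log lines are constructed for the example in Apache's vhost_combined layout, and every host name and address in them is made up; the detection patterns are deliberately coarse, so read the numbers as a measure of scanner noise against your own logs, not as a block list.

```shell
#!/bin/sh
# Added example (not TheFu's script): count probe requests per Host name,
# split into "php" (requests for .php pages), "sql" (query strings that look
# like SQL injection) and "malformed" (HTTP 400 or no request line).
# Usage:  sh tally.sh demo               (constructed sample log below)
#         sh tally.sh run < access.log   (Apache vhost_combined format)

# Constructed log lines; hosts and addresses are made up for the example.
# Layout: host:port client - - [time] "METHOD PATH PROTO" status bytes "ref" "ua"
SAMPLE_LOG='203.0.113.10:80 198.51.100.7 - - [05/Oct/2013:10:00:01 +0000] "GET /phpmyadmin/index.php HTTP/1.1" 404 169 "-" "-"
203.0.113.10:80 198.51.100.7 - - [05/Oct/2013:10:00:02 +0000] "-" 400 0 "-" "-"
blog.example.com:80 198.51.100.9 - - [05/Oct/2013:10:05:12 +0000] "GET /wp-login.php HTTP/1.1" 404 169 "-" "-"
blog.example.com:80 198.51.100.9 - - [05/Oct/2013:10:05:13 +0000] "GET /post?id=1%27%20UNION%20SELECT%201,2,3-- HTTP/1.1" 403 0 "-" "-"
blog.example.com:80 192.0.2.4 - - [05/Oct/2013:10:06:00 +0000] "GET /2013/10/ssh-keys/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
private.example.net:80 198.51.100.22 - - [05/Oct/2013:10:07:44 +0000] "GET /index.php?id=1%20OR%201=1 HTTP/1.1" 403 0 "-" "-"
private.example.net:80 198.51.100.22 - - [05/Oct/2013:10:07:45 +0000] "GET /login.php HTTP/1.1" 404 169 "-" "-"'

# Read log lines on stdin; print "kind host count", one line per pair, sorted.
tally_probes() {
    awk '{
        split($1, h, ":"); host = h[1]
        # the request line sits between the first pair of double quotes
        req = $0; sub(/^[^"]*"/, "", req); sub(/".*$/, "", req)
        # the 3-digit status code follows the closing quote of the request
        status = "-"
        if (match($0, /" [0-9][0-9][0-9] /)) status = substr($0, RSTART + 2, 3)
        l = tolower(req)
        if (status == "400" || req == "-")                    kind = "malformed"
        else if (l ~ /union.*select|1=1/ || index(l, "%27"))  kind = "sql"
        else if (l ~ /\.php/)                                  kind = "php"
        else next                                              # ordinary traffic
        count[kind SUBSEP host]++
    }
    END {
        for (k in count) {
            split(k, p, SUBSEP)
            printf "%-10s %-22s %d\n", p[1], p[2], count[k]
        }
    }' | sort
}

case "${1:-}" in
    demo) printf '%s\n' "$SAMPLE_LOG" | tally_probes ;;
    run)  tally_probes ;;
esac
```

The SQL test runs before the PHP test so a request like `/index.php?id=1%20OR%201=1` is counted once, as sql; the ordinary page view in the sample is not counted at all, which is the behaviour you want when the tally is read daily alongside logwatch.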

  8. #8
    Join Date
    Feb 2013
    Beans
    27

    Re: server setup

    It seems like I got loads of studying to do. There are so many things you mentioned and I had no idea about! I will try to gather some info about all that new stuff and I will be back with more questions :-p

  9. #9
    Join Date
    Aug 2009
    Beans
    2

    Re: server setup

    My newest best friend as a server admin is Denyhosts. Put it this way: it's banned me once, but with the 500 people it's legitimately banned today I can live with that! (resolved that issue by adding my static ip to /etc/hosts.allow)

    sudo apt-get install denyhosts

  10. #10
    Join Date
    Feb 2013
    Beans
    27

    Re: server setup

    ddclient successfully set to update my no-ip account.

    Next up: iptables to block all remote access but ssh

    Q: How can I edit the services that start when the server boots?
    Last edited by mourgolikos; October 6th, 2013 at 11:23 AM.
