Installing a home server - any advice?

Hi my friends,
I’m new to this subject and once again I’m trying to install a home server from scratch, but this time I want to have access from outside and I’m trying to implement all the information I can get, but I’d also like to know your opinion on this subject.
The server is being made with parts from an old PC. It’s basically to learn something more and also to learn docker.

I’ve only installed Ubuntu Server and I’m still working on the firewall configuration. I found some multicast errors, but I’ve eliminated them for now.
At the moment I only have the firewall responding to my main PC and, from the tests, I no longer have any errors in the ufw logs or identify anything abnormal in the syslog errors.

I already have a CloudFlare account for IP and to use the CloudFlare tunnel and access the apps on the docker that I can install, but I’d like to know, and right now only about the server, what basic protections I should have or add, to try to create a robust, well-configured server and clone disk just the server itself.

With your experience, can you recommend anything to do or configure, right now, just on the server?
For example:

• some initial configuration of the firewall more customized for this case;
• some program to install to improve security;
• precautions to be taken before opening the ip to the outside
• etc

At the moment, with Daniel Tripp talking about fail2ban, I’m learning what it is because I don’t know it.

I’m not asking for help on how to install a server or how it works, but just tips on what you do to improve the security of your servers.

Thank you all in advance for your help with my request.

Happy Easter to everyone

Regards
Jorge

Hi Jorge,
The only thing here I have any experience with is building my
own docker containers. If you want to do that I can help.
I suspect that you just want to download and run docker containers. That is easy . Have a practice with the docker
hub. The official docker manuals are as good as any.

If you are going to expose this old PC to the internet, and if it is only a learning experiment, it may be a wise move to disconnect it from other local machines. At least until you are sure of its security. You dont want some oversight leading to all your mechines being corrupted.

I am afraid I am no help on server details

Regards
Neville

Hi Neville,
Thanks for your reply.

I’ve already experimented with docker containers, but at the time I installed DietPi as a server.
Right now, I want to do something from scratch, maybe I’m wrong to do so…
I’d be happy to ask you for Docker tips once I start using it again, much obliged, my friend.

I have the server connected to the home network and the firewall is denying everything except ssh to one PC on the same network, because that’s the only way I can get to the server.

When I deal with it abroad, I’ll set up the configuration and access the server only via VPN (I’ll even set up CloudFlare, but I still have to study a lot to do that) and I’ll create a rule in the firewall to deny all the IPs on the local network.

I believe this is the type of protection you’re referring to, correct?

Jorge

I like the ideas you’ve had about CloudFlare access and VPN. Nev mentioned using a DMZ but didn’t call it that. If the server can be connected to from the internet it wouldn’t be a bad idea to isolate it on its own internal subnet. You have already limited access to the server from inside but making it more isolated would be good. Some routers have the concept of DMZ but others don’t.

Hi pdecker,
Thanks a lot for the tip, my friend.

I had some very basic ideas about the DMZ but I’m going to study it further because I didn’t know I could create better isolation.
I’m a total novice on this subject and I really appreciate the help you’re giving me.
My router has DMZ and IP and MAC binding and I’ve also enabled the latter for the server.

Thank you all in advance for your help with my request.

Jorge

Yes, that effectively isolates it from your local machines.

Thanks, my friend.

Hi Jorge,

Not sure if you saw this on It’s Foss or if it would be of any help.
https://itsfoss.community/t/setting-up-a-home-server

Have a good day,
Howard

Hi my friend Howard,
Thanks so much for the link you sent.

In fact, I know about that thread, because I’ve been trying to make the 2nd version of my server for some time now, I even considered buying the Odroid HC4 that László mentioned and later an Intel N100, but so far it hasn’t been possible, with my health condition getting worse and worse since July and sick leave status for January.
(sorry for venting. Please don’t comment)

As I got a bit better this week, I decided to do something from scratch with what I have at home, but I’m trying not to use a ready-made solution, in other words, I’m trying to figure out all the steps to have a minimally functioning headless server, regardless of the programs I use, for example: today, I’ve been looking at log rotation settings, testing again how the firewall works, trying to figure out how to use tshark and tcpdump, arp, IGMP, change rsyslog settings, things I’ve never heard or tested so far and I’m seeing how the server is working.

To all my forum users friends…

I’m trying to figure out how to make the server minimally secure and how to administer it, but it’s a whole new world for me and I’m afraid of not doing something crucial because I just don’t know. Let’s say I’m trying to study what is needed for the minimum security of a server and how to administer/manage it.

The help I’m asking for is not to teach me, just tips and I will study how to do or implement, for example, a simple one that I had to correct and it never occurred to me to do it in Linux Mint: I turned off access to IPv6 because there was a delay in loading a module during boot and I configured the server for IPv4 only and have IPv6 turned off on the router.Another example is that the firewall is giving multicast log errors every ± 2 minutes. When I looked at the Linux Mint firewall log, I got the same errors and never paid attention to it.

I believe that what I’m doing may even be exaggerated, because Ubuntu Server should have a good configuration as a server, but I just want to learn something more and not have an operating system and install programs and use it with the server

Does what I’m doing make sense to any of you? I could be wrong.
Feel free to give feedback.
Much obliged.

BTW, I’m working without a graphical environment, I didn’t install any. I’m going to do everything via terminal via ssh.

Jorge

Here is a place to start for server security from Ubuntu.

https://ubuntu.com/security/certifications#cis

Lots of reading there. At work we tend to use the CIS benchmark as a guide.

Hi Jorge,
You asked Howard, but I will put in my 2 cents worth.
Setting up something so you can learn is more than useful, it is really the only way to learn.
You can hear lectures and read books but you will never master the subject until you do hands on.
That is why most University courses have practical sessions.
It is a good project, keep at it.

Regards
Neville

HI pdecker,
Thanks for the link. I will see it now.

Jorge

Hi Neville,
The question I asked was poorly translated because in fact it was for all of you and I thank you very much for answering me.

My way of being, to learn something is to always try to do something with a practical component, but fully supported by theory as best as possible.
For me, and I’m sorry if any of you don’t agree, I can’t learn just by reading about a subject, I always have to have a practical objective to be interested in studying.

In this specific case, I can’t look at a PC box and say it’s my server, without knowing how it works.
What do I have to study? I have no idea, but I will try to obtain as much knowledge as possible to learn the theory behind a simple server.

Thank you very much for your support, my friend.

Jorge

Hi , my friends,

After following the advice of our friend László

I realized that the old PC (headless PC) that I was using to work as a server is consuming ~40w in idle, which is ~1kWh per day, which, for me, is very high.

I changed the governors, including for powersave and limited the freq to 800MHz,
I changed the CPU too, but the minimum I got was always ~40w.

So I’ve decided to take two steps back, start all over again and, with the help of my family, I’m awaiting the arrival of an N100 mini PC, whose N100 has a TDP of 6W (the total power consumption of the device remains to be seen).

I didn’t dislike Ubuntu Server, on the contrary, and before it, I’d already tested with DietPi, but as said before, I’ll like to done from scratch but in this matter I can take two steps back too, and I still want to do some more tests on the old PC, even to try out other distros for home servers.

In short: I’m a bit lost, and I’m asking for your opinion.

I know that many of you have servers. The main function of my server, as I said in my first post, is to learn.

My question is: Is there a distro that you recommend to test on the server and eventually use it?
Debian, for example?

So far I’ve mentioned distros based on Debian, because it’s the architecture I’m most comfortable working with, but I’ll be able to test other distros.

As a note: I’m quite curious about testing Devuan, because
the little I know is with systemd and I hope to start this project soon too.

Thank you very much for your help
Have a nice Sunday

Jorge

Hi Jorge,
If you try Devuan, use it with sysVinit.
The other init systems ( runit, etc) do not have adequate package system support in Devuan, so you end up writing run scripts which should really be supplied by the Devuan package system.

If you want a distro to look at alternate init systems… the best is Artix, or the
spin releases discussed in this topic

But, you dont really want to play with init systems, you want to build a server. I have not been involved with a server for many years, and that was Solaris, so I cant really recommend a distro… but I can say this
Any Linux ( or BSD) distro can be made into a server. All you do is

• remove the unnecessary apps ( eg the DE and Office )
• enable all the services ( daemons) you need to do whatever you want the server to do. eg if it is a file server you might need ntfsd
  Because you use the init system to enable services, that gets us back to init systems.

Init systems do 3 things

• start PID#1 ( and stop it)
• service management - ie the user enabling, starting, stopping … services
• supervision - ie making sure the needed daemons stay running … ie restarting them if they fail.
  Supervision is important in servers… you want them not to crash. The init systems strong on supervision are runit and S6
  Service management is easy - anything - even OpenRC will give the user commands to do that. There is a summary of service management commands here
  HowTo: Manage a service in systemd, SysVinit, Upstart, runit and OpenRC - UNIX.Cafe
  It has everything except S6

I hope that is not confusing. Init systems are rapidly evolving at the moment.

Some people talk about headless servers - no console. They dont have to be. If you want an easy task setting it up, use a screen and keyboard.
You can always turn the screen off, or even remove it, later on when you have it set up.

Sorry , that is about all I know

Regards
Neville

That’s nice! My Odroid idles at approx. 5.5W with 2 spinning HDD’s.

You could try different distros. Why not even Rocky?

I settled on Debian. If you want my highly biased opinion, it’s hard to find a better OS
If you want a less biased opinion, wait for the others to mention Gentoo, Arch and such…
And decide yoursefl

As László said, I can give you my biased opinion. I like Ubuntu best of the distros I have used. At work we have used Red Hat, CentOS, and now Alma. I “sneak” in a few Ubuntu servers here and there with the reason/excuse being support by a software vendor.

I should try to check my power consumption on my “server”. It sits idle a huge percentage of the time and is just a Windows 10 PC. It’s a Dell XPS Studio with a first gen Core i7. I consider it bought and paid for. Now it’s just slurping electricity at idle.

I’ve been thinking about something from:

or

Both sites have lots of options that consume much less power and desktop space, while being much quicker I’m sure.

Putting ssh on a non-default port. Perhaps configure port-knocking in combination with a script to turn on ssh. On top of that you could configure rotating skey login – no password.

Basically, this should keep out the script kiddies. If you’re especially sadistic you could install a tarpit on which you don’t have anything. It basically means the portscanner/attacker gets a massive resource hog at next to no cost for your machine.

You could also hide the tarpit behind a script which checks for portscans.

That alone is not sufficient, the brute-forcers are going to find the port.
Fail2ban with an exponentially increasing ban time is a cruel enough solution.

Edit: huge thanks for tarpit suggestion!

Can someone explain what a tarpit is, and how to make one?