
Difference between revisions of "Setting up a Server"

From InstallGentoo Wiki
Difference between the older revision (edit summary: "Securing your shell") and the latest revision (a minor edit); 100 intermediate revisions by 25 users not shown. Both texts are given in full below, latest first.

Latest revision as of 09:23, 3 July 2023

Need to email? Set up a web server? Well, here's some advice.  We're gonna try to write this page like you've never done this shit before.  It does, however, assume you have at least some basic [[GNU/Linux]] knowledge.  If you don't, you probably aren't ready for this.  You weren't going to set up a server using Windows, were you?  Jesus Christ, how horrifying.

A lot of this applies to both a physical machine as well as a [[VPS]] setup.

Common uses for a server:

* Install a media player system and stream content to your local network.
* Install a cloud service like Nextcloud to run your own Dropbox: no privacy issues, full control, unlimited space (well, limited by how many drives you can cram in).
* Always-on seedbox. Start torrents from your phone through the web interface while out; they're done by the time you're back home.
* Host a personal website.
* Run your own mailserver just like Hillary!
** Warning: Running a mailserver is a shitton of work, especially if you want emails to Google/Outlook to be seen.
* Run a dedicated game server.
* Run various webapps, develop your own webapps.
* SSH-tunnel to the server from work/school/etc. to use it as a proxy, so that the admin of the network you're on can't see what sites you're going on. They can still see that you're talking to your server, and you have to send DNS through the tunnel too or the site names leak anyway.
* Run a VPN for location spoofing or security when you're out and about.

=Getting Started=

* [[Encryption|Encrypted or unencrypted drive (LUKS)]]
* [[Home server/Choosing an Operating System]]
* [[Home_Server/Setting up your Storage]]
* [[Home server/Remote access]]

=Recommended software=

* [[Home server#Server software]]
* [[Home server#System administration software]]

==Common home server services==

Most packages have clear tutorials on their repo/project site. Here are some handpicked guides for the most common types of software used:

* Cloud Storage - Nextcloud
* Web Server - [https://homebrewserver.club/fundamentals-webserver-website.html Apache] or NGINX
* VPN - WireGuard or OpenVPN
* Media Streaming - Jellyfin or Plex
* XMPP - [https://homebrewserver.club/configuring-a-modern-xmpp-server.html Prosody]

=Centralized storage=

A server is perfect for this job. It is (supposedly) an always-available resource on the local network. If using this in your house, you can expect reasonable speeds, even over WiFi, that will let you do many daily tasks. One option is to set it up with NFS (Linux-centric; it can be used on Windows but it's shit) or Samba if you have Windows clients on your network, so you can watch your chinese cartoons on any device and keep your documents/whatever synchronised. This synchronisation is a key benefit of network storage. Keep both on the LAN side of your router: NFS in particular trusts whatever user ID the client claims unless you go the whole Kerberos route, so it must never be reachable from the internet.

You may want to consider a [[Wikipedia:RAID|RAID]] array for long-term file storage. RAID is not backup, but will protect your files in case of drive failure. See [[Home server#File Systems and RAID]] for more information.

== Web server ==

[[File:Tidle town.png|thumb|right|alt=A reminder why you should always self-host and if you don't, avoid inbred retards|A reminder why you should always self-host and if you don't, avoid inbred retards]]

A web server serves up a page. The nice thing about serving it from your own server, rather than, say, Wordpress or your Dropbox share, is that you can run web apps and server-side code for a dynamic page.

===HTTPS===

The extra CPU burden of TLS is minuscule. Your server should serve everything over HTTPS only. Keep port 80 (plain HTTP) open but redirect everything to HTTPS. If port 80 is closed, typing the address of your server into a browser's address bar will probably fail (the browser assumes you meant HTTP, but you have to go to HTTPS), and Let's Encrypt's HTTP-01 challenge needs port 80 reachable as well.

For a box that only the LAN will ever see, a self-signed certificate is fine, provided you install that certificate (or the little private CA you signed it with) on every client; otherwise every browser warns, and you train yourself to click through warnings, which defeats the point. Set the duration short (e.g. a year) and don't forget to make a new one. If you've got a domain, get a Let's Encrypt-signed cert instead: it's free, every browser trusts it, and renewal is a cron job or systemd timer rather than something you have to remember. They're pretty sweet.

[https://certbot.eff.org/ Certbot] makes HTTPS easy to implement with Let's Encrypt certificates, and the distro packages install the renewal timer for you.

=External links=

* [https://library.linode.com/ Linode Library] - Good beginner tutorials
* [https://landchad.net/ landchad.net] - "Chad's Guide to Starting Your Own Website"
* [https://github.com/x08d/lockdown.sh Script to secure Debian and Debian based Linux installs]
* [https://gist.github.com/deergod1/818ec78ab70947a2f89df2bb5bb28896 Setup pfSense]
* [https://github.com/pikvm/pikvm Raspberry Pi KVM for managing servers remotely]
* [https://devconnected.com/syslog-the-complete-system-administrator-guide/ The Complete System Administrator Guide]
* [https://github.com/erebe/personal-server/blob/master/README.md Example of a personal server]
* [https://www.cyberciti.biz/cloud-computing/increase-your-linux-server-internet-speed-with-tcp-bbr-congestion-control/ Increase Linux Internet speed with TCP BBR congestion control]

=See also=

* [[Home server]]
* [[Setting up a Server/Home or Remote?]]
* [[Setting up a Server/Mail]]
* [[Setting up a Server/DNS]]

[[Category:Tutorials]]
[[Category:HowTo]]

Older revision (edit summary: "Securing your shell")

[[File:Setting_up_a_Fileserver.jpeg|thumb|This picture details the ramblings of an incompetent years ago, please do not follow it.]]

Need to [http://wiki.installgentoo.com/index.php?title=Email#Self_Hosted_Email selfhost] mail? Need a fileserver? Well, here's some advice.  We're gonna try to write this page like you've never done this shit before.  It does, however, assume you have at least some basic [[GNU/Linux]] knowledge.  If you don't, you probably aren't ready for this.  You weren't going to set up a server using [[Windows]], were you?  Jesus Christ, how horrifying.

A lot of this applies to both a physical machine as well as a [[VPS]] setup.

== Protecting Your Private Network ==

Put the server in a [https://en.wikipedia.org/wiki/DMZ_%28computing%29 DMZ]: a separate network segment (a dedicated router port, or at least its own VLAN) that is allowed to talk to the internet but not to the rest of your LAN.  Anything reachable from the internet will eventually get popped; the DMZ makes sure the attacker gets the server and nothing else.

== Protecting from DDoS and shit ==

Use [http://www.fail2ban.org/wiki/index.php/Main_Page Fail2Ban], which bans addresses that keep failing to log in.  That blunts brute-forcing, not an actual DDoS, which you can only ride out with more bandwidth than the attacker has (a redundant computer in the DMZ gives you a spare, not capacity).  Also never use passwords for SSH, only key files.

== Securing your shell ==

Add a non-root user (on Debian: ''adduser faggot'').  Then, while logged in as root, do this:

 visudo

Go down to the bit where it says ''# User privilege specification'', and copy the setup for the root line.  So, if your non-root user is "faggot," make it look like so:

 # User privilege specification
 root    ALL=(ALL) ALL
 faggot  ALL=(ALL) ALL

(Debian's stock sudoers already gives the ''sudo'' group the same rights, so ''usermod -aG sudo faggot'' does the job without editing the file.)

Install [http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html PuTTY] on a different machine than the one you are setting up as the server.  This will include PuTTYgen.  PuTTY is [[freedom|free]] software, and is available for Windows and most GNU/Linux distros.  (On a GNU/Linux or macOS client you can skip PuTTY entirely: ''ssh-keygen -t ed25519'' does what PuTTYgen does.)

Run PuTTYgen to generate a public/private key pair.  Pick EdDSA (Ed25519), or RSA at 4096 bits if something old in the path can't do Ed25519.  Do not pick DSA: OpenSSH only ever allowed 1024-bit DSA keys, has refused them by default since OpenSSH 7.0 and removed the algorithm in 10.0, so a current server will simply not accept the key.  When done, it will display your public key.  Except for the very beginning and very end, it will look like a shitton of gibberish - this is normal.  Copy and paste that text into a text file; the trailing "eddsa-key-########" (or "rsa-key-...") is only a comment and does no harm.  DO put a passphrase on the key: it is the only thing between a stolen laptop and your server, and with Pageant (PuTTY's key agent) you type it once per session, not once per login.  Save the private key.

Open PuTTY and log in as your non-root user. Then do this:

 mkdir -p ~/.ssh
 chmod 700 ~/.ssh
 nano ~/.ssh/authorized_keys

Paste in your public key that you saved as a text file. MAKE SURE IT IS ALL ONE LINE, like so:

 ssh-ed25519 [insanely long string of crap] eddsa-key-########

And save it.

Now lock its permissions down (sshd ignores the file if it, or ~/.ssh, is writable by anyone else):

 chmod 600 ~/.ssh/authorized_keys

DO NOT LOG OUT OF PuTTY YET, but open another connection to your server, only this time point PuTTY to your private key file (Connection > SSH > Auth, under Credentials in newer versions) to test it out.  If it all goes well, your login will look something like this:

 Using username "faggot".
 Authenticating with public key "eddsa-key-########"

Assuming that works, close your previous PuTTY session and do this:

 sudo nano /etc/ssh/sshd_config

You can change the SSH port here to a random number - that's optional though, because hacker bots are gonna find it anyhow; all it buys you is less noise in the logs.  But if you do change it don't forget to change it in PuTTY as well.

But DO make the following changes.  sshd uses the first value it sees for each keyword, so make sure the same keyword isn't already set higher up in the file or in something included from ''/etc/ssh/sshd_config.d/'':

 PermitRootLogin no
 PasswordAuthentication no
 KbdInteractiveAuthentication no
 X11Forwarding no

(Older versions of this page, and plenty of others, say ''UsePAM no'' here.  Leave UsePAM at its default: it is ''KbdInteractiveAuthentication no'' - ''ChallengeResponseAuthentication no'' on OpenSSH before 8.7 - that closes the route by which PAM could still prompt for a password.)

Add the following to the bottom if missing:

 UseDNS no
 AllowUsers faggot

If you have additional users, put a space after "faggot" and add the next user, and so on if you have more.  Spell them right: a typo in AllowUsers locks everyone out.

Save these changes, check that the file still parses, and reload your SSH server.  On Debian, Ubuntu and anything else running systemd:

 sudo sshd -t && sudo systemctl reload ssh

(the unit is called ''sshd'' on Fedora, RHEL and Arch).  On an old sysvinit box it would be:

 /etc/init.d/ssh reload

A reload leaves your current session alive.  Before you close it, open one more PuTTY window and confirm you can still get in.

BOOM.  Assuming all went well, you have now set up your shell so that 1) "root" cannot log in, 2) ONLY "faggot" can log in, and 3) "faggot" can ONLY log in using their private key file instead of a password.  You'll still want to set up and install fail2ban or similar to secure things further.

Oh, and don't lose that private key file.  You cannot recreate it, so losing it means you are doomed, or at least doomed to the console (or whatever out-of-band access your VPS provider gives you) to install a new one.  Back it up in multiple places.  You may wish to place a copy on a floppy drive (if you're a time-traveller from 1995) or USB stick as well, for safekeeping.

== Setting Up Email ==

''See also:  [[Email]]''

Want to use your own email server to avoid the [[NSA]]?  Good call!  But setting up email servers can be pretty complicated.  Assuming you mostly don't know what the hell you are doing, and assuming you've already secured your system per above, have a peek at [http://www.iredmail.org/ iRedMail].  iRedMail is an automated email and web server setup package.  It works best if installed on a FRESH system - if you've already fumbled around with Apache and/or Dovecot and/or Postfix and failed, wipe your shit and start over with iRedMail.  It will install and configure Postfix, Dovecot, Apache, and MySQL.  It also installs and configures fail2ban and iptables.  It includes spam filtering and greylisting.  It just works.  It's pretty awesome.

You will, however, still need to manually set up your DNS records: MX, SPF and DKIM, plus a DMARC record and a reverse-DNS (PTR) entry for the server's IP that matches its hostname.  Google and Outlook junk or drop mail that fails those checks, which is most of why running a mailserver is a shitton of work.

If you want to get fancy and replace MySQL with MariaDB, or replace Apache with, say, Nginx, you can do that after you set up iRedMail, but any breakage is up to you to fix.

[[Category:Tutorials]]
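The whole ''Securing your shell'' procedure above (authorized_keys, permissions, the sshd_config directives, the reload) as one script, added here as an example; it is not from the wiki page. It assumes an OpenSSH new enough to read drop-ins from /etc/ssh/sshd_config.d/ (8.2 and later, enabled by default on Debian 11+/Ubuntu 20.04+) and GNU coreutils; the user name ''faggot'' is the page's example and the demo key is a made-up string. Every path is a parameter, so as written it only touches a scratch directory, and you point it at the real files once you are happy with what it does. The audit function is the part worth keeping: run it over ''sshd -T'' output on any box you inherit.

```shell
#!/bin/sh
# Added example, not from the wiki page: the "Securing your shell" procedure
# as functions, with a checker for the result. Assumptions: OpenSSH >= 8.2
# (Include of /etc/ssh/sshd_config.d/*.conf) and GNU coreutils. Every path
# is a parameter so the functions can be exercised on a scratch tree.

# Put PUBKEY into HOMEDIR/.ssh/authorized_keys with the permissions sshd's
# StrictModes insists on (700 on the dir, 600 on the file). Type and blob are
# compared without the trailing comment, so re-running is harmless. Lines
# with option prefixes (no-pty ... ssh-ed25519 ...) are not handled.
install_authorized_key() {
    homedir=$1; pubkey=$2
    sshdir="$homedir/.ssh"; akf="$sshdir/authorized_keys"
    mkdir -p "$sshdir"; chmod 700 "$sshdir"
    touch "$akf"; chmod 600 "$akf"
    keyblob=$(printf '%s\n' "$pubkey" | awk '{print $1 " " $2}')
    if ! awk '{print $1 " " $2}' "$akf" | grep -qxF -- "$keyblob"; then
        printf '%s\n' "$pubkey" >> "$akf"
    fi
}

# Write the hardening as a drop-in. sshd keeps the FIRST value it meets for a
# keyword, and the stock sshd_config pulls in sshd_config.d/*.conf at the top,
# so a drop-in beats anything the distro file sets further down.
# KbdInteractiveAuthentication is the knob that stops PAM asking for a
# password; "UsePAM no" is not needed and breaks account/session checks.
write_sshd_hardening() {
    dropin=$1; users=$2; port=${3:-22}
    mkdir -p "$(dirname "$dropin")"
    cat > "$dropin" <<EOF
# key-only logins for: $users   (written by write_sshd_hardening)
Port $port
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
X11Forwarding no
UseDNS no
MaxAuthTries 3
LoginGraceTime 30
AllowUsers $users
EOF
    chmod 644 "$dropin"
}

# Effective value of KEY in an sshd_config-style file: first match wins,
# keywords are case-insensitive, comments and blanks are skipped. Match
# blocks are not modelled (they can only narrow a global setting).
sshd_effective() {
    awk -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || NF == 0 { next }
        tolower($1) == k { $1 = ""; sub(/^[ \t]+/, ""); print; exit }' "$1"
}

# Report weak authentication settings in FILE; exit 1 if any. An absent
# keyword means the compiled-in default, which for two of these is the weak
# one. On a live host feed it the merged view sshd actually uses:
#   sudo sshd -T > /tmp/effective.conf && audit_sshd_config /tmp/effective.conf
audit_sshd_config() {
    file=$1; bad=0
    for spec in PermitRootLogin:no:prohibit-password \
                PasswordAuthentication:no:yes \
                KbdInteractiveAuthentication:no:yes; do
        key=${spec%%:*}; rest=${spec#*:}; want=${rest%%:*}; def=${rest#*:}
        got=$(sshd_effective "$file" "$key")
        [ -z "$got" ] && got="$def (default, keyword unset)"
        case "$got" in
            "$want") ;;
            *) echo "WEAK: $key = $got, want $want"; bad=1 ;;
        esac
    done
    return $bad
}

# Demo on a scratch tree (safe anywhere). On the real box HOMEDIR is the
# admin user's home, the drop-in goes to /etc/ssh/sshd_config.d/50-hardening.conf,
# then "sudo sshd -t && sudo systemctl reload ssh" (unit is sshd on
# Fedora/RHEL/Arch), and keep the old session open until a fresh key login works.
demo=$(mktemp -d)
install_authorized_key "$demo/home/faggot" \
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDemoKeyNotRealOnlyForThisExample faggot@laptop"
write_sshd_hardening "$demo/etc/ssh/sshd_config.d/50-hardening.conf" faggot
audit_sshd_config "$demo/etc/ssh/sshd_config.d/50-hardening.conf" \
    && echo "drop-in is clean"
# constructed file that leaves everything at the defaults, for contrast
printf '%s\n' '#PermitRootLogin prohibit-password' 'Include /etc/ssh/sshd_config.d/*.conf' \
    '#PasswordAuthentication yes' 'UsePAM yes' > "$demo/stock.conf"
audit_sshd_config "$demo/stock.conf" || echo "(defaults-only file flagged, as expected)"
```

''sshd -T'' prints keywords in lower case, which is why the lookup folds case; it also expands every Include and Match, so auditing its output is the honest test, while auditing the drop-in alone only tells you the drop-in is correct.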
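What Fail2Ban's sshd jail actually does with the log, for the ''Protecting from DDoS and shit'' section and the "install fail2ban" advice at the end of ''Securing your shell'': an added example, not the page's and not fail2ban's own code. The log lines are constructed; their formats are the ones OpenSSH writes for failed password and public-key logins and for the "Connection closed by authenticating user" disconnects a key-only server sees from bots. The jail.local it writes is a real one you can drop into /etc/fail2ban/ (the ''1h''/''10m'' time syntax and ''mode = aggressive'' need fail2ban 0.10 or newer).

```shell
#!/bin/sh
# Added example, not from the page and not fail2ban's code: the core of what
# the sshd jail does, reduced to an awk pass over auth.log lines, plus a
# jail.local that turns the real thing on. Assumption: sshd logs in the usual
# "sshd[PID]: ..." syslog/journal format.

# Print "IP COUNT" for every source IP with at least MAXRETRY failures in
# LOGFILE. fail2ban additionally limits this to a findtime window; give it a
# time-boxed extract (journalctl -u ssh --since -10min) for the same effect.
ssh_failures_over() {
    logfile=$1; maxretry=${2:-5}
    awk -v max="$maxretry" '
        /sshd\[[0-9]+\]: (Failed (password|publickey) for|Invalid user|Connection closed by (authenticating|invalid) user)/ {
            ip = ""
            # "... for USER from ADDR port N" (password / invalid-user lines)
            if (match($0, / from [0-9a-fA-F.:]+/)) {
                ip = substr($0, RSTART + 6, RLENGTH - 6)
            # "Connection closed by ... user USER ADDR port N [preauth]" is
            # what a key-only server logs when a bot cannot even try a password
            } else if (match($0, / user [^ ]+ [0-9a-fA-F.:]+ port /)) {
                split(substr($0, RSTART, RLENGTH), t, " ")
                ip = t[3]
            }
            if (ip != "") fails[ip]++
        }
        END { for (ip in fails) if (fails[ip] >= max) print ip, fails[ip] }' "$logfile" | sort
}

# jail.local for a key-only server: bans are cheap because no legitimate
# client ever fails five times; ignoreip keeps you from banning yourself.
write_fail2ban_jail() {
    file=$1; ignore=${2:-"127.0.0.1/8 ::1"}
    cat > "$file" <<EOF
[DEFAULT]
ignoreip = $ignore
bantime  = 1h
findtime = 10m
maxretry = 5

[sshd]
enabled = true
# "aggressive" also counts the preauth disconnects matched above
mode    = aggressive
backend = systemd
EOF
}

# Constructed auth.log extract: one bot hammering from 203.0.113.5 (a
# password guess, then key-only rejections), a user fat-fingering twice from
# 198.51.100.9, and a successful key login that must not count.
demo_log=$(mktemp)
cat > "$demo_log" <<'EOF'
Jul  3 09:10:01 box sshd[1201]: Invalid user admin from 203.0.113.5 port 50122
Jul  3 09:10:01 box sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 50122 ssh2
Jul  3 09:10:02 box sshd[1201]: Connection closed by invalid user admin 203.0.113.5 port 50122 [preauth]
Jul  3 09:10:05 box sshd[1207]: Connection closed by authenticating user root 203.0.113.5 port 50130 [preauth]
Jul  3 09:10:09 box sshd[1211]: Connection closed by authenticating user root 203.0.113.5 port 50141 [preauth]
Jul  3 09:10:14 box sshd[1215]: Failed password for root from 203.0.113.5 port 50150 ssh2
Jul  3 09:11:40 box sshd[1230]: Failed publickey for faggot from 198.51.100.9 port 41000 ssh2: ED25519 SHA256:constructed
Jul  3 09:11:52 box sshd[1233]: Failed publickey for faggot from 198.51.100.9 port 41004 ssh2: ED25519 SHA256:constructed
Jul  3 09:12:03 box sshd[1236]: Accepted publickey for faggot from 198.51.100.9 port 41010 ssh2: ED25519 SHA256:constructed
EOF
echo "would ban (maxretry 5):"
ssh_failures_over "$demo_log" 5
demo_jail=$(mktemp)
write_fail2ban_jail "$demo_jail" "127.0.0.1/8 ::1 192.0.2.0/24"
```

Note that once ''PasswordAuthentication no'' is in place the bots stop producing "Failed password" lines at all and only the preauth disconnects remain, which is exactly why the jail above is set to ''aggressive'' mode.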
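For the ''HTTPS'' section: a self-signed certificate with a proper SubjectAltName, an expiry check you can cron, and the nginx vhost that keeps port 80 open only for the redirect and for certbot's challenge. Added example, not from the page or from certbot/nginx; it assumes OpenSSL 1.1.1 or newer (for ''-addext''), nginx, and GNU coreutils, and ''example.org'' stands in for your host name. The HSTS header is opt-in because with a self-signed cert it turns a browser warning into a hard refusal.

```shell
#!/bin/sh
# Added example, not from the wiki page: the HTTPS section as shell functions.
# Assumptions: OpenSSL >= 1.1.1 (for -addext), nginx, GNU coreutils. All paths
# are parameters so the functions can be tried in a scratch directory first.

# Self-signed cert for HOST, valid DAYS days, with a SubjectAltName (browsers
# ignore a bare CN). Short-lived on purpose: put the renewal in your calendar,
# or use certbot instead once you have a public domain.
make_selfsigned_cert() {
    outdir=$1; host=$2; days=${3:-365}
    mkdir -p "$outdir"
    openssl req -x509 -newkey rsa:4096 -nodes -sha256 -days "$days" \
        -subj "/CN=$host" -addext "subjectAltName=DNS:$host" \
        -keyout "$outdir/$host.key" -out "$outdir/$host.crt" 2>/dev/null
    chmod 600 "$outdir/$host.key"
}

# True (exit 0) if CRT is still valid for at least DAYS more days. Run it from
# cron to get a warning mail before a self-signed cert lapses.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( ${2:-30} * 86400 )) >/dev/null
}

# nginx vhost: port 80 stays open only to answer certbot's HTTP-01 challenge
# and to bounce every other request to https. HSTS (4th arg "yes") is added
# only when asked, because with a self-signed cert it turns the browser's
# "proceed anyway" button into a hard error.
write_nginx_https_site() {
    conf=$1; host=$2; certdir=$3; hsts=${4:-no}
    hsts_line=""
    if [ "$hsts" = yes ]; then
        hsts_line='add_header Strict-Transport-Security "max-age=31536000" always;'
    fi
    cat > "$conf" <<EOF
server {
    listen 80;
    listen [::]:80;
    server_name $host;
    location /.well-known/acme-challenge/ { root /var/www/letsencrypt; }
    location / { return 301 https://\$host\$request_uri; }
}
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name $host;
    ssl_certificate     $certdir/$host.crt;
    ssl_certificate_key $certdir/$host.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    $hsts_line
    root /var/www/$host;
}
EOF
}

# Demo in a scratch directory. On a real host: write the vhost to
# /etc/nginx/sites-available/, symlink it into sites-enabled/, run
# "nginx -t && systemctl reload nginx", and for a public name replace the
# self-signed pair with "certbot --nginx -d HOST" (the Debian/Ubuntu package
# also installs certbot.timer, which does the renewals).
demo=$(mktemp -d)
write_nginx_https_site "$demo/example.org.conf" example.org /etc/ssl/private no
if command -v openssl >/dev/null 2>&1; then
    make_selfsigned_cert "$demo/certs" example.org 365
    cert_valid_for_days "$demo/certs/example.org.crt" 300 \
        && echo "self-signed cert for example.org written to $demo/certs"
fi
```

Pass ''yes'' as the fourth argument only after the vhost is serving a CA-issued certificate; browsers remember HSTS for the whole max-age, so switching it on with a self-signed cert locks you out of your own site until you clear it client-side.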
