Home file and minecraft server
 

Hello everyone,

I've been using linux in VMs for a few years, but I'd like to set up a 24/hr box to run in a corner. As I've been planning this, I keep expanding what I want it to do, which is how I usually run into trouble. My searches have all involved problems more advanced than mine, so I'm sorry that I'm starting from scratch.

My goals are:
home file server to stream movies and music to Windows boxes, laptops, xboxs, etc.
power efficient distro,
secure distro,
minecraft server accessible from the internet as well if possible (only 1-5 people at a time, and rarely).

What I know:
I'll be using a decent 65W Sandybridge Pentium chip (G860),
8Gb of DDR3,
and booting off a smallish performance SSD (30 GB Intel 525 series).
I'll be attaching a 2TB disk for the data, and will be creating a RamDISK for minecraft.

What I don't know:
I've been reading the forum results for minecraft and home servers and have learned a lot already, but I have a few specific, and probably ignorant, questions.
1: Is any distro going to make much of a difference in terms of energy use? Electricity here is almost $.2/kW/hr which is why I'm using a low power CPU and SSD, and letting the 2TB sleep when not in use.
2: With sufficient effort and research on my part, any distro is equally safe and secure, correct?
3: I hate to ask an opinion questions, but I am. Should I aim for a well documented distro like UbuntuServer, that is easily used for file sharing, and adapt it for minecraft as well, OR should I use a minecraft distro and adapt it for file sharing, OR should I use XYZ instead and learn a little bit more along the way? I have heard many people mentioning Debian, which I have played with very briefly, and CentOS, that I have not.
4: What don't I know? Besides what I asked, what do I need to do to have an always on, but power efficient server in the corner? I want it to update automatically, with a minimum of intervention. Tell me whatever you think I might not know, or have overlooked please.

Thanks in advance guys, you've always helped me with stupid projects before. Special thanks to whoever introduced me to Gparted years ago :)

Do you plan on keeping the server on 24x7? If you do there's not much you can do in the way of power saving besides spinning down your disk using hdparm. You're doing the right thing with a low voltage CPU and SSD for power savings. However, your system will always be drawing a minimal amount of power while it's on if that's the case. Most power saver distros do things like put the computer to sleep or in hibernate mode. Which isn't always desirable for an always online system.

This is a big "depends". When you say secure, do you mean on the network? Not all configurations are created equal. At the very least you should implement a firewall and decide what rules you're going to allow. Here's a decent basic iptables firewall for a CentOS/Fedora/RedHat server that could be implemented. I run iptables on my Ubuntu 12.04 machine at work in a similar fashion.

Note: In networking 192.168.10.0/24 is the same thing as an IP address range 192.168.10.1-192.168.10.254 with a 255.255.255.0 subnet mask.

I would go for a well documented distro. Using Ubuntu Server wouldn't be bad. I'm more inclined to use CentOS/Fedora but that's just me. You should analyze a few things when choosing a distro.

• How long do you want to support it? Do you want to stick it in a closet for 10 years or are you willing to reinstall every other year? If you prefer your system to stay in the closet forever then use a long term release distro. CentOS has a 7 year support cycle and UbuntuServer LTS has a 5 year support cycle.
• Do you want to run the system headless (without a GUI) or are you planning on utilizing a GUI? This is important in my opinion because the package management tools in CentOS/Fedora are better than Ubuntu's without a GUI. But with a GUI I like using Synaptic in Ubuntu the best.
• What kind of kernel support do you need? This past summer I built a relatively recent machine but it had hardware the Linux 2.6 kernel didn't support. I had to use a distro with a Linux 3.x kernel so that ruled out CentOS for me. I'm using Fedora instead. You'd find this out when you try to boot from a live CD.

This comes down to power efficient hardware and power efficient software settings. Google around for ACPI settings in the Linux distro of your choice and maybe even compile your own kernel with good ACPI settings. Running the system headless will likely be more power efficient than having a GUI because there will be fewer processes vying for processor time and less work for the graphics chipset. Even if you install a distro with a GUI you can turn the GUI off by switching the run levels on default start up. This can be controlled with /etc/inittab on some distros or another way using systemd.
runlevel 3 is what I would recommend as it's the multiuser headless "mode" (runlevel 5 is usually used for the graphical environment).

Other things to consider

• You should check out hdparm for setting your hard drive sleep settings.
• You should also check out using smartmontools/smartmond for detecting hard drive failures by analyzing your HDD S.M.A.R.T. reporting.
• You should think about monitoring your system with email alerts. Security is a living thing and setting up a "secure system" is actively maintaining the security.
• You should think about a recovery plan. What if your 2TB drive fails with all of your data? Would you care? If so then read more in this thread.

Interested to learn more about monitoring for security and getting alerts?

• Check out Icinga for monitoring and receiving alerts.
• PNP4Nagios will hook into Icinga and show you a performance trend of your system over time.
• Configure sendmail to use gmail as a relay (assuming you have a gmail account). And then modify /etc/aliases so that all email is forwarded to your address. Be smart and take advantage of gmail filters by filtering them into a label. This way your inbox isn't overly spammed and you can delete the whole queue when you want.
• Use your phone service email to receive text message alerts on really important happenings on your system (such as a drive failing which you'd want to know right away). To do this with Icinga check out escalations in the docs.
• You could install syslog-ng to aggregate your logs and send you a daily digest email of your logs. You could take that a step farther and implement filtering so that you don't get "normal" logs emailed to you and you only receive "unusual logs". Depending on the system you're using it is either using syslog (config file /etc/syslog.conf) or rsyslog (config file /etc/rsyslog.conf). See the man pages for the logging systems "man syslog.conf" or "man rsyslog.conf".

It depends on how much you want to do and how complicated you want to get. I have all of those implemented on my file sharing server and more. It's more of a one stop shop of everything hackery for me. Granted a lot of the software I mentioned for you at the end is designed for handling hundreds and thousands of systems simultaneously but they work well for one system. I use them for my system at home.

SAM

Re Support Lives for RHEL/Centos
https://access.redhat.com/support/po...pdates/errata/

Note that Centos only keeps up with the latest version eg 6.3 is currently available, but 6.2 is now 'vaulted'.

Sam, that was great, thanks a bunch. I will be setting up Ubuntu Server in a VM and playing with some of the tools and software you mentioned, and moving it to the hardware when I have it. I totally agree about security being a process, not a destination, but I'm only knowledgeable with Windows security. I was thinking about going headless just for the energy savings, but I think I'm already cutting out a few weeks or months of work for myself. So, I'll stick with a gui for now. I appreciate all the help, and I'll be tweaking my VM and asking questions as I go.

Thanks again!

I've looked into CentOS, and RHEL by default, Debian, and Ubuntu server now. The last few days have had me googling the crap out of the internet. Thanks again for all of the leads so far, I'm having a blast giving myself a shock course in Linux! I've settled on Ubuntu Server as my home file system, at least for now. I'll be using a gui at first, even if I mostly use a terminal for editing settings, and I like the safety net of being able to point and click instead of staring at a cursor waiting for my input. I've installed a samba server on an Ubuntu VM, and started learning about iptables thanks to what you posted.

I want to set up this server to do two things: 1 - serve music, picture and video files to my home network (specifically my subnet? still learning the terms and going to community college at night) and deny all other connections from my network except eventually an SSH or equivalent from one 'whitelisted' mac/IP address (mine) & 2 - allow connections from the internet to play minecraft and do nothing else. So, I want to stop anyone not on the network from trying to administer the server or accessing files, and I want to stop anyone not physically using my computer from doing so as well. IPtables seems like a start for broadly separating the two groups, on the network vs from the internet, but how do I include a MAC address filter? I'm sorry if I'm asking things poorly, I'm only used to Windows terminology, and not well either.

Oh, lastly, should I move this to the Server Forum? I've checked there, and they seem loads more advance than I am, but I don't want to clog the Newbie forum either.

Ubuntu Server is good. You can always make the server headless by modifying /etc/inittab (see my original post). If you want to learn a terminal editor then I suggest checking out vim.

Knowing how your network is configured would be useful in determining how you should tackle the problem. The iptables rules I originally gave you restrict all services to your local network with exception for the minecraft server.

I assume your network is set up like so...

filesharing Linux server -> <home network 192.168.10.x> -> wireless router -> ISP modem/cable

That being the case there isn't necessarily a need for my 192.168.10.0/24 restrictions since your system is protected behind the NAT of your router. However it is protected against the router port forwarding services that you don't want to be public.

As far as accessing a service such as SSH over a single port just change the -s (source) value to an IP address instead of a range.
In that configuration you would need to port forward your minecraft server in order for it to be publicly accessible. In the iptables rules from my original post I link you to an article setting up minecraft with port forwarding on your router.

You ask questions adequately. MAC address filter for what? Filtering by IP should be sufficient if you're utilizing a static IP for the client. MACs can be spoofed and is a false sense of security (easily circumvented). If you still want to know googling iptables mac filter will give you the answer.

Also, read the man page for iptables (terminal).
Moving to the server forum may get you better exposure to other sysadmins who can help you better than the newbies area. If you decide you want it moved just click on the 'Report' button on your original post and ask a moderator to move your thread to said desired forum.

SAM

How can I automatically update the server/
 

A quick update: I've learned a ton about iptables and I've installed and configured ufw. I'm not completely comfortable with ufw yet, and trying to parse that many rules in order to understand the outcome has taken a while. I've installed and configured the samba service on ubuntu, accessed it from a windows machine, and messed with the permissions. I've tested it by writing to the Ubuntu Server from Win7, and then editing that file back in Ubuntu. Success! I still have to tweak ufw to work with Samba, but you've already given me everything I need to do that myself.

A few questions, as usual. I'll try to be succinct and make my thoughts discrete and not a long narrative.

1: How can I automatically make Ubuntu run apt-get update and apt-get install routinely? Some sort of script that starts with Ubuntu?

2: Are those even the best commands to keep my entire system up to date in one fell swoop?

3: How do I then restart the computer, say at 4:30AM every Wednesday? (or is that even necessary? I'm seeing that the linux kernel is abstracted from services and thus immune to the Windowsesque decay that running processes cause) I do NOT want to update the kernel, just whatever services I have installed.

One more thing
 

Thanks so much for the iptables starter you gave me, the specific examples and commenting was what made the difference between reading a man page and understanding the usage. The Samba line was the aha moment for me, and the rest has been much easier. I'm really liking how modular linux is.

Iptables
 

So, I didn't even realize that you had %100 tailored those iptable rules to what I had described to you. I started writing my own iptables rules from scratch, and kept referencing yours, and then I started to see the patterns :) Thanks a million for the effort that went into that.

The helpful article you had linked me to on minecraft port forwarding is one that I had read back when I was running my server on my windows box. Now that I'm making an ubuntu box though, the forwarding I set up on my modem and router will apply just as well. My windows machine has an overclocked 2500k, whereas the Ubuntu server is only going to get a Pentium G860, when and if I get a tax return, which is part of the electricity saving process. As I understand the code you gave me:

So, all I really did was add a mac filter to the SSH connections. Any reason it won't work the way I did it? Also, why did you start with *filter and end with COMMIT?

*filter is the default table. See the iptables man page (man iptables and search for filter with /). The COMMIT keyword tells iptables it should commit all rules currently in the pipeline to the kernel. If a commit is never executed then the specified rules will never be active.

You should only use a # (hash comment) at the beginning of a line. I don't know how iptables will behave adding it to the end of a rule (probably poorly). Also, you have comments listed that don't start with # when you're talking about adding the -m mac. I don't know if those are your actual rules or you were just demonstrating the change you were going to make. In that case just post your actual changes; I'll be able to tell where you changed it.

If you want to add comments as part of the rule then I recommend the comment module.
Make use of man page keyboard shortcuts when browsing the pages.

This should work

Problem with starting Iptables on Bootup
 

When Ubuntu boots now, I can't see it on the network. If I disable the iptables I can see it fine though. Which part of this iptables did I screw up?

I have /etc/network/interfaces set to load the pre-up iptables when the computer starts, and that stops Ubuntu from using the internet or being visible. I've obviously missed something somewhere. This is what the last three lines of my /etc/network/interfaces looks like:

Ubuntu works fine when the last line is commented out, but otherwise has network problems. I'm going to start commenting rules in order to find which one is to blame. How else can I test this problem further, or do you see an easy fix right away? Thanks for being so patient with the same problem!

Also: I've been editing in vim and it's showing colors strangely. It won't always show a commented line as blue, for instance, and I can't find the answers on Google ANYWHERE.

What do you mean you can't see it on the network? You can't SSH? You can't telnet services? nmap shows all ports closed? What are you using to detect that it is "on the network" the way you expect?

Rather than rebooting your machine several times to test that /etc/network/interfaces configuration you can just flush and reload the rules until you get a working configuration that you can live with. For instance to flush the iptables rules...
List the rules in iptables (to check they were flushed or that your own rules were loaded)
Restore your own iptables rules to check if they're working.
As always you can read the man pages about those two commands to learn more.
Your problem is likely the OUTPUT rules. Get rid of them all initially and see that your system is working. Until you have a working system from the outside in; don't start configuring rules for the inside out. For configuration of outbound rules for your system you really have to know what kind of applications you require connectivity/where/how/why.

You could use tcpdump (similar to wireshark for analyzing network traffic on an interface) to troubleshoot how and what applications are trying to communicate outbound. Then you can start designing a set of rules for what applications should be able to communicate.

So first get rid of OUTPUT rules and work from there. Remember to use the quick shortcuts I gave you earlier for flushing and restoring the rules so you're not restarting the system a lot; it will save you time.

Don't worry about the vim colors. I have the same problem with vim colorizing my iptables rules on Ubuntu. I don't know which color scheme it's using but the colors were not designed for iptables-save/restore scripts (maybe some other script type?). If you really want to change that then perhaps install a vim syntax plug-in designed to handle coloring iptables scripts.

Found the problem
 

I found the rule that is causing the problem, a global deny outgoing rule. I checked iptables -L and it comes after all of the other rules, so I'm not sure why it's not working. Anyway, I've disabled it for now, until I can figure out which services to explicitly allow out before it is executed. Thanks for the flush and update hints, those save about a minute each time, multiplied by a million times lol.

Thanks a ton Sag47, I'm going to start a thread in the security forum to work specifically on the firewall rules that I need to develop. I particularly appreciate how detailed you've been with your answers, and how many problems you've worked me through in the last week. I already love Ubuntu more than I can say, and I've been a dedicated Windows fan for a long time.

Cool, enjoy!