Hello everyone, I was hoping you all might be able to help me set up a server for my fiends and family. I read here, in a diffeent thead, that Ubuntu was a good choice for free server O/S. I am currently downloading it. My ISP wants to bind my static IP to a MAC address of the device that will be making my connection for me. Should my server be behind my router or in front of it? I kinda wanted it to be the access point and be able to monitor the usage from all the terminals in my house. We have 4 other PC's, a laptop and a PS3. My server is a Acer Altos G530 with 3.2 Xeon Processor, 4 gb of ECC DDR, blahblahblah!

You don't say what it's for.

What kind of router, and what kind of internet service? Home cable/dsl modem and cable/dsl router?

You said that the main purpose will be to monitor or control traffic in your LAN.
If you mean a cable/dsl ethernet router, then between the router and switch may be best.
If you have a cable/dsl ethernet/wireless router, then you will need to be between the modem and the router, else you may not be monitoring wireless traffic.

It is gonna be a web server, game server, email server. My router is a D-Link WBR-2310.
Should I just PortForward through it?
My ISP is Wireless. I have upgraded our package to the fastest they have.

Ubuntu is now installed and I am at the LogIn screen! Now what? lol, boring! jk

I just want to put in a quick plug for thinking about how to secure this box before you expose it to the intertubes. A few things to think about:

- What kinds of web sites will it be serving? HTML or PHP based stuff. If the latter, you may seriously want to think about installing something like mod_security to help Apache deal with the crap that will be thrown at it. Heck, you may want mod_security anyway.

-How are you going to test/secure against your email server becoming an open relay?

-How are you going to monitor for intrusions? Something like Snort may be overkill for your situation, but a monitor like AIDE might help in case of an intrusion.

-Do you have an upgrade plan in place? Lots of cracked machines are the result of known vulnerabilities that can be avoided simply by paying attention to upgrades (and this applies to the web sites you'll be serving as well.

-Do you have a backup plan so if you do get cracked, you have a way to recover?

-Have you looked at the machine to see what services you're actually running and turned off everything you don't absolutely need?

Any box attached to the Internet is going to be attacked. Period. So if you don't want this being turned into a spam-spewing zombie in some botnet, you should do some planning.

1 members found this post helpful.

This is exactly what I need! NO! I have not done any of these things and I plan on using PHP with sql. What is mod_security? Where do I get it and how do I install it? Sorry for being such a noob but so far I have the O/S installed and that is it. Have no idea what to do next really but I am a fast learner.

UPDATE! OK, I have installed AIDE and downloaded mod_security. With mod_security and AIDE installed my box should be safer, is there anything else that I should do before I launch my first website?Like, should I use AppArmor?

I like that you refer to the box as "safer" instead of "safe". As long as you remember that these programs do have limits, you're on the right track. AIDE is simply going to monitor your filesystem for changes, it doesn't actually prevent anything. And mod_security will intercept URLs it considers harmful, but it can't prevent what it doesn't know about.


Make sure you've got PHP locked down. Poor PHP practices have been a major (and by major, I mean gargantuan) security headache over recent years. If you're going with a pre-packaged system like Drupal or Joomla, make sure you pay attention to patches.

I'm not sure that AppArmor is supported any more. It was Novell project and I thought I heard the development team got canned a few years ago. The alternative would be SELinux, and I believe Ubuntu supports SELinux, but you'll need to do some digging into how to configure it properly. I don't use SELinux on my personal server as I've found mod_security and AIDE to be a pretty good combination.

Other than that, like I said, make sure you know what services are exposed to the internet, and turn off EVERYTHING that isn't in active use. And be sure you have a regular schedule for updating the OS and any websites you're hosting. And the biggest thing is to pay attention. Tools like AIDE are useless if you're not looking at the reports. You also might browse through the Security References sticky for additional articles on hardening your system. And if you do set up an email server, PLEASE check it for an open relay before letting it loose.

1 members found this post helpful.

And just for giggles, I'll toss one other option out for you to think about....

Rather than run your machine as a single server, you could install virtualization software and run your servers as a guest OS. That has the advantage that if something bad happens, you can always just blow away the guest and replace it with a snapshot taken before tragedy struck. Given the hardware you outlined in your original post, it shouldn't be too much of a drag on your system.