LinuxQuestions.org

jim.thornton 07-04-2010 08:22 PM

Help setting up a new server
 
I own a physical server that is located in my home:
Dual Core 2.6ghz
500 GB x 2 HDD (RAID setup)
4 GB Ram

I have installed:
CentOS 5.5
Webmin
Cloudmin
Xen

I haven't done any hardening yet on this box.

Originally I was going to go with the HyperVM option for Xen but when I installed it, I was looking for help in the forums and got really uneasy about the security issues with the software so I did some research and decided to go with software that is a little more stable/proven = webmin/cloudmin.

Purpose: My server will be kept at my home office but I want it accessible from the WWW. I have 1 static IP from my ISP which I was planning on pointing a domain name to so that my server will be easily accessible.

I'm in the process of setting things up but am having a difficult time finding information/tutorials. Unfortunately, I do not know enough about DNS to understand this section so I was hoping if someone here can help me through this process?

Current setup:
HOST System (physical server): CentOS 5.5 w/Xen

Desired system:
I want to create virtual machines so that I can run a few different VPS's on this machine. I want to do this so that I can optimize each VPS for the software that will be installed. One of the VPS's that I want to create will be to try out a couple of control panels for virtual hosting (ISPConfig 3 and a couple of others).

Here are a few questions:

1) I know that you are supposed to use a FQDN for the hostname, but does it have to be resolvable from the www?

2) Do I have to have a domain that resolves on the www to my webmin/cloudmin server in order to get the virtualization with cloudmin working -- including the ability for the domain names to resolve within the control panel?

3) What steps should be taken to secure/harden the box?

Blue_Ice 07-05-2010 02:31 AM

I have done something like this as well. At some point I even wrote a document, although it is a bit outdated now...

What I did to secure my network was to block all internet traffic to the physical server and create a VPS with firewall/nat functionality. All other VPS'/servers/clients will connect to this server to gain internet access. For this setup you will need 2 NIC's in your server. With a NAT you can redirect traffic from the firewall server to any other system in your network. To make it a bit easier, you can also put a good router with these kinds of features between your server and internet.

DNS is basically a translation system. With forward and reverse lookup zones, it can translate an ip address to a FQDN and the other way around. For a more detailed explanation, you better do some reading. For help on setting up a DNS server, you will need to tell us which dns server you are going to use. On the internet bind is used a lot, but might not be the easiest system to learn/use. With a good dns setup, you can find your servers/clients just by using their computer name and the FQDN is not needed.

If you have registered a domain on the internet pointing to your static ip address and put your nat in place, you can make your server resolvable. Which ports you open determines how and what can access your network.

jim.thornton 07-05-2010 08:37 AM

Thank you for that tidbit of information. I do have 2 NIC's in the server and I was planning on setting it up so that my server acted as the firewall. I have a 24 Port switch as well which I forgot to mention. I have networked my house and office so that I can avoid using wireless.

I understand the bit about DNS that you mentioned, I'm looking for some more detailed info. I have BIND on the server and was planning on running that because of the fact that I have that on another VPS that I have (semi-managed). I would like to learn more about DNS (how it works, how to configure, etc).

You mentioned that I better do some reading. Do you have any resources that you can point me to? Or any books that I should buy that will help me learn/setup BIND from the ground up?

I also need to know more about DNS in general because I have no idea what a master zone is, forward and reverse zones. I basically just understand that DNS nameservers translate domains into IP addresses.

Blue_Ice 07-05-2010 08:52 AM

Well, there is a lot to tell about how DNS works and how it should be configured. I personally did a lot of research on the internet and used the book DNS and Bind of O'Reilly. Some basic information can also be found at Wikipedia.

salasi 07-05-2010 05:04 PM

Quote:

Originally Posted by jim.thornton (Post 4024236)
I understand the bit about DNS that you mentioned, I'm looking for some more detailed info. I have BIND on the server and was planning on running that because of the fact that I have that on another VPS that I have (semi-managed). I would like to learn more about DNS (how it works, how to configure, etc).

That is, imho, the wrong way around. Don't install BIND first and then start worrying about how DNS works.

BIND is not your only choice for DNS. Almost anything else is easier to configure and almost anything else has a better security record, or at the very least, not worse (which may not be the biggest problem if you keep up with updating software and the info on 'sploits, but it may not be a problem that you want).

Understand some networking (it is covered early in the Albitz & Liu book that you have already been recommended, although you can read other stuff, too). You'll need that to
  • Understand the DNS protocol
  • Set an objective (What do you want it to do for you? If you don't know this, how will you know whether you have achieved it?)
  • Select a DNS server
  • Read how to configure your choice of server.
  • Do it

Quote:

You mentioned that I better do some reading.

In addition to, or instead of, the Bind book, you should have a look at
linuxhomenetworking
yolinux

and, in general, a search on terms like 'DNS' and 'tutorial' will find good links.

Quote:

I also need to know more about DNS in general because I have no idea what a master zone is, forward and reverse zones.

You may not need that, depending on your aims.

Quote:

1) I know that you are supposed to use a FQDN for the hostname, but does it have to be resolvable from the www?

No. You need to define your objectives (do you just want to cache lookups of internet names? establish names that can be used on your own network? establish names that can be used on the internet to refer to your machines?). Before you do it, you need to be able to answer those questions (and others).

jim.thornton 07-05-2010 06:21 PM

Salasi, that is very helpful, thank you.

Honestly, DNS is just one of those subjects that I find hard to wrap my head around. I'm not sure why but I only know a few little things here and there. At this point, I can't answer the questions you pose because I don't even know what the options are.

Here is my immediate goal:

1. I would like to be able to setup virtual machines.
VPS 1 - I want to run/test Asterisk and play around with it. I have installed the hardware card for 3 input ports and 1 output port.
VPS 2 - I would like to run a server that is optimized for MySQL queries that will mainly be used as a client database system.
VPS 3 - I would like to run/test some control panels (ie. GPL Host, ISPConfig 3, ISP CP Omega). I will eventually use this to setup a Hosting server which will be used for when I develop sites. This way, it can be on my local machine but still be accessible for clients to view. Once the sites are done, I will transfer them over to my remote VPS.
VPS 4 - Test different distros and learn more about linux. I like to learn about linux but don't want to play around on working VPS's so I would like one dedicated to this so that I can rebuild it anytime I want.

2. I would like to run a control panel for the purpose of handling Xen virtual machines. As mentioned above, I was planning on HyperVM but with the security issues, decided to go with Cloudmin. Since I'm not selling the VPS's I wasn't too worried about the added features that the Pro version of Cloudmin offers. And since I'm not reselling, I didn't want a control panel that costs money as it doesn't make any sense.

So... If you can tell me what type of a setup I will need, or at least make some suggestions, I would greatly appreciate that.

salasi 07-06-2010 03:31 AM

Quote:

Originally Posted by jim.thornton (Post 4024636)
Honestly, DNS is just one of those subjects that I find hard to wrap my head around.

You spend some time giving details of what you want to do. What is remarkable is that most of the things that you spend most of your time on don't even need DNS at all.


Quote:

Originally Posted by jim.thornton (Post 4024636)
1. I would like to be able to setup virtual machines.

Nice, but not really a DNS problem.

Quote:

Originally Posted by jim.thornton (Post 4024636)
....Asterisk...MySQL...

You could do both of these without any DNS involvement. Depending on whether your work with asterisk needs only internal access (testing, internal use), you could need just a little networking involvement but I'd guess that you have other ambitions. MySQL is essentially not a networking issue at all.

Quote:

Originally Posted by jim.thornton (Post 4024636)
VPS 3 - I would like to run/test some control panels (ie. GPL Host, ISPConfig 3, ISP CP Omega).

Again for internal testing purposes, you don't need much networking to be able to play with panels, if that's all you are trying to do.

Quote:

Originally Posted by jim.thornton (Post 4024636)
I will eventually use this to setup a Hosting server which will be used for when I develop sites.

And now, all of a sudden, we are deep into networking, security, firewalls and DNS. My guess is that this big jump in the amount of networking stuff involved in this one step is that you do need to read more on networking, but maybe you already know how much detail is involved here and it is part of your plan.

Quote:

Originally Posted by jim.thornton (Post 4024636)
This way, it can be on my local machine but still be accessible for clients to view. Once the sites are done, I will transfer them over to my remote VPS.

  • You need a test machine for development. You make your life harder by allowing the outside world access to this machine.
  • I am unclear whether the non-development machine(s) will be inside or outside your network. As this has a big impact, you need to be clear about this.
  • It might be easier to host the 'client preview' somewhere else than on your development machine, for the purposes of keeping your security interfaces 'clean'.

Quote:

Originally Posted by jim.thornton (Post 4024636)
2. I would like to run a control panel for the purpose of handling Xen virtual machines. As mentioned above, I was planning on HyperVM but with the security issues, decided to go with Cloudmin. Since I'm not selling the VPS's I wasn't too worried about the added features that the Pro version of Cloudmin offers. And since I'm not reselling, I didn't want a control panel that costs money as it doesn't make any sense.

You seem to have an enthusiasm for as many virtual machines as is possible. This can have advantages, but, if taken to excess will increase the minimum amount of hardware that you need and generally complicate set up. You have to ask yourself 'what problem is this actually solving?'.

You mention selling something. What is it that you intend to sell (web design services? content creation? content management? business services? hosting? maintenance and updates? security?). Maybe you know but aren't prepared to tell the rest of the world. But until you are clear about this, there is no possibility of worthwhile analysis of what you are offering to customers.

I can't really offer any worthwhile advice on control panels (except, maybe, that they allow people not to get involved in the detail, but still run systems....this is very popular, but be aware that this level of detachment from the detail also leads directly or indirectly to security problems) but it is unclear who will be using these panels to do the controlling, you or your clients.

Just back to DNS briefly; as a general message, for stuff that remains within your own network, you don't need DNS; you could do everything with fixed hostname to IP address associations. At some point, this gets to be a maintenance problem and practically you want to use DNS internally just for convenience...I suppose by the time you get to an enterprise scale of operation, you could argue that you need DNS because maintenance will get too difficult to cope with.

There is a different issue with the outside world; for the outside world to access your sites as they would expect to, you will need domain names registered with a registrar. This has got to happen for the internet's naming system to work and is essentially a separate problem from the stuff that happens internally.

Noway2 07-06-2010 05:31 AM

I would suggest that you learn by doing. Set up your machine and start trying to implement these things. Start with a tutorial or two on a subject of interest and try setting it up. Read up on the parts that you don't understand. When stuff doesn't work, make use of google and try to figure out why as you will learn more from what doesn't work (and fixing it) than you will by what goes right.

All of the things you mentioned should be doable on a single platform. I can't really comment on the running these as separate virtual machines as I have never done that, but most modern PCs can handle hosting basic internet platforms (web, mail, etc) as well as MySQL and Asterisk.

DNS capability isn't really required for a smaller setup, but it won't hurt either. I would suggest that you can start by setting up your local LAN (on a non-public IP range) and try it out. You can combine it with a DHCP server and implement what is called dynamic DNS (ddns) for your LAN so that machines are automatically given IP addresses and they are resolvable on your LAN by name, both forward and reverse. This is a good step before attempting to run a public DNS server, which isn't necessary to host a domain as the registrar will undoubtedly offer DNS capability too. Setting up a DNS server isn't too hard, it just has an odd syntax that is sensitive to column spacings, where to put a dot at the end and where not to, and some other non user friendly things. I personally run Bind for this purpose, but as others have mentioned, it isn't the only program out there.

Here are a couple of links to get you started. These are what I used to configure my first server. By the way, I had a DNS + DHCP LAN setup and working on my first day, so like I said, it isn't really hard. Just keep checking syslog for error messages after a restart while you're implementing it.
http://lani78.wordpress.com/2008/08/...local-network/
and
http://lani78.wordpress.com/2008/08/...e-dns-records/
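
The "where to put a dot at the end" point above, as an added example that is not part of any post in this thread: in a zone file, a name without a trailing dot is relative and gets the zone origin appended, so a fully written name with the dot left off silently resolves to the wrong target. The checker below assumes a simplified zone file with one record per line; the `home.lan` zone and its addresses are constructed sample data.

```python
# Added example: flag likely "missing trailing dot" mistakes in a zone file.
# SAMPLE_ZONE is constructed data for a private LAN zone (assumed name: home.lan).
SAMPLE_ZONE = """\
$ORIGIN home.lan.
$TTL 3600
@       IN SOA  ns1.home.lan. admin.home.lan. ( 2010070601 3600 600 86400 3600 )
@       IN NS   ns1.home.lan.
@       IN MX   10 mail.home.lan
ns1     IN A    192.168.1.2
mail    IN A    192.168.1.3
www     IN CNAME web.home.lan
web     IN A    192.168.1.4
ftp     IN CNAME web
"""

# Record types whose RDATA ends in a host name.
NAME_TYPES = {"NS", "CNAME", "PTR", "MX"}


def expand(name, origin):
    """Return the absolute name a zone-file parser would use (RFC 1035 rules)."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def find_missing_dots(zone_text):
    """Return (line_no, written, expanded) for relative targets that already
    contain the origin, i.e. names almost certainly meant to be absolute."""
    origin, findings = ".", []
    for line_no, raw in enumerate(zone_text.splitlines(), 1):
        fields = raw.split(";", 1)[0].split()      # drop comments, tokenize
        if not fields:
            continue
        if fields[0].upper() == "$ORIGIN" and len(fields) > 1:
            origin = fields[1]
            continue
        # Skip the owner column unless the line starts with whitespace.
        rest = fields if raw[0].isspace() else fields[1:]
        if not any(f.upper() in NAME_TYPES for f in rest):
            continue
        target, bare = fields[-1].lower(), origin.rstrip(".").lower()
        if target.endswith(".") or not bare:
            continue                                # absolute name, or root origin
        if target == bare or target.endswith("." + bare):
            findings.append((line_no, fields[-1], expand(fields[-1], origin)))
    return findings


if __name__ == "__main__":
    for line_no, written, expanded in find_missing_dots(SAMPLE_ZONE):
        print(f"line {line_no}: '{written}' will be read as '{expanded}'")
```

The plain `ftp IN CNAME web` record is not flagged: a short relative name is the intended use of the no-dot form.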

