
home server - router, firewall, webserver, email?

 
 
Bill

 
      12-02-2006, 02:06 PM
I know security wise this isn't the best but it's just a hobby/home type
deal. Can this be done with Ubuntu? Don't want to use IPcop or
Shoreline or ClarkConnect. Need a true distro here. Router, firewall,
then perhaps the webserver - now this is the difficult part for me at
least - if I change ISP's (I do own a domain and can point it anywhere)
I would like a good mail gateway with spam killer/ad blaster/virus
check etc. Can this be done if I am willing to compromise a little on
security? Also would like to trade files via Samba...thanks - Bill

 
Jack Snodgrass

 
      12-02-2006, 03:30 PM
On Sat, 02 Dec 2006 07:06:26 -0800, Bill wrote:

> I know security wise this isn't the best but it's just a hobby/home type
> deal. Can this be done with Ubuntu? Don't want to use IPcop or
> Shoreline or ClarkConnect. Need a true distro here. Router, firewall,
> then perhaps the webserver - now this is the difficult part for me at
> least - if I change ISP's (I do own a domain and can point it anywhere)
> I would like a good mail gateway with spam killer/ad blaster/virus
> check etc. Can this be done if I am willing to compromise a little on
> security? Also would like to trade files via Samba...thanks - Bill



I have this setup:

Main Box:
runs 24/7
Fedora FC5
arno's ip tables firewall script
vmware server ( has 2 full time guests )
mythtv backend ( dual hdtv tuner cards )

Apps Server:
Fedora FC6
vmware Guest ( runs on the main box's vmware server )
Postfix
Apache
mysql
uses the NAS box for most of its files.

Asterisk PBX:
Centos OS
vmware Guest ( runs on the main box's vmware server )
Asterisk PBX software

NAS File Server:
runs 24/7
Custom OS:
2TB of drives

Desktop box:
used as needed. off when I'm not here.
fast video, small hard drive. uses NAS to
get video files. Used for multi-media.


All Public stuff goes to the main box. The web, mail, pbx, etc ports
are forwarded to the vmware guests on their private network addresses.
The NAS box and the Main box are connected on a private, gigabit, jumbo
frame LAN.

I like using vmware for the guests because I can backup / restore the
vmware guest OS files easily. They reside in a single directory that
consists of 15 ( at most ) files. They can easily be saved and restored.
If something gets screwed up, I just restore the previous tarball backup
and reboot the guest os.

jack

--
D.A.M. - Mothers Against Dyslexia

see http://www.jacksnodgrass.com for my contact info.

jack - Grapevine/Richardson
 
Moe Trin

 
      12-02-2006, 05:55 PM
On 2 Dec 2006, in the Usenet newsgroup comp.os.linux.networking, Bill wrote:

>I know security wise this isn't the best


Bingo

>but it's just a hobby/home type deal.


The only difference is going to be the skill of the person maintaining the
server, and the likely "attackers".

>Can this be done with Ubuntu? Don't want to use IPcop or Shoreline or
>ClarkConnect. Need a true distro here. Router, firewall, then perhaps the
>webserver


_Can_ it be done? Sure. As you point out, it's not the best way to go (I
would never use a "popular" distribution for a server - too much eye-candy),
but it's easily done. Have a look at http://www.distrowatch.com.

>now this is the difficult part for me at least - if I change ISP's (I do
>own a domain and can point it anywhere) I would like a good mail gateway
>with spam killer/ad blaster/virus check etc. Can this be done if I am
>willing to compromise a little on security?


There are several ways to go there. Sendmail with milters, anti-windoze-
malware tools running on Linux. A brief period on google will provide you
with tons of leads.

>Also would like to trade files via Samba


Locally, that's fine (though not having windoze, I've never bothered with
it), but do not try to use that over the Internet.

Old guy
 
Dan N

 
      12-04-2006, 12:00 AM
On Sat, 02 Dec 2006 12:55:31 -0600, Moe Trin wrote:

> _Can_ it be done? Sure. As you point out, it's not the best way to go (I
> would never use a "popular" distribution for a server - too much eye-candy),


Can you please explain why you think Ubuntu would be less secure than other
distros?

Dan

 
Dan N

 
      12-04-2006, 05:07 AM
On Sat, 02 Dec 2006 07:06:26 -0800, Bill wrote:

> I know security wise this isn't the best but it's just a hobby/home type
> deal. Can this be done with Ubuntu?


Yes, absolutely. Ubuntu is a good choice. There are other well-suited
distros as well.

> Don't want to use IPcop or
> Shoreline or ClarkConnect.


Good. You can do everything these distros can do and more.

> Need a true distro here. Router, firewall,


Ubuntu is fine. Debian is good if you have an old box and don't want a
gui. I suggest you use shorewall for your router/firewall.

> then perhaps the webserver

Apache2. World's best and most used web server; secure, robust, scalable,
well documented. This is software at its best and open source at its best.

> - now this is the difficult part for me at
> least - if I change ISP's (I do own a domain and can point it anywhere)


Don't worry if you change isp, just point your domain to your new address.
You don't even need a fixed ip address if you use dynamic dns.

> I would like a good mail gateway with spam killer/ad blaster/virus
> check etc.


I personally use postfix, and that's the default mail server for Ubuntu.
Use clamav in conjunction with postfix and you'll have a top class virus
scanner that will isolate viruses well before they even get to the
recipient. Amavisd and spamassassin will help tag spam as well.

> Can this be done if I am willing to compromise a little on
> security?


Absolutely no need to compromise on security, you'll in fact be enhancing
it by using a linux platform.

Note that security is not automatic, but is something that you design in.
But with linux, you're working from a platform built with security in
mind.

Dan



 
Moe Trin

 
      12-05-2006, 12:06 AM
On Mon, 04 Dec 2006, in the Usenet newsgroup comp.os.linux.networking,
Dan N wrote:

>Moe Trin wrote:


>> _Can_ it be done? Sure. As you point out, it's not the best way to go (I
>> would never use a "popular" distribution for a server - too much eye-candy),

>
>Can you please explain why you think Ubuntu would be less secure than other
>distros?


Any distribution can be configured securely. Any can also be insecure, and
the reason I recommend against using "popular" distributions for a server
is that they install and run extra crap that has no place on a server. An
example of this is X. The job of a server is to serve files - either web
pages of some form, FTP, mail, or home directories (or similar). These tasks
do not require the user to log in to the server, and thus do not require
a desktop, or similar. Running X on a server is bad for two reasons - it's
wasting CPU cycles that no one is going to use, and it is an unnecessary
exposure for bad things to happen. (Think - if application $FOO is not
running, it isn't wasting those CPU cycles, and it can't be exploited.) I
would much rather those CPU cycles be used to serve stuff to clients.
Run the command 'ps auwx' and see what is running. How do those processes
help your server? Run the command 'netstat -anptu'. Do you need all of
those ports open? If you are using a distribution with a package manager,
query it to see what all is installed ('dpkg -l' 'rpm -qa'). Use the
man page for your package manager to see the information about each
installed package.

If your server is for hobby use and is the only box you have, then you
probably want additional stuff running. Expect the performance hit, but
that may not matter to you. Also, if you are exposing the server to the
Internet, make sure you have things bolted down nice and tight. Do you
really mean to offer printing services to the Internet? How do they pick
up the hard copy output?

Old guy
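
Added example, not part of the thread or written by any of its posters: one way to act on the 'netstat -anptu' question in the post above is to list every listener reachable from other hosts that is not on a short list of intended services. The allowlist (SMTP and HTTP), the function names and the sample output are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example: review `netstat -anptu` output for unexpected listeners.
# ALLOWED_PORTS is an assumption for a box meant to serve mail and web only.
ALLOWED_PORTS="25 80"

# Constructed sample of `netstat -anptu` output (not captured from a real host).
sample_netstat() {
cat <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      2101/master
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      2210/apache2
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      1987/mysqld
tcp        0      0 0.0.0.0:631             0.0.0.0:*               LISTEN      1720/cupsd
tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN      2302/smbd
tcp        0      0 0.0.0.0:6000            0.0.0.0:*               LISTEN      2450/X
tcp        0      0 192.168.1.10:80         203.0.113.7:51234       ESTABLISHED 2215/apache2
udp        0      0 0.0.0.0:137             0.0.0.0:*                           2298/nmbd
EOF
}

# Reads netstat output on stdin and prints "proto port program" for each
# unconnected (listening) socket that is neither loopback-only nor allowed.
unexpected_listeners() {
    awk -v allowed="$ALLOWED_PORTS" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        # Foreign address ending in ":*" marks a listener (TCP LISTEN or unconnected UDP).
        $1 ~ /^(tcp|udp)/ && $5 ~ /:\*$/ {
            port = $4; sub(/.*:/, "", port)              # text after the last colon
            host = $4; sub(/:[^:]*$/, "", host)          # text before the last colon
            if (host ~ /^127\./ || host == "::1") next   # loopback-only: not exposed
            if (port in ok) next                         # intended service
            prog = $NF; sub(/^[0-9]+\//, "", prog)       # drop the "PID/" prefix
            print $1, port, prog
        }'
}

# Demo on the constructed sample; on a live host (as root, so program names
# are shown) run:  netstat -anptu | unexpected_listeners
sample_netstat | unexpected_listeners
```

On the sample this reports the print spooler, Samba and X listeners, each of which then needs a decision: stop it, bind it to the LAN or loopback only, or filter it at the firewall.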
 
spip_yeah@yahoo.com

 
      12-06-2006, 06:50 AM
> Any distribution can be configured securely. Any can also be insecure, and
> the reason I recommend against using "popular" distributions for a server
> is that they install and run extra crap that has no place on a server. An
> example of this is X.


How is it a problem for the crap to be installed if it's not running?
Although Ubuntu installs X, you don't have to run it, do you?

 
Michael Zawrotny

 
      12-06-2006, 03:58 PM
On 5 Dec 2006 23:50:25 -0800, (E-Mail Removed) wrote:

> How is it a problem for the crap to be installed if it's not running?
> Although Ubuntu installs X, you don't have to run it, do you?


Ubuntu installs X if you do a "normal" install; i.e. hit return at the
boot prompt. It won't be installed if you do a server install.

That being said, having it installed just makes for more places for
potential problems to lurk. Even if the X server isn't running, there
could theoretically be security issues in the client libraries; e.g.
see the recent bugs in some of the image handling libraries.


Mike

--
Michael Zawrotny
Institute of Molecular Biophysics
Florida State University | email: (E-Mail Removed)
Tallahassee, FL 32306-4380 | phone: (850) 644-0069
 
Moe Trin

 
      12-06-2006, 06:58 PM
On 5 Dec 2006, in the Usenet newsgroup comp.os.linux.networking,
(E-Mail Removed) wrote:

[I wrote]

>> Any distribution can be configured securely. Any can also be insecure,
>> and the reason I recommend against using "popular" distributions for a
>> server is that they install and run extra crap that has no place on a
>> server. An example of this is X.

>
>How is it a problem for the crap to be installed if it's not running?
>Although Ubuntu installs X, you don't have to run it, do you?


Note - I was using X as an example. It's far from the only problem.

Why install it if you're not going to use it? Ubuntu is a Debian based
system, and disabling X (or in reality - the GUI display manager) is a
bit different from the 'separate run-level' used by most other distributions.
With something like Fedora, Mandriva, SuSE (and similar) setting the system
to run-level 3 doesn't start X or the GUI manager. With a Debian based
system, you always run in run-level 2, and would need to alter the boot
scripts (renaming the links to /etc/init.d/gdm would do it).

Likewise, while you can directly edit the appropriate configuration files,
most of the "popular" distributions (Ubuntu specifically included) have
provided "helper" tools that are generally graphic, and discourage editing
the configuration files directly.

The preference remains however to simply not install the unneeded stuff.
This means you don't have to maintain it (another plus).

Old guy

 