My server, plans to setup



Right i have my hard drive coming on Monday / Tuesday for my server, and also the replacement motherboard coming from eBay on Tuesday / Wednesday for me.

Basically i want to make it into a file / web / email server

I have downloaded Linux clarkconnect, as i was told this was best.

So any advice i need to make my server as secure as possible, and also good tips to making it the best performance?

dave164

You should learn how to use iptables, you should also post in the Linux Server forum as more linux users will notice it.

For a decent GUI frontend for iptables you should look at:

http://www.fs-security.com/

iptables is part of 'netfilter', which is just a way of saying that iptables handles all IP/ethernet traffic before it is received by the kernel for inbound traffic, and after the kernel and before the NIC device on send.

Perhaps I should just say that it is your inbound and outbound packet filter (it also does more advanced processing, if you wish). It is 'stateful', meaning that it is aware of connections already open, and can treat these differently than new connections.

You can edit the rules in the chain (it's like a flowchart) manually with text commands, or you can get a GUI frontend to handle the rules. (much easier with a GUI)

I have a GUI 'wizard' for my installation, but I don't recall what it was that I used at home (I am at work now). There is also fwbuilder at http://www.fwbuilder.org/ They aren't the one I use, but they all do the same thing, really - make it easier to set up your firewall (iptables) rules.

whats the domain name of ur server dude? lemme check the security :shifty: ...

:p nah .. i do penetration tests on server .. if ur server will be holding really imp imp files/data contact me . i will hardened it for a cost or ...

i give u some tips ( i found this on some free webhosters site)

1. Log into server as root.

2. Open /etc/httpd/conf/httpd.conf with an editor.

3. Change the line ServerSignature on to

ServerSignature Off

4. Find the line "HostnameLookups off"

After that line, add "ServerTokens Prod"

5. Save and exit.

6. Restart Apache with /etc/rc.d/init.d/httpd restart

Install System Integrity Monitor

System Integrity Monitor (SIM) monitors system services and provides a clean and informative representation of system status. It is an essential tool for server admins to monitor servers. SIM has several modules that can be installed to help admin with common system processes. SIM will verify that system and services are online, check load averages, and maintain log files.

1. Login to server and su to root.

2. go to /usr/local

3. Get source file wget http://www.r-fx.org/downloads/sim-current.tar.gz

4. Untar file with tar -xzvf sim-current.tar.gz

5. cd sim-2.5-3 (or latest version of SIM)

6. Type ./setup -i

7. Enter and spacebar to continue.

8. Finally, get to auto-configuration script for SIM. Select options you want to install.

Security: Use SSH protocol 2

The old SSH Protocol 1 has several security leaks and faces many automated "root kits". Protocol 2 is an improvement to plug the holes. All servers with SSH 1 should use SSH 2.

1. Open /etc/ssh/sshd_config with an editor.

2. Find the line "#Protocol 2, 1".

3. Uncomment (remove #).

4. Save and exit.

5. Restart SSH with /etc/rc.d/init.d/sshd restart

Security: Disable direct root login

Root user is the most important account on a server. The root user has access to any file/program/application running on a server. By default, terminal services would allow the root user to login. This is a major threat to security as hackers can try to guess at the root password to gain access.

Disabling direct root login will create an extra user account before changing to root user. This will force a hacker to have to try and guess 2 separate passwords to become root user.

cPanel users/servers must add the user to 'wheel' group so that the user is allowed to su to root. Failure to do so would cause a lock out of the root account.

* A user with SSH access must already be created.

1. SSH into server as user and gain root access by 'su -'

2. Open /etc/ssh/sshd_config with an editor.

3. Find line PermitRootLogin yes

4. Uncomment it. Put no so that PermitRootLogin no

5. Save the file and exit.

6. Restart SSH with "/etc/rc.d/init.d/sshd restart"

Security: Disabling Telnet

Telnet is a threat to server security. The protocol communicates on port 23 for both incoming and outgoing messages. Passwords and usernames are sent as clear text during logins, giving hackers the chance to tap the traffic between client and server and then gaining access. Telnet should always be disabled on web servers and replaced with a more secure platform like SSH.

To disable telnet on your server, follow these steps:

1. Login as root.

2. Open the file /etc/xinetd.d/telnet with your editor (pico/vi).

3. Find the line "disable = no" ,

replace with "disable = yes".

4. Restart the inetd service with command /etc/rc.d/init.d/xinetd restart

5. Do a quick scan to make sure port 23 telnet is closed.

nmap -sT -O localhost

warning :- DO this when u u.stand wht this means... do not blame me if ur dog eats ur cow or ur server crashes and burns.
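A read-only check for the settings the checklist above covers, added here as an example and not part of any post in the thread. The function names and the sample files are constructed for illustration; point `audit_hardening` at copies of your own `httpd.conf`, `sshd_config` and xinetd telnet file. It reports a `Protocol` line that still lists 1 (such as `2, 1`) as a finding, because sshd then keeps protocol 1 available as a fallback.

```shell
#!/bin/sh
# Added example: read-only audit of the settings from the checklist above.

# active_value FILE KEY PICK: value of KEY on its first or last uncommented
# line, lowercased, with blanks and "=" removed (so "2, 1" becomes "2,1").
active_value() {
    awk -v key="$2" -v pick="$3" '
        /^[ \t]*#/ { next }                      # commented out: not active
        {
            line = tolower($0); sub(/^[ \t]+/, "", line)
            if (index(line, tolower(key)) != 1) next
            rest = substr(line, length(key) + 1)
            if (rest !~ /^[ \t=]/) next          # a longer keyword, skip
            gsub(/[ \t=]/, "", rest)
            if (pick == "first" && seen) next
            val = rest; seen = 1
        }
        END { print val }' "$1" 2>/dev/null
}

# expect_value FILE KEY PICK WANT: print a finding and return 1 on mismatch.
expect_value() {
    got=$(active_value "$1" "$2" "$3")
    [ "$got" = "$4" ] && return 0
    echo "FINDING: $2 is '${got:-unset}', expected '$4' ($1)"
    return 1
}

# audit_hardening HTTPD_CONF SSHD_CONFIG XINETD_TELNET: returns finding count.
audit_hardening() {
    n=0
    expect_value "$1" ServerSignature last off || n=$((n + 1))
    expect_value "$1" ServerTokens last prod || n=$((n + 1))
    # sshd keeps the first value it reads for a keyword; "2,1" still lists
    # protocol 1, so only an exact "2" passes.
    expect_value "$2" Protocol first 2 || n=$((n + 1))
    expect_value "$2" PermitRootLogin first no || n=$((n + 1))
    # No xinetd telnet file: the service is not configured, nothing to flag.
    if [ -f "$3" ]; then expect_value "$3" disable last yes || n=$((n + 1)); fi
    return "$n"
}

# Constructed sample files (not from a real server) for an offline run.
make_sample() {
    printf 'ServerSignature Off\nHostnameLookups off\n' > "$1/httpd.conf"
    printf 'Protocol 2, 1\n#PermitRootLogin yes\n' > "$1/sshd_config"
    printf 'service telnet\n{\n\tdisable = yes\n}\n' > "$1/telnet"
}

demo=$(mktemp -d) && make_sample "$demo"
audit_hardening "$demo/httpd.conf" "$demo/sshd_config" "$demo/telnet" || true
rm -rf "$demo"
```

On the constructed sample it reports three findings: `ServerTokens` unset, `Protocol` set to `2,1`, and `PermitRootLogin` unset because the only line for it is commented out.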

kyro, that is some EXCELLENT and thorough advice! (Y)

Might I ask you to make a post in the Server FAQ section with that info? I am sure it will help someone setting up a *nix server. :yes:

Great advice, should be posted in the Server HOWTOs.

However I should mention that hardening is somewhat of a new craze among server admins and there are many "Hardeners" popping up as well as "Hardened Distro Versions" (usually that someone other than the official dev team made).

Right im getting more and more confused now :p

Help *eek's*, if someone could give me a step by step after installing clarkconnect Linux, in basic language, not complex language!!!

What programs do i need? I obviously need TightVNC to control my server, but what else?

dave164

You can do an FTP server as long as you have an FTP daemon, which most linux distros have. I'm not sure about clarkconnect, but I'd assume so. Also you do have a webcontrol interface and you don't need a VNC connection if you don't want one.

I'm not sure the installation of clarkconnect, but most linux installers do a pretty good job of walking you through it. Are you having trouble installing it?

Nope, im just getting everything sorted before i get my HDD on Tuesday, motherboard on Wednesday, then i install it all :)

Just getting all prepared.

Can anyone recommend me any other Linux distro... it was something beginning with an M that i remember people talking about...

Probably Mandrake, but I wouldn't use it as a server. It can be used as one and probably do a good job, but it wouldn't exactly be the best server solution in my opinion.

-

Don't worry about the installation, it should be painless.

kyro, that is some EXCELLENT and thorough advice! (Y)

Might I ask you to make a post in the Server FAQ section with that info?  I am sure it will help someone setting up a *nix server. :yes:

Sir .. Yes Sir.....

*stomps the ground * marches to Completed server howto thread and makes a howto*

Sir... your command was carried out successfully ...

:cool:

I obviously need TightVNC to control my server, but what else?

That would be a very Windows-like way of managing your server.

dotRoot mentioned using a web interface (like webmin) to setup your server, which is an easy option for the GUI-centered. Logging in via ssh and changing things through a command line is another option, as well.

The link he points should probably be pinned and made into a sort of 'definitive' *nix server thread... :shifty:

To setup a successful file sharing server/production server ;

Get a linux OS installed on it; such as Fedora core.

Don't install a GUI, it just leads to security problems and it's also a waste of resources.

You need to install the basics. NO GUI'S!

Ok, Then you need to secure it via ssh...

There are a lot of guides on the net for this

You will need to install a control panel, APF firewall, BFD - Brute force protection, antivirus, IDS - snort and acid

There are a heap of things....

But don't install a GUI, do everything over SSH. It's easier, and i don't think VNC works on linux ;)

Lol i just keep getting more and more confused now :p

Does someone have a guide cos people keep saying stuff, and it seems more and more is coming all the time, doing things through commands has never been my kinda style, id rather "see" it happening.

I'd guess i should wait until i install Linux, cos im getting really really really confused now *rubs head*.

My stages now:

1) Downloading FC2, heard it was more stable than FC3

2) Mobo + HDD coming on Tuesday

What im stuck with:

1) What programs are used to do what i want (ftp / mail / web sites)

2) What everyone is saying about SSH and not installing a GUI, etc..

Well, there is this HOWTO in our FAQ/HOWTO section:

https://www.neowin.net/forum/index.php?showtopic=258829

FC3 may have been a better choice than FC2, because you will have some updating to do. Other than that, it really doesn't matter.

You can use Apache (httpd) as your web server, ftpd for ftp, and probably qmail (default is sendmail in Fedora) for mail serving.

You don't need to install a GUI of any sort. Using webmin will allow you to set up your server via a GUI on another PC (point your browser to your server and go). You can ssh into your server and do everything through the command line, once you get comfortable with that, but the main issue is there is no need to install X or any GUI environments.

(and, of course, if you ask 20 Linux experts, you will get 50 opinions, as there are always alternatives) ;)

Yeh i keep getting really confused :cry:

But thanks for summing it up mark :)

Can i just login to my server via the ip its on? How do i? *sounds really really n00b*

Installation is sounding really complicated now im reading more stuff, etc..

Im all ok about the apps now though!!

Im so damn confused, can someone talk to me on MSN please?

Can i just login to my server via the ip its on? How do i? *sounds really really n00b*

Hang in there! It sounds more complex than it is. :D

And, yes, when you have a server set up, you can log into it by IP or by name on the network.

  • ssh can be used to log into it, just like you were at the keyboard right on it. Just ssh -l username hostname (or use IP), and it will prompt you for the password for the username you provided. Bingo! You are logged in.
  • Or webmin can be used by any browser on your network. Point your browser to http://pcname_or_ip:10000, and login. (I haven't used webmin ever, but that is what the docs I could find say to do)

Hope that helps (and not confuses!)
