Build a(n Ubuntu) home server in one hour…



…and secure it too.

When Aaron, Matthew and I incepted our Linux classes, we did so with a nebulous aim of offering a course of comprehensive beginner material, with our ultimate, nebulous goal being to offer “more advanced stuff”. Well, here we are. I dove into the basics of manipulating the Bash shell, simple scripting, SSH, and confidently administering a headless system as root. In the midst of my preparations for these classes, I had a theatric lightbulb-over-head moment: How hard would it be, really, to turn a desktop into a basic home server? Set aside performance and security concerns for a moment and just consider accessibility and turnaround time to live access on the Internet.

As it turns out, this takes about one hour. Maybe two if you are installing Linux from scratch. All you need to begin is a method to connect your dynamic home IP to a static domain and then a method to remotely access your home server:


apt-get update
apt-get upgrade
apt-get install openssh-server openssh-client

Sign up for a free DynDNS account and domain (remember to complete checkout!).


apt-get install ddclient

Populate three lines in /etc/ddclient/ddclient.conf with:

  1. Your DynDNS user name.
  2. Your DynDNS password.
  3. Your DynDNS domain.


/etc/init.d/ddclient restart
/etc/init.d/ssh start

Now give DynDNS and ddclient about five minutes (on the safe side) to update. Congratulations, you have a live Internet server for your file-access, media streaming, jerking-around-while-at-work, and general geek needs.

Now, we have a server. Locking down its Internet connection? Mmm, ten minutes. It was actually over an hour for me because I was engrossed in crash-learning netfilter/iptables syntax from scratch.


#!/bin/sh

# Clear all existing iptables rules and delete user-defined chains.
iptables -F
iptables -X

# Drop all incoming, outgoing and forwarded packets.
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

# Permit loopback activity (client and server programs on this machine).
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Permit inbound TCP connections to port 22 (SSH) and the replies sent from it.
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT

You’ll eventually need to open up ports for NTP, mail, DNS and others, but really: This is all there is to it. And because I am awesome, I wrote all of this up on Google Docs and made it freely available for download. Any notes suggesting alterations, additions or deletions can be made directly on the document, or by email to me directly.

Your Home Server and You
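
With the OUTPUT policy set to DROP and only SSH replies allowed, the server itself cannot resolve names, run apt-get or let ddclient report a new address. The following is an added example, not part of the original script: it keeps the default-deny policies, tracks connection state, and opens the outbound ports named above. The port lists, and the assumption that ddclient and apt reach their services over HTTP/HTTPS, are mine.

```shell
#!/bin/sh
# Added example, not the post's script: print a default-deny ruleset in
# iptables-restore format. The port lists are assumptions; edit to taste.
IN_TCP="22"          # inbound services: SSH only, as in the post
OUT_TCP="53 80 443"  # outbound: DNS over TCP, HTTP/HTTPS (apt, ddclient)
OUT_UDP="53 123"     # outbound: DNS, NTP

# Succeeds only for a decimal port number in 1..65535.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

emit_rules() {
    # Validate every port first so a typo never yields a partial ruleset.
    for p in $IN_TCP $OUT_TCP $OUT_UDP; do
        valid_port "$p" || { echo "bad port: $p" >&2; return 1; }
    done
    echo '*filter'
    # Same default-deny policies as the post's script.
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT DROP [0:0]'
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A OUTPUT -o lo -j ACCEPT'
    # Packets belonging to connections already accepted below.
    echo '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    echo '-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    # New connections: inbound to listed services, outbound to listed ports.
    for p in $IN_TCP; do
        echo "-A INPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    for p in $OUT_TCP; do
        echo "-A OUTPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    for p in $OUT_UDP; do
        echo "-A OUTPUT -p udp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    echo 'COMMIT'
}

# Print the ruleset. As root: sh thisfile | iptables-restore --test  (parse
# only), then drop --test to load all rules in one atomic commit.
emit_rules
```

Loading through iptables-restore swaps the whole table in one commit, so an SSH session is never left facing a flushed, half-built ruleset the way it can be when rules are added one command at a time.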

8 Comments:

Mike O'Donohue

Thanks for this guys. I look forward to trying it out soon.

Carles Sentis

Having also set up an Ubuntu server just for the laughs, I found that using a GUI app like firestarter to set up the ip tables was the easiest way, especially for newbies.

To set up a server from a dynamic IP address with a hostname, I found this website quite useful: http://www.no-ip.com/

Good post…

Mark

Firestarter is a fantastic application in its own right, but my goal is to never, ever have to touch my server short of physically switching it on.

Mark

Or dousing the flames after it combusts. Mmm, flames are bad.

Cam McKenzie

Ummm, your iptables script will stop you from accessing anything outside of your box without manually inputting firewall exclusions. A little bit too restrictive, I think….

Mark

Cam, you are absolutely correct on that point. My intention was to give you the means to create a barebones home server framework in a minimal amount of time while simultaneously giving you the incentive to go out and learn more about the process.

That said, I do believe that “secure your Ubuntu home server in one hour” might be a good next part.

Andreas

Instead of using ddclient you could use curl to update the IP address. Very useful when you are using dns-o-matic, which will update your opendns and dyndns account (same company).

It's German, but I think everybody could understand the command -> http://www.andreas-puls.de/opendns-update-curl

Scott

This is great. Thanks!
