Comments 51 to 76 of 200

Quote spartan777 21st August 2007, 08:07
@glider; I should have known someone would answer that (semi) seriously.

I'm about to head off to college, but my college blocks all bittorrenting (one of the reasons for making this server and following these awesome tutorials) and all ports over 1024. Rather than use port 2222, what other port can I use that is 1024 or under? Can I look at the IANA port list and find anything unused, or is there a good, unused port anyone can suggest?
Quote Zeloz 25th August 2007, 10:47
Hello, great guide. Completed the second part of the guide a moment ago, everything is working greatly, but I wonder how I add a new folder to the mysite.no-ip.org ?

E: Problem solved, just a new folder into /var/www/
Quote spartan777 26th August 2007, 19:48
Another question is under the "wrapping up" page. For the second port forward step, in which we redirect public port 12345 to private port 80, I'm looking at my router config, and wondering if "start" port and "end" ports correspond to "public" and "private" ports. I thought that "start" and "end" fields were to give a range of ports that would be forwarded. I don't want to risk forwarding ports 80 through to 12345, so can anyone help me with this?
Quote Glider 26th August 2007, 20:03
Take a look at portforward.com and see if your brand and/or type of router is listed. They offer great guides.

Also, you can just try what happens, you'll figure out quickly if you forwarded the entire range or you redirected the given port.
Quote riggs 3rd September 2007, 09:21
Great guide Glider!

What can we expect in part 3?

One question for you; is it possible to set up the server as a router? I.e;
Phone line -> ADSL modem (internal/external) -> Server (running DHCP software) -> Switch/hub/WiFi -> LAN

I just figured that as the server will be running 24/7, I may as well use it as a router too. Surely, it'll do a better job than a standalone router and offer more advanced features such as bandwidth management etc. How would I go about doing this, and can you recommend any PCI/USB ADSL modems that are Linux compatible?
Quote Glider 3rd September 2007, 16:45
Part 3 is a CLI guide ;)

Sure, you can set the server up as a router/gateway, no problem. Some links to get you started, not all Ubuntu based, but you'll sort it out ;):

A guide:
http://gentoo-wiki.com/HOWTO_setup_a_home-server


Iptables (for routing / NAT / port remapping / Firewall):
http://www.iptables.org/
http://www.linuxguruz.com/iptables/howto/

DHCP server:
http://oob.freeshell.org/nzwireless/dhcpd.html

If required, DNS:
http://www.isc.org/index.pl?/sw/bind/
http://gentoo-wiki.com/HOWTO_Setup_a_DNS_Server_with_BIND

Proxy:
http://www.squid-cache.org/
Quote completemadness 5th September 2007, 00:36
Quote:
Originally Posted by riggs
One question for you; is it possible to set up the server as a router? I.e;
Phone line -> ADSL modem (internal/external) -> Server (running DHCP software) -> Switch/hub/WiFi -> LAN

I just figured that as the server will be running 24/7, I may as well use it as a router too. Surely, it'll do a better job than a standalone router and offer more advanced features such as bandwidth management etc. How would I go about doing this, and can you recommend any PCI/USB ADSL modems that are Linux compatible?
It is a very bad idea to run Samba and a router

In fact, routers (/firewalls) should be independent boxes, if you want a nice Linux firewall, fine, but don't run all your server software on the box too
If you want a firewall distro of Linux, I recommend IPCop - IMO it's very good
Quote riggs 5th September 2007, 08:31
Really? What are the main security issue(s)?
I was hoping to have the box set up as a router/firewall/DHCP, SAMBA file server, FTP (intra/internet), torrentflux, & occasionally a BF1942 server...
Quote completemadness 5th September 2007, 14:57
Well, I just spent like 30 mins trying to find somewhere that actually says why it's a bad idea, I know I have a book, but you would have to pay for that ;)
Quote:
Originally Posted by http://www.frogge.de/pepper/linux/linuxrouter_config.html
As I have now mentioned a few times, there is a trade off between convenience and security. Initially when I was experimenting a lot, it was handy to have SMB access to the files on the router. Since then I haven't used it anymore. For everyday use all I really need is a way to log on to the router and maybe transfer the odd file. This can be done using SSH in a more secure fashion. Therefore I will move to SSH with the next version of my Internet router.

It goes without saying that you should remove all unused services from /etc/inetd.conf. In case you are not planning to offer any services at all, make sure you don't start inetd from the startup scripts in the first place.
Basically you can think about it this way
Every service you run has a possibility that it can be hacked, and is insecure
The more you run, the more back doors there are, Samba is especially bad, because it's opening up the filesystem with relatively insecure security systems

You want your firewall to be as hard to break into as possible, even on a Firewall distribution like IPCop they warn that any plugins, or modifications you make, could weaken the security of the box

In the end, it's your choice, but I strongly recommend you do not combine your firewall with anything else

Hell they even say that a better firewall wouldn't have DNS, DHCP, Snort, etc etc services, because everything you add, increases the possibility of you being hacked, however, there needs to be a balance between convenience and security
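
An added example, not part of any post in this thread: one way to see how many services a combined router/file-server box actually exposes is to list its TCP listeners and flag every network-reachable one that is not on an allowlist. The function names, the allowlist and the sample listing (in the format of `ss -H -tln`) are constructed for illustration.

```shell
#!/usr/bin/env bash
# Constructed sample in the column layout of `ss -H -tln`:
# State Recv-Q Send-Q Local-Address:Port Peer-Address:Port
sample_ss_output() {
cat <<'EOF'
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 50 0.0.0.0:139 0.0.0.0:*
LISTEN 0 50 0.0.0.0:445 0.0.0.0:*
LISTEN 0 32 192.168.1.1:21 0.0.0.0:*
LISTEN 0 80 127.0.0.1:3306 0.0.0.0:*
LISTEN 0 128 [::]:80 [::]:*
LISTEN 0 128 [::1]:631 [::]:*
EOF
}

# audit_listeners "<allowed ports>" < listing
# Prints "address port" for every TCP listener that is reachable from the
# network (not loopback-only) and whose port is not in the allowlist.
audit_listeners() {
  awk -v allow="$1" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    $1 == "LISTEN" {
      port = $4; sub(/.*:/, "", port)        # text after the last colon
      addr = $4; sub(/:[^:]*$/, "", addr)    # everything before that colon
      # Loopback-only sockets are not reachable from LAN or WAN: skip them.
      if (addr ~ /^127\./ || addr == "[::1]") next
      if (!(port in ok)) print addr, port
    }'
}

# Demo: on a box meant to be a firewall that only offers SSH, everything
# printed here is extra attack surface (Samba, FTP and the web server).
sample_ss_output | audit_listeners "22"
```

On a live machine, pipe the real `ss -H -tln` output into `audit_listeners` instead of the sample.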
Quote Glider 5th September 2007, 16:35
But tell me, what are the chances a home connection gets hacked? I'm a more advanced user, and I never got hacked...

From a security stance it's a bad idea, but for home usage, why not?
Quote completemadness 5th September 2007, 19:03
Quote:
Originally Posted by Glider
But tell me, what are the chances a home connection gets hacked? I'm a more advanced user, and I never got hacked...

From a security stance it's a bad idea, but for home usage, why not?
It depends what you do

If you start hosting web servers, game servers, or P2P - things like that, you will become a target, I know my firewall detects thousands of probes/lame attempts a day on my network
If you're a standard user, play the odd game, you'll probably be ok

I guess it depends what risk you wanna take, I'd rather be safe and not get hacked and root kitted and all that crap ;)
Quote Glider 5th September 2007, 20:16
Quote:
Originally Posted by completemadness
if you start hosting web servers, game servers, ...
You should get a DECENT uplink separated from your own internet connection, at least if you aim to host a decent service
Quote:
Originally Posted by completemadness
I guess it depends what risk you wanna take, I'd rather be safe and not get hacked and root kitted and all that crap ;)
With a decently set up IPtables ruleset, a secure policy on your server and tweaks here and there any home user should be safe... Or paranoid...
Quote styler13189 6th September 2007, 03:10
I am having a problem. I want people in my family to be able to access the server and I can not get them into it. My address to the server is tserver.servehttp.com.

Please can anyone help me?

Thanks,
Shane
Quote Glider 6th September 2007, 17:06
That could be so many things, ISP blocking ports (probable), routing not set up properly (Samba uses more than 1 port), ...

But, Samba isn't made to share over the internet. It's possible, but not recommended. FTP is much better suited for that.

I nmap'ed your host:
Code:
Starting Nmap 4.20 ( http://insecure.org ) at 2007-09-06 18:08 CEST
Interesting ports on dsl-209-55-78-233.centex.net (209.55.78.233):
PORT    STATE    SERVICE
21/tcp  filtered ftp
137/tcp filtered netbios-ns
138/tcp filtered netbios-dgm
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds

Nmap finished: 1 IP address (1 host up) scanned in 13.086 seconds
Quote styler13189 6th September 2007, 21:45
How can I make it work? I have a Linksys WRT54G Router. I may have not forwarded the ports correctly. I just don't know. The main thing I want to be able for my family to access is the Torrent Flux and be able to add files to my server.

Thanks,
Shane
Quote Glider 6th September 2007, 22:30
As noted in the article on the last page, portforwarding.com offers a guide

http://www.portforward.com/english/routers/port_forwarding/Linksys/WRT54G/default.htm
Quote styler13189 6th September 2007, 22:39
I have tried that. I did the ports the way that I was told to on the website and still it does not work. Everything works fine on my network but when my family tries to access it they can't.

I don't know what to do.

Thanks,
Shane
Quote Glider 6th September 2007, 22:41
What service are they trying to access?
Quote styler13189 6th September 2007, 22:48
Torrent Flux and I want them to be able to put files on the server.

Here are my current router configurations.

http://www.shanesvirtualcloset.com/screenshot.png
Quote Glider 6th September 2007, 22:59
Chances are (probable) that your ISP blocks those ports. You need to either remap them, or change the port the webserver is listening on. You do that by editing /etc/apache2/ports.conf

Can your relatives log in through SSH? I'd let them SCP (via WinSCP) in.
Quote styler13189 6th September 2007, 23:08
How would they get into the server through SSH using WinSCP? Put the xxxx.no-ip.org address in?

Thanks
Shane
Quote completemadness 6th September 2007, 23:48
Yes

As long as you open up port 22 (or whatever you set it to, probably best to change it) in your router
Quote styler13189 7th September 2007, 03:45
Now nothing will work! I can not even access it on my network.

Shane
Quote styler13189 8th September 2007, 04:31
Does anyone suggest anything? I am out of answers. I have changed the port and still it does not work.

Thanks,
Shane
Quote steveo_mcg 8th September 2007, 11:38
If you've changed the port you have to tell ssh where to look, i.e.

Code:
ssh user@server.localdomain -p xxx

where -p is the port flag and xxx is the port you have set sshd to listen on.