The first home server I set up was built using parts from multiple old computers. I threw in two HDDs for my first RAID setup, then installed Ubuntu 12.04 LTS. The main purpose for my server is to host a file cloud. *Seafile is my favorite software for private cloud storage.* Knowing nothing about network security means it wasn’t long before the server was infiltrated with a Postfix (mail server) spammer. Last week one of the drives failed and I decided it’s time to start from scratch and follow some security guides this time. I also upgraded to a real server distribution, meaning I have no GUI to work with, only a command prompt. Here I’ll do an overview of the steps I took to get the server set up and syncing files between my computers.
- Download Ubuntu. My server is old and 32-bit so I needed to grab a non-standard release (ubuntu-14.04.1-server-i386.iso) from http://releases.ubuntu.com/14.04/. If your server computer is 64-bit then the normal Ubuntu downloads page should have what you want.
- Burn the Ubuntu .iso to a disk or USB drive. I prefer using disks so I can keep a permanent collection of operating systems. When on Windows, I like using ImgBurn to create OS disks. If you’re on Ubuntu, it’s as easy as right-clicking the .iso file and selecting “Burn to Disk”.
- Install Ubuntu. The install process is pretty simple so just follow along with it. When installing Linux distros, I just look up any option I don’t understand yet.
Now boot up the server and the rest is all setup.
Almost every command for setting up the server requires superuser privilege. To save myself from typing ‘sudo’ over and over, I log into root with ‘sudo su’. If you don’t feel comfortable logged in as root, just use ‘sudo’ before each of the following commands.
- First step of course is updating software.
apt-get update && apt-get upgrade && apt-get dist-upgrade
- Now install a firewall and activate it. Might as well open the ports now that we will need for the Seafile sync service.
apt-get install ufw
ufw allow 8000/tcp
ufw allow 8082/tcp
ufw allow 10001/tcp
ufw allow 12001/tcp
ufw enable
- Next I followed Matt Brock’s nice guide on Security Hardening Ubuntu Server 14.04. I skipped the steps related to Apache because I won’t be serving any websites from this server for now.
- Install and configure Fail2Ban. The Ubuntu community guide on Fail2Ban works great for this.
- As I found out before, it’s very important to harden an email service like Postfix. It’s a commonly installed program on servers and many people want to use your computer to send spam. When we installed Fail2Ban, it automatically installed Postfix to email reports. I followed this Postfix Hardening Guide on AskUbuntu.com.
- Configure Logwatch. Again I used an Ubuntu community guide.
- The last and most important step for my setup is to install Seafile. At this point you’ll probably want to exit the superuser login. It’s just too easy to put the Seafile installation in the wrong home folder.
- Go to the download page and find the server link for your system. For my 32-bit Linux system, the correct download is 3.1.6 32bit. Right click the link and hit Copy link address.
- Now I can download it on the server using the wget command. Don’t forget to change this link to the current version for your computer!
- After downloading the Seafile server, read the manual and follow the instructions. I went with the simplest setup, which is using the SQLite database. The walkthrough is thorough and clear so no extra explanation is needed from me.
After going through all of these steps, I now have my server set up how I want it. Just download the Seafile client on any of your computers and you’ll be syncing files in no time.
If you have any questions at all please feel free to ask. I’m still learning, so if you ask about something I don’t know yet we can learn about it together! Thanks for reading and I hope my server experiences have proven useful to you. Have a happy day!
Last week, while going through and changing passwords because of Heartbleed, I started to think about security and what of mine could be affected. First thing that came to mind was the server running in my room, which hosts a website and a cloud syncing service. Though I’m getting quite comfortable with Linux, I’d consider myself a total beginner when it comes to being a network sysadmin. So, I naively thought my server was safe because “How would anyone even know about my little private server to try to hack it?” I was so, so wrong and it was shocking to say the least.
After searching for “Linux server security” I found My First 5 Minutes On A Server; Or, Essential Security for Linux Servers by Bryan Kennedy. Immediately I realized I had a gaping security hole, the SSH Server! Not only had I not secured it at all, but the silly Sparkleshare cloud application I used to use had actually completely overwritten the default file instead of just adding a few lines! I had no security at all! To my absolute horror upon checking the ssh logs in /var/log/auth.log, I was getting hundreds of unauthorized login attempts per day! The logs only went back three days because of how many people were trying to hack in. Honestly I was so overwhelmed I shut down my server for a day to process and think about what that meant.
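To put a number on the login attempts described above, the following added example (not part of the original post) counts failed SSH password attempts per source address in auth.log-style lines. The log lines are constructed and use documentation address ranges; the function names are hypothetical.

```bash
# Constructed sample in the format sshd writes to /var/log/auth.log.
sample_auth_log() {
  cat <<'EOF'
Apr 14 03:12:01 server sshd[2211]: Failed password for root from 203.0.113.5 port 51022 ssh2
Apr 14 03:12:03 server sshd[2211]: Failed password for root from 203.0.113.5 port 51022 ssh2
Apr 14 03:12:09 server sshd[2215]: Failed password for invalid user admin from 203.0.113.5 port 51040 ssh2
Apr 14 03:12:15 server sshd[2219]: Failed password for invalid user from from 203.0.113.5 port 51051 ssh2
Apr 14 04:40:30 server sshd[2302]: Failed password for invalid user test from 198.51.100.7 port 40110 ssh2
Apr 14 04:40:34 server sshd[2302]: Failed password for invalid user test from 198.51.100.7 port 40110 ssh2
Apr 14 08:01:12 server sshd[2410]: Accepted password for alice from 192.0.2.10 port 50000 ssh2
Apr 14 08:01:12 server sshd[2410]: pam_unix(sshd:session): session opened for user alice by (uid=0)
EOF
}

# Print "count address" for every source with at least <threshold> failures,
# busiest first. The user name in the log line is chosen by whoever is
# connecting, so the address is read by position from the END of the line
# ("... from ADDR port N ssh2") instead of after the first "from".
failed_logins() {  # usage: failed_logins <threshold> < auth.log
  awk -v min="$1" '
    /sshd\[[0-9]+\]: Failed password for / && $(NF-4) == "from" && $(NF-2) == "port" {
      n[$(NF-3)]++
    }
    END { for (ip in n) if (n[ip] >= min) print n[ip], ip }
  ' | sort -rn
}

# Sources with three or more failures in the sample.
sample_auth_log | failed_logins 3
```

On a real server the same function reads the log directly: `failed_logins 10 < /var/log/auth.log`.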
Fast forward through the weekend and I feel much more comfortable with the state of my server.
- I’ve installed Fail2Ban, which monitors login attempts and temporarily blocks IPs with too many failed attempts. This should stop a script from brute forcing its way in.
- Next came Logwatch, a wonderfully easy to use tool that emails me a copy of all server logs once a day. Now I can always have my eye on security without even needing to go check the server.
- I actually just uninstalled openssh-server for now. I realized that I don’t actually need it at the moment. My second monitor is on a KVM switch, allowing me to view the server and work on it whenever I need to. Seeing as I never need to modify the server while out of the house, this is technically the most secure I can be for now. However, to be prepared for the future, I made a secure sshd config so it’s ready when I eventually reinstall the server. In the config I’ve disabled root login, turned off password authentication in lieu of SSH keys, and finally even allow only certain users from certain IPs.
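The three sshd settings named in the last item can be checked mechanically. This is an added example, not the author's config: it audits an sshd_config for PermitRootLogin, PasswordAuthentication and AllowUsers, and the sample files, user name and address in it are constructed placeholders.

```bash
# Print the effective value of a keyword. sshd keeps the FIRST value it reads
# for a keyword, and keyword names are case-insensitive.
# Assumes plain "Keyword value" lines; Include files and Match blocks are not followed.
sshd_value() {  # usage: sshd_value <file> <keyword>
  awk -v key="$2" '
    /^[ \t]*(#|$)/          { next }   # comments and blank lines
    tolower($1) == "match"  { exit }   # the global section ends here
    tolower($1) == tolower(key) { $1 = ""; sub(/^ +/, ""); print; exit }
  ' "$1"
}

# Print one finding per line; return 1 if anything needs fixing.
audit_sshd_config() {  # usage: audit_sshd_config <file>
  rc=0
  for kw in PermitRootLogin PasswordAuthentication; do
    val=$(sshd_value "$1" "$kw" | tr 'A-Z' 'a-z')
    if [ "$val" != "no" ]; then
      echo "$kw is '${val:-unset}', expected 'no'"; rc=1
    fi
  done
  users=$(sshd_value "$1" AllowUsers)
  if [ -z "$users" ]; then
    echo "AllowUsers is unset, so every account may log in"; rc=1
  fi
  set -f                               # AllowUsers patterns may contain * or ?
  for u in $users; do
    case "$u" in
      *@*) ;;                          # user@host pattern: source is restricted
      *)   echo "AllowUsers entry '$u' is not tied to a source address"; rc=1 ;;
    esac
  done
  set +f
  return $rc
}

# Constructed samples; the weak one repeats a keyword to show first-value-wins.
write_samples() {  # usage: write_samples <dir>
  printf '%s\n' '# constructed: weak' 'PermitRootLogin yes' 'PermitRootLogin no' \
    'passwordauthentication yes' 'AllowUsers alice' > "$1/weak"
  printf '%s\n' '# constructed: hardened' 'PermitRootLogin no' \
    'PasswordAuthentication no' 'AllowUsers alice@192.0.2.10' > "$1/hardened"
}

tmp=$(mktemp -d)
write_samples "$tmp"
audit_sshd_config "$tmp/weak" || true
audit_sshd_config "$tmp/hardened" && echo "hardened sample: no findings"
rm -rf "$tmp"
```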
If you’re new to running a server, hopefully you can learn from my mistakes and look into security before it becomes a major problem. Luckily the files I sync are mostly open-source assets with backups in other locations, so it wouldn’t be a huge deal if they were compromised. But still, this has been a major wake-up call. Nobody with a computer is beyond needing at least the basics of security.
Have a great week everyone and remember, stay secure!
When I boot up my computer, I only want to see one login option. Nobody will be using my computer as a guest, and I have no need for remote login. It’s just one of those things that I like having cleaned up and looking crisp. Removing the Guest and Remote Login options is easy. All that’s needed is editing the config file for LightDM, Ubuntu’s display manager.
Simply undoing the changes to the file will revert back to original behavior. However to be on the safe side, you could make a backup like so:
sudo cp /etc/lightdm/lightdm.conf /etc/lightdm/lightdm.conf.backup
Here’s how to remove both items from Ubuntu startup:
- Open the file:
sudo nano /etc/lightdm/lightdm.conf
- Change the line
- Add this line at the end:
- Save the file and reboot to see your newly unblemished login screen.
In the end your file should look like this:
Don’t forget to leave a blank line at the end! If you have any questions or something went wrong please don’t hesitate to ask!
Happy New Year everyone! I’m kicking it off with a change from SparkleShare to Seafile for my private, self-hosted cloud storage. I have a server (Ubuntu 12.04) in my room that’s been running a SparkleShare cloud for about five months. It was my first time setting up anything of the like, so I’ve stuck with it through the annoying bugs. It does have many awesome features and has been super convenient, but I can’t get over the fact that it will never work with Git repositories. Admittedly I didn’t look that hard, but I thought the only other option for private cloud hosting was CloudShare.
Anyway, I was at Barnes & Noble yesterday and saw mention of Seafile in one of the many Ubuntu/Linux magazines on display. I’d never heard the name, so of course I looked it up and started reading. It was immediately apparent that the level of polish on Seafile is outstanding. It has no problem with Git repos and syncs extremely fast. It hosts a web server called Seahub so users can collaborate on and discuss files. To top it all off, the documentation is excellent, which makes installation a breeze. The installation and setup only took a few hours last night, including transferring my files from the old system and creating all of my libraries. It’s even running on an extra domain I have so I don’t need to use my IP or a freeDNS URL.
The docs alone on Seafile were almost enough to convince me it was worth changing over. Still, I’m glad I found Pat’s articles on Patshead.com about his experience with the software. They really helped answer the remaining questions I had. My time with Seafile so far may be slim, but I’m already so glad I went for it. Everything about it has been awesome and I’m very excited to have a new cloud!
Hope you all have a wonderful start to 2014!!
This is a friendly reminder to always leave a blank line at the end of your text files. You might be thinking that it doesn’t really matter, and in many cases you’d probably be correct. However, there are also plenty of configuration files for apps that require it to be there. Those that do will most likely not tell you so it would be quite hard to find and fix the problem.
Technically, a text file is just a series of lines ending in a newline character “\n”. On very old systems, a file without the ending newline would not even be considered a text file. Operating systems and applications nowadays can handle this and still read the file, but not without problems. The most likely issue is that the last line will be completely ignored. Due to the missing newline, it’s not even considered a line of text. Hope the last line of your file wasn’t important!
A prime example is cron in Unix-like operating systems. Filling up the last line in a crontab and forgetting to add a newline at the end is one of the most common problems people run into when new to cron. That last command at the end of the crontab will simply not run.
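The behaviour described above can be reproduced with a plain shell read loop. This added example (not from the original post) uses `while read` as a stand-in for any line-oriented reader; it is not cron's own code, and the crontab-style sample and script paths are constructed placeholders.

```bash
# True if the file is empty or its last byte is a newline. Command
# substitution strips a trailing "\n", so an empty result means it was there.
ends_with_newline() {  # usage: ends_with_newline <file>
  [ ! -s "$1" ] || [ -z "$(tail -c 1 "$1")" ]
}

# Count lines the way a plain "while read" loop sees them. read returns
# non-zero when it reaches end-of-file before a newline, so the loop body
# never runs for an unterminated last line.
count_read_lines() {  # usage: count_read_lines <file>
  n=0
  while IFS= read -r _line; do n=$((n + 1)); done < "$1"
  echo "$n"
}

# Append the missing newline, leaving already-correct files untouched.
fix_final_newline() {  # usage: fix_final_newline <file>
  ends_with_newline "$1" || printf '\n' >> "$1"
}

# Constructed crontab-style sample: the second entry has no trailing newline.
write_sample() {  # usage: write_sample <file>
  printf '0 3 * * * /usr/local/bin/backup.sh\n30 3 * * * /usr/local/bin/report.sh' > "$1"
}

f=$(mktemp)
write_sample "$f"
echo "before fix: $(count_read_lines "$f") of 2 entries seen"
fix_final_newline "$f"
echo "after fix:  $(count_read_lines "$f") of 2 entries seen"
rm -f "$f"
```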
I’ve run into this a few times in the past, so I decided to look it up and find out the deeper reasons behind programs expecting “\n”. I thought it would be interesting, and it was. I hope you’ve learned a useful tip, even if you don’t care about the reasons behind it.
If you want to be sure to never have this problem, check out Sublime Text, my favorite text editor for code and everything else. It has an option to force a newline at the end of a file on saving. Sweet! If you are already using Sublime Text, see my previous post on replacing the default icon with something much cooler.