Linux Home Server (Part II)
In an earlier article I described the services and functionality that my Linux Home Server provided. These were primarily internal services such as printer and file sharing, IMAP/POP for e-mail, internal Domain Name Services (DNS), etc. In this article I'll describe the outward facing functionality of my server.
Operating System
My server runs CentOS 4.6 (as of this writing). This is a community supported clone of Red Hat Enterprise Linux (RHEL) version 4. I briefly flirted with the idea of upgrading the server to CentOS 5 but version 4 fully supports the hardware of the server (see Part 1 for more on the hardware) and it is extremely stable. What's also nice is that CentOS will continue to support version 4 as long as Red Hat does which should be for seven years from the release date. I'm guessing I will upgrade the server before that happens but it's nice to know that I don't have to buy new hardware every few years unless the system load forces me to (I should be so lucky).
Web/blog Server
If you're reading this blog you're already making use of my server. I run Apache 2.0.52 (as of this writing) as it is the version included with CentOS 4. After I added the pictures from the Gathering of Mustangs and Legends to my web site, I decided to add this blog in order to allow two way communications with anyone who wanted to know more about any of my pictures.
My other recent addition to the web server is squirrelmail. squirrelmail allows us to read our e-mail remotely. In the past I had just logged in through ssh (see below) and then used a command line mail client such as pine to read my mail. This was OK for me but, as my squirrelmail blog entry points out, wasn't acceptable for my wife.
Firewall/NAT
Easily the most critical function of my server is to provide firewall and network address translation (NAT) services. The firewall protects the server itself and the rest of my home network. No magic here as I just run hand crafted iptables firewall rules. A couple of the more interesting rules are:
```
-A RH-Lokkit-0-50-INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN \
-j LOG --log-prefix "packet with FIN+SYN rec'd: "
-A RH-Lokkit-0-50-INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
```
which logs and then drops these malformed (SYN+FIN) packets. I also like to keep track of who is attempting to access my box who shouldn't, so I log any attempt from outside my network to connect to either port 22 (ssh) or port 5901 (VNC):
```
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 22 --source ! 192.168.0.0/16 \
-j LOG --log-prefix "SSH port probed"
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 5901 --source ! 192.168.0.0/16 \
-j LOG --log-prefix "VNC port probed"
```
ssh server
Another nice thing about Linux is that it includes the secure shell (ssh) and the secure shell daemon (sshd). These provide a mechanism for encrypted remote access. The downside is I still have to open port 22 or some other port. Since I use public key authentication this doesn't present much of a security risk since only my laptop and my internal systems have the public key. Unfortunately, the same systems that my firewall rules log when they attempt to connect then up the ante and try to guess a user account/password combination that works. None do but they try anyway. If I get annoyed enough I run a perl script that I wrote that extracts the IP address of systems generating failed login attempts and crafts excluding (DROP) firewall rules for them. Buh-bye.
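The blocking script described above, as an added Python example (not the author's Perl script): it counts hits per source address from the firewall's "port probed" LOG lines and from sshd's failed-password entries, skips the 192.168.0.0/16 range, and emits DROP rules for the chain used on this page. The log lines and the threshold are constructed for illustration. Note that the "SSH port probed" prefix on this page has no trailing space, so in the real log it runs straight into the `IN=` field, which the regex allows for.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.0.0/16")   # internal range, never blocked
THRESHOLD = 3                        # hits before an address is blocked (assumed)

# LOG target output of the "SSH port probed"/"VNC port probed" rules (prefix has
# no trailing space, so it abuts IN=), and sshd failures from /var/log/secure.
FIREWALL_RE = re.compile(r"(?:SSH|VNC) port probed.*?SRC=(\d+\.\d+\.\d+\.\d+)")
SSHD_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (\d+\.\d+\.\d+\.\d+)")

# Constructed sample log (not from the page); 203.0.113.x/198.51.100.x are doc ranges.
SAMPLE_LOG = """\
Mar  3 01:12:07 fraud kernel: SSH port probedIN=eth0 OUT= SRC=203.0.113.9 DST=72.19.169.230 PROTO=TCP DPT=22
Mar  3 01:12:09 fraud sshd[4121]: Failed password for root from 203.0.113.9 port 51234 ssh2
Mar  3 01:12:11 fraud sshd[4121]: Failed password for invalid user admin from 203.0.113.9 port 51240 ssh2
Mar  3 01:12:13 fraud sshd[4121]: Failed password for invalid user test from 203.0.113.9 port 51251 ssh2
Mar  3 01:20:40 fraud kernel: VNC port probedIN=eth0 OUT= SRC=198.51.100.77 DST=72.19.169.230 PROTO=TCP DPT=5901
Mar  3 02:05:02 fraud sshd[4188]: Failed password for dave from 192.168.1.20 port 40011 ssh2
Mar  3 02:05:05 fraud sshd[4188]: Failed password for dave from 192.168.1.20 port 40012 ssh2
Mar  3 02:05:08 fraud sshd[4188]: Failed password for dave from 192.168.1.20 port 40013 ssh2
Mar  3 02:05:11 fraud sshd[4188]: Failed password for dave from 192.168.1.20 port 40014 ssh2
"""


def count_offenders(log_text):
    """Return a Counter of source IP -> number of probes plus failed logins."""
    hits = Counter()
    for line in log_text.splitlines():
        m = FIREWALL_RE.search(line) or SSHD_RE.search(line)
        if m:
            hits[m.group(1)] += 1
    return hits


def drop_rules(hits, threshold=THRESHOLD, chain="RH-Lokkit-0-50-INPUT"):
    """Build DROP rules for external addresses at or above the threshold.

    Rules are inserted (-I) so they take effect before the LOG/ACCEPT rules."""
    rules = []
    for ip, n in sorted(hits.items()):
        if n >= threshold and ip_address(ip) not in LAN:
            rules.append(f"-I {chain} -s {ip} -j DROP")
    return rules


if __name__ == "__main__":
    for rule in drop_rules(count_offenders(SAMPLE_LOG)):
        print(rule)
```

The internal address with four failures is a mistyped password by a local user, which is exactly why the LAN range is exempt.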
It has been pointed out that I could move sshd to listen on a non-standard port instead of port 22. If I ever come up with a way to configure sshd so that it listens on the non-standard port on the external interface and on the standard port on the internal interface I'll probably implement this. It really doesn't make the system more secure since a port scan will still detect the open port but it will at least cut down on the noise generated by script kiddies who don't know enough to look for services on non-standard ports.
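One way to get the per-interface arrangement described above, as an added sshd_config fragment (not the author's configuration): OpenSSH's ListenAddress directive accepts a host:port pair, so each interface can bind its own port. The external address is the one shown on this page; the internal address and the port 2222 are assumed placeholders.

```text
# sshd_config on the gateway (added example; 192.168.1.1 and 2222 are assumed)
# External interface: non-standard port, cuts down on the automated noise
ListenAddress 72.19.169.230:2222
# Internal interface: standard port, so LAN clients need no change
ListenAddress 192.168.1.1:22
```

The firewall then needs to admit (and, if desired, log) the new port from outside in the same way the rules above handle port 22; as the author notes, this changes the noise level, not the security.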
I run sendmail as my mail server. Lots of people prefer postfix but I learned enough about sendmail back when I worked at a company called Exactis.com that doing a minimal setup wasn't that hard. Over the years I've been running my own mail server I've tried various anti-spam measures with varying success. I'm currently using dSPAM which does a fairly reasonable job although I still have to store the garbage until I get around to deleting it. I'd love to see the author include an auto-delete threshold so I could just send the majority of this stuff to the bit bucket where it belongs without even knowing it ever got to my system. I'll probably create an article on installing and configuring dSPAM in the near future.
Internally I run dovecot as my IMAP/POP server. Since there are only two "real" users here I don't need the scalability of cyrus IMAP.
External DNS
I also run my own external DNS or domain name services. Nothing really fancy here although the one trick I found was how to make it so people could just point their browser to davenjudy.org and it would work. The trick was to set up a round robin DNS arrangement with only my single server. This looks like:
```
davenjudy.org.    A     72.19.169.230
                  MX 5  mail.davenjudy.org.
                  MX 10 fraud.davenjudy.org.
```
Naming convention
I use the alias DaveAtFraud as my login at a number of web sites like slashdot, 2cpu.com, etc. This came about because I spent the first twelve years of my professional career working at TRW. While I was there computers on a network were invariably named using some cute theme such as the names of the Hawaiian islands, Civil War generals, Star Trek characters, etc. My running joke was I wanted to name the computers for a project waste, fraud and abuse. Needless to say I never got my wish while I worked there since there was a distinct lack of a sense of humor about such things, as they were primarily a defense contractor. When I created my own network I named the computers waste, fraud and abuse.
Systems have come and gone since my original network but my main gateway system is still fraud.davenjudy.org and Judy's computer is abuse.local.davenjudy.org. waste is now sitting in the basement; it was my last Windows system (dual boot NT4 and 98) and with a 500MHz PIII it's just not up to much anymore.
When my network expanded I had to venture beyond waste, fraud and abuse so I settled on bend (the system I usually use), fold (was a loaner system from my previous job), spindle (my laptop) and mutilate (the internal interface to fraud).
That's about it.
Cheers,
Dave