# Home server/router pointers needed

## foobar.bernie

The story

Up until now my home router has been a very simple configuration for NAT and 4to6. It's a very minimalist Intel XEON E3-1220L based box with an average power consumption of 14.6 Watts (solar powered).

Current setup:

```
net-firewall/shorewall (NAT and firewall)
net-firewall/shorewall6 (IPv6 firewall)
net-misc/radvd (IPv6 router advertisement)
net-dns/dnsmasq (forwarding DNS server, DHCP)
net-misc/openssh (secure shell, only accessible from LAN)
```

The server was almost undetectable from the outside and has been doing its job for a while now. I am now required to add several functionalities that increase the vulnerability significantly.

New requirements:

```
VPN gateway
SSH access from the outside (probably through VPN)
Mail server
Backup server (LAN, VPN)
LDAP (LAN, VPN)
```

My plan is to use qemu-kvm based virtualisation to isolate publicly accessible services, which has me quite worried since I want to keep it as easy to maintain as possible. I have had a look at several virtual machine management applications and all of them look quite complex. The one I liked the most was libvirt.

The question

I would be more than happy for some pointers from users with experiences in VM management and maybe monitoring before I go down the road of no return.

Would libvirt be the right choice? 

Thanks a lot in advance

Bernie

Last edited by foobar.bernie on Fri Jun 06, 2014 9:15 pm; edited 1 time in total

----------

## Ant P.

libvirt+qemu is a perfectly reasonable choice here. You also get a nice GUI admin tool with built in remote viewers and sane VM defaults for free.

Xen is good too if you can spare the effort, but it's a lot of effort, whereas libvirt can be dropped in a running system with no disruption.

----------

## kikko

Do you mean KVM (with qemu and libvirt I suppose)? 

Since you only have to run services in a separate way, instead of setting up and running different virtual machines, have you checked out Linux Containers (https://wiki.gentoo.org/wiki/LXC) instead?

Libvirtd is a good choice for managing and monitoring VMs. It's quite easy to set up and maintain (BTW, it manages LXC as well, but I haven't tried that...)

----------

## Pearlseattle

What is "KML"?

On my side, I am using purely qemu-kvm to run VMs which group services based more or less on their type (e.g. public web, public mail or very private services) and risk/needed awareness/maintenance criteria (public web is medium, public mail is high, private services is low).

- I don't use "libvirt" - startup/shutdown of the VMs is done using custom scripts.

- I used Xen for a while (and I subjectively think that it gives the best performance) and I honestly don't know if nowadays you need a custom kernel to run it or not (can I use "gentoo-sources" to run a Xen-kernel?).

Stability of qemu seems to be good - all really bad problems I had so far (a VM totally stuck because of a low-level script I wrote + the whole system going offline because of a power surge on both power plugs) could be recovered without complications.

My recommendation is therefore as follows:

- Use VMs in any case, as a base. Use qemu-kvm or Xen (doesn't matter which one - you just have to feel comfortable with whatever you choose)

- On the host keep only the ssh port open, on an unusual custom port. When using VMs you're relying on the host to be untouched and if you add any additional services you just raise the chances that somebody will break into it and in such a case you'll have to assume that all VMs are corrupted (basically just because the host has read/write access to the VMs filesystem).

- Run the services grouped by VM depending on what you think about which service could run together with another (e.g. if you put the accent on security/needed focus then a public ftp might be coupled with the mail service, but if you give priority towards the type of data that is served then you would keep them separated).

- As kikko wrote, you might want to use "Containers" within a host or VM to put additional barriers => the above example of public ftp and email server might be such an example where both are high-risk (high-visibility + high-desirability by crackers)

Additional notes:

- the mailserver will be the trigger to attract A LOT of attention towards your server. At the beginning nothing will happen, but as soon as one of your hosted domains will show up in some list then expect at least ~200 daily attempts of email redirection through your domain and peaks of 1000 password-guessing client connections per day => I'm using "fail2ban" (bans a source IP after X attempts for Y many minutes) but you should ideally find a solution which is more intelligent (many attacks are distributed over many source IPs and they adapt to the ban-time you set).

- strictly monitor logfiles.

- stuff like "suhosin" for apache is mandatory.

- you'll need to keep an eye on the RAM/CPU/disk/network that the host and your VMs and containers are using (using whatever you choose, e.g. nagios, munin, observium, netxms). You might notice problems and/or organized attacks only if you keep distance from the details.

It will be an interesting experience - hope that you will enjoy it!!!

I did and still am :-)

----------
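Pearlseattle's point above about fail2ban, that per-IP bans miss campaigns spread over many source addresses, can be checked against the mail logs directly. The following is an added example, not code from any poster in this thread: a POSIX shell script that reads Postfix smtpd log lines and reports authentication failures per source IP (the view fail2ban bans on) and, separately, per targeted account across distinct IPs, which is the shape of a distributed guessing run. The log lines are constructed, the hostname `gw`, the addresses and the thresholds are assumptions, and the trailing `sasl_username=` field assumes a Postfix version that logs the attempted login name.

```shell
#!/bin/sh
# Added example (not code from any poster in this thread): triage Postfix
# SASL authentication failures two ways. Per source IP is what fail2ban
# acts on; per targeted account across distinct IPs exposes a distributed
# campaign that keeps every single IP under the ban threshold.

# Constructed sample lines in Postfix smtpd log format; the trailing
# "sasl_username=" field assumes a Postfix version that logs it.
SAMPLE_LOG='Jun  6 21:15:00 gw postfix/smtpd[4101]: connect from unknown[203.0.113.7]
Jun  6 21:15:01 gw postfix/smtpd[4101]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: authentication failure, sasl_username=bernie
Jun  6 21:15:03 gw postfix/smtpd[4101]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: authentication failure, sasl_username=bernie
Jun  6 21:15:05 gw postfix/smtpd[4101]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: authentication failure, sasl_username=bernie
Jun  6 21:15:07 gw postfix/smtpd[4101]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: authentication failure, sasl_username=bernie
Jun  6 21:15:09 gw postfix/smtpd[4101]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: authentication failure, sasl_username=bernie
Jun  6 21:15:11 gw postfix/smtpd[4101]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: authentication failure, sasl_username=bernie
Jun  6 21:20:14 gw postfix/smtpd[4102]: warning: unknown[192.0.2.5]: SASL PLAIN authentication failed: authentication failure, sasl_username=bernie
Jun  6 22:01:30 gw postfix/smtpd[4110]: warning: unknown[198.51.100.10]: SASL PLAIN authentication failed: authentication failure, sasl_username=postmaster
Jun  6 22:09:02 gw postfix/smtpd[4111]: warning: unknown[198.51.100.11]: SASL PLAIN authentication failed: authentication failure, sasl_username=postmaster
Jun  6 22:17:45 gw postfix/smtpd[4112]: warning: unknown[198.51.100.12]: SASL PLAIN authentication failed: authentication failure, sasl_username=postmaster
Jun  6 22:26:11 gw postfix/smtpd[4113]: warning: unknown[198.51.100.13]: SASL PLAIN authentication failed: authentication failure, sasl_username=postmaster
Jun  6 23:02:30 gw postfix/smtpd[4120]: warning: unknown[198.51.100.10]: SASL PLAIN authentication failed: authentication failure, sasl_username=postmaster
Jun  6 23:10:02 gw postfix/smtpd[4121]: warning: unknown[198.51.100.11]: SASL PLAIN authentication failed: authentication failure, sasl_username=postmaster
Jun  6 23:18:45 gw postfix/smtpd[4122]: warning: unknown[198.51.100.12]: SASL PLAIN authentication failed: authentication failure, sasl_username=postmaster
Jun  6 23:27:11 gw postfix/smtpd[4123]: warning: unknown[198.51.100.13]: SASL PLAIN authentication failed: authentication failure, sasl_username=postmaster'

# Count failures per client IP (the view fail2ban acts on). Reads the log
# on stdin, prints "count ip", most active source first.
failures_per_ip() {
    awk '/SASL [A-Z0-9-]+ authentication failed/ &&
         match($0, /\[[0-9a-fA-F.:]+\]: SASL/) {
             # RLENGTH spans "[", the address and "]: SASL" (7 chars)
             n[substr($0, RSTART + 1, RLENGTH - 8)]++
         }
         END { for (ip in n) print n[ip], ip }' | sort -rn
}

# IPs a fail2ban-style rule would ban at maxretry attempts (default 5).
ban_candidates() {
    failures_per_ip | awk -v r="${1:-5}" '$1 >= r { print $2 }'
}

# Per targeted account: number of distinct source IPs and total attempts.
# Prints "ips attempts user", most sources first.
distinct_ips_per_user() {
    awk '/authentication failed/ && match($0, /sasl_username=[^ ,]+/) {
             user = substr($0, RSTART + 14, RLENGTH - 14)   # skip "sasl_username="
             if (match($0, /\[[0-9a-fA-F.:]+\]: SASL/)) {
                 ip = substr($0, RSTART + 1, RLENGTH - 8)
                 if (!((user, ip) in seen)) { seen[user, ip] = 1; ips[user]++ }
                 tries[user]++
             }
         }
         END { for (u in ips) print ips[u], tries[u], u }' | sort -rn
}

# Accounts hit from at least MIN_IPS sources while the average attempts per
# IP stay below MAXRETRY, i.e. a campaign shaped to stay under per-IP bans.
# Prints "user ips attempts".
flag_distributed() {
    distinct_ips_per_user | awk -v m="${1:-3}" -v r="${2:-5}" \
        '$1 >= m && $2 / $1 < r { print $3, $1, $2 }'
}

echo "== failures per source IP"
printf '%s\n' "$SAMPLE_LOG" | failures_per_ip
echo "== IPs fail2ban would ban (maxretry 5)"
printf '%s\n' "$SAMPLE_LOG" | ban_candidates 5
echo "== accounts under distributed guessing (>= 3 IPs, each under maxretry)"
printf '%s\n' "$SAMPLE_LOG" | flag_distributed 3 5
```

On the sample data the single loud source (six attempts against one account) is the only thing a per-IP ban catches, while the four addresses that each try `postmaster` twice never reach a maxretry of 5 and only show up in the per-account view. Feeding real logs in via `journalctl -u postfix` or the mail log file works the same way; a nightly cron run of the per-account report is a cheap way to spot the adaptive, multi-source attempts Pearlseattle describes.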

## foobar.bernie

When I wrote KML I meant KVM. Sorry for that brain fart.

Regarding LXC

I have had a look at lxc and felt like the containers were better suited for less exposed scenarios. I know they provide quite good isolation and have not really considered running LXC on a VM for added security. I have to think about this. It kind of makes sense. Especially for the mail server. Virtualization is the closest I can get to hardware separation, which I cannot afford since I live off the grid and have no job.

Host configuration

My plans are to have the host run no public service at all besides the sshd which I want to be accessible through VPN only. It would seem logical to group VMs for LAN, VPN and public services. The last time I ran a public FTP server was back in 2005 and I have no intention of ever doing it again. I wish I could ditch the mail service as well but I cannot do without it. The safest thing would be to relay only messages coming from localhost and within the VPN. My smtpd of choice will probably be postfix, since I have used it before.

Monitoring

It seems prudent to implement the whole thing with monitoring in mind. I have not decided between nagios/icinga and munin yet but am opting for the latter.

My guess is that it will take me two to three months to implement the system. Would it be ok to regularly post my progress here?

I am really grateful for all the input so far

----------
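foobar.bernie's plan above, Postfix relaying only for localhost and the VPN, comes down to two settings in main.cf. The following is an added example, not the poster's configuration: the open-relay mistake next to the restricted policy, and a small shell check that tells the two apart before port 25 is exposed. The VPN range `10.8.0.0/24`, the comments, and the `check_relay_policy` function are assumptions and illustration; only the Postfix parameter names are real.

```shell
#!/bin/sh
# Added example (not from any poster in this thread): the relay policy for
# a Postfix VM that accepts mail for its own domains from anywhere but
# relays only for loopback and the VPN, beside the classic open-relay
# mistake, plus a check that distinguishes them. The VPN range
# 10.8.0.0/24 is an assumption; substitute your own.

# Constructed main.cf fragments holding only the relay-relevant settings.
WEAK_CF='# trusts every IPv4 address and never rejects relaying
mynetworks = 0.0.0.0/0
smtpd_recipient_restrictions = permit_mynetworks'

HARDENED_CF='# relay for loopback and the VPN only; everyone else may only
# deliver to domains this host is the final destination for
mynetworks = 127.0.0.0/8 [::1]/128 10.8.0.0/24
smtpd_relay_restrictions = permit_mynetworks,
    reject_unauth_destination'

# Parse a main.cf fragment on stdin (key = value, continuation lines
# indented), print findings, return 1 if the host would relay for anyone.
check_relay_policy() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        /^[ \t]/ { cfg[key] = cfg[key] " " $0; next }     # continuation line
        {
            eq = index($0, "=")
            if (eq == 0) next
            key = substr($0, 1, eq - 1); gsub(/[ \t]/, "", key)
            cfg[key] = substr($0, eq + 1)
        }
        END {
            bad = 0
            # a /0 entry in mynetworks makes the whole internet "local"
            if (cfg["mynetworks"] ~ /(^|[ \t,])(0\.0\.0\.0\/0|\[?::\]?\/0)([ \t,]|$)/) {
                print "FAIL: mynetworks trusts the whole internet:" cfg["mynetworks"]
                bad = 1
            }
            # smtpd_relay_restrictions (Postfix >= 2.10) takes precedence over
            # the older practice of relaying from smtpd_recipient_restrictions
            list = ("smtpd_relay_restrictions" in cfg) ? cfg["smtpd_relay_restrictions"] \
                                                       : cfg["smtpd_recipient_restrictions"]
            if (list == "")
                print "WARN: no relay restriction list set, relying on the Postfix default"
            else if (list !~ /(reject|defer)_unauth_destination/) {
                print "FAIL: relay list never rejects unauthorised destinations:" list
                bad = 1
            }
            if (!bad) print "OK: relaying limited to mynetworks"
            exit bad
        }'
}

echo "== weak"
printf '%s\n' "$WEAK_CF" | check_relay_policy || echo "(open relay, fix before exposing port 25)"
echo "== hardened"
printf '%s\n' "$HARDENED_CF" | check_relay_policy
```

`mynetworks` is what `permit_mynetworks` trusts, so it must list only loopback and the VPN subnet; `reject_unauth_destination` then refuses any recipient outside the domains this host is final destination for. Since Postfix 2.10 the default `smtpd_relay_restrictions` already includes `defer_unauth_destination`, so the check only reports a warning when neither list is set explicitly. Running it against the live file is `postconf -n | check_relay_policy`.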

