# Building a Gentoo server for Home

## Geministorm

I am about to embark on rebuilding my home server using Gentoo. 

The primary reasons why I want to do this are to: update my system (presently running Mandrake 8.2), get rid of cruft (did you notice I said Mandrake?), have the ability to keep up to date on programs and vulnerabilities, and have a lean & mean machine. I'll also want to offer certain services to my home network, and I am considering making it a file server to share music, store data/pictures, mirror my website, and such.

Here is what I'm currently planning on placing on the system. I'd like as much input as I can get, so please feel free to add apps, advice, etc. I'll probably document my process and make my steps available for others to use, if they wish.

OS: Gentoo; using the Jackass! Project (gcc 3.4.3) with 2.6.11-r11 kernel, udev, nptl, blah blah blah

Hardening/Firewall: Bastille, iptables, NAT (for private internal addressing) --> packet filtering with default deny rule 

MTA: Postfix

IDS: Tripwire or Prelude 

IP: DHCPcd for external, DHCPd for internal (or I'll just do static assignment)

DNS: Bind/named, just for the internal machines to use

Watchdog1: Post/Log/Hostsentry 

Watchdog2: Snort/dsniff/ethereal 

Self-evaluation: nmap & nessus/satan 

Internal website: Apache2 

snmpd 

Time: ntpd

File Sharing: Samba

I still need to figure out how I might stream media, setup a data base, do automatic mirroring of my website, etc.

Thanks in advance!

----------
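The "NAT plus packet filtering with a default deny rule" item in the plan above, written out as an iptables-restore ruleset for a two-NIC router. This is an added example, not code from the thread: the interface names (eth0 outside, eth1 inside), the LAN range and the list of LAN-only service ports (ssh, DNS, DHCP, NTP, SNMP, HTTP, Samba) are assumptions to adjust. The ruleset is kept as text so it loads atomically and can be diffed against `iptables-save`; nothing is opened on the external interface, and a small self-check refuses to load a ruleset that accepts new inbound connections there.

```shell
#!/bin/bash
# Added example, not from the thread: default-deny filtering plus NAT for a
# two-NIC Gentoo router.  Interface names, LAN subnet and ports are assumptions.
set -eu

EXT_IF=${EXT_IF:-eth0}               # assumed external (dhcpcd) interface
INT_IF=${INT_IF:-eth1}               # assumed internal LAN interface
LAN_NET=${LAN_NET:-192.168.1.0/24}   # assumed private LAN range

# Emit the ruleset in iptables-restore format (lines starting with # are
# comments to iptables-restore as well).
ruleset() {
cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback and replies to connections we started
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# LAN source addresses arriving on the outside are spoofed: drop them
-A INPUT -i $EXT_IF -s $LAN_NET -j DROP
# dhcpcd lease replies from the ISP (harmless if dhcpcd uses raw sockets)
-A INPUT -i $EXT_IF -p udp --sport 67 --dport 68 -j ACCEPT
# services offered to the LAN only: ssh, dns, http, samba
-A INPUT -i $INT_IF -p tcp -m multiport --dports 22,53,80,139,445 -j ACCEPT
# dns, dhcpd, ntp, samba name service, snmpd
-A INPUT -i $INT_IF -p udp -m multiport --dports 53,67,123,137,138,161 -j ACCEPT
# everything else hits the DROP policy; log a rate-limited sample first
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables-drop: "
# LAN may go out; only replies come back in
-A FORWARD -i $INT_IF -o $EXT_IF -s $LAN_NET -j ACCEPT
-A FORWARD -i $EXT_IF -o $INT_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# masquerade the private LAN behind the (dynamic) external address
-A POSTROUTING -o $EXT_IF -s $LAN_NET -j MASQUERADE
COMMIT
EOF
}

# Self-check: no INPUT rule may ACCEPT new connections on the external
# interface (the DHCP reply rule is the one allowed exception).
check_no_external_services() {
    if ruleset | grep -E -- "^-A INPUT -i $EXT_IF .*--dport(s)? .*-j ACCEPT" \
                | grep -v -- '--sport 67 --dport 68'; then
        return 1
    fi
    return 0
}

# Load the ruleset atomically and enable forwarding for NAT.
apply() {
    ruleset | iptables-restore
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
}

# Usage: ./firewall.sh        prints the ruleset for review
#        ./firewall.sh apply  checks it, then loads it
case "${1:-show}" in
    apply) check_no_external_services && apply ;;
    *)     ruleset ;;
esac
```

Run it without arguments first and read the output; `apply` only needs root. The `-m state` match is what the 2.6 kernels of the time shipped and is still accepted by current iptables.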

## Crisis

You sound like you know what you are doing and have a plan already laid out, so I will only address this:

 *Quote:*   

> I still need to figure out how I might stream media, setup a data base, do automatic mirroring of my website, etc. 

 

For databases you have a few options. I'd recommend MySQL because most applications seem to have support for it.  PostgreSQL is also a good choice.  You can always install both!

For automatic mirroring, I assume you mean host a local mirror at home of your website somewhere else.  I prefer to accomplish this with rsync.

For media streaming, Icecast is a nice tool for streaming MP3s; however, with Samba as a file share, you should be able to access most media stored on the server from a regular client application.

----------

## Geministorm

MySQL might be a steep learning curve, which I don't mind; I just have little or no experience with databases. I'm a n00b when it comes to them.....  :Embarassed: 

Yeah, I'm mirroring my website at 1and1 (external to my internal network), so I want to work on the website locally and then export it to the website. I haven't looked at rsync, so I'll look into it and see if it's going to accomplish what I need.

</me thunks head> Doh! Yeah, I guess with Samba in place, the girls can just access all the content/stuff they need. I'm not really experienced with Samba either, but if our IT guy here can do it, I know I can.  :Wink: 

Thanks!

----------

## beandog

 *Geministorm wrote:*   

> Yeah, I'm mirroring my website at 1and1 (external to my internal network), so I want to work on the website locally and then export it to the website. I haven't looked at rsync, so I'll look into it and see if it's going to accomplish what I need.

 

Or you could use subversion.

----------

## lotw

 *Geministorm wrote:*   

> MySQL might be a steep learning curve, which I don't mind; I just have little or no experience with databases. I'm a n00b when it comes to them..... 
> 
> Yeah, I'm mirroring my website at 1and1 (external to my internal network), so I want to work on the website locally and then export it to the website. I haven't looked at rsync, so I'll look into it and see if it's going to accomplish what I need.
> 
> </me thunks head> Doh! Yeah, I guess with Samba in place, the girls can just access all the content/stuff they need. I'm not really experienced with Samba either, but if our IT guy here can do it, I know I can. 
> ...

 

The basics of MySQL aren't that hard to learn.  There are also some good utils to help create databases too.  I would suggest installing MySQL and mod_php.  Then you could create online (web-based) databases.  There is also a good PHP maker that will convert your MySQL database into a working web-page-based editor/viewer: http://www.hkvstore.com/phpmaker/  The only problem with that program is that it is Windows-based; I haven't found a good Linux version yet.  Also, if you plan on using MySQL I would recommend getting phpMyAdmin.  It allows you to import/export data and do some other nice things from a web browser.

----------

## c4

 *Geministorm wrote:*   

> I still need to figure out how I might stream media, setup a data base, do automatic mirroring of my website, etc.

 

For audio files, mpd is a great choice as an MP3/Ogg/FLAC etc. server. Since you would be running a web server, you could set up a variety of interfaces like Ampache or phpMp for streaming audio to clients. Then again, with Samba you could always choose to play any kind of file (audio, video) if the server's dirs are added as remote directories at your clients.

MySQL is a good choice for the small home database; there are lots of tools to manage it and it isn't really that hard once you start playing with it.

----------

## Geministorm

Is there a way to cage the mp3/ogg/media directories in Samba so that no other directories are accessible? I'm not used to making anything available to anyone other than the local filesystem since I'm usually security paranoid. I'm concerned that if someone is able to access my system, I want to do damage control. 

As soon as I emerge k3b here on my primary machine, I'll probably get started on my server. I have a Linksys wireless router sitting here, so I'm going to re-arrange my network so that the Linksys will act as the firewall/NAT/router while I'm reconfiguring the server so that the other systems don't lose connectivity. Since my primary and server share a KVM switch, I'll be able to keep access to this forum and other help sites....

----------

## lotw

 *Geministorm wrote:*   

> Is there a way to cage the mp3/ogg/media directories in Samba so that no other directories are accessible? I'm not used to making anything available to anyone other than the local filesystem since I'm usually security paranoid. I'm concerned that if someone is able to access my system, I want to do damage control. 
> 
> As soon as I emerge k3b here on my primary machine, I'll probably get started on my server. I have a Linksys wireless router sitting here, so I'm going to re-arrange my network so that the Linksys will act as the firewall/NAT/router while I'm reconfiguring the server so that the other systems don't lose connectivity. Since my primary and server share a KVM switch, I'll be able to keep access to this forum and other help sites....

 

Think of Samba as a full file server, you can have any access directories, username/password ones, and even hidden ones.

On my server I have samba for filesharing inside (with all my music cds stored there in MP3 Extreme), data backups, etc.  Then I have an FTP server so I can access whatever I want from the outside.  Apache2, Mod_PHP, and MySQL setup with some databases that I or my friends can access.

Also, on your router you will have to open/close ports to make it work from the outside for the desired programs, e.g. port 80 to the IP of the server.  Then you can get the free www.no-ip.com service, and they can redirect a name to the site, so if your IP changes on the net you don't have to tell your friends or whoever the new IP all the time.

There are lots of ways to secure your server, you can even block all outside access to it if you wanted.  That way it still would be a secure inside only server and allow internet access out.  Just make sure that you pay attention to the security updates, to make sure that if a security hole is found in any of the server software that you patch and fix the holes.  It is a lot, and I mean a lot, easier to setup and maintain a Linux server than a Windows one, not to mention a hell of a lot cheaper.

----------
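On the "cage the media directories" question above and the answer that Samba can serve open, password-protected and hidden directories: the confinement comes from the share definitions themselves. What follows is an added example, not from either poster: a constructed smb.conf that exposes only the media tree (read-only, LAN-only, for members of an assumed `media` group), a deliberately weak config beside it, and a small audit script that flags the settings that open more than intended. Share path, group name and the 192.168.1.0/24 LAN range are assumptions; the audit is a heuristic and does not replace `testparm` on the real file.

```shell
#!/bin/bash
# Added example, not from the thread: a confined smb.conf, a weak one for
# contrast, and an audit that catches the usual over-exposure mistakes.
# Paths, the group name and the LAN range are assumptions.
set -eu

# Constructed hardened config: one read-only share, bound to the LAN
# interface, only for members of the assumed "media" group, no guests.
hardened_conf() {
cat <<'EOF'
[global]
   workgroup = HOME
   server string = home server
   interfaces = 192.168.1.1/24 lo
   bind interfaces only = yes
   hosts allow = 192.168.1. 127.
   hosts deny = ALL
   security = user
   map to guest = Never
   wide links = no
   follow symlinks = no
[media]
   path = /srv/media
   read only = yes
   valid users = @media
EOF
}

# Constructed weak config: the mistakes the audit is meant to catch.
weak_conf() {
cat <<'EOF'
[global]
   workgroup = HOME
   security = share
[root]
   path = /
   read only = no
   guest ok = yes
EOF
}

# Audit an smb.conf: print one finding per line, return 1 if any were found.
audit_smb_conf() {
    local findings
    findings=$(awk '
    function flush() {
        if (sec == "" || sec == "global") return
        if (path ~ "^/(etc|root|home)?$") print sec ": path " path " exposes far more than the share needs"
        if (writable && valid == "") print sec ": writable but no valid users restricts who may write"
        if (guest) print sec ": guest ok = yes, anyone the firewall lets in can read it"
    }
    /^[ \t]*\[/ { flush(); sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec)
                  path = ""; writable = 0; guest = 0; valid = ""; next }
    /^[ \t]*[#;]/ { next }
    /=/ {
        key = $0; sub(/=.*/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", key); key = tolower(key)
        val = $0; sub(/^[^=]*=/, "", val); gsub(/^[ \t]+|[ \t]+$/, "", val); lval = tolower(val)
        if (sec == "global") {
            if (key == "hosts allow") hostsallow = 1
            if (key == "security" && lval == "share") print "global: security = share gives no per-user authentication"
            if (key == "wide links" && lval == "yes") print "global: wide links = yes lets symlinks escape the share"
        } else {
            if (key == "path") path = val
            if ((key == "read only" && lval == "no") || (key ~ "^writ(e)?able$" && lval == "yes")) writable = 1
            if ((key == "guest ok" || key == "public") && lval == "yes") guest = 1
            if (key == "valid users") valid = val
        }
    }
    END { flush(); if (!hostsallow) print "global: no hosts allow, every host that reaches port 445 may try to log in" }
    ' "$1")
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# Usage: ./smb-audit.sh /etc/samba/smb.conf   audits a real file
#        ./smb-audit.sh                        audits the two constructed configs
if [ $# -gt 0 ]; then
    audit_smb_conf "$1"
else
    tmp=$(mktemp -d)
    hardened_conf > "$tmp/hardened.conf"
    weak_conf > "$tmp/weak.conf"
    audit_smb_conf "$tmp/hardened.conf" && echo "hardened.conf: no findings"
    audit_smb_conf "$tmp/weak.conf" || echo "weak.conf: fix the findings above"
    rm -r "$tmp"
fi
```

The three lines doing the real work are `hosts allow`/`hosts deny` (who may even talk to smbd), `valid users` (who may open the share) and `read only = yes` with `wide links = no` (what they can do once in); the firewall rule on port 445 is a second layer, not a substitute.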

## Geministorm

 *lotw wrote:*   

> 
> 
> There are lots of ways to secure your server, you can even block all outside access to it if you wanted.  That way it still would be a secure inside only server and allow internet access out.  Just make sure that you pay attention to the security updates, to make sure that if a security hole is found in any of the server software that you patch and fix the holes.  It is a lot, and I mean a lot, easier to setup and maintain a Linux server than a Windows one, not to mention a hell of a lot cheaper.

 

 :Wink: 

I'm rebuilding. I've been using a Linux server/router for about 6 years now. Back then, just getting a modem to be recognized and working was a big deal.....

Thanks for the info on Samba. BTW, I'll have a default deny ruleset for everything on the outside (external) except maybe a p2p port.

----------

## echto

Good choice on going with Gentoo!

----------

## boilersuit

I knocked up a very simple domestic server with a couple of large hard disk drives just for music, movie files and backups to save having multiple hard drives installed in each of the other machines on the home network. It doesn't get a lot of simultaneous welly so an old recycled processor and motherboard was fine, no need to waste money on it.

Since all members of family have their own machines and 50% cannot be talked out of using Windows, 'samba' was the obvious choice. The server is bare bones, runs Gentoo in text mode and is remote controlled via 'putty' from any machine.

The server runs 'rsync' once a day to get portage updates and also incrementally copy the contents from one hard drive to the other as a fallback in case of primary drive failure (belt and suspenders).

The whole network is behind a cheapo 'Linksys' ADSL gateway/router with all incoming connections blocked to outside access although port forwarding is used for p2p.

Chucked out all the wireless kit, disabled wireless access on the router and buried CAT6 wiring in the walls (only a couple of day's work including plastering and touch up paint). I found wireless networking far too unreliable, perhaps there is excessive RF interference where I live, even the wireless doorbell goes off in the middle of the night.

Anyway, it all works fine, should have done it years ago. Can watch any of the movies or play music files directly from the server on any machine using VLC on Windows or Xine/Totem with samba on Linux.

----------

## lotw

 *boilersuit wrote:*   

> I knocked up a very simple domestic server with a couple of large hard disk drives just for music, movie files and backups to save having multiple hard drives installed in each of the other machines on the home network. It doesn't get a lot of simultaneous welly so an old recycled processor and motherboard was fine, no need to waste money on it.
> 
> Since all members of family have their own machines and 50% cannot be talked out of using Windows, 'samba' was the obvious choice. The server is bare bones, runs Gentoo in text mode and is remote controlled via 'putty' from any machine.
> 
> The server runs 'rsync' once a day to get portage updates and also incrementally copy the contents from one hard drive to the other as a fallback in case of primary drive failure (belt and suspenders).
> ...

 

You should check out webmin for doing the server stuff, makes using samba and all other server apps pretty easy to use.

----------

## echto

 *boilersuit wrote:*   

> I knocked up a very simple domestic server with a couple of large hard disk drives just for music, movie files and backups to save having multiple hard drives installed in each of the other machines on the home network. It doesn't get a lot of simultaneous welly so an old recycled processor and motherboard was fine, no need to waste money on it.
> 
> 

 

As a suggestion, you might want to spin down the drives when they're not in use.  When nobody's streaming, why burn the electricity? 

```
hdparm -S time /dev/device
```

See man hdparm for more details.

 :Cool: 

----------

## boilersuit

Thanks for the tip. I'll do this now.

----------

## wjholden

You mentioned doing mirrors of your other website... you could easily use FTP to do this for you.  Speaking of FTP, it may be useful to go ahead and set up a simple vsftpd server just in case you need it.  I realise you intend to use Samba, which is cool, but sometimes FTP can be just as useful and you can safely expose an FTP server to the internet (I strongly caution you against opening port 445 to the internet!).

Ok, so let me hack up a script to do your mirror:

```
#!/bin/bash
# Mirror a remote website into the local Apache document root with wget.
set -u

WEBSITE_DIR=/var/www/localhost/htdocs   # the directory your website is in
ORIGINAL_SITE=www.example.com           # the website you intend to mirror

cd "$WEBSITE_DIR" || exit 1   # never run the rm below if the cd failed

rm -rf -- ./*   # start from a clean tree so deleted pages do not linger

# -nH drops the host-name directory wget would otherwise create, so the
# mirror lands directly in $WEBSITE_DIR.  See man wget.
wget --limit-rate=15k --html-extension --mirror -nH "$ORIGINAL_SITE"

find . -type f -exec chmod 644 {} +   # files: owner rw, everyone else read
find . -type d -exec chmod 755 {} +   # directories must be traversable too

# If you're running an Apache webserver it's good practice to give everything
# to the Apache user.  See /etc/apache2/conf/commonapache2.conf
chown -R apache:apache .
```

Save this as, say, /usr/local/bin/mirror_website.bash.  Type "chmod a+x /usr/local/bin/mirror_website.bash" to make it executable. Type "crontab -e" and enter something like this:

```
0 0 * * * /usr/local/bin/mirror_website.bash
```

This will result in a backup being created every night at midnight.

Another vote for Webmin!  "emerge webmin", "rc-update add webmin", "/etc/init.d/webmin start", then point your webbrowser to https://localhost:10000 .  You can set up your Cron script there if you wish.

Edit: I said --limit-rate=15k in the script as I don't know whether your original website is on a LAN or the internet or what.  If you've got movies on there you'd best not cap the bandwidth at 15k  :Wink: 

----------

## Geministorm

Destuxor,

I won't be opening any external ports, no worries. I also stick with SSH and have left FTP behind years ago. Since my primary system and my server share a KVM switch, I know I can just switch over and do everything by hand or cronjob/script it, although mirroring the website is really more a luxury than a necessity. My primary concerns are security from the "dirty net" (internet) and giving access internally to some shared files. I have an odd arrangement where I have two devices that must access wireless (due to my wife's and daughter's insistence), so I have to deal with that headache. Presently, I have a Linksys wifi router to my switch to my Linux server/router/firewall. That much will stay the same.

Thanks for some good ideas, keep them coming....

----------

## wjholden

Sweet.  It occurred to me after I posted that if there are any folders on your website that might get missed by a robot program (wget), like say there wasn't a link anywhere on your website to a /hidden/ webpage or something, you may want to use FTP for backups instead.  I do not know if you can easily move files around over Samba from the command prompt, and obviously Bash scripts are nothing more than commands in a program.

You have so many options when it comes to server management...  :Smile: 

----------

