Home server security: where do I start? [closed]

• You could go with dynamic IPs and something like DynDNS or maybe EasyDNS.
• Linux is good. And, if you are not into getting too deep, you could consider Ubuntu server edition; Book reference: Beginning Ubuntu Server Administration
• For the hardware, if you are setting up at home, consider a UPS unless you are located in some place that will never have power outages of any sort.
• You might want to consider a RAID configured redundant disk system.
• Once you have some stability, consider a kernel hardening patch like grsecurity. There are other hardening patches you can lookup too (no flame wars please).

First of since your are talking about a home server and have strong budget constraints (nearly) forget about physical security. Place the box somewhere where your spouse/kid/pets can't reach it to not run into trouble when someone unplugs this thing just to get a place to plug the vacuum cleaner in.

Label that plug so that it is absolutely clear!

Should I be using Linux? Which distro? How do I lock it down? I realize that this question can start myriad flame wars, but I just want some pointers on how to set up a secure server with those services running (and nothing else, under the assumption that more services = more security holes).

Use the OS that you know how to secure. It's no good going with OpenBSD (which has a good security reputation) if you don't know how to keep it secure. The OS I'm most confident with is Debian so I'd use that, your knowledge may be with Windows, Plan9, Solaris. Use the OS you know best!

Define your requirements (you seem to have done so already - that's excellent), and think about wether you absolutely positively need that uber-cool server hardware. I don't think you actually do, rather spend the money on a backup device for offline backups or marketing (or porn).

Where can I get good information on setting up a VPN through that router? Should I be going through that apple router, or is there some 'gold standard secure' router I should be looking at?

I'd go with OpenVPN it is relatively easy to set up and forward that (and only that) port from your router to the box you use. Possibly add in some port knocking (I only know of linux solutions) - the screamers will now come and say security by obscurity and they are right, but given you have a budget I'd consider any cheap layer of security is worth it - hower with that route you'd need additional ports forwarded to the server.

Make the needed services listen only on IPs/interfaces that are not reachable without being connected by a VPN. I'd guess the only services you need will be HTTPS (subversion and a bugtracker).

Configure OpenVPN to use certificates secured with password and passwords for the users (Yes that's possible).

Static IP (which means changing my ISP) or a dynamic IP? Is it possible to do these sorts of things with a dynamic IP, and if it is, how do I go about setting up the server to be securely, remotely accessible via a dynamic IP?

No, don't throw out your money, use free services like dyndns (or whatever that's the only one coming to my mind). As you said you are a startup and paying monthly extra for a static IP won't do any good if you don't really need it - that is unless you want to run Email-Services on your server, then you'll not only need a static IP but make sure you do have control over your reverse DNS also. And also if changin to another ISP that provides static IP cheaper than your current: Go for it!

You may have short outages while the IP service is transitioning to the new IP but that should be doable, if it is too much you can later still switch to a static IP.

What kind of hardware should I be looking at? I was thinking about something along the lines of just a core2 duo processor (maybe i7?), regular hard drive, 4 gb RAM, and that's about it, connected to some other backup drive, like a USB-attached hard drive attached to the system with cron jobs to do nightly backups to the second drive. Is that reasonable?

I'd go with relatively cheap hardware one of Dells Tower Servers (the cheapest one you can find to be exact), the money you saved should be spent on a good support contract in case of a hardware failure and a dedicated backup system and probably a UPS that will at least have enough power to let you server shut down in a sane way.

Given you want to run a source code repo and a bug tracker I conclude you're developing locally and do checkins. Communicate in a formal way over the bugtracker so you and your business partner have something to blame against each other :). 99% percent of the time your server won't do anything.

If you want to get some automated testing add in some RAM, you don't actually care if the build takes 5 minutes or 15 minutes with 2 developers, but you'll be driving nuts if the OpenVPN daemon/service get's killed because of RAM outages everytime your build is runnning.

Do yourself a favor and get a hardware router with good VPN support. Even something as inexpensive as the Netgear ProSafe line can be had for $70 or so.

https://www.netgear.com/Products/VPNandSSL/WiredVPNFirewallRouters/FVS114.aspx

These types of units will be very easy to set up and configure. If you end up needing dynamic IP services (which you can just as easily do), use DynDNS as suggested.

Since you are unsure about setting some of the pieces up, why not let someone else do it?

Consider a hosted environment like Assembla, Unfuddle, Origo, XP-Dev, ProjectLocker, CodeSpaces, bitbucket, or github.

Keeps you out of the setup and maintenance of the server and repositories, and most of the hosting sites are inexpensive enough that your $1k will go far.

The downside is that you might have to find a separate continuous integration solution. From the list above, only ProjectLocker mentioned continuous integration tools as a feature.

A few words about backups.

If you don't make sure you can read them, you haven't backed up.

If you don't have off-site backups (your friend's house will do), you don't have good backups.

If your backups are on-line (RAID or hot server), they aren't backups.

Figure what sorts of events could wipe both your system and your backups, and make sure you'll accept the risk. If you have good backups at your friend's house, and the server at yours, then a single event would have to be pretty darn large (and rare) to take out both of them. If the city where I live is nuked, for example, I probably won't worry too much about the business.

None of the lower-cost media for backups are all that durable, so don't just have one backup that you might lose for assorted reasons.

And, if you decide to go with a hosting service, keep your own backups anyway. If your hosting company loses your data, they've hurt a customer, which isn't good, but your business is dead, and that's worse. If your service goes out of business, you may never see your data again.

The person most concerned with your backups is you, and this is something you can normally do for yourself. Do so.

This is exactly how I got my start, and I still run a home server sandbox.

• Use a wired connection for your server, not airport.
• After using Slackware, Fedora, SuSE, CentOS and Ubuntu, I would suggest Ubuntu Server https://www.ubuntu.com/products/whatisubuntu/serveredition as it makes management and improving security somewhat easier out-of-the-box, but really, distribution is mostly dependant on personal preference. All the above distributions have big communities behind them (though Slackware's is pretty small in comparison).

As for hardware: my home sandbox runs on a 64-bit server-quality tower with two SATA RAID arrays (system, services) and 2 gigs of RAM, which is plenty for this application. The specs you suggest are possibly overkill, but if you can afford it, definitely go for it. In the long run, you'll only need more, right.

As for backing up, you can save some cash by forgoing the USB hard drive and just putting in a second hard drive that copies in the same cron-based manner. Note, though, that I'm not suggesting a RAID mirroring array, since this is not a backup, but just a second hard disk. You'll save money on the enclosure, and transfer speeds will be somewhat higher than with an external. A superior backup method would be off-site, or to a NAS device.

And security: learn how to tunnel everything. You'll likely only need to open 80 (and maybe 443) and 22 to the outside world. Tunnel the rest over ssh for remote administration. You may even be able to tunnel all the services you need, saving the cost of a VPN router.

EDIT To create an ssh tunnel:

ssh remote.host.com -L local_port:remote_network_address:remote_port

So, from outside my network, if I want access to my router's web interface from my laptop which is outside my LAN, I use

ssh my-home.com -L 8081:192.168.0.1:80

and then open up a browser and hit https://localhost:8081 and voilà--encrypted tunnel from localhost:8081 to 192.168.0.1:80 on the remote host's LAN. If you need to do this from Windows, PuTTY (IMHO, the de facto Windows ssh client) will allow you to configure them before you connect. The above code works on any *nix (including Mac OS X).