
Tips for Running My First Personal Ubuntu Server at Home?

Hello!
 

I have acquired an old computer and intend to turn it into a personal server running Ubuntu Linux. I am planning on running a streaming service like Plex to watch movies and shows I have downloaded, I would like to run a picture server like PhotoPrism so I can stop paying for OneDrive, the ability to run gaming servers would also be nice so i could play Minecraft or Just Cause 3 with friends, and a pi-hole or similar ad-blocking service would be awesome as well.

I have a basic understanding of Linux based software, I have a raspberry pi running steam link so I can stream games to my living room TV, but that's about the extent of my knowledge and I just followed a tutorial to set it up.

My biggest worry is security for the server, and my home network in general. I have no clue where to start with making sure that when my home server is set up it's secured against the majority of potential attacks. I know I probably can't prepare for everything, but does anyone have any tips for where to get started with this?

I have watched these videos for my basic understanding of Linux-based servers, and the last one is about server security. The biggest takeaway I got from that video was to make it so that SSH only listens on IPv6, and I have no clue how to do that haha.

 

Thanks! -StarLord64

 


Woah, thanks! 
So literally all I'd have to do is just add that "ListenAddress [insert IPv6 address here]" into my config file? Just that one line, and that makes it so it only listens for SSH on IPv6?
Do you know of any common issues with this? I run a number of smart devices and other wireless devices in my house, would this interfere with them at all? Or connecting new devices?

 

Thank you for the response!


I wouldn't even bother with restricting SSHD to IPv6 for home use, especially if your SSH port (22) isn't forwarded (exposed to the internet).

Someone would first have to get into your network, and then be able to brute force it. The chance of that is nothing. 

 

SSH is for remote terminal access; while you could use the protocol as a SOCKS proxy or for secure FTP etc., none of your smart devices would be doing this.

 

If you do want security, then I would learn UFW (Uncomplicated Firewall), which is the default firewall on Ubuntu. You should enable it.

https://www.digitalocean.com/community/tutorials/ufw-essentials-common-firewall-rules-and-commands

 

Here's an example of one of my firewalls; it's deny by default and allows only these ports from the specified destinations:

[screenshot of the UFW rule list, not reproduced]

 

You could set up Fail2Ban as well, which creates a ban system that automatically adds firewall rules to block IP addresses that fail on the protocols you specify (e.g. SSH) too many times in a row. This shuts down brute force attacks.

https://linuxize.com/post/install-configure-fail2ban-on-ubuntu-20-04/

 

You could also set up SSH key authentication and disable passwords, which makes it impossible to brute force SSH. If you're using something like PuTTY, you can export the key and run it through PuTTYgen to convert it to a key file compatible with PuTTY (.ppk).

https://linuxize.com/post/how-to-set-up-ssh-keys-on-ubuntu-20-04/

 

 

As for using the server, much of what you mention can be Dockerised. I'd personally look at material on setting up and using Docker.

 

Particularly? 

 

Ubuntu comes with Docker, but I'd recommend removing that and installing Docker-ce (Docker Community Edition):

https://computingforgeeks.com/how-to-install-docker-on-ubuntu/

 

I'd also recommend installing docker-compose (apt install docker-compose)

 

As an extra you could also install Portainer which is an excellent web management interface for managing Docker:

https://docs.portainer.io/v/ce-2.9/start/install

 

 

Here's a Plex example from Linuxserver.io for setting up a Plex docker, including a docker-compose config:

https://docs.linuxserver.io/images/docker-plex

 

Docker-Compose is a configuration file that makes it super simple to redeploy containers. 

Here's an example of using docker-compose to deploy the UniFi Controller.

 

(You can see that, for security, each of my apps also runs as its own user; I specify that user's UID (User ID) & GID (Group ID) in the app's docker config.)

 

[screenshot of the UniFi Controller docker-compose file, not reproduced]

 

And then I can manage it through Portainer without having to use CLI 

 

[screenshot of the Portainer container view, not reproduced]

 

 

 

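The UFW, Fail2Ban, SSH-key and per-app-user steps above, pulled together as one script. This is an added example, not Jarsky's code or anything from the thread. It assumes a LAN of 192.168.1.0/24 (override with LAN_CIDR), that your public key is already in ~/.ssh/authorized_keys, that media lives under /srv, and that a system user named plex is acceptable as the container's PUID/PGID; all of those are assumptions, not facts from the post. Each write_* function takes a root prefix: "" writes to the live system, any other path writes into a scratch tree so you can read the files before applying them.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): baseline hardening for a home Ubuntu server.
# Assumptions: LAN is 192.168.1.0/24, admin key already in ~/.ssh/authorized_keys,
# media under /srv, a "plex" system user for the container. Adjust to taste.
set -eu

LAN_CIDR="${LAN_CIDR:-192.168.1.0/24}"

# sshd drop-in: keys only, no root login. With no password to guess, a
# brute-force attempt has nothing to work on.
write_sshd_dropin() {
  local root="${1:-}" dir
  dir="$root/etc/ssh/sshd_config.d"
  mkdir -p "$dir"
  cat > "$dir/10-hardening.conf" <<'EOF'
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitRootLogin no
PubkeyAuthentication yes
MaxAuthTries 3
EOF
  printf '%s\n' "$dir/10-hardening.conf"
}

# Fail2Ban: five failed SSH logins within ten minutes bans the source for an hour.
write_fail2ban_jail() {
  local root="${1:-}" dir
  dir="$root/etc/fail2ban"
  mkdir -p "$dir"
  cat > "$dir/jail.local" <<'EOF'
[DEFAULT]
# Read the journal directly; newer Ubuntu releases ship without /var/log/auth.log.
backend  = systemd
bantime  = 1h
findtime = 10m
maxretry = 5

[sshd]
enabled = true
EOF
  printf '%s\n' "$dir/jail.local"
}

# Deny-by-default firewall that only admits SSH and Plex from the LAN.
# Printed rather than executed so the rules can be reviewed (and tested) first.
ufw_rules() {
  local lan="${1:-$LAN_CIDR}"
  cat <<EOF
ufw default deny incoming
ufw default allow outgoing
ufw allow from $lan to any port 22 proto tcp
ufw allow from $lan to any port 32400 proto tcp
ufw --force enable
EOF
}

# Compose file in the linuxserver.io Plex layout. PUID/PGID make the container
# drop to the given user, so a compromise of Plex is not root on the host.
write_plex_compose() {
  local root="${1:-}" puid="${2:-1000}" pgid="${3:-1000}" dir
  dir="$root/srv/plex"
  mkdir -p "$dir"
  cat > "$dir/docker-compose.yml" <<EOF
services:
  plex:
    image: lscr.io/linuxserver/plex:latest
    container_name: plex
    environment:
      - PUID=$puid
      - PGID=$pgid
      - TZ=Etc/UTC
      - VERSION=docker
    volumes:
      - /srv/plex/config:/config
      - /srv/media:/media:ro
    ports:
      - "32400:32400/tcp"
    restart: unless-stopped
EOF
  printf '%s\n' "$dir/docker-compose.yml"
}

# Apply to the live system. sshd -t runs before the reload so a typo in the
# drop-in cannot lock you out of the machine you are sitting at.
apply_all() {
  [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
  grep -q '^Include /etc/ssh/sshd_config.d/' /etc/ssh/sshd_config \
    || echo 'Include /etc/ssh/sshd_config.d/*.conf' >> /etc/ssh/sshd_config
  write_sshd_dropin "" && sshd -t && systemctl reload ssh
  write_fail2ban_jail "" && systemctl enable --now fail2ban
  ufw_rules | while IFS= read -r cmd; do $cmd; done
  id -u plex >/dev/null 2>&1 || useradd -r -s /usr/sbin/nologin plex
  write_plex_compose "" "$(id -u plex)" "$(id -g plex)"
}

if [ "${1:-}" = "apply" ]; then apply_all; fi
```

Run it as `sudo ./harden.sh apply` from a console or an existing SSH session, and keep that session open until a second key-based login works; `chown -R plex:plex /srv/plex/config` before the first `docker compose up -d`. The Plex service is published on 32400/tcp instead of `network_mode: host` so the UFW rule actually applies to it. If you still want the IPv6-only listener from the video, `AddressFamily inet6` in the same drop-in does that, but as noted above it buys nothing while port 22 is not forwarded.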

 


Thank you for the information! I just got the basic computer up and running that will run the server, setting it up to remote into it through my windows PC is next.


Security Patches:
You want to make sure it's current and updated. Ubuntu is pretty good with auto-updates; you can enable them, but you will have to reboot to do kernel updates (and you do need to do this, probably monthly at least).

 

Limit access:

SSH should be set to not allow root login and use key based authentication only.

Apache's (or other httpd's) configuration should be limited as well. Make sure file browsing is off. You can setup Let's Encrypt fairly easily for TLS.

And that should be all you need to open on the firewall. You do not want to expose Samba or Syslogd to the internet (Jarsky, you may want to check those rules? I trust you have reasons..)

 

You might look into Nextcloud for photo sync.. It has a security check feature. Idk how much I trust it but it's better than nothing..

 

Docker on Ubuntu has some out-of-the-box security problems (a guest in a container can map root). You'll want to take care of that. It's pretty dumb they ship like that, but that is Linux for you.

(Ahh... I'm already missing the simplicity of FreeBSD's PF and Jails.. oh well onward with Ubuntu 😉 )
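The two items above that are plain configuration, unattended security patches with a scheduled reboot for kernel updates, and Docker user-namespace remapping so UID 0 inside a container is an unprivileged subordinate UID on the host, as one script. Added example, not jde3's code or anything from the thread; the 03:00 reboot window, the extra daemon.json logging options and the `dockremap` check are my choices, not facts from the post. As in the script above, a root prefix of "" targets the live system and any other path writes into a scratch tree.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): unattended security updates plus Docker
# user-namespace remapping on Ubuntu. Assumptions: reboot window 03:00, Docker CE
# installed, no container needs --privileged or host networking.
set -eu

# apt.conf.d fragments are all read, so a dedicated file per concern is fine.
write_auto_upgrades() {
  local root="${1:-}" dir
  dir="$root/etc/apt/apt.conf.d"
  mkdir -p "$dir"
  cat > "$dir/20auto-upgrades" <<'EOF'
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
EOF
  # A new kernel only takes effect after a reboot; let the box do it at 03:00.
  cat > "$dir/52reboot" <<'EOF'
Unattended-Upgrade::Automatic-Reboot "true";
Unattended-Upgrade::Automatic-Reboot-Time "03:00";
EOF
  printf '%s\n' "$dir/20auto-upgrades" "$dir/52reboot"
}

# userns-remap: root inside every container becomes the host's "dockremap"
# subordinate UID, so escaping a container does not yield host root.
write_docker_daemon_json() {
  local root="${1:-}" dir
  dir="$root/etc/docker"
  mkdir -p "$dir"
  cat > "$dir/daemon.json" <<'EOF'
{
  "userns-remap": "default",
  "no-new-privileges": true,
  "log-driver": "json-file",
  "log-opts": { "max-size": "10m", "max-file": "3" }
}
EOF
  printf '%s\n' "$dir/daemon.json"
}

# Returns 0 when a pending kernel (or similar) update still needs a reboot.
reboot_pending() {
  local root="${1:-}"
  [ -e "$root/var/run/reboot-required" ]
}

apply_all() {
  [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
  apt-get install -y unattended-upgrades
  write_auto_upgrades ""
  write_docker_daemon_json ""
  systemctl restart docker
  # The daemon creates the dockremap user and its subordinate range on restart.
  grep -q '^dockremap:' /etc/subuid
  if reboot_pending ""; then echo "reboot required for a pending kernel update"; fi
}

if [ "${1:-}" = "apply" ]; then apply_all; fi
```

Two caveats before switching on userns-remap on a box that already has containers: existing images and volumes are re-pulled or re-owned under the remapped UIDs, so expect a one-time chown of bind-mounted config directories, and containers that need `--privileged`, `network_mode: host` or the host's PID namespace must opt out per container with `userns_mode: "host"`. `reboot_pending` just checks the flag file unattended-upgrades leaves behind; if the nightly reboot is off, it is the thing to poll.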

 



9 hours ago, jde3 said:

You do not want to expose Samba or Syslogd to the internet (Jarsky you maybe want to check those rules? I trust you have reasons..)

 

Mine are fine because the server has no public interface; it's behind my UniFi firewall, which doesn't allow Samba outside of my network.

There's also no Samba share on that particular server anyway.

 

I was fine with posting that as an example, because I doubt he has a subnet assigned to his home connection and is binding public IP addresses. 

 


 

