Gentoo Forums
Home server/router pointers needed
Forum: Networking & Security
foobar.bernie
n00b
Joined: 11 Jul 2012
Posts: 5
Posted: Fri Jun 06, 2014 11:07 am    Post subject: Home server/router pointers needed

The story

Up until now my home router has been a very simple configuration for NAT and 4to6. It's a very minimalist Intel XEON E3-1220L based box with an average power consumption of 14.6 Watts (solar powered).

Current setup:
Code:
net-firewall/shorewall (NAT and firewall)
net-firewall/shorewall6 (IPv6 firewall)
net-misc/radvd (IPv6 router advertisement)
net-dns/dnsmasq (forwarding DNS server, DHCP)
net-misc/openssh (secure shell, only accessible from LAN)


The server was almost undetectable from the outside and has been doing its job for a while now. I am now required to add several functionalities that increase the vulnerability significantly.

New requirements:
Code:
VPN gateway
SSH access from the outside (probably through VPN)
Mail server
Backup server (LAN, VPN)
LDAP (LAN, VPN)

My plan is to use qemu-kvm based virtualisation to isolate publicly accessible services, which has me quite worried since I want to keep it as easy to maintain as possible. I have had a look at several virtual machine management applications and all of them look quite complex. The one I liked the most was libvirt.

The question
I would be more than happy for some pointers from users with experiences in VM management and maybe monitoring before I go down the road of no return.
Would libvirt be the right choice?

Thanks a lot in advance
Bernie


Last edited by foobar.bernie on Fri Jun 06, 2014 9:15 pm; edited 1 time in total
Ant P.
Watchman
Joined: 18 Apr 2009
Posts: 5592
Posted: Fri Jun 06, 2014 4:34 pm

libvirt+qemu is a perfectly reasonable choice here. You also get a nice GUI admin tool with built in remote viewers and sane VM defaults for free.

Xen is good too if you can spare the effort, but it's a lot of effort, whereas libvirt can be dropped in a running system with no disruption.
kikko
Apprentice
Joined: 29 Apr 2014
Posts: 256
Location: Milan, IT
Posted: Fri Jun 06, 2014 4:38 pm

Do you mean KVM (with qemu and libvirt, I suppose)?
Since you only have to run services in a separate way, instead of setting up and running different virtual machines, have you checked out Linux Containers (https://wiki.gentoo.org/wiki/LXC) instead?

Libvirtd is a good choice for managing and monitoring VMs. It's quite easy to set up and maintain (BTW, it manages LXC as well, but I haven't tried that...)
Pearlseattle
Tux's lil' helper
Joined: 04 Oct 2007
Posts: 138
Location: Switzerland
Posted: Fri Jun 06, 2014 8:15 pm

What is "KML"?

On my side, I am using purely qemu-kvm to run VMs which group services based more or less on their type (e.g. public web, public mail or very private services) and risk/needed awareness/maintenance criteria (public web is medium, public mail is high, private services is low).
- I don't use "libvirt" - startup/shutdown of the VMs is done using custom scripts.
- I used Xen for a while (and I subjectively think that it gives the best performance) and I honestly don't know if nowadays you need a custom kernel to run it or not (can I use "gentoo-sources" to run a Xen-kernel?).
Stability of qemu seems to be good - all really bad problems I had so far (a VM totally stuck because of a low-level script I wrote + the whole system going offline because of a power surge on both power plugs) could be recovered without complications.

My recommendation is therefore as follows:
- Use VMs in any case, as a base. Use qemu-kvm or Xen (doesn't matter which one - you just have to feel comfortable with whatever you choose)
- On the host keep only the ssh port open, on an unusual custom port. When using VMs you're relying on the host to be untouched and if you add any additional services you just raise the chances that somebody will break into it and in such a case you'll have to assume that all VMs are corrupted (basically just because the host has read/write access to the VMs filesystem).
- Run the services grouped by VM depending on what you think about which service could run together with another (e.g. if you put the accent on security/needed focus then a public ftp might be coupled with the mail service, but if you give priority towards the type of data that is served then you would keep them separated).
- As kikko wrote, you might want to use "Containers" within a host or VM to put additional barriers => the above example of public ftp and email server might be such an example where both are high-risk (high-visibility + high-desirability by crackers)

Additional notes:
- the mailserver will be the trigger to attract A LOT of attention towards your server. At the beginning nothing will happen, but as soon as one of your hosted domains will show up in some list then expect at least ~200 daily attempts of email redirection through your domain and peaks of 1000 password-guessing client connections per day => I'm using "fail2ban" (bans a source IP after X attempts for Y many minutes) but you should ideally find a solution which is more intelligent (many attacks are distributed over many source IPs and they adapt to the ban-time you set).
- strictly monitor logfiles.
- stuff like "suhosin" for apache is mandatory.
- you'll need to keep an eye on the ram/cpu/disk/network that the host and your VMs and containers are using (using whatever you choose, e.g. nagios, munin, observium, netxms). You might notice problems and/or organized attacks only if you keep distance from the details.

It will be an interesting experience - hope that you will enjoy it!!!
I did and still am :D
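Pearlseattle's point about distributed password guessing (a per-IP ban of the fail2ban kind misses a campaign spread over many source addresses) can be addressed by counting failures on more than one key. The script below is an added example, not code from this thread or from fail2ban. It assumes the Postfix/SASL syslog line format shown in its comments (the `sasl_username=` suffix is treated as optional, since older Postfix versions do not log it), uses constructed sample lines with RFC 5737 test addresses, and the window and thresholds are illustrative values.

```python
"""Detect SMTP password guessing in Postfix logs, including distributed attempts.

Added example, not from the forum thread and not fail2ban's own code. A
per-IP ban (the fail2ban model) misses a campaign spread over many source
addresses, so this script keeps three sliding-window counters: per source
IP, per targeted account and per source /24. The log lines are constructed
samples in Postfix/SASL syslog format using RFC 5737 test addresses; the
"sasl_username=" suffix and all thresholds are assumptions for the example.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Matches e.g.
#  Jun  6 22:10:00 gw postfix/smtpd[1234]: warning: unknown[203.0.113.5]: \
#    SASL LOGIN authentication failed: authentication failure, sasl_username=admin
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+postfix/smtpd\[\d+\]:\s+"
    r"warning:\s+\S+\[(?P<ip>\d+\.\d+\.\d+\.\d+)\]:\s+SASL\s+\w+\s+authentication failed"
    r"(?:.*?sasl_username=(?P<user>\S+))?"
)
EPOCH = datetime(1900, 1, 1)  # strptime without %Y lands in 1900; only deltas matter


def parse_line(line):
    """Return (seconds, ip, user_or_None) for a SASL failure line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    secs = (datetime.strptime(m.group("ts"), "%b %d %H:%M:%S") - EPOCH).total_seconds()
    return secs, m.group("ip"), m.group("user")


class SlidingCounter:
    """Number of events per key inside the trailing `window` seconds."""

    def __init__(self, window):
        self.window = window
        self.events = defaultdict(deque)

    def add(self, key, t):
        q = self.events[key]
        q.append(t)
        while q and q[0] < t - self.window:   # drop events that fell out of the window
            q.popleft()
        return len(q)


def analyse(lines, window=600, per_ip=5, per_user=10, per_net=20):
    """Return alerts as (kind, key, count) the first time each threshold trips.

    kind 'ip'   : one address hammering (what a per-IP ban already catches)
    kind 'user' : one mailbox targeted from many addresses (distributed guessing)
    kind 'net'  : a whole /24 grinding away while each IP stays under per_ip
    """
    ip_ctr, user_ctr, net_ctr = (SlidingCounter(window) for _ in range(3))
    alerts, fired = [], set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:          # delivery lines, bounces, etc. are ignored
            continue
        t, ip, user = rec
        net = ip.rsplit(".", 1)[0] + ".0/24"
        checks = [("ip", ip, ip_ctr.add(ip, t), per_ip),
                  ("net", net, net_ctr.add(net, t), per_net)]
        if user:
            checks.append(("user", user, user_ctr.add(user, t), per_user))
        for kind, key, n, limit in checks:
            if n >= limit and (kind, key) not in fired:
                fired.add((kind, key))
                alerts.append((kind, key, n))
    return alerts


def fail_line(hh_mm_ss, ip, user=None):
    """Build one constructed Postfix SASL-failure log line (sample data only)."""
    tail = f", sasl_username={user}" if user else ""
    return (f"Jun  6 {hh_mm_ss} gw postfix/smtpd[1234]: warning: unknown[{ip}]: "
            f"SASL LOGIN authentication failed: authentication failure{tail}")


# Constructed sample log: one unrelated delivery line, a single noisy host,
# a distributed attack on one account from 12 addresses, and a /24 that
# spreads 21 attempts over 21 hosts (one each, so no per-IP threshold trips).
SAMPLE_LOG = (
    ["Jun  6 22:09:58 gw postfix/smtp[999]: 1A2B3C: to=<x@example.org>, status=sent (250 ok)"]
    + [fail_line(f"22:10:0{i}", "203.0.113.5", "admin") for i in range(6)]
    + [fail_line(f"22:11:{i:02d}", f"198.51.100.{i + 1}", "bernie") for i in range(12)]
    + [fail_line(f"22:30:{i:02d}", f"192.0.2.{i + 1}") for i in range(21)]
)

if __name__ == "__main__":
    for kind, key, n in analyse(SAMPLE_LOG):
        print(f"{kind:4s} {key:20s} {n} failures in window")
```

Feeding it the real log (`tail -F /var/log/mail.log`, or the journal) is a matter of replacing `SAMPLE_LOG` with a line iterator; the 'user' and 'net' alerts are the ones a per-IP jail cannot produce, and what you do with them (temporarily disabling the account, tarpitting the subnet) is a policy decision that is easier to make once the counts are visible.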
foobar.bernie
n00b
Joined: 11 Jul 2012
Posts: 5
Posted: Fri Jun 06, 2014 10:25 pm

When I wrote KML I meant KVM. Sorry for that brain fart.

Regarding LXC
I have had a look at lxc and felt like the containers were better suited for less exposed scenarios. I know they provide quite good isolation and have not really considered running LXC on a VM for added security. I have to think about this. It kind of makes sense. Especially for the mail server. Virtualization is the closest I can get to hardware separation, which I cannot afford since I live off the grid and have no job.

Host configuration
My plans are to have the host run no public service at all besides the sshd which I want to be accessible through VPN only. It would seem logical to group VMs for LAN, VPN and public services. The last time I ran a public FTP server was back in 2005 and I have no intention of ever doing it again. I wish I could ditch the mail service as well but I cannot do without it. The safest thing would be to relay only messages coming from localhost and within the VPN. My smtpd of choice will probably be postfix, since I have used it before.

Monitoring
It seems prudent to implement the whole thing with monitoring in mind. I have not decided between nagios/icinga and munin yet but am opting for the latter.

My guess is that it will take me two to three months to implement the system. Would it be ok to regularly post my progress here?

I am really grateful for all the input so far
All times are GMT
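The relay policy Bernie describes (relay only for localhost and VPN clients, inbound mail for the hosted domains still accepted from anywhere) maps onto a few Postfix main.cf settings. The fragment below is an added example, not configuration from this thread; the VPN subnet 10.8.0.0/24 is an assumption, and `smtpd_relay_restrictions` requires Postfix 2.10 or later.

```ini
# /etc/postfix/main.cf fragment (added example; 10.8.0.0/24 is an assumed VPN subnet)

# Inbound mail for the hosted domains must still arrive from the Internet,
# so the public interface keeps listening.
inet_interfaces = all

# Networks that may relay through this host: loopback and the VPN only.
# Never widen this to 0.0.0.0/0 or to the public interface's subnet;
# that is what turns a mail server into an open relay.
mynetworks = 127.0.0.0/8, [::1]/128, 10.8.0.0/24

# Postfix 2.10+: relaying is decided here, before smtpd_recipient_restrictions.
# permit_mynetworks lets LAN/VPN clients send anywhere; everyone else may
# only deliver to domains this server is configured to accept mail for.
smtpd_relay_restrictions = permit_mynetworks, reject_unauth_destination

# VPN clients relay by address, so no SMTP AUTH has to face the Internet;
# with SASL off there is no password to guess on port 25.
smtpd_sasl_auth_enable = no
```

After `postfix reload`, check the effective values with `postconf mynetworks smtpd_relay_restrictions smtpd_sasl_auth_enable`, then test from a host outside `mynetworks`: a `RCPT TO:` for a domain the server does not host must be refused with "Relay access denied", while a recipient in one of the hosted domains is still accepted.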