8

I've built a home server (pretty much just a basic PC with a couple of big HDDs) which I would like to use as an FTP server and a Minecraft server. Both would be for members of my gaming community. I would also like to access my home server's terminal while not at home (SSH).

I'm currently unsure of how I'd give out access to the FTP server, but I'd like it to be available to whoever in the community wants access, so it could potentially be somebody hostile, but it wouldn't be random attack-bots. Chances are I'll either send them the login details of a shared 'guest' account or I'd give individual members separate accounts.

I don't plan to host any important or personal data on the server, but I'd like to secure it as much as possible without making it a pain for people to use. It is connected as a node in my home network, and has nothing special about it (other than currently being port forwarded in the router for the Minecraft server).

It is running Ubuntu server 15.10, and is connected to the Sky Hub router via a 5-port unmanaged switch (which my personal desktop PC is also connected to). It has a static internal IP.

Is what I'm planning a terrible idea, and how would I mitigate against potential attacks?

BenAdamson
  • I would urge caution with respect to the FTP server functionality... you could end up with anything on there, including illegal stuff that has the potential to lead law enforcement to your door. – R15 Nov 30 '15 at 07:15
  • Use SFTP instead of FTP. – André Borie Nov 30 '15 at 20:58

3 Answers

6

First things first, assume that your server will be under attack as soon as you put it online. Operate under that assumption and you'll avoid a lot of mistakes that people normally make.

I would start off by putting your server in a DMZ so that in the event that it does get compromised, the attack surface is limited in terms of what it can get to. If this is not possible, it's not the end of the world but it does help keep things separated.

Next, and probably more importantly, absolutely nothing that does not need to be running should be running. Turn off all unnecessary features (do you really need a GUI environment?) and block any ports that are not specifically required to function. I like iptables myself, but the important thing is that something is used.

There are some tools you can use to detect malicious activity, such as scanning, brute-forcing, exploit attempts, etc. I won't go over each in detail, but here are a few I have used over the years:

  • tripwire is somewhat outdated but not terribly so
  • ossec serves a similar role, but is more reactive
  • snort is very popular, has a lot of rules

More important than any specific tool is that you configure and use it correctly. Make sure you understand what all the tool covers, what it doesn't, and what happens when it fails.

You can definitely run a home server, and it can be a good learning experience to do so, but you'll want to make sure your system is updated and kept under watch. Don't neglect to check in on it occasionally just because it seems to be running fine.

TactiFail
2

My primary advice to you would be to ensure that you lock it down as much as possible.

Begin at the transport level. There's a bunch of Linux routes to do this; personally, I find ufw to be a reasonably easy-to-use one. If there's a port that doesn't need to be open (i.e. there is not a specific reason for it to be open to the internet), then it shouldn't be. If it needs local access, only open it to addresses on your local network. You've listed 3 services (FTP, SSH, Minecraft) which need to be open, so limit your config to only allowing those outside of your network.

Then look at authentication. For SSH, as it allows execution, I would recommend NOT opening this up for general access. Select your own user account, and give it permissions for SSH, and block all others. I'd personally recommend using keys for authentication and not allowing passwords at all, but that's just me.

You want the FTP to be open, so the solution is to restrict its access. Give it a generic account, and make it so that it can only access a specific, non-important directory. Run nothing from here, and have nothing pointed to it as a save directory.

I'd guess that you want Minecraft to be relatively open, which is fine, but that takes more management to tackle griefing (world backups, etc.).

There are a few HIDS (Host-based Intrusion Detection Systems) which will help to mitigate the effects of anyone trying to attack your server.

Jozef Woods
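The SSH recommendations in the answer above (keys only, one permitted account), as an added example that is not part of the original answer: a Python check of `sshd_config` text. The account name `ben` and both sample configs are constructed; the check also flags keyboard-interactive logins and `Match` blocks, which can let password logins back in even when `PasswordAuthentication no` is set.

```python
# Added example: audit an sshd_config for key-only login by one account.
# The user name "ben" and both sample configs are constructed for illustration.
DEFAULTS = {"passwordauthentication": "yes", "kbdinteractiveauthentication": "yes"}
# Older OpenSSH releases use this name for keyboard-interactive logins.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}
AUDITED = set(DEFAULTS) | {"allowusers"}

WEAK = """\
PasswordAuthentication no
ChallengeResponseAuthentication yes
AllowUsers ben guest
Match Address 192.168.0.0/24
    PasswordAuthentication yes
"""
HARDENED = """\
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
AllowUsers ben
"""


def parse(config_text):
    """Return (global settings, AllowUsers patterns, audited lines inside Match)."""
    settings, allow, match_hits, in_match = {}, [], [], False
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        key = ALIASES.get(parts[0].lower(), parts[0].lower())
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            in_match = True              # everything below is conditional
        elif in_match:
            if key in AUDITED:
                match_hits.append(line)
        elif key == "allowusers":
            allow.extend(value.split())  # collected across lines (conservative)
        else:
            settings.setdefault(key, value.lower())  # sshd keeps the first value
    return settings, allow, match_hits


def audit(config_text, admin_user):
    """Return a list of findings; an empty list means the checks passed."""
    settings, allow, match_hits = parse(config_text)
    findings = [f"{k} is not 'no'" for k, d in DEFAULTS.items()
                if settings.get(k, d) != "no"]
    if {p.split("@", 1)[0] for p in allow} != {admin_user}:
        findings.append(f"AllowUsers does not limit SSH to {admin_user} alone")
    findings += [f"Match block changes an audited setting: {m}" for m in match_hits]
    return findings
```

Run `audit(open("/etc/ssh/sshd_config").read(), "<your account>")` on the server; `sshd -T` prints the configuration the daemon actually resolved and is the authoritative cross-check.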
1

I agree with the answers from @Jozef Woods and @TactiFail about locking down the server etc.

I would also add that you should make sure you apply patches regularly, and this applies not only to the OS. If you want it to be a Minecraft server, then it will be running Java I presume? That will be a key component to patch. For example, this update from Java fixed 8 vulnerabilities rated as critical severity as well as a bunch of other less severe items:

https://www.cvedetails.com/vulnerability-list/vendor_id-93/product_id-19117/version_id-168994/Oracle-JRE-1.7.0.html

I would also apply industry-standard hardening to the server. You can download an excellent guide for various flavours of Linux, for free, from CIS:

https://benchmarks.cisecurity.org/downloads/browse/?category=benchmarks.os.linux

These guides cover:

  • Locking down the file system
  • Hardening of the process execution context
  • Removal of services that are not required
  • Network configuration
  • Logging and auditing
  • User account management
Mike Goodwin