Home servers and network security

id3nt1ty
Posts: 799
Joined: Mon Sep 21, 2009 12:54 pm

Post by id3nt1ty »

I'm planning on setting up a little home server to perform a few tasks at some point in the future and I'm looking for some advice from people who have been there and done that.

I'm thinking of buying some hardware (mini-ITX form factor, LGA1155 socket) and using VMware vSphere Hypervisor to run a few virtual machines for different purposes. This might sound like overkill for home use, but I'm just looking for an interesting project. Plus, if it doesn't work I can use the hardware for something else anyway. I'm planning on making use of a selection of Linux distros (TBC) and perhaps some version of Windows Home Server if required as virtual machines. I only want to run one machine for these tasks to reduce the cost of having these services available 24/7.

The functions I want it to perform are as follows:
- Domain controller
- NAS
- Home theatre PC (HTPC)
- Firewall/proxy server for controlling access to my network
- SSH/VPN service/TOR node
- Web/db/version control server for potential future development projects

Domain Controller
This isn't 100% necessary, but as I understand it these are useful for controlling permissions throughout a network. I don't know a whole lot about this and was wondering what the advantages/disadvantages of this might be. I've never used one before - but then I've never administrated my own network before.

NAS
The advantages are obvious to me - I was planning to get a USB 3 1TB external HDD. A) I've found external ones are cheaper these days. B) It provides me with some separation of my file storage and the HDDs the VMs are running on. That way, if I ruin a VM I don't lose any data.

HTPC
Part of the reason I'm looking at LGA 1155 chips is that I can make use of the built-in graphics, which will be more than sufficient to play HD video. I plan to have the box itself in my lounge with the TV so I can use it as a Blu-ray player as well. Planning on making use of XBMC for this as I've had good experiences with this before.

Firewall/proxy server
What I mainly want here is to be able to control access to different parts of the network. I want some separation between my home users/NAS/HTPC and the SSH/VPN/TOR/web server side of things. I really have no idea where to start with this, and this is one of the main areas I'd like some help with. What OS should I look to use? As I understand it vSphere will allow me to make use of virtual routers to ensure that all network traffic will pass through this and be routed to the appropriate virtual machine.

SSH/VPN/TOR
I like having external access to my existing set-up, and I also use SSH to encrypt my internet activities whilst on holiday and tunnel stuff like Spotify at work. I was thinking of setting up a VPN service for ease of use but also as an experiment. I'll be setting up a TOR node so that the one I run at the moment can be taken off my friend's server - where I'm not paying electricity or internet bills.

Web/db server
I'll be planning on adding the odd website to my server and was thinking a VM for this might be a good idea.

What are your thoughts on my (provisional) solution to my problem? Am I over-complicating things, or just some crazy noob who has no idea what I'm doing?

All criticism/advice welcome - this is really just in the planning stages.
FreeBeer
Posts: 10902
Joined: Tue Dec 27, 2005 8:00 am
Location: New Brunswick, Canada

Post by FreeBeer »

I run a home server. I use it primarily as a test bed web server and off-site backup. I don't stream videos. A plain-jane Linux box has worked well for me, and I've never seen the need for VMs. Obviously if you want to tinker with that technology, then that's a different story. :)

I'd probably suggest you not go with a domain controller - especially if any of your other devices are running a basic version of Windows (i.e. XP Home). MS has disabled their ability to connect to a domain (forcing you to go to Professional or Enterprise editions for that feature). It'll probably only complicate things anyway. Baby steps. You can always add that later.

Just a few notes from my experience. YMMV. :)
fwiffo
Posts: 1525
Joined: Fri Sep 07, 2007 4:38 am
Location: CA, USA
Contact:

Post by fwiffo »

If you're planning to run multiple VMs at the same time you need lots of memory and a fairly beefy server. You can give more CPU priority to specific VMs like your media streaming, but keep in mind they are all sharing a finite set of resources.

PM me for specific questions on VMware; I've been using/maintaining this for the last 3 years.
dusanc
Posts: 1302
Joined: Sat May 16, 2009 12:06 pm
Location: СРБИЈА/Serbia

Post by dusanc »

I would go with Linux+KVM and scrap the domain controller.

I would make a diskless/fanless silent HTPC (XBMC) and a different machine for the NAS+rest.
fuzzylunkin1

Post by fuzzylunkin1 »

Ignore the domain controller, unless you just want to do it for curiosity/experience, IMO.

Usually NAS means something specifically built for storage, but you said you want to just use one computer? If you want to export your external hard drive on an NFS server, go for it. Note, NFS support on Windows is horrible (but FTP works fine).

I love love love love my XBMC media center. I run XBMC on Gentoo with a cheap NVIDIA graphics card + proprietary drivers. I would highly recommend going this route (NVIDIA graphics card), as VDPAU is a great option for HD video. You don't need anything expensive. I use a GeForce 210, which is about the lowest I would go. If you want to use a Blu-ray drive on Linux, there is little to no encryption/DRM support. However, there are backup/rip/encoding tools as a "workaround."

As for network separation, I've done this with a custom Linux router and subnets (iptables, DHCP server, etc). Don't have much experience outside that.

For a TOR node, possibly look into something with hardware encryption and/or random number generation.
Not necessarily overcomplicating things, just do it one at a time. A lot of chances to learn!
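The "custom Linux router and subnets" approach above, as an added example that is not from the thread or any poster: an iptables policy that keeps the trusted home segment (users, NAS, HTPC) apart from the exposed segment (SSH, VPN, TOR, web). Interface names, subnets and the exposed ports are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Three-legged Linux router:
# WAN upstream, LAN for trusted devices, DMZ for internet-facing services.
# All interface names, subnets and ports below are assumed values.
WAN=eth0                       # ISP side
LAN=eth1                       # home users, NAS, HTPC
DMZ=eth2                       # SSH, VPN, Tor, web
LAN_NET=192.168.10.0/24
DMZ_NET=192.168.20.0/24
DMZ_TCP_PORTS="22,80,443,9001" # SSH, HTTP, HTTPS, Tor ORPort (assumed)
DMZ_UDP_PORTS="1194"           # OpenVPN (assumed)

# Emit the policy in iptables-restore format so it can be read and checked
# before it is loaded; apply_rules loads it atomically.
build_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# The router itself: loopback, replies to its own traffic, admin SSH from LAN only
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -i $LAN -s $LAN_NET -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# Forwarding: stateful first, then explicit segment-to-segment permissions
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -i $LAN -s $LAN_NET -o $WAN -j ACCEPT
-A FORWARD -i $LAN -s $LAN_NET -o $DMZ -d $DMZ_NET -j ACCEPT
-A FORWARD -i $DMZ -s $DMZ_NET -o $WAN -j ACCEPT
-A FORWARD -i $WAN -o $DMZ -d $DMZ_NET -p tcp -m multiport --dports $DMZ_TCP_PORTS -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -i $WAN -o $DMZ -d $DMZ_NET -p udp -m multiport --dports $DMZ_UDP_PORTS -m conntrack --ctstate NEW -j ACCEPT
# The separation asked for: nothing initiated in the DMZ may reach the LAN.
# LAN-initiated sessions still get their replies via the ESTABLISHED rule above.
-A FORWARD -i $DMZ -o $LAN -j LOG --log-prefix "DMZ->LAN blocked: "
-A FORWARD -i $DMZ -o $LAN -j DROP
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o $WAN -j MASQUERADE
COMMIT
EOF
}

# Load the whole policy in one step; iptables-restore rejects the entire
# set on a syntax error, so a typo never leaves a half-applied ruleset.
apply_rules() {
    build_rules | iptables-restore
}

# Self-check usable without root: how many FORWARD rules accept NEW traffic
# arriving on the WAN interface? Only the two DMZ service rules should.
wan_forward_accepts() {
    build_rules | grep -c -- "-A FORWARD -i $WAN .* -j ACCEPT"
}

# Self-check: is the DMZ-to-LAN drop present?
dmz_to_lan_dropped() {
    build_rules | grep -q -- "-A FORWARD -i $DMZ -o $LAN -j DROP"
}
```

Run `build_rules` first to review the generated policy, then `apply_rules` as root on the router.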
id3nt1ty
Posts: 799
Joined: Mon Sep 21, 2009 12:54 pm

Post by id3nt1ty »

Cheers for the tips all :)

I'm quite happy to ditch the DC idea. FreeBeer makes a good point about the Windows versions - my fiancée's laptop and PC are both running home versions of Windows 7. Plus, seeing as there will be only two of us using the network it seemed like overkill.

I'm aware that virtualisation is limited by resources, but I've been told that RAM is the most important resource to have. As I understand it CPU power can be assigned on the fly but vRAM must be assigned specifically to each guest. Cheers for the offer of help fwiffo - I'll keep it in mind when I get around to actually building my system.

fuzzy, I wasn't aware of the Linux/Blu-ray limitation you mentioned so thanks for the heads up! It wouldn't be too much trouble for me to use a Windows guest with XBMC for that. In the meantime I'm planning on getting a Raspberry Pi as soon as they're released. These little beauties are fully capable of running XBMC, whilst being about the size of a pack of cards and costing $35 - for the "top end" version.

With regards to the NAS this would literally be used to store/stream my media to the rest of the network. I wasn't planning on having a huge RAID array (yet). Previous experience sharing an external hard drive has been fine for my needs as they stand.
pkk
Posts: 5419
Joined: Tue Jul 01, 2003 7:00 am
Location: Germany, Munich

Post by pkk »

id3nt1ty wrote:
Firewall/proxy server
What I mainly want here is to be able to control access to different parts of the network. I want some separation between my home users/NAS/HTPC and the SSH/VPN/TOR/web server side of things. I really have no idea where to start with this, and this is one of the main areas I'd like some help with. What OS should I look to use? As I understand it vSphere will allow me to make use of virtual routers to ensure that all network traffic will pass through this and be routed to the appropriate virtual machine.

SSH/VPN/TOR
I like having external access to my existing set-up, and I also use SSH to encrypt my internet activities whilst on holiday and tunnel stuff like Spotify at work. I was thinking of setting up a VPN service for ease of use but also as an experiment. I'll be setting up a TOR node so that the one I run at the moment can be taken off my friend's server - where I'm not paying electricity or internet bills.
There is a free all-in-one solution to these problems:
http://www.astaro.com/landingpages/en-worldwide-homeuse
peet
Posts: 4972
Joined: Sun Jul 16, 2006 6:57 pm
Location: Holland

Post by peet »

id3nt1ty wrote:
... I'll be setting up a TOR node so that the one ...

FYI. Setting up a TOR node nowadays might give you unwanted attention. It will not be the first time TOR is abused to exchange child porn. Also TOR is abused by spammers and hackers.

If you want to have a TOR node for e.g. the repressed citizens in <insert evil country>, I suggest you take extra precautions. Also it might be wise to seek legal advice when you run into "issues".
BlackViper
Posts: 6993
Joined: Thu Aug 07, 2003 7:00 am
Location: Green Bay, WI

Post by BlackViper »

NAS: I use a WD 2TB, "My Book Live™". It only comes in a hardwired configuration. Careful with some of the USB systems. Known issues working with some hubs/routers. Plus it comes with Twonky Media Server.
Bard
Posts: 4263
Joined: Tue Jan 24, 2006 8:00 am
Location: Within your command center, enacting fatal attacks upon your conscripts
Contact:

Post by Bard »

Okay!
/me dives in
id3nt1ty wrote:
Domain Controller
This isn't 100% necessary, but as I understand it these are useful for controlling permissions throughout a network. I don't know a whole lot about this and was wondering what the advantages/disadvantages of this might be. I've never used one before - but then I've never administrated my own network before.
This may very well be where you have the most fun. Quite honestly, playing with Active Directory can be a blast and it's a highly useful skill to have but if you're running home versions of the OS it's useless.
The other thing to note is that there's a whole bunch of free software "for personal use" out there that IMMEDIATELY stops working when you try to run it on a computer that's joined to a domain.
It's a bull@#(! archaic way of limiting "commercial use" of software, but a whole ton of programmers out there still use it so be prepared for any "free for personal use - buy license for corporate use" software you have to up and die if you *do* eventually decide to run a domain.

id3nt1ty wrote:
NAS
The advantages are obvious to me - I was planning to get a USB 3 1TB external HDD. A) I've found external ones are cheaper these days. B) It provides me with some separation of my file storage and the HDDs the VMs are running on. That way, if I ruin a VM I don't lose any data.

HTPC
Part of the reason I'm looking at LGA 1155 chips is that I can make use of the built-in graphics, which will be more than sufficient to play HD video. I plan to have the box itself in my lounge with the TV so I can use it as a Blu-ray player as well. Planning on making use of XBMC for this as I've had good experiences with this before.
This sounds good.
I haven't used XBMC but I just recently set up Serviio on a GUI-free Ubuntu Server here at home and set it so that my main Windows box runs the console and the Ubuntu server has access to all of the network shares via Windows folder sharing and extensive use of the Linux "mount" command. I chose Serviio because it works with the brand of networked Blu-ray player I have, but the end result is the same - I'm streaming from a variety of drives on the network over to my DVD player and therefore my television.

The one thing I'm not sure about here is the sharing if you're using a home version of a windows client OS and plan to stream things that are, say, in a folder on your main gaming machine.
Fuh-zz is partially right - Network File Sharing on Windows HOME editions of non-server OSes blows goats. On Pro/server editions it's a piece of cake and works flawlessly. If you're just going to plug the external drive into the server box you should have no trouble once you turn off that damnable "only allow Guest access to shares" option and go with full-blown "credentials required" share access. (Make sure to give the Windows user account access to both the share AND the NTFS folder.)
For ease of use, though, I'd suggest just copying all the media you want to stream over to the external drive.
id3nt1ty wrote:
Firewall/proxy server
What I mainly want here is to be able to control access to different parts of the network. I want some separation between my home users/NAS/HTPC and the SSH/VPN/TOR/web server side of things. I really have no idea where to start with this, and this is one of the main areas I'd like some help with. What OS should I look to use? As I understand it vSphere will allow me to make use of virtual routers to ensure that all network traffic will pass through this and be routed to the appropriate virtual machine.
You're really going to want your main router on a separate physical box with two NICs and nothing else installed on it if at all possible. This should be on and accessible before you boot up any other machines.

I'm using an old microtower that uses very little power (CPU power saving feature) and pfSense, which is a fork of m0n0wall. You could probably get away with a P2 or P3, honestly. Even with a metric butt-ton of rules/filters/forwards on this thing I barely use any CPU and it handles simultaneous internet access for anywhere from 3 to 8 devices at a time. I finally resorted to this because even the supposedly robust small-business class routers I was buying for the house had so little internal memory that more than 3 computers on and using the internet at once necessitated regular router restarts. With a whopping 256 MB of RAM in my current box (as opposed to the 4 to 16 MB in most home routers), I almost never have to restart it. It also has the handy side-effect of informing me when we last had a power outage.
# uptime
7:46AM up 431 days, 18:43, 2 users, load averages: 0.02, 0.11, 0.09

/me swings his e-peen around for fun
id3nt1ty wrote:
SSH/VPN/TOR
I like having external access to my existing set-up, and I also use SSH to encrypt my internet activities whilst on holiday and tunnel stuff like Spotify at work. I was thinking of setting up a VPN service for ease of use but also as an experiment. I'll be setting up a TOR node so that the one I run at the moment can be taken off my friend's server - where I'm not paying electricity or internet bills.

Web/db server
I'll be planning on adding the odd website to my server and was thinking a VM for this might be a good idea.
Okay - one major note here. Make absolutely sure that your Apache/IIS and database instances are not running on the same virtual machine as your domain controller if/when you eventually set one up. That's a huge security hole.
I'd also say, for security purposes, it's a good idea to keep your web server and your db server on separate VMs. Both of these can be set up so that very little in the way of hardware resources is allowed them and they shouldn't experience much in the way of slowdown unless you start getting dozens of simultaneous hits or end up running CPU-intensive queries regularly.

id3nt1ty wrote:
What are your thoughts on my (provisional) solution to my problem? Am I over-complicating things, or just some crazy noob who has no idea what I'm doing?

All criticism/advice welcome - this is really just in the planning stages.
The solution looks good, honestly.
You can run a webserver/db/domain controller/version control/ssh tunnel/vpn software for a home network on one box with several virtual machines with almost no trouble assuming you configure well.

None of them are very CPU/RAM intensive and you should be able to configure each VM to only use what it's allowed, so as long as the box you're using is beefy enough to play modern games on high graphics settings, you should be alright most of the time, really. Your websites might serve up a little slow, your db queries might take a little extra time, and I wouldn't use roaming profiles on a domain controller, but I briefly ran a 400 machine domain off of a crap single core P3 with 512 MB of RAM when my moron coworker $#@!ed up the network's DNS and made the primary/secondary/and tertiary domain controllers inaccessible for logins so that everything failed over to the itty bitty "why is this even plugged in" box and it never peaked CPU usage from logins so it's not particularly intensive. :)

Since each VM is essentially a software-emulated time slice of hardware access, you can give each VM or a subset of VMs a "pool" and set limits on those pools. That is, you can individually limit the MHz available to a given VM or set of VMs with multiple vCPUs. You could, say, put your web server, db server, and version control server in a pool where they have access to a set number of resources. This means if one of those three starts bogarting all of the resources in the shared pool it can't spill over and suck resources out of another pool, say the one your VPN/SSH tunnel is running in.

The real problem is going to be throwing XBMC in with all of that.
Transcoding is a RESOURCE HOG and while you're using it to do so it's going to take a hefty, hefty chunk of virtual resources, severely limiting what you can allocate to the other VMs if you use limiting like I described above. If not, almost everything else on all of the other virtual machines on that box will probably grind to a halt whenever you stream to the TV or watch a Blu-ray disc. Now, that can be okay if you're not planning to use the other portions of the box while watching an HD movie, but may not be what you're after.

Hope this helps somewhat -- Good Luck!