⬅ Previous Post: 2020 Summer Project #1: ‘Webtrees’ on a Home Server
My server computer • The Gentoo Linux operating system • Installing Gentoo • Hardening Gentoo with SELinux • Hardening other Linux distros • Next on the agenda
Of course the first step in running Webtrees on a home server is to choose the machine and operating system. While it is certainly possible to launch a web server from my regular desktop (and I have in fact done this), a better idea is to set up a machine dedicated to this purpose.
I don’t know about yours, but my desktop computer is a bit of a beast, or at least is was when I built it some four years ago. With an 8-core AMD processor and a GeForce GTX 960 graphics card, the machine draws a lot of power and its fans make a lot of noise. I don’t want that thing running all the time. Moreover, from a security perspective, exposing my main desktop to Internet traffic is unwise. If I’m intentionally inviting strangers into a computer that I own, it’s better that it be a computer (a) that has no personally sensitive information on it, and (b) that I don’t rely on for other purposes in the event of a security attack that breaks functionality. Setting up a dedicated server machine is the wise thing to do.
A 15-year-old HP Compaq nc6230 will host my Webtrees website.
The machine I have chosen for this project is one of my old HP Compaq nc6230 laptops. These machines were quite the portable work horses when they were introduced in 2005. I purchased several of some six or seven years ago for about 40 bucks apiece in around 2013, when I sought to expand my side hustle of computer tutoring and consulting. I even used one of them as my primary computer until I built my current desktop in about 2016. The nc6230 has shown an impressive longevity, so I’m pressing it into service once again.
What computer should you use to build your server? Well, professional server administrators build server racks and fill them with machines that run from several hundred to several thousand to tens of thousands of dollars apiece. These systems are designed to serve multiple thousands of website users quickly and reliably, and are optimized to minimize power consumption at the expense of user-friendliness. Many computer end users aren’t aware, however, that pretty much any internet-connected computer can run a light web server to host a web page. Even the famous $40 single-board Raspberry Pi computer can do it, and the Raspberry Pi Foundation’s website offers instructions on how.
Since serving text and light graphics requires relatively few computational resources, pretty much any internet-ready computer would work for this hobby project—even an old laptop with a broken screen! I recommend that you use a computer that you wouldn’t mind running 24/7, so namely one that is quiet and unobtrusive, and also one with enough storage to accommodate your voluminous family history data. ?
My server’s operating system is Gentoo Linux, with an SELinux profile.
Most computers on the market come pre-installed with either Windows or OSX. When I bought my computer used on eBay, it came without a hard drive. I was therefore free then to install any operating system I wanted for it, so I habitually install any of the myriad of free Linux operating systems.
If your old computer has Windows pre-installed, you might look up the IIS server software for your computer. If your old computer is a Mac, it should come equipped with the Apache web server software that I’ll be using on Linux. If you’re a geek like I am, it doesn’t matter what operating system your computer came with or whether it came with any at all. You’re going to install Linux no matter what, and that’s exactly what I have done. ?
I had planned to experiment with a linux server distribution for the first time with this project, and had narrowed the field to three choices: Oracle Linux, Fedora Server, and Ubuntu Server. I immediately noticed difficulty in locating the requisite 32-bit variants of these operating systems. You see, the nc6230’s 32-bit Pentium M 760 processor is becoming obsolete. Name-brand Linux distributions like Fedora and Ubuntu have dropped official 32-bit support over the past few years.
Hence a return to Gentoo, which has been my go-to Linux distribution for over 5 years. Gentoo is a source-based distribution that compiles all software from source code by default to optimize it to your computer’s hardware. I returned to Gentoo on a wager that, as a source-based distribution, it will likely be one of the longest holdouts to maintain support for 32-bit processors. For my server, I downloaded the 32-bit (x86) minimal installation medium available here.
As awesome as Gentoo is for a variety of processors, it is NOT a distribution that I would recommend to Linux beginners, nor is Gentoo known for being a particularly convenient server choice. If you are a Linux beginner and your hobby computer is rocking a 64-bit processor, I would recommend an established server distribution like either Ubuntu Server or Fedora Server for the Webtrees project. If you are a Linux beginner looking to turn your older 32-bit hardware into a server, I would recommend giving Debian a spin, as it’s a storied and well-respected distribution whose 32-bit installation media are not yet showing signs of the end of life.
Installing Gentoo is a project in itself.
Difficulty of installation is only the first caution I have for those who are new to Linux and attempting to run Gentoo. That said, Gentoo happens to give a seasoned user like myself exactly what I want in a server operating system: a minimal, headless working environment. Headless means that ideally the server laptop should run quietly on it’s own, tucked away, without my ever having to physically open the laptop lid to interact with it. Maintenance on the server would be achieved over the network, from my main desktop computer, through a text-only, command-line, SSH (secure shell) connection. The Gentoo operating system by default does not ship with any kind of graphical user interface (GUI). This is great for headless servers that require no GUI. The absence of a GUI means that more of the computer’s scarce, aging processing power will be available to serve my website’s visitors.
Although, the Gentoo installation process is a long and daunting one, the Gentoo Handbook explains the necessary steps in sufficient detail. I followed the steps in the handbook to customize my system. Rather than configuring the Linux kernel manually, I opted for the simpler genkernel method. Genkernel configures the Linux kernel automatically with options that will get most machines up and running with less fuss, but will also compile a lot of kernel drivers that will ultimately be unnecessary. Compiling such a complete kernel takes the old nc6230 all night and the better part of the next day. Be ready for that process to take while. If you aren’t sure what I mean by all this “compiling the kernel” stuff, Gentoo might not be for you. In fact, the remainder of this blog post is pretty nerdy from here on out. If you have chosen a more ready-to-go distro for your server, like Ubuntu Server or Debian, feel free to skip to the final section of this post for some lingering thoughts on that.
Acquiring internet connection on Gentoo is also a troublesome side quest. The easiest strategy is to clear a spot for your server computer next to your router so you can rely on an Ethernet cable for the connection. Setting up the Ethernet connection is relatively straightforward, but since it was impractical for me, living-space-wise, I proceeded with wireless setup. The Gentoo Wiki’s WiFi and wpa_supplicant pages, as well as the Handbook’s Wireless page, have proven helpful to that end.
If I could offer two pieces of advice for setting up a wireless connection on Gentoo, they would be:
- You’ll need to enable correct kernel modules and install the correct drivers. In the case of the nc6230, the kernel driver to install is the Intel Pro/Wireless 2200 (ipw2200) driver, and the firmware package is similarly titles ipw2200-firmware. Your computer may obviously use a different driver. If you are having trouble finding the right driver for older hardware, the legacy Wireless Extensions (Wext) driver is worth a look. In fact, I seem to be invoking the Wext driver in my /etc/conf.d/wpa_supplicant file. It works. Go figure. ??♂️
- I had a Dickens of a time trying to bring up both the Ethernet and wireless interfaces at the same time. Obviously there must be a way to do it, but it is beyond me, and since it is not necessary for me to have both interfaces up at once, I’m satisfied to leave well enough alone. If you are having trouble bringing up your wireless interface, try bringing down your Ethernet interface and deleting the Ethernet service from your init system. Then bring up your wireless and add it to your init.
Hardening Gentoo with the SELinux profile.
Exposing a system to strangers on the Internet presents your machine with a consistent security threat. Since I know very little about computer security, this home server project offers a great opportunity for personal growth in this area of web server administration.
My initial explorations into setting up a Gentoo web server led me to this Tecmint tutorial on the subject, which I will be exploring in the next installment of this series. One of it’s suggestions is that:
For an Internet-facing server with security patches you will probably want to use a Hardened profile which changes package settings for your entire system (masks, USE flags, etc).
Gentoo system profiles are chosen easily during the installation process, but may be altered later with some additional effort. For this project I have chosen not only a hardened profile, but the hardened/selinux profile. I was drawn to this profile after encountering SELinux systems in my recent past that have inspired my curiosity. The Fedora distribution that I installed on my first GPD Pocket, for example, was apparently SELinux-enforcing, although it was configured to be hardly noticeable to the end user. If not for my need to set an SELinux boolean to allow Samba connections through, I might not ever have known SELinux was enforcing heightened security on that machine.
With this home server project, I’m finally getting my hands dirty with SELinux. starting with enabling the hardened/selinux profile, and then by manually installing SELinux, following the installation instructions available on the Gentoo Wiki. If you choose to go the SELinux route on Gentoo, I can offer the following warnings ahead of time:
- Once you set the SELinux mode to enforcing using the instructions on the Wiki, the non-privileged staff user you have created for yourself does not have permission to even read system administrative files or directories, much less update the system through Portage’s emerge command. Performing common administrative functions requires that you give yourself the necessary privileges by “switching to the system administrator role”. This is accomplished by issuing the newrole command as detailed in the Wiki’s instructions. The instructions do not make clear that the newrole command actually starts a new shell in which you have the requisite privileges to administer the system. To return again to the non-privileged staff user, simply type exit to exit the shell created by the newrole command. You do not issue another newrole command to return yourself to the staff role. Doing this creates an unnecessary shell-within-a-shell, and you’ll be confused later when you type exit to exit the terminal and it does not leave the terminal as you would expect it to. It confused me, anyway, for a while. ? This confusion might be alleviated entirely by setting yourself up as a system administrator by default in the first place, rather than as a staff user, but I suspect doing so would bypass a layer of SELinux security that I would like to keep intact for now.
- After I installed SELinux and set its mode to enforcing, and after I assumed the system administrator role using the newrole command, I found ton the wikihat Portage still did not have the proper permissions to either sync or update the system, although it did strangely have the permissions to re-install packages already on the system. ? The Gentoo Wiki has an SELinux/portage page that helped me diagnose the problem:
What had happened was that the Gentoo developers have become creative in recent years, moving Portage’s repos and distfiles folders to different locations within the Gentoo system. When I installed my first Gentoo system some five years ago, the default location for Portage’s repos folder was /usr/portage, and the default location for Portage’s distfiles folder was /usr/portage/distfiles. This has changed, but for some reason or other, the SELinux policies for Portage have not been apprised of the changes. The current default locations for the repos and distfiles folders are /var/db/repos and /var/cache/distfiles, respectively. When SELinux labels the system directories and files with security contexts, it does not recognize the new default locations as locations that Portage needs to access, and so it labels them incorrectly.
The SELinux/portage page contains a table that shows what the correct security contexts ought to be for these locations. For example, the PORTDIR folder, formerly at /usr/portage, but now at /var/db/repos, should have been labeled with the security context system_u:object_r:portage_ebuild_t. In my case, the /var/db/repos directory was labeled system_u:object_r:var_t, which I assume is standard for whatever SELINUX finds in the /var directory. To get Portage the right permissions to sync and update, that security context must be changed to system_u:object_r:portage_ebuild_t. The SELinux/portage page gives a sample set of commands to alter security contexts, which upon adapting for my needs became:
root# semanage fcontext -a -t portage_ebuild_t /var/db/reposUnfortunately, as of this writing, the commands do not solve the problem. They change the context of the /var/db/repos directory alone, but not those of the files and subdirectories it contains. Fortunately, the semanage-fcontext man page provides a sample of the commands that correctly relabels the files and folders under /var/db/repos recursively. Those commands, adapted for my needs, became:
root# restorecon -R /var/db/repos
root# semanage fcontext -a -t portage_ebuild_t "/var/db/repos(/.*)?"After I issued these commands, Portage received the correct permissions to sync. Although this was good progress, Portage still did not have the permissions to update. To finish the job, I had to alter the contexts of the /var/cache/distfiles folder similarly. As of this writing, the SELinux/portage page suggests that the proper security context for the DISTDIR folder, formerly at /usr/portage/distfiles but now at /var/cache/distfiles, should be system_u:object_r:portage_srcrepo_t. I found this not to be the case, and Portage still continues to fail updates when this context is applied to the distfiles folder. Changing the security type to portage_ebuild_t, rather than portage_srcrepo_t, did the job:
root# restorecon -R /var/db/repos
root# semanage fcontext -a -t portage_ebuild_t "/var/cache/distfiles(/.*)?"If I recall correctly, I may have had a problem with the -a flag of the semanage command the second time around. According to the man page, the -a flag adds a record. If a records that has already been added now needs to be modified, the -m flag will do the modification. I believe substituting -m for -a the second time around help me to apply the proper security contexts to /var/cache/distfiles, and with that Portage had the permissions that it needed to update my system. ?
root# restorecon -R /var/cache/distfiles
- I did have trouble finding the right permissions to run the restorecon command. What finally worked for me was switching to the sysadm role, but NOT using sudo to issue the command.
Hardening other Linux distributions.
Those of you who are joining me in my server building adventures may have already wisely opted for another distribution instead of Gentoo. If you’ve chosen another distribution, you’ll want to secure, or “harden”, your system by some other method. Since I do not have the experience of hardening other systems, I can not give specific advice on how to do that. I can, however offer these vague impressions:
- I would expect any brand name Linux server distribution to come with an impressive array of security features out-of-the-box. I would especially expect this of Fedora Server, since it’s regular desktop distribution is already impressively secure. Having the foresight to choose a server distro to run your server is probably half the battle as far as securing your server is concerned. The other half would be learning the various configuration options of the server distro’s security software. The only reason I did not opt for a server distribution is that the best ones seem to have dropped support for my 32-bit processor. If your server computer is rocking a 64-bit processor, then by all means go for a server distro. A list of good ones is available here.
- If you are running a Debian server due to its continued support for 32-bit processors, advice for hardening the system for heightened security begins here. With any other Linux distribution, Google is your friend. Just go ahead and Google “Hardening [distro name]” to find the best practices for securing your system.