
Home server - ESXi, paranoia

Good day, dear Habr readers!

There are many articles on Habr about setting up one or another piece of a home server. I would like to share another way of building a home network aimed at a sysadmin or developer, this time based on ESXi.

If you are interested, read on.

I will not talk about installing and configuring ESX and the guest systems: the web is full of articles on the subject, and the documentation on the official site is quite decent. Instead I will describe a few ideas I implemented at home and some of the finer points. But first things first.
Let's start with the server itself, an IBM System X3200 M2. I got it almost for nothing: I heard from a friend that a friend of his was selling some kind of server; I phoned, we met, and, voila, after a little modding the server took the place of honor of the old box built on a Celeron 1.8. I should note that the case was slightly dented, the bottom of the front bezel was missing, and there was no RAM inside. But those are trifles. It was harder to get the 2 missing drive sleds for the cage. There is no direct sale in my city, and the specialized shops would order them with a wait of 1.5 months at 1.5k apiece... I abandoned that idea and ordered from China for 500 rubles with delivery; they arrived after the same 1.5 months.

In total we have:

  1. IBM System X3200 M2 server
    • Intel® Xeon® X3320 2.5 GHz
    • 4 GB DDR2 800 MHz
    • 5 hard drives, about 2 TB in total (no RAID)
    • ESXi
  2. Asus F3SE laptop (it replaced my desktop; apart from the server I have no other machine, so in effect this is my workplace and my entertainment tool)
  3. LinkSys WRT54GS v7 access point (WAN, 4x100 Mb LAN, WiFi), flashed with dd-wrt micro (oh, what we went through with that one :))
  4. WiFi phone: Nokia E52.


Objectives of the final system:

  1. Offload as much software as possible from the laptop
  2. Provide a platform for development and tests (the pattern is roughly: install, configure, try, switch off; switch it on again when needed)
  3. Alongside the network-facing services, provide a corporate level of protection for the server and the data. Where functionality and security conflict, choose security.


So let's get to the most interesting part. From here on we assume that the server is connected to the network and runs 24/7, there is unlimited internet, ESXi is installed, several guest systems are created (one win2k8, one winxp, N Fedora 14 in the minimal configuration, or any other distribution to taste), and that if something is started somewhere (mc, nano, sudo, etc.) it is already installed.

Step 1. Choosing the functionality

What will we need?
  1. Web server (Apache, IIS, GlassFish / Tomcat),
  2. DBMS (MSSQL, MySQL, FireBird, PostgreSQL),
  3. Torrent client, FlyLinkDC client,
  4. SSH access to all Linux servers, RDP to one of the Windows servers,
  5. File storage


Step 2. Network architecture

Here is roughly what we should end up with:
[network diagram]

Let me warn the respected Habr readers right away against a flame war over the organization of this network: it is dictated by some subjective requirements and, for now, only its virtual part can change. Sorry, but "that's how it happened historically". Constructive criticism is welcome, though; I will take it into account in the future.

As the diagram shows, of all the virtual machines only one, GALAXY, is connected to the physical network. This server is the gateway for all the virtual machines; it controls access to the important ports (SSH, RDP) and also keeps various logs.

Step 3. Configuring the gateway

Without further ado, here is the firewall configuration file from my gateway, with a few changes. Naturally, all interfaces are up, static IPs, DNS servers and gateways are configured, and the necessary NAT is configured on the access point. Sorry, but all IPs and ports have been replaced or erased; I am paranoid, if anything. :)

firewall.sh
#!/bin/sh

# Connection-tracking helpers for FTP and TFTP. Kernels of the 2.6 era also
# accepted the old names ip_conntrack_ftp / ip_nat_ftp; the nf_* names work on
# both old and current kernels.
modprobe nf_conntrack_ftp
modprobe nf_nat_ftp
modprobe nf_conntrack_tftp

ipt='/sbin/iptables'

home='#.#.#.#/24'      # physical home LAN
vmnet='#.#.#.#/24'     # virtual network behind the gateway
mehome='#.#.#.#'       # gateway address on the home LAN
mevmnet='#.#.#.#'      # gateway address on the virtual network

venera='#.#.#.#'       # guest running GlassFish and SSH

# Set default-deny policies before flushing, so that a reload never leaves a
# window in which everything is accepted. Dropping by policy instead of by a
# trailing DROP rule also matters for Step 4: rules that knockd appends with
# "-A" land at the end of the chain and would never be reached behind an
# explicit DROP rule.
${ipt} -t filter -P INPUT DROP
${ipt} -t filter -P FORWARD DROP
${ipt} -t filter -P OUTPUT ACCEPT

${ipt} -F -t nat
${ipt} -F -t filter
${ipt} -F -t mangle
${ipt} -X -t filter

#established (FORWARD needs it too: without it the replies to connections the
#guests open to the outside, DNS answers included, would be dropped)
${ipt} -t filter -A INPUT -p all -m state --state ESTABLISHED,RELATED -j ACCEPT
${ipt} -t filter -A OUTPUT -p all -m state --state ESTABLISHED,RELATED -j ACCEPT
${ipt} -t filter -A FORWARD -p all -m state --state ESTABLISHED,RELATED -j ACCEPT

#allow forwarding
echo "1" > /proc/sys/net/ipv4/ip_forward

#log some new connections, rate-limited so that a port scan cannot fill the disk
${ipt} -t filter -A INPUT -p tcp --dport 12121 -m state --state NEW -m limit --limit 10/min --limit-burst 20 -j LOG --log-level INFO --log-prefix "SSH-NEW : "
${ipt} -t filter -A FORWARD -d ${venera} -m state --state NEW -m limit --limit 10/min --limit-burst 20 -j LOG --log-level INFO --log-prefix "VENERA : "

#localhost
${ipt} -t filter -A INPUT -i lo -j ACCEPT

#icmp home
${ipt} -t filter -A FORWARD -p icmp -s ${home} -j ACCEPT
${ipt} -t filter -A FORWARD -p icmp -d ${home} -j ACCEPT
${ipt} -t filter -A INPUT -p icmp -s ${home} -j ACCEPT
${ipt} -t filter -A OUTPUT -p icmp -d ${home} -j ACCEPT
#icmp vmnet
${ipt} -t filter -A FORWARD -p icmp -s ${vmnet} -j ACCEPT

#dns: only the outgoing query needs a rule; the answer is matched by the
#ESTABLISHED,RELATED rules above. Never accept on "--sport 53": anyone can send
#from source port 53, and such a rule would let them reach every local port.
${ipt} -t filter -A OUTPUT -p tcp --dport 53 -j ACCEPT
${ipt} -t filter -A FORWARD -p tcp --dport 53 -j ACCEPT
${ipt} -t filter -A OUTPUT -p udp --dport 53 -j ACCEPT
${ipt} -t filter -A FORWARD -p udp --dport 53 -j ACCEPT

#ssh to the gateway itself
${ipt} -t filter -A INPUT -p tcp --dport 12121 -j ACCEPT

#nat venera (GlassFish[80->8080], SSH[3333->12121])
${ipt} -t nat -A PREROUTING -d ${mehome} -p tcp --dport 3333 -j DNAT --to ${venera}:12121
${ipt} -t nat -A PREROUTING -d ${mehome} -p tcp --dport 80 -j DNAT --to ${venera}:8080
#FORWARD sees the packet after DNAT, i.e. addressed to the guest and its port.
#The 8080 forward is deliberately left out here: knockd adds it per source
#address (Step 4).
#${ipt} -t filter -A FORWARD -d ${venera} -p tcp --dport 8080 -j ACCEPT
${ipt} -t nat -A POSTROUTING -s ${venera} -j SNAT --to-source ${mehome}
#forwarding for venera
${ipt} -t filter -A FORWARD -s ${venera} -j ACCEPT
${ipt} -t filter -A FORWARD -d ${venera} -p tcp --dport 12121 -j ACCEPT

#everything the gateway itself originates is allowed out
${ipt} -t filter -A OUTPUT -p all -j ACCEPT

#anything not matched above is dropped by the policies set at the top


The other servers are configured by analogy with VENERA, opening the required ports with rules in the same way. Note the commented-out FORWARD rule in the nat venera block: it would allow unconditional forwarding to the guest's port behind the DNAT (8080 in this sanitized listing; the real port numbers were replaced). It is commented out for the reason described below.

Step 4. Paranoia

The culmination of this story is the implementation of the port knocking technique.
Perhaps some of you have come across it but rejected it for one reason or another.
For those who have not met it, in a nutshell: what it is and what it is all about. The technique opens the desired port only after a certain sequence of ports has been "knocked on" from the same IP. The ports in that sequence do not even have to be open: it is enough to send a packet with the SYN flag (or another flag, at your discretion) to each of them. Once the sequence has been completed correctly, a command is run that opens the desired port in the firewall. To close the port again, you knock on another sequence of ports in the same way. Keep in mind that a fixed sequence is a shared secret sent in the clear: anyone who can sniff it can replay it, so knocking hides the port from scanners but does not replace key-based SSH authentication behind it.

It goes without saying that "it has all been done before us" (C). There is a daemon, knockd, and a client that goes with it, implementing exactly this.
Everything would have been simple enough if I had not run into a strange problem: there is no package for RPM-based systems (do point me to one if I searched badly).
We download the sources and unpack them.

./configure
make


There you go: the source does not compile, gcc complains "PATH_MAX undeclared"... what to do? :)
Right: dig into the source and see what is wrong. Fortunately, apart from the build files there are only four source files: the client, the server, and the daemon's own list implementation (.h + .c). After a brief look I added one more include to the server file, among the existing ones:
#include <limits.h>


and it all worked :)
By the way, people on forums write that under FreeBSD it installs from ports without problems, but I have not tried it myself (yes, I have such a virtual machine for tests). Please report back on how the latest version behaves.

The knockd documentation is decent. The daemon is simple and convenient; checked, it works. So, with your permission, I will not describe it, but will give an approximate config for this case, to complete the picture together with the firewall. A few practical points: knockd sniffs eth0 unless [options] has an interface = line, so on a gateway with two NICs point it at the one facing the home LAN; the open command appends with -A, which only works because FORWARD drops by policy and has no trailing DROP rule (behind an explicit DROP an appended rule is never reached); and instead of a separate "close" sequence knockd can run start_command, wait cmd_timeout seconds and then run stop_command from a single section, so a forgotten close cannot leave the port open. For replay resistance knockd also supports one_time_sequences, a file of single-use sequences.
[options]
logfile = /var/log/knockd.log

[openVenera]
sequence = 1,2,3
seq_timeout = 5
command = /sbin/iptables -A FORWARD -s %IP% -p tcp --dport 8080 -j ACCEPT
tcpflags = syn

[closeVenera]
sequence = 3,2,1
seq_timeout = 5
command = /sbin/iptables -D FORWARD -s %IP% -p tcp --dport 8080 -j ACCEPT
tcpflags = syn


At home I use several sequences to open different ports to different virtual machines. Unfortunately I chose TCP-only knock ports, because those can be hit with a plain telnet. As soon as I sort out a knockd mobile client that can do UDP, I will do it properly.
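
A knock client to go with the config above, as an added example that is neither the author's code nor knockd's own client. It takes the sequence from a copy of knockd.conf, so client and daemon cannot drift apart, and sends each knock the way the text describes: a TCP connect attempt for a tcp knock (the kernel emits the SYN; the port may well be closed) or a single datagram for a udp knock. The config embedded in it is a constructed, hardened variant of the one above: start_command / cmd_timeout / stop_command in one section, so the forward closes itself after cmd_timeout seconds and a forgotten "close" knock cannot leave it open (a session opened in time survives, provided FORWARD accepts ESTABLISHED traffic), and a mixed tcp/udp sequence that a TCP-only scan cannot reproduce. The ports 7000/8000/9000, the section name openVenera, the gateway address, and the use of bash's /dev/tcp and /dev/udp plus coreutils timeout are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the original post: a port-knock client for the
# gateway described above, with a small parser that pulls a sequence out of a
# knockd.conf copy. Assumes bash (for /dev/tcp and /dev/udp) and coreutils
# `timeout` for sending; all ports, addresses and names are placeholders.

# Write a constructed knockd.conf. Unlike the config on the page it opens and
# closes the forward from one section (start_command, cmd_timeout,
# stop_command), so the port is closed again 20 s after the knock whether or
# not anyone remembers to "close", and it mixes tcp and udp knocks.
write_sample_conf() {   # PATH
    cat > "$1" <<'EOF'
[options]
logfile = /var/log/knockd.log
interface = eth0

[openVenera]
sequence = 7000:tcp,8000:udp,9000:tcp
seq_timeout = 5
tcpflags = syn
start_command = /sbin/iptables -A FORWARD -s %IP% -p tcp --dport 8080 -j ACCEPT
cmd_timeout = 20
stop_command = /sbin/iptables -D FORWARD -s %IP% -p tcp --dport 8080 -j ACCEPT
EOF
}

# Print the sequence of one section as space-separated "port[:proto]" items.
# Usage: knock_sequence CONFIG SECTION   ->  "7000:tcp 8000:udp 9000:tcp"
knock_sequence() {
    awk -v want="[$2]" '
        /^[[:space:]]*[#;]/ { next }
        /^[[:space:]]*\[/   { cur = $0; gsub(/[[:space:]]/, "", cur); next }
        cur == want && /^[[:space:]]*sequence[[:space:]]*=/ {
            v = $0; sub(/^[^=]*=/, "", v)
            gsub(/[[:space:]]/, "", v); gsub(/,/, " ", v)
            print v; exit
        }' "$1"
}

# One knock. For tcp a connect attempt is enough: the kernel sends the SYN that
# knockd (tcpflags = syn) waits for, and the answer, if any, is ignored, so a
# closed or dropped port is fine. For udp any datagram will do.
send_knock() {   # HOST PORT PROTO
    if [ "$3" = udp ]; then
        bash -c "echo -n x > /dev/udp/$1/$2" 2>/dev/null
    else
        timeout 1 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
    fi
    return 0
}

# Replay a sequence against HOST, in order. KNOCK_SEND names the function that
# sends (default send_knock; point it at a recorder for a dry run), KNOCK_GAP
# the pause between knocks. The whole run must finish within seq_timeout.
knock() {   # HOST PORT[:PROTO] ...
    host=$1; shift
    for p in "$@"; do
        proto=${p#*:}
        [ "$proto" = "$p" ] && proto=tcp
        "${KNOCK_SEND:-send_knock}" "$host" "${p%%:*}" "$proto"
        sleep "${KNOCK_GAP:-0.2}"
    done
}

# Usage: knock.sh GATEWAY SECTION CONFIG, e.g. knock.sh 192.0.2.10 openVenera ~/knockd.conf
# then, within cmd_timeout, open the forwarded service (curl http://GATEWAY/
# for the 80 -> 8080 forward from firewall.sh).
if [ $# -eq 3 ]; then
    knock "$1" $(knock_sequence "$3" "$2")
fi
```

Setting KNOCK_SEND to a shell function of your own turns the run into a dry run that records what would be sent, which is how to check a new sequence before using it on the gateway. If knockd is given a one_time_sequences file, the client has to use the next unused line from the same file rather than a fixed sequence from the config.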

On the remaining virtual machines we start the required services and set everything up as we like. Do not forget to forward the necessary ports through the virtual gateway and, if needed, add an entry to /etc/knockd.conf. Enjoy.

Conclusions


I have had this server since the end of January 2011. What haven't I tried on it: various services, Gentoo, FBSD, GlassFish, firewalls/NAT, Firefox displayed on a Windows machine via SSH + Xming, and so on. And all of it on one machine. Now I can say with confidence that virtualization is awesome. Unfortunately I have not managed to try KVM and Xen yet (a Xen live CD does not count; you need to get your hands on it properly), and running another hypervisor inside a virtual machine... even for my perverted brain that is too much. Apparently its time simply has not come.

Soon a USB sound card will arrive, also from China, and I will have a fancy alarm clock driven by the production calendar from 1Skey. ^_^
In general, whoever has the chance to put this marvel on a dedicated machine: go for it. Perhaps this post will help someone set up a server at work. Either way, I will be glad to have helped.

Thanks for attention.

PS I do not claim this scheme is 100% secure, but it is much better than open ports; it calms my paranoia and gives invaluable experience of long-term use. Of course, the standard ports on the end servers are changed where possible. What is missing is blocking the IP addresses of brute-force players, but that is still ahead.

UPD: I apologize if I chose the wrong blog. Please point me to a better place to put it.

Source: https://habr.com/ru/post/118316/

