This guide will walk you through setting up a dead-silent Linux home server with Ubuntu Server 14.04.2 LTS that you can have running twenty-four-seven-365 in your living room without getting annoyed by any fan or hard-drive noise. This server has no moving parts in it except for the AC/DC-current running through the electronics. Let’s dig in!
First let’s get some appropriate hardware. After doing some research I went for the Shuttle DS57U barebone which is a fanless Slim-PC. You can find a great review of it here: Shuttle DS57U Review
This barebone comes with everything except hard-drive, memory modules and operating system. The barebone alone will set you back around $230 (1900 SEK), sales tax excluded, price as of June 2015.
Since the focus of this project is not to get away cheap but to have a stable, dead-silent server, I went on the prowl for a suitable SSD and then of course a pair of SO-DIMMs. Also, I will have a lot of writes to this machine so I went for a more expensive datacenter SSD, the Samsung 845DC Pro-series, that will stand the test of time. You may want to go for a cheaper alternative here; this Samsung drive, however, also has protection against data corruption or loss caused by unexpected power outages.
Procurement-list (prices as of June 2015 in Sweden, VAT excl.):
- 1 x Shuttle DS57U – Celeron 3205U 1.5 GHz, $230 (1900 SEK)
- 2 x Kingston Valueram/8GB, KVR16LS11/8, $110 (2x$55) (880 SEK)
- 1 x Samsung 845DC Pro 400GB SSD Data Center, $315 (2560 SEK)
Ok, so let’s install the hardware…this is pretty straightforward. Flip the case and unscrew the two screws holding each lid. Slide forward and open.
Now, unscrew the drive-guide and fasten it to the SSD, using the two black screws that come with the Shuttle case.
Plug the SSD into the hard-drive slot and secure it by putting the screw back in place. Put the two SO-DIMMs in the memory slots. Be gentle and don’t touch the memory modules more than necessary, holding them only by the edges, and make sure they snap into place correctly. The result will look like this.
Now, put the covers back on, and connect all the wires and fire up the machine. Hit Del or Esc to enter Bios-setup.
Ok, so because this machine is a server and we want it to always be ON we change the setting “Power-On after Power-Fail” to [Power On]. Disable EuP Function to enable this alternative.
Now, save and exit. Having downloaded and burnt the Ubuntu ISO image beforehand, now is the time to plug an external USB DVD drive into the Shuttle and load it with the Ubuntu DVD media. You can of course use a USB stick prepared with Ubuntu if you would rather use that for installation. Reboot and start the installation.
When asked about partitioning, I chose to use all available space on the ssd to be used for the Ubuntu-installation, but you can of course choose to partition your drive in any way you prefer. When asked which software to install I selected OpenSSH-server and LAMP-server since I will later install and run wordpress on this box using LAMP (Linux, Apache, MySQL, PHP).
Now point your ssh-client to the ip-address of your Shuttle-server. If you use dhcp, you can find out what ip-address the machine got after bootup by typing the command ifconfig from a terminal. I get up to five public ip-addresses (dhcp-assigned) from my ISP so I will use one dedicated to this machine. I will later blog about how to configure automatic dynamic-dns updates should the ip-address change. Edit! Now available here howto-set-up-automatic-dynamic-dns-update-using-ddclient
The DS57U comes with two built-in NICs, so you might want to use one for your home internal network (192.168.X.X) plugged into your broadband router and one plugged into a (dumb) switch sitting first in line with the connection toward your ISP. Or maybe you prefer to team the NICs for redundancy. I will, however, start by using just one NIC with a public IP-address. Let’s start to secure and configure this beast.
Log in with SSH and become root with “sudo -s”, the -s option gives you a root-shell. Just type exit and hit return whenever you want to exit from this shell.
jbilander@ubuntu01:~$ sudo -s
[sudo] password for jbilander:
root@ubuntu01:~#
Run these two commands as root to get the latest updates installed
root@ubuntu01:~# apt-get update
root@ubuntu01:~# apt-get upgrade
Let’s start by disabling ipv6. I know some people say this is not conforming to best practice but I don’t care 🙂 I’m not going to run ipv6 on this machine so I want to get rid of it. To disable ipv6, you have to open /etc/sysctl.conf using any text editor (I use VIM) and insert the following lines:
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
Comment out anything related to ipv6 in /etc/hosts
# The following lines are desirable for IPv6 capable hosts
#::1 localhost ip6-localhost ip6-loopback
#ff02::1 ip6-allnodes
#ff02::2 ip6-allrouters
Change sshd to only listen to ipv4, in file /etc/ssh/sshd_config change to:
In /etc/dhcp/dhclient.conf delete the entries below…
dhcp6.name-servers, dhcp6.domain-search, dhcp6.fqdn, dhcp6.sntp-servers;
…and put in the semi-colon after the last entry (ntp-servers). It should now look like this:
request subnet-mask, broadcast-address, time-offset, routers,
        domain-name, domain-name-servers, domain-search, host-name,
        netbios-name-servers, netbios-scope, interface-mtu,
        rfc3442-classless-static-routes, ntp-servers;
Now, after a reboot we should be all set, with no more use of tcp6 or udp6, right? Running the command netstat -nap however shows this:
udp 0 0.0.0.0:3704 739/dhclient
udp 0 0.0.0.0:68 739/dhclient
udp6 0 :::52382 739/dhclient
Why the udp6-entry when we have deleted all the dhcp6-entries in dhclient.conf? It appears to be a bug, read here, I guess I’ll have to live with it for the time being.
Let’s set up a firewall using iptables:
Iptables comes with Ubuntu by default but has no rules loaded, so no traffic is blocked by default. I’m going to configure the machine to listen on ports 22 and 80 only, allowing incoming ssh and http traffic from any source and blocking all other incoming traffic. There is one accept rule we need so that our server can function correctly: the loopback device. Services on the computer need to be able to communicate with each other by sending network packets through the loopback device. Add these rules one by one from the command line for a basic configuration:
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -j DROP
You can double check the entries with command iptables -S to verify.
Now, persist the change with these two commands:
apt-get update
apt-get install iptables-persistent
Should you need to delete a rule, you can do it with the -D option and the rule’s row number. In this case input rule number four will be deleted:
iptables -D INPUT 4
If you need to add a new rule at a certain row, e.g. 5, maybe to open up for incoming https traffic (port 443), then use this command. With the five rules above, row 5 is the final DROP rule, so the new rule is placed just ahead of it:
iptables -I INPUT 5 -p tcp --dport 443 -j ACCEPT
Line numbers and rules will be shown by this command:
iptables -L --line-numbers
If you do any changes to iptables from now on, persist the change with this command before rebooting:
iptables-save > /etc/iptables/rules.v4
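Because iptables evaluates rules top to bottom, an ACCEPT that ends up after the final DROP never takes effect. The following is an added example, not part of the original post: a shell function that audits `iptables -S` output for this guide's layout (loopback, established traffic, a list of allowed TCP ports, then a trailing DROP rule). The function name, the allowed-port argument and the sample rule dump are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: audit `iptables -S` output (stdin) against this guide's policy.
# $1 = space-separated TCP ports that may be open, e.g. "22 80".
# Prints one line per finding; exit status 0 means the chain is clean.
audit_input_chain() (
    allowed=" $1 "; n=0; problems=0; drop_at=0; lo=0; est=0
    while IFS= read -r line; do
        case "$line" in
            "-A INPUT "*) n=$((n + 1)) ;;
            *) continue ;;                      # -P lines, other chains
        esac
        if [ "$drop_at" -gt 0 ]; then           # nothing after DROP ever matches
            echo "rule $n unreachable, sits after DROP at rule $drop_at: $line"
            problems=$((problems + 1))
            continue
        fi
        case "$line" in
            "-A INPUT -j DROP") drop_at=$n ;;
            "-A INPUT -i lo -j ACCEPT") lo=1 ;;
            *"--ctstate "*ESTABLISHED*" -j ACCEPT") est=1 ;;
            *"--dport "*" -j ACCEPT")
                port=${line##*--dport }; port=${port%% *}
                case "$allowed" in
                    *" $port "*) ;;
                    *) echo "rule $n opens unexpected port $port"
                       problems=$((problems + 1)) ;;
                esac ;;
            *" -j ACCEPT")
                echo "rule $n accepts without a port match: $line"
                problems=$((problems + 1)) ;;
        esac
    done
    [ "$lo" -eq 1 ] || { echo "missing loopback ACCEPT"; problems=$((problems + 1)); }
    [ "$est" -eq 1 ] || { echo "missing ESTABLISHED ACCEPT"; problems=$((problems + 1)); }
    [ "$drop_at" -gt 0 ] || { echo "no catch-all DROP"; problems=$((problems + 1)); }
    [ "$problems" -eq 0 ]
)

# Constructed sample: the guide's five rules, then port 443 added with -A
# instead of -I, so it lands after the DROP and never takes effect.
SAMPLE='-P INPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -j DROP
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT'
printf '%s\n' "$SAMPLE" | audit_input_chain "22 80 443" || echo "audit failed"
```

On the live server, run it as root with `iptables -S | audit_input_chain "22 80"` before writing rules.v4.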
That’s all for now, in the next blog we will look at howto configure LAMP-server and setup wordpress on this server. Edit! Now available here: howto_set_up_wordpress_on_ubuntu_lamp_server