Howto set up your perfectly silent home server [Ubuntu Server 14.04 LTS]

Welcome.

This guide will walk you through setting up a dead-silent Linux home server with Ubuntu Server 14.04.2 LTS that you can have running twenty-four-seven-365 in your living room without getting annoyed by any fan or hard-drive noise. This server has no moving parts in it except for the AC/DC-current running through the electronics. Let’s dig in!

First let’s get some appropriate hardware. After doing some research I went for the Shuttle DS57U barebone which is a fanless Slim-PC. You can find a great review of it here: Shuttle DS57U Review

This barebone comes with everything except hard-drive, memory modules and operating system. The barebone alone will set you back around $230 (1900 SEK), sales tax excluded, price as of June 2015.

Since the focus of this project is not to get away cheap but to have a stable, dead-silent server, I went on the prowl for a suitable SSD and then of course a pair of SO-DIMMs. Also, I will have a lot of writes to this machine, so I went for a more expensive datacenter SSD, the Samsung 845DC Pro series, that will stand the test of time. You may want to go for a cheaper alternative here; this Samsung drive, however, also has protection against data corruption or loss caused by unexpected power outages.

Procurement-list (prices as of June 2015 in Sweden, VAT excl.):

  • 1 x Shuttle DS57U – Celeron 3205U 1.5 GHz, $230 (1900 SEK)
  • 2 x Kingston Valueram/8GB, KVR16LS11/8, $110 (2x$55) (880 SEK)
  • 1 x Samsung 845DC Pro 400GB SSD Data Center, $315 (2560 SEK)

Ok, so let’s install the hardware. This is pretty straightforward. Flip the case and unscrew the two screws holding each lid. Slide forward and open.

Now, unscrew the drive-guide and fix it to the SSD using the two black screws that come with the Shuttle case.

Plug the SSD into the hard-drive slot and secure it by putting the screw back in place. Put the two SO-DIMMs in the memory slots; be gentle and don’t touch the memory modules more than necessary, holding them only by the edges, and make sure they snap into place correctly. The result will look like this.

[Image: Shuttle with SSD and memory installed]

Now, put the covers back on, and connect all the wires and fire up the machine. Hit Del or Esc to enter Bios-setup.

Ok, so because this machine is a server and we want it to always be ON we change the setting “Power-On after Power-Fail” to [Power On]. Disable EuP Function to enable this alternative.

Now, save and exit. With the Ubuntu ISO image already downloaded and burnt, now is the time to plug an external USB DVD drive into the Shuttle and load it with the Ubuntu DVD. You can of course use a USB stick prepared with Ubuntu if you would rather use that for the installation. Reboot and start the installation.

When asked about partitioning, I chose to use all available space on the ssd to be used for the Ubuntu-installation, but you can of course choose to partition your drive in any way you prefer. When asked which software to install I selected OpenSSH-server and LAMP-server since I will later install and run wordpress on this box using LAMP (Linux, Apache, MySQL, PHP).

Now point your ssh-client to the ip-address of your Shuttle-server. If you use dhcp, you can find out what ip-address the machine got after bootup by typing the command ifconfig from a terminal. I get up to five public ip-addresses (dhcp-assigned) from my ISP so I will use one dedicated to this machine. I will later blog about how to configure automatic dynamic-dns updates should the ip-address change. Edit! Now available here howto-set-up-automatic-dynamic-dns-update-using-ddclient

The DS57U comes with two built-in NICs, so you might want to use one for your home internal network (192.168.X.X) plugged into your broadband router and one plugged into a (dumb) switch sitting first in line with the connection toward your ISP. Or maybe you prefer to team the NICs for redundancy. I will, however, start with using just one NIC with a public IP address. Let’s start to secure and configure this beast.

Log in with SSH and become root with “sudo -s”, the -s option gives you a root-shell. Just type exit and hit return whenever you want to exit from this shell.

jbilander@ubuntu01:~$ sudo -s
[sudo] password for jbilander:
root@ubuntu01:~#

Run these two commands as root to get the latest updates installed

root@ubuntu01:~# apt-get update
root@ubuntu01:~# apt-get upgrade

Let’s start by disabling ipv6. I know some people say this is not conforming to best practice but I don’t care 🙂 I’m not going to run ipv6 on this machine so I want to get rid of it. To disable ipv6, you have to open /etc/sysctl.conf using any text editor (I use VIM) and insert the following lines:

net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1

Comment out anything related to ipv6 in /etc/hosts

# The following lines are desirable for IPv6 capable hosts
#::1     localhost ip6-localhost ip6-loopback
#ff02::1 ip6-allnodes
#ff02::2 ip6-allrouters

Change sshd to only listen to ipv4, in file /etc/ssh/sshd_config change to:

AddressFamily inet

In /etc/dhcp/dhclient.conf delete the entries below…

dhcp6.name-servers, dhcp6.domain-search,
dhcp6.fqdn, dhcp6.sntp-servers;

…and put in the semi-colon after the last entry (ntp-servers). It should now look like this:

request subnet-mask, broadcast-address, time-offset, routers, domain-name, domain-name-servers, domain-search, host-name, netbios-name-servers, netbios-scope, interface-mtu, rfc3442-classless-static-routes, ntp-servers;

Now, after a reboot we should be all set, with no more use of tcp6 or udp6, right? Running the command netstat -nap, however, shows this:

udp        0 0.0.0.0:3704                           739/dhclient
udp        0 0.0.0.0:68                             739/dhclient
udp6       0 :::52382                               739/dhclient

Why the udp6-entry when we have deleted all the dhcp6-entries in dhclient.conf? It appears to be a bug (read here); I guess I’ll have to live with it for the time being.

Let’s set up a firewall using iptables:

Iptables comes with Ubuntu by default but has no rules added to it, hence no traffic is blocked by default. I’m going to configure the machine to listen on ports 22 and 80 only, allowing incoming ssh and http traffic from any source, and block all other incoming traffic. There is one more accept-rule that we need so that our server can function correctly: the loopback device. Services on the computer need to be able to communicate with each other by sending network packets through the loopback device. Add these rules one-by-one from the command-line for a basic configuration:

iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -j DROP

You can verify the entries with the command iptables -S.

Now, persist the change with these two commands:

apt-get update
apt-get install iptables-persistent

Should you need to delete a rule, you can do it with the -D option and the row number. In this case input-rule number four will be deleted: iptables -D INPUT 4

If you need to add a new rule at a certain row, e.g. 5, maybe to open up for incoming https traffic (port 443), then use this command. Inserting at row 5 places the new rule ahead of the final DROP rule, which matters because rules are evaluated in order:

iptables -I INPUT 5 -p tcp --dport 443 -j ACCEPT

Line numbers and rules will be shown by this command:

iptables -L --line-numbers

If you do any changes to iptables from now on, persist the change with this command before rebooting:

iptables-save > /etc/iptables/rules.v4
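
A check worth running before you save, added here as an example and not part of the original guide: it reads iptables -S INPUT output, lists the ports that are really open, and flags any rule that sits after the catch-all DROP and can therefore never match. The function name, the output labels and the sample ruleset are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: audit `iptables -S INPUT` output read from stdin.
# Function name and output labels are made up for this illustration.
audit_input_chain() {
    awk '
    $1 == "-P" && $2 == "INPUT" { policy = $3; next }
    $1 != "-A" || $2 != "INPUT" { next }
    {
        rule = $0; proto = "any"
        # A catch-all rule has the target right after the chain name, with no match options.
        catchall = ($3 == "-j" && ($4 == "DROP" || $4 == "REJECT"))
        if (closed) { print "UNREACHABLE " rule; next }
        if (catchall) { closed = 1; next }
        if (rule ~ /-i lo / && rule ~ /-j ACCEPT$/) lo = 1
        if (rule ~ /--ctstate/ && rule ~ /ESTABLISHED/ && rule ~ /-j ACCEPT$/) est = 1
        if (rule ~ /-j ACCEPT$/) {
            for (i = 1; i < NF; i++) {
                if ($i == "-p") proto = $(i + 1)
                if ($i == "--dport") print "OPEN " proto "/" $(i + 1)
            }
        }
    }
    END {
        if (!lo) print "MISSING loopback-accept"
        if (!est) print "MISSING established-accept"
        if (!closed && policy != "DROP") print "NO-DEFAULT-DENY"
    }'
}

# Constructed sample: the five rules from this guide, then port 443 appended
# with -A instead of inserted with -I, so it lands after the catch-all DROP.
sample_rules() {
    cat <<'EOF'
-P INPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -j DROP
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
EOF
}

# On the server itself, run as root: iptables -S INPUT | audit_input_chain
sample_rules | audit_input_chain
```

An UNREACHABLE line means the rule should be deleted and re-added with iptables -I at a row above the DROP rule.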

Reboot machine!

That’s all for now. In the next blog post we will look at how to configure the LAMP server and set up wordpress on this server. Edit! Now available here: howto_set_up_wordpress_on_ubuntu_lamp_server
