The Ubuntu home server
So far, the installation of the Linux (Ubuntu) server is progressing very slowly. The first thing I did, after the initial install, was set up the DHCP and DNS servers. The DHCP server was to be set up to add DNS records whenever a client received an IP address; the clients themselves would not be allowed to update DNS records.
I’ve installed both services before, but this time I wanted to set them up as if they were in an enterprise environment. It took many Google searches and about three hours to make it work properly. Why did it take that long? I wanted to implement some security on BIND. No reason to get sloppy just because it’s a home system.
The instructions found here are what I used to install and run BIND chrooted. Running BIND in a chroot jail prevents the BIND process from accessing files outside its own directory. If the DNS server were compromised, that limits the damage to the BIND installation, which is all that would need to be fixed.
Next, I set up the dynamic DNS updates to use TSIG, which helps prevent unauthenticated DNS updates. Bind9.net has a BIND 9 manual that is full of useful information. I followed the instructions for creating and implementing TSIG keys here to create a 256-bit TSIG key. The key was used in both named.conf.local (the BIND9 config) and dhcpd.conf (the DHCP3 config). The key’s name is used in the allow-update directives for the forward and reverse zones.
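As an added illustration (not the post’s own config and not copied from the linked guides), this is how the shared key and the allow-update directives fit together in the two files. The zone names, network, key name, file paths and the secret are placeholders; with BIND chrooted, the BIND-side paths are relative to the jail, and the hmac-sha256 choice assumes both daemons support it (older dhcpd 3.x releases only know hmac-md5).

```conf
# --- /etc/bind/named.conf.local (BIND side) ---
# Zone "home.lan", network 192.168.1.0/24 and key name "dhcp-update" are
# placeholders; the secret stands in for the base64 string produced when
# you generate your own key. The key block must be identical on both daemons.
key "dhcp-update" {
    algorithm hmac-sha256;   # strongest algorithm both daemons support
    secret "REPLACE-WITH-YOUR-OWN-BASE64-SECRET";
};

zone "home.lan" {
    type master;
    file "/var/cache/bind/db.home.lan";   # a directory named can write to
    # Weak: allow-update { 192.168.1.0/24; };  An address ACL lets any LAN
    # host, i.e. every DHCP client, rewrite records, and source addresses
    # are easy to forge. The post wants only the DHCP server to update, so
    # the zone accepts updates that carry a valid TSIG signature only:
    allow-update { key "dhcp-update"; };
};

zone "1.168.192.in-addr.arpa" {
    type master;
    file "/var/cache/bind/db.192.168.1";
    allow-update { key "dhcp-update"; };
};

# --- /etc/dhcp3/dhcpd.conf (DHCP side) ---
ddns-update-style interim;
ddns-domainname "home.lan.";
ddns-rev-domainname "in-addr.arpa.";
deny client-updates;   # dhcpd registers A and PTR records itself; clients are
                       # not trusted to, and BIND rejects unsigned updates anyway

key dhcp-update {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-YOUR-OWN-BASE64-SECRET";
};

zone home.lan. {
    primary 127.0.0.1;   # the BIND server; updates are signed with the key
    key dhcp-update;
}

zone 1.168.192.in-addr.arpa. {
    primary 127.0.0.1;
    key dhcp-update;
}
```

Because the zone trusts the key rather than an address, a host on the LAN that sends its own unsigned update is refused even though it obtained its lease from this DHCP server.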
Dynamic DNS updates are now working properly. The forward and reverse zones are populated with host information every time a new client connects. The next service I’m going to set up is Samba. Hopefully it won’t take as long as the DHCP/DNS setup did.
Happy new year!
Be always at war with your vices, at peace with your neighbors, and let each new year find you a better man. – Benjamin Franklin
01.Jan.08
Linux
Kudos for actually keeping security in mind for even a simple service.
Things like BIND will always be tricky ones since, by their very nature, they have to accept traffic from many, many places.
I’m not sure from what you wrote if you are protecting from unauthorized DNS updates from the outside network or the inside. If you meant inside as well, it would be interesting to examine your setup given that you are using DHCP.
As to Samba, I imagine it will take at least that long!
hehe I can tell you this much though: do yourself a favor and compile it from source. If you don’t, sure as the world you’ll find you are missing some feature later.