Difference between revisions of "Build your storage server"

From Shadow EN Community Wiki
Latest revision as of 13:54, 9 June 2019

This is an advanced guide.

This is your last chance. After this, there is no turning back. You read the guide: the story ends, you wake up in your bed and use whatever storage you have. You keep on reading, and I show you how deep the rabbit hole goes. Remember: all I'm offering is storage. Nothing more.

Information, disclaimer


  • This guide is mainly for the PARIS Datacenter of Shadow, because we will be using OneProvider, who is a reseller of Online and basically has its data center in Paris. Of course, you can use this guide for any Shadow datacenter, but you have to find a provider that has machines in the same city or same datacenter. Latency is very crucial for this to work.
  • I, the mods, the staff, Shadow, no one received any kind of compensation for this. Sadly. Very sadly. Please send food.
  • Me (Aa), the mods, Shadow, Blade Group - no one is or will be responsible for any damage, or liable to any degree.
  • If you get stuck, you can nag me on Discord about it. Find Aa#2498. You can DM, tag me, whatever. But I can't guarantee anything. $0 remote tech support is not something you can live off, sadly.
  • Parts that are OneProvider specific will be mostly, but not always, marked with [OP].
  • Parts that are optional will be marked [OPTIONAL].
  • Follow the VHD guide in the Extra Storage guide to make the storage appear "local".


So, why do we do this? Is it worth the bother?

  • It's storage. NOW.
  • It's fast. Not SSD, but fast.
  • It's cheap. 7 euro?
  • You may learn a thing or two.
  • It's there NOW, you can get storage NOW.

README

$ su
^ This means we go root. Root is like Administrator. With power comes responsibility.


You can quit from the "nano" text editor that we will use with CTRL+X, and then Y, then ENTER.


To change password for your user:
0) su
1) passwd username

To change your Windows Share password:
0) su
1) smbpasswd -a username

First step: Getting a server

>
Order a server you wish to use.
Simply head over to OneProvider's website, and pick one.
Link: https://oneprovider.com/dedicated-servers/paris-france

>
You will have to do a verification maybe, or whatever. Do it.
Server also takes some time to deliver.

>
Keep checking the site. Once the server is there, you can select it and pick "reinstall", to install the machine.

OS: I would go with Debian 8, it's much newer than their Ubuntu 14.04.
Yes, their images are awfully old. Deal with it.
Partitions:
I simply have a /boot 1GB
and the rest goes to /.

>> but don't we need swap?!?!?!
> You can add a file based swap later on, anytime. In fact, we will add one later.
>> why no /home?!?!?!
> We are not trying to build an enterprise server here, but have a place for your data.
> A separate /home allows you to reinstall the server without losing all your data. But it also takes up space. Think of it as those 90s partitioned-up Windows XP installations, with the C:, D:, E: drives. Yepp. Resizing these partitions is also no simple feat. So you either end up losing a chunk of storage space (the bite that / takes out), or end up with not enough (so / grows out of its given size). 30GB is a good healthy / size, although I just go with 50 if I've got space to spare.
> If you want, you can make / 30GB for example, and let /home take up all the rest of the space.
> So an example setup of this would be:
/boot 1GB ext4
/ 30GB ext4
/home ?GB ext4

Pick a username. You can only pick letters. Example: okbgjeeh
Password. Keep it simple. Example: DD30uBqDWFnHA00
Hostname. Whatever you want.


Connecting to our server

First, we will need an SSH utility which you will use to "command" your server.
Now, don't panic. The terminal with the black screen and white text may seem menacing at first, but it is a much easier way to input the right commands, with no room for mistakes.

> So, the tool you will use is called "KiTTY". [ Download: http://www.9bis.net/kitty/?page=Download] You can grab the normal, the portable client. I prefer portable, and I usually put it in my OneDrive so it's backed up. If you are an advanced SSH user, use whatever you want.

> Now we connect to our server using KiTTY. Here are a few things I set, you can set them, you can opt not to set them. IDC.

What we set here:

PIC1

Host name: The IP address of your brand new server.
Port: Leave it on default [22] for now.
Saved Sessions/New folder: Type in a name you want. Like "my little server".

PIC2

Seconds between keepalives: [50] - it's there, so the connection never closes. 50 is like.. a value. You can set 69, yes.
Reconnect options [OPTIONAL]: Tick both boxes. If your PC goes to sleep, loses internet, it will reconnect.

PIC3

Auto-login username: Use your username. Root login is not allowed by default.
Auto-login password: What you specified earlier.

Updating to Debian 9

> Now we have to update to Debian 9. Such is life.
Steps are simple enough.

0) su
^ we go root, the God, the almighty. the admin.
1) apt update && apt install tmux screen
^ we need a few tools.
2) cp /etc/apt/sources.list /etc/apt/sources.list.original
^ we do a backup of the original
3) sed -i 's/jessie/stretch/g' /etc/apt/sources.list
^ this will make our system use the Debian 9 (stretch) package lists instead of the Debian 8 (jessie) ones
4) tmux
^ this will simply open tmux. tmux is a tool that lets you continue your work, even if you disconnect, your PC crashes, whatever happens.
^ to do so, simply reconnect and type "tmux attach". and voila'.
5) apt update && apt dist-upgrade
^ this will do a full system upgrade once you agree to it.
6) sync && reboot
^ sync writes out all the data from buffers, and reboot will... well, go guess.
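Same release swap as steps 2 and 3 above, as an added example that is not part of the original guide: it keeps the backup, does the jessie-to-stretch replacement, and then checks that no "jessie" token is left behind before you run dist-upgrade (a half-converted sources.list would pull packages from two releases). The sources.list content is constructed for the demo and the script works on a temp copy, so it runs without root; point it at /etc/apt/sources.list when doing it for real.

```shell
#!/bin/sh
# Added example (not from the wiki): rewrite a sources.list from one Debian
# codename to the next, with a backup and a check that the swap was complete.
# Runs on a constructed copy so it can be tried anywhere without root.

# Constructed sample of a Debian 8 (jessie) sources.list, not a real provider file.
SAMPLE_SOURCES=$(mktemp)
cat > "$SAMPLE_SOURCES" <<'EOF'
deb http://deb.debian.org/debian jessie main contrib non-free
deb-src http://deb.debian.org/debian jessie main
deb http://security.debian.org/ jessie/updates main
deb http://deb.debian.org/debian jessie-updates main
EOF

# switch_release FILE FROM TO: backs FILE up to FILE.original (only once, never
# overwriting an existing backup), replaces every FROM codename by TO, then
# verifies no FROM word is left. Restores the backup and returns 1 on failure.
switch_release() {
    file=$1; from=$2; to=$3
    [ -f "$file.original" ] || cp "$file" "$file.original"
    sed "s/$from/$to/g" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    if grep -qw "$from" "$file"; then
        echo "ERROR: '$from' still present in $file, restoring backup" >&2
        cp "$file.original" "$file"
        return 1
    fi
    return 0
}

# count_codename FILE NAME -> number of lines that still name that release
count_codename() {
    grep -cw "$2" "$1" || true
}

switch_release "$SAMPLE_SOURCES" jessie stretch && cat "$SAMPLE_SOURCES"
```

Direction matters: the sed pattern is `s/OLD/NEW/`, so the old codename comes first. After a successful run, `count_codename FILE jessie` is 0 and the untouched copy sits in `FILE.original` for a quick rollback.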

Now we have Debian 9. You might be surprised, but there is really not much left to go.

Setting up our network share

0) su
^ we need dem' God powers
1) apt update && apt install fail2ban mc nano samba ufw
^ we need a few things
2) nano -w /etc/samba/smb.conf
^ now we edit the Windows Share

What we do here:

- First, just below [global] we add this:
hosts allow = 85.190.

This will ONLY allow BLADE/Shadow networks to even try to connect to our Share.

- Second, go down.
Comment out the [printers] and [print$] thing with the ";" symbol.

- Third, we add our new share.

[data]
  comment = Data share
  path = /home/username/0/
  valid users = username
  browseable = yes
  writeable = yes
  create mask = 0700
  directory mask = 0700
  guest ok = no


Make sure to replace "username" in 'path' here!
Make sure to replace "username" in 'valid users' here!
Yes, you can rename "data", it will be used for the share name. You can call it whatever.
Yes, it can be /home/username/xyz/ folder too. I don't care. 0 is 0 because it appears first in the folders later on.
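To check that the edits above actually landed (hosts allow under [global], printers commented out, the [data] share locked to one user with guest access off), here is an added example that is not part of the original guide: a small POSIX sh audit that parses an smb.conf and fails loudly on each missing item. The config it reads is constructed inline to mirror the guide's layout; the function names (`section_value`, `audit_share`) are mine, not Samba's. Run it against /etc/samba/smb.conf before `service smbd restart`.

```shell
#!/bin/sh
# Added example (not from the wiki): audit a Samba config for the settings
# the guide relies on. Reads a constructed smb.conf written to a temp file.

# Constructed sample config, mirroring the guide's [global] + [data] layout.
SAMPLE_SMB_CONF=$(mktemp)
cat > "$SAMPLE_SMB_CONF" <<'EOF'
[global]
   workgroup = WORKGROUP
   hosts allow = 85.190.
   server role = standalone server
;[printers]
;   path = /var/spool/samba
[data]
   comment = Data share
   path = /home/username/0/
   valid users = username
   browseable = yes
   writeable = yes
   create mask = 0700
   directory mask = 0700
   guest ok = no
EOF

# section_value FILE SECTION KEY -> prints the value of KEY inside [SECTION]
# (empty if absent). Lines commented with # or ; are ignored.
section_value() {
    awk -v sec="[$2]" -v key="$3" '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/   { s = $0; gsub(/^[ \t]+|[ \t]+$/, "", s); insec = (s == sec); next }
        insec {
            split($0, kv, "=")
            k = kv[1]; gsub(/^[ \t]+|[ \t]+$/, "", k)
            if (k == key) {
                v = substr($0, index($0, "=") + 1); gsub(/^[ \t]+|[ \t]+$/, "", v)
                print v; exit
            }
        }' "$1"
}

# audit_share FILE SHARE -> prints one FAIL line per missing hardening item,
# returns 0 when every check passes and 1 otherwise.
audit_share() {
    file=$1; share=$2; rc=0
    [ -n "$(section_value "$file" global "hosts allow")" ] \
        || { echo "FAIL: [global] has no 'hosts allow' restriction"; rc=1; }
    [ "$(section_value "$file" "$share" "guest ok")" = "no" ] \
        || { echo "FAIL: [$share] must set 'guest ok = no'"; rc=1; }
    [ -n "$(section_value "$file" "$share" "valid users")" ] \
        || { echo "FAIL: [$share] has no 'valid users' list"; rc=1; }
    case "$(section_value "$file" "$share" "create mask")" in
        0700|0600) ;;
        *) echo "FAIL: [$share] 'create mask' is not owner-only"; rc=1 ;;
    esac
    # An un-commented [printers] section is a share the guide told us to disable.
    if grep -q '^[ \t]*\[printers\]' "$file"; then
        echo "FAIL: [printers] section is still active"; rc=1
    fi
    return $rc
}

audit_share "$SAMPLE_SMB_CONF" data && echo "OK: share 'data' passes all checks"
```

The `hosts allow` check only confirms the line exists; Samba's own `testparm` (part of the samba package) is still the tool to run afterwards for syntax.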

Add a share user

1) smbpasswd -a username
^ We add a user to the share. YES, this could be different than the system user name, but then you have to use this in /etc/samba/smb.conf as well. ^ Up to you. I don't care. This way, it was easier. Sue me.
2) service smbd restart
^ Restart Samba

Connect from Windows

1) Open Explorer
2) Map network drive.
3) Enter the IP + share name, such as: \\12.12.12.12\data
4) Tick "Use different..." and type in the user+pass you just gave before.

[OPTIONAL] Safeguard the server

Your Samba is pretty safe this way. Choose an obscure user and password, and no one will ever bruteforce you. I mean, they have to be from Shadow in the first place lol.

But, we have to protect SSH.

0) su
^ we need root
1) nano -w /etc/ssh/sshd_config
^ edit the config
2) find "#Port 22"
3) Edit to whatever port you want, like:
Port 2345
4) save & exit from nano


Let's configure fail2ban.
0) su
1) sed -i 's/= ssh/= 2345/g' /etc/fail2ban/jail.conf
^ change 2345 for the port you just used above
2) service fail2ban restart
^ let's restart/reload fail2ban
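The port change and the fail2ban change above have to agree, or fail2ban quietly watches port 22 while sshd listens somewhere else. Here is an added example that is not part of the original guide: a POSIX sh script that sets the Port in an sshd_config, refuses bogus ports, and writes a matching fail2ban jail.local. One difference from the guide: instead of sed on jail.conf it writes /etc/fail2ban/jail.local, which fail2ban reads on top of jail.conf, so a package upgrade cannot overwrite the change. The file paths are parameters and the sshd_config content is constructed, so the demo runs on temp files; the function names are mine.

```shell
#!/bin/sh
# Added example (not from the wiki): move sshd to a new port and keep the
# fail2ban sshd jail on the same port, on constructed copies of the config files.
# Paths are parameters so nothing here touches the real /etc.

# set_ssh_port SSHD_CONFIG PORT: rejects anything outside 1024-65535, then
# replaces the (possibly commented) "Port" line or appends one if none exists.
set_ssh_port() {
    cfg=$1; port=$2
    case "$port" in
        *[!0-9]*|'') echo "ERROR: port must be numeric" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1024 ] || [ "$port" -gt 65535 ]; then
        echo "ERROR: port $port outside 1024-65535" >&2; return 1
    fi
    if grep -Eq '^[# ]*Port[[:space:]]+[0-9]+' "$cfg"; then
        sed -E "s/^[# ]*Port[[:space:]]+[0-9]+.*/Port $port/" "$cfg" > "$cfg.tmp"
    else
        { cat "$cfg"; echo "Port $port"; } > "$cfg.tmp"
    fi
    mv "$cfg.tmp" "$cfg"
}

# write_fail2ban_jail JAIL_LOCAL PORT: writes a jail.local that overrides the
# distro jail.conf (fail2ban reads .local on top of .conf).
write_fail2ban_jail() {
    cat > "$1" <<EOF
[sshd]
enabled = true
port = $2
maxretry = 5
bantime = 3600
EOF
}

# configured_ssh_port SSHD_CONFIG -> the active Port value (22 if none is set)
configured_ssh_port() {
    p=$(grep -E '^Port[[:space:]]+[0-9]+' "$1" | tail -n1 | awk '{print $2}')
    echo "${p:-22}"
}

# jail_port JAIL_LOCAL -> the port fail2ban will watch
jail_port() {
    awk -F= '/^port[[:space:]]*=/ { gsub(/ /, "", $2); print $2; exit }' "$1"
}

# Constructed sshd_config fragment and an empty jail.local (demo only)
DEMO_SSHD=$(mktemp); DEMO_JAIL=$(mktemp)
printf '#Port 22\nPermitRootLogin no\nPasswordAuthentication yes\n' > "$DEMO_SSHD"

set_ssh_port "$DEMO_SSHD" 2345 && write_fail2ban_jail "$DEMO_JAIL" 2345
echo "sshd listens on $(configured_ssh_port "$DEMO_SSHD"), fail2ban watches $(jail_port "$DEMO_JAIL")"
```

On the real box: run `sshd -t` to syntax-check the edited file, keep your current KiTTY session open, restart sshd and fail2ban, and only then try a second connection on the new port. If you ever enable the ufw that step 1 of the share setup installed, allow the new port there first or you lock yourself out.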

But Aa, can't we use key based auth?!

Of course you can. Just disable password auth in sshd_config, and add your key.
This is not so simple, so for normal people I would not recommend this. Trust me. Custom port + fail2ban + strong password... you are SAFE.
- Get PUTTYGEN
- Make yourself a key (MAKE SURE TO SAVE IT SAFE LMAO)
- Export it to ppk, ssh, all kind of formats
- Copy up the pub format to your ~/.ssh/authorized_keys

-- chmod 700 ~/.ssh
-- chmod 600 ~/.ssh/authorized_keys


- Select the .ppk in KITTY, save it to your profile
- Done

NO it is not easy, NO it is not needed. Shoo, now!
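For those who ignore the "shoo": the step that trips people up is the authorized_keys copy and the two chmods, because sshd silently refuses a key file with loose permissions. Here is an added example that is not part of the original guide: a POSIX sh function that creates ~/.ssh as 0700, appends the public key only if it is not already there, and leaves authorized_keys at 0600. The home directory is a parameter and the key string is a constructed placeholder (not a real key), so the demo runs in a temp directory; the function names are mine.

```shell
#!/bin/sh
# Added example (not from the wiki): install a public key into a user's
# authorized_keys idempotently, with the permissions sshd insists on.
# HOME_DIR is a parameter so the demo runs against a temp directory.

# install_pubkey HOME_DIR "ssh-ed25519 AAAA... comment": creates .ssh (0700),
# appends the key only if not already present, keeps authorized_keys at 0600.
install_pubkey() {
    home=$1; key=$2
    dir="$home/.ssh"; akeys="$dir/authorized_keys"
    case "$key" in
        ssh-ed25519\ *|ssh-rsa\ *|ecdsa-sha2-*) ;;
        *) echo "ERROR: not an OpenSSH public key line" >&2; return 1 ;;
    esac
    mkdir -p "$dir" && chmod 700 "$dir"
    touch "$akeys" && chmod 600 "$akeys"
    # Compare on key type + blob only, so a changed comment is not a "new" key
    blob=$(printf '%s\n' "$key" | awk '{print $1, $2}')
    if ! awk '{print $1, $2}' "$akeys" | grep -qxF "$blob"; then
        printf '%s\n' "$key" >> "$akeys"
    fi
}

# key_count HOME_DIR -> number of keys currently authorized
key_count() {
    grep -cE '^(ssh-|ecdsa-)' "$1/.ssh/authorized_keys" || true
}

# ssh_perms_ok HOME_DIR: exit 0 when .ssh is 0700 and authorized_keys is 0600
ssh_perms_ok() {
    [ -n "$(find "$1/.ssh" -maxdepth 0 -perm 0700)" ] &&
    [ -n "$(find "$1/.ssh/authorized_keys" -maxdepth 0 -perm 0600)" ]
}

# Constructed demo key (placeholder blob, not a real key pair) in a temp home
DEMO_HOME=$(mktemp -d)
DEMO_KEY="ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYBLOBNOTREALxxxxxxxxxxxxxxxxxxx demo@pc"
install_pubkey "$DEMO_HOME" "$DEMO_KEY"
install_pubkey "$DEMO_HOME" "$DEMO_KEY"   # second call must not duplicate the key
echo "keys: $(key_count "$DEMO_HOME"), perms ok: $(ssh_perms_ok "$DEMO_HOME" && echo yes || echo no)"
```

Test the key login in a second KiTTY window before you flip PasswordAuthentication to no in sshd_config; the old session stays as your way back in if the key does not work.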

[OPTIONAL] Auto fix permissions

0) su
^ need to be root
1) crontab -e
^ we gotta edit our 'cron'... don't ask.
2) pick /bin/nano (usually just have to press enter)
3) go down to the bottom of the file, in an empty line:
@hourly chown -R username:username /home/username/
^ this will change ownership back to your user each hour. Usually you don't need this, but if something ever messes up permissions, this will fix it.

How to update your server

Very occasionally, you can update your server. It's very simple.
0) su
^ need root
1) apt update && apt dist-upgrade
^ at this step you just say yes unless you see some scary warning, whatever. but I assure you that you won't.
that's it. you can reboot the server IF you want, by:
2) sync && reboot


Extra notes of this extra guide

Remaining attack vectors

  • OpenSSH uses password-based authentication. But that's still fairly secure. I included the main steps for key based, but that's tough for a newbie.
  • Samba can be bruteforced if someone uses Shadow. But they break TOS of Shadow and OneProvider both. In fact, they have to do a full wide port scan to even discover open samba shares on OneProvider. Too much risk. But, you can add samba to fail2ban. Mind you, this requires samba to have extensive logging which will slow down performance. I wouldn't bother.

Watching your RAID

  • If you pick a server with more than 1 HDD, you can use RAID.
  • Some servers have hardware raid inside. You can enable/set this in the control panel. IF you opt to use the hardware raid...
    • You will need to find .deb packages for the given RAID utility/tool.
    • You will need to figure out how to query the controller, what means OK and what means borked.
    • Then, you will need to write a script usually, that checks the output AND sends out an email if something goes bad. MAYBE some utilities have this functionality built in. The ones I have seen were very old, and very limited. I simply just write my own Python script for this job.
  • Or, you go with software RAID. Simply pick NO raid during control panel and then...
    • Set up MDRAID with the two or more disks.
    • Set up "ssmtp" or whatever mail server you prefer. You can use "mailgun", or Amazon SES to send out your mail.
    • Set up MDRAID's config with the proper recipient.
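For the software RAID route, the "check the output and mail me" script does not have to be Python: /proc/mdstat is plain text and a few lines of awk can tell a healthy [UU] from a degraded [U_]. The following is an added example that is not part of the original guide, written to run from the hourly cron job above or by hand. It parses a constructed mdstat (md0 healthy, md1 with one member missing) so it can be run on any machine; pass /proc/mdstat to `degraded_arrays` on the real server. The function names are mine.

```shell
#!/bin/sh
# Added example (not from the wiki): report degraded MD arrays from /proc/mdstat.
# Parses a constructed mdstat file here; use the real /proc/mdstat in production.

# Constructed /proc/mdstat: md0 healthy, md1 missing one member ([U_]).
SAMPLE_MDSTAT=$(mktemp)
cat > "$SAMPLE_MDSTAT" <<'EOF'
Personalities : [raid1]
md0 : active raid1 sda1[0] sdb1[1]
      976832 blocks super 1.2 [2/2] [UU]

md1 : active raid1 sda2[0]
      1953382400 blocks super 1.2 [2/1] [U_]

unused devices: <none>
EOF

# degraded_arrays MDSTAT_FILE -> prints "mdN expected/active" for each array
# whose status line has a missing member ('_' inside the [U...] brackets).
degraded_arrays() {
    awk '
        /^md[0-9]+ :/ { dev = $1; next }
        dev != "" && /\[[0-9]+\/[0-9]+\] \[[U_]+\]/ {
            if ($0 ~ /\[[U_]*_[U_]*\]/) {
                match($0, /\[[0-9]+\/[0-9]+\]/)
                print dev, substr($0, RSTART + 1, RLENGTH - 2)
            }
            dev = ""
        }' "$1"
}

# raid_healthy MDSTAT_FILE: exit 0 if no array is degraded, 1 otherwise
raid_healthy() {
    [ -z "$(degraded_arrays "$1")" ]
}

if raid_healthy "$SAMPLE_MDSTAT"; then
    echo "RAID OK"
else
    echo "RAID DEGRADED:"; degraded_arrays "$SAMPLE_MDSTAT"
fi
```

A `[U_]` also shows up while a replaced disk is still rebuilding, which is exactly when you want to know about it, so treat every hit as worth a mail. The "proper recipient" in MDRAID's config is the MAILADDR line in mdadm.conf, which `mdadm --monitor` uses for the same kind of alert; this script is the hand-rolled fallback for when you want your own mail setup.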


The choice is yours.

Guide was written by @Aa#2498 - Shadow EN Moderator