Let's get one thing straight: I am no wizard on this topic, I am still learning, but I find it fascinating to find out how all these things work, and to configure my server as well as possible. These pages have two purposes: they serve as my own memory, and if you find them useful, I would of course like to share the information with you. So please be advised that there are probably other places on the internet with more and better information than here, but perhaps you can find the basic pieces of information here in just this one place.
If you find errors on my pages, or if you have important supplementary information, please send me a mail.
Let me start by giving a description of the configuration of the internet server I have.
How come I am not afraid of hackers, revealing this much detailed information about my setup?
Well, first of all, my site is not at all interesting to hack, and any exploitable information given here would be figured out eventually anyway, if a really good hacker wanted to. Besides, the real threat on the internet is not a single determined hacker. After all, that hacker would need to spend a lot of time trying out different approaches to get into any single machine. The real threat is all the "script-kiddies" using a huge suite of commonly known hacker tools! A single person rarely has the luck to win a million in a lottery, no matter how many tickets he buys, yet every day someone IS winning a million, somewhere. In the same way, a hacker studying this page still has little chance to break in, but if it is at all possible, some kid will do it some day, without having read this page. So, I believe sharing this information could be more valuable to others than dangerous to myself.
My domain is mdjnet.dk - you already know that since you are here! You will need to buy your domain through a domain registrar, it is usually quite cheap, and then you can have the domain maintained through the registrar, or you can take over administration of it yourself. This is possible thanks to various services providing free DNS.
To serve my domain, I have my own server set up with www, ftp, mail and some other things. The server is a Windows 2000 box, but apart from that, the rest of the programs installed are freeware programs. In fact, at first even the box itself I had got for free, as it was an old discarded PC (thanks to Lej en IT-chef, pages in Danish); I just had to fit it with an old 6GB hard disk, which is plenty for this purpose.
Besides being an internet server, it is also the gateway to the internet from my internal network. That way, my internal clients can have private IP addresses, and thus be a little more protected from the storm on the internet.
The machine is at the moment a 900MHz Pentium with 512MB RAM, 13GB hard disk, and three network adapters: one connected to my internal (coax) ethernet, another connected to my internet router having a 512/128 Mb/s ADSL connection, and a third as a backup so the box can go directly onto the internet if the router fails; I just have to move a single cable.
However, for a long time, it only had 64MB RAM and a 3GB hard disk, and it was actually sufficient.
Windows 2000 itself only serves as the operating system; the rest of the services are provided by free third-party programs:
Tiny Personal Firewall version 2.0.15, which is free for home use (the newer versions of Tiny Personal Firewall have a small price). This firewall is continued as Kerio Personal Firewall and Sunbelt Kerio Personal Firewall, but version 2 has a tendency to crash my Windows 2000 once a day, and version 4 sometimes goes into BSOD too, so I will stick to the older Tiny version 2 for now.
BIND, which is a DNS server, serving the internal network as well as being DNS master for my domains.
VNC, a program enabling me to remotely control the desktop.
ProxyPlus, a combined proxy and mail server.
Apache 2.2, the most popular web server in the world! Whenever a security hole is discovered, a new version is available within a few days. For sure, Internet Information Server is not gonna run on any of MY computers if I can help it!
XMail, a really powerful mail server, yet minimalistic when it comes to resource consumption.
Cerberus, a simple to use and very well working FTP server. See also how to configure FTP on a firewall.
I have done a few things to Windows 2000 to squeeze it down to what it consumes of memory now: I opened the Services applet in the control panel, and then I sort of went berserk. During that process, I learned some things the hard way regarding what services to stop, and what services NOT to stop. See my notes on how services on this server are configured.
Regarding all the different things installed, a few things should be noted:
Be careful with Windows 2000 itself, it opens a lot of ports by default. Make sure that you have ONLY the TCP/IP protocol enabled for the internet connection; do NOT enable Client for Microsoft Networks or File and Printer Sharing. Also, remember to disable NetBIOS over TCP/IP. For a more elaborate discussion on various ports, see my Ports page.
Firewall: Don't go with the default settings, they are way too weak. What I did was to more or less shut down everything towards the internet, and then afterwards only open for what was necessary to make the various things work. When you think you are done, you might want to try out Steve's home page (find his "Shield's Up" and "NanoProbe" services), he might be able to change your mind. (Did you get a "Stealth!" status on all your ports, except for what is supposed to be open?)
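A small self-check in the spirit of the "Stealth!" test above, written for this page as an added example (not from the original page or from any of the tools mentioned): it probes your own server's TCP ports and flags anything that is open but not on your list of intended services, or reachable-but-closed (visible) where it should be stealth. The port numbers for the services, and the Windows RPC/SMB ports 135, 139 and 445, are assumptions; the host address is a placeholder.

```python
import socket

# Assumed TCP ports of the services this server intentionally exposes.
EXPECTED_OPEN = {21: "FTP (Cerberus)", 25: "SMTP (XMail)", 53: "DNS (BIND)",
                 80: "HTTP (Apache)", 5900: "VNC"}
# Assumed TCP ports Windows opens for RPC / NetBIOS session / SMB; these should
# never answer towards the internet once File and Printer Sharing and NetBIOS
# over TCP/IP are disabled and the firewall drops them.
WINDOWS_DEFAULT_TCP_PORTS = {135: "RPC endpoint mapper", 139: "NetBIOS session", 445: "SMB"}

def tcp_probe(host, port, timeout=2.0):
    """'open' (connect succeeded), 'closed' (RST came back, port is visible),
    or 'filtered' (no answer: the firewall silently dropped it, i.e. stealth)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except OSError:            # includes socket.timeout
        return "filtered"
    finally:
        s.close()

def audit_ports(host, ports, expected_open, probe=tcp_probe):
    """Compare each probed port against the intended policy. Returns port -> verdict:
    ok-open, expected-but-unreachable, stealth, closed-visible, unexpected-open."""
    verdicts = {}
    for port in ports:
        state = probe(host, port)
        if port in expected_open:
            verdicts[port] = "ok-open" if state == "open" else "expected-but-unreachable"
        elif state == "filtered":
            verdicts[port] = "stealth"
        elif state == "closed":
            verdicts[port] = "closed-visible"   # not exploitable, but tells a scanner a host is there
        else:
            verdicts[port] = "unexpected-open"  # a service you did not mean to expose
    return verdicts

def findings(verdicts):
    """Only the verdicts that need action, as readable lines."""
    return [f"port {p}: {v}" for p, v in sorted(verdicts.items())
            if v not in ("ok-open", "stealth")]

if __name__ == "__main__":
    host = "192.0.2.10"   # placeholder: put your own server's public address here
    ports = sorted(set(EXPECTED_OPEN) | set(WINDOWS_DEFAULT_TCP_PORTS))
    for line in findings(audit_ports(host, ports, EXPECTED_OPEN)):
        print(line)
```

Run it from a machine outside your own network; probing from the LAN side says nothing about what the internet sees.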
VNC: This one is actually a bit nasty, it takes a lot of memory when I am connected, and it also takes a lot of CPU power on the server, but I could not do without it. At one point, my server started after a boot with both mouse and keyboard failing! How do you do a graceful shutdown without the use of mouse or keyboard? Luckily VNC was installed and running, so I was able to connect and remotely do a graceful shutdown. Actually, with VNC you can even connect from a client not having the VNC software installed, simply by connecting using a Java enabled browser (if you have remembered to configure that on the server).
ProxyPlus: I was very pleased when I found this piece of software! It has a very well working proxy server, and a simple but adequate mail server. It also has some firewall abilities, but I would never trust a product that is not primarily a firewall on its own. It also has a few other shortcomings, but the downsides are very minor, and it is a product still under development, so I will recommend it warmly. Since I started with ProxyPlus, I have tried out other, more advanced mail servers: MailEnable, and most recently XMail. Both are freeware and very recommendable; I have decided to stick with XMail myself, mostly because it is open source and does not rely on odd Windows components.
One VERY important thing to remember to configure when setting up a mail server, though, is relaying. You do NOT want just anybody to use your mail server to send spam mails out; that will just make you very unpopular and get your connection cut when your ISP gets tired of complaints about your server. My ISP has decided to block the SMTP port (25) entirely, which essentially makes it impossible to have a receiving mail server at all, but they have also set up a "forwarding mail server" which is allowed to connect to my port 25, and using that server as my backup mail server, it all works like a charm. BUT if your ISP hasn't shut off port 25, it is YOUR responsibility to configure your mail server correctly. You cannot just disable port 25 in the firewall, or you will not be able to receive mail; it has to be done in the mail server software! An alternative is to use your ISP's or domain registrar's mail server (they usually offer a number of free e-mail boxes as part of the deal), and forget about the mail server altogether. At the very least, you will probably have to use your ISP's SMTP server for sending mails out; ProxyPlus requires such a server for all sending of mails.
Using a proxy server on the internal network is not all that hard, but it does require some configuring. For special connection types, ProxyPlus can be set up to route a connection request to a specified service address on the internet, but only using TCP and UDP. This is bad news for Microsoft's built-in VPN, which uses GRE (IP protocol 47) when connecting using PPTP (when using L2TP instead, this is not a problem, but perhaps the server you are to connect to only allows PPTP). However, using a Windows 2000 Server, it is still possible to configure it to route a VPN connection out on the internet.
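The relaying rule described above, as an added example that is not part of the original page and not the configuration syntax of XMail or ProxyPlus: a mail server should accept a RCPT TO for its own domains from anyone, accept outbound recipients only from its own LAN or authenticated users, and refuse everything else. The domain, the internal network and the sample addresses are constructed; the code also includes the open-relay self-test that blacklist operators run against servers, so you can confirm your policy before they do.

```python
import ipaddress

# Constructed policy: domains hosted here, and the internal network allowed to send out.
LOCAL_DOMAINS = {"mdjnet.dk"}
RELAY_NETWORKS = [ipaddress.ip_network("192.168.0.0/24")]

def relay_decision(client_ip, authenticated, rcpt):
    """Decide one RCPT TO command. Returns (accept, smtp_reply_line)."""
    rcpt = rcpt.strip("<>")
    if "@" not in rcpt or not rcpt.rpartition("@")[2]:
        return False, "501 5.1.3 Bad recipient address syntax"
    domain = rcpt.rpartition("@")[2].lower()
    if domain in LOCAL_DOMAINS:
        return True, "250 2.1.5 OK"           # inbound mail for us: always accepted
    ip = ipaddress.ip_address(client_ip)
    if authenticated or any(ip in net for net in RELAY_NETWORKS):
        return True, "250 2.1.5 OK"           # our own users sending out through us
    return False, "554 5.7.1 Relay access denied"   # stranger to stranger: this is spam

def allow_all_relay(client_ip, authenticated, rcpt):
    """The dangerous setting: every recipient accepted from every client (an open relay)."""
    return True, "250 2.1.5 OK"

def is_open_relay(policy):
    """Self-test: an unauthenticated client from the internet asks us to deliver to a
    foreign domain. A correctly configured server must refuse this."""
    accept, _ = policy("203.0.113.5", False, "<victim@example.net>")
    return accept

def session(policy, client_ip, authenticated, rcpts):
    """Replies a server with the given policy would give to a list of RCPT TO commands."""
    return [policy(client_ip, authenticated, r)[1] for r in rcpts]

if __name__ == "__main__":
    for name, policy in (("restricted", relay_decision), ("open", allow_all_relay)):
        print(f"{name}: open relay = {is_open_relay(policy)}")
```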
Last revised: 2008-03-08