ThaddaeusThis was my initial synopsis of the desired server
Server Design Plan
Overview/Scope
The Server should serve as a multifunctional in house hub which is capable of, but not limited to, Network Traffic Management, Firewall/Proxy Services, Web Services, VPN Services, IP Camera Management, Media Streaming, Multi Client Backup, Virtual Machine Hosting, and Mass Storage of Client Data.
As it will only be expected to serve 3 primary workstations and as many as 8 secondary clients, being an in-home server, the overall requirements should remain relatively low in comparison to most enterprise servers.
Hardware
Motherboard/Processor/Memory Reqs.
64-bit X4 Processor >= 3.2GHz
>= 16 Gb DDR 3 1600
PCIe 3.0
USB 3.0 / eSATA
SATA III
AMD-V / Intel VT (Virtualization Capability)
Networking Reqs.
>= X2 Gigabit Ethernet Adapters
Storage Reqs.
>= 1 128GB SATA III SSD
>= 3 1TB SATA III HDD*
1 3.5” Multi-Drive RAID Enclosure (must correspond to HDDs)
*These disks may be greater in size than 1TB and greater in number than 3, and may or may not be SSD’s, but they should ideally be identical
Power Reqs.
>= 400 watt PSU (main unit)
Cooling Reqs.
>= 2 250mm Fans
>= 2 120mm Fans
Software
Operating System
Slackware 64-bit Linux Server
Services
dhcp-3 (Network Management)
iptables (Firewall)
Tor (Proxy)
Kippo (SSH Honeypot)
LAMP Server (Web)
OpenVPN (VPN)
ZoneMinder (IP Camera Management)
Plex (Media Server)
rsync (Backup)
KVM (Virtual Machine Hosting)
NFS (Mass Storage)
SSH (Administration)
SFTP (Administration)
Other Packages
/Slackware-64/D Package (Compilers & Dev Tools)
/Slackware-64/K Package (Linux Kernel Source)
multilib gcc & glibc (multi library support for 32-bit & 64-bit programs)
Implementation
Arrangement/Configuration
The main board, components, & primary SSD will reside in a single chassis/rack enclosure. The secondary network storage/backup hard disk array will be in a separately powered and cooled enclosure and connect with either an eSATA or USB 3.0 Depending on RAID hardware election. We will also mount/arrange various network devices and provide a system for surge protection and eventually temperature and voltage monitoring as well as a battery backup for the entire system.
Network Configuration
The major network components consist of the Cable Modem, one or more Gigabit Switch(es), one or more Wireless Access Point(s), CAT6e Ethernet Cables, several RJ45 Wall Plates, the Server, and multiple Client Devices.
The Physical Arrangement will bring the internet connection through a wired connection from the Cable Modem into the servers 1st NIC Device and out from the 2nd NIC Device into the switch, the switch will in turn be wired to the WAPs and Wall plates where it will subsequently provide access to the Client Devices through both wired and wireless connections. The use of CAT6e and Gigabit devices will ensure maximum internet throughput and LAN connection speed.
The Logical Arrangement of the network will have the server’s 1st NIC Device Acquire the external IP Address from the Cable Modem and Create one or more Domain(s) (DHCP) which will allow for the routing of traffic to multiple devices through the use of a static gateway IP assigned to the 2nd NIC Device and the assignment of internal IP Addresses of downstream devices. All traffic routed through the Server (In & Out) will be filtered through the Firewall, and depending on the connection, a proxy service.
Services
| DHCP | The Domain Host Controller Protocol provides a service which can create any number of domains and subdomains for the sake of routing internet signal and creating LAN structure. |
| iptable | Provides specific instructions as to what traffic is allowed or disallowed based on address, port, authentication, and/or traffic pattern based rules. |
| TOR | The Onion Router Proxy will allow any clients connecting through it to appear to be connected from the location of the remote node server rather than their own MAC & IP Address and provide user with a level of anonymity. |
| Kippo | Kippo SSH Honeypot, is a primarily outward facing SSH Service which will appear legitimate while log attempts at connection/intrusion and providing no real access to internal resources. |
| LAMP | Linux Apache MySQL PHP is a common web server suite using Apache Server as its base and providing Database (MySQL) and Server Side Scripting (PHP) services to a configurable HTML directory. |
| OpenVPN | An SSH Virtual Private Network which allows for select network access from a remote location, and can be configured for group policies and to use various industry standard advanced authentication measures. |
| ZoneMinder | A feature rich Video Camera Security and Surveillance Solution that provides a LAN (and optionally an internet) web interface for viewing/recording network connected cameras and can be configured to notify users and carry out predefined actions when user set alarms are triggered. |
| Plex | A Media Server Backend which can be configured to stream multimedia across internal (or optionally external) networks to Plex Clients, XBMC Devices, and Web Browsers. |
| rsync | A File Synchronization Service through which selected directories may be synced across the LAN in order to backup files at set intervals and/or on demand. |
| KVM | Kernel Virtual Machine, is a hypervisor service which allows the netboot of an instance of a stored virtual machine across the network on a thin client. |
| NFS | Network File System is a partition type that can be configured to user and group permissions to make easily accessible network drives which can be used for storage by remote users on various platforms. |
| SSH | Secure Shell is a cryptographic network protocol with dual factor authentication which allows for remote server access/management. |
| SFTP | SSH File Transfer Protocol allows secure file upload and download to and from the server by authenticated users. |
Users & Groups
| Groups | Users |
| root | root |
| admin | thacious, quintor, ashizzle |
| proxy | torT, torQ, torA |
| vpn | vpnT, vpnQ, vpnA |
| video | mcenter, camT, camQ, camA |
| media | mcenter, medT, medQ, medA |
| vm | virtT, virtQ, virtA |
| desktop | ts, qs, ag |
| guest | guest |
these are obviously not absolute usernames but represent a typical group/user setup, by having accounts for each task and varying permissions based on group, it reduces the likelihood of messing anything up while doing what should otherwise be a normal task and provides better security by limiting the resources available in the case of a compromised login.