Wodehouse - SheevaPlug Server
- Name: Wodehouse
- Function: Server
- Specs:
  - SheevaPlug
  - Marvell Kirkwood 1.2GHz ARM CPU
  - 512MB RAM/512MB Flash
  - 8GB SDHC Card
I've had the idea floating around in my head for a while to run my own server, mainly for email but heck why not stuff a web server on while we're at it. And as we've done that it makes sense to run my website off of it! So finally in September 2010 I decided to get off my lazy ass and do it!
I had heard some time ago about these wee little low power headless computers, specifically the SheevaPlug. This little fellow is about the size of a normal power supply for an external drive, but it contains a whole computer :0. Unfortunately squeezing this much tech inside such a little box has its issues. Primarily the internal PSU can blow. You can buy replacement PSUs but they seem to be just as vulnerable. As size isn't really an issue for me (it's more the low power for me) if and when I experience this issue I'll probably just replace the internal PSU with an external one (apparently a 5V 2A one will do the trick).
So, on with the nitty gritty then. I didn't want to run a full external hard drive on this as the point was for it to be a low power always on server, so I opted for an 8GB SD card, although am kind of thinking I should have gone for 16GB as this server will have my whole mail archive on it, but this should do me for a while. With that done I followed the instructions for installing Debian testing on the box (it actually ships with Ubuntu but I preferred a fresh install of Debian). I decided to run this server directly on the scary interwebs, so bought a /29 of IP addresses from my ISP, Zen, and decided I would run an SMTP server, IMAP server and Web server, leaving EasySpace to host my DNS, which I would just set to point www and mail to wodehouse.
I opted for Exim 4 for the SMTP server (it's the default on Debian and is quite easy to configure). I set this up to only allow relaying for authenticated users, and to use a self signed SSL cert to encrypt the sessions; this would allow me to send mail from my phone for example. I had planned on using Dovecot as the IMAP server but this seemed to want to install MySQL as a requirement! And with space being constrained I couldn't afford that wasted space, so instead I went with Courier which does the job adequately although seems to lack some features that Dovecot sports, not least of which is the ability to handle very large mail files. Oh and Courier only supports Maildir, although on reflection I've decided I prefer that anyway ;). Finally I opted (of course) for Apache as the webserver with PHP to make these here pretty interweb pages.
After a while I decided a webmail interface would be pretty handy as I don't always have an IMAP client available (although it is working nicely on my HTC Hero already). So I had a look at SquirrelMail which was a little, hmm how to put this... old fashioned ;). I then found Roundcube which is a webmail interface that is a little more up to date and supports lots of sparkly JavaScript stuff like dragging mail, and all manner of other things. With that installed I felt a little extra security was in order so I installed a self signed SSL cert in Apache for using with Roundcube. It's all working quite nicely now thankyouverymuch :D. Although I need to just knock up a quick Perl script at some point for backing up all my mail, especially with that flakey PSU :0.
Just a couple of other little things gone on the server since. I put SSH on of course for remote admin, and as is my first action disabled root logins, but after not very long I noticed out of the corner of my eye the NIC activity going crazy. Curious, I checked the logs and quickly found that some naughty fellow was trying to bruteforce my SSH server with random usernames! So I tightened up security by switching to certificate based authentication, then disabling all users but myself and finally installed DenyHosts which is a simple little log scraper that just puts anyone who tries to bruteforce my SSH into /etc/hosts.deny so they can't even talk to the server any more. Of course I made sure to add my own IP addresses to /etc/hosts.allow else I know I would one day end up locking myself out of my own server. I also monitor my Apache logs (I've been getting quite a few attempts at finding phpMyAdmin, of course that'll never work because I'm a real man and we real men hand configure our apps with vi... JK ;). Still it never ceases to amaze me how quickly these naughty little tinkers find new IP addresses to try, my server had only been up for a couple of days when I noticed the SSH attempts!
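The log-scraping idea described above, as an added example (not part of the original post and not DenyHosts' own code): it counts failed sshd logins per source in a constructed log sample and builds hosts.deny lines, skipping an allowlisted block. The log lines, the user name `owner`, the threshold of 3 and the 198.51.100.0/29 block are assumptions made up for illustration, and the allowlist is applied here when the list is built rather than through /etc/hosts.allow.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample of sshd auth log lines (documentation-range IPs, not real data).
SAMPLE_LOG = """\
Sep 20 02:11:01 wodehouse sshd[811]: Invalid user admin from 203.0.113.7
Sep 20 02:11:03 wodehouse sshd[813]: Invalid user oracle from 203.0.113.7
Sep 20 02:11:05 wodehouse sshd[815]: Failed password for invalid user test from 203.0.113.7 port 4711 ssh2
Sep 20 08:30:10 wodehouse sshd[900]: Failed password for owner from 198.51.100.2 port 5022 ssh2
Sep 20 08:30:15 wodehouse sshd[900]: Failed password for owner from 198.51.100.2 port 5022 ssh2
Sep 20 08:30:21 wodehouse sshd[900]: Failed password for owner from 198.51.100.2 port 5022 ssh2
Sep 20 08:31:00 wodehouse sshd[905]: Accepted publickey for owner from 198.51.100.2 port 5030 ssh2
Sep 20 09:02:44 wodehouse sshd[950]: Failed password for owner from 192.0.2.44 port 6001 ssh2
"""

# One failed-login event per line: a bad password or an unknown username.
FAILURE = re.compile(
    r"sshd\[\d+\]: (?:Failed password for (?:invalid user )?\S+|Invalid user \S+)"
    r" from (\S+)"
)

def failed_attempts(log_text):
    """Count failed sshd logins per source address."""
    counts = Counter()
    for line in log_text.splitlines():
        match = FAILURE.search(line)
        if match:
            counts[match.group(1)] += 1
    return counts

def deny_entries(log_text, allow=(), threshold=3):
    """Build hosts.deny lines for sources at or over the threshold, minus allowlisted networks."""
    trusted = [ip_network(net) for net in allow]
    blocked = []
    for source, count in failed_attempts(log_text).items():
        try:
            addr = ip_address(source)
        except ValueError:
            continue  # the log showed a hostname, not an address; this sketch skips it
        if count >= threshold and not any(addr in net for net in trusted):
            blocked.append(addr)
    # Sort by (IP version, address) so mixed IPv4/IPv6 input stays comparable.
    return [f"sshd: {a}" for a in sorted(blocked, key=lambda a: (a.version, a))]

if __name__ == "__main__":
    # 198.51.100.0/29 is a made-up stand-in for the admin's own address block.
    print("\n".join(deny_entries(SAMPLE_LOG, allow=["198.51.100.0/29"])))
```

Calling `deny_entries(SAMPLE_LOG)` with no allowlist also blocks 198.51.100.2, the owner's three mistyped passwords, which is the self-lockout the hosts.allow entry guards against.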