The Perfect Arch Linux Server

Summary

The following is a list of software I would choose when looking to make an Arch Linux server to perform any task. Most of them I have already used or am currently using. Below are some quick command lines to install a select group of software given your needs.

Wow, this took a lot of work. It took 8 months and 79 revisions to put together. If you feel I missed anything, please leave a reply.

Server Necessities

Commands to run

sudo pacman -S base-devel htop vim iotop nload

Installing yaourt is more complicated, see https://wiki.archlinux.org/index.php/Yaourt

Perfect Server

Commands to run

sudo pacman -S base-devel htop vim iotop apache php deluge nfs-utils mariadb mongodb nodejs python2 python phpmyadmin samba postfix git dovecot

Installing yaourt is more complicated, see https://wiki.archlinux.org/index.php/Yaourt

yaourt -S plexmediaserver zfs-lts

EVERYTHING...

Commands to run

you probably shouldn’t do this but…

sudo pacman -S base-devel htop vim iotop nload nethogs apache php deluge nfs-utils nbd dovecot postfix mariadb mongodb nodejs python2 python ffmpeg roundcubemail phpmyadmin samba git iptables clamav openssh openldap linux-grsec

Installing yaourt is more complicated, see https://wiki.archlinux.org/index.php/Yaourt

yaourt -S plexmediaserver zfs-lts pydio gitlab

Software

Color Coding

Essential to running/maintaining an Arch Linux server

Should be installed if you need it and are ready to spend some time installing the basics

Aren’t necessary but are recommended if you are looking for something better than what you currently have

Ready to spend some serious time fine tuning and creating the perfect server (These are advanced pieces of software that take time to get working properly)

Descriptions

 Ξ Administration

Vim (with Vundle) – I’m not going to tell you vim is the only good editor out there, but it’s one of the best, and the one I prefer. Yeah, it doesn’t tell you how to exit the program on the main screen like nano does, but for those looking to quickly edit files and who know what they’re doing, vim is the fastest (imho) editor you can have in a console. Vundle adds powerful plugins and the ability to easily change color themes. I use timss’s preset.

Screenshot: Vim with Vundle

Htop – Htop is kind of like top but better. First of all we get superior color coding so you can quickly identify things like low priority vs kernel cpu usage. It also lets you move the gauges around to fit your liking. Yeah… I don’t really know how to explain how this just destroys top, try it for yourself.

Iotop – Kind of like top, iotop lets you watch your disk activity. If you start to notice things slowing down or locking up but have already ruled out CPU or memory as the bottleneck, you can quickly check iotop to see which application is eating your disk and causing I/O blocks for other applications.

nload – As another management app, nload allows you to monitor your bandwidth consumption. It gives you a visual representation of the total amount of traffic flowing across an interface.

NetHogs – Similar to nload, nethogs allows you to see which process is using your bandwidth. It’s laid out in a way similar to top so you can see the process id and the user that is running that process.

Yaourt – Yaourt is a godsend to anyone trying to install AUR packages. It automates all the tedious tasks required to install an AUR package while still allowing the level of customization that might be required before installing the package. It also provides a useful search-type interface: you may not be able to install multiple AUR packages at a time, but you can enter a partial string and it will list anything close. Using Yaourt will require you to install the following base-devel package group.

base-devel – This is actually a group of packages set forth by the Arch Linux community to be the essential packages required in a development environment. These are the most important packages required in order to compile your own packages.

 Ξ P2P

Deluge – A powerful torrent client/server model that allows you to set up a server that can be accessed either through the client application (Win/Mac/Linux/BSD) or a web application. Deluge actually uses libtorrent, according to libtorrent’s “who’s using it” page.

Libtorrent – Libtorrent is more for the people running seedboxes that want all the features and performance possible from a torrent server. If you don’t think libtorrent is one of the most advanced implementations of the BitTorrent protocol, take a look at this screenshot:

Screenshot: libtorrent client test

 Ξ Filesystem

Ext4 – Obviously most people already know what Ext4 is; it’s the premier Linux file system that allows for all-around capabilities. If you ever don’t know which filesystem to choose, Ext4 is the safest and maybe the most performant for your needs. (Note: use ext2 for boot partitions.)

ZFS – ZFS is the filesystem I currently use to store anything. It is more fault tolerant than any other filesystem (that I know of) and easily allows you to combine drives together in order to make a pool. It also has both active and passive corruption detection and repair built in.

 Ξ File Sharing

Samba – Samba is one of the most well known file sharing protocols because it works with everything with seamless integration. If you’re using your server in an environment with several different potential operating systems, you need to have Samba.

NFS/NBD – NFS and NBD are protocols strictly developed for speed on a safe network (or for use with public files) and therefore have no authentication or encryption (unless you’re using Kerberos authentication and encryption).

 Ξ Mail

Postfix – Postfix is an extremely common MTA (mail transfer agent) that comes with a large range of customization. I mainly use it because it’s very well documented and supported. If you’ve only used sendmail up to this point, you should move on to Postfix.

Dovecot – If you’re using postfix, you should also be using an IMAP/POP3 server. Dovecot is a good choice because it easily integrates into Postfix and is easily customized to use SSL out of the box.

 Ξ Databasing

MariaDB – For those that don’t already know, MariaDB and MySQL are pretty much the same thing. MariaDB was created by the original developers of MySQL after it was acquired by Oracle. Since MariaDB is a fork of MySQL, they can basically replace each other (unless you’re doing something very advanced) in any situation. MariaDB however gets cutting edge features that aren’t implemented until a little while later in MySQL.

MongoDB – MongoDB was supposed to be the downfall of MySQL/relational database styles. Since there is no set structure for any of its documents it can be both easier to use and harder. Both have their purposes, but if you really like JavaScript, I suggest you use MongoDB. Since everything from the client to the server uses JavaScript, why not use a database with a JavaScript style syntax. But keep in mind, you need to do a lot more structuring yourself with MongoDB.

 Ξ Programming Languages

Python – Python is so incredibly useful because it is so quick and easy to use. If you need a quick little script to take care of a menial task that needs to be repeated daily, use python.

Node.js – Node.js isn’t really a language, but you can use it to do things you would otherwise do with bash or python, and it comes with a huge list of easily installable utilities that can be plugged almost instantly into your script. They can all be found at npm.

 Ξ Cloud

Pydio – I used to use ownCloud because of its open-source nature and I could easily bring my team and their documents/projects together, but it quickly got tiring. ownCloud just isn’t mature enough to be a “reliable” cloud platform. In comes Pydio. Pydio is much more aesthetically pleasing, faster, and light years more mature. Everything is broken down into modules that can quickly be added/removed and disabled/enabled to add more functionality. Pydio does have some UX issues (can’t use the mouse wheel to scroll, clickable elements don’t use a mouse pointer cursor, etc.) and uploading doesn’t work with HHVM, but it’s still a superior choice for a cloud platform. Btw, Pydio is open source too.

 Ξ Clustering

Torque – I imagine if you’re installing clustering software in the first place, you must be doing something pretty crazy anyway. Torque allows for a ton of control and is heavily documented by several educational institutions, since they’re the only ones really using clusters anyway.

Note that torque is not on the new AUR. Thus you should clone the github aur3 mirror of torque and install it that way.

 Ξ Media

Plex Media Server – Perhaps my favorite piece of software on this list. I absolutely love movies, music, and TV. Plex Media Server lets you take all of your legally obtained movie/music files and create a beautiful web interface to watch/listen to them on. It grabs a bunch of metadata on your files and displays banners, background, and cover art as well as sorting everything so it is easily accessible. Although plex has recently enabled SSL support on your servers, you still have to use their plex.tv client. You can access your server directly with a built in web client but I never really messed with that and instead made a copy of the web client, uploaded it to a web server, and edited the source to access the server directly over SSL before it was officially supported, sooooooo idk :).

ffmpeg – The VLC of video encoding. If you’re working with videos or, heck, even images, ffmpeg will do it. If I’m looking to do anything advanced with a video, whether that be taking subs from one and adding them to another, stitching together videos, or normalizing its audio, I’m gonna use ffmpeg. The biggest attribute of ffmpeg is that it will take literally any video or audio codec. I think it’s safe to say if ffmpeg doesn’t support it, nothing does. At one time I even pumped avisynth into ffmpeg, using avisynth for avisynth stuff and ffmpeg to encode the output.

 Ξ Web

Apache 2 – Now there are many web servers to choose from, but the only one I would ever use is Apache 2. The only thing other servers like Nginx can offer me is more speed or more requests per second. But by adding extensions and tweaking Apache you would be able to achieve the same result. On top of that, Apache is also by far the most compatible and documented web server there is. If anything is going to be written for a web server, it’s going to be written for Apache first.

Roundcube/RainLoop – I was looking for a good open source mail client when I found Roundcube. It’s definitely one of the best supported free mail clients and looks great if you’re willing to pay the $5 for the Googie Larry skin I use. It has a lot of support for features like different mailboxes, aliases, and SMTP/IMAP/POP3 configurations. On the other hand I’ve never tried RainLoop, but if I were looking for a new web email client, I’m sure I would give it a spin; it’s very aesthetically appealing.

Screenshot: RainLoop

Gitlab – Gitlab is absolutely the best private git repository and is a must have if you’re looking to host your own git repository. It has all the features you could ask for and is similar to GitHub so there isn’t this huge learning curve. Gitlab is an all in one git repository and there isn’t much more to be said; it does what it’s supposed to do and much more.

phpMyAdmin – I’ve tried using other SQL database management software before and the only other one I would even remotely recommend is MySQL Workbench, and only if you’re an enterprise would you need something like that. phpMyAdmin is the only software I rely on to work with any of my MySQL databases. It’s even better than most software you would pay for. I don’t know how to describe it any other way, it literally does everything I could possibly want and it has a great interface too. I suggest you download the Metro theme located here.

Deluge WebUI – As I’ve stated above, deluge is already an awesome torrent client. With the use of the LabelPlus plugin’s regex matching, you can automatically add movies, music, and TV into specific directories. Using the WebUI you can add torrents from anywhere and have them ready when you get home. On top of that, you can use Transdroid to add torrents from your Android phone.

 Ξ Version Control

Git – I’m not gonna lie, if you do version control with anything other than git you are either working for a large company where it would be too risky to switch to git or you are seriously behind the curve. I have watched group after group switch to git from other version control systems like SVN and Mercurial. The amount of industry support and the ease of use of git is outstanding. If you don’t take my word for it, take a look at this comparison article: http://biz30.timedoctor.com/git-mecurial-and-cvs-comparison-of-svn-software/. The only real con is Windows support, which has been addressed seriously with the introduction of GitHub for Windows.

 Ξ Security

Ah hardening, my old friend. Now this one is a real doozy: you have to put as many walls in the way as possible without limiting the usefulness of your systems.

Iptables – Everyone knows about Iptables but no one uses them. You don’t want traffic you don’t need, or, even worse, didn’t authorize, coming and going from your server. What’s worse, if your server sits at the edge of a network and there is no kind of filtering system, you’re inviting trouble. Iptables allows you to set rules on how traffic is handled by filtering almost every aspect of a packet. The Iptables firewall provides the most basic and essential defense against any kind of unauthorized activity.
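Applied to the roles this page describes (SSH and Mosh for administration, Apache in front of the web apps), a default-deny ruleset looks like the following. This is an added example, not the author’s own configuration; the ports are the services’ defaults, and persistence assumes the iptables.service shipped by the Arch iptables package.

```shell
#!/bin/sh
# Added example (not from the original post): a minimal default-deny IPv4
# ruleset for the roles described on this page: SSH, Mosh, and the Apache
# front end. Set IPT=echo to preview the rules instead of applying them.
IPT="${IPT:-iptables}"

fw_apply() {
    # Flush old rules and chains so the result is reproducible.
    $IPT -F
    $IPT -X
    # Default deny for inbound and forwarded traffic; outbound stays open.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    # Loopback and replies to connections the server itself opened.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # A "new" TCP packet that is not a SYN is a stray or a scan probe.
    $IPT -A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
    # SSH, dropping a source that opens more than 5 new connections per
    # minute; key-only authentication is still the real protection.
    $IPT -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW \
        -m recent --set --name SSH
    $IPT -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW \
        -m recent --update --seconds 60 --hitcount 6 --name SSH -j DROP
    $IPT -A INPUT -p tcp --dport 22 -j ACCEPT
    # Mosh sends authenticated UDP datagrams on its default port range.
    $IPT -A INPUT -p udp --dport 60000:61000 -j ACCEPT
    # Apache, and everything served through it (Roundcube, phpMyAdmin, Pydio).
    $IPT -A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
    # Log a trickle of what gets dropped so you can see who is knocking.
    $IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables-drop: "
    # Samba, NFS, Plex etc. are deliberately absent: add them per interface
    # only if they really need to be reachable from beyond the LAN.
}

# Persist the rules the Arch way: iptables.service loads this file at boot.
fw_persist() {
    iptables-save > /etc/iptables/iptables.rules
    systemctl enable --now iptables.service
}

# Number of INPUT rules in a preview; a cheap sanity check before applying.
fw_rule_count() {
    ( IPT=echo; fw_apply ) | grep -c -- '-A INPUT'
}
```

Run `IPT=echo sh fw.sh` style previews first; once the output reads right, run fw_apply as root from a console session, not over the SSH connection you are about to filter.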

ClamAV – ~To be completely honest this isn’t necessary unless files from outside your network are being uploaded to the server~ ClamAV is the standard for Linux antivirus solutions. If your server is going to handle any type of third party files you should always pass them through ClamAV. Using ClamAV to scan uploaded files not only protects the server but mainly the people that are going to access those files on more targeted Windows systems.

SSH/Mosh (private key only auth) – SSH stands for Secure Shell and is the de facto standard for accessing servers. Mosh stands for Mobile Shell. Together they provide a reliable and secure connection to any server. Mosh is a somewhat new implementation but takes security very seriously. See the two FAQ questions below as an example. While SSH provides the security, Mosh allows you to maintain a reliable connection to the server on a not so reliable network.

FAQ

Q: What is Mosh’s security track record so far?

Mosh 1.0 was released in March 2012. As of the release of Mosh 1.2.5 in July 2015, as far as the developers are aware:
In the last three years, no security vulnerabilities of any kind (major or minor) have been reported in Mosh.
No major security vulnerabilities have ever been reported in Mosh. We define major security vulnerabilities to include privilege escalation, remote code execution, denial-of-service by a third party, etc.
Two denial-of-service issues were discovered and fixed in releases in 2012. One issue allowed a mosh-server to cause the mosh-client to spend excess CPU (CVE-2012-2385, fixed in Mosh 1.2.1, released May 2012). Another issue allowed the server host to cause the mosh-client to send UDP datagrams to an incorrect address, foiling its attempt to connect (fixed in Mosh 1.2.2, released July 2012).

Q: How does Mosh’s security compare with SSH’s?

We think that Mosh’s conservative design means that its attack surface compares favorably with more-complicated systems like OpenSSL and OpenSSH. Mosh’s track record has so far borne this out. Ultimately, however, only time will tell when the first serious security vulnerability is discovered in Mosh—either because it was there all along or because it was added inadvertently in development. OpenSSH and OpenSSL have had more vulnerabilities, but they have also been released longer and are more prevalent.
In one concrete respect, the Mosh protocol is more secure than SSH’s: SSH relies on unauthenticated TCP to carry the contents of the secure stream. That means that an attacker can end an SSH connection with a single phony “RST” segment. By contrast, Mosh applies its security at a different layer (authenticating every datagram), so an attacker cannot end a Mosh session unless the attacker can continuously prevent packets from reaching the other side. A transient attacker can cause only a transient user-visible outage; once the attacker goes away, Mosh will resume the session.
However, in typical usage, Mosh relies on SSH to exchange keys at the beginning of a session, so Mosh will inherit the weaknesses of SSH—at least insofar as they affect the brief SSH session that is used to set up a long-running Mosh session.
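To make the “private key only auth” in the SSH/Mosh heading concrete, here are the sshd_config settings that enforce it, plus an audit function that flags a config still accepting passwords. This is an added example, not from the original post; it assumes OpenSSH’s keyword names and defaults, and it does not evaluate Match blocks.

```shell
#!/bin/sh
# Added example (not from the original post): enforce and audit
# key-only SSH logins. Assumes OpenSSH keyword names and defaults.

# Settings for /etc/ssh/sshd_config (or a drop-in under
# /etc/ssh/sshd_config.d/ on OpenSSH 8.2+). Validate with `sshd -t`,
# then `systemctl reload sshd`, and keep a second session open until a
# fresh key-based login has succeeded.
sshd_keyonly_settings() {
    cat <<'EOF'
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitEmptyPasswords no
PermitRootLogin prohibit-password
AuthenticationMethods publickey
EOF
}

# Effective value of a keyword: sshd uses the first uncommented match,
# so that is what we print; falls back to the given default if absent.
sshd_effective() {   # $1=config file  $2=keyword  $3=default
    v=$(awk -v k="$2" 'tolower($1)==tolower(k) {print $2; exit}' "$1")
    printf '%s\n' "${v:-$3}"
}

# Returns 0 when the file enforces key-only logins, 1 otherwise, naming
# each weak setting. Defaults mirror OpenSSH's own (passwords default on).
sshd_keyonly_audit() {
    f="$1"; ok=0
    [ "$(sshd_effective "$f" PasswordAuthentication yes)" = no ] \
        || { echo "PasswordAuthentication is on"; ok=1; }
    [ "$(sshd_effective "$f" KbdInteractiveAuthentication yes)" = no ] \
        || { echo "KbdInteractiveAuthentication is on"; ok=1; }
    [ "$(sshd_effective "$f" PubkeyAuthentication yes)" = yes ] \
        || { echo "PubkeyAuthentication is off"; ok=1; }
    case "$(sshd_effective "$f" PermitRootLogin prohibit-password)" in
        yes) echo "PermitRootLogin allows password root logins"; ok=1 ;;
    esac
    return $ok
}
```

A commented-out `#PasswordAuthentication no` is the classic trap: the audit ignores comments the same way sshd does, so that file still reports passwords as enabled.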

Grsecurity – Now this is even beyond me; the kernel wasn’t something I ever really messed with, mostly because I couldn’t afford the downtime that comes with messing with your kernel. But if you’re looking for an extremely secure system, you must install the Grsecurity kernel. I didn’t mention SELinux because Grsecurity and SELinux basically do the same thing and, according to a study at the University of Virginia and Grsecurity, Grsecurity both has many more features and a lower performance impact. Although I have never actually used Grsecurity (somehow I’ve used the nightmare that is SELinux but not this), it’s supposed to be a drop-in replacement and the easiest to use of the system hardeners.

LDAP – Oh almighty LDAP. If you’re going to have a lot of users logging into a lot of different services, use LDAP. It makes user and password management so much easier. Almost every service that might need it has the ability to use it. It allows you to have all your users and passwords in one location. It also has the added benefit of being forward compatible with anything you might want to use in the future, without having to create profiles for everyone that is going to be using it.
