Ask HN: Tips to get started on my own server
-----
Why: I've always wanted to. I read some HN posts this week that have inspired me to finally make the leap. For eg,
- I read this and realised I don't know what any of these commands are (I've always used Windows), and it's time to start. https://www.brendangregg.com/blog/2024-03-24/linux-crisis-tools.html
- The SingleFile post. I already built one with Supabase that I use now, but I want to do one with the CLI, my own DB etc.
-----
Where I'm at: I have quite a bit of experience building both FE and BE for applications, mostly utilizing cloud services (serverless, hosted DBs etc). I've also hosted a few applications locally for personal use but not open to the internet, like Postgres and Nginx (all windows). Some devOps experience. Serious about security but no hands on experience with networking, I want to actually understand and reduce the attack surface and so on without just flipping a switch.
-----
What I'm asking for: Any suggestions how to go about it, resources, links, advice - please feel free to share your experiences as well. Thanks!
108 comments
[ 11.6 ms ] story [ 164 ms ] threadhttps://sive.rs/ti
Also what’s kinda cool is he encourages e-mailing him / reaching out . He’s pretty great
Definitely e-mail him if you have questions —
think he really enjoys the Hacker News crowd & is always game to be of service
1) Keep notes as you set it up. Include problems you encountered and what the solution was, develop lists of how to install and configure the various services so you can refer to them should you need to reinstall things in the future.
2) Do it one service at a time and get each service completely running before starting on the next. Your server isn't a single thing, it's a home for multiple things. Do each of those one at a time.
This. I still have a 10 year old server setup file that I refer whenever I am setting up a new server.
I once joined a company after they ran out of backend engineers and had to restore a server from a backup. Figuring out how to bring all the services up based on history was a fun ride.
Later, when you upgrade or modify the service, you can keep adding to this notes.
Also, copy any configuration files OFF the server and into you notes when you are done editing them.
What do you think?
But never too late eh :P
What if you set a goal for yourself - that whenever someone clicks the user page for CXTC on HN, it contains a link to a web page on this server you have built.
Anything further (in terms of hardware, not-self hosting, etc) is incremental.
I came to suggest the same thing. Another comment raised a good point about rpi vs a tiny x86—ARM may introduce some extra hurdles.
At the end of the day, especially when dealing with network configuration and security, you're going to make mistakes and get locked out. Having physical keyboard access can be a lifesaver and is how many of us "retro" people got started with linux administration
When searching for cheap VPS, I usually peruse https://www.serverhunter.com/
Even accounting for the electricity and network I'm going to use anyways, it's quite cheap.
I've been burnt too many times (by myself), buying domain names and arduinos and cool things I never got around to using .-.
I've used AWS a lot for larger projects but they do a lot more to create vendor lock-in which breaks the idea of a "Linux server", i.e. it's easy to end up inadvertently depending on Amazon tools.
Running your own physical server is also a valuable experience, but it's a significantly larger commitment which is less reward-per-effort in my opinion.
Till a while back, ssh sounded scary though xD
From there try to play with a bunch of the following things: (OTOH, no particular order)
setup a domain name server like bind (<something>.localhost?), setting up an SMTP service, setup an IMAP/POP3 service, set up a http server like nginx, lighttp, apache, try communicating to the http service over telnet, setup a https certificate with lets encrypt, try doing the same telnet to https and get it piped through gnutls, setup nightly backups to an external HD (try rsync), setup a spam filter for your SMTP server, try to run excalidraw on your http service, build an api that sits behind your HTTP(s). use tcpdump and wireshark to inspect network traffic.
Most of that should be google-able :)
Edit: MOAR
fail2ban, ssh-server, iptables firewall, irc server, sftp host, kubernetes cluster of virtual machines, hadoop/spark for a map reduce workload, check out https://www.cncf.io/projects/ and start to learn to build with those projects/abstractions.
Django(Python) - gunicorn - nginx
You could run it on a raspberry pi for no ongoing cost
If you need a full server to do it - that's a toy that'll get in your way.
They also require their own 2fa app instead of other common apps e.g. Google authenticator. And when you delete it, after you've been banned for no reason, you can't use it to request deletion of your data.
Do not go there. Oracle "free" tier isn't free. It's a ploy to grab your data.
You have been warned.
If you're looking for a place to experiment I don't see any better deal.
Regarding performance, if you want to dig in that topic, don't wait for a crisis for using those tools, try to understand how the system run, even if not under high load. Gregg have more tools (https://www.brendangregg.com/linuxperf.html) and a few great books.
It can be cheaper to buy your own "mini" server (e.g. a small N100 ITX computer) to use on your home network. You'll get more RAM and more disk space (e.g. 16GB ram 512GB disk) to play with compared to datacenter rental prices cumulatively adding up over a year.[1]
Unless the specific aspect of renting a public-facing server is part of your self-learning curriculum and/or you also need to access it from outside your home without NAT port-forwarding or Cloudflare reverse-proxy tunneling, you can self-host your playground server at home.
[1] compare the rental costs and cross-reference GB of RAM and GB of disk they include for the monthly price range you want to pay.
https://www.digitalocean.com/pricing/droplets
https://www.linode.com/pricing/#compute-shared
the bash `history` command is your friend.
- move sshd to other than port 22, there will still be brute forcers but it will keep the spam down in the log. You can have .ssh/config with your hostname and that set port, so you don't always have to ssh hostname -p 23456.
- speaking of sshd, fail2ban is useful
- contabo.com has cheap vps
Apart from that, what's there to say. I can't think of anything right now.
I'm a great admirer of Brendan Gregg but I have to say that 1) that's trying to run before you can walk; those tools require fairly advanced Linux knowledge to operate properly and you say that you've only used Windows, and 2) if you're primarily interested in the performance analysis aspect, analogous performance measurement tools exist in Windows, like Windows' built in performance counters and PerfMon.
If you're unfamiliar with Linux and want to get to a point where you understand the tools Brendan Gregg mentioned, I'll say something similar to what others have said: get an inexpensive used 1-liter PC¹ at home, load Ubuntu or some other popular Linux distribution, and start with Nemeth's "UNIX and Linux System Administration Handbook" to learn your way around the system. That will give you the context you need to be able to start to understand how performance analysis tools are used. After that, you can move to the cloud whenever you feel you're ready.
¹ The description at https://www.servethehome.com/introducing-project-tinyminimic... explains what they are and why they are a good value. I wouldn't recommend the Raspberry Pi because not all diagnostic tools are available on ARM and a PC is no more difficult to re-image if you make a mistake than a Raspberry Pi.
Get used to your terminal, use SSH, understand how firewalls work and run a couple of services such as nginx, fail2ban etc.
Once you have a hand of it try to do it using Ansible. It will be a valuable skill if you decide to provision, for example, a swarm of servers for a cluster. And it will give you reproducibility and a trail of steps that you will ensure get executed for each server you deploy.
You really need to understand the basics of IP and networks though, so get that right first.
Stick to some LTS linux distribution so you don’t have to think about that stuff too much, it’s annoying otherwise.
When you’re ready for hard mode start doing it on a raspberry pi on like a 0.5MB/s link, and add random reboots by pulling the plug.
Once all that’s done you’re probably close enough to found a device management company.
But wait, how can you connect to Port 22 then? I use Tailscale as a VPN for this. I installed Tailscale on my local computer and my servers, so I can use the VPN to connect to this port. The less open ports, the better.
What else... Use fail2ban or CrowdSec for banning IPs that probe your server. Don't use passwords for authentication. Don't use root, use another user. ... stuff you maybe already heard of or know. Here is a link to get started: https://blog.codelitt.com/my-first-10-minutes-on-a-server-pr...
If you knew this already, sorry, I wasn't sure where to start.
Maybe use a Hoster that provides 'Snapshots'. So you can safely play around and if something happens, just revert to your last snapshot, so you don't loose your previous work.
If you spin up a server, maybe use cloud config. You can use it to 'bootstrap' your server and let it install your main tools while it gets provisioned.
It looks something like this (HackerNews removes my line breaks...): ####
#cloud-config for installing fail2ban
package_upgrade: true
packages:
runcmd: ####If you start and mess up something, it's handy if you have a cloud init to start a new server and don't have to install the basic stuff again ;-)
I also recommend finding an old laptop and installing Ubuntu on it, you would be surprised how often doing just this brings new life to an old laptop. I usually get it a new SSD for $50 and it feels like a brand new laptop whenever I do this.
If you really want a VPS then OVH, DigitalOcean or even BuyVM offer cheap options. BuyVM will get you a KVM slice for $24 per year.
Also some commands you want to always use:
man is #1 cause it will show you documentation on any other command and how to use them
almost every program has a -h or --help that tells you how to use them as well.
1. Digital Ocean offer small VPS for $5 per month. That's a 50% saving right away!
2. Stick with Ubuntu in the beginning. It's not the best, but it's 100% good enough and has so much support and tutorials out there.
3. If you have a small VPS with not much RAM, definitely set up a swapfile. It gives you virtual RAM for doing RAM heavy things on a small VPS.
4. Use the virtual firewalls offered by your host rather than the server firewalls in the beginning. If you mess up a server firewall you may have to get your host to reset it for you. If you mess up a virtual firewall you can amend it through a web UI and get back to doing things quickly.
5. Learn to read man pages and log files. Between the two you can figure out how to do stuff, and then figure out why it isn't working correctly.
6. In terms of security, use a recent distro, use a firewall close everything you don't need, use SSH keys, and set up secure passwords for everything else, and you will avoid a lot of problems.
7. Keep an eye on resources, programs like top, uptime, free, df, and du will allow you to see what's using up CPU, RAM, or disk space.
8. Learn a relational database. MySQL or Postgres are good choices. This skill will keep you employed for years, almost every business uses a relational database in one way or another!
9. Have fun :)
What may not be good about Ubuntu for some is that it's too bloated and not difficult to learn for someone who wants to hang their hat on that.
Moving from Ubuntu to another Debian installation, including debian is no big deal.
But for someone who might have some Ubuntu experience and little other Linux experience, running an Ubuntu server might lead to fewer surprises. Ubuntus do ship with things that Debians don't have. I can't name any, since I don't use Ubuntu, but they're the things about which you either say "how nice!" or "how dull!"
Debian is molded to the server domain pretty closely; Red Hat / Rocky is ideal in regulatory environments; Alpine when the priority is to be lightweight and reliable; I run Void on my personal machines because it's the most BSD of the Linuxes and stays out of my way when I need to do weird stuff.
If you're a beginner, you can append 'ubuntu' to your google searches instead of 'linux' and get an answer that makes sense. You'll know when to move on from ubuntu when you have to search 'foo bar linux' to get a usable answer.
P.s. as an alternative to ubuntu you could check Alpine Linux (for both root vps and containers)
Good luck!
https://aws.amazon.com/ec2/instance-types/t2/
the t2.large costs about $10 a month and is particularly good for the bursty loads you'd expect for a lab server. You can get a t2.micro on the free tier as well which is a pretty weak machine. I would watch out because I once ran OpenVPN on a t2 instance that had way too little RAM and it went swap crazy and ran up a $200/month I/O bill. (For the life of me I cannot understand why AMZN doesn't support a branded VPN server that "just works")
Note Azure has the B-series which is similar to the AMZN T-series
https://azure.microsoft.com/en-us/pricing/details/virtual-ma...
and my understanding is that this is about as good.