[NCLUG] Network configuration

J. Paul Reed preed at sigkill.com
Wed Oct 25 23:07:23 MDT 2000


On 26 Oct 2000 at 04:30:52, dobbster modified my mailspool to say:

> Again, one of my main goals is to get away from colocation and web
> hosting services, assuming DSL can handle it.  

I suppose it depends on how much web traffic your company gets and how many
current web hits you get; 256 K up is not all *that* much... you could use
a 486 w/ 16 megs of RAM and saturate your DSL line (I've seen this done,
BTW), so your Pentium with 96 megs will be more than adequate. 

> I wish I could justify a T1 into my house!

Don't we all... ;-)

> Physical limitations might make that impossible, unless I keep the
> servers in my living area.  Could I instead put everything behind the
> firewall and just open up port 80?

If I understand you correctly, this could get pretty messy... if you open
up port 80 on the firewall, you can forward that port to one of the internal
machines... only one of them. Unless, of course, you're running Apache on
the firewall, but that kinda defeats the purpose of the firewall.

> > Make sure you have the latest DNS and don't run NFS or NIS on your
> > firewall or other publicly accessible machines. You might think about
> > using qmail or postfix instead of sendmail so you won't be caught by
> > the next security hole that's found :-)  Be careful with ftp too.
> > NIS gives me the willies.
> 
> Ok.  My main inclination for sendmail is that I am more familiar with
> it.  

You can usually tell a "secure" environment from a non-secure one because
they have ports that aren't in use firewalled, they're running a later
version of Apache, and they're NOT running sendmail.

Qmail and Postfix rule the arena of secure MTAs, and you really are taking
a hit security-wise if you run sendmail on your firewall... as long as
you're learning about Linux, why not do some reading on Postfix/Qmail;
they're not all that hard to configure, and I know for sure that Qmail has
never been hacked (with some caveats).

> NIS is more of a luxury, and I probably don't need it.  

NIS outside of firewall == just asking for it.

> I don't plan to use anonymous FTP.  

You still want to be careful w/ picking your ftp server... some 'sploits
lately don't require anonymous FTP to be allowed, just FTP to be open.

> So far, I've been using Mandrake 6.x/7.x.  I use the stock "secure"
> kernel, and I have the services protected by

What is secure about the "secure kernel"?

Too bad you're not in SLO... you'd probably be interested in
http://www.lug.calpoly.edu/sym/ ;-)

Later,
Paul
  -----------------------------------------------------------------------
  J. Paul Reed                 preed at sigkill.com || web.sigkill.com/preed
  We're living in a world that's blowing itself to hell as fast as every-
  one can arrange it.       -- First Sgt. Edward Welsh, The Thin Red Line
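The advice in this thread boils down to two checks on a firewall or other publicly reachable host: nothing but the intended services (SSH, SMTP, the forwarded web port) should be listening on the wire, and portmap/NIS/NFS and FTP should not be among them. The script below is an added example, not code from either poster, that performs that audit over a constructed netstat-style listing; the allow-list, the port-to-service names, and the sample output are assumptions for the demonstration.

```python
"""Audit a host's listening sockets against an allow-list.

Added example, not code from the NCLUG thread. The netstat listing below is
constructed sample data; ALLOWED and RISKY are assumptions for this demo.
"""
from dataclasses import dataclass

# Constructed sample of `netstat -ln`-style output (not captured from a real host).
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:111             0.0.0.0:*
udp        0      0 0.0.0.0:2049            0.0.0.0:*
"""

# Assumption: this host is meant to expose only SSH, SMTP and the web port
# that the firewall forwards inward.
ALLOWED = {("tcp", 22), ("tcp", 25), ("tcp", 80)}

# Services the thread singles out as not belonging on a firewall.
RISKY = {111: "portmap (NIS/NFS RPC)", 2049: "nfs", 21: "ftp"}


@dataclass(frozen=True)
class Finding:
    proto: str
    addr: str
    port: int
    reason: str


def parse_listeners(text):
    """Yield (proto, addr, port) for each socket that accepts traffic.

    TCP rows must be in LISTEN state; UDP rows have no state column, so every
    bound UDP socket counts.
    """
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("tcp", "udp"):
            continue  # header or unrelated line
        if parts[0] == "tcp" and (len(parts) < 6 or parts[5] != "LISTEN"):
            continue
        addr, _, port = parts[3].rpartition(":")
        yield parts[0], addr, int(port)


def audit(text, allowed=ALLOWED, risky=RISKY):
    """Return one Finding per socket that is either risky or not allow-listed."""
    findings = []
    for proto, addr, port in parse_listeners(text):
        if addr in ("127.0.0.1", "::1"):
            continue  # loopback-only sockets are not reachable from the wire
        if port in risky:
            findings.append(Finding(proto, addr, port, f"{risky[port]} exposed"))
        elif (proto, port) not in allowed:
            findings.append(Finding(proto, addr, port, "not in allow-list; firewall it"))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_NETSTAT):
        print(f"{f.proto}/{f.port} on {f.addr}: {f.reason}")
```

Run against the sample, the audit skips the loopback-bound MySQL socket and reports the portmap, FTP and NFS sockets; anything else that is bound to a wildcard address but absent from ALLOWED is flagged as a candidate for a firewall rule. On a real host, feed it the output of `netstat -ln` and adjust ALLOWED to the services that host is actually meant to provide.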


