[NCLUG] Network configuration

Quent quent at pobox.com
Wed Oct 25 23:44:02 MDT 2000


There are *lots* of web-colo companies out there. I share a box on
rackspace.com with a friend and another friend runs dynodns.net on
another. You get root and total control of the box; nobody else is on
it. You can install whatever you want. (I get absolutely nothing by
saying their name; I'm not promoting them). I'm sure there are other
similar deals out there -- maybe even better ones.

Well, if your telco wire handles it, you could always increase your DSL
speed for more $$$.

I think this list is filled with sysadmin types. It's great to be
able to bounce ideas off others and to be able to ask questions.
Lone-sysadmining is no fun.

On the DMZ thing, I was thinking of a layout like this, in
an ASCII art kind of nightmare:


            <----{dsl}---------[ hub ]
                                 | |
                                 | |
                 ^   ============|=|=======================
                 |               | |
                 |               | +------+
                DMZ              |        |
                 |         [firewall] [web server]
                 |               |
                 v   ============|=========================
                     ^           |
                     |        [ hub ]
                 Private        | |
                     |          | +-----+
                     v          |       |
                       [workstation]    |
                                        |
                                 [workstation]

If you used port redirection, or NAT, to have a web server where I've
shown workstations, that would work but there's a risk.  If the web
server was cracked, they would be on a machine on your private network.
If a DMZ web server is cracked, and the firewall doesn't permit incoming
connections to itself from the web server, they would be restricted. It
would still suck, but it would suck less. Hubs are cheap.

Given that even sites like Slashdot have been broken into, it seems like
a good idea to isolate public web servers.

This is all assuming a business needs to minimize risk.  For a home
setup I bet most people are just fine with running a single box with
everything on it and a combo of ipchains and tcpd.

The main problem with tcpd is that it's only for handling TCP.  Firewall
software lets you control *all* the packets and deal with bad things like
TCP packets with weird bits set, ICMP redirects and strange fragmented
badness :-)

	Quent

On Thu, Oct 26, 2000 at 04:30:52AM +0000, dobbster wrote:
> > Now here's my 2 cents worth. Others will probably give much better
> > advice :-)
> 
> Actually, I am very grateful - Your advice is excellent.  I am hoping to
> hear more from others about it, too.
> 
> > Since you don't have a large pipe to the Internet I don't think it makes
> > sense to build a web farm.  Why not use virtual sites on one server? Why
> > not build a faster machine, which could host multiple domains, and
> > spend way less on electricity?
> 
> We currently have two WWW servers.  We run virtual sites on one of our
> servers, which is expensively colocated at what was Verinet.  The other
> one is hosted through Verio; on that one, I'd like more control over the
> server configuration and security.  They run an ancient version of
> Apache on an ancient version of FreeBSD, and there seem to be lots of
> security holes.  Yuck.  This setup is a result of the unexpected growth
> of our company and the fact that I was relatively clueless when we
> started out.
> 
> > Besides, how much web traffic can a 256K line handle? Remember that you
> > really only have 13Kbps of bandwidth and will pay extra money to FRII
> > for any average utilization that goes above that.  So now you're talking
> > about electricity, pain and hassle of multiple machines, ISP charges and
> > extra bandwidth utilization charges.  If you've got a bunch of domains
> > to web host, you might be better off going with a web hosting service
> > or colocation deal. On the other hand, it might just be a fun thing
> > to do! It all depends on what your goal is.
> 
> The "Fun" part definitely plays a role. :-)  I'd also like to make use
> of all of these old pentiums stacked up in my living room.  However, I
> see your point.  I have no clue how much bandwidth our servers currently
> use.  Is there a simple traffic analysis tool I could use?
> 
> I get some info from analog on our colocated server, but the apache
> logfiles at Verio are next to useless.
> 
> Again, one of my main goals is to get away from colocation and web
> hosting services, assuming DSL can handle it.  I wish I could justify a
> T1 into my house!
> 
> > The "how-to's" on firewalls and ipchains are pretty helpful.  Learn as
> > much as you can!
> > 
> > I think I would put publicly accessible web servers on their own LAN
> > (i.e. a DMZ) and not on the same side of the firewall as my private stuff.
> 
> Physical limitations might make that impossible, unless I keep the
> servers in my living area.  Could I instead put everything behind the
> firewall and just open up port 80?
> 
> > Make sure you have the latest DNS and don't run NFS or NIS on your
> > firewall or other publicly accessible machines. You might think about
> > using qmail or postfix instead of sendmail so you won't be caught by
> > the next security hole that's found :-)  Be careful with ftp too.
> > NIS gives me the willies.
> 
> Ok.  My main inclination for sendmail is that I am more familiar with
> it.  NIS is more of a luxury, and I probably don't need it.  I don't
> plan to use anonymous FTP.  
> 
> > A stock, non-firewalled, Redhat system is likely to be cracked within days
> > of being connected to the Internet.
> > 
> > With a little effort and time spent learning, you can set up
> > a good firewall and be pretty safe.
> 
> So far, I've been using Mandrake 6.x/7.x.  I use the stock "secure"
> kernel, and I have the services protected by
> tcpd/hosts.allow/hosts.deny.  I use ssh, and I also have some tools
> (aide/hostsentry/portsentry) running, and it seems that they haven't
> cracked my colocated server yet...  It's been up about six months.  Do
> you think this is good enough for a non-firewalled server?
> 
> Thank you very much for your help...  Like I said, I seem to be alone in
> the sysadmin world, and every bit of advice is invaluable.
> _______________________________________________
> NCLUG mailing list
> NCLUG at nclug.org
> http://www.nclug.org/mailman/listinfo/nclug
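Added example, not from either message in this thread: a small first-match packet-filter model of the DMZ layout Quent sketches (Internet / DMZ / private LAN behind one firewall), written in the stateless, SYN-flag style ipchains used. The zone names, the Packet fields, the rule list and the tcpd_can_filter helper are my assumptions; it shows why a cracked DMZ web server is boxed in, and which packets tcpd never gets to see.

```python
from dataclasses import dataclass, asdict

@dataclass
class Packet:
    src: str             # zone: "internet", "dmz", "private"
    dst: str             # zone, or "firewall" for the firewall host itself
    proto: str           # "tcp", "udp", "icmp"
    dport: int = 0
    syn: bool = False    # TCP SYN without ACK = new connection attempt (ipchains -y)
    icmp_type: int = -1  # 5 = ICMP redirect
    fragment: bool = False

# Hypothetical ordered rule set: first matching rule wins, like an ipchains chain.
# A matcher lists the packet fields that must be equal for the rule to fire.
RULES = [
    ({"fragment": True}, "DENY"),                          # no fragment games
    ({"proto": "icmp", "icmp_type": 5}, "DENY"),           # no ICMP redirects
    ({"src": "dmz", "dst": "firewall"}, "DENY"),           # cracked web box can't reach firewall
    ({"src": "dmz", "dst": "private"}, "DENY"),            # ...nor the private LAN
    ({"dst": "dmz", "proto": "tcp", "dport": 80}, "ACCEPT"),    # public web service
    ({"src": "dmz", "proto": "tcp", "syn": False}, "ACCEPT"),   # web server replies only
    ({"src": "private"}, "ACCEPT"),                             # private may go out
    ({"src": "internet", "dst": "private", "proto": "tcp", "syn": False}, "ACCEPT"),
]
DEFAULT_POLICY = "DENY"   # anything unmatched, incl. new DMZ->Internet connections

def evaluate(pkt: Packet, rules=RULES) -> str:
    """Return ACCEPT or DENY for a packet crossing the firewall."""
    fields = asdict(pkt)
    for match, target in rules:
        if all(fields[k] == v for k, v in match.items()):
            return target
    return DEFAULT_POLICY

def tcpd_can_filter(pkt: Packet) -> bool:
    """tcpd only ever sees TCP connection attempts that the kernel reassembled
    and delivered to a wrapped service; everything else bypasses it entirely."""
    return pkt.proto == "tcp" and pkt.syn and not pkt.fragment

if __name__ == "__main__":
    samples = {   # constructed traffic, not captured
        "client -> DMZ web":          Packet("internet", "dmz", "tcp", 80, syn=True),
        "DMZ -> firewall ssh":        Packet("dmz", "firewall", "tcp", 22, syn=True),
        "DMZ -> private workstation": Packet("dmz", "private", "tcp", 139, syn=True),
        "DMZ phoning home":           Packet("dmz", "internet", "tcp", 6667, syn=True),
        "ICMP redirect from outside": Packet("internet", "firewall", "icmp", icmp_type=5),
    }
    for name, pkt in samples.items():
        print(f"{name:28} {evaluate(pkt):6} tcpd sees it: {tcpd_can_filter(pkt)}")
```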