[NCLUG] Network configuration

dobbster dobbster at frii.com
Wed Oct 25 22:30:52 MDT 2000


> Now here's my 2 cents worth. Others will probably give much better
> advice :-)

Actually, I am very grateful - Your advice is excellent.  I am hoping to
hear more from others about it, too.

> Since you don't have a large pipe to the Internet I don't think it makes
> sense to build a web farm.  Why not use virtual sites on one server? Why
> not build a faster machine, which could host multiple domains, and
> spend way less on electricity?

We currently have two WWW servers.  We run virtual sites on one of our
servers, which is expensively colocated at what was Verinet.  The other
one is hosted through Verio; on that one, I'd like more control over the
server configuration and security.  They run an ancient version of
Apache on an ancient version of FreeBSD, and there seem to be lots of
security holes.  Yuck.  This setup is a result of the unexpected growth
of our company and the fact that I was relatively clueless when we
started out.

> Besides, how much web traffic can a 256K line handle? Remember that you
> really only have 13Kbps of bandwidth and will pay extra money to FRII
> for any average utilization that goes above that.  So now you're talking
> about electricity, pain and hassle of multiple machines, ISP charges and
> extra bandwidth utilization charges.  If you've got a bunch of domains
> to web host, you might be better off going with a web hosting service
> or colocation deal. On the other hand, it might just be a fun thing
> to do! It all depends on what your goal is.

The "Fun" part definitely plays a role. :-)  I'd also like to make use
of all of these old pentiums stacked up in my living room.  However, I
see your point.  I have no clue how much bandwidth our servers currently
use.  Is there a simple traffic analysis tool I could use?

I get some info from analog on our colocated server, but the apache
logfiles at Verio are next to useless.

Again, one of my main goals is to get away from colocation and web
hosting services, assuming DSL can handle it.  I wish I could justify a
T1 into my house!

> The "how-to's" on firewalls and ipchains are pretty helpful.  Learn as
> much as you can!
> 
> I think I would put publicly accessible web servers on their own LAN
> (i.e. a DMZ) and not on the same side of the firewall as my private stuff.

Physical limitations might make that impossible, unless I keep the
servers in my living area.  Could I instead put everything behind the
firewall and just open up port 80?

> Make sure you have the latest DNS and don't run NFS or NIS on your
> firewall or other publicly accessible machines. You might think about
> using qmail or postfix instead of sendmail so you won't be caught by
> the next security hole that's found :-)  Be careful with ftp too.
> NIS gives me the willies.

Ok.  My main inclination for sendmail is that I am more familiar with
it.  NIS is more of a luxury, and I probably don't need it.  I don't
plan to use anonymous FTP.  

> A stock, non-firewalled, Redhat system is likely to be cracked within days
> of being connected to the Internet.
> 
> With a little effort and time spent learning, you can set up
> a good firewall and be pretty safe.

So far, I've been using Mandrake 6.x/7.x.  I use the stock "secure"
kernel, and I have the services protected by
tcpd/hosts.allow/hosts.deny.  I use ssh, and I also have some tools
(aide/hostsentry/portsentry) running, and it seems that they haven't
cracked my colocated server yet...  It's been up about six months.  Do
you think this is good enough for a non-firewalled server?

Thank you very much for your help...  Like I said, I seem to be alone in
the sysadmin world, and every bit of advice is invaluable.
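The message above asks for a simple way to find out how much bandwidth the web servers actually use, against a link whose billed average rate is 13 Kbps. The following is an added example, not part of the original message or of any tool it names: a small Python script that parses Apache access-log lines in Common Log Format (the default format of the Apache the thread discusses), sums the bytes served per hour, converts that to an average kilobits per second, and flags hours that exceed a link rate you pass in. The log lines embedded in it are constructed for the example, not real traffic; the Common Log Format layout and the 3600-second averaging window are assumptions of the script.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in Apache Common Log Format (not real traffic).
# The last line is deliberately malformed to show that junk is skipped, not fatal.
SAMPLE_LOG = """\
10.0.0.5 - - [25/Oct/2000:22:00:01 -0600] "GET /index.html HTTP/1.0" 200 2048
10.0.0.6 - - [25/Oct/2000:22:00:30 -0600] "GET /images/logo.gif HTTP/1.0" 200 14336
10.0.0.5 - - [25/Oct/2000:22:59:59 -0600] "GET /missing.html HTTP/1.0" 404 -
10.0.0.7 - - [25/Oct/2000:23:15:10 -0600] "GET /big.tar.gz HTTP/1.0" 200 1048576
garbage line that does not parse
"""

# Common Log Format: host ident authuser [timestamp] "request" status bytes
# A "-" in the bytes field means no body was sent (e.g. a 404 with no content).
CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)$'
)


def parse_line(line):
    """Return (timestamp, bytes_sent) for one CLF line, or None if it does not parse."""
    m = CLF_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    size = 0 if m.group("bytes") == "-" else int(m.group("bytes"))
    return ts, size


def bytes_per_hour(log_text):
    """Sum bytes served in each clock hour; also count lines that could not be parsed."""
    totals = defaultdict(int)
    skipped = 0
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            skipped += 1
            continue
        ts, size = parsed
        totals[ts.strftime("%Y-%m-%d %H:00")] += size
    return dict(totals), skipped


def average_kbps(total_bytes, seconds):
    """Average rate in kilobits per second over a window of the given length."""
    return total_bytes * 8 / seconds / 1000


def utilization_report(log_text, link_kbps):
    """Per-hour bytes, average kbps, and whether the hour exceeded the link rate."""
    totals, skipped = bytes_per_hour(log_text)
    report = {}
    for hour, b in sorted(totals.items()):
        kbps = average_kbps(b, 3600)
        report[hour] = {
            "bytes": b,
            "kbps": round(kbps, 3),
            "over_limit": kbps > link_kbps,
        }
    return report, skipped


if __name__ == "__main__":
    # 13 kbps is the billed average rate quoted in the thread.
    report, skipped = utilization_report(SAMPLE_LOG, link_kbps=13)
    for hour, row in report.items():
        flag = "OVER" if row["over_limit"] else "ok"
        print(f"{hour}  {row['bytes']:>10} bytes  {row['kbps']:>8} kbps  {flag}")
    print(f"skipped {skipped} unparseable line(s)")
```

Run it against a real access log with `utilization_report(open("access_log").read(), 13)`; hourly averages hide short bursts, so if the ISP bills on a finer interval, shrink the window in `average_kbps` accordingly. Only bytes in the response body are counted, so the figure is a lower bound on what the line actually carries.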


