Red Hat General - Newbie Question about setting up a server


Author Newbie Question about setting up a server
David

2004-04-06, 1:36 pm

I've messed around with Redhat Linux before and have a question about
setting up a server. Can I set up a web/ftp/email server and also use the
same box to route packets to a private network? If I can, are there any
internet sites with this information? links would be helpful.

I'm more of a programmer than a systems administrator.

Thanks in advance
David


Alexander Dalloz

2004-04-06, 2:34 pm

On Tue, 06 Apr 2004 17:24:39 +0000 David wrote:

> I've messed around with Redhat Linux before and have a question about
> setting up a server. Can I set up a web/ftp/email server and also use the
> same box to route packets to a private network? If I can, are there any
> internet sites with this information? links would be helpful.


Sure, it is possible. If it is a good practice is a different question.
For router/firewall/portforwarding/NAT questions see www.netfilter.org.

> I'm more of a programmer than a systems administrator.
>
> Thanks in advance
> David


Alexander


--
Alexander Dalloz | Enger, Germany
PGP key valid: made 13.07.1999
PGP fingerprint: 2307 88FD 2D41 038E 7416 14CD E197 6E88 ED69 5653

David

2004-04-06, 3:37 pm

That's a great resource. Thanks.

But why wouldn't it be a good idea? I have no clue as to why.

David


"Alexander Dalloz" <alexander.dalloz@uni-bielefeld.de> wrote in message
news:pan.2004.04.06.18.30.59.948041@uni-bielefeld.de...
> On Tue, 06 Apr 2004 17:24:39 +0000 David wrote:
>
>
> Sure, it is possible. If it is a good practice is a different question.
> For router/firewall/portforwarding/NAT questions see www.netfilter.org.
>
>
> Alexander
>
>
> --
> Alexander Dalloz | Enger, Germany
> PGP key valid: made 13.07.1999
> PGP fingerprint: 2307 88FD 2D41 038E 7416 14CD E197 6E88 ED69 5653
>



rfi@usa.com

2004-04-06, 4:40 pm

The reason is most services are seen as insecure to one extent or
another. You need to weigh security against services. For the
highest degree of security, your servers are outside of your private
network. They are often referred to as sacrificial, as in if someone
compromises them, they still have not penetrated your inside network.

Typically you use ssh to connect to the boxes on the outside providing
services from the inside, never the other way around, so there is no
way to get from the outside to the inside by knocking over the box on
the outside.

As far as services go, it is quite arguable as to what is insecure and
what is secure if you want your firewall to also provide outside
services.

For me....
In the order of distrust...

I would not run an ftp server and if I really had to, I would run
proftpd.

Sometimes I wonder if email is worth it. The S/N ratio is so low, but
I do run Sendmail. In its full metal paranoid mode.

I like my dorky web pages, and I trust apache - without a ton of
modules and serving only static web pages.

I let ssh in, and keep it patched and only use key based
authentication.

I let ntp in.

I keep everything patched, and I keep an eye on the logs.

I also use proxies and not nat. nat creeps me out too much.

Look at any given service and ask, where would it likely leak. This
logic makes me paranoid about a lot of things, but I have often been
proven right to be paranoid.

On Tue, 06 Apr 2004 18:48:05 GMT, "David" <whitewater33@earthlink.net>
wrote:

>That's a great resource. Thanks.
>
>But why wouldn't it be a good idea? I have no clue as to why.
>
>David
>
>
>"Alexander Dalloz" <alexander.dalloz@uni-bielefeld.de> wrote in message
>news:pan.2004.04.06.18.30.59.948041@uni-bielefeld.de...
>
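
The one-way rule in the post above (connections are opened from the inside toward the outside, never the reverse) can be checked against a gateway's `iptables-save` output. This is an added example, not part of the original thread; the interface names eth0 (outside) and eth1 (inside), the sample ruleset and the function names are assumptions.

```python
import shlex

# Constructed iptables-save excerpt; eth0 = outside, eth1 = inside (assumed names).
SAMPLE_RULES = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p tcp -m tcp --dport 445 -j ACCEPT
COMMIT
"""

def parse_rule(line):
    """Extract interfaces, target and state list from one '-A CHAIN ...' line."""
    tok = shlex.split(line)
    rule = {}
    for i, t in enumerate(tok[:-1]):
        if t in ("-i", "-o", "-j", "--state", "--ctstate"):
            neg = "!" if i > 0 and tok[i - 1] == "!" else ""
            rule[t.lstrip("-")] = neg + tok[i + 1]
    return rule

def iface_matches(spec, iface):
    """No -i/-o option matches every interface; '!eth1' matches all but eth1."""
    if spec is None:
        return True
    return spec[1:] != iface if spec.startswith("!") else spec == iface

def outside_to_inside_violations(ruleset, outside, inside):
    """Return FORWARD lines that let the outside open NEW connections inward."""
    bad = []
    for line in ruleset.splitlines():
        if line.startswith(":FORWARD ACCEPT"):
            bad.append(line)  # default-accept policy forwards everything
        if not line.startswith("-A FORWARD "):
            continue
        r = parse_rule(line)
        if r.get("j") != "ACCEPT":
            continue
        if not (iface_matches(r.get("i"), outside) and iface_matches(r.get("o"), inside)):
            continue
        # Without a state match the rule accepts every state, NEW included.
        states = (r.get("state") or r.get("ctstate") or "NEW").split(",")
        if "NEW" in states:
            bad.append(line)
    return bad
```

Negated state matches and wildcard interfaces such as `eth+` are not handled and need a manual look.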


m.marien

2004-04-06, 7:34 pm


<rfi@usa.com> wrote in message
news:80d062eb0cfdceef3e9648b8e51436b0@news.teranews.com...
> The reason is most services are seen as insecure to one extent or
> another. You need to weigh security against services. For the
> highest degree of security, your servers are outside of your private
> network. They are often referred to as sacrificial, as in if someone
> compromises them, they still have not penetrated your inside network.
>
> Typically you use ssh to connect to the boxes on the outside providing
> services from the inside, never the other way around, so there is no
> way to get from the outside to the inside by knocking over the box on
> the outside.
>
> As far as services go, it is quite arguable as to what is insecure and
> what is secure if you want your firewall to also provide outside
> services.
>
> For me....
> In the order of distrust...
>
> I would not run an ftp server and if I really had to, I would run
> proftpd.
>
> Sometimes I wonder if email is worth it. The S/N ratio is so low, but
> I do run Sendmail. In its full metal paranoid mode.
>
> I like my dorky web pages, and I trust apache - without a ton of
> modules and serving only static web pages.
>
> I let ssh in, and keep it patched and only use key based
> authentication.
>
> I let ntp in.
>
> I keep everything patched, and I keep an eye on the logs.
>
> I also use proxies and not nat. nat creeps me out too much.
>
> Look at any given service and ask, where would it likely leak. This
> logic makes me paranoid about a lot of things, but I have often been
> proven right to be paranoid.
>


That's a lot more paranoid than I am. I run a few servers inside, outside
and on the wall. I think it all depends on what you have to protect. If
you're just doing it for the fun of it, then what the heck, put it on the
wall and use it as your gateway. I have a Linux box that serves email, name
services and some others to the outside and all that plus smb to the inside.

The good advice is to keep your eye on it. If you do get an intrusion or
something funny in the logs, it just gives you something to do - right.
Otherwise what are computers for? Work - bah!

> On Tue, 06 Apr 2004 18:48:05 GMT, "David" <whitewater33@earthlink.net>
> wrote:
>
>



David

2004-04-06, 8:38 pm

Well, I'm not really worried about that stuff. I know services can be
insecure, but if I keep backups of my system, I should be OK. Plus, I'm not
going to publicize my site too much...I just want my own server that I can
put my PHP, PERL programming on. I have a limited income, and can only
afford one IP address.

Thanks for the responses! I really appreciate it.

David (whitewater_3@hotmail.com)

<rfi@usa.com> wrote in message
news:80d062eb0cfdceef3e9648b8e51436b0@news.teranews.com...
> The reason is most services are seen as insecure to one extent or
> another. You need to weigh security against services. For the
> highest degree of security, your servers are outside of your private
> network. They are often referred to as sacrificial, as in if someone
> compromises them, they still have not penetrated your inside network.
>
> Typically you use ssh to connect to the boxes on the outside providing
> services from the inside, never the other way around, so there is no
> way to get from the outside to the inside by knocking over the box on
> the outside.
>
> As far as services go, it is quite arguable as to what is insecure and
> what is secure if you want your firewall to also provide outside
> services.
>
> For me....
> In the order of distrust...
>
> I would not run an ftp server and if I really had to, I would run
> proftpd.
>
> Sometimes I wonder if email is worth it. The S/N ratio is so low, but
> I do run Sendmail. In its full metal paranoid mode.
>
> I like my dorky web pages, and I trust apache - without a ton of
> modules and serving only static web pages.
>
> I let ssh in, and keep it patched and only use key based
> authentication.
>
> I let ntp in.
>
> I keep everything patched, and I keep an eye on the logs.
>
> I also use proxies and not nat. nat creeps me out too much.
>
> Look at any given service and ask, where would it likely leak. This
> logic makes me paranoid about a lot of things, but I have often been
> proven right to be paranoid.
>
> On Tue, 06 Apr 2004 18:48:05 GMT, "David" <whitewater33@earthlink.net>
> wrote:
>
>


