multipass n00b
Joined: 09 Apr 2008 Posts: 11
Posted: Wed Apr 09, 2008 7:09 pm Post subject: network design questions
Hello, I'm currently building a network for me and some of my friends using some Gentoo boxes, and I have several questions.
Basically I will be using it to host their websites and whatnot.
Now I have 2 really good servers and a really crappy one (the two good ones are dual core Opteron 1Us) and the crappy one is a dual processor 800MHz (x86).
One of the really good servers is already set up and running (I used a Xen FAQ and was able to set up a mail server, spam/virus check relay, secure-mail login (IMAP), database, DNS server I still have to set up, file (stores the virtual mail accounts), and webserver).
So far they are not yet secured (no firewall) and run bridged with a domU. The server itself is now officially running out of memory and is maxed (I don't think I could possibly add anything more to it, and each Xen only has 128MB max dedicated).
I have a DSL connection.
What I was thinking of doing was running on the second really good Opteron server a virtualized firewall, either within VMware or inside of a domU, as it has Xen on it right now.
Now I still have to buy new network cards and Cat 6 cables for everything (as the ones I'm using now are really old and pretty much broken).
But what should I consider?
Is it safe to use something like LDAP or NIS for all the admin user accounts on the mail servers (I will only need admin really)? And on the dom0 that is bridged to the server running all the Xen boxes, can I put in a proxy? A packet sniffing firewall? Some type of scanner for virus or intrusion prevention (Snort), etc. etc.?
The last x86 I will need for LAN to use as a desktop computer; it's more than sufficient, and I have a switch also for LAN computers (I have another laptop). I have never done this and don't know too much about LAN/DMZ type settings. What would be the best route to go about this with low TCO but moderate security settings?
Thank you
gerdesj l33t
Joined: 29 Sep 2005 Posts: 622 Location: Yeovil, Somerset, UK
Posted: Wed Apr 09, 2008 11:18 pm
You have posted a bit of a nightmare set of questions. What would you like help with exactly?
For example:
>> Is it safe to use something like LDAP or NIS for all the admin user accounts on the mail servers (I will only need admin really)? And on the dom0 that is bridged to the server running all the Xen boxes, can I put in a proxy? A packet sniffing firewall? Some type of scanner for virus or intrusion prevention (Snort), etc. etc.?
LDAP and NIS are both fine for authentication. You can put a proxy wherever you like. You can wedge in scanners anywhere you like.
Please have another go at posting (I notice this is your first) but this time confine the query to specifics. That way we can help you.
I don't want to put you off asking for help in any way, but your post was a bit of a disastrous start.
Cheers
Jon
multipass n00b
Joined: 09 Apr 2008 Posts: 11
Posted: Wed Apr 09, 2008 11:33 pm
gerdesj wrote:
> You have posted a bit of a nightmare set of questions. What would you like help with exactly?
> I don't want to put you off asking for help in any way, but your post was a bit of a disastrous start.
> Cheers
> Jon

Terribly sorry, I'm not the brightest person when it comes to expressing myself, but very good at following directions and making use of the instructions in front of me (that's why I was able to get Gentoo up, and use the FAQ (for Debian) and change it over to Gentoo).
I guess my questions, if split up, would be:
What do I do next with this setup before putting this system on the internet?
What should I look out for when doing it, and procedure-wise what would be a good way of handling all these virtual boxes?
As far as a multi-user system goes (virtual mail hosting and virtual web hosting (Postfix Admin)), what should I do to make life simpler for me and my friends?
Security-wise, am I sitting good in how I designed the system?
What are some open source applications I could emerge that would allow easier notification of logs?
I read on the forums that DMZ and LAN should never have a direct route to each other. How should I go about this (for example (VMware firewall) -> (VMware network gateway) -> (separate server running DMZ))?
My dom0s currently do not have a connection into them (because they are set up as bridges). What should I do in order to have access into them?
I don't want to have to create an admin account on each computer. Is there a way to simplify this so the account is spread to all of them? (That was my LDAP question.) Right now every system only has root.
Hardening techniques I was thinking of doing were iptables managed by Shorewall, following the Gentoo security handbook, inside the domUs using a PaX supported kernel with SELinux support, Privoxy on the dom0 (which now runs as a bridge), throw in Snort and any others I can like ClamAV. But if it's a bridge, how will I not only connect but administrate the box remotely?
And a follow-up on that: how would I get the logs into a place where I can see them? If I put intrusion prevention on the dom0, how would I send it over to some other place to be viewed? (Local mail isn't an option.)
Anything that I may have missed. And the first question is the biggest: what should I really be working on next and focusing on?
Oh, and the biggest question, the one that is baffling me: since this mail server is set up and it does work (I tested it with SquirrelMail), how would I add in mail support for ALL the servers, not just the mail servers (for example to send mail messages from my SQL server or web server)? This one is getting me thinking. Is there some type of relay I could set up somehow so that all mail on it to root or postmaster would be sent to my virtual admin account on the mail server?
gerdesj l33t
Joined: 29 Sep 2005 Posts: 622 Location: Yeovil, Somerset, UK
Posted: Thu Apr 10, 2008 9:06 am
I would suggest that you run your "crappy" box as a router and firewall only, probably using the SELinux profile (see the standard Gentoo docs on this).
Give it three NICs (Interweb, DMZ, LAN) and use FWBuilder, Shorewall or something to configure it as such.
You create specific rules for specific access to things. E.g. run Squid as a web proxy on a box in your DMZ and allow clients on the LAN to access that on port 3128 only. You then allow the Squid box to the internet for only the ports that it needs. On that box with Squid, you could also put bind, ntpd, a mailer daemon and other services, again with specific rules for access. Also look into Snort and BASE for NIDS.
Finally, once you are up and running, you allow access from the Interweb to your web sites.
The above is a lot of work and may be a bit excessive for your requirements. On the other hand it's a damn good learning exercise and will keep you noodling for some time.
However you do it, the golden rule of firewalls is a default deny rule at the end. It's all too easy to put in an accept to get it working with the intention to sort it out later.
Logwatch is what you need for log notifications - many bits of Gentoo are already geared up for it. I was rather pleasantly surprised when it got installed as a dependency for something and all of a sudden I got a daily email from one of my systems telling me what it found in its logs. The rest of them have it now.
On the accounts side, an LDAP system would be a good idea, but you will still need a root account on each box.
I've got to leg it now but I'll post back on mail.
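The three-zone layout gerdesj describes above (LAN reaching only the Squid proxy on 3128, the DMZ box allowed out only on the ports its services need, a default deny at the end, and the web site published last), written out in Shorewall's own config files. This is an added example, not from the thread or the Shorewall project; the interface names, the 192.168.x addresses and which host carries Squid and the web server are assumptions.

```text
# /etc/shorewall/zones   (assumed layout; NICs and addresses are made up)
#ZONE   TYPE
fw      firewall
net     ipv4
dmz     ipv4
loc     ipv4

# /etc/shorewall/interfaces
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      tcpflags,nosmurfs,routefilter
dmz     eth1        detect      tcpflags
loc     eth2        detect      tcpflags

# /etc/shorewall/masq  -- NAT the private ranges out of the DSL-facing NIC
#INTERFACE  SOURCE
eth0        192.168.0.0/16

# /etc/shorewall/policy  -- read top-down; the last line is the golden rule
#SOURCE DEST    POLICY  LOG
fw      all     ACCEPT
all     all     DROP    info

# /etc/shorewall/rules  -- only what is listed here gets past the DROP policy
#ACTION SOURCE              DEST                PROTO   DEST PORT(S)
# LAN clients may reach the Squid box on 3128 and nothing else in the DMZ
ACCEPT  loc                 dmz:192.168.2.10    tcp     3128
# The Squid/bind/ntpd box goes out only on the ports those services need
ACCEPT  dmz:192.168.2.10    net                 tcp     80,443
ACCEPT  dmz:192.168.2.10    net                 udp     53,123
ACCEPT  dmz:192.168.2.10    net                 tcp     53
# Admin SSH from the LAN into the DMZ hosts
ACCEPT  loc                 dmz                 tcp     22
# Last step, once everything else works: publish the web server
DNAT    net                 dmz:192.168.2.20    tcp     80
```

Because the catch-all DROP logs at info, anything the LAN tries against the DMZ other than 3128 and 22 lands in syslog, which is exactly the kind of entry the Logwatch report mentioned above will surface.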
multipass n00b
Joined: 09 Apr 2008 Posts: 11
Posted: Sun Apr 20, 2008 12:30 am
Hello, thanks for the reply. I'm just wondering why would I run bind and Squid on the same server?
Wouldn't it be much more secure to simply run those separate?
And also I still have yet to figure out myself what I should do with sending the mail from those servers. I found a good Gentoo howto on setting up a mail relay, and I'm thinking about setting up an LDAP server (scared because I never have before) and also using authentication to send mail from those into my mail server admin account.
I can't seem to find any better of a way to do it than that.
Erulabs n00b
Joined: 08 Mar 2006 Posts: 48 Location: erulabs.com
Posted: Sun Apr 20, 2008 12:55 am
If you're using stable packages (you should be), BIND and Squid are nearly bullet proof.
Also, if you're running one box as a DNS server and a mail server, why not just give all the other domains MX records for mail?
Maybe I'm missing something.
_________________
No more things should be presumed to exist than are absolutely necessary. Or really cool.
multipass n00b
Joined: 09 Apr 2008 Posts: 11
Posted: Sun Apr 20, 2008 2:34 am
Erulabs wrote:
> If you're using stable packages (you should be), BIND and Squid are nearly bullet proof.
> Also, if you're running one box as a DNS server and a mail server, why not just give all the other domains MX records for mail?
> Maybe I'm missing something.

No, sorry, I dunno, maybe I mucked that up, but everything is separated by use of Xen (bind and MX server are different servers).
What do you mean give them MX records? For sending the mail off each one into a unified place (I was thinking virtual admin email account)?
Like for example I can use bind to give them each a hostname that the other can ping (mx.example.com, web.example.com, securemail.example.com etc. etc.), give each an MX record, then on each box make it a relay and send mail via LMTP into the MX server to an admin account where I can view them (using LogSentry)?