I NEED SOME ADVICE...

linuxtricks · Jun 19, 2000

I am looking to set up the following servers from my home: ----------------------- Firewall Internal DHCP Server Gateway Internal DNS Server External DNS Server Web Server (running Apache,MySQL,PHP4) qmail E-Mail Server Secure FTP Server (using ssh2) and Quake 3 Game Server ------------------------ I currently have 2 machines to split the server up on: 400Mhz Celeron, 256Megs Ram, 10Gig HD 233Mhz Pentium, 128Megs Ram, 2Gig HD. I would like to use OpenBSD for the Firewall, etc., and Redhat Linux 6.2 for the Web, Quake 3, etc. servers. Would anyone have any helpful (experienced) advice as to how I can break the services up between the two machines?  And, more or less, which machine would be best to use with what particular service? I am just a bit confused as to what direction I should persue. Thanks in advance for any help! <a href=mailto: > </a> <a href= > </a> try not! 
do... or do not. there is no try!

AndyBo · Jun 19, 2000

I'd say put the internal DNS, internal DHCP, and Q3 game server on the "internal" RH6.1 box.  Put everything else on the outward facing OpenBSD box.  This way, the common targets for abuse are on the internet facing firewall box.  If any vandals run a DOS attack on a box, it will be the one running WWW, FTP, etc.  If the box goes down, you lose your net connection, but keep your internal "mission critical" stuff safe and sound. As you want to run a Q3 server, use the 400Mhz/10Gb disk box for the internal box, as I'm guessing Q3 will eat up those CPU cycles...  Also, don't run any network servers such as web, FTP, telnet, email, etc on the internal box.  That way, if the "firewall" box is compromised by a cracker, you haven't got anything they can attack on your internal box. You should think about copying essential configuration files from the external box to the internal box for backup purposes.  Use something like Tripwire to get checksums of these files and save the checksums to a secure medium.  (CD-R, floppy disk, anything you can take out of the box and keep somewhere safe.) Hope this helps. <a href=mailto: > </a> <a href= > </a> -- 
0 1 - Just my two bits

AndyBo · Jun 19, 2000

Oops - I forgot to mention performance...  The 233 box, as it stands, should be able to handle all the various network services that it will be running.  If you start running into performance issues, see where the bottleneck is and upgrade it.  Memory may be the first casualty, with your network interface (10Mb/100Mb/ISDN/something else) being next.  Unless you're expecting to receive several thousand web page hits, emails, or FTP request each day, you should be fine. <a href=mailto: > </a> <a href= > </a> -- 
0 1 - Just my two bits

linuxtricks · Jun 19, 2000

Thanks AndyBo. Are you saying that the following should run on the OpenBSD/233Mhz machine with no problem? 1. Firewall 2. DNS Server 3. Web Server (apache,mySQL,php4,etc.) 4. qmail Server 5. FTP Server And, I should be able to patch holes in the Firewall to get to the 400Mhz Redhat Linux 6.2 machine located on my 192.168.0.1 LAN to run the following? 1. Q3 Server 2. DHCP Server Currently, all of the above is now running on the 400Mhz machine.  I have a spare 233Mhz machine that I'd like install OpenBSD on because I heard its the most secure OS in the universe.  I'm sure it can be a good replacement Firewall compared to the minimally configured scripts I use now. I am familiar with building the DNS and WEB Servers from scratch on the LINUX machine... but never attempted to install/configure it on OpenBSD.  Is there a difference? Am I getting closer to actually figuring out what the heck is going on yet?  =) Thanks for the help.  I really appreciate it! <a href=mailto: > </a> <a href= > </a> try not! 
do... or do not. there is no try!

AndyBo · Jun 20, 2000

Yep - I think the 233 machine should be able to handle the services listed without any problems.  However, it does, of course, all depend upon how much each service is going to be accessed.  For example, if you are expecting thousands of accesses a day to the FTP server, you should be looking at a bigger box. Just one thing - make sure X isn't running on the OpenBSD box.  X can eat system resources that are needed elsewhere. As to OpenBSD being the most secure...  Well, any box is only secure as you can make it.  I've not got much experience with any of the BSD (Open, Net, or Free), so I can't really comment too much on that.  However, I have heard similar things about the security of *BSD releases.  I think it's related to an exercise that the maintainers carried out a few years ago to go through the kernel code line by line to identify potential problem areas.  ie, parts of the kernel that might be subjected to buffer overflows, for example. As far as building the binaries from source on OpenBSD goes, there should be little difference.  At the end of the day, OpenBSD is, after all, just another version of Unix. When you're setting up the firewall side of things, you might want to take a look at Mason (<A HREF="

http://users.dhp.com/~whisper/mason/"

TARGET="_new">

http://users.dhp.com/~whisper/mason/</A>).  What

you do with Mason is install it onto the box you want to run the firewall on, and run it.  You then connect to the server network services you want to run on the firewall box.  When you've finished, you stop Mason and it generates a set of firewall rules for you.  Obviously, you still need to go over the rules manually to make sure they are OK, but it's a big help when setting up your firewall. Just one question - why do you want to run a DHCP server?  For two machines, one of which (the DHCP server) will have to have a static IP anyway, it doesn't seem to be worth the effort of setting it up and maintaining it... Anyway, glad to be of help

<a href=mailto: > </a> <a href= > </a> -- 
0 1 - Just my two bits

linuxtricks · Jun 20, 2000

AndyBo: The DHCP server helps me a great deal. Besides the (2)server machines, I have 3 more client machines.  (2) that I use, and (1) my girlfriend uses.  I find it a lot easier to configure (1) machine to hand out information... than to reconfigure all machines on my network each time I peform upgrades to the OS (or whatever type of system reconfiguration that goes on behind closed doors). Not only that... but an average of 5 to 6 friends bring their machines over for the Friday - Poker night (which now-a-days means... Quake 3 Lan party)... so it helps to have my network act as *plug and play* for all. ------------------------------------------- So... as you can probably tell... my little home network connected on cable... is pretty important to me. Thats why I want to have it protected as secure as possible... without limiting access to the external world.  OpenBSD has great functionality for this.  While I want to be invisible to the external world... I want my users to have carte blanc access out. Thanks. <a href=mailto: > </a> <a href= > </a> try not! 
do... or do not. there is no try!

AndyBo · Jun 20, 2000

Ah - OK - that makes sense, now, and it was kind of what I suspected when you said you wanted to set up a Q3 server. In that case, everything detailed above should be OK.  If the 233 box starts to groan a little under the strain, then you might want to move things onto the 400 box.  Email first, then www, then DNS (making sure you set up ACL entries for DNS), until the 233 box starts to cope a little better. Good luck with everything!

<a href=mailto: > </a> <a href= > </a> -- 
0 1 - Just my two bits

fenris · Jun 20, 2000

AndyBo, I have a guick question for you concerning the above recomendation, wouldn't he be able to move some of the services to the "big" box and just disable them while Q3 is running? I am assuming that the Q3 will not be running all the time. I am not sure how the email is setup, but could it be turned off for a few hours, then when it is turned back on, wouldn't it go and retrieve the waiting mail? fenris <a href=mailto:fenris@hotmail.com>fenris@hotmail.com</a> <a href= > </a> I am interested in Mining Software, as well as Genetic Algorithms.

AndyBo · Jun 21, 2000

Yep.  That would definitely be possible.  However, I was thinking from a security angle.  The services that are likely to be attacked will be on the exposed Internet facing server.  If anything nasty happens, then it will (hopefully) happen on the smaller server, leaving the internal boxes still secure.  (Assuming that the firewall is set up correctly, and the nastiness on the internet server doesn't include the phrase "root account compromised"...) What I was thinking was that the less ports that were open to the internal network, the better.  ie, could you really trust the fact that you had FTP ports 20 and 21 leading in to your internal network?  What happens when someone discovers yet another buffer overflow root compromise in the FTP server?  Your internal network could be left wide open...  If you keep exposure to the outside world to a minimum, there's less things to go wrong. So, with the servers set up as above, the "mission critical" apps will be secure behind the firewall.  The network services will be running on a more exposed server that, if it goes down in a denial of service attack, won't leave the internal servers open to abuse. Hope this explains my thinking a little

<a href=mailto: > </a> <a href= > </a> -- 
0 1 - Just my two bits

fenris · Jun 21, 2000

Thanks for the info, it will certainly make me think about what is important when I set my system up onto the internet. fenris <a href=mailto:fenris@hotmail.com>fenris@hotmail.com</a> <a href= > </a>

Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

I NEED SOME ADVICE...

linuxtricks

IS-IT--Management

AndyBo

MIS

AndyBo

MIS

linuxtricks

IS-IT--Management

AndyBo

MIS

linuxtricks

IS-IT--Management

AndyBo

MIS

fenris

Programmer

AndyBo

MIS

fenris

Programmer

Similar threads

Part and Inventory Search

Sponsor