
linux server 1

Status
Not open for further replies.

MMacun

Technical User
May 4, 2005
85
EU
Is this a problem if I run a Linux box as a gateway, DHCP server, firewall, Samba server, and a web and mail server all in one?
I run iptables.
eth1 - DSL cable.
eth2 - cable to switch.
Behind a switch I have 15 PCs.

Or should I buy a Cisco router and put it into a DMZ?
 
Or should I buy a Cisco router and put it into a DMZ?

You should... if this server will be seen from the Internet, I would not make my mail server, DHCP and Samba available to the hackers.

DMZ, the rest behind a firewall.

Cheers.
 
But if I have Samba and mail installed on the firewall box, is this an issue?
Is it possible to make a DMZ with a Linux box firewall?
 
Then I must buy another machine for www.
And a good router, 800 USD.
UFF
 
But if I have Samba and mail installed on the firewall box, is this an issue?

Not really, just be careful.

Is it possible to make a DMZ with a Linux box firewall?

Never tried it, but I guess no (I can be wrong anyway).

Then I must buy another machine for www.
And a good router, 800 USD.


Good router: US$800.-
Good mail/dhcp/samba server: US$1.000.-
Good PC for firewall: US$500.-
Good PC for www: US$800.-
A hacker breaking down all your servers, deleting your mail, stealing information, getting all passwords, stealing credit card numbers, sending spam to other domains: US$priceless.-




 
If you do want to run a server with multiple NICs and multiple services, make sure you bind the ports correctly. (As an example, bind only services that are required to have external access on your public NIC - in your case eth1.)

If you are wondering how to tell what services are listening, use nmap:

Code:
nmap -sS <ip>

will tell you what services are listening on the IP provided. Use that with your external ip address and it will tell you.

For example, default installs of samba listen on all devices... you could add two lines to smb.conf to bind samba only to your internal NIC:

Code:
interfaces = eth2
bind interfaces only = yes

Of course you would have to set this for all your services. Don't forget other services that might be enabled, like sshd; you might not want to have that open to the outside either. :)
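As an added example (not from any poster in this thread), a small POSIX shell check for the binding advice above: it parses a listing in the column layout of `ss -H -ltun` and reports sockets bound to the wildcard address that are not on the list of services meant to be public. The sample listing, the 192.168.1.1 address on eth2 and the public-port list are constructed assumptions.

```shell
#!/bin/sh
# Constructed sample in the column layout of `ss -H -ltun` (no header line):
# Netid State Recv-Q Send-Q Local:Port Peer:Port.  Assumption: eth2 (internal
# LAN side) carries 192.168.1.1; anything bound to 0.0.0.0 or [::] is also
# reachable on eth1 (DSL side) unless iptables blocks it.
SAMPLE_SS='tcp   LISTEN 0 50   0.0.0.0:139        0.0.0.0:*
tcp   LISTEN 0 50   0.0.0.0:445        0.0.0.0:*
tcp   LISTEN 0 128  0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0 511  0.0.0.0:80         0.0.0.0:*
tcp   LISTEN 0 100  192.168.1.1:25     0.0.0.0:*
tcp   LISTEN 0 128  [::]:22            [::]:*
udp   UNCONN 0 0    0.0.0.0:67         0.0.0.0:*'

# Ports this box is meant to publish on the external NIC (assumed: web and SMTP).
PUBLIC_PORTS="80 25"

# wildcard_listeners LISTING: print "proto port" for every listening/bound
# socket whose local address is the IPv4 or IPv6 wildcard.
wildcard_listeners() {
    printf '%s\n' "$1" | awk '
        ($2 == "LISTEN" || $2 == "UNCONN") &&
        ($5 ~ /^0\.0\.0\.0:/ || $5 ~ /^\[::\]:/) {
            port = $5; sub(/.*:/, "", port); print $1, port
        }'
}

# unexpected_public LISTING: wildcard binds that are not on the public list,
# i.e. services that still need an "interfaces = eth2"-style or listen-address
# setting so they never answer on the DSL side. Output is sorted and unique.
unexpected_public() {
    wildcard_listeners "$1" | while read -r proto port; do
        case " $PUBLIC_PORTS " in
            *" $port "*) ;;                 # intended to be public
            *) printf '%s %s\n' "$proto" "$port" ;;
        esac
    done | sort -u
}

# Run against the live host instead of the sample with:
#   unexpected_public "$(ss -H -ltun)"
unexpected_public "$SAMPLE_SS"
```

In the sample this flags Samba (139/445), sshd (22 on both address families) and dhcpd (67/udp), while the wildcard-bound Apache on 80 is accepted and the mail server is already bound to the internal address.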
 
jstreich: Yep, but why even bind services to external interfaces if it isn't needed? That's all I mentioned, considering that the firewall is going to be a part of this all-in-one server.
 
Now I have a Celeron 1.7GHz machine with two 60GB IDE RAID 1 disks and 256MB memory.
It runs:
-Apache
-samba
-mailserver
-iptables
-ftp server

Next week I will get a 3GHz Pentium 4 with 1GB memory and 2 SATA
200GB disks.

I will have two machines now to make something smart.
I was considering buying a Cisco 368 router
and putting the old server (www, mail, ftp) in the DMZ
and the new one as a file server behind the router.
But the new machine is too good for just a file server.

The second option I was considering was to leave the old server like it was, and just put the Samba server behind the firewall with the other PCs.

I must realize some kind of HA too.
What would you guys recommend me?
 
remember, that a hardware firewall is generally a better security solution.

I take a contradictory position to that statement. What makes a router's ssh any more secure than any other? I'd trust linux running openssh before I'd trust a closed source implementation.

Would you consider a Juniper M1 router to be a hardware solution? It runs BSD, and ours was hacked and had an IRC server running on it when we discovered it.

Would an F5 BigIP be a hardware solution? It also runs BSD.

Is a Linksys WRT54G a hardware solution? What if it's running OpenWRT, which is a linux kernel and IPTables.

More and more the distinction between hardware and software solutions is blurring and I think it does the community a disservice to perpetuate these little "axioms" which "everyone knows" but are, in fact, untrue.

 
- Free, simple to configure and manage and has DMZ support.

I'm beginning to sound like a broken record on this but if you have an old machine lying around that you aren't using then reconfiguring it to run Smoothwall is a superb investment.
 
I have heard good things about Smoothwall. Having a commercial version of their product lends credence to the idea that they have the funds and the inclination to keep on top of the latest patches and security notices.

It's good to remember that all of these Linux based firewall distributions are simply a collection of management tools for IPTables, Poptop and other features of linux that are in general release.

I've also heard good things about IPCop.
 
Also, you can build a DMZ using IPTables. I'd recommend having 3 interfaces: internal, external and DMZ, but it's not actually necessary. My home firewall passes some traffic to an internal machine, that machine could easily be considered a DMZ host, but not really.

Most SOHO routers allow the definition of a "DMZ host", but it's more of what I describe my setup as being than what security professionals would consider a DMZ.
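As an added example (not from any poster in this thread) of the three-interface DMZ described above, here is an iptables FORWARD policy as a shell function: eth1 external, eth2 internal, eth3 DMZ. The DMZ host address 192.168.2.10, the published ports and the interface names are assumptions; `IPT=echo` prints the rules instead of applying them.

```shell
#!/bin/sh
# Assumed layout (not from the thread): eth1 = DSL/Internet, eth2 = internal LAN,
# eth3 = DMZ segment holding the old www/mail/ftp box at 192.168.2.10.
# IPT is the command used to apply rules; set IPT=echo to dry-run and review
# the exact rule lines before touching a live firewall.
: "${IPT:=iptables}"
EXT=eth1; LAN=eth2; DMZ=eth3
DMZ_HOST=192.168.2.10
PUBLISHED_TCP="80 25"          # what the Internet may reach in the DMZ (assumed)

dmz_rules() {
    $IPT -P FORWARD DROP                    # default: no traffic crosses the box
    $IPT -F FORWARD
    $IPT -t nat -F PREROUTING
    $IPT -t nat -F POSTROUTING
    # Replies to flows allowed below may return on any pair of interfaces.
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # LAN may initiate toward the Internet and toward the DMZ.
    $IPT -A FORWARD -i $LAN -o $EXT -j ACCEPT
    $IPT -A FORWARD -i $LAN -o $DMZ -j ACCEPT
    # Internet may reach the DMZ host only on the published ports (DNAT + forward).
    for p in $PUBLISHED_TCP; do
        $IPT -t nat -A PREROUTING -i $EXT -p tcp --dport "$p" \
            -j DNAT --to-destination "$DMZ_HOST:$p"
        $IPT -A FORWARD -i $EXT -o $DMZ -p tcp -d "$DMZ_HOST" --dport "$p" \
            -m conntrack --ctstate NEW -j ACCEPT
    done
    # DMZ may deliver outbound (e.g. mail), but a DMZ host that gets compromised
    # must not be able to open anything toward the LAN: log, then the DROP policy.
    $IPT -A FORWARD -i $DMZ -o $EXT -j ACCEPT
    $IPT -A FORWARD -i $DMZ -o $LAN -m conntrack --ctstate NEW \
        -j LOG --log-prefix "DMZ->LAN blocked: "
    # Masquerade everything leaving on the DSL side.
    $IPT -t nat -A POSTROUTING -o $EXT -j MASQUERADE
}

# Preview: IPT=echo sh thisfile.sh   (as root, call dmz_rules to apply for real)
if [ "$IPT" = echo ]; then dmz_rules; fi
```

The point of the separate third interface is the one-way rule at the end: the DMZ box can answer the Internet and the LAN, but every new connection it tries to open into the LAN is logged and dropped.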
