[TriLUG] Server Maintenance

Magnus Hedemark chrish at trilug.org
Fri Aug 1 14:19:00 EDT 2003


On Fri, 2003-08-01 at 13:34, Hite, Danny wrote:

> This will fall in line with NetBackup below I hope. My reason for asking
> this was due to the fact that Server 1 is in a DMZ/SSN. I don't want to open
> anything (ports) from DMZ to internal if I can avoid it.

Actually you probably want to run NBU on the Linux box and do some
careful firewalling to make sure that only your master NBU box can
connect to it on that port.

> My initial thought was that the DMZ/SSN would isolate it enough, but Jon
> mentions:

That's a fatal flaw that many system administrators have,
unfortunately.  Most of the really damaging breakins that I'm aware of,
that were done maliciously and not by some script kiddy attacking machines
en masse, have been done by exploiting flaws in your interior network.

Most sysadmins harden the hell out of their firewalls, closing services
that shouldn't even be closed (like some types of ICMP), but leave their
interior network wide open.  One misplaced Wireless Access Point or
curious employee on the inside can do tremendous damage.

> How far should I take this in a DMZ/SSN part of my network with only 1 port
> being forwarded inbound?

Linux has a decent firewall service built in (iptables).  You'll
probably want to harden your servers so that only the permitted services
from the permitted source IPs are allowed in, etc.  Like harden both
sides of your NBU port so that each machine (client & server) can only
communicate with one another via NBU but no one else.

That's just one small example of what should be done on interior
networks (but usually isn't).

> Interesting, so Postfix is much more...what? Faster, Reliable, Ease of
> Setup, etc...???

All of the above.  Some may argue on the first two points, because
Sendmail *can* be fast if you know how to tune it and it *can* be
reliable.  Postfix is, hands down, much easier to set up.  The config
file reads like English and is liberally commented.  It's also very
modular and thus the failure of one component of the MTA doesn't crash
your whole MTA.  Though I can't say I've ever seen any of the components
failing.

Postfix is also one of the core components of what has been touted as an
open source "Exchange Killer".  Check out the Kroupware project for more
on that.

> Yes, we had deep pockets about 2 years ago, but now I am having to
> (Thankfully *grin*) consider open source solutions for future projects due
> to budget restrictions.

Better to tighten the purse strings than go under (been there, done
that).

What sort of work does your employer do?  There may be specific open
source software recommendations that can be made by folks here that
would apply to common needs in your industry.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 192 bytes
Desc: This is a digitally signed message part
URL: <http://www.trilug.org/pipermail/trilug/attachments/20030801/c4473f7a/attachment.pgp>
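The "harden both sides of your NBU port" advice above, written out as an added example that is not part of the original thread or of NetBackup itself. The script only generates iptables commands as text (it applies nothing), so the rule set can be reviewed before it is piped to a shell on each host. The function names, the IP addresses used in the usage line, and the idea of passing the NBU port as an argument are all assumptions for illustration; the real port comes from your own NBU configuration, and the client-side rules assume a separate rule already accepts ESTABLISHED traffic so replies get back out.

```shell
#!/bin/sh
# Added example: emit iptables rules that pin the NBU port to one peer on
# each side.  Nothing here touches the running firewall; the output is
# meant to be read, then run on the matching host.

# Rules for the NBU client (the Linux box in the DMZ): accept new
# connections to the NBU port only from the master server's address, then
# drop the same port from everyone else.  Order matters: ACCEPT first,
# DROP last, so the peer is exempted before the blanket drop.
nbu_client_rules() {
    master_ip="$1"
    nbu_port="$2"   # placeholder: take this from your NBU configuration
    printf 'iptables -A INPUT -p tcp -s %s --dport %s -m state --state NEW -j ACCEPT\n' \
        "$master_ip" "$nbu_port"
    printf 'iptables -A INPUT -p tcp --dport %s -j DROP\n' "$nbu_port"
}

# Rules for the NBU master: allow it to open the NBU port only toward the
# named client, and refuse that port toward any other destination.
nbu_master_rules() {
    client_ip="$1"
    nbu_port="$2"
    printf 'iptables -A OUTPUT -p tcp -d %s --dport %s -j ACCEPT\n' \
        "$client_ip" "$nbu_port"
    printf 'iptables -A OUTPUT -p tcp --dport %s -j DROP\n' "$nbu_port"
}

# Dispatch on role so one script serves both hosts:
#   nbu_rules_for client <master_ip> <port>
#   nbu_rules_for master <client_ip> <port>
nbu_rules_for() {
    role="$1"; peer_ip="$2"; nbu_port="$3"
    case "$role" in
        client) nbu_client_rules "$peer_ip" "$nbu_port" ;;
        master) nbu_master_rules "$peer_ip" "$nbu_port" ;;
        *) echo "unknown role: $role" >&2; return 1 ;;
    esac
}

# Sanity check on a generated rule set: the last rule must be the DROP and
# every ACCEPT must name the peer address, otherwise the port is still open
# to the world.  Returns 0 when the set passes.
nbu_rules_ok() {
    peer_ip="$1"
    rules="$2"
    printf '%s\n' "$rules" | tail -n 1 | grep -q -- '-j DROP' || return 1
    printf '%s\n' "$rules" | grep -- '-j ACCEPT' | grep -qv -- "$peer_ip" && return 1
    return 0
}

# Usage (only when run with arguments, e.g. on the DMZ client):
#   sh nbu_rules.sh client 192.0.2.10 <nbu_port>  | sh
# The addresses are constructed documentation-range values, not real hosts.
if [ "$#" -ge 3 ]; then
    nbu_rules_for "$1" "$2" "$3"
fi
```

Review the generated lines before applying them: on the client the DROP rule is deliberately port-specific so it does not interfere with whatever other services the DMZ host exposes, and the same review step catches a typo in the peer address before it locks the master out of its own backup client.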