[LUNI] Making a private network somewhat public.

Samir Faci sfaci at cs.uic.edu
Wed Dec 12 10:12:14 CST 2007


inline comments:

On 12/12/07, Richard Reina <gatorreina at gmail.com> wrote:
>
> I appreciate the responses.  To make sure I understand correctly:
>
> 1) If I replace my old SMC Barricade with a new router like a $50.00 Linksys
> I will hopefully gain a measure of security.  Is there a more expensive
> router that I can buy that will give me even greater security?


Sure.  You can buy a $500 Cisco PIX, and then spend another 6 months trying
to figure out how to freaking configure it.  (Actually, I'd say Cisco shines on
their higher-end product line more than their "small office" items.)  Your
Linksys should be more than enough for what you need.


> 2) If behind this router I connect one of the machines that is connected to
> the internet to my LAN via a second NIC card and merely use this machine as
> an SMTP gateway that only accesses the MySQL server to generate data to be
> sent via email, would this be the most secure way to provide the sort of
> limited access I need?


You need access to an SMTP server, you don't need to run one.  Your standard
ISP SMTP server would work fine.  If you want to run your own SMTP server, you
can.  This is a more complicated setup than I intended; you'd have to only
allow traffic from port 25 on the second NIC, and disallow forwarding (both
in sysctl.conf and via iptables rules).



> 3) I further understand that I would need to run iptables on this SMTP
> gateway machine and I should build it with a stripped-down OS.  Perhaps just
> the MySQL client and Perl DBI.  No X Windows, no ssh, nothing that is not
> absolutely necessary for the machine to complete its limited tasks.


Yes.  Actually, servers overall shouldn't have X; it's a waste of space and
resources, especially if the server doesn't use X (which 99.9999% of them
don't need for the services they provide).


> 4) Of the seven PCs on the Linux LAN some are very old, running distros as
> old as RH 7.2.  iptables is not running on any of them and some have FTP
> servers running so that new program files can be swapped about regularly.
> Is this a problem?  Does it significantly increase the network's risk?


They're not exposed to the net so it should be fine, but updating to a quasi-
recent distro wouldn't be a bad idea.  Fedora Core or CentOS if you want to
keep with Red Hat.  Running software that's over 4 years old makes me nervous.


> 5) If I want to go a step further, when I get it all set up I should hire
> someone to try and hack in to see just how secure my network is?  Is this a
> good idea?  If so, does anyone know where I could hire someone relatively
> skillful for a reasonable price for this assignment?



Uhmm.. you're buying a $50 Linksys from Best Buy.... any hacker worth his salt
should be able to get past it.  You're keeping script kiddies and bots out,
and the lame hax0r wannabes.  You'll be safe for what you're doing; I
wouldn't waste the money on it.  If you're THAT paranoid about this, just
hire a security firm, give them $5-10K and they'll secure the hell out of
it.  I wouldn't bother, but that's just me.



> Thanks so much for the help.  I really appreciate the responses; hopefully
> they can serve as a useful primer to basic Linux security for others as
> well.
>
> Richard
>
> On Dec 11, 2007 5:04 PM, Tom Printy <tprinty at mail.edisonave.net> wrote:
>
> > It is possible, but if you were to use some type of firewall then this
> > helps reduce the likelihood of that happening.  A $50.00 Linksys firewall
> > should offer you decent protection.
> >
> > -Tom
> >
> >
> > On Tue, 2007-12-11 at 16:19 -0600, Richard Reina wrote:
> > > If I allow one machine that is already connected to the internet (behind
> > > a router of course) to stay connected to my LAN, couldn't my LAN still be
> > > hacked through that machine (the one that is connected through the
> > > internet)?  Is this likely?
> > >
> > > On Dec 11, 2007 1:47 PM, Tom Printy <tprinty at mail.edisonave.net> wrote:
> > >
> > > > What about using another system that has internet access to generate
> > > > the report.  You can set up MySQL to only allow this system and the 7
> > > > others to access the DB.  The report system would hit the MySQL instance
> > > > and then be allowed to send out the email reports.  You should still
> > > > consider some type of hardware-based firewall or turning on an
> > > > iptables-based firewall on the box that will connect to the Internet.
> > > >
> > > >
> > > > On Tue, 2007-12-11 at 13:26 -0600, Richard Reina wrote:
> > > > > I have a small Linux LAN (7 PCs) that runs a homemade database
> > > > > application (Perl/MySQL).  They've had little if any reason to need to
> > > > > be connected to the internet and, due to my lack of prowess as a system
> > > > > admin and to the fact that any loss of data or interruption would be
> > > > > very disruptive, I have elected to keep it that way.  However, there
> > > > > is an increasing need for me to be able to send reports that are
> > > > > generated by the application via email -- without me having to go to
> > > > > another computer that is connected to the internet and retype the
> > > > > report.
> > > > >
> > > > > Can anyone give me some suggestions on the most secure way to allow
> > > > > access to sending emails and the level of risk associated with doing
> > > > > so.
> > > > >
> > > > > Thanks for any ideas.
> > > > >
> > > > > Richard
> > > >
> > > > --
> > > > Linux Users Of Northern Illinois - Technical Discussion
> > > > http://luni.org/mailman/listinfo/luni
> > > >
> >
>
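
Samir's description of the gateway box above (only SMTP out on the internet
side, only MySQL to the LAN side, forwarding disabled both in sysctl.conf and
in iptables) as a concrete script.  This is an added example, not something
posted in the thread.  The interface names (eth0 towards the Linksys, eth1
on the database LAN), the MySQL server address and the ISP relay address are
made-up assumptions for illustration; override them through the environment.

```shell
#!/bin/sh
# Host firewall for a two-NIC SMTP gateway: talk to the ISP's mail relay on the
# internet side, talk to the MySQL server on the LAN side, route nothing
# between the two.  Interface names and addresses below are assumptions for
# the example, not values from the thread; override them with env variables.
WAN_IF=${WAN_IF:-eth0}                     # NIC behind the Linksys, towards the ISP
LAN_IF=${LAN_IF:-eth1}                     # second NIC, on the isolated database LAN
DB_HOST=${DB_HOST:-192.168.10.5}           # MySQL server on the LAN (assumed)
SMTP_RELAY=${SMTP_RELAY:-203.0.113.25}     # ISP's SMTP relay (placeholder address)

# Emit the ruleset, one iptables argument list per line, so it can be
# reviewed (or tested) before anything touches the kernel.
gateway_rules() {
    cat <<EOF
-F
-X
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -o $WAN_IF -p tcp -d $SMTP_RELAY --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -o $LAN_IF -p tcp -d $DB_HOST --dport 3306 -m state --state NEW,ESTABLISHED -j ACCEPT
EOF
}

# Load the rules and switch off IP forwarding, both now (sysctl -w) and at
# boot (/etc/sysctl.conf), so the box cannot act as a router between the two
# networks even if a later rule change loosens the FORWARD chain.
apply_gateway_rules() {
    gateway_rules | while IFS= read -r rule; do
        # word splitting of $rule into separate arguments is intended here
        iptables $rule
    done
    sysctl -w net.ipv4.ip_forward=0
    if grep -q '^net\.ipv4\.ip_forward' /etc/sysctl.conf; then
        sed -i 's/^net\.ipv4\.ip_forward.*/net.ipv4.ip_forward = 0/' /etc/sysctl.conf
    else
        echo 'net.ipv4.ip_forward = 0' >> /etc/sysctl.conf
    fi
}

# "./gateway-fw.sh" prints the rules for review; "./gateway-fw.sh apply"
# loads them (as root, from the console: there is no ssh on this box).
case "${1:-show}" in
    apply) apply_gateway_rules ;;
    *)     gateway_rules ;;
esac
```

With both chains' default policy at DROP, the box can do nothing but those
two conversations: no inbound connections on either NIC, no DNS, no package
updates.  If the relay has to be given by hostname rather than address, add an
OUTPUT rule for UDP/53 on the WAN side; for updates, open 80/443 temporarily
or copy packages over from the LAN.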

