Best practices for private server deployment on LAN

Leonard Isham leonard.isham at gmail.com
Wed Mar 23 23:55:19 UTC 2005


On Wed, 23 Mar 2005 15:56:59 -0700, dan <info at hostinthebox.net> wrote:
> Hello, all -
> 
> I'm trying to do some research on some of the best practices for
> deploying a server that would be on a private LAN.  This server would
> not have any Internet connectivity - it would be used to facilitate the
> workings of a proprietary client program that would contact this server
> for specific information.
> 
> I have managed to bring down the install of a FC3 release to just under
> 500M.  Although I am not satisfied with this yet, that is pretty small
> compared to what I've done and seen in the past.  I'll keep working on
> that one.
> 
> The problem that I'm faced with is that no one should be allowed to
> tamper with this server.  No one should be able to log in, change
> settings, or anything of the like.
> 

Let's start with the basics:

1. How valuable is the information and how much can be spent protecting it?

2. Physical security: have it locked in a secure room or get/build
a secure locked enclosure. Don't have any ports exposed so nothing can
get connected to it.

3.  Disable all that is not necessary including removing the keyboard,
mouse and display.

4. Use iptables to lock down remote connections.  I would use ssh for
remote administration.  Lock down ssh (this has been covered many
times; search the archives).

Remember, if anyone physically steals the computer, they have all the time
in the world to crack any encryption, physically remove the hard drive
and put it in another machine...

-- 
Leonard Isham, CISSP 
Ostendo non ostento.
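
An added example, not part of the message above: one way to express point 4 as a default-deny ruleset for the LAN-only server described in the thread, in the format read by iptables-restore (on Fedora, /etc/sysconfig/iptables). The LAN range, admin workstation address and client service port are assumptions made for illustration.

```iptables
# Constructed example ruleset; load with: iptables-restore < /etc/sysconfig/iptables
# Assumed values (replace with your own):
#   LAN range            192.168.10.0/24
#   admin workstation    192.168.10.5
#   client service port  TCP 9000
*filter
# Default policy: drop everything not explicitly allowed, in every direction.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]

# Loopback traffic for local services.
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT

# Discard packets that do not belong to any tracked connection.
-A INPUT -m state --state INVALID -j DROP

# Allow replies on connections that were accepted below. The server itself
# never opens new outbound connections, which suits a host with no Internet access.
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# ssh for remote administration, from the single admin workstation only.
-A INPUT -p tcp -s 192.168.10.5 --dport 22 -m state --state NEW -j ACCEPT

# The proprietary client program, from the private LAN only.
-A INPUT -p tcp -s 192.168.10.0/24 --dport 9000 -m state --state NEW -j ACCEPT

# Record what falls through to the DROP policy, rate limited so the log
# cannot be flooded.
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT drop: "
COMMIT
```

Entries with the "INPUT drop: " prefix in the kernel log show which hosts on the LAN are probing ports other than the two that are open.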
