From: Will Honea on 13 Apr 2010 13:54

houghi wrote:

.... snipped

> So if I have it correctly, the setup is this:
>
> Internet - modem/router - PC01
>                         - PC02
>                         - PC03
>                         - ...
>
> Not sure where and if there is a firewall.

You got it. The router has a decent firewall capability - runs BusyBox with iptables - but it is too small/slow for a really comprehensive setup - the 20mb DSL looks like about all it can handle.

> And you need to connect each of these machines to the Internet. So
> what you do is `ssh example.com:2201`. The port number 2201 I made up,
> where 22 stands for ssh and 01 for PC 01.
> For PC2 you do `ssh example.com:2202` and so on.
> The router forwards each port to the needed machine. Right? Now what
> BlockHosts can do for you, as far as I know, is install it on each PC
> and block the faulty access.

That's my conclusion. I was trying to do too much at the router.

> However some of the PCs are Windows machines (e.g. PC03) and BlockHosts
> does not work there, so you need to find another solution there.
>
> I would do the following. If this is possible or not depends highly on
> the router. Many cheap routers will not be able to do this. Also it
> assumes you have a domain name that you can use. I would then configure
> the router so that it will forward domains to certain IP addresses. So I
> would do `ssh PC01.example.com` and `ssh PC02.example.com` and so on.
> (Or use PC01.office.example.com and have *.office.example.com point to
> the office) and then have that forwarded to each machine.
>
> The extra advantage is that you can now easily speak to each machine
> between them. This is great if there are not that many (say 10 or so)
> PCs in the office. And again it depends very much on the ability of the
> router.
>
> Now if the router does not have the ability or if there are many more
> PCs, it might be interesting to place a "real" router between the modem
> and the computers. If you use a hardware router or a software router
> (like Linux) depends on the needs.
>
> If you decide on a Linux machine dedicated to do this, you can put a
> very good firewall/router/DHCP server combination up with any old
> machine you have lying around. Depending on the machine and needs, you
> could add a proxy server and any other server.
> Then the BlockHost could run on that machine. Not sure, as I have never
> tested it on a forwarding machine.
>
> On the same machine, although I would do it on a different machine in
> the DMZ, you could install an sFTP server or a Web server, an outgoing
> mail server, virus scanner, file server, print server, fax server,
> voicemail, ....

I'm leaning that direction. If I go that route, I'll probably turn off the wireless on the DSL modem and put in a dedicated AP unit that communicates with the internet through the additional box, so that I can isolate the wireless connections from machines I don't control from the rest of the internal LAN. This one system has grown piecemeal, but it's reached the point that there are too many people on the LAN now to live with anarchy.

-- 
Will Honea
From: Moe Trin on 13 Apr 2010 21:29

On Mon, 12 Apr 2010, in the Usenet newsgroup alt.os.linux.suse, in article
<slrnhs74ti.5jv.houghi(a)penne.houghi>, houghi wrote:

>Moe Trin wrote:

>> Block IP Addresses based on login or access information in system logs.
>
>> Or have you found some other application named 'BlockHosts'?

>You must have missed the part where I told that the first run it would
>look at the logs. After that it works with /etc/hosts.allow or
>/etc/hosts.deny

Just how do you think this application works? I'll admit that the documentation sucks, but there are enough details to tell you that it's reading logs. If you've stopped it from reading logs, where do you think it's getting the data to put into /etc/hosts.allow and/or /etc/hosts.deny? If it's not putting data in there, exactly what good is it? You could have manually entered the data and be done with it.

>> In the rare event that I need to connect from a non-pre-approved IP,
>> I can use a variation of port knocking

>And again you are looking at the issue as if you are the only person
>connecting to only one SSH server.

Nope - that is the way the division servers are set up. There are 4000 people in this facility - though not all of them have access.

>Otherwise I could just drop ssh and use telnet on those ports in the
>same way.

Actually, that's how it was set up back in the late 1980s and early 1990s.

Old guy
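The log-to-hosts.deny mechanism Moe Trin describes above (read sshd failures from the system log, write blocked addresses into /etc/hosts.deny), as an added example that is not BlockHosts' own code: it counts failed sshd logins per source address over constructed sample log lines and emits TCP-wrappers `ALL: <ip>` entries for addresses at or above a threshold, skipping an allow list that stands in for the pre-approved addresses mentioned in the thread. The function names, the threshold of 3 and the sample lines are assumptions.

```python
import re
from collections import Counter

# Constructed sample sshd log lines (not from the thread); addresses are
# documentation ranges (RFC 5737), not real hosts.
SAMPLE_LOG = """\
Apr 13 10:01:02 pc01 sshd[2210]: Failed password for root from 203.0.113.7 port 40122 ssh2
Apr 13 10:01:05 pc01 sshd[2210]: Failed password for root from 203.0.113.7 port 40123 ssh2
Apr 13 10:01:09 pc01 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 40124 ssh2
Apr 13 10:02:00 pc01 sshd[2215]: Accepted publickey for will from 192.0.2.10 port 50001 ssh2
Apr 13 10:03:30 pc01 sshd[2220]: Failed password for will from 192.0.2.10 port 50002 ssh2
Apr 13 10:04:00 pc01 sshd[2230]: Failed password for invalid user test from 198.51.100.4 port 41000 ssh2
"""

# Matches OpenSSH's "Failed password" lines, with or without "invalid user".
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ "
    r"from (\d+\.\d+\.\d+\.\d+) port \d+"
)


def count_failures(log_text):
    """Return a Counter of failed sshd logins keyed by source IP."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts


def hosts_deny_entries(counts, threshold=3, allow=()):
    """Build /etc/hosts.deny lines ('ALL: <ip>') for every address with at
    least `threshold` failures, leaving allow-listed addresses untouched.
    Entries are sorted so repeated runs produce a stable file."""
    return [
        f"ALL: {ip}"
        for ip, n in sorted(counts.items())
        if n >= threshold and ip not in set(allow)
    ]


if __name__ == "__main__":
    failures = count_failures(SAMPLE_LOG)
    for entry in hosts_deny_entries(failures, allow={"192.0.2.10"}):
        print(entry)
```

A real deployment would append these lines between marker comments in /etc/hosts.deny rather than overwrite the file, and would expire old entries on later runs.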
From: Will Honea on 14 Apr 2010 03:29

houghi wrote:

>> You got it. The router has a decent firewall capability - runs BusyBox
>> with iptables - but it is too small/slow for a really comprehensive setup
>> - the 20mb DSL looks like about all it can handle.
>
> Is that a 286? A 386 should be able to handle most connections with
> ease.

I wish! It's one of the small MIPS units - 16k RAM and all. Serves me at home quite well, but my firewall needs there are a lot simpler since I'm usually the only user.

>> I'm leaning that direction. If I go that route, I'll probably turn off
>> the wireless on the DSL modem and put a dedicated AP unit that
>> communicates with the internet through the additional box so that I can
>> isolate the wireless connections from machines I don't control from the
>> rest of the internal LAN. This one system has grown piecemeal but it's
>> reached the point that there are too many people on the LAN now to live
>> with anarchy.
>
> That would be the best option.

I've a good dozen Dell Optiplex 150s (900MHz, 512MB of RAM) stacked up in the back room. I'm figuring that I can get 3-4 of those solid so that I have backup hardware when (not if) one goes titsup. I even have openSUSE 11.2 on one - I'd hate to do any serious work with KDE or Gnome, but one of the light-weight WMs - or just a terminal and no GUI - should run with no problems. Even with KDE it's surprisingly quick if I kill all the cruft on the desktop, so XFCE would probably be usable.

I'll probably be back with more questions once I find time to set this up.

-- 
Will Honea
From: JT on 14 Apr 2010 08:20

On 14/04/10 13:13, houghi wrote:
> Will Honea wrote:
>
>> I've a good dozen Dell Optiplex 150s (900MHz, 512MB of RAM) stacked up in
>> the back room. I'm figuring that I can get 3-4 of those solid so that I
>> have backup hardware when (not if) one goes titsup. I even have openSUSE
>> 11.2 on one - I'd hate to do any serious work with KDE or Gnome but one of
>> the light-weight WMs - or just a terminal and no GUI - should run with no
>> problems. Even with KDE it's surprisingly quick if I kill all the cruft on
>> the desktop so XFCE would probably be usable.
>>
> The machine should be good enough for a router. Some remarks on your
> choice:
> 1) No GUI. None. Do a minimal installation and look at what software can
> still be removed. A LOT is not needed, and the less you need, the less
> you need to update. There is no need for a GUI. YaST works well in CLI.
> You can easily ssh to it and run YaST.
>
> 2) openSUSE is perhaps not the best choice for a business environment.
> The lifespan is just too short, so go for SUSE. Even better, go for a
> specialized distro. There are several out there that only do
> router/firewall stuff:
> http://en.wikipedia.org/wiki/List_of_router_or_firewall_distributions
>
> I would probably go for http://coyotelinux.com/ (development is done on
> SUSE Studio) or http://www.engardelinux.org
> I would however also take a closer look at the rest and see which ones
> are doing what I need. Some others look promising as well. I only looked
> about 1 minute at each. Look at the date of the latest version and the
> date of the latest updates. Some are from around the middle ages.
>
> houghi
>

I don't know if this serves your specific purpose, but from what I read 'http://tinylinux.sourceforge.net/' might also be an option.

Good luck

-- 
Kind regards,
JT
From: JT on 14 Apr 2010 10:09

On 14/04/10 15:46, houghi wrote:
> JT wrote:
>
>> I don't know if this serves your specific purpose, but from what I read
>> 'http://tinylinux.sourceforge.net/' might also be an option.
>>
> The latest news is from 2001. That does not mean it isn't good. It just
> means you should be aware of it.
>
> houghi
>

Saw that just after posting as well..... Wouldn't go for it after all, because they also state that 'some networking' is under development .... Not appropriate for this purpose. Sorry

-- 
Kind regards,
JT