Information Security
AusTiN, 2010-12-27 14:29:41

How to secure the network and server?

Hey Habr.
Situation:
There is an office with a WiFi network, 4 development computers, one of them has VirtualBox with an SVN server.
There is a server in the data center with nginx, MySQL and other related services on it.
The task that was set: restrict developers' access to the project database, and to any confidential data in general, as much as possible (almost in paranoid mode), and protect the network / server from penetration as much as possible.
My thoughts on this:
Office:
1) Turn off WiFi broadcast - the network will be more difficult to find. (It is assumed that the attacker is sitting under the office with a laptop and brute-forcing the password.)
2) Change the network key, only the boss and I will know the key (Employees enter the keys themselves).
3) ???
Server:
1) Through iptables, protect against port scans + change the SSH port - this makes the SSH port harder to detect
2) Restrict access to SSH by IP, make authorization by keys (again, two people have the keys - me and the boss)
3) The script for uploading the project from local SVN to test or production virt.hosts - there was an idea to replace the config on the fly (i.e. insert the correct login / password values from the database into it) ...
4) Turn off root login, get root rights via sudo or su
5) MySQL - restrict access by IP to localhost and monitoring server.
6) ???
Obvious disadvantages (for me):
1) Only I can upload the project from SVN to the server - it’s an extra headache for me, if I’m not there, then no one will upload it ...
2) Working with the database becomes more complicated, you will have to have two copies (i.e. a dev-base in the office and a product, and then apply all changes to the product)
3) ????
Question: What do you think about this? Suggestions, wishes? Criticism is welcome. =)
Thank you!
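
The SSH items in the server list above (authorization by keys, access pinned to an IP, root login off), as an added example that is not part of the original post: a Python check over sshd_config text that follows sshd's rule of keeping the first value read for a keyword. The account names and the 203.0.113.10 address are constructed placeholders.

```python
# Added example: audit sshd_config text for the SSH measures listed in the question.
# Account names and the 203.0.113.10 address are constructed placeholders.
DEFAULTS = {  # values current OpenSSH uses when a keyword is absent
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
}

def effective_settings(text):
    """Global keyword -> value; sshd keeps the first value it reads for a keyword."""
    seen = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()            # keywords are case-insensitive
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":                # conditional blocks are not evaluated here
            break
        if key == "allowusers":           # exception: repeated lines append
            seen[key] = (seen.get(key, "") + " " + value).strip()
        else:
            seen.setdefault(key, value)   # later duplicates are ignored
    return {**DEFAULTS, **seen}

def audit(text):
    """Return findings; an empty list means every check passed."""
    cfg = effective_settings(text)
    findings = []
    if cfg["permitrootlogin"].lower() != "no":
        findings.append("root login not disabled")
    if cfg["passwordauthentication"].lower() != "no":
        findings.append("password authentication enabled")
    if cfg["pubkeyauthentication"].lower() != "yes":
        findings.append("public key authentication disabled")
    patterns = cfg.get("allowusers", "").split()
    if not patterns or any("@" not in p for p in patterns):
        findings.append("AllowUsers does not pin every user to a source address")
    return findings

# Constructed sample: the second PermitRootLogin line never takes effect.
WEAK = "Port 2222\nPermitRootLogin yes\nPermitRootLogin no\n"
HARDENED = ("PermitRootLogin no\nPasswordAuthentication no\n"
            "AllowUsers admin@203.0.113.10\nAllowUsers boss@203.0.113.10\n")

if __name__ == "__main__":
    for name, conf in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name, audit(conf) or "ok")
```

On a real host, `sshd -T` prints the effective configuration, including what Match blocks resolve to, and can be fed through the same checks.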

9 answer(s)
Bodik, 2010-12-27
@Bodik

As for the firewall and monitoring connections, i.e. blocking IPs (if a port scan is detected): install CSF (LFD comes with it), www.configserver.com/cp/csf.html. It worked very well and setup is easy.

charon, 2010-12-27
@charon

> 2) Change the network key, only the boss and I will know the key (Employees enter the keys themselves).
This will not help; extracting the Wi-Fi password from any OS is quite simple and does not require a lot of knowledge.

NanoDragon, 2010-12-27
@NanoDragon

I don’t understand what the problem is with the Wi-Fi network. I don’t set a password on Wi-Fi at all. Why bother with keys and everything else?
There is OpenVPN and we use it. Let them sniff OpenVPN traffic, I don’t mind.

nill, 2010-12-28
@nill

There are two solutions here. The first is a complete rejection of Wi-Fi. The second one is much more complicated: a wonderful Wi-Fi setup with modification of WEP itself (stuffing bogus packets), PEAP authorization and fully encrypted traffic (OpenVPN). Naturally, it will be impossible to connect from a phone.
P.S. And remember, absolutely any Wi-Fi breaks in skillful hands with a good card, preferably on prism2 =)

perl_demon, 2010-12-27
@perl_demon

I think that the main problem is the availability of Wi-Fi. Is there an option to opt out?

mikes, 2010-12-27
@mikes

Abandon wpa-eap wpa2-psk and switch to wpa2-eap with authorization through RADIUS in AD or (and) based on certificates;
move the server into a DMZ, protecting it with something like a Cisco ASA or PIX, again with authorization and rules

mikes, 2010-12-27
@mikes

I pressed send too early… between the Cisco and the office, a VPN to access the server from the office and for “on the road” clients, if any… and a port map so ordinary users can access it from the Internet.
It is clear that the server itself cannot initiate any connections in such a scheme.

Alexander, 2010-12-29
@akalend

Org measures:
Access to the "clearing" (production): only the admin (duplicate passwords in the safe at the Head's).
Responsible for deployment: one person (or two), the admin (and the team leader).
I worked in one paranoid office where development and the Internet were physically separated: different networks (two computers at each workplace, one for development and one for the Internet). Files downloaded from the Internet were uploaded via samba to a shared folder, and from there to the development computer. From the developer network there was RO access, so the system is a one-way valve: "blow in here, and nothing comes back out".
The minus of this approach: an extra computer for the developer. The plus: no way to steal the source code or the database ... You can only print (the printer is in the office of the head of the department) or film it.
Tech measures:
If you cannot give up WiFi,
then strict IP routing and MAC binding,
and no DHCP! Only static, allowed IPs.
Restrict production SSH access to a specific IP. Take one more IP from the provider (they usually give a company at least three). One will be strictly for the admin, one for the router for the entire office. If an attacker gets into the network, he will not be able to get into production.

NanoDragon, 2010-12-29
@NanoDragon

You shouldn't change the SSH port; it won't be broken anyway. And if people can break SSH, then it will not be difficult for them to find the SSH port. So I think it will only hurt.
