-----Original Message-----
From: shrike-list-admin@xxxxxxxxxx [mailto:shrike-list-admin@xxxxxxxxxx] On Behalf Of Robert L Cochran
Sent: Monday, September 29, 2003 12:19 AM
To: shrike-list@xxxxxxxxxx
Subject: Re: File Server irritants (newbie)

Buck wrote:

> 1) Prevent users from logging in at the keyboard of the server.
> The users buck, root and net manager will need permission to log from
> the keyboard but I don't want ANYONE in the company to have access to
> the server directly from the keyboard.
>

Quote

I think that idea is most unwise. What will happen if you die suddenly? Or travel somewhere and are stuck there (...or any number of other life situations...) and there is an emergency at the office involving your server? If you keep such a tight policy on a server such that there is no one else who knows how to rescue the machines or get at them, you will look really bad and have a lot of explaining to do.

End quote

I have a logbook in case someone else needs it. I know it sounds terrible, but I couldn't successfully teach these people how to remove a backup tape once a day and change it. The only user that appeared teachable thought it was cute to set everyone's computers up with Gator, Weatherbug, Kazaa, and tons of spyware. About the same time I found log records where someone regularly tried to log in or guess the password to the server.

Cleaning up after the power-user that was being so cute, I removed nearly 50 spyware products per computer, Trojan programs on four machines and more than a dozen viruses on her computer. Reduced all users' rights to "user". I forced all users to change their passwords and in less than a week all the employees without computers had the passwords again, porn was on almost every computer and we caught the culprit trying to break into the server. During these 8 months of "uncontrolled" users, I was steadily working to restore drivers and keep everything up and running and active and old accounts mysteriously disappeared.

Since I locked down the systems and the simultaneous firing of the would-be server-cracker, the system has had one day of trouble in 2.5 years. I am only a contractor, but I keep two journals with all the passwords and procedures in both of them. I alternate using them when I make service calls to record what I do, but if something happens to me, they will get the books. I do have a friend I am hoping to train to back me up.

On two separate occasions I tried hiring someone to back me up if there were problems. Both times my "backup" went behind my back and talked the managers into believing I knew nothing about what I was doing and they could set it up "right". The management listened and the goons wrecked their network and quit when they discovered they couldn't get it to work again. Between the two, they spent $3000 just to get their systems in disarray. I recovered their network and told the manager to either let me turn the system over to whomever they want to pass it onto, or if I had to repair it again I would charge $2000 just to walk in the door and then begin the clock on my hourly. They listened to a computer training shop that moved in next door one more time. That shop had them down for three days before they called me. I kept my promise and they got them up that weekend. I had to re-wire the networking in the wall plates and reconfigure all the software.

I have serviced these guys since 1994. They are friends of the family now and we scratch each other's back. I offered to train a friend of mine with a CS degree to take over when I can't be there. I am expecting an answer this week sometime.

Quote

You really must train at least 3-4 other people in how to use the machine you set up. And give them the root password.

End quote

The managers only trust one employee and her job doesn't leave her that luxury. The managers/owners keep their computers turned on all day and night because they can't figure out how to get back to where they were.
Yes, unbelievable but true.

Quote

Removing the keyboard and mouse and locking the box into a cabinet is not a security solution, anyhow, as it is possible to ssh login into the machine remotely. This is called a headless machine. Set up the 3-4 trainees with public key ssh access to the server so they can administer it. But they still need complete physical access in case a drive crashes or some other unexpected thing happens.

End Quote

Until recently the server was left on a desk in the open. All employees have keys to the office door as a lot of their work is done outside of business hours. Some bring their kids over to do their homework while they are doing whatever they do at night. (I have been there at all hours of the day and night even on weekends. The office receives calls every hour!) The company is moving the network group to their other location. I have a desk there and now I am planning to put the two servers (mine and the company's) under each wing of the desk. My work station will be on my desk and if it is the console for the servers, they won't be bothered. As for service, they won't be locked in a vault, just out of sight.

> 2) Each user's private directory has Linux OS (I guess) related
> files. Since they won't be using Linux, I would like to either delete
> them or create empty directories like the groups create.
>

Quote

You mean the home directories? Why bother "cleaning them up"? There is no percentage in it. When you think about it, you don't want to waste the time writing scripts that you don't know how to code yet and then running them at great risk of creating a mess.

End quote

Yes, the home directories... All workstations are Windows 2000 or later. The only use for the home directories on the network is for their My Documents folder. Since that is all that ever needs to be backed up on all but one of the workstations, I found the easy solution was to move the folder. It comes in especially handy when the users change computers.
It will be years before they can even consider having a Linux workstation. Their business depends on a software package that costs tens of times more for UNIX than for Windows.

> 3) Somewhere in the mix I set up a public directory. Users have
> browse access and nothing else. I think I know how to remove it
> though.
>
>
> 4) I have a folder and account setup called pcguest. "bad-user"
> defaults to that folder but has no access in it. I am wondering if I
> can remove that account and folder as I see no need to have guest
> accounts at this time. Guest accounts need to be on the workstations
> and guests have no reason to access my server, at least not in the
> business model I am using.

Quote:

You might want to read the Samba book published by O'Reilly.

End quote:

I already have my eye on it as soon as I can get it into my budget.

>
> 5) What am I not thinking of?
>
>
> I have learned that initially setting up Linux as a firewall is a
> PITA, lots of work, I can save the necessary config files to make next
> time quick and easy.
>

Quote:

The book Linux Firewalls by Robert Ziegler can help you a lot, if you are truly running a firewall (a machine dedicated to filtering incoming ethernet packets to help prevent network-based intrusion attempts) instead of a file server (a machine that stores files for some purpose.)

End quote:

I have a hardware firewall on the network, but I want to learn how to set additional firewall on the server just in case someone gets through it. Someone got thru the NAT router (not a packet inspection firewall) and it's the only time that the server was down in 2.5 years. I am not sure I need a firewall on the server just for the server, but I don't mind learning it and if it doesn't stop it from serving files, I don't see any harm in it being there.

Buck

--
Shrike-list mailing list
Shrike-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/shrike-list
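
Item 1 in the message above (console logins only for buck, root and the net manager) is commonly handled on Linux with pam_access and /etc/security/access.conf. The following is an added example, not part of the original post: a simplified Python model of how pam_access reads such a file (first matching line wins, no match means allow), so a policy can be checked before it locks anyone out. The account name netmgr, the user alice and the sample policy are assumptions; nested EXCEPT, groups and netgroups are not modelled.

```python
# Constructed policy in /etc/security/access.conf syntax (permission:users:origins).
# "netmgr" is a placeholder; the post does not give the net manager's login name.
POLICY = """\
+ : root buck netmgr : LOCAL
- : ALL : LOCAL
"""

def parse(text):
    """Return [(permission, users_field, origins_field)] from access.conf text."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = [p.strip() for p in line.split(":")]
        if len(parts) != 3 or parts[0] not in ("+", "-"):
            raise ValueError(f"line {lineno}: expected permission:users:origins")
        rules.append(tuple(parts))
    return rules

def _field_matches(value, field, token_matches):
    """Evaluate one field of the form 'a b c [EXCEPT d e]' (single-level EXCEPT)."""
    tokens = field.split()
    cut = tokens.index("EXCEPT") if "EXCEPT" in tokens else len(tokens)
    include, exclude = tokens[:cut], tokens[cut + 1:]
    return (any(token_matches(value, t) for t in include)
            and not any(token_matches(value, t) for t in exclude))

def _user(user, token):
    return token in ("ALL", user)

def _origin(origin, token):
    # LOCAL matches any origin without a dot, i.e. a tty rather than a host name.
    return token == "ALL" or (token == "LOCAL" and "." not in origin) or token == origin

def allowed(rules, user, origin):
    """First matching rule decides; pam_access grants access if nothing matches."""
    for permission, users, origins in rules:
        if _field_matches(user, users, _user) and _field_matches(origin, origins, _origin):
            return permission == "+"
    return True

if __name__ == "__main__":
    rules = parse(POLICY)
    for who in ("buck", "root", "netmgr", "alice"):   # alice: constructed ordinary user
        print(who, "tty1", "allowed" if allowed(rules, who, "tty1") else "denied")
    # Same two lines in the wrong order: the deny-all line matches first.
    swapped = parse("- : ALL : LOCAL\n+ : root buck netmgr : LOCAL\n")
    print("swapped order, buck:", allowed(swapped, "buck", "tty1"))
```

pam_access only applies to services whose PAM stack includes it, for example an `account required pam_access.so` line in /etc/pam.d/login.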