On Fri, 29 Feb 2008 10:35:08 +1300 Roger Searle <[EMAIL PROTECTED]> wrote:

> While I should wait till returning to work on Monday, this is a thread
> of great relevance to either my current work and home setup or where I
> intend taking it - and in some cases learning how! I have been very
> interested in Chris and Steve's replies and as time allows over coming
> weeks will be asking a question or 3 on the list!
>
> At work we have a similar number of users to John though all windows
> users (apart from me). I don't currently have a complete set of answers
> to what can be accomplished on SBS, but have made a start. This is what
> I have so far.
>
> I have an ipcop firewall box, just a standard install plus the snort IDS
> added. It just works.

Sounds about right. I have one installation with an adsl router that dumps all traffic to the IPCop box to filter it, and a similar sort of thing at home, but with the luxury of a Cisco PIX ( thanks for fixing it Volker! ) firewall which came in as payment for decommissioning a site in a previous life.

> I have another box running linux functioning as both a file server and
> running vmware server. Yes, I know this isn't ideal and they should be
> separate boxes but with the limited resources available to me (like many
> small businesses) is all I can do. It works.

I do a similar thing. My 'infrastructure' server runs database services, and file shares, and also vmware clients running my mail and web servers ( primarily - I also play with an Oracle cluster using vmware too ).

> 3 hard drives in this box, one for the OS, the other 2 set up as raid1,
> created 2 partitions for data and backups, then samba and a few chown +
> chmod commands is all I needed. Cron runs bash scripts each night for
> backups which also copy to another machine. Same script also burns some
> backups to DVD. The only user data I don't currently have on this
> server are some large Outlook pst files - given their size I prefer to
> have them on the user's local machine. They are however backed up (with
> a different script). Those using Thunderbird for email have those files
> on the file server.

Not mirroring your system disk is a bit dodgy. I'd've probably created a single raid 5 over all of the disks, then partitioned it up. Booting off a raid disk isn't too cumbersome any more.

> I have VMWare Server running an XP guest so that (a) can continue to
> make frequent use of a particular colour printer we have (no linux
> support for this model) and (b) run the management console for Symantec
> End Point Protection (is like the big brother to Norton Internet
> Security). I could also either use RDP or VMWare Server console to
> connect to it to use any windows-only software I need to use from time
> to time.
>
> I can actually run a second VM at the same time and have no noticeable
> (from user's perspective) performance hit - is a 64 bit dual core (I
> forget the speed) and 4 gig of ram,

vmware's really heavy on memory, as you can't share it between clients. But then it's only about $30/gig at the moment... so not too onerous a cost for a small company.

> On my list to do or find out about or learn when the holiday is over:
> - orange network on the ipcop box for the wireless network.

Orange is usually set up as a dmz, and wireless blue. Also, is your ipcop installation up to date - I'm on 1.4.18.

> - rsync script for off-machine backups of changed files through the day

I find that a sata disk in a caddy is a really simple way of backing up - usb can be a bit slow if you're throwing large amounts of data around: firewire is better. These full-size external disk thingies ( eg from Western Digital ) seem to be good value.

I'm one for simplicity in my backups. I prefer to tar all modified files, and dump databases. It makes for a simpler recovery if necessary. I also tend not to compress archives on busy machines: it takes a lot of cpu. When in a lan environment, it's no big deal ( and free ) to transfer lots of data at 2am. If, of course, you're backing up over the internet, then yes, things have to be more complex to save bandwidth and money.

> - postfix / sendmail (I have no idea about specifics at this point) /

I know I'm in a minority, but having spent 10+ years setting up sendmail, it's my choice. Also look into installing malware and spam filters at this level, rather than down the line. Most are pretty simple to integrate.

> imap email (and remotely)

I use courier and this works fine for me. Remote access is a bit of a challenge: not the server access and reading side of things, but sending emails from a remote site will require an extra level of security ( tls or more ) to ensure that you're not setting up an open mail relay.

> - OpenVPN for remote access

I find that ssh is usually enough, when tied down carefully. Openvpn takes a bit more setting up, but has the added bonus of more reliable connectivity than raw ssh alone. I don't use the IPCop openvpn plugin, but pass traffic through to the 'infrastructure' server and route from there ( it didn't work when I tried it, and it made a real mess of my red interface configuration - although I'm sure it's improved now ).

> - central management of users?

IMO you need a lot of tens of users before this actually becomes worthwhile. Unless it's your intention to learn how to do it of course!

> Some of these things I would like to have working at home, and think
> many others would too. In fact I may well test one or 2 of these out at
> home first as it's less of a problem if I totally break something here!

Top of my list would be to modify your raid solution to protect all of your data first...

> Cheers,
> Roger

Cheers,
Steve
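Steve's backup approach above (tar only the files changed since the last run, leave the archive uncompressed so a busy box is not burning cpu at 2am), written out as an added shell example that is not from the thread; the source tree, the stamp file and the archive paths are assumptions, and the demo tree is constructed inline.

```shell
#!/bin/sh
# Added example, not from the thread: nightly "tar what changed since the last
# run" backup in the style Steve describes, kept uncompressed to spare cpu on a
# busy box. Paths, the stamp file and the demo tree are all assumptions.
set -eu

# backup_changed SRC STAMP OUT
# Archive every regular file under SRC that is newer than the STAMP file into
# OUT (plain tar, no -z).  All three paths must be absolute, and STAMP and OUT
# must live outside SRC or they would be picked up by the next run.
# STAMP is touched only after a successful tar, so a failed night is retried.
backup_changed() {
    src=$1; stamp=$2; out=$3
    list=$out.list
    if [ -f "$stamp" ]; then
        (cd "$src" && find . -type f -newer "$stamp") > "$list"
    else
        (cd "$src" && find . -type f) > "$list"    # first run: full backup
    fi
    if [ -s "$list" ]; then
        (cd "$src" && tar -cf "$out" -T "$list")   # member names relative to SRC
    else
        echo "nothing changed since last run, no archive written" >&2
    fi
    rm -f "$list"
    touch "$stamp"
}

# Constructed demo: two runs over a small tree.  The first run (no stamp yet)
# archives both files; after one file is edited, the second run archives only
# that file.  Prints "<files in full> <files in incremental>", i.e. "2 1".
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/data/docs"
    echo one > "$tmp/data/docs/a.txt"
    echo two > "$tmp/data/b.txt"
    backup_changed "$tmp/data" "$tmp/last-run" "$tmp/full.tar"
    sleep 1                                  # make the edit's mtime clearly newer
    echo changed > "$tmp/data/b.txt"
    backup_changed "$tmp/data" "$tmp/last-run" "$tmp/incr.tar"
    full=$(tar -tf "$tmp/full.tar" | wc -l | tr -d ' ')
    incr=$(tar -tf "$tmp/incr.tar" | wc -l | tr -d ' ')
    rm -rf "$tmp"
    echo "$full $incr"
}

demo
```

Copying OUT to the other machine (scp or rsync across the LAN, as the thread suggests) belongs right after the tar step, before the stamp is touched, so a failed transfer is also retried next night.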