
Re: [K12OSN] Open-mosix question
Daniel,
	i think i am beginning to get it: you don't run 2 separate
networks on 1 physical segment, you run several and you have no control
over this. fine, we can deal with it. decision 1: can you really separate
ltsp network from the rest of the u. if you can, firewall. my assumption
is:  you can't. now we have to deal with it. the switches are doing a
great job separating networks (you actually get terminals booted). i will
make another assumption: you have no control over setting vlans on the
switches. you HAVE to lock down the servers. make absolutely positively
sure that NO unnecessary service is active, especially telnet. disable
ssh protocol 1, disable password lookup for ssh, disable root login
altogether. you get the drift ... all this will not hinder terminal boot
up and access.
	keep looking at scan logs, gzip 'em and keep going. you wouldn't
believe the logs i get from being connected on the cable modem. i look at
them, and just shrug. it took me 6 years to get to the point of a shrug
without looking for a handgun.
	i think you are in a great situation: you get to see the nimda
without being infected by it. appreciate your foresight and luck. julius

p.s. Soi Cowboy, you say? I was thinking of an exotic trip for a 25th
wedding anniversary. On second thought, "Churches of England" might be more
conducive to get another 25 years.

On Thu, 18 Apr 2002, Daniel Bodanske wrote:

> Julius Szelagiewicz wrote:
>
> >Daniel,
> >	exposure of the network on the switch doesn't have to be a
> >problem. make sure you don't allow telnet into the servers, only ssh. this
> >hides the passwords. being on the 10.x.x.x network is just fine, since you
> >can put bootable stations anywhere there is a network connect.
> >	route add is fine, even if it feels like a hack. if you decide to
> >firewall your setup, you'd need route delete default ...., route add
> >default .... to access outside world, but from your letter i gather it
> >would be easier to keep everything on the same 10.x network. you are
> >not running 2 different networks on the common physical segment, right?
> >julius
> >
> Julius,
> Some background: the university sets the IP protocol like this --
> 10.{building#}.{floor}.{machine}, which is nice.  I don't understand,
> however, why they insist on having the gateway, dns, and proxy on the
> true IPs (202.29.26.1-5 are the proxies), and won't alias them or
> something.  I also don't understand why windows doesn't have a problem
> with this, even though the IP is 10.2.2.1 netmask 255.0.0.0.  If anyone
> can answer that one for me...
> I'm the one that has a real problem with the lack of something between
> us and the rest of the university.  If I'm feeling generous, I say I
> don't want to pollute the network with our Xserver traffic, although
> netbooting from downstairs or the listening lab is nice for me.  If I'm
> in a bad mood, however, it is because the entire university is
> unlicensed Win98 machines rife with Nimda et al.  It's like Soi Cowboy*
> out there, and I don't need the lists of banned IPs every day in my
> server logs. We get about 10kb/sec of portscans right now, per machine.
> I don't want that pollution in my lab, either.
> I take it, then, that route is my friend, and not my ignorant hack?  I
> was going to use BBIagent as the router, but I don't think I can use
> route with it now.  Any suggestions for the 4 year newbies out here?
> Dan
>
> * Upon rereading my email before sending (you believe that's a second
> draft?) I realize you won't understand this == the most infamous
> prostitution spot in Bangkok
>
>
>
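As an added example (not from the post or from the K12OSN list), a small Python audit of the three sshd_config directives Julius tells Dan to lock down: SSH protocol 1, password authentication, and root login. The sample configs and the defaults assumed for unset directives are constructed; the parser follows sshd's rule that the first value of a directive wins, which is why a "fix" appended at the bottom of a stock config changes nothing.

```python
import re

# Assumed conservative defaults for an unset directive: OpenSSH of the 2002
# era still offered protocol 1 and allowed password auth and root login.
DEFAULTS = {"protocol": "2,1", "passwordauthentication": "yes", "permitrootlogin": "yes"}

# (directive, wanted value, predicate: is the effective value safe?)
CHECKS = [
    ("protocol", "2", lambda v: "1" not in v.replace(" ", "").split(",")),
    ("passwordauthentication", "no", lambda v: v.lower() == "no"),
    ("permitrootlogin", "no", lambda v: v.lower() == "no"),
]

def parse_sshd_config(text):
    """{directive: value}; sshd keeps the FIRST value and ignores later duplicates."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()            # drop comments and blanks
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # "Key value" or "Key=value"
        key = parts[0].lower()
        if key == "match":          # directives after Match are conditional; stop
            break
        settings.setdefault(key, parts[1].strip() if len(parts) > 1 else "")
    return settings

def audit_sshd_config(text):
    """Return a list of findings for directives whose effective value is weak."""
    settings = parse_sshd_config(text)
    findings = []
    for key, want, is_safe in CHECKS:
        actual = settings.get(key, DEFAULTS[key])   # unset -> assumed default
        if not is_safe(actual):
            findings.append(f"{key}: effective value {actual!r}, want {want!r}")
    return findings

# Constructed sample: a stock config with a "fix" appended that sshd ignores.
WEAK = """\
Protocol 2,1
PermitRootLogin yes
PasswordAuthentication yes
PermitRootLogin no   # appended later; the first value above still wins
"""
# Constructed sample of the locked-down equivalent.
HARDENED = """\
Protocol 2
PermitRootLogin no
PasswordAuthentication no
"""
```

Running `audit_sshd_config(WEAK)` reports all three directives, including PermitRootLogin, because the later `no` never takes effect; `audit_sshd_config(HARDENED)` returns an empty list.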