There is an office with a WiFi network and 4 developer computers; on one of them, VirtualBox with an SVN server.
There is a server in the data center; on it, nginx, MySQL and other related services.
The task: limit developers' access to the project database, and to any confidential data in general, as much as possible (almost in paranoid mode), and maximize protection against intrusion into the network or onto the server.
My thoughts on the matter:
1) Disable WiFi broadcast, so the network will be harder to find. (The assumption is that the attacker is sitting at the office with a laptop and brute-forcing the password.)
2) Change the network key; only the boss and I will know the key (we will enter the keys ourselves).
1) Use iptables for protection against port scanning + change the SSH port, to make the SSH port harder to detect.
2) Restrict SSH access by IP and set up key-based authorization (again, two people have the keys: me and the boss).
3) A script that deploys the project from the local SVN to the test or production virtual hosts: the idea was to replace the config on the fly (i.e. insert the correct DB login/password values into it)...
4) Disable root login; get root via sudo or su.
5) MySQL: restrict access by IP to localhost and the monitoring server.
Obvious disadvantages (for me):
1) Deploying the project from the SVN server: only I can do it, which is an extra headache; if I'm not around, nobody will deploy it...
2) Working with the database may be difficult; we will have to keep two copies (i.e. a dev database in the office and the production one, and then apply all changes to production).
Question: what does everyone think about this? Suggestions, comments? Criticism is welcome. =)
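The deploy-time config substitution from server item 3, as an added example that is not part of the original post: the `{{NAME}}` placeholder syntax, the KEY=VALUE secrets file and the function names are assumptions. The config kept in SVN holds only placeholders; the real DB login and password live in a file readable only by the person who deploys.

```python
import os
import re
import stat
import tempfile

# Assumed placeholder syntax, chosen so it cannot collide with "$" in PHP configs.
PLACEHOLDER = re.compile(r"\{\{([A-Z][A-Z0-9_]*)\}\}")

def load_secrets(path):
    """Read KEY=VALUE lines; refuse a file readable by group or others."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        raise PermissionError(f"{path} has mode {mode:o}; expected 600")
    secrets = {}
    with open(path) as f:
        for line in f:
            line = line.strip()
            if line and not line.startswith("#"):
                key, _, value = line.partition("=")  # value may contain "="
                secrets[key.strip()] = value.strip()
    return secrets

def render_config(template_path, secrets_path, out_path):
    """Fill the placeholders and write the result atomically with mode 600."""
    secrets = load_secrets(secrets_path)
    with open(template_path) as f:
        text = f.read()
    # A placeholder with no matching secret raises KeyError here, before
    # anything is written, so a half-filled config never reaches the host.
    rendered = PLACEHOLDER.sub(lambda m: secrets[m.group(1)], text)
    out_dir = os.path.dirname(os.path.abspath(out_path))
    fd, tmp = tempfile.mkstemp(dir=out_dir)  # mkstemp creates the file 0600
    try:
        with os.fdopen(fd, "w") as f:
            f.write(rendered)
        os.replace(tmp, out_path)  # atomic swap on the same filesystem
    except BaseException:
        os.unlink(tmp)
        raise
    return out_path
```

The rendered file is owned by the deploying user; passing ownership or group to the account the application runs under is left to the deployment.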