How to protect the network and the server?


Hi, Habr.

Situation:

There is an office with a WiFi network and 4 developer computers, one of which runs an SVN server in VirtualBox.

There is a server in a data center running nginx, MySQL and other related services.

The task is to restrict, as far as possible (almost paranoid mode), the developers' access to the project database and to any confidential data in general, and to get maximum protection against intrusion into the network or the server.


My thoughts on the matter:


Office:

1) Disable SSID broadcast, so the network is harder to find. (The assumption is that the attacker sits next to the office with a laptop and brute-forces the password.)

2) Change the network key; only my boss and I will know it (we enter the key on the machines ourselves).

3) ???


Server:

1) Use iptables to protect against port scans, and change the SSH port to make it harder to find.

2) Restrict SSH access by IP and use key-based authentication (again, only two people have keys: me and the boss).

3) A script that deploys the project from the local SVN to the test or production virtual hosts; the idea was to replace the config on the fly (i.e. insert the correct DB login/password values into it)...

4) Disable direct root login; become root via sudo or su.

5) MySQL: restrict access by IP to localhost and the monitoring server.

6) ???


Obvious disadvantages (for me):

1) Deployment from the SVN server is done only by me, which is an extra headache; if I'm not around, nobody will deploy...

2) It may be hard to work with the database; we will have to keep two copies (i.e. a dev database in the office and a production one, and then apply all changes to production).

3) ????


Question: what do you think about this? Suggestions, comments? Criticism is welcome. =)

Thank you!

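The server-side items in the question (SSH moved to another port and limited to two people's addresses, port-scan protection in iptables, MySQL reachable only from localhost and the monitoring host) can be expressed as one generated ruleset plus an sshd drop-in. The script below is an added example, not code from the original thread; the addresses and the port number are constructed placeholders, and the output is meant to be reviewed and then loaded with iptables-restore.

```shell
#!/bin/sh
# Added example (not from the original post): emit an iptables-restore ruleset
# and an sshd_config drop-in for the server described in the question.
# All addresses and the SSH port below are constructed placeholders.

ADMIN_IPS="203.0.113.10 203.0.113.11"   # office egress + admin home (constructed)
MONITOR_IP="198.51.100.5"               # monitoring server (constructed)
SSH_PORT=2222                           # SSH moved off 22, as the question proposes

# gen_ruleset "ADMIN_IPS" MONITOR_IP SSH_PORT  -> iptables-restore text on stdout
gen_ruleset() {
    admin_ips=$1; monitor_ip=$2; ssh_port=$3
    printf '%s\n' '*filter'
    # Default-deny inbound; outbound stays open.
    printf '%s\n' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate INVALID -j DROP'
    # Public web services served by nginx.
    printf '%s\n' '-A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT'
    # SSH only from the allow-list; any other source never reaches sshd,
    # so the changed port matters less than this rule does.
    for ip in $admin_ips; do
        printf '%s\n' "-A INPUT -p tcp -s $ip --dport $ssh_port -m conntrack --ctstate NEW -j ACCEPT"
    done
    # MySQL: localhost is already covered by the lo rule; add only the monitoring host.
    printf '%s\n' "-A INPUT -p tcp -s $monitor_ip --dport 3306 -j ACCEPT"
    # Port-scan throttle: only connection attempts to ports not accepted above get
    # here. A source hitting 10 such ports within 60 s is logged (rate-limited)
    # and then dropped. The LOG line is the detection signal worth shipping to monitoring.
    printf '%s\n' '-A INPUT -p tcp -m conntrack --ctstate NEW -m recent --name scan --set'
    printf '%s\n' '-A INPUT -p tcp -m conntrack --ctstate NEW -m recent --name scan --update --seconds 60 --hitcount 10 -m limit --limit 3/min -j LOG --log-prefix "PORTSCAN: "'
    printf '%s\n' '-A INPUT -p tcp -m conntrack --ctstate NEW -m recent --name scan --update --seconds 60 --hitcount 10 -j DROP'
    printf '%s\n' 'COMMIT'
}

# gen_sshd_dropin SSH_PORT "ALLOWED_USERS" -> text for /etc/ssh/sshd_config.d/10-hardening.conf
gen_sshd_dropin() {
    ssh_port=$1; users=$2
    printf '%s\n' "Port $ssh_port"
    printf '%s\n' 'PermitRootLogin no'          # root only via sudo/su, question item 4
    printf '%s\n' 'PasswordAuthentication no'   # keys only, question item 2
    printf '%s\n' 'PubkeyAuthentication yes'
    printf '%s\n' 'MaxAuthTries 3'
    printf '%s\n' "AllowUsers $users"
}

# Usage (prints both artifacts for review; apply with iptables-restore and sshd reload):
if [ "${1:-}" = "print" ]; then
    gen_ruleset "$ADMIN_IPS" "$MONITOR_IP" "$SSH_PORT"
    echo
    gen_sshd_dropin "$SSH_PORT" "admin boss"
fi
```

Two practical notes: test the new sshd drop-in with `sshd -t` and keep an existing session open while reloading, because a typo in AllowUsers or the port locks out exactly the two people who hold keys; and MySQL's own `bind-address` can hold a single address, so the "localhost plus monitoring host" restriction from item 5 lives in the firewall rule above, with MySQL bound to 127.0.0.1 if the monitoring host can use an SSH tunnel instead.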
7 Answers

As for the firewall and connection monitoring, blocking IPs when a port scan is detected: install CSF (LFD comes with it), www.configserver.com/cp/csf.html. Very well established and easy to set up.
by
> 2) Change the network key; only my boss and I will know it (we enter the key on the machines ourselves).

This won't help: extracting the Wi-Fi password from any OS is simple and does not require much knowledge.
by
I don't understand what the problem with the Wi-Fi network is. I generally don't set a password on my Wi-Fi at all. Why? Why bother with keys and all that.
There is OpenVPN, and we use it. Let them sniff the OpenVPN traffic, I don't mind.
by
There are two solutions. The first is to abandon Wi-Fi completely. The second is much harder: an elaborate Wi-Fi setup with a modified WEP (stuffing packets left and right), PEAP authentication and fully encrypted traffic (OpenVPN). Naturally, connecting from a phone will be impossible.
P.S. And remember, any Wi-Fi can be broken by skilled hands with a good card, preferably a Prism2. =)
by
"1) Deployment from the SVN server is done only by me, which is an extra headache; if I'm not around, nobody will deploy..."

I started thinking about a script... say, a web page over SSL for RPC,
a dumb "deploy" button, and the script runs svn co...
by
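What a "deploy button" script of the kind described here would need to do to satisfy item 3 of the question (credentials inserted at deploy time, never stored in the repository the developers can read) is shown below. This is an added example written for this thread, not the asker's script or the answerer's; the repository URL, file paths and the `@DB_USER@`-style placeholder names are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original thread. The SVN checkout carries only
# config.php.tpl with placeholders; the real DB credentials live in a root-only
# file on the server and are substituted at deploy time, so neither the
# repository nor the office machines ever hold production secrets.
# Paths, repo URL and placeholder names are assumptions.
set -e

REPO_URL="${REPO_URL:-svn://svn.office.example/project/trunk}"   # assumed
SECRETS_FILE="${SECRETS_FILE:-/etc/project/db.env}"              # KEY=VALUE lines, mode 0600
RELEASES_DIR="${RELEASES_DIR:-/srv/project/releases}"
CURRENT_LINK="${CURRENT_LINK:-/srv/project/current}"

# Refuse to deploy if the secrets file is readable by anyone but its owner.
check_secrets_perms() {
    f=$1
    [ -f "$f" ] || { echo "secrets file $f missing" >&2; return 1; }
    mode=$(stat -c '%a' "$f")
    case "$mode" in
        600|400) return 0 ;;
        *) echo "secrets file $f has mode $mode, expected 600" >&2; return 1 ;;
    esac
}

# render_config TEMPLATE OUTPUT SECRETS
# Replaces @DB_USER@, @DB_PASS@ and @DB_HOST@ from SECRETS; the output is created
# with mode 0600 and the function fails if any placeholder is left unresolved.
render_config() {
    tpl=$1; out=$2; secrets=$3
    db_user=$(sed -n 's/^DB_USER=//p' "$secrets")
    db_pass=$(sed -n 's/^DB_PASS=//p' "$secrets")
    db_host=$(sed -n 's/^DB_HOST=//p' "$secrets")
    if [ -z "$db_user" ] || [ -z "$db_pass" ] || [ -z "$db_host" ]; then
        echo "incomplete secrets in $secrets" >&2; return 1
    fi
    # The values are spliced into a sed expression: reject the characters that
    # would change its meaning rather than trying to escape them.
    case "$db_user$db_pass$db_host" in
        *'|'*|*'&'*|*'\'*) echo "unsupported character in a secret value" >&2; return 1 ;;
    esac
    ( umask 077
      sed -e "s|@DB_USER@|$db_user|g" -e "s|@DB_PASS@|$db_pass|g" \
          -e "s|@DB_HOST@|$db_host|g" "$tpl" > "$out" )
    if grep -q '@[A-Z_][A-Z_]*@' "$out"; then
        echo "unresolved placeholder in $out" >&2; rm -f "$out"; return 1
    fi
}

# deploy: export a clean tree (no .svn metadata) into a timestamped release
# directory, render the config there, then repoint the "current" symlink.
deploy() {
    check_secrets_perms "$SECRETS_FILE"
    rel="$RELEASES_DIR/$(date +%Y%m%d%H%M%S)"
    svn export --quiet "$REPO_URL" "$rel"
    render_config "$rel/config.php.tpl" "$rel/config.php" "$SECRETS_FILE"
    rm -f "$rel/config.php.tpl"
    ln -sfn "$rel" "$CURRENT_LINK"
    echo "deployed $rel"
}

# Usage: run as the deploy user via sudo (this script is the only thing that
# needs to read the secrets file), e.g. from the "button" web page: deploy.sh deploy
if [ "${1:-}" = "deploy" ]; then
    deploy
fi
```

If the button is exposed through a web page, give the web server a sudo rule for this one script with no arguments beyond `deploy`, and keep the page itself behind client certificates or at least a separate login; the script, not the page, should be the only reader of the secrets file.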
I think the main problem is the presence of Wi-Fi. Is there any possibility of dropping it?
by
Abandon wpa-eap wpa2-psk and move to wpa2-eap authentication via RADIUS or AD, based on certificates.
Put the server in a DMZ, protecting it with something like a Cisco ASA or PIX, again with authentication and rules.
by
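The difference between the shared-key setup the question starts from and the WPA2-EAP setup this answer recommends is visible in a few hostapd settings. Below is an added example, not part of the thread and not any specific project's code: a small audit function that reads a hostapd.conf and reports why it would fail the recommendation, run against two constructed configs (the weak one also shows why hiding the SSID, item 1 of the question, adds nothing). The IP addresses and secrets in the sample configs are placeholders.

```shell
#!/bin/sh
# Added example (not from the original thread): audit a hostapd.conf for the
# settings this answer asks for: WPA2, EAP via a RADIUS server, no PSK, no TKIP.
# Sample configs are constructed; addresses and secrets are placeholders.

# conf_get FILE KEY -> last value of KEY=... in FILE (empty if absent)
conf_get() { sed -n "s/^$2=//p" "$1" | tail -n 1; }

# audit_hostapd FILE -> prints FAIL/NOTE lines, returns 1 if any FAIL
audit_hostapd() {
    conf=$1; bad=0
    km=$(conf_get "$conf" wpa_key_mgmt)
    case "$km" in *PSK*)
        echo "FAIL: wpa_key_mgmt=$km uses a pre-shared key; one secret shared by every device"; bad=1 ;;
    esac
    case "$km" in *WPA-EAP*) : ;; *)
        echo "FAIL: wpa_key_mgmt=$km, expected WPA-EAP (per-user credentials)"; bad=1 ;;
    esac
    [ "$(conf_get "$conf" wpa)" = "2" ] || { echo "FAIL: wpa is not 2 (WPA2/RSN required)"; bad=1; }
    [ "$(conf_get "$conf" ieee8021x)" = "1" ] || { echo "FAIL: ieee8021x not enabled"; bad=1; }
    case "$(conf_get "$conf" wpa_pairwise)$(conf_get "$conf" rsn_pairwise)" in *TKIP*)
        echo "FAIL: TKIP allowed as a pairwise cipher; use CCMP only"; bad=1 ;;
    esac
    [ -n "$(conf_get "$conf" auth_server_addr)" ] || { echo "FAIL: no RADIUS server (auth_server_addr)"; bad=1; }
    if [ -n "$(conf_get "$conf" wpa_passphrase)" ]; then
        echo "FAIL: wpa_passphrase present in the config"; bad=1
    fi
    if [ "$(conf_get "$conf" ignore_broadcast_ssid)" = "1" ]; then
        echo "NOTE: hidden SSID is not a security control; clients still reveal it when probing"
    fi
    return $bad
}

# Constructed "before": what the question describes (shared key, hidden SSID).
weak_example_conf() {
    printf '%s\n' 'interface=wlan0' 'ssid=office' 'ignore_broadcast_ssid=1' \
        'wpa=2' 'wpa_key_mgmt=WPA-PSK' 'wpa_pairwise=TKIP CCMP' \
        'wpa_passphrase=constructed-office-key'
}

# Constructed "after": WPA2-EAP with an external RADIUS server, as the answer suggests.
hardened_example_conf() {
    printf '%s\n' 'interface=wlan0' 'ssid=office' 'wpa=2' 'wpa_key_mgmt=WPA-EAP' \
        'wpa_pairwise=CCMP' 'rsn_pairwise=CCMP' 'ieee8021x=1' 'eap_server=0' \
        'own_ip_addr=192.0.2.1' 'auth_server_addr=192.0.2.10' 'auth_server_port=1812' \
        'auth_server_shared_secret=constructed-radius-secret'
}

# Usage: audit.sh /etc/hostapd/hostapd.conf
if [ -n "${1:-}" ]; then
    audit_hostapd "$1"
fi
```

With EAP-TLS behind the RADIUS server, each developer machine gets its own certificate, so leaving the company means revoking one certificate rather than rotating a key on every device, which is the weakness the answer about "digging out the password" points at.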