[mythtv-users] Help NEEDED !
Paul Bender
pebender at san.rr.com
Thu Jul 3 16:17:22 UTC 2008
Peter VanDerWal wrote:
>> I run a single server with: a MythTV backend (2 PVR-250 cards and one
>> HDHomeRun), a mail server (IMAPS and SMTPS with ClamAV, SpamAssassin and
>> MIMEDefang), a web server (HTTPS), a file server (CIFS), a slimserver, a
>> RADIUS server, a directory server (LDAPS), a web proxy, a Windows domain
>> controller, a WINS server, a DNS server and a DHCP server. In addition,
>> I use it to compile MiniMyth.
>>
>> It ran fine for years on a 2.4GHz P4. However, I upgraded it to a Core 2
>> Duo so that compilation would be faster.
>
> I used to run everything on the same server. But I keep logs of the nice
> folks that try to break in. Between the viruses, trojans, script kiddies,
> etc. the number of daily attacks gets quite impressive.
>
> I figure there is a better than even chance that someday, one of them will
> be successful. Because of that I have separated my internal network from
> my external one.
> This way a hacker that breaks into my webserver won't be able to trash my
> movies, etc.
> I run different distros on the internal vs external and use a firewall
> with a different operating system. Hopefully if anyone penetrates one of
> my servers, the same vulnerabilities won't apply to the others.
>
> FWIW
> I recently purchased some Nagasaki MS-2100s off ebay (they were only $65
> each) that I'm going to move my web and mail servers to. I'm planning on
> booting from a read-only source and rebooting them daily. Finally I'm
> adding another, isolated, intrusion detection system.
> As far as I know, my systems have never been compromised; I hope to keep
> it that way.
> Even if you only have one external IP address, you can run a NAT firewall
> and port forward mail/web services to different, isolated, computers. Not
> only does this make it harder to break in, but it also reduces damage from
> any successful penetration.
It is definitely the case that separation makes things more secure. I
decided to take the risk in order to reduce the number of 7/24 boxes.
I have a COTS NAT box. It port forwards externally facing services to
the server using the NAT box's DMZ port and a physically separate NIC on
the server. The server does additional filtering on the DMZ interface.
In addition, the externally facing interfaces are somewhat restrictive.
The external services run over SSH/SSL/TLS and require authentication
and are limited to address ranges where I am likely to be located. My
mail server polls for email, so port 25 is not external facing.
Overall, it is not as secure as separating the services. However, having
only one box is more important to me.
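The single-box layout described above (NAT box forwards external services to a dedicated DMZ NIC; the server then filters that interface down to a short list of ports and the source ranges the owner expects to connect from, with no inbound port 25) can be checked as a default-drop policy over a connection log. The block below is an added illustration, not code from either poster: the interface name `eth1`, the port numbers (standard ports for SSH, HTTPS, SMTPS, LDAPS and IMAPS), the allowed source ranges and the log lines are all constructed assumptions.

```python
"""Default-drop audit of the DMZ-side interface on a single multi-service box.

Every value below is an assumption made for this example: the post names the
protocols and the design, not interface names, ports or address ranges.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

DMZ_IFACE = "eth1"  # assumed name of the NIC cabled to the NAT box's DMZ port

# Externally facing services by standard port (assumed; the post only names
# the protocols). Port 25 is deliberately absent: mail is fetched by polling,
# so no inbound SMTP is ever accepted on the DMZ side.
DMZ_SERVICES = {22: "ssh", 443: "https", 465: "smtps", 636: "ldaps", 993: "imaps"}

# Source ranges the owner expects to connect from (constructed documentation
# prefixes, not real addresses).
ALLOWED_SOURCES = [ip_network("198.51.100.0/24"), ip_network("203.0.113.0/24")]


@dataclass(frozen=True)
class Attempt:
    iface: str
    src: str
    dport: int


def decide(a: Attempt) -> str:
    """Mirror the described policy: traffic is accepted only if it arrives on
    the DMZ interface, targets a forwarded port, and comes from an allowed
    range. Anything else falls through to the default drop."""
    if a.iface != DMZ_IFACE:
        return "drop: not the DMZ interface"
    if a.dport not in DMZ_SERVICES:
        return "drop: port not forwarded"
    if not any(ip_address(a.src) in net for net in ALLOWED_SOURCES):
        return "drop: source outside allowed ranges"
    return f"accept: {DMZ_SERVICES[a.dport]}"


def parse_line(line: str) -> Attempt:
    """Parse a constructed one-attempt-per-line log: '<iface> <src> <dport>'."""
    iface, src, dport = line.split()
    return Attempt(iface, src, int(dport))


def audit(lines):
    """Apply the policy to each line. Returns the per-line verdicts and a
    count of dropped attempts per source address, which is the sort of
    tally the earlier poster keeps of 'folks that try to break in'."""
    verdicts = []
    drops_by_source = {}
    for line in lines:
        a = parse_line(line)
        verdict = decide(a)
        verdicts.append((a, verdict))
        if verdict.startswith("drop"):
            drops_by_source[a.src] = drops_by_source.get(a.src, 0) + 1
    return verdicts, drops_by_source


# Constructed sample log: eth0 stands for the LAN-side NIC, 192.0.2.9 for an
# unknown outside host.
SAMPLE_LOG = [
    "eth1 198.51.100.7 993",   # owner's range, IMAPS: accepted
    "eth1 192.0.2.9 993",      # unknown source, IMAPS: dropped
    "eth1 198.51.100.7 25",    # SMTP is not forwarded: dropped even from owner
    "eth0 198.51.100.7 443",   # wrong interface: the DMZ rules do not apply
    "eth1 203.0.113.44 443",   # owner's second range, HTTPS: accepted
    "eth1 192.0.2.9 22",       # unknown source, SSH: dropped
]

if __name__ == "__main__":
    verdicts, drops = audit(SAMPLE_LOG)
    for a, v in verdicts:
        print(f"{a.iface:5} {a.src:15} {a.dport:5} -> {v}")
    print("dropped attempts per source:", drops)
```

The order of the checks matters less than the fact that every branch except the last one drops: a new service added to the box is unreachable from outside until it is both listed in `DMZ_SERVICES` and forwarded by the NAT box, and a connection from an unlisted range is refused even when it targets a legitimate service.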