glob2-devel

Re: [glob2-devel] Dioxide status (currently hosting globulation2.org)


From: Andrew Sayers
Subject: Re: [glob2-devel] Dioxide status (currently hosting globulation2.org)
Date: Sat, 26 Nov 2005 11:59:59 +0000
User-agent: Mutt/1.5.11

On Fri, Nov 25, 2005 at 10:59:17PM -0800, Kyle Lutze wrote:
> OK, I've been doing a lot of research lately on securing my box and 
> software that we can use on it. I have decided that once I finish up 
> this last bit of work I have to do, it will be ok to run phpbb on my 
> system. My plan is to lock everything away from apache so even if phpbb 
> is exploited, apache won't have access to actually let it do anything!
> 
> other things:
> - this x-mas/new years server will go down for a few, preferably 
> minutes, for a rack (if I get it) and a UPS to go in.
> 
> - crontab only works for root by the looks of it :( so if you have a 
> link to allow fcron to work for everybody, I'm all ears, but in the 
> meantime, just give me a line that you want me to run. keep in mind, if 
> it's a script, the script will be chmod'ed so nobody can write to it for 
> security reasons.

Why not use vixie cron?  The blurb for fcron suggests it's only useful
if your system isn't up all the time, which yours is.  If you really do
want to stick with fcron, you should `chmod 2755 /usr/bin/fcrontab`.

> - the plan is to get exim set up for smtp, but I'm no expert whatsoever 
> on email systems. On that note, if anybody is willing to sit down with 
> me and help me understand all of this that would be much appreciated so 
> I can get a fully working email system up for everyone!

Why not use qmail?  While I'm told that exim is best for really busy
mail hubs, qmail is famously the most secure mailer (the author has a
$500 reward for anyone who finds a significant security hole, which has
gone unclaimed for many years).  Qmail is a mailer written by a pure
mathematician, so like pure mathematics, it's extremely weird when
you're getting into it, but there's a beauty and elegance to it when you
have.

> - iptables is currently locked down pretty tight, I probably need to add 
> an exemption to them for port 80 and 443 as right now I block AOL, China, 
> Korea, and Nigeria. Which ones would you guys like unlocked? If anybody 
> wants to take a look over those things, the link to them is:
> http://dioxide.randomvoids.com/~appleboy/iptables.sh

That URL is wrong, but you shouldn't really put your firewall rules
online anyway.  Just make it readable by those of us with SSH access.

Why not just do `iptables -P INPUT DROP` and forget about all the
complex rules?

> - bandwidth is currently at 5mbps/800kbps up/down respectively, I'm 
> working on getting the upgrade, ETA unknown but at this point in time 
> none of that bandwidth is used.

I take it that neither your current nor your future deals have
bandwidth caps, and that your ISP is OK with you eating up a significant
fraction of your bandwidth allocation?

Even so, 1024x768 images aren't a particularly good idea - even with the
few small images we had before, they became the majority of the
bandwidth used by the server.

        - Andrew
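Added example (not part of Andrew's message or of the Globulation 2 project): what the default-deny policy suggested above looks like once the few rules a public web server still needs are written out. The ruleset is emitted in iptables-restore syntax so it can be reviewed and diffed before anything is applied; the SSH port variable and the choice of `-m state` over the newer conntrack match are assumptions made here, not values from the thread. The ESTABLISHED,RELATED rule is the one that matters operationally: without it, flipping INPUT to DROP over an SSH session cuts that session off.

```shell
#!/bin/sh
# Added example: a default-deny INPUT policy for a small public web server.
# Constructed for illustration; SSH_PORT is an assumed parameter.

SSH_PORT="${SSH_PORT:-22}"

# gen_rules prints a complete filter table in iptables-restore syntax.
# Default policy is DROP on INPUT and FORWARD; OUTPUT stays ACCEPT so the
# host can still fetch updates and deliver mail.
gen_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback must stay open or local services (MySQL, MTA queues) break
-A INPUT -i lo -j ACCEPT
# Replies to connections this host opened, plus packets belonging to
# sessions already accepted: this keeps the admin's SSH session alive
# while the policy switches to DROP
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Malformed or out-of-state packets never reach a service
-A INPUT -m state --state INVALID -j DROP
# The only services meant to be reachable from the internet
-A INPUT -p tcp --dport ${SSH_PORT} -m state --state NEW -j ACCEPT
-A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT
# Leave ping working so outages are easy to tell apart from filtering
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
COMMIT
EOF
}

# allowed_tcp_ports lists the TCP ports the ruleset opens for NEW
# connections, one per line, so a reviewer can check the exposure at a glance.
allowed_tcp_ports() {
    gen_rules | sed -n 's/^-A INPUT -p tcp --dport \([0-9]*\) .*--state NEW -j ACCEPT$/\1/p'
}

# apply_rules loads the ruleset atomically when run as root; otherwise it
# only prints it, which is the review step you want before going live.
apply_rules() {
    if [ "$(id -u)" -eq 0 ] && command -v iptables-restore >/dev/null 2>&1; then
        gen_rules | iptables-restore
    else
        gen_rules
    fi
}

if [ "${1:-}" = "--apply" ]; then
    apply_rules
fi
```

Run it with no arguments to print the ruleset for review, and with `--apply` as root to load it through `iptables-restore`, which replaces the whole table in one step rather than leaving a half-applied set of rules if the script is interrupted.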