
PCPro-Computing in the Real World Printed from www.pcpro.co.uk


Real World Computing

Lock up your servers!

Posted on 29 Jun 2006 at 12:18

Ian Wrigley and Simon Brock discuss how to keep your systems safe and secure from attacks

Always use protection

To sum up then, you need to be protecting your systems by doing - at the very least - the following tasks:

Configure your firewall to be as restrictive as possible.

Ensure you're always running the most up-to-date versions of programs such as the SSH daemon, your web server and your DNS server.
Periodically check the machines on your network for vulnerabilities and unnecessarily open ports.

Use an intrusion-detection system such as Osiris or Tripwire to watch for changes to crucial files and, if you do spot changes, do something about them immediately.
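The file-watching step above, as an added Python example (not code from the original column, and not how Osiris or Tripwire are implemented): it records a baseline of hash, permission bits and owner for each watched file, then reports anything that has drifted. The file names and contents in demo() are constructed stand-ins.

```python
import hashlib
import tempfile
from pathlib import Path


def snapshot(paths):
    """Record SHA-256, permission bits and owner for each watched file."""
    state = {}
    for path in map(Path, paths):
        try:
            st = path.stat()
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
        except OSError:
            continue  # missing or unreadable: left out, so compare() reports it
        state[str(path)] = (digest, st.st_mode & 0o7777, st.st_uid)
    return state


def compare(baseline, current):
    """Return (path, reason) findings for every difference from the baseline."""
    findings = []
    fields = ("content", "mode", "owner")  # same order as the snapshot tuple
    for path in sorted(set(baseline) | set(current)):
        old, new = baseline.get(path), current.get(path)
        if old is None:
            findings.append((path, "added"))
        elif new is None:
            findings.append((path, "missing"))
        else:
            findings += [(path, f"{f} changed") for f, a, b in zip(fields, old, new) if a != b]
    return findings


def demo():
    """Constructed sample: two stand-in config files in a temporary directory."""
    with tempfile.TemporaryDirectory() as d:
        sshd, named = Path(d, "sshd_config"), Path(d, "named.conf")
        sshd.write_text("PermitRootLogin no\n")
        named.write_text("options {};\n")
        named.chmod(0o640)
        baseline = snapshot([sshd, named])
        sshd.write_text("PermitRootLogin yes\n")  # simulate an unexpected edit
        named.chmod(0o666)                         # simulate a permission change
        current = snapshot([sshd, named])
        return [(Path(p).name, why) for p, why in compare(baseline, current)]


if __name__ == "__main__":
    print("\n".join(f"{name}: {why}" for name, why in demo()))
```

The baseline is only trustworthy if it is stored somewhere the monitored machine cannot rewrite it, otherwise whoever changes the files can update the baseline as well.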

Where to get it

Nessus: www.nessus.org
Nmap: www.insecure.org/NMap
Tripwire: sourceforge.net
Osiris: www.hostintegrity.com

Open-Source Routers

Some interesting things are going on at the moment in the world of router software. Of course, big companies such as Cisco have an arm-lock on commercial routers, but groups such as the XORP (eXtensible Open Router Platform) project and companies like Vyatta are trying to change that.

Vyatta has taken the basics of the XORP project, which has created an open-source routing stack, and turned it into a fully functional router that can run on any standard PC. The software, known as OFR (open flexible router), is distributed as a 'live CD', so it can be run on any computer - it boots from the CD-ROM and doesn't touch the hard drive at all. It includes Linux (a version of the Debian distribution) as well as the routing software itself.

Why would you want to use this rather than buying a traditional router? Well, cost is certainly one major factor. With this software, you can take any relatively low-powered PC with a couple of network cards and turn it into a full-blown router capable of running BGP, OSPF, RIP 2 and so on - it includes a DHCP server and supports Network Address Translation (NAT).

Of course, there are downsides, the first being that it isn't going to replace that £100,000 Juniper Networks router you're using to tie together your company's 500 satellite offices, each using hundreds of megabits per second of bandwidth. But, for many small and medium-sized businesses, it's going to be an appealing choice when it becomes ready for production environments (the company says that at the moment it should still be considered experimental, although it's already being used by some companies in live situations). Another downside is that a router shouldn't use disk drives, since the mean time between failures of any spinning disk is too low for something as critical as a router. However, there's nothing to stop you putting the software onto a flash drive and booting from that, which negates the need for a rotating medium of any type.

This isn't yet a product we'd be comfortable recommending to replace your existing router, but it's a project we're keeping a close eye on, because who wouldn't rather pay £500 for a rack-mount PC than £3,000 or more for a dedicated router, if they're capable of doing the same job? Watch this space and we'll let you know how this very interesting project progresses.

Help us, help you

We love hearing from readers who use, or want to use, open-source software. We've had some great feedback from people on the contents of previous columns, some of which we've managed to incorporate into later articles. So, if you want us to cover a particular open-source project, or if you have questions you need answers to, drop us an email at realworld@widearea.co.uk. We can't guarantee that we'll be able to reply to everyone although we do our best, but any suggestions are more than welcome. (In the spirit of open source, perhaps we'll be able to put an entire column together from other people's contributions.)
