Security

  • all-in-one server


    Hi,
    Is it safe to use one server as Router/firewall, file/backup server,
    torrent client, ssh and maybe also as a webserver?
    Ubuntu is the OS I would like to use.
    Thanks,
    ekrajb
    Epia M10000
    512 mb ram
    80 GB Seagate Barracuda
  • No.1 | | 2086 bytes | |

    ekrajb <no@email.xxx> writes:
    > Hi,
    >
    > Is it safe to use one server as Router/firewall, file/backup server,
    > torrent client, ssh and maybe also as a webserver?
    >
    > Ubuntu is the OS I would like to use.

    Architecturally speaking, it's generally discouraged to have any
    user-level usage of the border firewall, which mitigates against
    having the torrent client on there. File and backup serving is also
    relatively high risk because if someone pops any of the services
    you're discussing, they have instant access to all data for your
    organization.

    There are some worthy benefits to separating the firewall and routing
    functions onto a dedicated appliance at the very least. A general
    purpose computer running linux has some drawbacks as a firewall
    device. For one, it has a shell available to it, which makes
    vulnerabilities relatively easy to exploit if you were to fall lax in
    patching. A dumber device dedicated to border security does have some
    benefits, and allows you to be able to implement some more security in
    depth.

    But security questions are always about managing risks and balancing
    tradeoffs of cost, and those questions don't always have simple pat
    answers. And I'm afraid there really isn't such a thing as a "safe"
    internet connected system.

    However, I think it's safe to encourage you to consider a dedicated
    firewall appliance that is separate from at least the torrent client
    and the file/backup server, and to encourage you to do as much reading
    as possible about locking down linux based servers before you uncork
    this on the world. Include thoughts of file integrity checking
    software (tripwire), log management, and intrusion detection (such as
    snort) in your planning. Patch management is also important, and of
    course, if you're rolling custom software on the web site you plan to
    deploy, there are all sorts of ways web apps can be broken unless
    they're coded by someone rather security savvy.

    Best Regards,
  • No.2 | | 2373 bytes | |

    comphelp@toddh.net (Todd H.) wrote in news:84r72rupfn.fsf@ripco.com:

    > ekrajb <no@email.xxx> writes:
    >> Hi,
    >>
    >> Is it safe to use one server as Router/firewall, file/backup server,
    >> torrent client, ssh and maybe also as a webserver?
    >>
    >> Ubuntu is the OS I would like to use.
    >
    > Architecturally speaking, it's generally discouraged to have any
    > user-level usage of the border firewall, which mitigates against
    > having the torrent client on there. File and backup serving is also
    > relatively high risk because if someone pops any of the services
    > you're discussing, they have instant access to all data for your
    > organization.
    >
    > There are some worthy benefits to separating the firewall and routing
    > functions onto a dedicated appliance at the very least. A general
    > purpose computer running linux has some drawbacks as a firewall
    > device. For one, it has a shell available to it, which makes
    > vulnerabilities relatively easy to exploit if you were to fall lax in
    > patching. A dumber device dedicated to border security does have some
    > benefits, and allows you to be able to implement some more security in
    > depth.
    >
    > But security questions are always about managing risks and balancing
    > tradeoffs of cost, and those questions don't always have simple pat
    > answers. And I'm afraid there really isn't such a thing as a "safe"
    > internet connected system.
    >
    > However, I think it's safe to encourage you to consider a dedicated
    > firewall appliance that is separate from at least the torrent client
    > and the file/backup server, and to encourage you to do as much reading
    > as possible about locking down linux based servers before you uncork
    > this on the world. Include thoughts of file integrity checking
    > software (tripwire), log management, and intrusion detection (such as
    > snort) in your planning. Patch management is also important, and of
    > course, if you're rolling custom software on the web site you plan to
    > deploy, there are all sorts of ways web apps can be broken unless
    > they're coded by someone rather security savvy.
    >
    > Best Regards,

    I think I just keep my Linksys Router then.
    Thank you for the answer.
  • No.3 | | 1090 bytes | |

    ekrajb <no@email.xxx> writes:

    > I think I just keep my Linksys Router then.
    > Thank you for the answer.

    Do a few things to that though:
    a) make sure it's a newer one that has a stateful packet
       inspection (SPI) firewall. The older packet filtering
       firewalls are pretty easy to bypass.
    b) make sure the firmware is up to date. Some linky's have
       exploits out for them that make them trivial to
       compromise. Attacker gets admin access, slides your
       servers into the DMZ of the router, and presto, you're no
       longer behind the firewall like you think you are.
    c) please tell me the administrator password has been set to
       something different than the default.
    d) you will want to send the logs somewhere to an inside box
       to tie into the intrusion detection system.

    If you're serious about security, you'll want a more featureful
    firewall than the standard $60 linky. And in order to get web
    services through the linky and such, make sure your configurations
    are secure.

    Good luck!

    Best Regards,
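
Point (d) in the post above, as an added example that is not part of the original thread: a small Python check an inside log host could run over the router's forwarded syslog to flag the pattern described in (b). The log line format, the LAN range 192.168.1.0/24 and the failure threshold are assumptions; real router firmware logs differently.

```python
import ipaddress
import re
from collections import Counter

LAN = ipaddress.ip_network("192.168.1.0/24")   # assumed inside network
FAIL_THRESHOLD = 3                              # assumed alert threshold

# Constructed sample lines in a hypothetical router syslog format.
SAMPLE_LOG = """\
<134>May 20 10:01:02 router httpd: admin login success from 192.168.1.10
<132>May 20 10:05:40 router httpd: admin login failed from 203.0.113.7
<132>May 20 10:05:42 router httpd: admin login failed from 203.0.113.7
<132>May 20 10:05:45 router httpd: admin login failed from 203.0.113.7
<134>May 20 10:06:01 router httpd: admin login success from 203.0.113.7
<133>May 20 10:06:30 router config: dmz host set to 192.168.1.50 by admin
<134>May 20 10:07:00 router kernel: DROP IN=wan SRC=198.51.100.9 DPT=23
"""

LINE_RE = re.compile(r"^<\d+>(?P<ts>\w{3}\s+\d+ [\d:]+) \S+ \w+: (?P<msg>.*)$")
LOGIN_RE = re.compile(r"admin login (?P<result>success|failed) from (?P<ip>[\d.]+)")
DMZ_RE = re.compile(r"dmz host set to (?P<ip>[\d.]+)")

def analyze(log_text):
    """Return (timestamp, alert) tuples for router events worth a look."""
    alerts, failures = [], Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # not in the expected format
        login = LOGIN_RE.search(m["msg"])
        if login:
            try:
                ip = ipaddress.ip_address(login["ip"])
            except ValueError:
                continue                  # malformed address, skip the line
            if login["result"] == "failed":
                failures[ip] += 1
                if failures[ip] == FAIL_THRESHOLD:   # alert once per source
                    alerts.append((m["ts"], f"repeated admin login failures from {ip}"))
            elif ip not in LAN:
                alerts.append((m["ts"], f"admin login from outside the LAN: {ip}"))
        dmz = DMZ_RE.search(m["msg"])
        if dmz:                           # any DMZ change deserves a human look
            alerts.append((m["ts"], f"DMZ host changed to {dmz['ip']}"))
    return alerts

if __name__ == "__main__":
    for ts, alert in analyze(SAMPLE_LOG):
        print(ts, alert)
```
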
  • No.4 | | 958 bytes | |

    Begin <84wtch5icp.fsf@ripco.com>
    2006-05-20, Todd H. <comphelp@toddh.net> wrote:
    > If you're serious about security, you'll want a more featureful
    > firewall than the standard $60 linky.

    For that, `linux' can provide the tools to do it. You can use a simple
    old desktop with two (or more) network cards. Another way is to get a
    small board that doesn't need much power and/or room like a linksys but
    that does allow you to install a better OS on it. Some off-the-shelf
    routers allow you to put linux on them (a certain netgear model, I
    believe).

    Mini-ITX based machines are often used for this purpose as well. Also,
    soekris.com (various models) and pc engines (their WRAP board) make
    low-power boards that run a variety of free unices (*BSD, linux).

    I am not affiliated with either. See also: http://m0n0.ch/wall for a
    FreeBSD based project; their hardware links might be of interest.
  • No.5 | | 1159 bytes | |

    jpd <read_the_sig@do.not.spam.it.invalid> writes:

    > Begin <84wtch5icp.fsf@ripco.com>
    > 2006-05-20, Todd H. <comphelp@toddh.net> wrote:
    >> If you're serious about security, you'll want a more featureful
    >> firewall than the standard $60 linky.
    >
    > For that, `linux' can provide the tools to do it. You can use a simple
    > old desktop with two (or more) network cards. Another way is to get a
    > small board that doesn't need much power and/or room like a linksys but
    > that does allow you to install a better OS on it. Some off-the-shelf
    > routers allow you to put linux on them (a certain netgear model, I
    > believe).

    Linksys wrt54g is among them. There's a good deal of 3rd party
    open source firmware for them.

    > Mini-ITX based machines are often used for this purpose as well. Also,
    > soekris.com (various models) and pc engines (their WRAP board) make
    > low-power boards that run a variety of free unices (*BSD, linux).

    Soekris.com boxes are kewl.

    > I am not affiliated with either. See also: http://m0n0.ch/wall for a
    > FreeBSD based project; their hardware links might be of interest.
