There used to be a way to track a dynamic IP with iptables so you can firewall the Internet-connected Ethernet port on your Linux box. I want to firewall off Internet-visible services such as ssh and everything else the server needs to run internally only. I may want to allow specific sources to connect to me using OpenVPN or some other VPN service, in which case a blanket ssh block won't be proper.
I probably don't need to run X, but until I can figure out how to use a Yubikey without the GUI configuration tool, I will keep X. Speaking of the Yubikey, the GUI configuration tool makes zero sense to me. I want to require physical insertion of a Yubikey on my Debian Stretch server to become root. I've removed sudo so that it is impossible to become root using the password of an ordinary user; this defeats no root access using a mere password. I want to be able to give the Yubikey to someone I trust and when they are gone with it, nobody can easily become root, period.
The server could be booted via a USB port, but I can prevent that by enclosing it in a box with a lock on it. I can put a network plate on the back of the box that allows me to connect three patch cables to it: one from the Internet modem, one from the switch that my wired LAN is built on, and one from the wireless access point that I hook to with my smart phones and tablets (they don't have the ability to connect via wire where I don't want a wifi router that bypasses my server). The box will need power too.
I ordered a new Ubiquiti indoor long range wireless access point. It is capable of 802.11ac, low speed though, where it has a gigabit port. I know it is WPA capable at least. Not sure about WPA2. There is supposed to be configuration software for it that works in Windows, Mac OSX, and Linux. This is a PoE access point and comes with an injector, I believe. Cost me about $96. I decided that hostapd and a low power 802.11ac USB adapter that doesn't even work natively in Linux is the wrong approach to give smartphones and tablets Internet access.
_______________________________________________
PLUG mailing list
[email protected]
http://lists.pdxlinux.org/mailman/listinfo/plug
