Re: Advise on setup of small office locally or via VPS
On Wed, 18 Mar 2015 03:58:02, Dan Purgert wrote:

[snip]

> I read it as you were /planning/ on using a Debian box for routing and firewall (and then switched gears to "what's a good appliance?" midway through the writing), which is why I asked. Honestly, unless you already have said box ready to go, I would skip it and just use an appliance (e.g. the UBNT Edge Router). Less to go wrong / muck up.

I don't have such a box, so I would rather use an appliance as you suggested.

>> Thanks, looks like a simple and adequate solution.

> Yeah, they're a bit more than adequate -- they rival equipment put out by other vendors that's several times more expensive (IIRC, cheap Cisco kit is like 500-1000 USD).

Yes, I really liked the specs.

> Note - I'm in the USA, perhaps your local ISP's equipment isn't as rubbish as the ones here. Best way to figure it out is by finding out what they'd supply, and then digging up discussions about it on google.

Indeed, I will look at the router type and see what google comes up with.

> What I meant was that if you're putting a local server into a DMZ area already (because it's public facing), adding that extra internal server seems to be adding complexity for the sake of complexity, and wouldn't be offering you any benefits -- this also ties in with your webmail solution, if you choose to also have that going. Now, if you were a bigger company with two or more sites that happen to be somewhat distant from one another, then running a relay would be beneficial (as users would all be hitting their local mail server, instead of /everyone/ needing to hit the server at your HQ site).

That's a valid remark. I will opt to leave the mail server on the VPS for the time being.

> You've already got a frontend for them (hint - roundcube)

Yes, I just need to find a good plugin allowing the users to change their password.

> Probably not. I mean, yeah some of the syntax for the config files may have changed, but LDAP is still LDAP ... so the core principles of the setups will be the same.

I dug up my notes and found some ldif files and procedures. I'm good to go.

> emacs :)

Hehe, I have tried it once. I should take the time to give it a more thorough try.

> Git works well with source code, I'm not really sure how well it works outside of that (e.g. ODT files). I imagine that it would provide some of the functionality you're looking for, but possibly not all of it. For simple text files, I've taken a liking to rcs. One of the guys here (or on one of the other newsgroups I haunt) had a decent basic wrapper for it too.

I don't know rcs. I will have a look at it.

> Well, not so sure about the extra firewall in the mix there - I mean, yeah you'll have one on site likely as part of your router appliance ... but that's pretty much a given these days anyway. Or are you planning on throwing a firewall somewhere else, such as between the LAN and the file server (and if so - why?)

I would hook up the firewall after the ISP router, before the LAN. The routers of ISPs here only have very basic firewall capabilities. I'd rather use my own device to protect the LAN. And it gives me a chance to learn the UBNT Edge router.

> They'll definitely make it to your ISP. Whether or not your ISP will relay them as yourdomain.com or our-ip-address-block.somewhere.ISP.com is something you'll have to check with them though ... Really about the only guaranteed way of getting that would be to own an actual block of IPs (i.e. bought directly from one of the number registrars ... ARIN or RIPE or one of their delegated subsidiaries). But in doing so, you're talking about buying something like a /20 (or whatever their currently smallest allocation is).

A big block is going to be overkill, so I'll have to get by with whatever my ISP offers me. If I have a couple of IPs, it's enough for the public services I have.

Regards,
Benedict

-- 
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: https://lists.debian.org/mebf48$dbt$1...@ger.gmane.org
Re: Advise on setup of small office locally or via VPS
On Tue, 17 Mar 2015 18:50:39 -0700, David Christensen wrote:

> On 03/17/2015 04:22 AM, Linux4Bene wrote:
>> Thanks for any advice, thoughts, links or info and for your patience if you got this far :)

> I run a SOHO LAN with ADSL, 4 static IP's, and a few Internet services. I avoid running key Internet-facing services locally -- my WAN bandwidth is too precious and the services are too important. I prefer service provider DNS and mail, and VPS WWW.

I thought about using the domain registrar's DNS, but I wanted to set it up as a learning exercise. VPS is really suited for www. I still have to figure out how to set up a staging area. Do I go with another VPS server for that or not? Ideally there would be another machine hosting the sites so they are still accessible when the other VPS goes down. I haven't really researched this yet, but it's on my to-do list.

> +1 for using a dedicated device/ FOSS distribution for your WAN/LAN gateway. I use IPCop.

I have heard of IPCop, but haven't tried it out.

> +1 for using Samba for the LAN file server -- I want interoperability: Linux, *BSD, Windows, Mac, and others.

Indeed, and the setup is rather painless :)

> VPN's are appealing, but consider the consequences of a VPN machine compromise. Securing the rest of the VPN against that risk is non-trivial, and involves other people's computers and networks. I turned it off.

I thought it made some sense to tie the WAN and LAN part together. After reading your comment, it indeed seems like overcomplicating things. As Dan already suggested, there is merit in KISS. I guess you access your VPS servers also via SSH only then? I run no GUI on them, so it's enough for my needs.

Thanks, David, for the insight.

Regards,
Benedict

Archive: https://lists.debian.org/mebflf$dbt$2...@ger.gmane.org
Re: Advise on setup of small office locally or via VPS
On Wed, 18 Mar 2015 09:05:12, Linux4Bene wrote:
> On Wed, 18 Mar 2015 03:58:02, Dan Purgert wrote:
> [snip]
>> You've already got a frontend for them (hint - roundcube)
>
> Yes, I just need to find a good plugin allowing the users to change their password.

Dunno about roundcube (I use horde), but I do recall a bit of trial and error with convincing horde/imp to play nice with the SASL authentication provided by dovecot.

>> Well, not so sure about the extra firewall in the mix there - I mean, yeah you'll have one on site likely as part of your router appliance ... but that's pretty much a given these days anyway. Or are you planning on throwing a firewall somewhere else, such as between the LAN and the file server (and if so - why?)
>
> I would hook up the firewall after the ISP router, before the LAN. The routers of ISPs here only have very basic firewall capabilities. I'd rather use my own device to protect the LAN. And it gives me a chance to learn the UBNT Edge router.

Gotcha -- since the ERLite (or, well, most any router these days) includes a firewall in the box already, I wasn't sure if you meant that, or if you were adding another firewall-only appliance into the mix...

>> They'll definitely make it to your ISP. Whether or not your ISP will relay them as yourdomain.com or our-ip-address-block.somewhere.ISP.com is something you'll have to check with them though ... Really about the only guaranteed way of getting that would be to own an actual block of IPs (i.e. bought directly from one of the number registrars ... ARIN or RIPE or one of their delegated subsidiaries). But in doing so, you're talking about buying something like a /20 (or whatever their currently smallest allocation is).
>
> A big block is going to be overkill, so I'll have to get by with whatever my ISP offers me. If I have a couple of IPs, it's enough for the public services I have.

Yep, figured as much. And TBH, ARIN et al. are pretty stingy with giving out IPs in the first place ... so you'd probably be shot down anyway.

Archive: https://lists.debian.org/mec5rf$b1f$1...@ger.gmane.org
Re: Advise on setup of small office locally or via VPS
On 03/18/2015 02:14 AM, Linux4Bene wrote:
> VPS is really suited for www. I still have to figure out how to set up a staging area. Do I go with another VPS server for that or not? Ideally there would be another machine hosting the sites so they are still accessible when the other VPS goes down. I haven't really researched this yet, but it's on my to-do list.

I have one VPS running nginx with name-based virtual hosts. I use projectname.mydomain.com for staging and www.projectname.com for production.

If you have the money for multiple www servers, then you might want to set up a load balancer that can detect a dead www server and stop routing packets to it.

> I guess you access your VPS servers also via SSH only then?

Yes.

David

Archive: https://lists.debian.org/550a2f2a.80...@holgerdanske.com
Re: Advise on setup of small office locally or via VPS
On Tue, 17 Mar 2015 16:02:31, Linux4Bene wrote:
> On Tue, 17 Mar 2015 13:38:26, Dan Purgert wrote:
> [snip]
>> Didn't you just say that you were using a Debian box as your firewall/router?
>
> Not yet. I'm still employed ... Currently I have my own VPS running but no business internet line yet nor a Debian firewall, but that's the plan. Just thinking ahead on how I will get up and running as fast as possible :)

I read it as you were /planning/ on using a Debian box for routing and firewall (and then switched gears to "what's a good appliance?" midway through the writing), which is why I asked. Honestly, unless you already have said box ready to go, I would skip it and just use an appliance (e.g. the UBNT Edge Router). Less to go wrong / muck up.

>> Personally I have used Ubiquiti Edge Routers (ubnt.com), and they're really nice - based on Vyatta 6.3, rival bigger names in terms of routing performance, and are cheap ($100 for the 3-port model ER Lite, and under $500 for the 8-port ER-8. There's also a PRO variant of the 8-port that includes 2 SFP ports that're shared with 2 of the copper ports, and a 5-port model with PoE, but this is really only the ER Lite with a switch in the same case, so it's 2x routing ports + 3x switch ports, and might not fit in your situation). Here's the Datasheet for their routers -- http://dl.ubnt.com/datasheets/edgemax/EdgeRouter_Lite_DS.pdf
>
> Thanks, looks like a simple and adequate solution.

Yeah, they're a bit more than adequate -- they rival equipment put out by other vendors that's several times more expensive (IIRC, cheap Cisco kit is like 500-1000 USD).

[snip]

>> Depends on how their router is configured, but this sounds about right. That said, in 99.5% of cases that I've seen the ISP-provided routers are absolute rubbish, and should be relegated to bridge-only mode so that you can use a better (i.e. more configurable) device to handle the tasks.
>
> I didn't know that. Thank you for the information.

Note - I'm in the USA, perhaps your local ISP's equipment isn't as rubbish as the ones here. Best way to figure it out is by finding out what they'd supply, and then digging up discussions about it on google.

>> If the email server is public already (in the DMZ zone), you'll probably have an easier (and still secure) time if you just have the clients using STARTTLS to access THAT server. Not that you couldn't set up a gateway / relay, but there is much to be said about the KISS principle.
>
> The mail service is public on the VPS. There isn't a DMZ zone on that server. As you suggest, both Postfix and Dovecot are accessible via STARTTLS/SSL. If I read your comment correctly, you would leave the mail server config as it is, and put it in a DMZ and that's it? This would leave the mails also in the DMZ, but as you said, accessing mail can only be done over a secure connection (SSL). I have SSL certificates set up for this (for my website, and Dovecot).

What I meant was that if you're putting a local server into a DMZ area already (because it's public facing), adding that extra internal server seems to be adding complexity for the sake of complexity, and wouldn't be offering you any benefits -- this also ties in with your webmail solution, if you choose to also have that going. Now, if you were a bigger company with two or more sites that happen to be somewhat distant from one another, then running a relay would be beneficial (as users would all be hitting their local mail server, instead of /everyone/ needing to hit the server at your HQ site).

[snip...]

> Indeed. There is some really great info regarding Postfix and keeping all the necessary info in a Postgresql db. If I would ever go with offering this as a service to users, I would use Django to build a web interface, but that's a whole different topic.

You've already got a frontend for them (hint - roundcube)

>>> I can see LDAP being useful to have central authentication. It can be a challenge to set up though. Are there other ways of having a simple central authentication?
>>
>> LDAP, and a couple of books on the subject. ;)
>
> Hehe, in the past I have set up LDAP on my own home network with Samba. It worked great and I could log in from my Windows machine as well. The docs that I wrote back then will be horribly outdated by now :)

Probably not. I mean, yeah some of the syntax for the config files may have changed, but LDAP is still LDAP ... so the core principles of the setups will be the same.

> I like using a CLI but not when dealing with LDAP. Are there any good GUI tools to manage an LDAP server? I have come across phpLDAPadmin. Is it any good?

emacs :)

>>> I have thought about using a document management system from the start. But I have only experience with commercial ones and that might be overkill from the start. Besides, they are Windows based.
>>
>> You mean like git?
>
> Funny you should say that. I have thought about
Re: Advise on setup of small office locally or via VPS
On 03/17/2015 04:22 AM, Linux4Bene wrote:
> Thanks for any advice, thoughts, links or info and for your patience if you got this far :)

I run a SOHO LAN with ADSL, 4 static IP's, and a few Internet services. I avoid running key Internet-facing services locally -- my WAN bandwidth is too precious and the services are too important. I prefer service provider DNS and mail, and VPS WWW.

+1 for using a dedicated device/ FOSS distribution for your WAN/LAN gateway. I use IPCop.

+1 for using Samba for the LAN file server -- I want interoperability: Linux, *BSD, Windows, Mac, and others.

VPN's are appealing, but consider the consequences of a VPN machine compromise. Securing the rest of the VPN against that risk is non-trivial, and involves other people's computers and networks. I turned it off.

David

Archive: https://lists.debian.org/5508d9ef.7000...@holgerdanske.com
Re: Advise on setup of small office locally or via VPS
On Tue, 17 Mar 2015 11:22:29, Linux4Bene wrote:
> Hi,
>
> Local setup
> ===
>
> I would connect a Debian box with 3 NICs to the ISP router to serve as firewall: 1 NIC for WAN, 1 for LAN, 1 for DMZ. I have always used iptables to do this. The WAN NIC would have 1 public IP, LAN 192.168.1.0/24, DMZ 172.16.1.0/24. DMZ would have 2 machines: 1 with web and DNS 1, another with DNS 2 and SMTP gateway. I would keep the free DNS for added redundancy. On the LAN part, I would put a file server, local DNS and some internal web apps.
>
> This raises some questions:
>
> - What device could I use for the firewall? I don't want to use an old computer as I have some public services and need a reliable service. I'm open to using an appliance as well. Any links or info is welcome. Any easy way to have these devices redundant?

Didn't you just say that you were using a Debian box as your firewall/router?

Personally I have used Ubiquiti Edge Routers (ubnt.com), and they're really nice - based on Vyatta 6.3, rival bigger names in terms of routing performance, and are cheap ($100 for the 3-port model ER Lite, and under $500 for the 8-port ER-8. There's also a PRO variant of the 8-port that includes 2 SFP ports that're shared with 2 of the copper ports, and a 5-port model with PoE, but this is really only the ER Lite with a switch in the same case, so it's 2x routing ports + 3x switch ports, and might not fit in your situation). Here's the Datasheet for their routers -- http://dl.ubnt.com/datasheets/edgemax/EdgeRouter_Lite_DS.pdf

It's not difficult to get redundancy, though depending on the levels of redundancy you're after, it can get a bit complex. Easiest route is a cold spare -- buy a second of whatever router, config it exactly the same way, and then shut it down for use if / when the first one dies. Though you could always scale to multiple WAN connections spread across multiple routers, with OSPF / iBGP being used to manage the routes... but this is probably a bit much for a small business.

> - I would only allow some traffic (mail for instance) from the DMZ to the private LAN. LAN could access the DMZ. Any downside to this security wise?

If I'm understanding your plan, no, this shouldn't pose any problems.

> - If I have multiple public IPs, I would assign each public machine a public IP. I assume it's the ISP's job to redirect the IPs in my range to their router in my office. I could then map the public IPs to a private IP by prerouting all allowed traffic on the public IP to the private IP address of the machine in the DMZ.

Depends on how their router is configured, but this sounds about right. That said, in 99.5% of cases that I've seen the ISP-provided routers are absolute rubbish, and should be relegated to bridge-only mode so that you can use a better (i.e. more configurable) device to handle the tasks.

> - My mail service (only used for my own purposes right now) consists of Postfix, Clamav, Pyzor, Razor, Spamassassin, with authentication provided by Dovecot. Domains, users and aliases are stored in a Postgresql database. Security wise it would be better to place this setup in the LAN part, and put an SMTP gateway in the DMZ to receive mail, and have the gateway forward the mail to the setup I just described. The SMTP gateway should have the same parts (Clamav, Spamassassin, ...) but just not store the mail locally. Any thoughts on this kind of setup?

If the email server is public already (in the DMZ zone), you'll probably have an easier (and still secure) time if you just have the clients using STARTTLS to access THAT server. Not that you couldn't set up a gateway / relay, but there is much to be said about the KISS principle.

> - I have Roundcube (webmail) installed as well. I think I could handle this by forwarding the requests from firewall to the internal mail server. Not sure if this is the safest way to do this. One can of course argue about web mail in the first place.

Again, might be easiest (best) to keep the entire mail service in the DMZ, including webmail.

> - Central user and document management. I would like to have a space on the file server where people could store their own and shared documents. I think I would need NFS for this (haven't used this before). The docs might need to be accessible from Windows as well, although I really would like to only use Debian machines for my own people. Otherwise, this would mean using Samba.

If you need / want access to the file server from windows hosts, I'm pretty sure samba is your only solution.

> My mail users are in a Postgresql database. I would like to keep it that way if I would ever provide mail to customers.

Sure. If you're selling email services, then you might need a dedicated DB box, but that's not exactly 'difficult'.

> I can see LDAP being useful to have central authentication. It can be a challenge to set up though. Are there other ways of having a
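A concrete version of the three-zone iptables plan quoted above (Debian box with WAN/LAN/DMZ NICs, LAN 192.168.1.0/24, DMZ 172.16.1.0/24, LAN allowed into the DMZ, only mail from the DMZ into the LAN, and each public IP prerouted to one DMZ host). This is an added example, not code posted in the thread; the interface names, the public addresses, the DMZ host addresses and the internal mail server address are assumed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: three-zone iptables policy for the Debian
# firewall sketched above (WAN / LAN 192.168.1.0/24 / DMZ 172.16.1.0/24).
# Interface names, public addresses, DMZ hosts and the internal mail server
# address are assumed placeholders.  By default the script only PRINTS the
# rules; run with IPT=iptables to apply them (net.ipv4.ip_forward=1 is also
# needed, via sysctl).
IPT="${IPT:-echo iptables}"

WAN=eth0; LAN=eth1; DMZ=eth2
LAN_NET=192.168.1.0/24
DMZ_NET=172.16.1.0/24
LAN_MAIL=192.168.1.25                        # internal mail server (assumed)
PUB_WEB=203.0.113.10;  DMZ_WEB=172.16.1.10   # web + DNS 1 (assumed addresses)
PUB_MAIL=203.0.113.11; DMZ_MAIL=172.16.1.11  # DNS 2 + SMTP gateway (assumed)

# publish PUBLIC_IP DMZ_IP PROTO PORT: map one public address onto a DMZ host,
# but only for a port that host actually serves; everything else stays closed.
publish() {
    $IPT -t nat -A PREROUTING -i "$WAN" -d "$1" -p "$3" --dport "$4" \
        -j DNAT --to-destination "$2"
    $IPT -A FORWARD -i "$WAN" -o "$DMZ" -d "$2" -p "$3" --dport "$4" \
        -m conntrack --ctstate NEW -j ACCEPT
}

fw_rules() {
    $IPT -F; $IPT -t nat -F
    # Default deny: nothing reaches the firewall or crosses a zone unless listed.
    $IPT -P INPUT DROP; $IPT -P FORWARD DROP; $IPT -P OUTPUT ACCEPT
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -i "$LAN" -p tcp --dport 22 -j ACCEPT      # manage from LAN only
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Anti-spoofing: private source addresses never legitimately arrive on WAN.
    $IPT -A FORWARD -i "$WAN" -s "$LAN_NET" -j DROP
    $IPT -A FORWARD -i "$WAN" -s "$DMZ_NET" -j DROP

    # LAN may initiate to the DMZ and to the Internet (hidden behind the WAN IP).
    $IPT -A FORWARD -i "$LAN" -o "$DMZ" -j ACCEPT
    $IPT -A FORWARD -i "$LAN" -o "$WAN" -j ACCEPT
    $IPT -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN" -j MASQUERADE

    # DMZ -> LAN: only the SMTP gateway may deliver to the internal mail server;
    # a compromised DMZ host gets nothing else into the LAN.
    $IPT -A FORWARD -i "$DMZ" -o "$LAN" -s "$DMZ_MAIL" -d "$LAN_MAIL" \
        -p tcp --dport 25 -j ACCEPT
    # DMZ hosts may reach the Internet (DNS recursion, outbound mail, updates).
    $IPT -A FORWARD -i "$DMZ" -o "$WAN" -j ACCEPT

    # Published services, one public IP per DMZ host.
    publish "$PUB_WEB"  "$DMZ_WEB"  tcp 80
    publish "$PUB_WEB"  "$DMZ_WEB"  tcp 443
    publish "$PUB_WEB"  "$DMZ_WEB"  udp 53
    publish "$PUB_WEB"  "$DMZ_WEB"  tcp 53
    publish "$PUB_MAIL" "$DMZ_MAIL" tcp 25
    publish "$PUB_MAIL" "$DMZ_MAIL" udp 53
    publish "$PUB_MAIL" "$DMZ_MAIL" tcp 53
    # Outbound traffic from each DMZ host leaves with its own public address, so
    # reverse DNS and SPF checks by remote MTAs see the expected IP.
    $IPT -t nat -A POSTROUTING -s "$DMZ_WEB"  -o "$WAN" -j SNAT --to-source "$PUB_WEB"
    $IPT -t nat -A POSTROUTING -s "$DMZ_MAIL" -o "$WAN" -j SNAT --to-source "$PUB_MAIL"
}

fw_rules
```

Run it once without IPT set to review the generated rule list before applying it on the real box.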
Re: Advise on setup of small office locally or via VPS
On Tue, 17 Mar 2015 13:38:26, Dan Purgert wrote:

[snip]

> Didn't you just say that you were using a Debian box as your firewall/router?

Not yet. I'm still employed but have everything up and running in a VPS, and I have all the legal stuff in order like VAT and so on. Legally this means it's seen as a secondary activity. From the moment I quit, it becomes my main occupation. That's how it works over here. Currently I have my own VPS running but no business internet line yet nor a Debian firewall, but that's the plan. Just thinking ahead on how I will get up and running as fast as possible :)

> Personally I have used Ubiquiti Edge Routers (ubnt.com), and they're really nice - based on Vyatta 6.3, rival bigger names in terms of routing performance, and are cheap ($100 for the 3-port model ER Lite, and under $500 for the 8-port ER-8. There's also a PRO variant of the 8-port that includes 2 SFP ports that're shared with 2 of the copper ports, and a 5-port model with PoE, but this is really only the ER Lite with a switch in the same case, so it's 2x routing ports + 3x switch ports, and might not fit in your situation). Here's the Datasheet for their routers -- http://dl.ubnt.com/datasheets/edgemax/EdgeRouter_Lite_DS.pdf

Thanks, looks like a simple and adequate solution.

> It's not difficult to get redundancy, though depending on the levels of redundancy you're after, it can get a bit complex. Easiest route is a cold spare -- buy a second of whatever router, config it exactly the same way, and then shut it down for use if / when the first one dies. Though you could always scale to multiple WAN connections spread across multiple routers, with OSPF / iBGP being used to manage the routes... but this is probably a bit much for a small business.

I should have been more clear about the use case. The cold spare in my case is enough. If a lot of other people would use the services, that's something else, but I don't see that happening in the near future.

> Depends on how their router is configured, but this sounds about right. That said, in 99.5% of cases that I've seen the ISP-provided routers are absolute rubbish, and should be relegated to bridge-only mode so that you can use a better (i.e. more configurable) device to handle the tasks.

I didn't know that. Thank you for the information.

> If the email server is public already (in the DMZ zone), you'll probably have an easier (and still secure) time if you just have the clients using STARTTLS to access THAT server. Not that you couldn't set up a gateway / relay, but there is much to be said about the KISS principle.

The mail service is public on the VPS. There isn't a DMZ zone on that server. As you suggest, both Postfix and Dovecot are accessible via STARTTLS/SSL. If I read your comment correctly, you would leave the mail server config as it is, and put it in a DMZ and that's it? This would leave the mails also in the DMZ, but as you said, accessing mail can only be done over a secure connection (SSL). I have SSL certificates set up for this (for my website, and Dovecot).

>> - I have Roundcube (webmail) installed as well. I think I could handle this by forwarding the requests from firewall to the internal mail server. Not sure if this is the safest way to do this. One can of course argue about web mail in the first place.
>
> Again, might be easiest (best) to keep the entire mail service in the DMZ, including webmail.

OK, I would really like to go KISS :) Basically, if I end up with a local situation I would move the services to a local server in a DMZ zone. Otherwise, I could just keep the VPS to serve as our mail server.

>> - Central user and document management. I would like to have a space on the file server where people could store their own and shared documents. I think I would need NFS for this (haven't used this before). The docs might need to be accessible from Windows as well, although I really would like to only use Debian machines for my own people. Otherwise, this would mean using Samba.
>
> If you need / want access to the file server from windows hosts, I'm pretty sure samba is your only solution.

That's what I thought.

>> My mail users are in a Postgresql database. I would like to keep it that way if I would ever provide mail to customers.
>
> Sure. If you're selling email services, then you might need a dedicated DB box, but that's not exactly 'difficult'.

Indeed. There is some really great info regarding Postfix and keeping all the necessary info in a Postgresql db. If I would ever go with offering this as a service to users, I would use Django to build a web interface, but that's a whole different topic. In my current mail setup, I would need to provide a way for users to change their password. Maybe Roundcube has such a plugin.

>> I can see LDAP being useful to have central authentication. It can be a challenge to set up though. Are there other ways of having a simple central
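Dan's advice and Benedict's plan both rest on clients only ever reaching the Postfix/Dovecot server over STARTTLS or SSL. Offering STARTTLS is not the same as refusing plaintext logins, so the check below, an added example and not code from either poster, reads `postconf -n` / `doveconf -n` style output and flags settings that still let a client authenticate in the clear; the two configuration dumps are constructed samples, one weak and one hardened.

```shell
#!/bin/sh
# Added example (not from the thread): verify that Postfix and Dovecot do not
# merely OFFER STARTTLS but REFUSE authentication in the clear.  Input is the
# "key = value" dump produced by `postconf -n` and `doveconf -n`; the two pairs
# below are constructed samples, one weak and one hardened.

# cfg_get "DUMP" KEY -> value of KEY (last occurrence), empty when unset.
cfg_get() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" | tail -n 1
}

# mail_tls_audit "POSTCONF_DUMP" "DOVECONF_DUMP"
# Prints one line per weak setting; returns 0 only when every check passes.
mail_tls_audit() {
    rc=0
    # Port 25 must at least offer STARTTLS ("may"); "encrypt" forces it.
    lvl=$(cfg_get "$1" smtpd_tls_security_level)
    case "$lvl" in
        may|encrypt) ;;
        *) echo "postfix: smtpd_tls_security_level='$lvl' (STARTTLS not offered)"; rc=1 ;;
    esac
    # With SASL enabled, AUTH must only be announced once the session is encrypted.
    if [ "$(cfg_get "$1" smtpd_sasl_auth_enable)" = yes ] &&
       [ "$(cfg_get "$1" smtpd_tls_auth_only)" != yes ]; then
        echo "postfix: smtpd_tls_auth_only != yes (AUTH accepted in plaintext)"; rc=1
    fi
    # Dovecot: refuse plaintext mechanisms outside TLS, and make TLS mandatory;
    # "ssl = yes" leaves it optional, "required" rejects non-TLS sessions.
    [ "$(cfg_get "$2" disable_plaintext_auth)" = yes ] ||
        { echo "dovecot: disable_plaintext_auth != yes"; rc=1; }
    [ "$(cfg_get "$2" ssl)" = required ] ||
        { echo "dovecot: ssl != required (TLS optional for clients)"; rc=1; }
    return $rc
}

# Constructed sample dumps (not taken from any real host).
POSTFIX_WEAK='smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_tls_cert_file = /etc/ssl/certs/mail.example.pem
smtpd_tls_security_level = may'
DOVECOT_WEAK='disable_plaintext_auth = no
ssl = yes
ssl_cert = </etc/ssl/certs/mail.example.pem'
POSTFIX_GOOD="$POSTFIX_WEAK
smtpd_tls_auth_only = yes"
DOVECOT_GOOD='disable_plaintext_auth = yes
ssl = required
ssl_cert = </etc/ssl/certs/mail.example.pem'

echo "weak pair:";     mail_tls_audit "$POSTFIX_WEAK" "$DOVECOT_WEAK" || echo "  -> FAIL"
echo "hardened pair:"; mail_tls_audit "$POSTFIX_GOOD" "$DOVECOT_GOOD" && echo "  -> OK"
```

On a real server, feed it `mail_tls_audit "$(postconf -n)" "$(doveconf -n)"`; the same check on the submission port (587) in master.cf is worth adding if it overrides these defaults.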