TOPIC: Server for small business

Dear,

I got a new job and boss is asking me to build a network for his small office, ok, the situation is below:

The office already have a network buit by the other, and the structure is below:

<ISP> --- <Modem provided by ISP> --- <Router> (ip: 192.168.1.254) (for port forwarding, they claim that the router is provided by the ISP, with DNS there, not running DHCP) --- <Linux, FC4> (ip: 192.168.0.x, sorry, forget the "x", but installed with different server like DNS, Mail, web ... etc) --- <Swtich> (ip: 192.168.0.x, sorry, forget the "x" again) --- <PC1, PC2, PC3, ... PC100, Windows Server for file sharing> (ip: 192.168.0.x ... )

So, now, the problem to this network are:
1. Webmail Slow (using Horde):
When client get a lot of email in his account, the user get a very slow response when click "next page" in their email list.

2. Hacked by someone
The server is hacked by someone and there is a webpage created automatically. We just wrote a program to delete the file periodically....

I am now improving the networks, do anyone here have suggestion to the network structure?

I have few questions too:

1. Why use Swtich after linux? what good about that?
2. Why there is a router before linux? what good about that?
3. Why not directly connect the modem to the Linux?
4. The Linux now have a lot of server there, including DNS server , MAIL server (using sendmail), WEB Server(apache) ... etc, so, now, I want to build a new server to replace the Linux, I do like below:

i) install a new Linux (FC4) on a standalone machine, with minimum installation and no any server option is clicked while installing (Done)

ii) Wire a new lan cable from the router (see above network structure) to a hubs, and then share two lan cables from the hubs to my new linux, and also a windows running win2K (Done, purpose of doing that is to let my win2K communicate with the new linux)

(Purpose of wire a lan cable from the router instead of using <PC1, PC2, PC3 ... PC100> is that I don't need to pass through the old linux to do things ... )

iii) Config the network card of both my new linux and win2K. That is, make their gateway and DNS both point to the router and I statically (coz the router don't have dhcp enabled) assign ip for both my new linux (192.168.1.52) and my win2K (192.168.1.84) (Done, purpose of doing that is to make the 2 machine able to communicate and so, i can ssh to the new linux and do installation of any server)

iv) Config my new linux as a router and build a dns server, a dhcp server and set the domain name as our current domain name(Not yet done, purpose of doing so is that, i want to make my win2K go to the Internet via the new linux only, not by the router)

v) point the gateway of win2K directly to the new linux and to test if i am able to go to the internet ... if so, i think i succeed in step iv

vi) Build a mail server using postfix and make sure that it can send/receive mail to/from outside world, also, the server should support smtp, pop, and imap, send email to test ...

vii) Build a webserver using apache

viii) Install Horde or other better webmail module

ix) Create website

x) Finally, i have to replace the old linux with the new linux ...

xi) Further step is to build a VPN tunnel with our other office at other site.

Sorry, I don't know if it is clear to you or not, I am not new to linux, I am developer before and I use linux to do software development only, I never try server installation and it seems hard to me (it spends me 1 - 2 days to finish step i to step iii). Do you think the development planning above is ok? Any suggestion? Any good reference introduce? Thanks a lot.

Best regards,
hhliu

could you give a picture of the structure of the network at present? it would give anyone a basic idea of the traffic situation and the nodes of the network. a diagram of the network is always very helpful.

also, if you beleive that your server has been hacked well i might suggest taking it offline first then secure it before having it back online. always take it as something serious... :shock:

you could try this link as a reference in your setup:

www.falkotimme.com/howtos/perfect_setup_fedora_core_4/index.php

Greetings & Welcome hhliu,

Like Jhun pointed, you must consider your current linux box as completely untrusted and unreliable for any job, untill you reformat completelly it's hard drive (or replace it).

Regarding your questions,
Reasonably you are using the switch to be able to connect multiple hosts with your linux router. Otherwise you would need to have a seperate NIC (network interface card) on your Linux router for each of your hosts. Since you mentioned the switch has an IP address, my guess is that this is a managed switch which is nice! In any case, if you do not require it's features and have any reason, you can easily replace it with a dumb hub or an unmanaged switch.
I can't know for sure, but this is often due to the ISP's policy. Generally, the ISP will want to have you use hardware with a quite standard configuration, in order for him to be able to provide support and find easier what's wrong in case of a problem. In some other cases, ISPs will provide their own pre-configured router and even lock configuration access from you, to enforce traffic/bandwidth limitations on your end.
There is indeed no reason why you can't do that and from many aspects it would be better. However, support for the modem might prove quite a headache in Linux depending on what connection interface it uses.

Yes, that shows from your methodic approach on treating this assigment

Your plan seems just fine to me. Other than perhaps the fact that using fedora as the OS might slightly complicate the task of security maintenance (I find it to be a quite messy distribution, others would disagree however). Regardless, just remember to take some security measures on your new machine.

1. Take the time to write a solid firewall ruleset.
2. Do a minimum installation and install only what will be used. Remove/deactivate any useless services.
3. Monitor the software updates . You can schedule for them to occur automatically, but I wouldn't trust any package system so much to do it (especially rpm!)
4. Use some software that keeps track of what's hapening on the system and have it mail you the results on a frequent basis. snort is the most widely used, but you can find many other that suit you by searching (just check at freshmeat.net for system monitoring / networking / logging tools).
5. Take extra care in services that will be available through the internet. Use chroots if possible and minimize the permissions of nobody user (or whatever user Apache runs as). Take a closer look at apache's configuration options that relate to security and permissions. Also check modsecurity. Likewise, check php's security related options at php.ini. The vast majority of system breaches in the internet, has web script vulnerabilities as their entry point!

In any case, keep us posted!