Net Admin advice needed
capo 
8/5/08 11:44:22 AM
Overlord

Through a series of circumstances I have ended up as the network administrator for a high school and I need some advice.

The school has a few hundred computers for admin staff and students. We got some fairly heavy servers for TASS and some library software etc., which was all handled by my boss. I am entirely responsible for:

Routing
DNS
DHCP
proxy
filtering
QOS
mail, POP/SMTP
firewall, security etc.

Basically everything networking.

I've implemented nearly all of these using a single server with two network cards and Ubuntu.

I have the entire school network behind one of these network cards and the other one hooked up to the net, using IPTABLES to handle NAT, firewall and port forwarding, BIND9 for DNS, Squid + iptables for a seamless proxy etc.

The problem I am having is I don't know what to use for filtering. I need a censorware package that will basically block porn etc. from the kids, and I am wondering if any Atomicans know of a good one. It doesn't have to be free. Also, it would be nice if it integrated smoothly with Squid as we're already using that as the proxy.

Thanks in advance.

-----
Gigabyte DS3
Core Duo 2 e6400 @ 3.5ghz, 1.46875v
2gb G.skill HZ @ 876, 4-4-4-12
XFX 7900GS @ 600mhz, 1.55ghz
Proud member of the: **Atomic Hardcore Techno-Metal Club** #5

sponger 
8/5/08 6:12:55 PM
Immortal

Maybe try SquidGuard with one of these:

http://www.squidguard.org/blacklists.html

-----

wilsontc 
8/5/08 7:34:46 PM
Guru

Quote by sponger
Maybe try SquidGuard with one of these:

http://www.squidguard.org/blacklists.html



+1

Some more things to think about:

- Look at the adzapper plugin. The bandwidth you can save will really add up.
- With all that traffic, make sure you are using decent NICs on the server, not $5 r8139's :)
- Have you got a DR (Disaster Recovery) plan? Backups of the server as well? Stick another hdd in, use dd to make an image, and store it off site.

-----
Quote by hill60606
$4-5 Billion should go a fair way towards it, especially if we get it from somewhere cheap like MSY.
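
The dd image suggested in the post above, as an added example that is not code from the thread: it copies a source to an image file, refuses to accept the image unless its SHA-256 matches the source, and lets the stored copy be re-checked later. The function names and paths are assumptions; on the real server the source would be the system disk device and the destination a file on the second drive.

```shell
#!/bin/sh
# Added example: image a disk with dd and verify the copy before it
# goes off site. Function names and paths here are illustrative only.

# image_and_verify SRC DST
# Copies SRC to DST with dd, then returns 0 only if the image hashes to
# the same SHA-256 as the source. On success the checksum is recorded
# in DST.sha256 so the image can be re-checked later.
image_and_verify() {
    src=$1
    dst=$2
    [ -r "$src" ] || { echo "cannot read $src" >&2; return 2; }

    # conv=fsync (GNU dd) flushes the image to disk before dd exits
    dd if="$src" of="$dst" bs=1M conv=fsync 2>/dev/null || return 3

    src_sum=$(sha256sum < "$src" | cut -d' ' -f1)
    dst_sum=$(sha256sum < "$dst" | cut -d' ' -f1)
    if [ "$src_sum" != "$dst_sum" ]; then
        echo "image does not match source" >&2
        return 1
    fi
    printf '%s  %s\n' "$dst_sum" "$(basename "$dst")" > "$dst.sha256"
    return 0
}

# verify_image DST
# Re-checks a stored image against its recorded checksum, for example
# after the drive has been carried off site or before a restore.
verify_image() {
    img=$1
    ( cd "$(dirname "$img")" &&
      sha256sum -c "$(basename "$img").sha256" >/dev/null 2>&1 )
}

# Typical use, run as root from a rescue boot with the disk unmounted
# (device and mount point are placeholders):
#   image_and_verify /dev/sdX /mnt/backup/server.img
#   verify_image /mnt/backup/server.img
```

Imaging a disk whose filesystems are mounted read-write gives an inconsistent image, and the hash comparison will usually fail because the source changes during the copy; take the image from a rescue boot or with the filesystems unmounted.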



lew~ 
9/5/08 6:26:08 PM
Titan

Quote by wilsontc
- Have you got a DR (Disaster Recovery) plan? Backups of the server as well? Stick another hdd in, use dd to make an image, and store it off site.


+1

If you don't have much experience in this field, don't underestimate the importance of this step. After all, I'd assume it's your neck if you can't get things back up and running ASAP? :-)

-----

chome 
10/5/08 2:11:27 PM
Champion

censornet is a good cache/proxy server

easy to setup easy to maintain logs plenty of info.

-----
http://folding.stanford.edu/English/Science

sponger 
10/5/08 3:29:27 PM
Immortal

Admin is nearly all about recovery IMO. You should always be thinking of what you will do when x or y goes wrong. Admins are there to insure against entropy. An average admin will do all he/she can to ensure the best service given the available resources, and a good one will ensure that service includes minimal downtime in any disaster.

Sounds obvious but is rarely practiced.

-----

iamthemaxx 
10/5/08 4:11:37 PM
Mod
SuperHero

Immortal


Quote by sponger
Admin is nearly all about recovery IMO. You should always be thinking of what you will do when x or y goes wrong. Admins are there to insure against entropy. An average admin will do all he/she can to ensure the best service given the available resources, and a good one will ensure that service includes minimal downtime in any disaster.

Sounds obvious but is rarely practiced.



Because it is rarely practical.

-----

sponger 
10/5/08 4:55:05 PM
Immortal

Quote by iamthemaxx
Quote by sponger
Admin is nearly all about recovery IMO. You should always be thinking of what you will do when x or y goes wrong. Admins are there to insure against entropy. An average admin will do all he/she can to ensure the best service given the available resources, and a good one will ensure that service includes minimal downtime in any disaster.

Sounds obvious but is rarely practiced.



Because it is rarely practical.



Speak for yourself. I probably focus 1/2 of my time on recovery and documentation. The other 1/2 is split between learning and actual maintenance. Nothing new is implemented by me unless there is a recovery plan to go with it. If the data's important, not doing so would be akin to driving an uninsured car worth the time of labour gone into it.

If you have limited resources, you should bring it to the attention of management.

-----

iamthemaxx 
10/5/08 5:31:18 PM
Mod
SuperHero

Immortal


Quote by sponger
Speak for yourself. I probably focus 1/2 of my time on recovery and documentation. The other 1/2 is split between learning and actual maintenance. Nothing new is implemented by me unless there is a recovery plan to go with it. If the data's important, not doing so would be akin to driving an uninsured car worth the time of labour gone into it.

If you have limited resources, you should bring it to the attention of management.



Yeah fair enough, I should have elaborated.
I have just me, and a heap of systems, management know all about it but I am still waiting.


Sorry, getting a tad off topic here.


Edited by iamthemaxx: 10/5/2008 05:34:04 PM

-----

Cal-MB 
11/5/08 9:30:05 AM
Overlord

I had the same problem where I work; the requests for downtime to fix issues over a weekend were rejected time and time again. Just keep making them. When our SAP system went down (leaving 30k users in the lurch for 3 days) we just pointed at a long list of refused requests and said what did you expect?

Admins are all about disaster planning and recovery. How fast you can react to problems is largely based on how much preparation you put in beforehand.

-----
There is always something at the end of a road, if you're not willing to see what it is you probably shouldn't be there in the first place.

bnew 
14/5/08 10:45:23 AM
Guru

http://dansguardian.org/ is what we use, in similar circumstances to you (but with more servers). Works fine with Squid.

For backups, check out something like rsnapshot (although it may be less suitable for you if you only have one server).


Edited by bnew: 14/5/2008 10:46:44 AM

-----
Hardware: the parts of a computer that can be kicked. ~Jeff Pesis

eckythump 
15/5/08 12:54:20 AM
Overlord

Hrm...

I would've thought the Dept. of Education would have policies regarding what should be used for filtering?

I would be checking that and see what, if anything they recommend. Usually, when government bodies expect you to do filtering, they provide you with options.

I'd be curious to know what you find out.

I imagine their offerings may require you to setup a dedicated box and have squid point to it as a parent proxy.

I also give a +1 to squid addons like adzap, and also to using a decent network card. While I always speak fondly of RTL8139s because "they just work", they are cheap'n'cheerful and fairly mickey mouse. Get yourself something decent like an Intel EtherExpress card, or perhaps something by 3com. I would be wary of anything much else in server land.

-----
"Grandfather had an accident, he got burnt." "Oh no, how bad?" "Well, they don't fuck around at the crematorium."

anjellycue 
21/5/08 9:13:02 PM
Overlord

IMHO, I think that you would be best served moving some of those essential services to another machine. A single server, as we all know, can be a single point of failure. I would put x and y and z on one server and a and b and c on another, and possibly a fallback server if it's feasible. I'd have a chat to the Dept. of Education and see if that helps you out with options.

-----

mandalore 
11/7/08 5:31:27 PM
Banned
Filtering? Read Ashton Mills' article in issue #81. If you have #81. If not, this site should have it.

-----
Trust no one. Least of all yourself...
