[mdlug] St. Pete's

dean mdlug at sbcglobal.net
Sun Nov 26 14:28:53 EST 2006


Did I send this out already?  This is the configuration at the church 
that Rodney had worked on.

-------- Original Message --------
Subject: 	Fwd: St. Pete's
Date: 	Fri, 14 Jul 2006 00:41:41 -0400
From: 	Rodney Hampton <rodney.hampton at gmail.com>
To: 	dean <mdlug at sbcglobal.net>
References: 	<b25eb7f50604170812i357076ddq6b500bfe0cea8140 at mail.gmail.com>


Basically, there are two linux boxes.  One is in their computer lab 
(name is gateway.stpeterslutheranchurch.net) and the other is in the 
closet in Matt's classroom (name is router.stpeterslutheranchurch.net).  
I haven't looked in a while, I think they're RedHat 8.

On router, there are two NIC cards.  So the cable modem goes in one 
side, and the internal network goes in the other.
I set it up using the monmotha firewall ruleset, bastille linux, etc.  
Look in root's pine mail for all the evil stuff getting logged.  
/etc/hosts.deny is getting pretty long because I've got scripts that add 
to it regularly.
They've got a SPRINT business account and a "pizza box" wireless 
receiver on the roof.  They have 5 static ips: 
24.221.90.238, 239, 240, 241, 242.  Costs them $150? 
a month but has screaming fast inbound and outbound.

On the router there is email, DNS, and apache.   The box is severely 
memory constrained and is on old hardware.
It's running qmail, spamassassin, vmailmgr, procmail, qmail scan (perl 
script replacing the qmailqueue binary; the real binary is qmailqueue 
original), clamav.  It's a temperamental beast, but has served them well 
enough.  The router also runs bind where they host their own 
authoritative DNS for stpeterslutheranchurch.net, nslaa (their athletic 
league website), lfahall.com (.net, .org, .biz), and my own 
elect-rodney.com domain.  If bind goes down 
(which it does from time to time due to lack of memory on the box) then 
everything stops working.  Matt usually just reboots it.  For apache, 
it's an ancient version because stpetes uses FrontPage extensions.  
Also, proxying through ssh is locked down; it will only allow certain users 
to have access.  There's an iptables rule that will allow direct access 
to the computer in the lab; it listens on a specific ip/port combo.  Never 
seems to get scanned on that port.

In the computer lab, the server runs samba as a PDC so all their 
workstations can log in, they've got a 5CD rack that has some perms set 
up in /etc/samba/smb.conf.
The computer lab (gateway) also acts as a buffer between the church 
network (192.x.x.x) and the school network (10.x.x.x).  I think I put 
the teacher computers in the 10.x.x.x network in one subnet and the 
student computers in another subnet as well.  Trying to add a bit of 
defense in depth, but it added to the complexity of the setup.  iptables 
here rules all.
gateway also runs apache and mysql.  The nslaa website actually runs 
back here, as does my own www.elect-rodney.com and formerly 
hamptonandassociates.net.  We used to host other real-estate 
sites as well for extra cash for the church.
gateway server also runs squid and dansguardian.  Basically, 
dansguardian is the proxy that the school, church, and student computers 
hit and it does filtering.  Recently I upgraded it.  Then dansguardian 
hands the outbound stuff off to squid.  I can't recall if this is 
because we wanted to tie it into samba auth.  Also have snort running, 
but ruleset is very old and all it ever did was help us figure out where 
broadcast storms were coming from when there were occasional network 
problems.
Occasionally you'll see errors from the CD rack that show up in pine for 
root.  Pay them no mind (hard to ignore these kernel messages but you'll 
get used to it).

In the church office there is an NT (yes NT) server box running 
Shepherd's Staff.  That will be hard to upgrade and is crucial to their 
church so I didn't touch it.  Basically, I've only patched the NT box 
and made sure they had some kind of backup tape scheme.  Much room for 
improvement here.  There's a rat's nest of cables behind the NT server 
that predates me.  The rat's nest was set up by a "consulting" company 
who didn't leave the admin password, but it was so easy I just guessed it 
when they needed me to access the box.

Anyway, this gives you a 10,000 ft. overview.  

All the desktops are Windows 98.  Matt aborted an upgrade to 2000 long 
ago when he saw the effort we'd need to go through.  They're mostly 
patched but I think they could be converted over to all linux someday.  
The DOS programs would probably all run under CrossOver Office, Wine, or 
a DOS emulator.

Thanks,

Rodney Hampton
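As an added illustration of the DansGuardian-in-front-of-Squid chain described above (assumed fragments written for this archive, not the church's actual files), the point is that Squid listens only on loopback so that a lab or student machine cannot skip the filter by pointing its browser at Squid directly. The gateway address 10.0.0.1 and the ports 8080/3128 are assumptions.

```conf
# dansguardian.conf (assumed fragment, not the real config)
# Listen on the internal interface that the lab, church and student
# networks reach. 10.0.0.1 is an assumed address for gateway.
filterip = 10.0.0.1
filterport = 8080
# Hand filtered requests to Squid on the same host, loopback only
proxyip = 127.0.0.1
proxyport = 3128

# squid.conf (assumed fragment, not the real config)
# Bind to loopback only: the filtering port is the sole route out
http_port 127.0.0.1:3128
acl loopback src 127.0.0.1/32
http_access allow loopback
http_access deny all
```

With Squid bound this way, `netstat -tln` on gateway should show 3128 on 127.0.0.1 only, and a client that sets 10.0.0.1:3128 as its proxy gets a connection refused rather than an unfiltered path.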