LinuxQuestions.org
Old 09-05-2004, 10:32 AM   #1
DHR
LQ Newbie
 
Registered: Sep 2004
Location: UK
Posts: 14

Rep: Reputation: 0
At a loss! Where to begin!!


Right, I'm in the process of setting up a small LAMP server for my final year uni project; obviously
security is important as I don't want anyone breaking in and ruining the machine whilst my work is on
there!!

I didn't know whether to place this question in the networking or security questions, so if anyone feels it
belongs elsewhere please move it.

Right here we go!


I have the LAMP services basically set up. The server is connected to a wireless router; there are two
Windows boxes also connected to the wireless router. The router is connected to the net through 512kb bb.

Now, first of all I only want one machine to be able to connect via ssh at the moment (there will be
another shortly); this is one of the Windows boxes, which is on a 192.168.0. address. I have edited the
hosts.allow file with the following:

sshd:192.168.0.2

However it is still allowing access from other local machines on the network. It was at this point I've
decided to ask all of the following questions at once and one answer might have an impact on later
questions!

This is essentially what I'm after :
  • Only one local machine .2 should be allowed to SSH to the machine.
  • From this SSH session the user should be able to use mysql client, edit dbs etc.
  • The apache directory needs to be viewable externally through the internet, e.g. on the other side of the
    router. EDIT : Also ideally the server should have its own static IP address (I've got one spare), so I
    understand that port forwarding will need to be set up on the router; what I'm puzzled about is how I can
    get the server to have a static address, e.g. 81.123.45.6, when it's behind the router which has its own
    external IP! e.g. another 81.123.45.6
  • It is likely that one other machine will be allowed to use SSH, but this will be external (e.g. through
    the internet)


As I've mentioned before, I need this to be as secure as possible. The system is running SUSE 9.1 on a
minimum install.

Any help is appreciated!

Last edited by DHR; 09-05-2004 at 10:38 AM.
 
Old 09-06-2004, 03:16 AM   #2
linux_terror
Member
 
Registered: Aug 2004
Location: Northbrook, Illinois
Distribution: CentOS-5
Posts: 311

Rep: Reputation: 30
Ok, the router needs its own IP... so if the router is 81.123.45.6 you will have to assign your other one to the Linux box, e.g. 81.123.45.7. Once that is in place, from your explanation I'm gathering that you want webserver and ssh accessible from the outside. This is accomplished by forwarding port 22 (default ssh port), port 80 (default http port) and optionally port 443 (default https port) to the Linux box; if you want to go a little further you could forward port 21 for ftp also.

As far as allowing certain hosts to ssh in, you had it right but I believe you missed one step... In your hosts.allow you should have the IPs of the machines you want to be able to connect, e.g. 192.168.0.2 (that part you did right); this is the part that you forgot... in your hosts.deny you want to have an entry that says ALL : ALL
So basically you are denying everyone but allowing 1 particular IP to log in.

As far as using mysql client, I usually just set up phpmyadmin on the server with authentication set to http so it's protected by htaccess. It's a great free tool for mysql administration and you can pick it up here--> http://www.phpmyadmin.net/home_page/ or off of the command line
Code:
 mysql -u username -p
This will bring you to the mysql shell.

hope this helps ya out...

linux_terror
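
The lookup order behind the reply above, as an added example that is not part of the original posts: a simplified shell model of the hosts_access(5) decision, where a client is granted if hosts.allow matches, denied if hosts.deny matches, and granted when neither matches. The function names, the empty hosts.deny and the second client address are assumptions made for illustration; only exact names, `ALL` and trailing-dot address prefixes are modelled.

```shell
#!/bin/sh
# Simplified model of the hosts_access(5) decision order. Handles exact names,
# ALL and "192.168.0." prefixes only (no EXCEPT, netmasks or hostnames).

# match_item PATTERN VALUE -> success if the pattern covers the value
match_item() {
    case "$1" in
        ALL) return 0 ;;
        *.)  case "$2" in "$1"*) return 0 ;; esac ;;   # trailing dot = address prefix
        *)   [ "$1" = "$2" ] && return 0 ;;
    esac
    return 1
}

# match_list "a, b c" VALUE -> success if any item in the list matches
match_list() {
    for item in $(printf '%s' "$1" | tr ',' ' '); do
        match_item "$item" "$2" && return 0
    done
    return 1
}

# rules_match RULES DAEMON CLIENT -> success if any "daemons : clients" line matches
rules_match() {
    printf '%s\n' "$1" | {
        while IFS=: read -r daemons clients rest; do
            case "$daemons" in ''|'#'*) continue ;; esac   # skip blanks and comments
            match_list "$daemons" "$2" && match_list "$clients" "$3" && exit 0
        done
        exit 1
    }
}

# decide ALLOW_RULES DENY_RULES DAEMON CLIENT -> prints "granted" or "denied"
decide() {
    if rules_match "$1" "$3" "$4"; then echo granted     # 1. match in hosts.allow
    elif rules_match "$2" "$3" "$4"; then echo denied    # 2. match in hosts.deny
    else echo granted; fi                                # 3. no match anywhere
}

ALLOW='sshd:192.168.0.2'   # the hosts.allow line from the question
DENY_EMPTY=''              # hosts.deny with no entries (assumed starting state)
DENY_ALL='ALL : ALL'       # the hosts.deny entry suggested in the reply

for client in 192.168.0.2 192.168.0.3; do   # 192.168.0.3 is a constructed address
    echo "empty hosts.deny:   $client -> $(decide "$ALLOW" "$DENY_EMPTY" sshd "$client")"
    echo "ALL:ALL hosts.deny: $client -> $(decide "$ALLOW" "$DENY_ALL" sshd "$client")"
done
```

Only services that consult TCP wrappers honour these two files, and `ALL : ALL` in hosts.deny applies to every such service, not just sshd.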
 
Old 09-06-2004, 05:10 AM   #3
DHR
LQ Newbie
 
Registered: Sep 2004
Location: UK
Posts: 14

Original Poster
Rep: Reputation: 0
Thank you very much

I'll let you know how I get on
 
  

