Hacker News
by Manu40 1331 days ago
I would be hosting an FTP service for my files for my own use in other locations. So that would require some 'read' access from a network. So that network connection would have to have internet access somehow, thus the firewall and possibly VPN. These are not incriminating files in any way mind you. I just am wary about things like packet injection, and other sneaky practices that miscreants use.

I would also be hosting a webpage or two, for blog and possibly web-shop purposes. The blog would again be "read-only", but the web-shop would require some semblance of 'write' permissions available for users. So the blog would share the 'read-only' connection ideally. The Web-shop would share the write capable connection instead.

Finally, the laptop being able to SSH into the server solely is for security purposes due to not wanting to use any form of IPMI due to some security concerns over it. I would instead be using a dedicated network card for just its purposes only. This laptop would not connect to the internet through anything, even the server. No shared connections between the network NICs at all.

And I realize it may seem overkill to some people, but I don't care if it is overkill. It's when people get sloppy and cut corners that backdoors and security vulnerabilities arise. IMHO.

If I had a million dollars, I would have the most secure server in the world, lol.

The firewalls/VPNs are essentially there to act as a stop-gap measure just in case anyone decides to poke their nose in where it doesn't belong. Partially to catch them in the act, partially to stop them in the act. Ideally.

Here is a simple text explanation of sorts of my setup I have in mind.

- NIC 1: Blog/FTP, Read only. No copying files to the FTP, just copying files from it. You can only read the blog, not comment, or anything like logging in. The only person who ever needs to 'log in' is me, from my laptop.

- NIC 2: Web-shop and maaaybe a game server for testing purposes. (Considering making a simple game that will need some net code tested in the future.) This will have full read and write capability, since it will need to. This is the network that will require all the extra firewalls and VPN connections, if I use them at all. The other one might be able to get away with not having them, but this one will need them in my mindset on the matter. Logging in is definitely a thing on this part of the server.

This server will have (and maybe I should have mentioned this before) a virtualized instance for each service. This way I can sandbox each, and kill each sandbox if ever needed due to whatever malicious actions some dingus decided to do.

The laptop is essentially going to be my monitor, keyboard, and mouse; so I don't need to run multiple of each for yet another machine. (I have 2 desktops, and another laptop. I need to simplify things down a bit, even if this seems more complex, lol.)

All of this is getting its own intranet essentially, completely separated from my main internet connection. It will also be getting its own business connection instead with a static IP address for any sort of connections to the outside world. The only way my two networks will ever talk to each other, is either through the internet itself, or via a firewalled connection between the intranet I have set up, and my other computers. In this way, it will act like a local NAS for my other computers, but also for when I am out and about, and need a certain file suddenly.

I should also mention I tend to live with roommates, so I like having an extra layer of security here and there when doing so, since you never know when your roommate is going to try to do something sneaky. Like my current one who decided to give our password to the neighbors downstairs... and across the wall... Why? Because they lied to him and said they pay for the internet here too. (They don't.) Or so he claims. Quite frankly, I have found out rather recently because of this and some other things that he has a habitual need to lie and deflect. Fun stuff.

Again, this may all seem like overkill to some people, but I have long learned from experience that what one person considers overkill, another considers underkill. I would much rather do things to a point where people go "jeezus" than be the one going "ah damn".

With that note, there will be absolutely zero Windows operating systems on this machine, and any machine that directly connects to it, like my laptop, will also be running non-Windows environments.

The machines that do need to run Windows, due to things like my capture card from AVerMedia not supporting Linux basically at all... they are going to be locked behind the firewalls, and allowed to connect only to the basic internet connection I already have set up. Everything else is Linux. Everything. Even my 'other' laptop that currently has Windows on it, only has it, because it came with it. That changes, very soon.

And besides, you wanna see real overkill?

I'll be setting up my own version of Kali essentially on the first laptop for SSH and stuff into my server, so I can also do security audits. But it's either going to be Arch based, or Gentoo based. Why?

Because I don't trust the folk who made Kali, otherwise used to be known as Backtrack. Why?

Because they still use torrents, and not magnet files, to start. And while even Arch has a way to be used on Windows now; I can at least install it via Bash on my own without needing to use some pre-made packaged installation. Hence why I might move on to Gentoo.

And I realize that no OS is perfect, and security flaws exist everywhere.

That's why I am going overkill. Also, this is how I learn things. By doing them. And I basically want to learn how to make some of the most redundantly secure servers, so that people who come to me for my services get something they can trust isn't going to be easily hacked by some script kiddie.
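
One way to check the NIC separation described in the post above, as an added example that is not part of the original comment: it audits `ss -Htln` output so that each listener is bound only to the address of the NIC its role allows, and flags wildcard binds that would expose a service (such as SSH) on every interface. The addresses, port sets and the sample output are assumptions constructed for illustration; the post gives none.

```python
import ipaddress

# Assumed addressing and ports; the post names the NIC roles but gives no addresses.
POLICY = {
    "192.0.2.10": ("nic1 blog/ftp read-only", {21, 80, 443}),
    "192.0.2.20": ("nic2 web-shop read/write", {443}),
    "10.99.0.1": ("nic3 laptop ssh", {22}),
}
WILDCARDS = {"0.0.0.0", "::", "*"}

# Constructed sample of `ss -Htln` output (not captured from a real host).
SAMPLE = """\
LISTEN 0 128 10.99.0.1:22 0.0.0.0:*
LISTEN 0 511 192.0.2.10:80 0.0.0.0:*
LISTEN 0 32 192.0.2.10:21 0.0.0.0:*
LISTEN 0 511 192.0.2.20:443 0.0.0.0:*
LISTEN 0 128 192.0.2.20:22 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*
"""

def parse_local(field):
    """Split ss's Local Address:Port column into (address, port)."""
    addr, port = field.rsplit(":", 1)
    addr = addr.strip("[]").split("%", 1)[0]  # drop IPv6 brackets and %iface scope
    return addr, int(port)

def audit(ss_output):
    """Return (address, port, reason) for every listener that breaks POLICY."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        addr, port = parse_local(fields[3])
        if addr in WILDCARDS:
            findings.append((addr, port, "bound to every NIC"))
            continue
        if ipaddress.ip_address(addr).is_loopback:
            continue  # loopback-only listeners are unreachable from any NIC
        if addr not in POLICY:
            findings.append((addr, port, "address not in policy"))
        elif port not in POLICY[addr][1]:
            findings.append((addr, port, f"port not allowed on {POLICY[addr][0]}"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

On a real host the input would come from running `ss -Htln` on the server, or inside each virtualized instance, and the policy table would carry the actual addresses.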