take unix off line

take unix off line

Post by Allan Tinge » Tue, 14 Jul 1998 04:00:00



We will be bringing up a unix server shortly that will have some confidential
data on it that will be used in medical research.  The system needs to be on
the internet for distribution of the data to the various research organizations
involved.  In addition to the other security measures that will be taken, I
am considering taking the system off-line or even shutting it down nights and
weekends.  I'd like to hear some ideas on how you might go about automating
this.  An automatic shutdown at 5:00 is easy but I'm not sure about an automatic
startup the next morning.  If I just kill tcp/ip for the night I'm not sure
which daemons to kill and restart the next day.  Another possibility
might be some firewall type of software that can disable all network
traffic for certain hours.


Thanks,
al

take unix off line

Post by Barry Margolin » Tue, 14 Jul 1998 04:00:00




>am considering taking the system off-line or even shutting it down nights and
>weekends.  I'd like to hear some ideas on how you might go about automating
>this.  An automatic shutdown at 5:00 is easy but I'm not sure about an automatic
>startup the next morning.  If I just kill tcp/ip for the night I'm not sure
>which daemons to kill and restart the next day.  Another possibility
>might be some firewall type of software that can disable all network
>traffic for certain hours.

You could use cron jobs that do "ifconfig <interface> down" and "ifconfig
<interface> up" at the appropriate times.

--

GTE Internetworking, Powered by BBN, Cambridge, MA
*** DON'T SEND TECHNICAL QUESTIONS DIRECTLY TO ME, post them to newsgroups.

take unix off line

Post by Wave Rid » Tue, 14 Jul 1998 04:00:00





>>am considering taking the system off-line or even shutting it down nights and
>>weekends.  I'd like to hear some ideas on how you might go about automating
>>this.  An automatic shutdown at 5:00 is easy but I'm not sure about an automatic
>>startup the next morning.  If I just kill tcp/ip for the night I'm not sure
>>which daemons to kill and restart the next day.  Another possibility
>>might be some firewall type of software that can disable all network
>>traffic for certain hours.

>You could use cron jobs that do "ifconfig <interface> down" and "ifconfig
><interface> up" at the appropriate times.

It's better to set up two run levels, 2 & 3 for the two modes desired.
Then simply change run level with cron.  RedHat used to come with
something like this already, Solaris does.

Adding future services just means determining the appropriate run
level, rather than another cron entry.

--
     DK            The most unreliable component in any
                   glider is the fathead at the controls

take unix off line

Post by Henry Hertz Hobbit » Wed, 15 Jul 1998 04:00:00



> We will be bringing a unix server shortly that will have some
> confidential data on it that will be used in medical research.
> The system needs to be on the internet for distribution of the
> data to the various research organizations involved.  In
> addition to the other security measures that will be
> taken, I am considering taking the system off-line or even
> shutting it down nights and weekends.  I'd like to hear some
> ideas on how you might go about automating this.  An automatic
> shutdown at 5:00 is easy but I'm not sure about an automatic
> startup the next morning.  If I just kill tcp/ip for the night
> I'm not sure which daemons to kill and restart the next day.
> Another possibility might be some firewall type of software
> that can disable all network traffic for certain hours.

> If you have any ideas please email them to:


Al

Another possibility is to use your tcp-wrappers. The way I
usually did that was to have two directories in /etc called
/etc/open, and /etc/closed with two sets of hosts.* files in
each directory. Cron would move the ones out at night that
closed things down considerably, and then the less restrictive
ones out during the week days. It provides the additional
benefit of logging what the heck is going on. Works like a charm
both during the week and weekend. This can effectively close
down ALL of the inet services as desired. It just depends on
how you configure it.

If you are worried about the residual security holes left in
sendmail, I would advise replacing it with qmail or vmail when
(if?) it becomes available. If you HAVE to run sendmail, at least
do it with the latest one with smrsh.

Turning the beast off on weekends works for me, but that may
or may not be an option depending on the people that you are
working with. I have a feeling they will scream *y *
if you do it. If the data is especially sensitive, I assume
they will just have to live with it. You will have a problem of
mail boomeranging during that time but that is only a problem if
you have lots of email going into the machine.

It is NOT a good idea to kill the inetd (/usr/sbin/inetd -s
on Sun/Solaris), but if that is what you want to do, just
run:
        - at night -
        "/etc/rc2.d/S74xntpd stop"
        "/etc/rc2.d/S72inetsvc stop"
        "/etc/rc2.d/S69inet stop"
         - at morning -
        "/etc/rc2.d/S69inet start"
        "/etc/rc2.d/S72inetsvc start"
        "/etc/rc2.d/S74xntpd start"

You will probably also have to kill /usr/sbin/rpcbind, and
several other daemons as well. I am assuming Sun/Solaris
given the group you posted to and where you are at. If this
is wrong, let me know. I do NOT consider the killing of these
daemons an effective method! Once you start to do this, things
can really get screwed up forcing a reboot to clear things up.
The wrappers approach is much simpler and less likely to cause
problems.

Henry Hertz Hobbit

PS  Ask Pieter B. if he agrees with my method...
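The profile swap Henry describes above, driven by the kind of cron schedule Barry and DK suggest earlier in the thread, written out as an added example; this is not code from any poster. It is a POSIX sh script that assumes the /etc/open and /etc/closed layout from the post, an assumed policy of open 08:00-16:59 Monday to Friday and closed otherwise, and names of my own choosing (ETC_DIR, profile_for, apply_profile, current_profile, the script path in the cron lines). One caveat worth keeping in mind: swapping the wrapper files only affects services that actually consult them (inetd services run through tcpd, and daemons built with libwrap), it does not cut connections that are already established, and anything not wrapped stays reachable, so it complements rather than replaces the other measures mentioned.

```shell
#!/bin/sh
# Added example, not from the thread: swap tcp-wrappers hosts.allow/hosts.deny
# between an "open" (business hours) and a "closed" (nights/weekends) set,
# using the /etc/open and /etc/closed layout described in the post.
#
# Assumed cron entries (weekday schedule, plus an hourly catch-up so a missed
# run or a reboot still ends up in the right state):
#   0 17 * * 1-5  /usr/local/sbin/wrapper-sched.sh apply closed
#   0  8 * * 1-5  /usr/local/sbin/wrapper-sched.sh apply open
#   30 * * * *    /usr/local/sbin/wrapper-sched.sh apply

# ETC_DIR is where tcpd reads hosts.allow/hosts.deny; overridable for testing.
ETC_DIR="${ETC_DIR:-/etc}"

# profile_for HOUR DOW: print "open" or "closed" for that time.
# HOUR is 0-23 (a leading zero from `date +%H` is accepted), DOW is 0-6 with
# 0 = Sunday, as in cron and `date +%w`. Assumed policy: open 08:00-16:59
# Monday to Friday, closed at all other times.
profile_for() {
    hour=${1#0}; hour=${hour:-0}
    dow=$2
    if [ "$dow" -ge 1 ] && [ "$dow" -le 5 ] &&
       [ "$hour" -ge 8 ] && [ "$hour" -lt 17 ]; then
        echo open
    else
        echo closed
    fi
}

# apply_profile NAME: install ETC_DIR/NAME/hosts.{allow,deny} as the live files.
# The masters are copied, not moved, so both sets survive repeated swaps; each
# file is written under a temp name and renamed so tcpd never reads a partial
# file; hosts.deny goes in first so there is no instant with a permissive allow
# file next to a stale deny file. Prints the name of the profile installed.
apply_profile() {
    name=$1
    src="$ETC_DIR/$name"
    for f in hosts.deny hosts.allow; do
        if [ ! -f "$src/$f" ]; then
            echo "apply_profile: missing $src/$f" >&2
            return 1
        fi
    done
    for f in hosts.deny hosts.allow; do
        cp "$src/$f" "$ETC_DIR/$f.tmp" && mv "$ETC_DIR/$f.tmp" "$ETC_DIR/$f"
    done
    # Record the swap in syslog; tcpd itself logs each accepted/refused connection.
    logger -t wrapper-sched "installed $name profile" 2>/dev/null || true
    echo "$name"
}

# current_profile: report which set is live by comparing against the masters.
current_profile() {
    for name in open closed; do
        if [ "$(cat "$ETC_DIR/$name/hosts.allow")" = "$(cat "$ETC_DIR/hosts.allow")" ] &&
           [ "$(cat "$ETC_DIR/$name/hosts.deny")" = "$(cat "$ETC_DIR/hosts.deny")" ]; then
            echo "$name"
            return 0
        fi
    done
    echo unknown
    return 1
}

# Cron entry point: "apply" picks the profile for the current time,
# "apply open" or "apply closed" forces one.
if [ "${1:-}" = "apply" ]; then
    apply_profile "${2:-$(profile_for "$(date +%H)" "$(date +%w)")}"
fi
```

The hourly "apply" line with no argument is the part that makes the scheme self-correcting: if the machine was down at 17:00 or somebody restored hosts.allow by hand, the next run puts the right set back without anyone remembering to do it.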

take unix off line

Post by Richard Knechtel » Wed, 15 Jul 1998 04:00:00



> Another possibility is to use your tcp-wrappers. The way I
> usually did that was to have two directories in /etc called
> /etc/open, and /etc/closed with two sets of hosts.* files in
> each directory. Cron would move the ones out at night that
> closed things down considerably, and then the less restrictive
> ones out during the week days. It provides the additional

That's a cool idea. Hadn't thought of that one.

--

Richard Knechtel
email(richard dot knechtel at eds dot com)
Centrobe
(Systems Engineer/System Administrator)
(Aspiring AS/400 GURU)
(Aspiring Linux GURU)
(Aspiring Visual Basic Programmer)

       The contents of this message express only MY opinion.
       This message does not necessarily reflect the policy or views of
       my employer, Centrobe.  All responsibility for the statements
       made in this posting resides solely and completely with the
       ME.
       I Ex-Spaminate spammers!
       See US Code Title 47, Sec.227(a)(2)(B), Sec.227(b)(1)(C)
       and Sec.227(b)(3)(C).

take unix off line

Post by nico » Thu, 16 Jul 1998 04:00:00


if you use Sun hardware, you can configure it to go into 'Suspend' mode
and restore the system at a given time. Useful and very easy if you want
to bring the box offline from say 9pm to 8am.

bye,

Nicolas


> We will be bringing up a unix server shortly that will have some confidential
> data on it that will be used in medical research.  The system needs to be on
> the internet for distribution of the data to the various research organizations
> involved.  In addition to the other security measures that will be taken, I
> am considering taking the system off-line or even shutting it down nights and
> weekends.  I'd like to hear some ideas on how you might go about automating
> this.  An automatic shutdown at 5:00 is easy but I'm not sure about an automatic
> startup the next morning.  If I just kill tcp/ip for the night I'm not sure
> which daemons to kill and restart the next day.  Another possibility
> might be some firewall type of software that can disable all network
> traffic for certain hours.


> Thanks,
> al

take unix off line

Post by Ian Stirling » Fri, 17 Jul 1998 04:00:00


: We will be bringing up a unix server shortly that will have some confidential
: data on it that will be used in medical research.  The system needs to be on
: the internet for distribution of the data to the various research organizations
: involved.  In addition to the other security measures that will be taken, I
: am considering taking the system off-line or even shutting it down nights and
: weekends.  I'd like to hear some ideas on how you might go about automating

I don't see this as very valuable.
Anyway, what about people in different time zones?
It may be worth investigating one of the virtual private network-over internet
products, that way you are almost ensured uncrackability.

--
See http://www.mauve.demon.co.uk/    |Linux PDA, cheap electronics/PC bits sale.
See_header,_for_UCE_policy___________|_____________________________Ian_Stirling.
Two parrots sitting on a perch. One asks the other, "Can you smell fish?"