Protecting HP 3000s Using Linux
March 27, 2012
While HP 3000 sites deploy Linux servers this year, some of them are using the environment as a buffer for 3000s which need to be in range of the Internet. James Byrne, who's hosting the hp3000links.com website as well as managing IT project for Harte & Lyne, outlined his setup to use Linux for 3000 protection.
Byrne has his HP 3000s and the internet buffered by a dual-homed Linux box in front of the HP 3000, using that to provide firewall, SSH, and proxy services. He describes his setup a fairly primitive (where GW/FW=gateway/firewall):
Internet-> GW/FW <-> Eth0:Linux:Eth1 <-> HP 3000
The network connection to the gateway/firewall provides our public routable access. The link between the Linux front-end host and the HP 3000 is a x-over cable using a 192.168.0.0 block address. Direct network connections to the HP 3000 NIC are physically impossible. This ensures physical network security over the non-encrypted portion of the network (for SSH access).
There are a wide assortment of Linux-based firewall appliance distributions which may simplify set up somewhat for novice users. Alternatively, one can simply use a mainstream Linux distribution, or a derivative like RHEL/CentOS or Debian/Ubuntu, and add and configure the packages desired.
We use a CentOS-5 based host running IPTables, Squid, OpenSSH, VSftpd, and Denyhosts as the front-end to the HP 3000. IPTables is configured to log and drop for 7 days all addresses performing obvious port scans. IPTables similarly counts, logs and blocks IP having excessive failed connection attempts on visible ports.
Denyhosts scans the logs for other issues and really does not add much to our setup. However, Denyhosts can be used to do itself everything I have chosen to do in IPTables. Therefore, one may concentrate on learning the configuration of just Denyhosts and leave IPTables configuration to the minimum necessary to allow access.
The proxy server handles FTP but we do not allow FTP access to the HP 3000 at all -- so I could not tell you if we have that set up correctly or not. We have it there in case the need ever arises.
The intellectual load of dealing with these things is non trivial. However, the price of freedom is eternal vigilance. Once the front-end is setup ,we run logwatch to send daily reports on connections and consider whether further configuration changes are necessary.
Denyhosts scans the logs for other issues and really does not add much to our setup. However, Denyhosts can be used to do itself everything I have chosen to do in IPTables. Therefore, one may concentrate on learning the configuration of just Denyhosts and leave IPTables configuration to the minimum necessary to allow access.
The proxy server handles FTP but we do not allow FTP access to the HP 3000 at all -- so I could not tell you if we have that set up correctly or not. We have it there in case the need ever arises.
The intellectual load of dealing with these things is non trivial. However, the price of freedom is eternal vigilance. Once the front-end is setup ,we run logwatch to send daily reports on connections and consider whether further configuration changes are necessary.