also sprach Andrew Miehs <andrew@2sheds.de> [2004.10.31.0907 +0100]:
> On the one hand, you are happy to install via nfs, but on the
> other hand, you want monitoring done via 'ssh'?

Well, I agree that NFS is somewhat of a kludge. However, I want SSH
to contact the servers to execute commands to prevent someone else
from just executing them without authenticating.

> If you really need this much security, you should probably look at
> implementing ALL your connections via IPSEC - and possibly look at
> storing your ssl keys on a floppy, or usb stick as someone else
> suggested.

Hey, IPsec is a good idea. I will be looking into that. Does anyone
have stats on NFS over IPsec? These are 2 GHz machines...

> Nagios mainly uses SNMP to pull its data - authenticated but not
> encrypted. Big Sister - Have heard it's similar to big brother
> - simple to set up (compared to nagios) and for your small network
> should be more than adequate. Big Brother (and probably big
> sister) have client software that runs on each machine that sends
> the status info back to the display server.

Yeah, but I want a pull approach, not a push approach!

> To be honest, I don't know what sort of data you have running on
> these boxes,

Nothing special.

> but I would create a relatively secure gateway, and have my
> cluster behind this.

Done.

> This way you could possibly reduce your internal security
> requirements, and not need encryption everywhere. Just make sure
> you back up your data regularly

The problem is people plugging laptops in on the cluster side.

> All logins via the gateway - squid access to the internet from the
> cluster network.

I think I am going to make IPsec mandatory. That's the best way
probably to shield the local network. Thanks for the pointer. I did
not think about it myself. Doh!

-- 
Please do not send copies of list mail to me; I read the list!

 .''`.     martin f. krafft <madduck@debian.org>
: :' :     proud Debian developer, admin, user, and author
`. `'`
  `-  Debian - when you have better things to do than fixing a system

Invalid/expired PGP subkeys? Use subkeys.pgp.net as keyserver!