Cheap POP-In-A-Box?
Interloper asks: "I have been considering creating a non-profit ISP for a small community. The idea is to provide dial-up v.34 or v.90 connections at cost. What hardware and software are available to make an all-in-one POP for dial-up users as cheaply as possible? The sort of features needed include WAN connectivity (upstream provider, frame-relay or leased line), a digital interface for a group of dial-up lines, internal routing, internal mail handling, authentication, and any other needed support for 8+ simultaneous users. Web page hosting is not considered necessary. Basically just e-mail and browsing. Can these features all be contained in one box? What distro and hardware would make this as cheap and fast as needed?"
"...a digital interface for a group of dial-up lines, internal routing, internal mail handling, authentication, and any other needed support for 8+ simultaneous users. Web page hosting is not considered necessary. Basically just e-mail and browsing."
Okay. I worked for a division of Litton, until we got "divested" to my General Manager.
Now, Pat's a good guy, but he's cheap. He was going to be perfectly happy without his own domain and everything, and with a 56k dial-up connection to the Internet. (We have 17 users on the LAN I administer. We make and sell a variety of very weird and specialized stuff. We *need* connectivity, for communicating with both customers and suppliers.)
And yet, our homepage was going to be "http://www.whateverisp.com/~companyname". It was a joke.
Did I mention that Pat is clueless?
So, I called an ISP. Had PPPoE-based DSL installed. We've got two static IPs. Stole the fastest spare computer we had kicking around (an old Compaq Deskpro Pentium 100 from under the old receptionist's desk), stuffed two cheap Realtek-based PCI ethernet cards into it, and took it home with me.
At home that night, I threw Red Hat 6.2 onto it. Got the Roaring Penguin PPPoE solution, which installed absolutely painlessly. Set up DNS, Apache, sendmail, user accounts, password-protected SAMBA for our internal LAN (so that one of the engineers can change specs and stuff on our webpage without a hassle).
I brought the machine back in to the office the next day, plugged it into our LAN, configured it as our office DHCP server, set up ipchains to serve as our NAT firewall and gateway to the Internet. Plugged in the Northern Telecom DSL modem, typed "adsl-start", and we were up and running!
Essentially, an Internet Service Provider in a box. The biggest difference with what you'd want to do is that you need dial-in services. A bunch of modems (remember, Winmodems don't work under Linux!), plugged into a bunch of 486s, could probably serve your needs easily and inexpensively. Without getting into expensive terminal server solutions or multi-serial cards, a legacy PC will support 4 serial devices, and that's only if you can get the IRQ sharing to work. Worst case traffic on each machine will be 4 modem @ 56k each. No sweat. Just plug in as many 486s configured like that as you need. Your limiting factor is likely to be the speed of your connection to the Internet; even so, when all your modems are in use, it's unlikely that all your users will be downloading MP3s at the same time, etc.
My system's current uptime is 77 days. Aside from going in and upgrading BIND on Monday (security upgrade), the system is pretty maintenance-free. Our e-mail service is quick and reliable. Our webpage doesn't get more than 50-60 different visitors a day, so the Pentium 100 doesn't even break a sweat. And Linux is so efficient at the NAT services that our 17 users, many of them on Pentium IIIs and stuff, max out the speed of our DSL, not the old Compaq.
My boss can't believe this thing, but it's true.
Oh, and to avoid a distro war, I chose Red Hat Linux over Debian, Caldera, SuSE, or even FreeBSD because I know RH Linux better, and getting this thing up and running quickly was of the essence.
"Can these features all be contained in one box?" Well, you could do everything that I've done in one box. In fact, everything here runs in the one box. Instead of putting in the second network card, since your clients aren't on a LAN like mine, you could use the free slots for the 4 modems you'd be able to shoehorn into that thing. Or the multi-port serial card (make sure that it has Linux drivers available before buying it!). I don't think that running a PPP dialup server would require much more CPU horsepower than what I'm doing.
HOWEVER, I do want you to think about something. If all your services are provided by one machine, you're at risk.
Just this past week, a vulnerability was found in BIND (Berkeley Internet Naming Daemon). BIND is a DNS server, responsible for turning "www.whatever.com" into an IP address.
Since, for example, my mail server and my DNS server are on the same machine, if a cracker breaks into BIND and gets root access on my box, he's also got root access on my mailserver.
Which means that he can read the contents of /var/spool/mail/private_stuff. And he can even post it to alt.sex.fetish.hamster.duct-tape. Or he can sell it to our competition.
The best thing is to have a firewall machine - could be a 386, as long as you can install a highly secure operating system on it - with two network cards and nothing else installed but the bare minimum. A 386 can easily saturate 10base-T ethernet, even loaded down with (ugh!) Windows 95. So, as long as your operating system of choice will run on the system, it really doesn't have to be too spectacular. Money is not needed to buy servers when most of the time companies have to pay to get rid of this sort of hardware.
Make the firewall machine redirect all port 80 requests to your dedicated webserver. Make the firewall machine redirect all port 25 to the dedicated SMTP server. All domain requests to the DNS server. Etc. This way, if someone roots your webserver, they just have your webserver. If someone roots your firewall, they just have your firewall. If they've got your firewall but they want your mailserver, they'll have to use your firewall machine to break into your webserver.
The point here is that if someone wants in badly enough, they'll get in. Security is just about obstacles, and stratifying the machines is another obstacle.
Plug your PPP server(s) into the DMZ's hub, set up the firewall to perform NAT for those machines, set up the PPP server(s) to use the firewall machine as a gateway, and you're off to the races. Your users will have two measures of isolation from the hax0rs and evil users on the 'Net, and your server farm will be out of harm's way.
Now, if all this is so great, why don't I have this in the office?
Did I mention that Pat is clueless?
He's also too cheap to let me spend the time to actually set up a DMZ with a couple of the old 486s we have kicking around the office.
Having said that, I still sleep pretty well at night. One Linux box running all these functions, but with ipchains set up to only be open on the needed ports, frequently backed up by an administrator who watches the security websites, is still far more secure than almost any Windoze server running IIS and all the associated crap with it. Hell, it's not too far off to say that I portscan my server far more often than I get portscanned.
Oh, and yeah, I'd give the name of the domain here, and you could check out the server. But given that there are elements to the Slashdot audience who are very capable of breaking into just about anything, and I really don't want to attract their attention to my company's server, I won't.
Fire and Meat. Yummy.
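The stratified layout the reply describes (a bare two-NIC firewall that hands port 80, 25 and 53 to dedicated DMZ boxes and masquerades the PPP server for its dial-up users) as an added example, not code from the post or its author. The post uses ipchains; this generator emits iptables commands, the ruleset tool that replaced ipchains with the 2.4 kernel. The interface names, the DMZ addresses and the host roles are assumptions, constructed for the example, and the script only prints the rules so it can be inspected before being piped into a root shell.

```shell
#!/bin/sh
# Added example (not from the Slashdot post): build the "one service per box"
# firewall ruleset from the reply as iptables commands. Interfaces and DMZ
# addresses below are assumed/constructed values; adjust before applying.
set -e

WAN_IF=eth0                # assumed: NIC facing the upstream provider
DMZ_IF=eth1                # assumed: NIC facing the DMZ hub
WEB_HOST=192.168.1.10      # assumed DMZ hosts (constructed RFC 1918 addresses)
SMTP_HOST=192.168.1.11
DNS_HOST=192.168.1.12
DMZ_NET=192.168.1.0/24     # DMZ hub, where the PPP server(s) also live

# forward_service PROTO PORT HOST: redirect inbound PROTO/PORT arriving on the
# WAN side to HOST, and allow exactly that redirected traffic, nothing else,
# to cross from WAN to DMZ. FORWARD sees the already-translated destination.
forward_service() {
    proto=$1; port=$2; host=$3
    echo "iptables -t nat -A PREROUTING -i $WAN_IF -p $proto --dport $port -j DNAT --to-destination $host:$port"
    echo "iptables -A FORWARD -i $WAN_IF -o $DMZ_IF -p $proto -d $host --dport $port -m conntrack --ctstate NEW -j ACCEPT"
}

# gen_rules: print one iptables command per line. Apply with:  gen_rules | sh
gen_rules() {
    # Default deny: nothing reaches the firewall itself, and nothing crosses
    # it, unless a rule below explicitly says so.
    echo "iptables -P INPUT DROP"
    echo "iptables -P FORWARD DROP"
    echo "iptables -P OUTPUT ACCEPT"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    # Replies to conversations that were allowed in the first place.
    echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # One redirect per public service, each to its own machine, so rooting
    # the web server yields only the web server.
    forward_service tcp 80 "$WEB_HOST"
    forward_service tcp 25 "$SMTP_HOST"
    forward_service tcp 53 "$DNS_HOST"
    forward_service udp 53 "$DNS_HOST"
    # The PPP server(s) and their dial-up users go out through the firewall
    # under its address (NAT); nothing outside can address them directly.
    echo "iptables -A FORWARD -i $DMZ_IF -o $WAN_IF -s $DMZ_NET -j ACCEPT"
    echo "iptables -t nat -A POSTROUTING -o $WAN_IF -s $DMZ_NET -j MASQUERADE"
}

# count_rules_for HOST: number of generated lines that mention HOST. A quick
# sanity check that each DMZ box gets only the rules for its own service.
count_rules_for() {
    gen_rules | grep -c -- "$1"
}

# Review the ruleset before applying it as root:  gen_rules | sh
gen_rules
```

Note what the ruleset does not contain: no INPUT rule for port 80, 25 or 53 on the firewall itself, because those daemons are not supposed to run there. Keeping the firewall box to kernel, NIC drivers and the packet filter is what makes "if someone roots your firewall, they just have your firewall" hold.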