How I implemented the first rule of doing business in Russia

"one. Keep the server abroad »

(c) 9.5 rules for conducting a safe business in Russia



The prologue.



We are a small company of 10 employees, half of which occasionally work remotely.

What we had initially: a server with Windows and terminal access, which stood in the office. All users had laptops. We do not have any particularly confidential information, except for information important for business.

At one point, I was finally “finished off” by paranoia and it was decided to bring the server out of the office.

')





1) We rented two servers: one in Germany, the second in the Netherlands.

The configurations are the same: Intel Xeon Quad Core E3-1230 3.20 GHz / 8GB / 2x 1TB.

The prerequisites were: IP-KVM 24x7, guarantee of technical support response up to 4 hours around the clock, next-business day server replacement warranty (NBD) and unlimited traffic.

Additional software requirements: Windows 2008 standard, Windows 2008 enterprise, terminal licenses and MS Office (Word, Excel, PowerPoint)

These wishes and determined quite immodest budget: 756 euros / month.



Hosters leave unnamed. I can only say that because of the desire to pay via Webmoney (ie, not by credit cards), I had to turn to resellers.



2) Setting up both servers at the initial stage was completely identical. After gaining access to the servers, the entire first day was spent on the OS update. After it was installed Hyper-V.

A virtual machine was immediately created on CentOS, which became the router: it was her “white” IP. All other machines (including the host system) worked on the "gray" addresses.

To carry out this focus with IP, constantly connected IP-KVM came in handy. In this case, embedded IPMI and iLo on each of the servers.

Open VPN server was raised on the router, only he was accessible from the outside. All other ports were closed.

Also on the router raised NAT and proxy server.



3) A virtual server with Windows 2008 Standard was created on the first server for all available memory, which became our new office server.

7 GB for simultaneous work of 10 people in the terminal - more than comfortable conditions. Internet users office server is available only through a proxy.

Dr.Web works, licenses for which we got by subscription from the network to which our office is connected.

Standard office software suite: MS Office, Acrobat Reader, PDF Creator, WinRAR, InfranView, KeePass, Chrome, Firefox.

To prevent users from getting confused, a Bginfo file was attached to autoload for everyone, which changes the color of the desktop and writes on it what kind of server it is.



4) On the second server, everything is a bit more interesting.

On the host server is Windows 2008 Enterprise, which allows you to install up to 4 virtualok for free with Windows 2008 Standard.

Thus, it is, in fact, a server for an accountant: four virtual machines work here - CRM / billing, 1C8 (we switch to it), 1C7 (we work with it), client-bank.

All four servers are separated from each other: they are located in different Hyper-V virtual networks that cannot see each other.

This is done so that in a situation where some of the machines pick up some infection, the infection does not spread beyond it.

From the same machines, we send reports to the tax office through MeDOC and “Farewell zvitnist”. Tax sees that reports come from the IP of our office and not from Europe, as traffic from the “accounting” servers is routed through the VPN tunnel to the office.

Just like on the office virtual machine, on servers with 1C, the Internet is accessible through a proxy, Dr.Webs and standard software work.

In 1C 7th, the key works through the Usb-over-network, with 1C 8 we use the software key.

Internet is disabled on the client bank server: access is only available to the banks' servers. The bank also sees our office IP and not the real IP of the server.



5) All of these servers are accessible via Remote Desktop (RDP) after logging in to the Open VPN server (either of the two).

And one more fruit of my paranoia: when connecting to the Open VPN server, it is impossible to see any server in your network.

By RDP, servers can only be accessed via a non-standard port that “flushes” (DNAT) to the RDP port of the corresponding virtual machine.



6) In the office we have a Wi-Fi router D Link DIR-320. We reflash it, and then set up an OpenVPN client on it.

The DIR-320 includes a USB printer, to which all virtuals can print through a tunnel.

Employees from the office can work without changing anything on their laptops.

Employees who want to work remotely have been given Open VPN keys and the following instructions: how to set up a tunnel on MacOS / Windows, how to go to the remote desktop, how to print to an office printer, how to print to a home printer, and so on.



7) The most important is backup.

Since there is nothing on the host systems except Hyper-V, they are not backed up.

On Friday afternoon, all employees receive a mailing (a reminder of the event from the Google Calendar) asking them not to forget to close all applications and save all documents.

On the night from Friday to Saturday, the Power Shell – script turns off all virtuals, copies their VHD images to a separate folder, and from where it copies to a backup server through the VPN tunnel + to my server in Ukraine.

But this is only half the battle.

Every day a script is launched on all virtual machines that archives the data that has changed during the day; and every week - archives all user data (really everything - from documents to 1C-databases).

Archiving takes place based on this instruction: habrahabr.ru/blogs/personal/82185 , but we make archives password-protected, multi-volume and with the addition of information for recovery. The archives are made up into premium accounts of DropBox and Google Drive and through these services fall on both servers (+ director on a laptop).



What we have in the end:

- Upon request, I can recover any document for any day.

- All archives with a password of hundreds of random characters. Even if DropBox will show someone all their files again, it will be extremely difficult to open my archive.

- In case of any force majeure with one of the DCs, I, in less than an hour, will be able to run a copy of the server a week ago on another server in another country + roll changes from the archives.



Everything described has been working for us for almost a year. There are no particular complaints, except that the software update on four servers takes four times longer :).

Data from backup archives was restored a couple of times on demand - it works like a clock.

For the test, imitated the DC shutdown several times: raised all servers from backup on one of the servers. Everything works, except for 1C8 with a software key, it is important to make a completely similar configuration on the new server.

The accountant once “flew” the laptop, - the work was restored in half an hour, simply issuing a new one and setting up shortcuts for connecting to servers.

Data centers were not available several times for half an hour due to the upgrade of routers, but this was never the case during working hours.

Also, once there was an attack on the DC in the Netherlands: everything “lagged” for about an hour during working hours.

Theoretically, it would be possible to still tweak encrypted filesystems and spread servers across different continents, but in our case I do not see any point in this.





I hope this information was interesting. I would be glad if it is useful to someone.

If you decide to repeat this configuration, do not hesitate to ask: I will be happy to help with the advice and reveal any unclear details.