I’ve been asked to set up a server for a research team at my university. I’ve already had the practice of setting a server at home, so I have a rough idea of how things should be done. Still, I wish to follow best practices when setting up a server for this use case. Plus I would prefer to avoid too much tinkering for the setup since I’m planning to keep the installation as simple as possible.
Following are some rough constraints and considerations for the setup:
- Server computer is a Mac Mini (latest model I think?). I’ve been told they would replace macOS with Linux, still I believe I should ready if they don’t (I don’t have experience with macOS at all)
- Server will be situated in university and provided a static IP address
- Team needs remote access to the server, presumably comfortable with using CLI
- I am unlikely to be permitted access to server myself after setup, so it should be ready to be managed by the team
- Extra hardware and/or paid software could be arranged but to a limited extent and within reason
I don’t think they have really any requirement other than having remote access to the server. I think SSH should suffice, however I was wondering if I could also arrange for backups, GUI server panel etc.
They already have gotten the permission for this.
However the IT department wouldn’t be helping with enabling public access to the computer via the university’s intranet. So it is up to me to figure out an alternative connection strategy like tunneling or VPN.
I might double check if you’re taking the research team’s word for it. It’s very strange to me that IT won’t help with setting up remote access, especially if you’re doing something like setting up a tunnel that would likely bypass their firewall rules and network monitoring. If anyone compromises your tunnel and are able to access education, financial, or health records with it, your IT team and you will be in very hot water. I’ve had to set up remote access for research projects before, and that involved site-to-site tunnels between participating campuses. These always run on the university’s VPN infrastructure, you’re not going to be rolling your own talescale or wireguard to do this because you want to be able to inspect the traffic flowing over it. You’ll also need to tie into the university’s identity management platform to make sure that only authorized users have access to the server. Whatever you decide to to, at least deliver a copy of your documentation, because once you’re out of the picture, it’s going to be up to campus IT to maintain it.
Honestly, after considering the security implications of enabling access to the university’s network, I think I would first warn the team about this before setting up anything and let them decide how to proceed afterwards. I’ll also inform them to ask the IT department for the in-house VPN solution and identity management.
I don’t believe there would be need for the team to access anything in the network apart from the computer itself. Is it possible to arrange a solution that disables connections to intranet devices through the server by default just to be safe?
Perhaps consider a SOCKS5 reverse proxy. If done over SSH, the client systems networking would act as though they are on the server itself, traffic would be secure, and it would walk around most firewall rules that probably exist.
Using key based authentication would also make it such that it is more secure and easier for the researchers to log in - they wouldn’t even have to remember a password, they would just need some SSH client/configs.
Specifically, read up on “bastion hosts”.