File server security

[Roger Jagoda]

Folks,
 
I have just a quick question about server security.
 
Like most sites, we are getting more and more machines
based on client-server models. We have SPARC, DEC 3100s,
and NeXTs (yup, 35 of 'em, cute little cubes!). Each
runs on small LANs all connected together.
 
Now, we use YP and its equivalences on these LANs to
administer passwd, group, printer, and other administration
chores. We'd LIKE to reduce security risks by limiting
access (rlogin, ftp, telnet) to the servers. Our hopes
are that no one can (either intentionally or unintentionally)
start a run-away process or clog a proc table bad enough to
crash a server effecting many other machines.
 
Is there a way to limit rlogin, telnet, ftp access to just
a few users (the net administrators). You can set up
anonymous ftp which means there's a way to REMOVE some security
but can you ADD more security to these services. Or is what
I'm describing part of MIT's KERBEROS?
 
The overall problem is that these servers are usually mounted FS's
for all other machines (for /users as $HOME dirs., or /clients
for netboot machine FS trees) via nfs. So any security we add
can't interfer with that.
 
Are we looking for too much? Can you export a server's disks without
allowing access to user logins directly?
 
Thanks in advance for all tips and advice. If there's interest,
I'll summarize back to the nets.
 
--Roger Jagoda
--Cornell University
--FQOJ at CORNELLA.CIT.CORNELL.EDU