I have a small SoHo LAN which is used by the family (mostly just two of us now) for personal use and in running our small Ltd. company.
There's no very sensitive (as in confidential) information on any of the systems but I guess there is stuff in E-Mails etc. that we don't really want to escape. More important is the *safety* (as in not losing) of a lot of information such as the company accounts, E-Mail trails of work we do and so on.
Recently I have set up a small server machine which now handles DNS (using dnsmasq), has the publicly visible web pages (not the company site but bits and pieces that I want to make visible to 'the world') and runs an SMTP server. This means that firstly I can turn my desktop machine off now (it used to be the server) and secondly there's no direct access from the outside world to my desktop machine.
The firewall is set up to allow only ssh, http and SMTP connections from the outside and all three of these are routed to the server machine.
So far so good. Now I'm wondering whether I have overlooked anything obvious and/or if there's any way I can improve things. The most likely sort of exploit/damage as I see it is someone breaking into the server machine and just making a mess.
I keep the server software as up to date as possible with security fixes etc. for apache, ssh and SMTP (postfix) so it should be fairly difficult to break in. I only allow ssh connections from two hosts (where I have shell login accounts) so password guessing needs to get there first and then into the server.
All important data from desktop machines is backed up to a NAS in the garage (separate machine from the server) so that should protect against fire damage and even burglars as they're unlikely to break into both the house and the garage as well as notice hardware in both places. I also back up the critical company files 'off site' to my hosting company's site.
The final barrier(s) I'm thinking about are the ease (or otherwise) of doing damage if someone breaks into one system in the LAN. For example, would I win anything by enabling the root account on the server (currently sudo only) so that if someone breaks in as me they'd still have to guess the root password to be able to do anything nasty?
Are there any NFS exploits I should worry about? There are quite a few NFS mounts across the various systems.
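One concrete way to answer the NFS question for a LAN like this is to audit the server's export list rather than wonder about specific exploits: the options that matter most are who the share is exported to, whether remote root is squashed, and whether the server trusts client-supplied identities (AUTH_SYS) at all. The script below is an added example for this post, not something from the original question or any project it mentions. It parses `/etc/exports` syntax and flags the risky settings; option meanings follow exports(5), and the export file content at the top is constructed for illustration.

```python
"""Audit an /etc/exports file for settings that widen the blast radius of a
compromised LAN host.  Added example; the SAMPLE_EXPORTS content is constructed."""
import sys
from dataclasses import dataclass

# Constructed sample, not from any real machine.
SAMPLE_EXPORTS = """\
# home server exports (constructed example)
/srv/shared   192.168.1.0/24(rw,sync,root_squash)
/srv/backup   nas.example.lan(rw,sync,no_root_squash)
/srv/public   *(ro,sync)
/home         192.168.1.10(rw,insecure) 192.168.1.11(rw)
/srv/krb      192.168.1.0/24(rw,sec=krb5p)
"""


@dataclass
class Finding:
    path: str
    client: str
    severity: str   # HIGH, MEDIUM or INFO
    message: str


def parse_exports(text):
    """Return a list of (path, client, options) tuples, one per client entry."""
    entries = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        path = parts[0]
        rest = parts[1] if len(parts) > 1 else ''
        if not rest:
            entries.append((path, '*', []))        # no client at all: everyone
            continue
        for token in rest.split():
            if '(' in token:
                client, _, opts = token.partition('(')
                opts = opts.rstrip(')')
            else:
                client, opts = token, ''
            if client == '':
                client = '*'                       # "(rw)" with no host: everyone
            options = [o for o in opts.split(',') if o]
            entries.append((path, client, options))
    return entries


def audit_exports(text):
    """Apply the checks a defender cares about and return Findings in file order."""
    findings = []
    for path, client, opts in parse_exports(text):
        optset = set(opts)
        if '*' in client or '?' in client:
            sev = 'HIGH' if client == '*' else 'MEDIUM'
            findings.append(Finding(path, client, sev,
                'exported to a wildcard client match; any host that can reach the '
                'server can mount it' + (' read-write' if 'rw' in optset else '')))
        if 'no_root_squash' in optset:
            findings.append(Finding(path, client, 'HIGH',
                'remote root is mapped to local root; a compromised client owns '
                'every file on this export'))
        if 'insecure' in optset:
            findings.append(Finding(path, client, 'MEDIUM',
                'requests accepted from unprivileged source ports; an ordinary '
                'user on the client can speak NFS directly and claim any uid'))
        if not any(o.startswith('sec=') and 'krb5' in o for o in opts):
            findings.append(Finding(path, client, 'INFO',
                'AUTH_SYS: the server trusts the uid/gid the client sends, so '
                'access control is only as strong as the client host list'))
    return findings


def summarize(findings):
    """Count findings per severity, e.g. {'HIGH': 2, 'MEDIUM': 1, 'INFO': 5}."""
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == '__main__':
    # Pass a real exports file as the first argument to audit it instead.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_EXPORTS
    results = audit_exports(text)
    for f in results:
        print(f'{f.severity:6} {f.path} -> {f.client}: {f.message}')
    print(summarize(results))
```

Run it against the server's real `/etc/exports` (`python3 audit_exports.py /etc/exports`) and compare with `exportfs -v`, which shows the options the kernel actually applied including defaults. In the constructed sample the backup share with `no_root_squash` is the one that matters for the post's scenario: a break-in on any allowed client gives root over that whole tree, which is exactly the backup copy meant to survive damage elsewhere.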