On Wed, 28 Dec 2005 07:54:16 +1030 Tim <ignored_mailbox@xxxxxxxxxxxx> opined:

> Jeffrey Tadlock:
>
> >> You may not want to run a webserver on your firewall from a security
> >> standpoint, but that aside...
>
> Timothy Murphy:
>
> > Is it safer to run shorewall on another computer behind the firewall?
>
> Shorewall is what configures your firewall, it's done on the same
> computer.
>
> > I'd be interested in any information - eg pointers to documentation -
> > on making a home web-server secure (or more secure, at least).
>
> The basic advice is to run something separate as a firewall between the
> WWW and you. If you wanted to be really safe, and run a public web
> server, then you'd run the web server on a separate box, too.

I'm not entirely sure how much a firewall has to do with this. It's a matter of how the firewall is used. No need for Shorewall IMO.

The issue becomes who to block, how and for how long. One option is to do this via snort (there are several methods of triggering firewall rules). Another method is with mod_security. On a busy server, that can get expensive.

I tried adaptive techniques using "string" and "recent." String can get very expensive. Furthermore, without RegEx, it's hard to control. Recent can be cumbersome to use.

The solution that I have arrived on is to use Swatch to identify a list of patterns (some from snort rules). The first packet whacks the IP (input and output) in netfilter. Then, the same script pushes a job to ATD to remove the block in 30 minutes. This keeps the tables effective and lean.

-- 
Our DNSRBL - Eliminate Spam: http://www.TQMcube.com/spam_trap.php
Multi-RBL Check: http://www.TQMcube.com/rblcheck.php
Zombie Graphs: http://www.TQMcube.com/zombies.php
GeoGraphics: http://www.TQMcube.com/origins.php
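The Swatch-plus-netfilter-plus-atd approach the reply describes, written out as an added example (this is not the poster's script and not Swatch configuration). It assumes an Apache-style access log whose first field is the client address, the `iptables` and `at` commands on the PATH, and a couple of constructed match patterns standing in for the snort-derived list; the log lines are constructed for illustration. The `Blocker` class does what the reply outlines: the first matching line inserts DROP rules on both INPUT and OUTPUT, the same step hands a delete script to `at` for 30 minutes later, and a table of live blocks prevents a repeat hit from stacking duplicate rules.

```python
"""Swatch-style temporary IP blocking: block on first hit, auto-expire via at(1).

Added example, not the poster's script. Assumes iptables and at are installed;
patterns and log lines below are constructed illustrations.
"""
import re
import subprocess
import time

BLOCK_MINUTES = 30  # block lifetime, as in the reply

# Constructed swatch-style patterns: one matching request is enough to block.
PATTERNS = [
    re.compile(r"\.\./|\.\.%2[fF]"),   # directory traversal attempts
    re.compile(r"/etc/passwd"),        # classic file-disclosure probe
]
# Leading client IPv4 address of a combined-log-format line.
CLIENT_IP = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\s")


def block_rules(ip):
    """Netfilter rules that drop the address on both input and output."""
    return [
        ["iptables", "-I", "INPUT", "-s", ip, "-j", "DROP"],
        ["iptables", "-I", "OUTPUT", "-d", ip, "-j", "DROP"],
    ]


def unblock_rules(ip):
    """The matching deletes, run later by atd."""
    return [
        ["iptables", "-D", "INPUT", "-s", ip, "-j", "DROP"],
        ["iptables", "-D", "OUTPUT", "-d", ip, "-j", "DROP"],
    ]


def at_job(ip, minutes=BLOCK_MINUTES):
    """at(1) argv plus the script fed on its stdin to remove the block."""
    script = "\n".join(" ".join(rule) for rule in unblock_rules(ip)) + "\n"
    return ["at", "now", "+", str(minutes), "minutes"], script


class Blocker:
    def __init__(self, dry_run=True, now=time.time):
        self.dry_run = dry_run
        self.now = now          # injectable clock (seconds) so expiry is testable
        self.blocked = {}       # ip -> expiry time; stops repeat hits re-blocking
        self.executed = []      # (argv, stdin) pairs, for auditing and dry runs

    def _run(self, argv, stdin=None):
        self.executed.append((argv, stdin))
        if not self.dry_run:
            subprocess.run(argv, input=stdin, text=True, check=True)

    def expire(self):
        """Forget entries whose at job has fired, so the address can be blocked again."""
        now = self.now()
        for ip in [ip for ip, until in self.blocked.items() if until <= now]:
            del self.blocked[ip]

    def block(self, ip, minutes=BLOCK_MINUTES):
        """Insert the DROP rules and schedule their removal; False if already blocked."""
        self.expire()
        if ip in self.blocked:
            return False
        for rule in block_rules(ip):
            self._run(rule)
        argv, script = at_job(ip, minutes)
        self._run(argv, script)
        self.blocked[ip] = self.now() + minutes * 60
        return True

    def handle_line(self, line):
        """Return the address if this line triggered a new block, else None."""
        m = CLIENT_IP.match(line)
        if not m or not any(p.search(line) for p in PATTERNS):
            return None
        return m.group(1) if self.block(m.group(1)) else None

    def process(self, lines):
        """Addresses newly blocked while scanning the given log lines."""
        return [ip for ip in map(self.handle_line, lines) if ip]


# Constructed sample log: one traversal probe (twice, same source), one normal hit.
SAMPLE_LOG = [
    '203.0.113.7 - - [28/Dec/2005:07:54:16 +1030] "GET /cgi-bin/../../../etc/passwd HTTP/1.0" 404 291',
    '198.51.100.22 - - [28/Dec/2005:07:54:17 +1030] "GET /index.html HTTP/1.1" 200 1043',
    '203.0.113.7 - - [28/Dec/2005:07:54:18 +1030] "GET /scripts/..%2f..%2fetc/passwd HTTP/1.0" 404 291',
]

if __name__ == "__main__":
    blocker = Blocker(dry_run=True)       # dry run: records commands, runs nothing
    print(blocker.process(SAMPLE_LOG))    # ['203.0.113.7']
    for argv, stdin in blocker.executed:
        print(" ".join(argv), repr(stdin) if stdin else "")
```

Run with `dry_run=False` and a real tail of the access log to apply the rules; `expire()` mirrors what atd does on the kernel side so the in-memory table and the netfilter chain do not drift apart, and the same `at_job` script works whether the block came from this watcher or was inserted by hand.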