Tim wrote:
> On Wed, 2005-12-28 at 00:04 +0000, Timothy Murphy wrote:
> > I still don't really see any great advantage
> > in running the web-server on a different machine to the firewall.
> > Can one not restrict the part of the computer
> > accessible through the web-server in a reasonably secure way?
> It's just another step towards greater security.
> A firewall will only allow the traffic that you want, and it can block
> things in different ways (if you want) that a web server doesn't/mayn't
> have features to do. Not just blocking incoming connections to your
> system, but blocking any exploits they make of your server back to the
> outside world.
> > Actually, everything available through the web-server is fully backed
> > up, so it would not be any great loss if someone hacked this.
> > On the other hand, I would be upset if someone hacked into
> > the main part of the computer running the firewall.
> If someone hacks into a firewall PC with no servers on it, they're a bit
> lost. They can't do much more than look at what's on it.
> But if they break into a box with servers, then they've got more
> opportunities to make a nuisance of themselves. Both to you, and to
> others through you. In the latter case, it looks like it is you harming
> others, and you might have to wear the responsibility of it. Spam may
> be the least of your problems, they might carry out illegal acts through
> you.
Oh, Tim!
I've seen a couple of cracked boxes. The first thing the intruders did
was install their own server, an IRC bot. It was licenced under the GPL,
and they complied with the licence, giving me the source code to it.
It's true the boxes had servers on them: one needs ssh for remote
maintenance, and it's the nature of useful server (boxes) that they run
server software on them, but the intruders didn't use the existing
servers except to gain entry.
The protection offered by a firewall against incoming attacks is vastly
overrated.
OTOH, blocking outgoing traffic can be very handy. If the firewall on
the above boxes had limited outgoing TCP connexions to approved sources,
then it would have been a little harder to install their IRC bot. Quite
possibly enough to defeat a script kiddie.
--
Cheers
John
-- spambait
1aaaaaaa@xxxxxxxxxxxxxxxxxxxxxxx Z1aaaaaaa@xxxxxxxxxxxxxxxxxxxxxxx
Tourist pics http://portgeographe.environmentaldisasters.cds.merseine.nu/
do not reply off-list
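The egress allow-list John describes (outbound TCP permitted only to approved destinations, everything else dropped) as an added illustration; this is not code from the thread or from any of its participants. The policy, the log format, the host addresses (RFC 5737 documentation ranges) and the "admin network" and "resolver" roles are all constructed assumptions. The block evaluates sample outbound connection attempts against the policy and renders the same policy as iptables OUTPUT-chain rules, so the connection an IRC bot would need shows up as a drop rather than a silent success.

```python
"""Egress allow-list check: constructed example, not from the mailing-list thread.

Models a host firewall whose OUTPUT chain defaults to DROP and only permits
new outbound TCP connections to an approved (network, port) list. Policy,
log lines and addresses below are all made up for illustration.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

# Constructed egress policy: (destination network, destination port).
# Anything outbound not listed here is dropped and logged.
EGRESS_ALLOW = [
    ("198.51.100.53/32", 53),    # assumed DNS resolver
    ("0.0.0.0/0", 80),           # web / package mirrors
    ("0.0.0.0/0", 443),
    ("203.0.113.0/24", 22),      # assumed admin network for outbound ssh
]


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int


# Made-up log format for outbound connection attempts.
LOG_RE = re.compile(r"OUT TCP (\S+):(\d+) -> (\S+):(\d+)")


def parse_flow(line: str) -> Flow | None:
    """Parse one constructed log line into a Flow, or None if it doesn't match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return Flow(m.group(1), int(m.group(2)), m.group(3), int(m.group(4)))


def is_allowed(flow: Flow, policy=EGRESS_ALLOW) -> bool:
    """True only if some policy entry matches both destination network and port."""
    dst = ipaddress.ip_address(flow.dst)
    for net, port in policy:
        if flow.dport == port and dst in ipaddress.ip_network(net):
            return True
    return False


def evaluate(lines, policy=EGRESS_ALLOW) -> list[tuple[Flow, str]]:
    """Return (flow, verdict) for every parseable line; default verdict is DROP."""
    results = []
    for line in lines:
        flow = parse_flow(line)
        if flow is None:
            continue
        results.append((flow, "ALLOW" if is_allowed(flow, policy) else "DROP"))
    return results


def iptables_rules(policy=EGRESS_ALLOW) -> list[str]:
    """Render the policy as iptables OUTPUT-chain rules with a DROP default.

    The rule syntax is standard iptables; the policy contents are the assumption.
    Established/related traffic is accepted so replies to inbound services still flow.
    """
    rules = [
        "iptables -P OUTPUT DROP",
        "iptables -A OUTPUT -o lo -j ACCEPT",
        "iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT",
    ]
    for net, port in policy:
        rules.append(
            f"iptables -A OUTPUT -p tcp -d {net} --dport {port} "
            f"-m state --state NEW -j ACCEPT"
        )
    # Log what falls through so an unexpected outbound connection is visible.
    rules.append("iptables -A OUTPUT -j LOG --log-prefix 'egress-drop: '")
    return rules


SAMPLE_LOG = [  # constructed connection attempts from a host at 192.0.2.10
    "OUT TCP 192.0.2.10:40001 -> 198.51.100.53:53",
    "OUT TCP 192.0.2.10:40002 -> 198.51.100.80:443",
    "OUT TCP 192.0.2.10:40003 -> 203.0.113.7:22",
    "OUT TCP 192.0.2.10:40004 -> 198.51.100.99:6667",  # IRC-style connection
    "OUT TCP 192.0.2.10:40005 -> 198.51.100.99:22",    # ssh to a non-admin host
]

if __name__ == "__main__":
    for flow, verdict in evaluate(SAMPLE_LOG):
        print(f"{verdict:5} {flow.dst}:{flow.dport}")
    print("\n".join(iptables_rules()))
```

The point of the LOG rule at the end is that a default-drop egress policy doubles as a detection: a freshly installed bot trying to reach its IRC server produces a logged drop from a host that normally never opens that kind of connection.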