Re: libapache2-mod-jk2 configuration -- Do NOT do that!

From: Alan Chandler (alan_at_chandlerfamily.org.uk)
Date: 06/24/05

    To: debian-user@lists.debian.org
    Date: Fri, 24 Jun 2005 07:00:40 +0100

    On Friday 24 June 2005 01:12, Paul D. Bain wrote:

    >
    > I am not an expert on network security, but, IIRC, putting a web server
    > on the same physical box as a firewall is an incredibly _bad_ idea, at
    > least from a security point of view. Why? Well, if your web server is
    > compromised (via the box's "external address," as you term it), and if
    > the attacker then gains root access to the box on which the web server
    > runs (which he can do with a root kit), he can then either (a) attack
    > machines that lie _behind_ the firewall (the ones with IP addresses
    > beginning with "192.168") or (b) install a packet sniffer to gather
    > passwords and other sensitive information. Furthermore, here, you are
    > proposing to run not one, but _two_, web servers (Apache and Tomcat) on
    > your firewall box, increasing the chances of compromise (simply because
    > twice the servers means twice the security vulnerabilities in the server
    > software).
    >
    > If I were you, I would have a security expert give a quick opinion on
    > the soundness of your proposed configuration.

    I understand your concerns. However, this is a home configuration and I only
    have one server, so I don't have a choice.

    I have, in the past, run small standalone routers as my firewall, both a
    Netgear RP614 and a D-Link 604. However, at the times when there are
    trojans about, causing massive numbers of ARP messages on my ISP's local LAN
    segment to which my broadband modem is connected, these routers tend to lock
    solid, requiring a power-off reset to restart them. Yet my Linux box running
    all these extra services (and postgres, mysql, exim4, spamd, courier-imap,
    fetchmail, bind, dhcpd3, samba, subversion server ...) has run solid for over
    a year without a problem.

    Of course my iptables firewall has locked down everything pretty solidly, but
    it is only one line of defence. I do understand that ideally I should take
    an onion-like approach (multiple layers) to security. Unfortunately I don't
    have a choice. Fortunately there is not much sensitive data around either.

    I do have a root kit sniffer run every night (which every night reports that
    dhcpd3 is sniffing the ethernet) in case someone does get in.

     

    -- 
    Alan Chandler
    http://www.chandlerfamily.org.uk
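The nightly check Alan describes, where dhcpd3 is reported as "sniffing", is the kind of report a rootkit checker produces when it finds PF_PACKET sockets and traces them back to their owning processes. The script below is an added example for this thread, not code from the original post or from any rootkit checker: it parses the Linux /proc/net/packet table, maps each socket inode to the process holding it via /proc/<pid>/fd, and flags every packet socket that is not held by an allowlisted daemon. The allowlist contents (dhcpd, dhcpd3) and the embedded sample table are assumptions constructed for the example; an inode with no visible owner is reported too, since a process that hides from /proc is exactly what such a check exists to catch.

```python
#!/usr/bin/env python3
"""Report which processes hold PF_PACKET (raw/packet) sockets, separating
expected users such as the DHCP server from unexplained ones.

Added example, not code from the mailing-list post or from any rootkit
checker. The /proc layouts are Linux's; the allowlist is an assumption."""
import os
import re

# Daemons that legitimately open packet sockets on this box (assumption:
# the ISC DHCP server named in the thread; extend to local needs).
EXPECTED_PACKET_SOCKET_OWNERS = {"dhcpd", "dhcpd3"}


def parse_packet_table(text):
    """Parse /proc/net/packet.

    Each data row has the columns:
    sk RefCnt Type Proto Iface R Rmem User Inode
    """
    sockets = []
    for line in text.strip().splitlines()[1:]:  # first line is the header
        fields = line.split()
        if len(fields) < 9:
            continue  # tolerate a truncated or malformed row
        sockets.append({
            "proto": int(fields[3], 16),   # ethertype, hex (0003 = ETH_P_ALL)
            "ifindex": int(fields[4]),
            "uid": int(fields[7]),
            "inode": int(fields[8]),
        })
    return sockets


def socket_inode_owners(proc="/proc"):
    """Map socket inode -> process name by walking /proc/<pid>/fd symlinks.

    Needs root to read other users' fd directories; unreadable entries are
    skipped, so their sockets will show up as '<unknown>' owners."""
    owners = {}
    link_re = re.compile(r"socket:\[(\d+)\]")
    for pid in filter(str.isdigit, os.listdir(proc)):
        fd_dir = os.path.join(proc, pid, "fd")
        try:
            with open(os.path.join(proc, pid, "comm")) as f:
                name = f.read().strip()
            fds = os.listdir(fd_dir)
        except OSError:
            continue  # process exited, or not readable by this user
        for fd in fds:
            try:
                target = os.readlink(os.path.join(fd_dir, fd))
            except OSError:
                continue
            m = link_re.fullmatch(target)
            if m:
                owners[int(m.group(1))] = name
    return owners


def classify(sockets, owners, expected=EXPECTED_PACKET_SOCKET_OWNERS):
    """Return a list of (inode, owner, verdict) for each packet socket.

    verdict is 'expected' when an allowlisted daemon holds the socket and
    'ALERT' otherwise, including sockets with no visible owner."""
    report = []
    for s in sockets:
        owner = owners.get(s["inode"], "<unknown>")
        verdict = "expected" if owner in expected else "ALERT"
        report.append((s["inode"], owner, verdict))
    return report


# Constructed sample: two packet sockets, one held by dhcpd3 and one whose
# inode appears in no readable /proc/<pid>/fd directory.
SAMPLE_PACKET_TABLE = """\
sk       RefCnt Type Proto  Iface R Rmem   User   Inode
f6a1c400 3      3    0003   2     1 0      0      18213
f6a1c800 3      3    0003   2     1 0      0      18999
"""
SAMPLE_OWNERS = {18213: "dhcpd3"}


if __name__ == "__main__":
    if os.path.exists("/proc/net/packet"):
        with open("/proc/net/packet") as f:
            report = classify(parse_packet_table(f.read()), socket_inode_owners())
    else:
        report = classify(parse_packet_table(SAMPLE_PACKET_TABLE), SAMPLE_OWNERS)
    for inode, owner, verdict in report:
        print(f"packet socket inode {inode}: {owner} -> {verdict}")
```

Run as root from cron to get live data; on a box without /proc/net/packet it falls back to the constructed sample. Because the verdict depends on the owning process rather than on the socket alone, a known daemon such as dhcpd3 stops generating the same report every night, while a packet socket held by anything else, or by nothing visible, is still flagged.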