Shorewall for web server?

John Summerfied debian at herakles.homelinux.org
Wed Dec 28 13:49:59 UTC 2005


Tim wrote:
> On Wed, 2005-12-28 at 00:04 +0000, Timothy Murphy wrote:
> 
>>I still don't really see any great advantage
>>in running the web-server on a different machine to the firewall.
>>Can one not restrict the part of the computer 
>>accessible through the web-server in a reasonably secure way?
> 
> 
> It's just another step towards greater security.
> 
> A firewall will only allow the traffic that you want, and it can block
> things in different ways (if you want) that a web server doesn't/mayn't
> have features to do.  Not just blocking incoming connections to your
> system, but blocking any exploits they make of your server back to the
> outside world.
> 
> 
>>Actually, everything available through the web-server is fully backed
>>up, so it would not be any great loss if someone hacked this.
>>On the other hand, I would be upset if someone hacked into
>>the main part of the computer running the firewall.
> 
> 
> If someone hacks into a firewall PC with no servers on it, they're a bit
> lost.  They can't do much more than look at what's on it.
> 
> But if they break into a box with servers, then they've got more
> opportunities to make a nuisance of themselves.  Both to you, and to
> others through you.  In the latter case, it looks like it is you harming
> others, and you might have to wear the responsibility of it.  Spam may
> be the least of your problems, they might carry out illegal acts through
> you.
> 

Oh, Tim!

I've seen a couple of cracked boxes. The first thing the intruders did 
was install their own server, an IRC bot. It was licenced under the GPL, 
and they complied with the licence, giving me the source code to it.

It's true the boxes had servers on them: one needs ssh for remote 
maintenance, and it's the nature of useful server (boxes) that they run 
server software on them, but the intruders didn't use the existing 
servers except to gain entry.

The protection offered by a firewall against incoming attacks is vastly 
overrated.

OTOH, blocking outgoing traffic can be very handy. If the firewall on 
the above boxes had limited outgoing TCP connexions to approved sources, 
then it would have been a little harder to install their IRC bot. Quite 
possibly enough to defeat a script kiddie.




-- 

Cheers
John

-- spambait
1aaaaaaa at computerdatasafe.com.au  Z1aaaaaaa at computerdatasafe.com.au
Tourist pics http://portgeographe.environmentaldisasters.cds.merseine.nu/

do not reply off-list
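One way to implement the outbound restriction John describes, shown as an added example that is not part of the thread: a default-deny egress policy in Shorewall's policy file, with the rules file listing only the destinations the host is allowed to reach. The destination addresses are constructed placeholders from the 192.0.2.0/24 documentation range, not real hosts, and the allowed services (resolver, time server, package mirror) are assumptions about what such a box would need.

```text
# /etc/shorewall/policy  (constructed example, not from the thread)
#SOURCE   DEST   POLICY   LOG LEVEL
# Default-deny egress: every outbound connection not listed in the
# rules file is dropped and logged, which is what would have stopped
# (or at least exposed) the IRC bot phoning home.
$FW       net    DROP     info
net       $FW    DROP     info
net       all    DROP     info
all       all    REJECT   info

# /etc/shorewall/rules  (constructed example; addresses are placeholders)
#ACTION   SOURCE   DEST               PROTO   DEST PORT(S)
# Inbound: only the services this host is meant to offer.
ACCEPT    net      $FW                tcp     80,443
# ssh for remote maintenance
ACCEPT    net      $FW                tcp     22
# Outbound: only to approved destinations.
# DNS resolver (placeholder address)
ACCEPT    $FW      net:192.0.2.53     udp     53
# NTP time server (placeholder address)
ACCEPT    $FW      net:192.0.2.123    udp     123
# package mirror used for updates (placeholder address)
ACCEPT    $FW      net:192.0.2.80     tcp     80
```

With this in place an intruder's bot trying to open a connection to an IRC server hits the $FW-to-net DROP policy, and because that policy logs at the info level, the attempt shows up in syslog as a dropped packet in the fw2net chain. That log line is often the first sign a defender gets that a box has been compromised, which is the detection value of egress filtering on top of the containment John points out.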