On Wed, 3 Nov 1999, Evan Moore wrote:
> port to act as a loging machine, and then make the web server a read
> only system. How may a person make a read only system. Would mounting
> the drive ro do the trick, or would it be easy for someone to remount
> the system rw.
In general it is neither possible nor desirable to make a system "read
only." Such a setup will increase your hassle dramatically but will not
really improve security in any meaningful way.
The best way to preserve security on a web server is to block off all the
ports other than port 80 using a firewall, and make sure you follow the
Apache mailing list and keep up to date on possible security concerns in
the Apache software itself as well as any software that you have that
works in conjunction with it, such as CGI scripts, PHP, etc.
Having another machine attached via serial port is a reasonable thing to
do. It won't really provide any security, but it will provide a
(hopefully unassailable) syslog facility. Of course, you must configure
the logging machine to not accept any data from the webserver other than
the syslog using the Linux kernel's packet filtering abilities. You would
then (possibly) want to connect the logger to the rest of your network for
- From: Evan Moore <email@example.com>