
Re: libapache2-mod-jk2 configuration -- Do NOT do that!



Forgot to copy the reply to this list.

On Friday 24 June 2005 07:00, Alan Chandler wrote:
> On Friday 24 June 2005 01:12, Paul D. Bain wrote:
> > 	I am not an expert on network security, but, IIRC, putting a web server
> > on the same physical box as a firewall is an incredibly _bad_ idea, at
> > least from a security point of view. Why? Well, if your web server is
> > compromised (via the box's "external address," as you term it), and if
> > the attacker then gains root access to the box on which the web server
> > runs (which he can do with a root kit), he can then either (a) attack
> > machines that lie _behind_ the firewall (the ones with IP addresses
> > beginning with "192.168") or (b) install a packet sniffer to gather
> > passwords and other sensitive information. Furthermore, here, you are
> > proposing to run not one, but _two_, web servers (Apache and Tomcat) on
> > your firewall box, increasing the chances of compromise (simply because
> > twice the servers means twice the security vulnerabilities in the server
> > software).
> >
> > 	If I were you, I would have a security expert give a quick opinion on
> > the soundness of your proposed configuration.
>
> I understand your concerns.  However this is a home configuration and I
> only have one server, so I don't have a choice.
>
> I have, in the past, run small standalone routers as my firewall.  Both a
> netgear rp614 and a dlink 604. However, at the times when there are the
> trojans about, causing massive numbers of ARP messages on my ISP's local LAN
> segment to which my broadband modem is connected, these routers tend to
> lock solid requiring a power off reset to restart them.  Yet my linux box
> running all these extra services (and postgres, mysql, exim4, smapd,
> courier-imap, fetchmail, bind, dhcpd3, samba, subversion server ...) has
> run solid for over a year without a problem.
>
> Of course my iptables firewall has locked down everything pretty solidly,
> but it is only one line of defence.  I do understand that ideally I should
> take an onion like approach (multiple layers) to security. Unfortunately I
> don't have a choice. Fortunately there is not much sensitive data around
> either.
>
> I do have a root kit sniffer run every night (which every night reports
> that dhcpd3 is sniffing the ethernet) in case someone does get in.
>
-- 
Alan Chandler
http://www.chandlerfamily.org.uk
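The thread's concern is that a compromised Apache or Tomcat process on the firewall box can reach the 192.168 machines behind it. One cheap extra layer on a single host, beyond the inbound rules Alan mentions, is an egress policy keyed on the process owner: iptables' "owner" match lets the web server answer the connections it receives, talk to Tomcat over AJP on loopback, and nothing else. The script below is an added example written for this page, not code from the thread or from the mod_jk2 project; it assumes Linux iptables with the owner and state matches, a LAN of 192.168.0.0/16, and service accounts named www-data and tomcat5 (all assumptions; adjust to the real layout). It prints the rules rather than applying them, so it can be reviewed first and then piped to sh as root.

```shell
#!/bin/sh
# Added example: egress containment for web-server processes on a combined
# firewall/web host. Assumed values below; none come from the original thread.
LAN_NET="${LAN_NET:-192.168.0.0/16}"          # assumed internal network
WEB_USERS="${WEB_USERS:-www-data tomcat5}"    # hypothetical service accounts

# emit_rules prints the iptables commands for a WEB_EGRESS chain.
# Usage: ./web-egress.sh | sh        (as root, after reading the output)
emit_rules() {
    echo "iptables -N WEB_EGRESS"
    # Every packet generated by a web-server account goes through the chain.
    for u in $WEB_USERS; do
        echo "iptables -A OUTPUT -m owner --uid-owner $u -j WEB_EGRESS"
    done
    # Replies on connections that clients opened (the HTTP responses) are fine.
    echo "iptables -A WEB_EGRESS -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # Apache -> Tomcat over AJP, and the local resolver, live on loopback.
    echo "iptables -A WEB_EGRESS -o lo -j ACCEPT"
    # A web process may not open new connections into the LAN: log, then drop.
    echo "iptables -A WEB_EGRESS -d $LAN_NET -j LOG --log-prefix 'web-to-lan: '"
    echo "iptables -A WEB_EGRESS -d $LAN_NET -j DROP"
    # Nor anywhere else on its own initiative (reverse shells, tool downloads).
    echo "iptables -A WEB_EGRESS -j LOG --log-prefix 'web-egress: '"
    echo "iptables -A WEB_EGRESS -j DROP"
}

# lan_drop_count reports how many rules drop LAN-bound traffic, as a sanity
# check that the containment rule for the internal network is present.
lan_drop_count() {
    emit_rules | grep -c -- "-d $LAN_NET -j DROP"
}

emit_rules
```

The LOG lines are what make the layer worth having: a nightly look at the kernel log for the two prefixes shows whether any web-server process tried to leave its box, which is the earliest sign of the compromise the thread worries about. If the site uses outbound connections legitimately (fetching a feed, sending mail), add an ACCEPT for that exact destination and port above the final DROP rather than widening the chain.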
