
Re: libapache2-mod-jk2 configuration -- Do NOT do that!



On Friday 24 June 2005 01:12, Paul D. Bain wrote:

>
> 	I am not an expert on network security, but, IIRC, putting a web server
> on the same physical box as a firewall is an incredibly _bad_ idea, at
> least from a security point of view. Why? Well, if your web server is
> compromised (via the box's "external address," as you term it), and if
> the attacker then gains root access to the box on which the web server
> runs (which he can do with a root kit), he can then either (a) attack
> machines that lie _behind_ the firewall (the ones with IP addresses
> beginning with "192.168") or (b) install a packet sniffer to gather
> passwords and other sensitive information. Furthermore, here, you are
> proposing to run not one, but _two_, web servers (Apache and Tomcat) on
> your firewall box, increasing the chances of compromise (simply because
> twice the servers means twice the security vulnerabilities in the server
> software).
>
> 	If I were you, I would have a security expert give a quick opinion on
> the soundness of your proposed configuration.

I understand your concerns.  However, this is a home configuration and I only 
have one server, so I don't have a choice.

I have, in the past, run small standalone routers as my firewall.  Both a 
Netgear RP614 and a D-Link 604. However, at the times when there are 
trojans about, causing massive numbers of ARP messages on my ISP's local LAN 
segment to which my broadband modem is connected, these routers tend to lock 
solid, requiring a power-off reset to restart them.  Yet my Linux box running 
all these extra services (and postgres, mysql, exim4, smapd, courier-imap, 
fetchmail, bind, dhcpd3, samba, subversion server ...) has run solid for over 
a year without a problem.

Of course my iptables firewall has locked down everything pretty solidly, but 
it is only one line of defence.  I do understand that ideally I should take 
an onion-like approach (multiple layers) to security. Unfortunately I don't 
have a choice. Fortunately there is not much sensitive data around either.

I do have a rootkit sniffer run every night (which every night reports that 
dhcpd3 is sniffing the Ethernet) in case someone does get in.


-- 
Alan Chandler
http://www.chandlerfamily.org.uk


