[thelist] Hardening a webserver More Exact

Scott Wolpow scott at wolpow.com
Fri Jan 14 23:46:46 CST 2005


Yes it helps.  Any good books?
Scott


At 12:29 AM 15/01/2005 -0500, you wrote:
>On Fri, 14 Jan 2005 23:52:14 -0500, Scott Wolpow <scott at wolpow.com> wrote:
> > Ok I need to take more time. Just doing too many things.
> > Here is the plan.
> > On the main server will be the accounts database. In the database will be
> > passwords and logins for other specific sites.  The login form for a
> > specific site lives on the main server. The other sites will only accept
> > logins from the main server along with a certificate. From the site the
> > user will interact with various features and some of that information will
> > be passed to the main server and stored on the database.
> >   Currently I am running a freebsd machine with full root access, but would
> > change if there is a better way. I would like to keep the budget low until
> > this project takes off.
> > I hope this is a better explanation.
> >
>
>I am not totally sure about this, but is not the first rule of
>security to place the database on a separate computer behind a
>firewall? That way, if the server is hacked, the database stays
>secure.
>
>I would set up three zones -- Red (being the internet), Green (being
>behind a firewall), and DMZ or Orange (Being accessible from the
>internet). Your web server would go in the DMZ, the database server
>goes in the Green zone and everyone else belongs in the Red zone.
>
>However, in order to do this, you will need to create some form of
>pass through functions on the main server that allow the satellite
>servers to get information from the database. The satellite servers
>would invoke functions on the main server, these functions would then
>query the database and return the results. And of course this would
>all happen using SSL. However, this is for maximum security and I am
>not sure how much time, money and development you want to throw at
>this problem.
>
>As for OSes, I would definitely pick FreeBSD as already mentioned. If
>you want a full distributed system, you could always do all of your
>development in J2EE. This would add the security of a compiled
>language which makes it much harder to hack the source code. Plus,
>distributing the web app across multiple servers would probably be
>easier as this can be handled by the app server.
>
>Hope some of this helps.
>--
>chris johnston
>
>www.fuzzylizard.com
>
>"For millions of years, mankind lived just like the animals and
>something happened which unleashed the power of our imagination, we
>learned to talk."
>Pink Floyd
>--
>
>* * Please support the community that supports you.  * *
>http://evolt.org/help_support_evolt/
>
>For unsubscribe and other options, including the Tip Harvester
>and archives of thelist go to: http://lists.evolt.org
>Workers of the Web, evolt !
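The three-zone layout described above (Red = internet, Orange/DMZ = web server, Green = database server, firewall between them) can be expressed directly as a packet-filter policy. The following pf.conf is an added example written for this page, not something posted in the thread, and it assumes a FreeBSD firewall running pf with three interfaces: the interface names, the addresses, and the database port (PostgreSQL's 5432 is used as a placeholder) are all assumptions to be replaced with your own.

```conf
# Assumed interface names on the firewall host (replace with yours)
ext_if = "fxp0"   # Red: internet
dmz_if = "fxp1"   # Orange/DMZ: the main web server lives here
int_if = "fxp2"   # Green: the database server lives here

# Assumed (constructed) addresses and database port
web_srv = "192.0.2.10"
db_srv  = "10.0.0.10"
db_port = "5432"

set skip on lo0

# Default deny in every direction and log what gets dropped, so an
# attempt by a compromised web server to reach anything in Green other
# than the database port shows up in pflog.
block log all

# Drop packets with source addresses that do not belong on the interface
# they arrived on (stops a host in one zone posing as a host in another).
antispoof quick for { $ext_if, $dmz_if, $int_if }

# Red -> DMZ: the internet (and the satellite sites, which call the
# main server's pass-through functions over SSL) may reach the web
# server on HTTP and HTTPS only.
pass in  on $ext_if proto tcp from any to $web_srv port { 80, 443 } \
    flags S/SA keep state
pass out on $dmz_if proto tcp from any to $web_srv port { 80, 443 } \
    flags S/SA keep state

# DMZ -> Green: only the web server, and only to the database port.
# Nothing else in the DMZ may initiate a connection into Green.
pass in  on $dmz_if proto tcp from $web_srv to $db_srv port $db_port \
    flags S/SA keep state
pass out on $int_if proto tcp from $web_srv to $db_srv port $db_port \
    flags S/SA keep state

# Green -> anywhere: no pass rules, so the database server can only
# answer connections that already have state; it never initiates.
```

Load it with `pfctl -nf /etc/pf.conf` first (syntax check only), then `pfctl -f /etc/pf.conf`. The useful property is that even a fully compromised web server can only open TCP sessions to one address on one port in Green, and every other attempt is logged by the default `block log all` rule.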



