[thelist] Hardening a webserver More Exact

Chris Johnston fuzzylizard at gmail.com
Fri Jan 14 23:29:00 CST 2005


On Fri, 14 Jan 2005 23:52:14 -0500, Scott Wolpow <scott at wolpow.com> wrote:
> Ok I need to take more time. Just doing too many things.
> Here is the plan.
> On the main server will be the accounts database. In the database will be
> passwords and logins for other specific sites.  The login form for a
> specific site lives on the main server. The other sites will only accept
> logins from the main server along with a certificate. From the site the
> user will interact with various features and some of that information will
> be passed to the main server and stored on the database.
>   Currently I am running a freebsd machine with full root access, but would
> change if there is a better way. I would like to keep the budget low until
> this project takes off.
> I hope this is a better explanation.
> 

I am not totally sure about this, but is not the first rule of
security to place the database on a separate computer behind a
firewall? That way, if the server is hacked, the database stays
secure.

I would set up three zones -- Red (being the internet), Green (being
behind a firewall), and DMZ or Orange (being accessible from the
internet). Your web server would go in the DMZ, the database server
goes in the Green zone and everyone else belongs in the Red zone.

However, in order to do this, you will need to create some form of
pass through functions on the main server that allow the satellite
servers to get information from the database. The satellite servers
would invoke functions on the main server; these functions would then
query the database and return the results. And of course this would
all happen using SSL. However, this is for maximum security and I am
not sure how much time, money and development you want to throw at
this problem.

As for OSes, I would definitely pick FreeBSD as already mentioned. If
you want a full distributed system, you could always do all of your
development in J2EE. This would add the security of a compiled
language which makes it much harder to hack the source code. Plus,
distributing the web app across multiple servers would probably be
easier as this can be handled by the app server.

Hope some of this helps.
-- 
chris johnston

www.fuzzylizard.com

"For millions of years, mankind lived just like the animals and
something happened which unleashed the power of our imagination, we
learned to talk."
Pink Floyd
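The pass-through design described in the reply above, as an added example that is not part of the original thread: the main server (Green zone) exposes a small allow-list of fixed functions, and a satellite server in the DMZ names one of them in a JSON request instead of sending SQL. The accounts data, function names and request format are constructed for illustration; the SSL transport with client certificates is assumed to wrap this exchange and is not modelled.

```python
import hashlib
import hmac
import json
import os
import sqlite3


def make_hash(password, salt):
    # Salted PBKDF2 so the stored value is not the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000).hex()


def build_accounts_db():
    # Constructed sample data standing in for the main server's accounts database.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (login TEXT, site TEXT, salt BLOB, "
                 "pw_hash TEXT, PRIMARY KEY (login, site))")
    conn.execute("CREATE TABLE events (login TEXT, site TEXT, event TEXT)")
    for login, site, pw in [("alice", "shop", "correct horse"), ("bob", "forum", "battery staple")]:
        salt = os.urandom(16)
        conn.execute("INSERT INTO accounts VALUES (?, ?, ?, ?)", (login, site, salt, make_hash(pw, salt)))
    return conn


# Pass-through functions: each is one fixed, parameterised query. The satellite
# server only names the function and supplies arguments, so no SQL crosses the
# zone boundary and the DMZ host never needs direct database access.
def verify_login(conn, login, site, password):
    row = conn.execute("SELECT salt, pw_hash FROM accounts WHERE login = ? AND site = ?",
                       (login, site)).fetchone()
    if row is None:
        return {"ok": False}
    return {"ok": hmac.compare_digest(make_hash(password, row[0]), row[1])}


def record_event(conn, login, site, event):
    # Information flowing back from a satellite site into the central database.
    conn.execute("INSERT INTO events VALUES (?, ?, ?)", (login, site, event))
    return {"ok": True}


# Allow-list: the only operations the DMZ side may invoke (hypothetical names).
FUNCTIONS = {"verify_login": verify_login, "record_event": record_event}


def handle_request(conn, raw):
    """Dispatch one JSON request of the form {"fn": "...", "args": {...}}.
    Unknown functions, malformed JSON or wrong argument names are rejected."""
    try:
        req = json.loads(raw)
        fn = FUNCTIONS[req["fn"]]
        return json.dumps(fn(conn, **req["args"]))
    except (KeyError, TypeError, ValueError) as exc:
        return json.dumps({"ok": False, "error": type(exc).__name__})
```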
