[olug] Security
David Walker
linux_user at grax.com
Fri Jan 4 23:22:21 UTC 2002
That's why the pros run a demilitarized zone. Any host on the internet is
considered a security risk and is not allowed free access to your internal
network.

Firewall -
    Web server
    Name server
    Mail server
2nd level firewall -
    The rest of your network

(or a slightly different configuration)

Firewall -
    DMZ Zone
        Web server
        Name server
        Mail server
    The rest of your network Zone
        The rest of your network

Apache has a good security record over the past 4 years so it isn't a big
security risk but how you configure it and what scripts you run on it could
be risks. Straight html files should be rather non-risky.

I don't run sendmail so I can't really assess the risks but considering the
exploits I've heard about I would be wary.

Since SSH is not intended for anonymous use I suggest moving it to a 5 digit
port where a scanner looking for it on port 22 isn't going to happen upon it.
That way if an exploit is released you have a bit more time to upgrade
before someone finds that you are running an exploitable version.

I'm not comfortable running win2k on the internet without a firewall in front
of it.

So, using your number system, I'd say
Apache 3
SSH 2
Sendmail 1
Win2k 1

On Friday 04 January 2002 04:49 pm, you wrote:
> Wrong Brian....sorry the Brian I was referring to knows what I'm talking
> about...Also I'm glad that this has turned into a decent thread on
> security...what do we think is the risk factor of a computer whose only
> outside access is through SSH...but it still has internal network access
> how big of a risk factor is it to the internal network? How about if that
> internal network were connected to someone else's private network over a
> VPN...would that person have reason to be concerned...as on the flip side
> the person running the SSH machine would have cause for concern over a
> Win2k Server having access to the internal network and thus his over the
> VPN....aren't they both equally bad security risks or is one worse than the
> other...Then what about running Sendmail, and Apache on a machine hooked
> also into the private network where does this fall? I mean can we really
> be secure with any external access and where would people rank these risks
> 1-3, 1 being the highest risk and 3 being the lowest...here is what I say:
> 1) Apache and Sendmail, 2) SSH and 2) Win2k....i say the last two are lower
> because of all the exploits for sendmail...but I think SSH and Win2k are
> equally bad what do you all think?
>
> Thanks,
> Nate Rotschafer
>
>
> From: "Brian Roberson" <roberson at bstc.net>
>
> >Reply-To: olug at bstc.net
> >To: <olug at bstc.net>
> >Subject: Re: [olug] Security
> >Date: Fri, 4 Jan 2002 16:15:57 -0600
> >
> >Right! ??!!
> >
> > > night/this morning very well I believe...right Brian? Just my $.02....
> >
> >-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_
> >
> >For help contact olug-help at bstc.net - run by ezmlm
> >to unsubscribe, send mail to olug-unsubscribe at bstc.net
> >or `mail olug-unsubscribe at bstc.net < /dev/null`
> >(c)2001 OLUG http://www.olug.org
> >
> >-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_
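
The single-firewall layout with a DMZ zone described in the message above, written as an nftables forward-chain ruleset. This is an added example, not part of the original post: the interface names, the 192.0.2.x host addresses, the service ports and the choice to let the internal network open outbound connections are all assumptions.

```nftables
#!/usr/sbin/nft -f
# Added example: one firewall, three interfaces (internet, DMZ, internal).
# Every name and address below is an assumption, not from the original post.
flush ruleset

define WAN  = "wan0"        # internet-facing interface (assumed name)
define DMZ  = "dmz0"        # DMZ segment (assumed name)
define LAN  = "lan0"        # the rest of your network (assumed name)
define WEB  = 192.0.2.10    # constructed DMZ host addresses (documentation range)
define DNS  = 192.0.2.11
define MAIL = 192.0.2.12

table inet filter {
    chain forward {
        # Default deny: anything not explicitly accepted below is dropped.
        type filter hook forward priority 0; policy drop;

        # Replies to connections that were permitted by a rule below.
        ct state established,related accept
        ct state invalid drop

        # Internet -> DMZ: only the published service on each host.
        iifname $WAN oifname $DMZ ip daddr $WEB  tcp dport { 80, 443 } accept
        iifname $WAN oifname $DMZ ip daddr $DNS  udp dport 53 accept
        iifname $WAN oifname $DMZ ip daddr $DNS  tcp dport 53 accept
        iifname $WAN oifname $DMZ ip daddr $MAIL tcp dport 25 accept

        # Internal -> internet and internal -> DMZ: connections may be opened.
        iifname $LAN oifname { $WAN, $DMZ } accept

        # DMZ -> internet: only what the servers need to do their job.
        iifname $DMZ oifname $WAN ip saddr $DNS  udp dport 53 accept
        iifname $DMZ oifname $WAN ip saddr $DNS  tcp dport 53 accept
        iifname $DMZ oifname $WAN ip saddr $MAIL tcp dport 25 accept

        # Nothing accepts new connections from the internet or the DMZ into
        # the internal network. Log those attempts before dropping them so a
        # compromised DMZ host probing inward shows up in the logs.
        iifname { $WAN, $DMZ } oifname $LAN log prefix "to-lan-denied: " drop
    }
}
```

The property the layout depends on is that no accept rule has the internal interface as its output, so a compromised web, name or mail server cannot open connections inward.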