Running more than one service on one box

From: Michael Kjorling (michael@kjorling.com)
Date: 09/13/01


Date: Thu, 13 Sep 2001 18:26:52 +0200 (CEST)
From: Michael Kjorling <michael@kjorling.com>
To: Security-Basics <security-basics@securityfocus.com>
Subject: Running more than one service on one box
Message-ID: <Pine.LNX.4.33.0109131821450.11967-100000@varg.wolfpack>


Please excuse me if this has been asked before, but I haven't seen
it lately at least.

Right now several of my servers are serving more than one thing - one
does web, mail (both SMTP and POP), and DNS. Another does the same and
adds the usual risks with being a workstation as well.

I have been lobbying to split this up on more machines, and using one
per service. That is, let one machine handle the email (possibly
forwarding it to internal systems), let one handle the web, two for
DNS (master and slave) and so on. But we are talking about a pretty
small company so I am having a problem getting the hardware this
would require. It took an actual break-in to one of the systems before
I was allowed to buy a dedicated hardware firewall, and I would prefer
not having to go through the same mess again.

Could someone please give me some hints as to what the actual security
implications would be of a setup like this? As it is, the company in
question is rather dependent on their Internet connectivity (web site,
email and so on), and I don't want to get into trouble if someone
breaks in through a DNS implementation problem and then escalates
their access and starts messing with the web site, for example.

Any help is greatly appreciated!

Michael Kjörling

- --
Michael Kjörling - michael@kjorling.com - PGP: 8A70E33E
Manager Wolf.COM -- Programmer -- Network Administrator
"We must be the change we wish to see" (Mahatma Gandhi)

^..^ Support the wolves in Norway -- go to ^..^
 \/ http://home.no.net/ulvelist/protest_int.htm \/

***** Please only send me emails which concern me *****



