Re: are IPTABLES good enough security for a webserver
From: Alan Frame (alan.frame@acm.org)
Date: 04/09/03
- Previous message: neill: "p2p servers outside the firewall"
- In reply to: Kasper Dupont: "Re: are IPTABLES good enough security for a webserver"
From: alan.frame@acm.org (Alan Frame) Date: Wed, 9 Apr 2003 09:17:12 +0100
Kasper Dupont <kasperd@daimi.au.dk> wrote:
> Grant Holman wrote:
> >
> > Will IPTABLES act as a secure enough firewall for a web server or should I
> > be looking at a dedicated 3rd party firewall package?
>
[]
> But whatever you choose to do, you should still configure the
> webserver in a way that would be secure even without any firewall. No
> firewall however good it may be, will secure you if you don't keep
> your webserver software updated.
Indeed.
A reasonable set of iptables rules for a webserver would be to only
allow new incoming connections from world+dog to 80 & 443 on a public
(possibly port-forwarded) IP address and ssh (with key) from specified
trusted hosts on 1918 addresses on another NIC.
After those three lines setting up iptables, my job is done, and it's up
to the application-support guys to secure the box against in-band
attacks.
Would the webserver in question be running, say, PHP, perl[0], or an old
Apache, or an old ssl?.....
rgds, Alan
[0] i.e. untrusted cgi
-- 99 Ducati 748BP, 95 Ducati 600SS, 81 Guzzi Monza, 74 MV Agusta 350 "Ride to Work, Work to Ride" SI# 7.067 DoD#1930 PGP Key 0xBDED56C5
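The policy described in the message above, written out as an added example (not part of the original post): a shell function that emits an `iptables-restore` ruleset. The interface names, the public IP and the trusted hosts are constructed values, and the default-drop policy, loopback rule and established-connection rule are assumptions added to make the ruleset complete. Key-only ssh login is enforced in sshd, not here.

```shell
#!/bin/sh
# Added example: generate an iptables-restore ruleset for a web server.
#   - new inbound TCP 80/443 from anywhere to the public IP
#   - new inbound ssh only from listed RFC 1918 hosts on a second NIC
# Usage: gen_web_rules PUB_IF PUB_IP MGMT_IF TRUSTED_HOST...
# Check without loading (assumed names/addresses):
#   gen_web_rules eth0 203.0.113.10 eth1 10.0.0.5 | iptables-restore --test

gen_web_rules() {
    pub_if=$1; pub_ip=$2; mgmt_if=$3
    shift 3

    # Validate every ssh source before emitting anything, so a bad
    # argument never yields a partial ruleset. Prefix check only:
    # 10/8, 172.16/12, 192.168/16.
    for host in "$@"; do
        case $host in
            10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) ;;
            *) echo "refusing non-RFC1918 ssh source: $host" >&2
               return 1 ;;
        esac
    done

    # Default-drop inbound; replies to established flows are allowed.
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $pub_if -d $pub_ip -p tcp --syn -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
EOF

    # One ssh rule per trusted management host, bound to the internal NIC.
    for host in "$@"; do
        echo "-A INPUT -i $mgmt_if -s $host -p tcp --syn --dport 22 -m conntrack --ctstate NEW -j ACCEPT"
    done

    echo "COMMIT"
}
```

Everything that reaches ports 80 and 443 through these rules is in-band traffic, which the ruleset does not inspect.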