LinuxQuestions.org
Old 03-09-2010, 03:47 AM   #16
smoker
Senior Member
 
Registered: Oct 2004
Distribution: Fedora Core 4, 12, 13, 14, 15, 17
Posts: 2,279


Not really.
You have to educate them about the way the internet works and about how apache works.
It's not Windows. The world will only be able to access your machine if they forward port 80 to your internal IP.
You don't have access to other people's machines in the building, do you?
 
Old 03-09-2010, 07:50 AM   #17
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,791
Blog Entries: 1

Quote:
Originally Posted by ash_zz_00
The building owner is trying to help with port forwarding, but has security concerns that someone could reach my computer through the forwarded port and now has access to the private network and wreak havoc.

Are there ways to minimize it?
E.g. Is it possible for port forwarding to limit it to one or two external IP addresses? That is, if I know that I will be accessing from one or two external machines, and if the router only forwards requests from these known IP addresses, it might be an acceptable compromise.

Thanks,

Ashok.

Actually your building owner is showing some intelligence. Unfortunately, they are also focusing on the lesser threats.

It is true that by forwarding a port to your Apache server, you are open to exploits and if successful, the building's network is at risk. Your level of vulnerability is going to depend on things like the kind of applications you are serving (PHP apps require a higher degree of vigilance than plain HTML), the degree to which you keep your system patched and the degree to which you monitor your system. So things you can do are:

  • Run extra security measures like mod_security
  • Make sure PHP is locked down tight, or don't run PHP services at all
  • Run a monitoring system like Aide or Samhain or an IDS like Snort
  • Have a patch/update plan that you actually follow
  • Run apache in a virtual machine or chroot jail

What your owner is missing is that normal web browsing using Internet Exploder is probably a much greater threat to the integrity of the building's network than your Apache server ever could be. Most of the more common threats (trojans, viruses, warez, etc.) don't require a port to be forwarded in order for the compromised machine to wreak havoc and don't require a forwarded port in order to initiate the zombification of the machines.

As far as locking down access to a few trusted IP addresses, that certainly can be done very easily on your server using hosts.allow/hosts.deny or iptables. The building router might be capable of it, but that is probably dependent on the router's firmware.

Last edited by Hangdog42; 03-09-2010 at 07:53 AM.
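
An added example (not part of the thread) of the iptables option mentioned in the post above: a shell generator that validates a list of trusted IPv4 addresses and emits an iptables-restore ruleset allowing TCP port 80 only from them. The function names are hypothetical and the addresses are constructed placeholders from the documentation ranges; iptables is used because it filters packets whether or not the service consults hosts.allow.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical and
# the addresses at the bottom are constructed (documentation ranges).

# valid_ipv4 ADDR: succeed only for a dotted quad with octets 0..255.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;   # reject anything but digits and single dots
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                                  # split the address into its octets
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# gen_http_allowlist IP...: print a filter-table ruleset that accepts TCP/80
# only from the listed sources and drops every other packet to port 80.
# All addresses are validated before any rule is printed, so a malformed
# argument can never end up inside a rule line.
gen_http_allowlist() {
    [ "$#" -gt 0 ] || { echo "need at least one trusted IP" >&2; return 1; }
    for ip in "$@"; do
        valid_ipv4 "$ip" || { echo "bad address: $ip" >&2; return 1; }
    done
    echo "*filter"
    echo ":INPUT ACCEPT [0:0]"
    echo ":FORWARD ACCEPT [0:0]"
    echo ":OUTPUT ACCEPT [0:0]"
    echo "-A INPUT -i lo -j ACCEPT"
    echo "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    for ip in "$@"; do
        echo "-A INPUT -p tcp -s $ip/32 --dport 80 -j ACCEPT"
    done
    echo "-A INPUT -p tcp --dport 80 -j DROP"
    echo "COMMIT"
}

# Demo with two constructed trusted addresses; output goes to stdout only.
gen_http_allowlist 203.0.113.10 198.51.100.7
```

Piping the output into `iptables-restore` as root loads it, replacing the current contents of the filter table, so review the generated rules first.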