LinuxQuestions.org
02-23-2010, 02:51 AM   #1
rblampain
Senior Member
Registered: Aug 2004
Location: Western Australia
Distribution: Debian 11
Posts: 1,288
Rep: Reputation: 52
Can firewall offer advantages for web server?


I intend to set up a web site on a dedicated web server in colocation (containing nothing else except the server OS).

Is it sufficient to make all files read only and use Apache mod_security or can a firewall offer extra necessary protection?

Thank you for your help.
 
02-23-2010, 03:36 AM   #2
win32sux
LQ Guru
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870
Rep: Reputation: 380

Quote:
Originally Posted by rblampain
I intend to set up a web site on a dedicated web server in colocation (containing nothing else except the server OS).

Is it sufficient to make all files read only and use Apache mod_security or can a firewall offer extra necessary protection?

Thank you for your help.

A firewall can most certainly offer you valuable protection. For example, in many cases a firewall will keep your box from being used to attack other boxes when it gets cracked. It's good that you're thinking about security measures before deploying them (it's important to know whether a security measure will in fact reduce the risk you're interested in). That said, a firewall is an extremely basic tool (as in, it provides functionality considered essential by most system/network administrators) and therefore it's probably more difficult to come up with reasons NOT to have one.

Still, whether it's necessary for you is impossible for us to know at this point, since we have no idea what your requirements are or what your risk assessment looks like. Security measures can't be determined to be necessary out of the blue. Have you gone through unSpawn's Security references thread? I suggest you do, even if only to get an idea of the types of security tools (and the vulnerabilities they try to mitigate) which are out there.

FWIW, I'll say this much: If I was forced to host a Web site on a server in which the only security measures were file permissions and mod_security I'd be more than a bit concerned.

Last edited by win32sux; 02-23-2010 at 03:59 AM.
 
1 members found this post helpful.
02-23-2010, 02:33 PM   #3
deadeyes
Member
Registered: Aug 2006
Posts: 609
Rep: Reputation: 79

Quote:
Originally Posted by rblampain
I intend to set up a web site on a dedicated web server in colocation (containing nothing else except the server OS).

Is it sufficient to make all files read only and use Apache mod_security or can a firewall offer extra necessary protection?

Thank you for your help.

You certainly should enable it.
Block everything except 22 (ssh) and port 80 and 443 for http and https.

Then set up login with RSA keys and disable login with password and to root. Put yourself in the wheel group.

That would be a good basis.
 
1 members found this post helpful.
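
An added example, not written by any poster in this thread: a shell check of an sshd_config file against the SSH settings recommended in post #3 (key login on, password login off, root login off). The function names and the sample file are constructed for illustration.

```shell
# sshd keeps the FIRST value it reads for a keyword; keywords are case-insensitive.
# Limitation of this sketch: Match blocks and Include files are not evaluated.

# sshd_value FILE KEYWORD -> first global value of KEYWORD, lower-cased (empty if unset)
sshd_value() {
    awk -F'[ \t=]+' -v want="$2" '
        { sub(/^[ \t]+/, "") }                 # strip leading whitespace
        /^(#|$)/ { next }                      # skip comments and blank lines
        tolower($1) == "match" { exit }        # global section ends here
        tolower($1) == tolower(want) { print tolower($2); exit }
    ' "$1"
}

# audit_sshd FILE -> one PASS/FAIL line per setting; exit status 0 only if all pass
audit_sshd() {
    rc=0
    for want in passwordauthentication:no permitrootlogin:no pubkeyauthentication:yes; do
        key=${want%%:*}; good=${want#*:}
        val=$(sshd_value "$1" "$key")
        if [ "$val" = "$good" ]; then
            echo "PASS $key $val"
        elif [ -z "$val" ] && [ "$key" = pubkeyauthentication ]; then
            echo "PASS $key unset (OpenSSH default is yes)"
        else
            echo "FAIL $key ${val:-unset} (want $good)"; rc=1
        fi
    done
    return $rc
}

# Constructed sample: the later "passwordauthentication no" does not take effect.
sample_config() {
    cat <<'EOF'
PubkeyAuthentication yes
PasswordAuthentication yes
PermitRootLogin no
passwordauthentication no
EOF
}

tmp=$(mktemp) && sample_config > "$tmp"
audit_sshd "$tmp" || echo "sshd_config does not match the recommended baseline"
rm -f "$tmp"
```

On a live host, the output of `sshd -T` (the effective configuration, with defaults and included files resolved) is a better input for this check than the raw file.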
02-23-2010, 07:40 PM   #4
chrism01
LQ Guru
Registered: Aug 2004
Location: Sydney
Distribution: Rocky 9.2
Posts: 18,348
Rep: Reputation: 2749
I wouldn't add yourself to wheel group. No need to give yourself that group in case your acct gets cracked. Instead, login as yourself then 'su -' to do root stuff. Would require a cracker to guess both your passwd and root's to get in.
 
1 members found this post helpful.
02-25-2010, 04:10 AM   #5
deadeyes
Member
Registered: Aug 2006
Posts: 609
Rep: Reputation: 79

Quote:
Originally Posted by chrism01
I wouldn't add yourself to wheel group. No need to give yourself that group in case your acct gets cracked. Instead, login as yourself then 'su -' to do root stuff. Would require a cracker to guess both your passwd and root's to get in.

I never said to go login as root directly.
You first log in as normal user then do su.

What does this have to do with the wheel group?
In some OSes you need to be part of the wheel group to use su.
There is no difference when your account gets cracked. You still need the su password.
 
1 members found this post helpful.
02-25-2010, 09:47 PM   #6
chrism01
LQ Guru
Registered: Aug 2004
Location: Sydney
Distribution: Rocky 9.2
Posts: 18,348
Rep: Reputation: 2749

Well, if you need wheel group to use su, guess it's ok. I haven't usually needed it to su.
No point in adding privs if you don't need them.
 
1 members found this post helpful.
02-28-2010, 11:08 AM   #7
stickman
Senior Member
Registered: Sep 2002
Location: Nashville, TN
Posts: 1,552
Rep: Reputation: 53

Defense in depth is always a good thing. A local host-based firewall is a good complement to other local security measures and the network firewall if one exists. Keep your network environment in mind. Are your servers on a large subnet with other unrelated servers? Do other admin groups have access to your subnet? Do you trust everything on your subnet?
 
1 members found this post helpful.
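
An added example, not written by any poster in this thread: a shell function that emits an iptables-restore ruleset combining the points made above, namely default-deny inbound with only SSH, HTTP and HTTPS open (post #3), default-deny outbound so a compromised box is harder to use against other hosts (post #2), and no implicit trust of the local subnet (post #7). The admin network, the function name and the outbound allowances (DNS, NTP, HTTP/HTTPS for updates) are assumptions of this example.

```shell
# web_ruleset ADMIN_NET [PORT ...] -> iptables-restore ruleset on stdout
# ADMIN_NET (who may reach SSH) and the egress allowances are assumptions of this example.
web_ruleset() {
    [ $# -ge 1 ] || { echo "usage: web_ruleset ADMIN_NET [PORT ...]" >&2; return 2; }
    admin_net=$1; shift
    case $admin_net in
        ''|*[!0-9./]*) echo "bad network: $admin_net" >&2; return 1 ;;
    esac
    [ $# -gt 0 ] || set -- 80 443              # public services named in the thread
    for port in "$@"; do                       # validate before emitting anything
        case $port in
            ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;;
        esac
        [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "bad port: $port" >&2; return 1; }
    done
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -s $admin_net --dport 22 -m conntrack --ctstate NEW -j ACCEPT
EOF
    for port in "$@"; do
        echo "-A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    cat <<EOF
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -p udp --dport 53 -j ACCEPT
-A OUTPUT -p tcp --dport 53 -j ACCEPT
-A OUTPUT -p udp --dport 123 -j ACCEPT
-A OUTPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -m limit --limit 6/min -j LOG --log-prefix "egress-drop: "
COMMIT
EOF
}

# Constructed example: 203.0.113.0/24 is a documentation range standing in for the admin network.
web_ruleset 203.0.113.0/24 80 443
```

The output can be checked with `iptables-restore --test` before loading it. It covers IPv4 only, so an IPv6-enabled host needs an equivalent ip6tables ruleset.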
  

