Old 01-14-2003, 11:50 PM   #1
hardigunawan
Member
 
Registered: Dec 2001
Posts: 35

Rep: Reputation: 15
reason for separating web server and database server


Hi,

Is it better to separate web server and database server to two different hosts, with a firewall in the middle?

If someone hacked the web server, surely he can read the scripts which contain the uid/passwd to connect to the database server?
 
Old 01-17-2003, 08:21 AM   #2
markus1982
Senior Member
 
Registered: Aug 2002
Location: Stuttgart (Germany)
Distribution: Debian/GNU Linux
Posts: 1,467

Rep: Reputation: 46
Not only for security reasons it's a better idea to separate that to two different hosts, if you get under heavy load it will definitely be a performance reason!

For the security part it depends what kind of sensitive data you've got in the database ... if it's data like credit card, orders, etc. I would definitely separate them. But if the data is just plain dynamic content it doesn't really need to be separated from a security point of view.


So if you want to install MySQL on the 2nd server (when you have sensitive data in there) install it chrooted like described here


For the firewall something like that would be your configuration:

iptables -A INPUT -i eth0 -s <webserver ip> -p tcp --dport 3306 -j ACCEPT
iptables -A OUTPUT -o eth0 -d <webserver ip> -p tcp --sport 3306 -j ACCEPT

Be sure to LIMIT the MySQL connection to the webserver source ip and do NOT let others access it ;-)
 
Old 01-18-2003, 06:31 AM   #3
markus1982
Senior Member
 
Registered: Aug 2002
Location: Stuttgart (Germany)
Distribution: Debian/GNU Linux
Posts: 1,467

Rep: Reputation: 46
You should of course also secure the mysql user permissions, so do NOT give the users for your web scripts ALL privileges, just give them the privileges they NEED.

Like Insert, update, etc ... do NOT give them ALTER, DROP, CREATE privilege if it's not required!
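
Added example, not part of markus1982's posts: a small Python audit of `SHOW GRANTS` output that flags the two things posts #2 and #3 warn about, accounts usable from hosts other than the web server and privileges such as ALTER, DROP or CREATE. The account names, database name, addresses and the extra entries in RISKY are assumptions made for illustration.

```python
import re

# Privileges the thread says a web script account should not hold unless
# required, plus a few other administrative ones (the extras are this
# example's assumption, not from the thread).
RISKY = {"ALL PRIVILEGES", "ALL", "ALTER", "DROP", "CREATE", "GRANT OPTION",
         "FILE", "SUPER", "PROCESS", "SHUTDOWN"}

# Accepts both 'user'@'host' and `user`@`host` quoting.
GRANT_RE = re.compile(
    r"^GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<scope>\S+)\s+TO\s+"
    r"['`\"]?(?P<user>[^'`\"@]*)['`\"]?@['`\"]?(?P<host>[^'`\"\s]*)['`\"]?"
    r"(?P<rest>.*)$", re.IGNORECASE)

def audit_grant(line, webserver_ip):
    """Return a list of findings for one line of SHOW GRANTS output."""
    m = GRANT_RE.match(line.strip().rstrip(";"))
    if not m:
        return ["unparsed line"]
    findings = []
    # Drop column lists such as SELECT (id, name) before splitting on commas.
    privs = re.sub(r"\([^)]*\)", "", m["privs"])
    held = {p.strip().upper() for p in privs.split(",")}
    if "WITH GRANT OPTION" in m["rest"].upper():
        held.add("GRANT OPTION")
    for p in sorted(held & RISKY):
        findings.append("excess privilege: " + p)
    # USAGE on *.* only means "account exists", so it is not flagged.
    if m["scope"].replace("`", "") == "*.*" and held != {"USAGE"}:
        findings.append("global scope *.*")
    if m["host"] != webserver_ip:
        findings.append("host %r is not the web server" % m["host"])
    return findings

# Constructed sample output; accounts, database and addresses are made up.
SAMPLE = [
    "GRANT ALL PRIVILEGES ON *.* TO 'web'@'%' WITH GRANT OPTION",
    "GRANT SELECT, INSERT, UPDATE, DELETE ON `shop`.* TO 'webapp'@'192.0.2.10'",
    "GRANT SELECT, DROP ON `shop`.* TO 'report'@'192.0.2.10'",
]

def audit(lines, webserver_ip="192.0.2.10"):
    """Audit every grant line against the one allowed client address."""
    return {line: audit_grant(line, webserver_ip) for line in lines}

if __name__ == "__main__":
    for line, findings in audit(SAMPLE).items():
        print("FAIL" if findings else "OK  ", line, findings)
```

The host check complements the iptables rules in post #2: the packet filter limits who can reach port 3306, while the account's host part limits who can authenticate.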
 
Old 01-18-2003, 06:55 AM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,139
Blog Entries: 54

Rep: Reputation: 2791
Also make sure you don't allow public access to administrative stuff like phpMyAdmin and Big Brother. Trawling around for fun (not profit) I've come across many sites where I have access to stuff I shouldn't have access to. The easiest way is to rename the main page, and cover up the dir with a blank (default|index).(ph*|ht*) depending on your server's defaults. Having authentication for that dir is a better way of course.
 
Old 01-18-2003, 07:02 AM   #5
markus1982
Senior Member
 
Registered: Aug 2002
Location: Stuttgart (Germany)
Distribution: Debian/GNU Linux
Posts: 1,467

Rep: Reputation: 46
If you need help securing the basic configuration of your webserver let us know ... I've set up Apache v2.0.43 with PHP v4.3.0 and MySQL v4.0.9 as a test development a few days ago ...
 
Old 01-25-2003, 12:45 PM   #6
markus1982
Senior Member
 
Registered: Aug 2002
Location: Stuttgart (Germany)
Distribution: Debian/GNU Linux
Posts: 1,467

Rep: Reputation: 46
Chrooting Apache is a real mess, anyways I've created a secure configuration of Apache and PHP which you could take a look at here
 
  


All times are GMT -5.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration