LinuxQuestions.org
Old 06-08-2008, 07:09 PM   #1
calabash
Member
 
Registered: Sep 2003
Distribution: FC11
Posts: 128

Rep: Reputation: 15
Logic check on Apache access and security


I've been reading up on Apache and I would just like to run my understanding past those who are more knowledgeable than I.

1) Apache is secure on my LAN as an intranet until I port forward traffic to it from my router.

2) When I wish to make my Apache server available on the internet the safest way for an average user to do so would be to have 3 routers, one to feed internet to the next 2: one having the Apache Server, the other having my local lan. Then use port forwarding on the top router and the router that the Apache server is connected to in order to enable traffic.

Current patches, real passwords assumed.

Is this solid basic logic for this?

I understand that those better versed than I would just port forward and be done with it, but I do not feel sure enough that I will dot every i and cross every t; so I'm looking for solid damage mitigation should such a thing occur.

T.I.A.
 
Old 06-08-2008, 07:40 PM   #2
snowtigger
Member
 
Registered: Mar 2005
Location: england
Distribution: slackware, win2k
Posts: 364

Rep: Reputation: 35
<disclaimer> I'm not an expert at this </disclaimer>

1, yes that would be true, unless of course somebody manages to break into your network and reconfigure things, but then that's another matter altogether.

2, yes and no. You could do it that way but then you might have problems with the amount of NATing you're doing.

Instead of 3 routers you could go a number of ways, depending what hardware you have at your disposal.

Method A,
! this may still give you NATing problems !
In this method you port forward from router_A to the webserver.
Then all your other computers sit behind router_B, which should
keep them hidden. Both routers are standard consumer thingies.
Code:
[internet]-<>-router_A 
                      \-<>-webserver
                       \-<>-router_B
                                    \-<>-your_computers
Method B,
This method uses a router/firewall that has 3 zones:
red = internet;
orange = publicly accessible network;
green = your private network.
This can either be a purpose-built device or a computer configured in the relevant way to behave like this (see > http://www.smoothwall.org/)
Code:
[internet]-<>-(red(WAN))-router_A
                        \-(orange(DMZ))-<>-webserver
                         \-(green(LAN))-<>-your_computers
There may be other ways to go about this which I am not aware of. Personally I use method B.

 
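The point of Method B is the policy between the zones, which the ASCII diagram cannot show: the internet may open connections only to the one published port on the DMZ host, the private LAN may open connections anywhere, and the DMZ host may never open a connection into the private LAN (so a compromised webserver cannot use its foothold to reach your computers). The following is an added example written for this page, not code from the post above or from Smoothwall; the interface names (ppp0/eth1/eth2), the DMZ host address 192.168.10.2 and the published port 80 are constructed assumptions. It expresses that three-zone policy as a table, gives a decision function for a forwarded packet, and renders the same table as an nftables ruleset.

```python
"""Three-zone (red / orange / green) forwarding policy of the kind Method B
describes.  Added example, not code from the post or from Smoothwall.
Interface names, the DMZ host address and the published port are constructed."""

# Constructed values: which interface carries each zone, and the one host
# in orange that the internet is allowed to reach.
ZONES = {"red": "ppp0", "orange": "eth1", "green": "eth2"}
DMZ_HOST = "192.168.10.2"
PUBLISHED_PORTS = (80,)

# Which *new* TCP connections may be opened, as (from_zone, to_zone) ->
# allowed destination ports (None = any port).  Any pair not listed is
# dropped.  ("orange", "green") is deliberately absent: a compromised
# webserver must not be able to open connections into the private LAN.
NEW_CONNECTION_POLICY = {
    ("green", "red"): None,
    ("green", "orange"): None,
    ("orange", "red"): (53, 80, 443),    # package updates, DNS over TCP
    ("red", "orange"): PUBLISHED_PORTS,  # only the published service
}


def allowed(src_zone, dst_zone, dport, dst_ip=None, established=False):
    """Decide whether a forwarded TCP packet passes.  Replies to already
    tracked connections pass in either direction; a new connection passes
    only if the table lists the zone pair and the port, and, for
    red -> orange, only if it is headed for the DMZ host itself."""
    if established:
        return True
    if (src_zone, dst_zone) not in NEW_CONNECTION_POLICY:
        return False
    if (src_zone, dst_zone) == ("red", "orange") and dst_ip != DMZ_HOST:
        return False
    ports = NEW_CONNECTION_POLICY[(src_zone, dst_zone)]
    return ports is None or dport in ports


def render_nftables():
    """Render NEW_CONNECTION_POLICY as an nftables ruleset: a default-drop
    forward chain, a DNAT rule publishing DMZ_HOST's service on the red
    interface, and masquerading for everything leaving towards the internet."""
    lines = [
        "table ip dmz {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
        "    ct state invalid drop",
    ]
    for (src, dst), ports in NEW_CONNECTION_POLICY.items():
        rule = f"    iifname {ZONES[src]} oifname {ZONES[dst]}"
        if (src, dst) == ("red", "orange"):
            rule += f" ip daddr {DMZ_HOST}"  # forward hook sees the post-DNAT address
        if ports is not None:
            rule += " tcp dport { " + ", ".join(str(p) for p in ports) + " }"
        lines.append(rule + " accept")
    lines += [
        "  }",
        "  chain prerouting {",
        "    type nat hook prerouting priority -100;",
    ]
    for port in PUBLISHED_PORTS:
        lines.append(f"    iifname {ZONES['red']} tcp dport {port} dnat to {DMZ_HOST}")
    lines += [
        "  }",
        "  chain postrouting {",
        "    type nat hook postrouting priority 100;",
        f"    oifname {ZONES['red']} masquerade",
        "  }",
        "}",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_nftables())
```

Running the file prints the ruleset; because the forward chain's policy is drop, anything not in the table (in particular red -> green and orange -> green) is dropped without needing an explicit rule, and the DNAT rule only ever points at DMZ_HOST, so port forwarding cannot accidentally expose a green machine. On a box with nftables installed, `nft -c -f ruleset.nft` checks the output for syntax errors without loading it.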
Old 06-08-2008, 08:04 PM   #3
calabash
Member
 
Registered: Sep 2003
Distribution: FC11
Posts: 128

Original Poster
Rep: Reputation: 15
1) I agree! Then it would be another matter entirely!

2a) I was uncertain if having my Local Lan directly downstream from the top router would give it access problems. From what you indicate, this is not a concern and I can remove a router. And, I should have specified, the local lan has less than 10 devices, so I do not think NAT will be an issue. Sorry for not mentioning it.

2b) I agree that this is the more elegant solution, but since I have little or no experience with directly configuring a firewall product, I lack confidence that I could determine if I set it up properly. My only experience with setting up dedicated routers is with MikroTik; and then only in the most basic fashion.

Thank you for your input. I'm just anticipating disaster having fed myself on all the "HACKER" books out there where the majority of vulnerabilities exploited are due to incompetent configuration or patching. I don't want to be one of those servers spewing garbage throughout the internet. >.<

So my strategy is to run an internal server for a time, get used to the lingo and conventions so that when I read a discussion regarding security holes I can understand it.

Then, test the layered network configuration with a Ventrilo server perhaps. Something with no personal data on it.

Finally, launch the server out there and monitor the heck out of it. <laughs> Wish me luck, it's a new frontier for me.
 
Old 06-08-2008, 09:08 PM   #4
snowtigger
Member
 
Registered: Mar 2005
Location: england
Distribution: slackware, win2k
Posts: 364

Rep: Reputation: 35
Do have fun on your ventures, and you are right for preparing yourself for the journey. As long as you don't do anything silly like run your webserver as "root" and have the document root as "/". Oh, and run software that is full of holes. Then you should be fine.


Regardless of how many machines are on your LAN you may still be bothered by NATing issues. By this I mean that router_A's WAN (the internet) will get a global IP address. It serves a LAN which let's say has a network of "192.168.1.0" (192.168.x.x is a reserved set of addresses for private use). On this LAN you will give your router an IP address (let's say 192.168.1.1), your webserver (192.168.1.2), and the WAN of router_B (192.168.1.3) an IP address.
Now router_B serves a LAN with a network of "192.168.2.0". Let's say the LAN IP address of router_B is "192.168.2.1" and each other machine has an IP address from the range of "192.168.2.2-254".

So when your computer behind router_B with an address of 192.168.2.2 wants to talk to the "internet at large"(TM) it will go through router_B which will use NAT and end up speaking on router_A's network as router_B's WAN IP address, which is "192.168.1.3". It will then go through router_A, which will again use NAT to give it router_A's WAN IP address (this address is assigned to you by your ISP and is unique to you (it may change from time to time))

( are we lost yet :P )

So your computer has in effect had its IP address NATed twice to get to the outside world. Now this can work, but if you have a router that is a bit flaky or badly designed it will fail miserably on you. How it will fail depends; you may be able to speak out to the "internet at large"(TM) but the replies won't be able to find their way back to you, or it might happen the other way round.

I know this sounds scary and like I'm trying to put you off, but I just think it's something you need to be aware of in case you set it all up, thinking it's all configured correctly, but it just doesn't work.

 
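The post above walks one packet through the two routers in words. The following added example (written for this page, not code from the post) does the same walk in code, with the addresses snowtigger used (router_A LAN 192.168.1.0, webserver 192.168.1.2, router_B WAN 192.168.1.3, client 192.168.2.2) plus two constructed public addresses: 198.51.100.7 stands in for the ISP-assigned address of router_A and 203.0.113.x for hosts on the internet. Each router keeps a connection table, rewrites the source of outbound traffic and lets inbound traffic through only as a reply it remembers or via a static port forward. Beyond the post it also shows the two things a practitioner will want to confirm: that the port forward on router_A reaches the webserver and that the webserver's reply is un-translated correctly, and what "the replies won't be able to find their way back" looks like when router_B loses its state.

```python
"""Packet walk through the two-router (double NAT) layout from the post above.
Added example, not code from the post.  198.51.100.7 and 203.0.113.x are
constructed documentation addresses standing in for real public hosts."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class NatRouter:
    """A consumer NAT router reduced to what matters here: it rewrites the
    source of outbound traffic to its WAN address and remembers the mapping,
    and it admits inbound traffic only as a reply to a remembered mapping
    or through a static port forward."""

    def __init__(self, name, wan_ip, port_forwards=None):
        self.name = name
        self.wan_ip = wan_ip
        self.port_forwards = dict(port_forwards or {})  # WAN port -> (inside ip, port)
        # connection table: (remote ip, remote port, WAN port) -> (inside ip, inside port)
        self.conntrack = {}
        self._next_port = 40000

    def outbound(self, pkt):
        """LAN -> WAN.  Reuse the mapping if this is the reply half of a
        port-forwarded connection, otherwise allocate a fresh WAN port."""
        for (rip, rport, wport), inside in self.conntrack.items():
            if inside == (pkt.src, pkt.sport) and (rip, rport) == (pkt.dst, pkt.dport):
                return Packet(self.wan_ip, wport, pkt.dst, pkt.dport)
        wport = self._next_port
        self._next_port += 1
        self.conntrack[(pkt.dst, pkt.dport, wport)] = (pkt.src, pkt.sport)
        return Packet(self.wan_ip, wport, pkt.dst, pkt.dport)

    def inbound(self, pkt):
        """WAN -> LAN.  Returns the rewritten packet, or None if dropped."""
        if pkt.dst != self.wan_ip:
            return None
        inside = self.conntrack.get((pkt.src, pkt.sport, pkt.dport))
        if inside is None and pkt.dport in self.port_forwards:
            inside = self.port_forwards[pkt.dport]
            # remember the DNAT so the server's reply can be un-translated
            self.conntrack[(pkt.src, pkt.sport, pkt.dport)] = inside
        if inside is None:
            return None
        return Packet(pkt.src, pkt.sport, inside[0], inside[1])


def build_topology():
    """router_A: public side 198.51.100.7, LAN 192.168.1.0/24, port 80 forwarded
    to the webserver 192.168.1.2.  router_B: WAN side 192.168.1.3, LAN 192.168.2.0/24."""
    router_a = NatRouter("router_A", "198.51.100.7", port_forwards={80: ("192.168.1.2", 80)})
    router_b = NatRouter("router_B", "192.168.1.3")
    return router_a, router_b


def trace(pkt, hops):
    """Push a packet through (router, 'outbound' | 'inbound') hops; returns the
    packet as seen after each hop, None from the hop that dropped it onwards."""
    seen = []
    for router, direction in hops:
        pkt = getattr(router, direction)(pkt) if pkt is not None else None
        seen.append(pkt)
    return seen


def lan_client_round_trip(router_a, router_b):
    """192.168.2.2 behind router_B talks to a web host on the internet: the
    source is translated twice going out, the reply un-translated twice coming back."""
    request = Packet("192.168.2.2", 51000, "203.0.113.10", 80)
    out = trace(request, [(router_b, "outbound"), (router_a, "outbound")])
    wire = out[-1]
    reply = Packet(wire.dst, wire.dport, wire.src, wire.sport)
    back = trace(reply, [(router_a, "inbound"), (router_b, "inbound")])
    return out, back


def reply_after_router_b_state_loss(router_a, router_b):
    """The failure mode from the post: router_B forgets its mapping (flaky
    firmware, reboot) while router_A keeps its own.  The reply passes router_A
    but router_B has neither state nor a forward for it, so it is dropped."""
    out, _ = lan_client_round_trip(router_a, router_b)
    router_b.conntrack.clear()
    wire = out[-1]
    reply = Packet(wire.dst, wire.dport, wire.src, wire.sport)
    return trace(reply, [(router_a, "inbound"), (router_b, "inbound")])


def internet_client_to_webserver(router_a):
    """Inbound port forward: an internet host reaches the webserver behind
    router_A and the reply is re-sourced to router_A's public address; an
    unsolicited packet to any other port is dropped."""
    request = Packet("203.0.113.55", 5555, "198.51.100.7", 80)
    delivered = router_a.inbound(request)
    reply = Packet(delivered.dst, delivered.dport, delivered.src, delivered.sport)
    reply_on_wire = router_a.outbound(reply)
    stray = router_a.inbound(Packet("203.0.113.55", 6666, "198.51.100.7", 22))
    return delivered, reply_on_wire, stray
```

Tracing `lan_client_round_trip` on a fresh topology shows the packet leaving router_B as 192.168.1.3:40000 and router_A as 198.51.100.7:40000, and the reply retracing both rewrites back to 192.168.2.2:51000; once router_B's table is cleared the same reply still clears router_A and then dies at router_B. Note also what `internet_client_to_webserver` does not show: nothing in router_A's forward to 192.168.1.2 stops the webserver, if compromised, from talking to router_B's WAN side at 192.168.1.3 on the shared segment, which is the reason Method B's separate orange zone is the better layout.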
Old 06-08-2008, 09:54 PM   #5
calabash
Member
 
Registered: Sep 2003
Distribution: FC11
Posts: 128

Original Poster
Rep: Reputation: 15
I'm still with ya!

I actually understood all the NAT concerns you brought up. I'll be using off the shelf Netgear routers, so that should be solid.

I've actually seen and worked with a 3 router configuration with no NAT issues (low number of devices).

I've also worked with a single router and a non-standard IP range with a high number of computers (>100) and seen NAT fail. Oh the lag and timeouts!

So I appreciate that you bring up any and all issues that I might be hit with! I promise not to run off screaming into the night!

I should also note that I'm manual-friendly, so if anyone has a particularly good web how-to in mind or a book that is on the beginner's level - please reference.

Currently I'm using these two books:

Multitool Linux
Apache 3rd ed. The Definitive Guide

And poking around the i-net as well.

I'm finding the O'Reilly book to be a trifle daunting. But finding step-by-step how-to guides is keeping me on track.

Thank you again snowtigger!