  1. #1
    Just Joined!
    Join Date
    Dec 2008
    Posts
    30

    LAMP Question...


    OK, so quick rundown: I've been down with Linux since... sh*t, like 10 years now LOL. But I never had the need or the resources to run a file server, LAMP setup, or anything at home... until now LOL. Since Linux hasn't been too popular in Vegas in the places I've worked, I've always been stuck running Windows systems, and usually it's pretty simple crap: SonicWall and T1s with MIIS servers or 2003 ::gag:: But here lies my problem: at every admin job I've had, I haven't been able to build the system from the ground up. So when reading today, something confused the crap out of me...

    One article said "Never install any other services on the machine you use as your firewall"

    And another said "Never run a server open to the net without a firewall on it"

    So honestly, what gives? I was going to run LAMP with the firewall on the same machine until I can buy a SonicWall or come up with another PC to use as one or something... yet I was planning on still running a firewall on the machine with the LAMP on it. So tell me, am I getting mixed information here? I know regardless your system has to be secure, and all my Windoze systems had firewalls installed plus the SonicWall, so I don't see why I couldn't have just one machine running LAMP and firewall. Would it really be that insecure???... I mean, did I really screw myself here? Have I been running vulnerable systems forever and gained some bad habits here, or what?

    (Sorry I write so much when I post, I also write movie scripts on the side so I'm used to explaining every detail possible)

  2. #2
    Super Moderator Roxoff's Avatar
    Join Date
    Aug 2005
    Location
    Nottingham, England
    Posts
    3,875
    I run my firewall separate to my web server. As I see it, if I put the firewall on my server, if someone compromises the firewall, they can see my entire server's contents.

    If I keep them separate, and someone compromises my firewall, they get access to my empty firewall. Then they gotta do it all again for my web server.

    If someone gets access through an Apache vulnerability to my web server port, they'll only have access to the machine on that port, unless they've compromised the firewall too.

    In general it's a cheap and sensible option to install a separate firewall. Use an old PC and get a copy of Smoothwall free edition.
    Linux user #126863 - see http://linuxcounter.net/

  3. #3
    Linux Engineer jledhead's Avatar
    Join Date
    Oct 2004
    Location
    North Carolina
    Posts
    1,077
    I think this
    Code:
    Never run a server open to the net without a firewall on it
    should actually say without a firewall in front of it.

    Both of those are good rules but they aren't have-to's. If it's mission critical data then follow those rules. If it's something else, play, or maybe not mission critical (cc's, and making money type services), then it is probably fine.

    Also, a firewall in front can be as simple as a rinky dinky little Linksys router.

  4. #4
    Just Joined!
    Join Date
    Dec 2008
    Posts
    30
    Thanks for the input guys...

    I guess I'll either do the DD-WRT mod to my "Rinky Dinky Linksys router" LOL or just get an old PC...

    It's just for fun and practice breaking and repairing the system, so for now I'll just keep it on the LAN...

  5. #5
    Just Joined! j1s's Avatar
    Join Date
    Nov 2006
    Location
    Norway
    Posts
    90
    I'm using an old PC running IPCop as a firewall. Works just fine. It's also a DHCP, so my 4 other servers can get an IP.

    cheers

  6. #6
    Linux Enthusiast Bemk's Avatar
    Join Date
    Sep 2008
    Location
    Oosterhout-NB, Netherlands
    Posts
    525
    Would 2 routers with firewall function + iptables on the web server be enough? I hope so because that's my current configuration (mainly because I don't like the web interface on the first router, I don't trust its firewall either).

  7. #7
    Linux Engineer jledhead's Avatar
    Join Date
    Oct 2004
    Location
    North Carolina
    Posts
    1,077
    Yes, that would work, but that is a lot of layers. So it would be this:

    internet
    ----------
    router1
    ---------
    router2
    ---------
    iptables
    ----------
    internal network

    That's a lot of layers. I would get rid of one of those.

  8. #8
    Linux Enthusiast Bemk's Avatar
    Join Date
    Sep 2008
    Location
    Oosterhout-NB, Netherlands
    Posts
    525
    It's more like this:

    WAN
    ---------------------------
    router 1
    ---------------------------
    router 2
    ---------------------------
    LAMP + IPTables

    It's on one machine.

    It might be a bit slow, but as I said I don't trust the firewall on the first router, which is a modem-router so removing it would also remove my modem.

    But if it works I'm happy.

    I've done a port scan on router 1, and it was wide open while the firewall was set to high; the second router had its ports shut except for the ports I forwarded. This is WAN to LAN, and LAN to WAN is fully open, but I don't know how to shut that traffic down. Question two: do I want to shut this traffic down, because my parents on the same network use things like MSN Messenger, e-mail, update services and other crap I don't always know the ports of?
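
Added example, not part of any post in this thread: a host-level ruleset for the "LAMP + IPTables on one machine" layout described above, with a check of which TCP ports it accepts from any source. The function names, the 80/443 web ports, the LAN-only SSH rule and the sample LAN range are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Function names, the web ports and the
# LAN-only SSH rule are assumptions for illustration.

# Print an iptables-restore ruleset for one host running LAMP plus iptables.
# $1 = LAN range allowed to reach SSH, e.g. 192.168.1.0/24 (constructed value).
# MySQL (3306) deliberately gets no rule: PHP reaches it over loopback.
lamp_ruleset() {
    lan_cidr="$1"
    case "$lan_cidr" in
        */*) ;;
        *) echo "usage: lamp_ruleset <lan-cidr>" >&2; return 1 ;;
    esac
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -s $lan_cidr -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -m limit --limit 6/minute -j LOG --log-prefix "INPUT-DROP: "
COMMIT
EOF
}

# Read a ruleset (this one, or iptables-save output) on stdin and list the TCP
# ports that INPUT accepts with no source restriction, i.e. what a port scan
# from the WAN side could reach once the routers forward them.
world_open_ports() {
    awk '$1 == "-A" && $2 == "INPUT" && /-j ACCEPT/ && /-p tcp/ && !/ -s / {
        for (i = 1; i <= NF; i++)
            if ($i == "--dport" || $i == "--dports") print $(i + 1)
    }' | tr ',' '\n' | sort -n | tr '\n' ' ' | sed 's/ $//'
}
```

Running `lamp_ruleset 192.168.1.0/24 | iptables-restore --test` as root parses the rules without applying them.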

  9. #9
    Linux Engineer jledhead's Avatar
    Join Date
    Oct 2004
    Location
    North Carolina
    Posts
    1,077
    I guess that all depends on who pays the bills

    Outgoing traffic should be fine, just keep antivirus installed where needed (Windows machines) and check for trojans and rootkits on your nix machines.

  10. #10
    Linux Enthusiast Bemk's Avatar
    Join Date
    Sep 2008
    Location
    Oosterhout-NB, Netherlands
    Posts
    525
    My dad pays the electricity bill as well as the ISP bill. That means I'm safe for now; however, I do want to put some PR on the site just to make a bit of money so I can pay for the extra electricity used, so my dad won't kill the project.

    I need the server for school things. I am going to give my class some lessons about GNU/Linux and I have a site for that. If my dad kills the site I don't have anything to use as teaching materials. All the documents should be in Dutch, so I write them myself. That way I don't have to find the needle in the haystack. I just make a new needle.
