[OWASP-LEADERS] Big welcome to Carric / Server Setup

Mark Curphey mark at curphey.com
Fri Nov 8 23:30:07 EST 2002


I will get valid SSL certs for the portal so user auth at an absolute
min and password changes etc are over SSL.

I was assuming we would have a three tier portal. Web Server (with
coyote connector or similar), app server (Tomcat 4.x) and database
(Hypersonic) / directory (LDAP). Is that right, David? I really don't
want to collapse the app and web tiers on the same box for obvious
security reasons.

If that's accurate I will need to find one more box. That should be
pretty easy as it will only be static images, jsps and the connector...

Then we also need to figure out the packet filtering reqs. 

Carric, I guess maybe Sanswire can drop everything bar 80 and 443 to the
web tier directly from the ingress router? If they can maybe we can
set up SSH from static IPs such as David's, yours, etc.?


On Fri, 2002-11-08 at 20:08, David Raphael wrote:
> Hello Everyone,
> 
> Welcome Carric! It's great to hear more people are interested in the
> cause!
> 
> To business:
> 
> Are we comfortable with Apache 2 being the most secure?  I am not a
> Linux security specialist, but I don't believe that Apache 2 has had
> the same exposure as 1.3.xx ...What does everybody think?  
> 
> I like the idea of no Port other than 80 being open.  A terminal server
> might be a good alternative for remote administration!  Maybe we could 
> get a hold of a little cyclades or something.  Please give your comments.
> Use dial-in only access.  Or if it is on some kind of Private LAN with 
> alternative access.
> 
> What does anyone think about this?
> 
> -Dave
> 
> 
> > -----Original Message-----
> > From: owasp-leaders-admin at lists.sourceforge.net
> > [mailto:owasp-leaders-admin at lists.sourceforge.net]On Behalf Of Ingo
> > Struck
> > Sent: Thursday, November 07, 2002 6:29 AM
> > To: owasp-leaders at lists.sourceforge.net
> > Cc: mark at curphey.com
> > Subject: [OWASP-LEADERS] Big welcome to Carric / Server Setup
> > 
> > 
> > Hi Carric,
> > 
> > I assume that Mark put you on this list, so welcome at the 
> > OWASP staff.
> > It is really great that you volunteered for some admin work 
> > and that you
> > could provide a hosting location for our production servers.
> > Thanks a lot!
> > 
> > Some weeks ago I already sent a personal wishlist for the 
> > production server
> > setup, so I simply repost it here:
> > 
> > === snip ===
> > 
> > Here you go with a detailed wishlist for the server configuration:
> > (I am currently not sure, whether the BSD or a linux box will be
> >  used for vulnxml - that makes no difference for me)
> > 
> > 1. The file system setup *must* provide separate partitions for
> >     /var and /tmp
> > 2. The file system setup *should* provide separate partitions for
> >     /opt , /usr and /home
> > 3. All apache stuff goes to /opt/apache, i.e.:
> >    /opt/apache/httpd      httpd (preferably 2.0.43, 1.3.27 
> > will do as well)
> >    /opt/apache/tomcat    tomcat (4.1.12)
> >    (I will provide the appropriate conf files for httpd 2.0 
> > and for tomcat)
> > 4. The vulnxml application goes to /opt/owasp/vulnxml
> >     (I will provide this directory in a whole as tar.bz2)
> > 5. absolutely no ftp, telnet, finger or other crap access
> > 6. only port 80 open for remote access (best would be a package filter
> >    firewall), if *really* necessary port 22 for ssh
> > 7. If it is somehow possible (i.e. you have got the servers 
> > near to you)
> >    NO SSH ACCESS AT ALL
> > 
> > Due to our project goals I expect our apps to be attacked more than
> > an average web app. That's why I want the servers as leakproof as
> > possible.
> > 
> > === snap ===
> > 
> > Kind regards
> > 
> > Ingo
> >     
> > 
> > 
> > 
> > 
> > 
> > 
> 
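The packet filtering discussed above (only 80 and 443 reachable on the web tier, SSH restricted to a few static admin addresses, everything else dropped) expressed as a host-side iptables policy. This is an added example, not configuration from the thread or from OWASP; it assumes a Linux box with iptables, and the admin addresses are placeholder documentation-range IPs, not the real ones the thread refers to.

```shell
#!/bin/sh
# Added example: emit a default-deny iptables INPUT policy for the web tier.
# Rules are printed rather than applied so the policy can be reviewed (or
# tested) before it is piped to sh on the actual host.
# Placeholder admin addresses (RFC 5737 documentation ranges), not real ones.
ADMIN_IPS="${ADMIN_IPS:-192.0.2.10 198.51.100.7}"

gen_web_tier_rules() {
    ips="$1"
    echo "iptables -F INPUT"
    echo "iptables -P INPUT DROP"
    echo "iptables -P FORWARD DROP"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    # Replies to connections the box itself initiated (e.g. to the app tier)
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # The only public services on this tier
    echo "iptables -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT"
    echo "iptables -A INPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT"
    # SSH only from the listed static admin addresses
    for ip in $ips; do
        echo "iptables -A INPUT -p tcp -s $ip --dport 22 -m state --state NEW -j ACCEPT"
    done
    # Log (rate-limited) what the DROP policy is about to discard, so probes
    # against ftp/telnet/finger etc. show up in syslog
    echo "iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix 'web-tier drop: '"
}

# Number of ACCEPT rules in the generated policy: lo, established, 80, 443,
# plus one per admin address. A reviewer can compare this against what is
# expected to catch an extra service slipping in.
count_accept_rules() {
    gen_web_tier_rules "$1" | grep -c -- '-j ACCEPT'
}

# Review with: sh this_script.sh    Apply on the host with: sh this_script.sh | sh
gen_web_tier_rules "$ADMIN_IPS"
```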