[OWASP-LEADERS] Big welcome to Carric / Server Setup

Carric Dooley carric at com2usa.com
Mon Nov 11 14:38:47 EST 2002


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Have you reviewed the new features?

http://httpd.apache.org/docs-2.0/new_features_2_0.html

If any of these are requirements, I would use 2.0. Apache.org says they
have been running it since Dec. 2000 so it isn't really "brand new".

Out-of-band is more secure, but will require phone lines, and a term
server, and then there is the issue of bandwidth.. if you are moving a
large file, dial-up is going to suck, esp. since, without something like a
Total Control or Ascend Max, you can't even do 56K.

I would argue that you could mitigate most of the risk by tunneling
everything through SSH, using tcp wrappers to control what hosts can even
connect, and monitoring the hell out of the box.

I like your idea from a security perspective, but the usability suffers
with that scenario.

Will content be driven by a database engine? I am just starting to ponder
the IDS and monitoring solution. Has anyone given extensive thought or
made a huge effort on solutions, etc.?


On Fri, 8 Nov 2002, David Raphael wrote:

>>Hello Everyone,
>>
>>Welcome Carric! It's great to hear more people are interested in the
>>cause!
>>
>>To business:
>>
>>Are we comfortable with Apache 2 being the most secure?  I am not a
>>Linux security specialist, but I don't believe that Apache 2 has had
>>the same exposure as 1.3.xx ...What does everybody think?  
>>
>>I like the idea of no Port other than 80 being open.  A terminal server
>>might be a good alternative for remote administration!  Maybe we could 
>>get a hold of a little cyclades or something.  Please give your comments.
>>Use dial-in only access.  Or if it is on some kind of Private LAN with 
>>alternative access.
>>
>>What does anyone think about this?
>>
>>-Dave
>>
>>
>>> -----Original Message-----
>>> From: owasp-leaders-admin at lists.sourceforge.net
>>> [mailto:owasp-leaders-admin at lists.sourceforge.net]On Behalf Of Ingo
>>> Struck
>>> Sent: Thursday, November 07, 2002 6:29 AM
>>> To: owasp-leaders at lists.sourceforge.net
>>> Cc: mark at curphey.com
>>> Subject: [OWASP-LEADERS] Big welcome to Carric / Server Setup
>>> 
>>> 
>>> Hi Carric,
>>> 
>>> I assume that Mark put you on this list, so welcome to the OWASP staff.
>>> It is really great that you volunteered for some admin work and that you
>>> could provide a hosting location for our production servers.
>>> Thanks a lot!
>>> 
>>> Some weeks ago I already sent a personal wishlist for the production
>>> server setup, so I simply repost it here:
>>> 
>>> === snip ===
>>> 
>>> Here you go with a detailed wishlist for the server configuration:
>>> (I am currently not sure, whether the BSD or a linux box will be
>>>  used for vulnxml - that makes no difference for me)
>>> 
>>> 1. The file system setup *must* provide separate partitions for
>>>    /var and /tmp
>>> 2. The file system setup *should* provide separate partitions for
>>>    /opt, /usr and /home
>>> 3. All apache stuff goes to /opt/apache, i.e.:
>>>    /opt/apache/httpd     httpd (preferably 2.0.43, 1.3.27 will do as well)
>>>    /opt/apache/tomcat    tomcat (4.1.12)
>>>    (I will provide the appropriate conf files for httpd 2.0 and for tomcat)
>>> 4. The vulnxml application goes to /opt/owasp/vulnxml
>>>    (I will provide this directory as a whole as tar.bz2)
>>> 5. absolutely no ftp, telnet, finger or other crap access
>>> 6. only port 80 open for remote access (best would be a packet filter
>>>    firewall), if *really* necessary port 22 for ssh
>>> 7. If it is somehow possible (i.e. you have got the servers near to you)
>>>    NO SSH ACCESS AT ALL
>>> 
>>> Due to our project goals I expect our apps to be attacked more than
>>> an average web app. That's why I want the servers as leakproof as
>>> possible.
>>> 
>>> === snap ==
>>> 
>>> Kind regards
>>> 
>>> Ingo
>>>     
>>> 
>>> 
>>> 
>>> 
>>> -------------------------------------------------------
>>> This sf.net email is sponsored by: See the NEW Palm 
>>> Tungsten T handheld. Power & Color in a compact size!
>>> http://ads.sourceforge.net/cgi-bin/redirect.pl?palm0001en
>>> _______________________________________________
>>> Owasp-leaders mailing list
>>> Owasp-leaders at lists.sourceforge.net
>>> https://lists.sourceforge.net/lists/listinfo/owasp-leaders
>>> 
>>> 
>>

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.1
Comment: Made with pgp4pine 1.75-6

iQA+AwUBPdAHTlUqWOkDpMZ2EQK7LQCVFfvp3LAXi3MOXwatFefU+SvV2QCeMfWO
WgRs81qgnjNDhjBc4EUHiR8=
=u6qs
-----END PGP SIGNATURE-----
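The following audit script is an added example for this thread; it is not code from the list, from Ingo's wishlist, or from any OWASP server. It turns the wishlist above (separate partitions for /var and /tmp, and ideally /opt, /usr and /home; nothing listening except port 80, with 22 only if really needed) and Carric's suggestion of tcp wrappers into checks that can be run against a box. Assumptions: mount information is supplied in /proc/mounts format, listeners as one "addr:port" per line (the local-address column of netstat -ltn), and the hosts.allow/hosts.deny evaluation covers only the ALL, exact-address and trailing-dot prefix forms of hosts_access(5). All sample inputs at the bottom are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added audit helpers (constructed for this thread, not OWASP's own setup).
# Checks a box against the wishlist in the thread: /var and /tmp on their own
# partitions (must), /opt, /usr and /home too (should), nothing listening but
# port 80 (and 22 only if really needed), and tcp wrappers limiting which
# hosts may reach sshd at all. Inputs are passed as text so the functions run
# both on a live box (e.g. missing_mounts "$(cat /proc/mounts)" /var /tmp)
# and on the constructed samples at the bottom.

# has_mount MOUNTS PATH -> status 0 if PATH is its own mount point.
# MOUNTS is text in /proc/mounts format: "device mountpoint fstype opts ...".
has_mount() {
    printf '%s\n' "$1" | awk -v p="$2" '$2 == p { found = 1 } END { exit found ? 0 : 1 }'
}

# missing_mounts MOUNTS PATH... -> prints each PATH that is not a separate mount.
missing_mounts() {
    mounts=$1
    shift
    for p in "$@"; do
        has_mount "$mounts" "$p" || printf '%s\n' "$p"
    done
}

# unexpected_ports LISTENERS ALLOWED -> prints listening ports not in ALLOWED.
# LISTENERS is one "addr:port" per line; ALLOWED is a space-separated
# port list such as "80 22".
unexpected_ports() {
    printf '%s\n' "$1" | awk -v allowed="$2" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        NF { sub(/.*:/, ""); if (!($0 in ok)) print }' | sort -un
}

# _wrap_match DAEMON CLIENT -> status 0 if any rule on stdin matches.
# Rule syntax is the "daemon_list : client_list" subset of hosts_access(5):
# ALL, an exact name/address, or a trailing-dot prefix ("10.1.2." = 10.1.2.x).
# Other forms (EXCEPT, netmasks, LOCAL, KNOWN, options) are deliberately
# not handled here.
_wrap_match() {
    awk -v d="$1" -v c="$2" '
        function hit(list, target, net,    n, i, t) {
            n = split(list, t, /[ ,]+/)
            for (i = 1; i <= n; i++) {
                if (t[i] == "") continue
                if (t[i] == "ALL" || t[i] == target) return 1
                if (net && t[i] ~ /\.$/ && index(target, t[i]) == 1) return 1
            }
            return 0
        }
        /^#/ || NF == 0 { next }
        {
            if (split($0, f, ":") < 2) next
            if (hit(f[1], d, 0) && hit(f[2], c, 1)) { found = 1; exit }
        }
        END { exit found ? 0 : 1 }'
}

# wrapper_decision ALLOW DENY DAEMON CLIENT -> prints allow or deny, in the
# order tcpd applies the files: first match in hosts.allow grants, then first
# match in hosts.deny refuses, otherwise access is granted. A default-deny
# setup is therefore "ALL: ALL" in hosts.deny plus explicit hosts.allow lines.
wrapper_decision() {
    if printf '%s\n' "$1" | _wrap_match "$3" "$4"; then
        echo allow
    elif printf '%s\n' "$2" | _wrap_match "$3" "$4"; then
        echo deny
    else
        echo allow
    fi
}

# --- constructed sample inputs (not captured from any real host) ---
SAMPLE_MOUNTS='/dev/sda1 / ext3 rw 0 0
/dev/sda5 /var ext3 rw 0 0
/dev/sda6 /home ext3 rw 0 0
proc /proc proc rw 0 0'
SAMPLE_LISTENERS='0.0.0.0:80
0.0.0.0:22
127.0.0.1:3306
0.0.0.0:21'
SAMPLE_ALLOW='sshd: 10.1.2.
httpd: ALL'
SAMPLE_DENY='ALL: ALL'

echo "must-have partitions missing:    $(missing_mounts "$SAMPLE_MOUNTS" /var /tmp | tr '\n' ' ')"
echo "nice-to-have partitions missing: $(missing_mounts "$SAMPLE_MOUNTS" /opt /usr /home | tr '\n' ' ')"
echo "listeners beyond 80/22:          $(unexpected_ports "$SAMPLE_LISTENERS" "80 22" | tr '\n' ' ')"
echo "sshd from 10.1.2.7:              $(wrapper_decision "$SAMPLE_ALLOW" "$SAMPLE_DENY" sshd 10.1.2.7)"
echo "sshd from 203.0.113.5:           $(wrapper_decision "$SAMPLE_ALLOW" "$SAMPLE_DENY" sshd 203.0.113.5)"
```

On the sample data the script reports /tmp as the missing must-have partition, /opt and /usr as missing nice-to-haves, ports 21 and 3306 as listeners beyond 80/22, and sshd reachable from the 10.1.2.x admin network only. The wrapper check mirrors the point in the thread: with "ALL: ALL" in hosts.deny, a host that is not named in hosts.allow cannot complete a connection to sshd at all, so the service is limited to the admin network while remaining usable.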