[OWASP-LEADERS] Big welcome to Carric / Server Setup

Carric Dooley carric at com2usa.com
Mon Nov 11 14:40:09 EST 2002


Mark: we can build it any way we want it.


On 8 Nov 2002, Mark Curphey wrote:

>>I will get valid SSL certs for the portal so user auth at an absolute
>>min and password changes etc. are over SSL.
>>
>>I was assuming we would have a three-tier portal: web server (with
>>Coyote connector or similar), app server (Tomcat 4.x) and database
>>(Hypersonic) / directory (LDAP). Is that right, David? I really don't
>>want to collapse the app and web tiers onto the same box for obvious
>>security reasons.
>>
>>If that's accurate I will need to find one more box. That should be
>>pretty easy as it will only be static images, JSPs and the connector...
>>
>>Then we also need to figure out the packet filtering reqs.
>>
>>Carric, I guess maybe Sanswire can drop everything bar 80 and 443 to the
>>web tier directly from the ingress router? If they can, maybe we can
>>set up SSH from static IPs such as David's, yours etc.?
>>
>>
>>On Fri, 2002-11-08 at 20:08, David Raphael wrote:
>>> Hello Everyone,
>>> 
>>> Welcome Carric! It's great to hear more people are interested in the
>>> cause!
>>> 
>>> To business:
>>> 
>>> Are we comfortable with Apache 2 being the most secure? I am not a
>>> Linux security specialist, but I don't believe that Apache 2 has had
>>> the same exposure as 1.3.xx... What does everybody think?
>>> 
>>> I like the idea of no port other than 80 being open. A terminal server
>>> might be a good alternative for remote administration! Maybe we could
>>> get hold of a little Cyclades or something. Please give your comments.
>>> Use dial-in only access, or if it is on some kind of private LAN with
>>> alternative access.
>>> 
>>> What does anyone think about this?
>>> 
>>> -Dave
>>> 
>>> 
>>> > -----Original Message-----
>>> > From: owasp-leaders-admin at lists.sourceforge.net
>>> > [mailto:owasp-leaders-admin at lists.sourceforge.net]On Behalf Of Ingo
>>> > Struck
>>> > Sent: Thursday, November 07, 2002 6:29 AM
>>> > To: owasp-leaders at lists.sourceforge.net
>>> > Cc: mark at curphey.com
>>> > Subject: [OWASP-LEADERS] Big welcome to Carric / Server Setup
>>> > 
>>> > 
>>> > Hi Carric,
>>> > 
>>> > I assume that Mark put you on this list, so welcome to the OWASP staff.
>>> > It is really great that you volunteered for some admin work and that
>>> > you could provide a hosting location for our production servers.
>>> > Thanks a lot!
>>> > 
>>> > Some weeks ago I already sent a personal wishlist for the production
>>> > server setup, so I simply repost it here:
>>> > 
>>> > === snip ===
>>> > 
>>> > Here you go with a detailed wishlist for the server configuration:
>>> > (I am currently not sure whether the BSD or a Linux box will be
>>> >  used for vulnxml - that makes no difference for me)
>>> > 
>>> > 1. The file system setup *must* provide separate partitions for
>>> >    /var and /tmp
>>> > 2. The file system setup *should* provide separate partitions for
>>> >    /opt, /usr and /home
>>> > 3. All Apache stuff goes to /opt/apache, i.e.:
>>> >    /opt/apache/httpd     httpd (preferably 2.0.43, 1.3.27 will do as well)
>>> >    /opt/apache/tomcat    tomcat (4.1.12)
>>> >    (I will provide the appropriate conf files for httpd 2.0 and for tomcat)
>>> > 4. The vulnxml application goes to /opt/owasp/vulnxml
>>> >    (I will provide this directory as a whole as tar.bz2)
>>> > 5. absolutely no ftp, telnet, finger or other crap access
>>> > 6. only port 80 open for remote access (best would be a packet filter
>>> >    firewall), if *really* necessary port 22 for ssh
>>> > 7. If it is somehow possible (i.e. you have got the servers near to you)
>>> >    NO SSH ACCESS AT ALL
>>> > 
>>> > Due to our project goals I expect our apps to be attacked more than
>>> > an average web app. That's why I want the servers as leakproof as
>>> > possible.
>>> > 
>>> > === snap ===
>>> > 
>>> > Kind regards
>>> > 
>>> > Ingo
>>> > _______________________________________________
>>> > Owasp-leaders mailing list
>>> > Owasp-leaders at lists.sourceforge.net
>>> > https://lists.sourceforge.net/lists/listinfo/owasp-leaders
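As an added illustration, not code from the thread or from OWASP's servers: a small Python model of the ingress filter Mark and Ingo describe (only 80 and 443 reach the web tier from anywhere, SSH only from a few static admin addresses, everything else dropped). It evaluates sample connections against the policy and renders the equivalent iptables commands; all addresses are constructed placeholders.

```python
# Added example modelling the thread's packet-filter wishlist; the admin
# networks and sample sources are constructed placeholders (RFC 5737 ranges).
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    dport: int               # TCP destination port the rule matches
    sources: tuple = ()      # allowed source networks; empty = anywhere

# Constructed policy: web tier is public on 80/443, SSH is admin-only.
ADMIN_NETS = ("203.0.113.10/32", "198.51.100.0/29")   # constructed
POLICY = [
    Rule(80),
    Rule(443),
    Rule(22, ADMIN_NETS),
]

def allowed(policy, src_ip, dport):
    """Default deny: True only if some rule matches both port and source."""
    src = ipaddress.ip_address(src_ip)
    for rule in policy:
        if rule.dport != dport:
            continue
        if not rule.sources:
            return True
        if any(src in ipaddress.ip_network(n) for n in rule.sources):
            return True
    return False

def render_iptables(policy):
    """Equivalent iptables commands: DROP default policy on INPUT, loopback
    and established return traffic accepted, one ACCEPT per rule/source."""
    lines = [
        "iptables -P INPUT DROP",
        "iptables -A INPUT -i lo -j ACCEPT",
        "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT",
    ]
    for rule in policy:
        for net in rule.sources or (None,):
            src = f" -s {net}" if net else ""
            lines.append(f"iptables -A INPUT -p tcp{src} --dport {rule.dport} -j ACCEPT")
    return lines

if __name__ == "__main__":
    # Constructed samples: public web hit, admin SSH, then SSH and FTP from elsewhere.
    samples = [("192.0.2.5", 443), ("203.0.113.10", 22), ("192.0.2.5", 22), ("192.0.2.5", 21)]
    for src, port in samples:
        print(src, port, "ACCEPT" if allowed(POLICY, src, port) else "DROP")
    print("\n".join(render_iptables(POLICY)))
```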