[OWASP-LEADERS] Big welcome to Carric / Server Setup

David Raphael david.raphael at ceterum.net
Mon Nov 11 22:21:08 EST 2002


...cool...

Sounds good.  I will enjoy seeing what you are going to set up.

You build the house.  We'll stock the kitchen with <insert food of choice> :)

Good to have you aboard.

-d


On Monday, November 11, 2002, at 01:38 PM, Carric Dooley wrote:

>
> Have you reviewed the new features?
>
> http://httpd.apache.org/docs-2.0/new_features_2_0.html
>
> If any of these are requirements, I would use 2.0. Apache.org says they
> have been running it since Dec. 2000 so it isn't really "brand new".
>
> Out-of-band is more secure, but will require phone lines, and a term
> server, and then there is the issue of bandwidth.. if you are moving a
> large file, dial-up is going to suck, esp. since, without something like a
> Total Control or Ascend Max, you can't even do 56K.
>
> I would argue that you could mitigate most of the risk by tunneling
> everything through SSH, using tcp wrappers to control what hosts can even
> connect, and monitoring the hell out of the box.
>
> I like your idea from a security perspective, but the usability suffers
> with that scenario.
>
> Will content be driven by a database engine? I am just starting to ponder
> the IDS and monitoring solution. Has anyone given extensive thought or
> made a huge effort on solutions, etc.?
>
>
> On Fri, 8 Nov 2002, David Raphael wrote:
>
>>> Hello Everyone,
>>>
>>> Welcome Carric! It's great to hear more people are interested in the
>>> cause!
>>>
>>> To business:
>>>
>>> Are we comfortable with Apache 2 being the most secure?  I am not a
>>> Linux security specialist, but I don't believe that Apache 2 has had
>>> the same exposure as 1.3.xx ...What does everybody think?
>>>
>>> I like the idea of no Port other than 80 being open.  A terminal server
>>> might be a good alternative for remote administration!  Maybe we could
>>> get a hold of a little cyclades or something.  Please give your comments.
>>> Use dial-in only access.  Or if it is on some kind of Private LAN with
>>> alternative access.
>>>
>>> What does anyone think about this?
>>>
>>> -Dave
>>>
>>>
>>>> -----Original Message-----
>>>> From: owasp-leaders-admin at lists.sourceforge.net
>>>> [mailto:owasp-leaders-admin at lists.sourceforge.net]On Behalf Of Ingo
>>>> Struck
>>>> Sent: Thursday, November 07, 2002 6:29 AM
>>>> To: owasp-leaders at lists.sourceforge.net
>>>> Cc: mark at curphey.com
>>>> Subject: [OWASP-LEADERS] Big welcome to Carric / Server Setup
>>>>
>>>>
>>>> Hi Carric,
>>>>
>>>> I assume that Mark put you on this list, so welcome at the
>>>> OWASP staff.
>>>> It is really great that you volunteered for some admin work and that you
>>>> could provide a hosting location for our production servers.
>>>> Thanks a lot!
>>>>
>>>> Some weeks ago I already sent a personal wishlist for the production server
>>>> setup, so I simply repost it here:
>>>>
>>>> === snip ===
>>>>
>>>> Here you go with a detailed wishlist for the server configuration:
>>>> (I am currently not sure, whether the BSD or a linux box will be
>>>>  used for vulnxml - that makes no difference for me)
>>>>
>>>> 1. The file system setup *must* provide separate partitions for
>>>>    /var and /tmp
>>>> 2. The file system setup *should* provide separate partitions for
>>>>    /opt, /usr and /home
>>>> 3. All apache stuff goes to /opt/apache, i.e.:
>>>>    /opt/apache/httpd     httpd (preferably 2.0.43, 1.3.27 will do as well)
>>>>    /opt/apache/tomcat    tomcat (4.1.12)
>>>>    (I will provide the appropriate conf files for httpd 2.0 and for tomcat)
>>>> 4. The vulnxml application goes to /opt/owasp/vulnxml
>>>>    (I will provide this directory in a whole as tar.bz2)
>>>> 5. absolutely no ftp, telnet, finger or other crap access
>>>> 6. only port 80 open for remote access (best would be a packet filter
>>>>    firewall), if *really* necessary port 22 for ssh
>>>> 7. If it is somehow possible (i.e. you have got the servers near to you)
>>>>    NO SSH ACCESS AT ALL
>>>>
>>>> Due to our project goals I expect our apps to be attacked more than
>>>> an average web app. That's why I want the servers as leakproof as
>>>> possible.
>>>>
>>>> === snap ==
>>>>
>>>> Kind regards
>>>>
>>>> Ingo
>>>>
>>>>
>>>>
>>>>
>>>>
>>>
>>>
>
>
>
>
>

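As an added example (not code from anyone on this list), a small POSIX shell audit that checks a box against the wishlist quoted above: separate partitions for /var and /tmp (must) and /opt, /usr, /home (should), and nothing listening on TCP except port 80, with 22 only if SSH really is needed. The mount table and listener table are constructed samples; on a real host you would feed it the output of `cat /proc/mounts` and `netstat -ltn` instead.

```shell
# Audit mount table and listening sockets against the wishlist: own partitions
# for /var and /tmp (must) and /opt /usr /home (should), and only port 80
# (plus 22 if SSH is really needed) listening. Both inputs below are
# constructed samples in the layout of /proc/mounts and netstat -ltn.

# Constructed mount table: device mountpoint fstype options dump pass.
SAMPLE_MOUNTS='/dev/sda1 / ext3 rw 0 0
/dev/sda2 /var ext3 rw,nosuid,nodev 0 0
/dev/sda3 /tmp ext3 rw,nosuid,nodev,noexec 0 0
/dev/sda5 /home ext3 rw 0 0'

# Constructed listener table: proto recv-q send-q local foreign state.
SAMPLE_LISTEN='tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN'

# has_own_partition MOUNTS PATH: succeeds when PATH appears as a mount point.
has_own_partition() {
    printf '%s\n' "$1" | awk -v mp="$2" '$2 == mp { found = 1 } END { exit found ? 0 : 1 }'
}

# missing_partitions MOUNTS PATH...: prints the PATHs without their own partition.
missing_partitions() {
    mounts=$1; shift
    missing=""
    for p in "$@"; do
        has_own_partition "$mounts" "$p" || missing="$missing $p"
    done
    printf '%s\n' "${missing# }"
}

# unexpected_ports LISTEN "PORT PORT...": prints listening TCP ports that are
# not in the allowed list, in order of first appearance, each once.
unexpected_ports() {
    printf '%s\n' "$1" | awk -v allowed=" $2 " '
        $1 ~ /^tcp/ && $NF == "LISTEN" {
            n = split($4, a, ":"); port = a[n]
            if (index(allowed, " " port " ") == 0 && !(port in seen)) {
                seen[port] = 1
                out = out (length(out) ? " " : "") port
            }
        }
        END { print out }'
}

# Report on the constructed samples when run stand-alone.
echo "Missing mandatory partitions: [$(missing_partitions "$SAMPLE_MOUNTS" /var /tmp)]"
echo "Missing recommended partitions: [$(missing_partitions "$SAMPLE_MOUNTS" /opt /usr /home)]"
echo "Listening outside the allowed set {80,22}: [$(unexpected_ports "$SAMPLE_LISTEN" "80 22")]"
```

With the samples above the ftp listener on port 21 is flagged, which is exactly the "no ftp, telnet, finger" item turned into a check you can rerun after every change to the box.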