- Posts: 42
- Thank you received: 0
Web Server Security?
9 years 3 weeks ago - 9 years 2 weeks ago #38690
by Maskkkk
[img]http://home.pct.edu/~leeand00/Hole in the Ozone Layer.gif[/img]
- A man is not an island...that's why we have forums!
Web Server Security? was created by Maskkkk
If you have a web server / web app, database and Webmin all on the same Linux machine, and you want to secure them for the internet, is it a good idea to only leave open the SSH and web ports (443 and 80) and bind all the other private services (Webmin, Adminer or phpMyAdmin, and database ports) only to the local loopback address (127.0.0.1, ::1), then secure SSH with a 4096-bit RSA public/private key, prevent password-based authentication and root logins...and finally only access these private services using SSH local forwarding?
I was also thinking of limiting the IP or MAC addresses of the machines that are allowed to access it in its firewall.
Anything I missed here?
Thank you,
maskkkk
Last edit: 9 years 2 weeks ago by Maskkkk.
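The post above describes a concrete checklist: only 22/80/443 reachable from outside, every admin service bound to loopback, SSH key-only with root login off, admin access through SSH local forwarding, and a firewall that limits who can reach SSH. The following POSIX shell script is an added example (not part of the thread and not Maskkkk's or Chris's code) that audits a host against that checklist. It consumes listener and sshd data as text so it runs offline on constructed samples; on a real host the assumed inputs are the local-address column of `ss -ltnH` and the output of `sshd -T`. The hostname `server.example.net`, the user `admin` and the admin network `203.0.113.0/24` are placeholders.

```shell
#!/bin/sh
# Added example, not from the forum thread. Audits the hardening plan from
# the post: public 22/80/443 only, admin services loopback-bound, SSH key-only.

# Ports allowed to listen on a non-loopback address.
PUBLIC_PORTS="22 80 443"

# check_listeners: reads one listening socket per line as "<addr>:<port>"
# (the local-address column of `ss -ltnH`, assumed format) from stdin.
# Prints every socket bound to a non-loopback address on a port outside
# PUBLIC_PORTS and returns 1 if any were found, 0 otherwise.
check_listeners() {
    bad=0
    while IFS= read -r sock; do
        [ -n "$sock" ] || continue
        port=${sock##*:}
        addr=${sock%:*}
        case "$addr" in
            127.*|"[::1]"|::1) continue ;;   # loopback-only binding is fine
        esac
        found=0
        for p in $PUBLIC_PORTS; do
            [ "$p" = "$port" ] && found=1
        done
        if [ "$found" -eq 0 ]; then
            echo "exposed: $sock"
            bad=1
        fi
    done
    return "$bad"
}

# check_sshd: reads sshd_config or `sshd -T` output from stdin and returns 0
# only if password logins are off, root login is off and pubkey auth is on.
# Keys are matched case-insensitively and the first occurrence of a key
# wins, which is how sshd itself resolves duplicate directives.
check_sshd() {
    tr '[:upper:]' '[:lower:]' | awk '
        /^[ \t]*#/ || NF < 2 { next }
        !($1 in seen) { seen[$1] = $2 }
        END {
            ok = (seen["passwordauthentication"] == "no" \
               && seen["permitrootlogin"] == "no" \
               && seen["pubkeyauthentication"] == "yes")
            if (!ok) print "sshd: password=" seen["passwordauthentication"] \
                           " root=" seen["permitrootlogin"] \
                           " pubkey=" seen["pubkeyauthentication"]
            exit !ok
        }'
}

# tunnel_cmd HOST LOCAL_PORT REMOTE_PORT: prints the ssh local-forwarding
# command that reaches a loopback-bound service through the SSH port only.
# The listener is pinned to 127.0.0.1 on the client side as well, so the
# tunnel entrance is not exposed to the client's LAN.
tunnel_cmd() {
    echo "ssh -N -L 127.0.0.1:$2:127.0.0.1:$3 admin@$1"
}

# firewall_rules ADMIN_CIDR: prints an nftables ruleset that admits SSH only
# from ADMIN_CIDR (IPv4; add an ip6 saddr rule for IPv6 admins) and web
# traffic from anywhere. The drop policy means a service accidentally bound
# to 0.0.0.0 is still unreachable from outside.
firewall_rules() {
    cat <<EOF
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        ip saddr $1 tcp dport 22 accept
        tcp dport { 80, 443 } accept
    }
}
EOF
}

# Constructed sample data standing in for `ss -ltnH` and `sshd -T` output.
# The last socket is a Webmin instance left bound to all interfaces.
SAMPLE_SOCKETS='0.0.0.0:22
[::]:22
0.0.0.0:80
[::]:443
127.0.0.1:3306
[::1]:10000
0.0.0.0:10000'

SAMPLE_SSHD='PubkeyAuthentication yes
PasswordAuthentication no
PermitRootLogin no'

if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$SAMPLE_SOCKETS" | check_listeners || echo "listener check failed"
    printf '%s\n' "$SAMPLE_SSHD" | check_sshd && echo "sshd: ok"
    tunnel_cmd server.example.net 10000 10000
    firewall_rules 203.0.113.0/24
fi
```

Run it as `sh audit.sh demo` to see the sample data checked; on a live host, replace the samples with `ss -ltnH | awk '{print $4}' | check_listeners` and `sshd -T | check_sshd`. The listener check is the one that catches the classic mistake in this setup: Webmin or the database answering on 0.0.0.0 while the admin believes it is loopback-only.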
9 years 2 weeks ago #38691
by Chris
Chris Partsenidis.
Founder & Editor-in-Chief
www.Firewall.cx
Replied by Chris on topic Web Server Security?
Hi Maskkkk!
Nice diagram btw!
Generally, placing a machine in a DMZ zone with ports being forwarded from the public to it poses security risks. If all these services must run on the same box, then you do have limited options; however, splitting them between two or more servers could be a wise tactic.
These days, the deployment of servers/services accessed by the public should also be accompanied by the installation of firewalls and IPS systems, especially if we are talking about an organization.
Use the strongest possible encryption for SSH, limit access for specific accounts from which you can then SU to gain elevated privileges. As far as binding the services to the localhost - I'm not really sure if this can work, but it sounds like an interesting idea, however something tells me that it might not just be enough.
Finally, if you are able to limit the IP addresses that will have access to the server, then do it - no question asked, especially if there is no IPS and other means of protection such as advanced firewalls etc.
Hope this helps!
Chris.