[Linux] Apache and security questions
Aaron Wolfe
linux@flux.org
Wed, 9 Jan 2008 23:08:39 -0500
> -----Original Message-----
> From: linux-admin@flux.org [mailto:linux-admin@flux.org] On
> Behalf Of Steven Benmosh
> Sent: Wednesday, January 09, 2008 9:45 PM
> To: linux@flux.org
> Subject: Re: [Linux] Apache and security questions
>
> 1. No, the ServerAlias was not it - I removed the second one
> and nothing happened differently. Besides, I think in such a
> case Apache would use the first one that matches the
> criteria, and even if it used them at random (not a good
> thing, I agree), it should not have given an error message.
>
> I fixed the problem by going to my dns provider and including
> another record for gps.words2u.net pointing to my IP address.
> After that, I get the right path and no error message. I
> guess I need to point every subdomain to my server's IP
> address, and then it is ok.
>
> 2. Regarding security, I use a linksys wrt45g (not gl). I
> looked up the wrt45gl, it seemed very similar, but with
> better specs - I am not sure how it could have 3 nics on it.
If your wrt54g is an older version, you might be lucky enough to have one that can do the types of config I mentioned. The current model is not capable, which is why I mentioned the wrt54gl, which specifically is (the "l" stands for Linux). You can find out if your model will run an open linux on the openwrt website.

As for how it could have 3 nics, I'm sure you've noticed that there are 5 network ports on the back of the device. Each can be used as a separate nic with its own IP networking configuration and full firewall control of traffic between nets, just like a computer with five network cards in it (which is pretty much what the wrt54 is once you put the right firmware on it).

To provide a DMZ for one server without adding any extra hardware you could, for example, connect ports 1, 2 and 3 to your internal hosts, port 4 to your web server, and the "wan" port to your internet device. You can change the 4 port switch to act as two different switches, one that uses ports 1-3 and one that uses port 4 only. You can then give the wrt an IP interface on each of the two switches. This is accomplished internally by using VLAN tagging on the ports as Julio mentioned. There are some performance concerns in this configuration, but if you use a typical home internet connection (less than 10Mbps) they simply will not be an issue for you. You can turn a $50 router into a linux box with 5 ethernet nics and one 802.11 interface.
> On my wrt45g it recommends to use port forwarding and not
> DMZ, because DMZ open all ports to the server, which is still
> on the same network as the rest of the computers, while port
> forwarding limits the open ports.
The "DMZ" you are referring to is not at all what I was talking about. I have never understood why linksys firmwares call the "dnat everything to this host" feature a DMZ, but you are correct that they do call it that, and using that feature would be a silly idea.

The type of configuration I am recommending involves separate physical networks connected to different ports on the wrt and firewalled from each other. You cannot do this with the stock linksys firmware, but there are lots of alternate firmwares that you can obtain for free. OpenWRT is a nice one. If you are lucky, you already have a wrt54 that can run it.
>
> Z.
>
> message is: Server not found
>
> Firefox can't find the server at dust.words2u.net.
> * Check the address for typing errors such as
> ww.example.com instead of www.example.com
>
> On Jan 9, 2008 6:44 AM, Lawrence Kagan <me@larrykagan.com> wrote:
>
>
> Could be that you have the same ServerAlias for both
> Virtual Hosts.
>
> On Jan 8, 2008, at 11:16 PM, Steven Benmosh wrote:
>
>
> Ok, by now you know I am trying to set up a new
> web site. I have two questions.
>
> 1. Here is my sites-available default file:
> ...
> default file that comes with the server
> ...
>
> <VirtualHost *>
> ServerAdmin admin@words2u.net
> ServerName www.words2u.net
> ServerAlias words2u.net
> DocumentRoot /home/words2u
> </VirtualHost>
>
> <VirtualHost *>
> ServerAdmin admin@words2u.net
> ServerName gpx.words2u.net
> ServerAlias words2u.net
> DocumentRoot /home/words2u/gpxwiki
> </VirtualHost>
>
> When I use www.words2u.net or words2u.net, I get the correct
> page. When I use the IP address, I get the /var/www default page,
> as expected. But when I run gpx.words2u.net, I get an error message.
>
> Where am I going wrong? Do I have to run my own
> dns server to enable urls other than www.words2u.net and
> words2u.net?
>
> 2. Security
>
> What is the best way to isolate my net server
> from the other computers in my network, so if/when someone
> breaks in, the rest of the network is safe? Use firewall on
> each computer to block access to the web server? Any other idea?
>
> Thanks.
>
> Z.
>
> --
> Check out my web site - www.words2u.net
>
> --
> Check out my web site - www.words2u.net
>
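The split-switch layout Aaron describes (jacks 1-3 on one switch for the internal hosts, jack 4 on a second switch for the web server, a router address on each, and a firewall between them instead of the Linksys "DNAT everything" DMZ) written out as OpenWRT UCI configuration. This is an added example, not from the thread or from the OpenWRT project; it assumes an OpenWRT release that uses UCI on a wrt54gl, that the physical LAN jacks 1-4 are switch ports 0-3 with the CPU on port 5 (port maps and default VLAN ids differ by model and release, so compare against your own /etc/config/network first and leave the existing WAN VLAN alone), and constructed addresses 192.168.1.0/24 for the internal hosts and 192.168.2.0/24 for the DMZ with the web server at 192.168.2.10.

```uci
# /etc/config/network additions (constructed example; switch port numbers
# and VLAN ids are assumptions, check the defaults for your release/model)
# VLAN 1: LAN jacks 1-3 plus the CPU (tagged) -> internal hosts
config switch_vlan
	option device 'eth0'
	option vlan '1'
	option ports '0 1 2 5t'
# VLAN 2: LAN jack 4 plus the CPU (tagged) -> the web server only
config switch_vlan
	option device 'eth0'
	option vlan '2'
	option ports '3 5t'
# one router address on each of the two switches
config interface 'lan'
	option ifname 'eth0.1'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
config interface 'dmz'
	option ifname 'eth0.2'
	option proto 'static'
	option ipaddr '192.168.2.1'
	option netmask '255.255.255.0'

# /etc/config/firewall additions (the default 'lan' and 'wan' zones are assumed)
# the dmz zone: no traffic in or out unless a forwarding/redirect below allows it
config zone
	option name 'dmz'
	option network 'dmz'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
# internal hosts may reach the web server; there is deliberately no dmz->lan forwarding
config forwarding
	option src 'lan'
	option dest 'dmz'
# the web server may reach the internet (updates) but not the internal network
config forwarding
	option src 'dmz'
	option dest 'wan'
# unlike the Linksys "DMZ" (DNAT everything), only TCP/80 from the internet reaches the server
config redirect
	option src 'wan'
	option proto 'tcp'
	option src_dport '80'
	option dest 'dmz'
	option dest_ip '192.168.2.10'
	option dest_port '80'
	option target 'DNAT'
```

After applying the two files, a web server that is compromised can reach only the internet and the router's firewall, so an intruder gets no direct path to the 192.168.1.0/24 hosts; check the result from the web server itself by confirming that nothing on 192.168.1.0/24 answers.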