RE: apache server plus ipfilter

[Eric Polin <eric () NetWolves com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

anant -

Each one of those services is great in its own right. However, when you
combine them together, it is not such a good practice. Any service that
holds a LISTENING port, in my opinion should be chrooted or jailed. Apache
is a great webserver in my opinion because it can be somewhat light, but can
be also be very heavy depending on what you have compiled/added into the
server. The problem with apache, and php, is that you have to stay on top,
and up to date with the apache/php/perl/foo project. I really like apache,
and use it for *almost* everyone of my webservers, but there have been many
exploits to the project. I have been through some of the code, and it looks
nice, but it is a very popular project, and because of this will always have
exploits/hacks towards it. 

I also depend highly on ipf/ipnat. More than any other fw that i have used
in unix/linux, i like ipf best. The rulesets are easy to understand, it is
quick (if setup right), and in my opinion quite secure. 

So in my opinion, i would opt for using 2 boxen for your ipf/apache
solution.

if i can be of any help, send an email. 

Eric

- -----Original Message-----
From: Anant Tamgole [mailto:anant.pn1 () pn123 vsnl net in]
Sent: Sunday, November 17, 2002 8:31 PM
To: security-basics () securityfocus com
Subject: apache server plus ipfilter


Dear all,

We recently deployed a web server on Solaris 8(Intel), with
apache 1.3.27 and ipfilter firewall.
Is this a good combination or any issues, comments ?

regards
anant

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0 (Build 349) Beta

iQA/AwUBPdpZdKUUXFhoQKvpEQK7/gCfVzCj3DnsJFyuFnOHYz0HmlmZ8sEAoK6E
LXnaangmNVVHUARpO5W2YMXS
=mtES
-----END PGP SIGNATURE-----