-
May 16th, 2010, 05:05 PM
#1
Member
Separate web servers, or not?
Hi Guys,
I see you're all complaining of it being quiet round here, so I'll give you something to do... help me! ;-)
I'm contemplating setting up multiple mail servers using zones/jails, and would like to add collaboration software.
From a security point of view, am I better off:
a) running a web server in each zone (to keep data separated), but in doing so adding an extra piece of software to be cracked, or
b) having a web server on a separate box that if cracked, potentially has access to all groupware data, but only IMAP access to (all) the mail servers?
Guidance once again gratefully accepted...
Cheers!
What's your favourite OS?
Seen it. Tried it. Crashed it.
-
May 19th, 2010, 02:57 AM
#2
Personally, I usually run multiple servers, even though I could consolidate several servers on one box. We run many virtual servers, so setting up a new one is a breeze. Just make sure that you stay up on patches, and implement other security measures. What sort of web servers are you looking at setting up? If they run Linux, use ipchains to block traffic from ip ranges that you know will never need to connect. [ie. China, North Korea, Nigeria, etc.]. If you are running an additional firewall, I would suggest blocking those ranges there as well.
\"Those of us that had been up all night were in no mood for coffee and donuts, we wanted strong drink.\"
-HST
-
May 19th, 2010, 04:26 AM
#3
I'd recommend looking into FreeBSD for this. They're done an amazing job at making their stuff Solid, Stable, and Secure, and, that has three "S"s
Seriously, though, FreeBSD works wonders for Mail Servers. You can still use some half assed 486 for this task, and as long as you keep the machine up to date, and possibly stay away from Sendmail, you'll have a nice start already. They have Jails, sandboxes, everything.
What I'd do personally if I were setting up a Mail server though, and security was the main idea? First, I'd take FreeBSD or Linux, and, either do it myself, or pay someone to do it, and have them basically remove EVERYTHING in the Kernel, that isn't required for the Hardware it's on, and for lack of a better word "Hack" the Mail Server into the Kernel, set up filters so it drops EVERYTHING that isn't mail from your users, and drop everything else. Web Sites do this sometimes, and it seems to work well.
Basically you hack a Web Server into the Kernel, get rid of everything that isn't required to run that server, and there is nothing left to get into.
Oddly enough I know of someone who used to do this and Porn sites used to pay out the ass for that. It takes a lot of skill that I don't even come close to as I'm not only not a coder, but I'm sure as crap no Kernel Hacker.
If you're not going THAT deep, then, basically, FreeBSD is a neat mail server, and it doesn't need X Windows or some sissy GUI that wastes RAM and CPU cycles to display some Graphics on a machine that may not even have a monitor.
Also, again, the Jails, Sandboxes, and so on, makes it a reliable option.
-
May 24th, 2010, 09:59 PM
#4
Member
gore,
I used FreeBSD on a laptop for a couple of years during the 4.x phase, but when it all went horribly wrong when the 5.x series came out, I was somewhat put off. I tried again recently with a different laptop with the 7.xs, and PC-BSD, and both crashed horribly during the installation causing file system destruction.
I'm wary to say the least...
I did make an attempt at starting to look at jails on my server, but stopped when I realised the fibre cards weren't supported.
westin,
block traffic from ip ranges that you know will never need to connect. [ie. China, North Korea, Nigeria, etc.]
That's good advice.
What's your favourite OS?
Seen it. Tried it. Crashed it.
-
May 25th, 2010, 12:35 AM
#5
I actually have a list of CIDR ranges that can easily be thrown in hosts.deny to block all non-US traffic, although I realize that isn't practical for a lot of organizations. Where I work, there are only a few thousand people that need to access our services... and they are all in the US. If you want the list, let me know. It is in the format:
SSHD: 2.0.0.0/255.0.0.0
SSHD: 3.0.0.0/255.0.0.0
SSHD: 6.0.0.0/255.0.0.0
SSHD: 9.0.0.0/255.0.0.0
SSHD: 11.0.0.0/255.0.0.0
SSHD: 13.0.0.0/255.0.0.0
SSHD: 15.0.0.0/255.0.0.0
~
I used sed to replace SSHD with ALL, which of course blocks traffic to all ports.
PM me if you want it.
\"Those of us that had been up all night were in no mood for coffee and donuts, we wanted strong drink.\"
-HST
-
May 25th, 2010, 01:51 AM
#6
Originally Posted by shakeshuck
gore,
I used FreeBSD on a laptop for a couple of years during the 4.x phase, but when it all went horribly wrong when the 5.x series came out, I was somewhat put off. I tried again recently with a different laptop with the 7.xs, and PC-BSD, and both crashed horribly during the installation causing file system destruction.
I'm wary to say the least...
Laptops back in 4.0 must have been terrible heh. Even now they're still working on making them good for BSD. I don't think I've had BSD on my Laptop because a lot of hardware isn't going to work right. The last time I installed, no working in a GUI because it just wouldn't work.
I now have the new 8.0 but haven't installed yet because I just haven't felt like screwing around with it, but from what I hear it works good. I haven't had any issues running it on a Desktop though.
I think you might want to try it on a Desktop system with real hardware, and not the usual on board integrated bastardizations they use in laptops. Unless you have already...
I didn't really have much hardware before. Right now I have a Celeron 433 MHz machine, with 192 MBs of RAM, and it's running Slackware 13.0 and it from time to time is used for BSD too. I generally use SlackBSD for that machine's host because I've dual booted FreeBSD and Slackware on it so many times I know exactly what it is.
Have you used any of these on something not like a Laptop?
-
May 26th, 2010, 01:58 PM
#7
Member
westin,
Now that you've forced me to think (never a good idea!), I'm a bit stumped. Realistically (email wise) a potential customer could come from anywhere. I agree that you could probably remove most of Africa, but after that it's a case of separating the wheat from the chaff.
In my case, I'm currently in the UK, but I have email addresses hosted in Australia and the US. I'd have to open port 25 to each of these even though I'm not there (not that the US or Aus are problem areas, but you get the idea). How many potential customers use email systems outside their locality?
I was intending to start with greylisting, but if I read it right anyone that's persistent will still get through.
I'll have to ponder...
What's your favourite OS?
Seen it. Tried it. Crashed it.
-
May 26th, 2010, 02:18 PM
#8
Member
gore,
I liked FreeBSD in the 4.x days. A pain to set up, but you only needed to do it once! Setting up the X driver timings manually was interesting, but I'm glad we don't have to do that any more. Amazingly, even the laptop sound card worked. Maybe I was lucky!
I'm in the middle of setting up OpenBSD on my firewall. For some reason (at least to me) it seems to work better "out of the box" than either Free- or NetBSD. Install isn't as friendly, though.
What's your favourite OS?
Seen it. Tried it. Crashed it.
-
May 27th, 2010, 06:58 PM
#9
BSD is server software. Period. Any "real" organization isn't going to be running a server from a laptop. So why would they take the time to make it work well on a laptop?
As for the original question, it really depends on what the final goal is. Is this for a business or a personal project? Are you talking 50 email accounts, or 50,000,000? What is the web server for? Is it static or dynamic? Does it even need access to any of the groupware data?
etc etc
\"Ignorance is bliss....
but only for your enemy\"
-- souleman
-
May 27th, 2010, 08:34 PM
#10
Member
BSD is server software. Period.
Why would they put X and lots of nice apps on if they don't expect anyone to use them?
I'm not so much complaining that FreeBSD won't work on my laptop - there are plenty of other OSes that will - more that at 4.x they had it working (and I was a big fan) and now it bo!!oxes the filesystem at install. If that's progress, count me out.
As to the original question, I'm looking to host mail accounts for small businesses and include groupware, project management software, etc. With my current boxes I would say there's a limit of about 2000 accounts, but I won't know for sure until it's configured and trialled. The web servers are to host the groupware/project/webmail software. I was hoping to give each company it's own segregated mail server, and would like to know if I should also do the same for the webservers, and if keeping them on a different box is more secure than allowing web access to the mailserver zones/jails? The groupware data could reside on either server, whichever is more appropriate (that's probably my next question...).
What's your favourite OS?
Seen it. Tried it. Crashed it.
Similar Threads
-
By cheyenne1212 in forum Miscellaneous Security Discussions
Replies: 7
Last Post: February 1st, 2012, 02:51 PM
-
By Tiger Shark in forum The Security Tutorials Forum
Replies: 5
Last Post: March 4th, 2004, 05:00 PM
-
By chsh in forum Miscellaneous Security Discussions
Replies: 1
Last Post: January 11th, 2004, 05:59 AM
-
By Unleashed in forum AntiOnline's General Chit Chat
Replies: 2
Last Post: April 8th, 2002, 11:56 PM
-
By iraklis777 in forum Security Archives
Replies: 10
Last Post: October 23rd, 2001, 08:41 AM
Posting Permissions
- You may not post new threads
- You may not post replies
- You may not post attachments
- You may not edit your posts
-
Forum Rules
|
|