
Thread: Separate web servers, or not?

  1. #1


    Hi Guys,

    I see you're all complaining of it being quiet round here, so I'll give you something to do... help me! ;-)

    I'm contemplating setting up multiple mail servers using zones/jails, and would like to add collaboration software.


    From a security point of view, am I better off:

    a) running a web server in each zone (to keep data separated), but in doing so adding an extra piece of software to be cracked, or

    b) having a web server on a separate box that if cracked, potentially has access to all groupware data, but only IMAP access to (all) the mail servers?

    Guidance once again gratefully accepted...

    Cheers!
    What's your favourite OS?

    Seen it. Tried it. Crashed it.

  2. #2
    Gonzo District BOFH westin
    Join Date: Jan 2006 | Location: SW MO | Posts: 1,187
    Personally, I usually run multiple servers, even though I could consolidate several servers on one box. We run many virtual servers, so setting up a new one is a breeze. Just make sure that you stay up on patches, and implement other security measures. What sort of web servers are you looking at setting up? If they run Linux, use ipchains to block traffic from ip ranges that you know will never need to connect. [ie. China, North Korea, Nigeria, etc.]. If you are running an additional firewall, I would suggest blocking those ranges there as well.
    "Those of us that had been up all night were in no mood for coffee and donuts, we wanted strong drink."

    -HST

  3. #3
    Senior Member gore
    Join Date: Oct 2002 | Location: Michigan | Posts: 7,177
    I'd recommend looking into FreeBSD for this. They've done an amazing job at making their stuff Solid, Stable, and Secure, and, that has three "S"s.

    Seriously, though, FreeBSD works wonders for Mail Servers. You can still use some half assed 486 for this task, and as long as you keep the machine up to date, and possibly stay away from Sendmail, you'll have a nice start already. They have Jails, sandboxes, everything.

    What I'd do personally if I were setting up a Mail server though, and security was the main idea? First, I'd take FreeBSD or Linux, and, either do it myself, or pay someone to do it, and have them basically remove EVERYTHING in the Kernel, that isn't required for the Hardware it's on, and for lack of a better word "Hack" the Mail Server into the Kernel, set up filters so it drops EVERYTHING that isn't mail from your users, and drop everything else. Web Sites do this sometimes, and it seems to work well.

    Basically you hack a Web Server into the Kernel, get rid of everything that isn't required to run that server, and there is nothing left to get into.

    Oddly enough I know of someone who used to do this and Porn sites used to pay out the ass for that. It takes a lot of skill that I don't even come close to as I'm not only not a coder, but I'm sure as crap no Kernel Hacker.

    If you're not going THAT deep, then, basically, FreeBSD is a neat mail server, and it doesn't need X Windows or some sissy GUI that wastes RAM and CPU cycles to display some Graphics on a machine that may not even have a monitor.

    Also, again, the Jails, Sandboxes, and so on, makes it a reliable option.

  4. #4
    gore,

    I used FreeBSD on a laptop for a couple of years during the 4.x phase, but when it all went horribly wrong when the 5.x series came out, I was somewhat put off. I tried again recently with a different laptop with the 7.xs, and PC-BSD, and both crashed horribly during the installation causing file system destruction.

    I'm wary to say the least...

    I did make an attempt at starting to look at jails on my server, but stopped when I realised the fibre cards weren't supported.

    westin,

    block traffic from ip ranges that you know will never need to connect. [ie. China, North Korea, Nigeria, etc.]
    That's good advice.
    What's your favourite OS?

    Seen it. Tried it. Crashed it.

  5. #5
    Gonzo District BOFH westin
    Join Date: Jan 2006 | Location: SW MO | Posts: 1,187
    I actually have a list of CIDR ranges that can easily be thrown in hosts.deny to block all non-US traffic, although I realize that isn't practical for a lot of organizations. Where I work, there are only a few thousand people that need to access our services... and they are all in the US. If you want the list, let me know. It is in the format:

    SSHD: 2.0.0.0/255.0.0.0
    SSHD: 3.0.0.0/255.0.0.0
    SSHD: 6.0.0.0/255.0.0.0
    SSHD: 9.0.0.0/255.0.0.0
    SSHD: 11.0.0.0/255.0.0.0
    SSHD: 13.0.0.0/255.0.0.0
    SSHD: 15.0.0.0/255.0.0.0
    ~

    I used sed to replace SSHD with ALL, which of course blocks traffic to all ports.

    PM me if you want it.
    "Those of us that had been up all night were in no mood for coffee and donuts, we wanted strong drink."

    -HST
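    As an added illustration (not westin's script or list), the following Python parses hosts.deny lines in the "DAEMON: address/netmask" layout shown above, performs the same SSHD-to-ALL rewrite his sed command did, and checks whether a given client address would be refused. The entries in SAMPLE_HOSTS_DENY are constructed for the example.

```python
import ipaddress

# Constructed sample in the "DAEMON: address/netmask" layout westin describes.
# The entries are illustrative, not his actual list.
SAMPLE_HOSTS_DENY = """\
SSHD: 2.0.0.0/255.0.0.0
SSHD: 3.0.0.0/255.0.0.0
SSHD: 6.0.0.0/255.0.0.0
# comment lines and blanks are ignored
"""


def parse_hosts_deny(text):
    """Return a list of (daemon, IPv4Network) for every rule line.

    ipaddress accepts the dotted-quad netmask form used in the file.
    """
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        daemon, _, client = line.partition(":")
        rules.append((daemon.strip(),
                      ipaddress.ip_network(client.strip(), strict=False)))
    return rules


def widen_to_all(text):
    """Do what the sed one-liner did: turn SSHD rules into ALL rules.

    ALL is the tcp_wrappers wildcard, so the same ranges then apply to
    every wrapped service, not just sshd.
    """
    return "\n".join(
        f"{'ALL' if daemon.lower() == 'sshd' else daemon}: {net.with_netmask}"
        for daemon, net in parse_hosts_deny(text)
    )


def is_denied(text, daemon, client_ip):
    """True if hosts.deny would reject client_ip for the named daemon."""
    ip = ipaddress.ip_address(client_ip)
    return any(
        rule_daemon.lower() in ("all", daemon.lower()) and ip in net
        for rule_daemon, net in parse_hosts_deny(text)
    )
```

    Note that hosts.deny only governs services linked against tcp_wrappers (or started via tcpd); a packet filter such as the ipchains rules westin mentioned covers every port regardless of the listening program.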

  6. #6
    Senior Member gore
    Join Date: Oct 2002 | Location: Michigan | Posts: 7,177
    Quote Originally Posted by shakeshuck
    gore,

    I used FreeBSD on a laptop for a couple of years during the 4.x phase, but when it all went horribly wrong when the 5.x series came out, I was somewhat put off. I tried again recently with a different laptop with the 7.xs, and PC-BSD, and both crashed horribly during the installation causing file system destruction.

    I'm wary to say the least...
    Laptops back in 4.0 must have been terrible heh. Even now they're still working on making them good for BSD. I don't think I've had BSD on my Laptop because a lot of hardware isn't going to work right. The last time I installed, no working in a GUI because it just wouldn't work.

    I now have the new 8.0 but haven't installed yet because I just haven't felt like screwing around with it, but from what I hear it works good. I haven't had any issues running it on a Desktop though.

    I think you might want to try it on a Desktop system with real hardware, and not the usual on board integrated bastardizations they use in laptops. Unless you have already...

    I didn't really have much hardware before. Right now I have a Celeron 433 MHz machine, with 192 MBs of RAM, and it's running Slackware 13.0 and it from time to time is used for BSD too. I generally use SlackBSD for that machine's host because I've dual booted FreeBSD and Slackware on it so many times I know exactly what it is.

    Have you used any of these on something not like a Laptop?

  7. #7
    westin,

    Now that you've forced me to think (never a good idea!), I'm a bit stumped. Realistically (email wise) a potential customer could come from anywhere. I agree that you could probably remove most of Africa, but after that it's a case of separating the wheat from the chaff.

    In my case, I'm currently in the UK, but I have email addresses hosted in Australia and the US. I'd have to open port 25 to each of these even though I'm not there (not that the US or Aus are problem areas, but you get the idea). How many potential customers use email systems outside their locality?

    I was intending to start with greylisting, but if I read it right anyone that's persistent will still get through.

    I'll have to ponder...
    What's your favourite OS?

    Seen it. Tried it. Crashed it.

  8. #8
    gore,

    I liked FreeBSD in the 4.x days. A pain to set up, but you only needed to do it once! Setting up the X driver timings manually was interesting, but I'm glad we don't have to do that any more. Amazingly, even the laptop sound card worked. Maybe I was lucky!

    I'm in the middle of setting up OpenBSD on my firewall. For some reason (at least to me) it seems to work better "out of the box" than either Free- or NetBSD. Install isn't as friendly, though.
    What's your favourite OS?

    Seen it. Tried it. Crashed it.

  9. #9
    AntiOnline Senior Member souleman
    Join Date: Oct 2001 | Location: Flint, MI | Posts: 2,883
    BSD is server software. Period. Any "real" organization isn't going to be running a server from a laptop. So why would they take the time to make it work well on a laptop?

    As for the original question, it really depends on what the final goal is. Is this for a business or a personal project? Are you talking 50 email accounts, or 50,000,000? What is the web server for? Is it static or dynamic? Does it even need access to any of the groupware data?

    etc etc
    "Ignorance is bliss....
    but only for your enemy"
    -- souleman

  10. #10
    BSD is server software. Period.
    Why would they put X and lots of nice apps on if they don't expect anyone to use them?

    I'm not so much complaining that FreeBSD won't work on my laptop - there are plenty of other OSes that will - more that at 4.x they had it working (and I was a big fan) and now it bo!!oxes the filesystem at install. If that's progress, count me out.


    As to the original question, I'm looking to host mail accounts for small businesses and include groupware, project management software, etc. With my current boxes I would say there's a limit of about 2000 accounts, but I won't know for sure until it's configured and trialled. The web servers are to host the groupware/project/webmail software. I was hoping to give each company its own segregated mail server, and would like to know if I should also do the same for the webservers, and if keeping them on a different box is more secure than allowing web access to the mailserver zones/jails? The groupware data could reside on either server, whichever is more appropriate (that's probably my next question...).
    What's your favourite OS?

    Seen it. Tried it. Crashed it.
