Hi A.M. On 2001.09.08 15:17:46 +0100 A. Meinerzhagen wrote:
Hi, List.
Is there a safe way other than sftp/scp to let people update their webpages? Clients are using lots of Windows computers. After an intrusion last week we don't like the idea anymore that people use ftp to put their pages on the server.
Can't think of anything easy... are all your users going to update from inside your LAN, or do they have to update over the internet? One solution I have seen to this problem is a temporary FTP password: something like 1. you email the server, 2. a password is generated and is only valid for one hour, 3. the password is emailed back to the user. Not great, but a cracker has less time in which she can intrude on your box.
Does it make sense, with our setup, to use SuSE Firewall at all? Setup is:
IMHO, it nearly always makes sense to firewall - layers of security make it harder for a bad guy to get anywhere even if he breaks into one box...
WWW---->FW---->(eth0) Webserver (eth1)<--->LAN ^ | ^ |------------------------v-----------------|
Weird, I know. Incoming traffic will go through the FW, but outgoing will not.
The webserver machine runs two instances of apache, to serve the www pages and the local www pages. That's the reason for the two NICs. But by design we have to look at both NICs as hostile networks, because any computer is connected at any time to the Internet (University). If using the Firewall, what would a setup look like? Or better, IPChains? And what would the rules be? We are serving only ports 80, 443, and 22 (http, https, ssh) to the "outside" and at the moment to the "inside" also. If people insist on using ftp from inside, what then?
I'm not sure how you gain anything by having 2 NICs on the same LAN; to my eyes, you seem to be making things too complicated... If you are using kernel 2.4.x, try iptables - it is more flexible than ipchains. SuSE firewall basically makes rules for ipchains/iptables, so one isn't "better" than the other; they use different ways to do the same thing. Given your unusual set-up (but fairly simple needs), I think you would be better off rolling your own using iptables (sorry, Marc ;-) ). Have a look at the HOWTO at http://netfilter.samba.org for some iptables ideas. HTH, Maf.
Thanks in advance, A. Meinerzhagen
-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Maf. King
Standby Exhibition Services
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"It is easier to do a job right than to explain why you didn't." - Martin Van Buren
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
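A worked example, added here and not code from either poster, of the kind of hand-rolled iptables policy Maf suggests for the setup described above: eth0 faces the WWW/firewall side, eth1 the LAN, both are treated as hostile, and only TCP 22, 80 and 443 are accepted on either interface, so ftp (21) stays closed from both sides. The interface names and ports come from the thread; the IPT variable, the --apply flag and the dry-run mode are assumptions made so the script can be checked without root.

```shell
#!/bin/sh
# Added example, not code from the list post. Policy for a two-NIC webserver:
# eth0 faces the WWW/firewall side, eth1 the LAN, both treated as hostile,
# only TCP 22/80/443 served on either. IPT and --apply are assumptions here:
# "IPT=echo sh fw.sh" prints the rules, "sh fw.sh --apply" as root loads them.
IPT="${IPT:-iptables}"
SERVED_PORTS="22 80 443"
NICS="eth0 eth1"

flush_rules() {
    $IPT -F INPUT
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP     # the box is a host, not a router between the NICs
    $IPT -P OUTPUT ACCEPT
}

# Loopback plus replies to connections the box itself opened.
allow_stateful() {
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -m state --state INVALID -j DROP
}

# Open only the served TCP ports on one interface; anything else on it,
# ftp (21) included, falls through to the DROP policy.
allow_served() {
    nic="$1"
    for port in $SERVED_PORTS; do
        $IPT -A INPUT -i "$nic" -p tcp --dport "$port" --syn -j ACCEPT
    done
}

apply_policy() {
    flush_rules
    allow_stateful
    for nic in $NICS; do
        allow_served "$nic"
    done
    # Rate-limited log of what gets dropped, so probes are visible in syslog.
    $IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT drop: "
}

# Number of ACCEPT rules the policy would install (dry-run), for a sanity check.
count_accepts() {
    ( IPT=echo; apply_policy ) | grep -c -- '-j ACCEPT'
}

if [ "${1:-}" = "--apply" ]; then apply_policy; fi
```

Opening port 21 on eth1 would bring back exactly the plaintext-credential problem that started the thread, which is why the policy leaves it closed on both interfaces.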