  1. #1
    Join Date
    Aug 2004

    * Why need a firewall on webserver?

    In a case where a standalone webserver is the firewall.

    With a software firewall running, you still have to open incoming on 80 and the SSH port.
    SSHD takes care of logins
    Apache takes care of HTTP

    DDOS can not be stopped by a software firewall or even a hardware firewall.

    Most break-ins are due to bad scripts, easily guessed passwords, and un-updated software.

    So why do you need a firewall at all? In what cases can a firewall make your server more secure?

  2. #2
    Join Date
    Dec 2002
    chica go go
    Bad scripts can be secured with a strict mod_security configuration. But that can interfere with normal scripts.

    Insecure passwords - run a password audit every few weeks, and email users who have weak passwords.

    DDOS can be prevented with mod_dosevasive, or even BFD. There's also APF, which does a decent job.

    The sshd listening port can also be changed.

  3. #3
    Join Date
    Dec 2004
    A properly configured firewall allows only the ingress and egress traffic that you explicitly allow, nothing more and nothing less. This has several security implications. For one, if you give your users shell access, they can't run any server software on the machine that might grant an attacker a shell account, which they could then elevate to root via a local exploit, or just use to cause havoc from the user account. It may protect you from script-kiddie-type attacks that simply search for an exploit and try to install rootkit X through it. If RK X happens to listen on a port to allow the attacker to gain root, that traffic won't get through and the exploit will have 'failed'.

    I wouldn't say it's really absolutely necessary to have a firewall; a secure machine without one is about as secure as a secure machine with a firewall. However, as you add more users and more services, your machine has more and more possible points of entry. If you run a firewall, you mitigate some of the possible damage. Mostly it's just good practice... why would you *want* to deal with traffic that comes in on some random port? Why would you want to forward odd traffic coming from your machine?
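    What the reply above describes, a default-deny ruleset for a standalone webserver that admits only the inbound and outbound traffic explicitly listed, is shown here as an added nftables example; it is not from the thread or any of its posters. It assumes SSH on port 22, and the outbound allowances (DNS, NTP, and HTTP/HTTPS for package updates) are assumptions you would tailor to the host.

```nft
#!/usr/sbin/nft -f
# Added example (not from the original thread). Default-deny in both
# directions: anything not explicitly accepted below is dropped by the
# chain policy, including a listener a rootkit might open on a random port.
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        iif "lo" accept                          # loopback is always fine
        ct state established,related accept      # replies to our own traffic
        ct state invalid drop
        meta l4proto { icmp, icmpv6 } accept     # ICMPv6 is needed for IPv6 to work at all

        # The only services this host offers: SSH (assumed on 22) and HTTP.
        tcp dport { 22, 80 } ct state new accept

        # Rate-limited logging of what the policy is about to drop,
        # so a backdoor's inbound traffic shows up in the logs.
        limit rate 5/minute log prefix "nft-input-drop: "
    }

    chain forward {
        # A standalone webserver routes nothing.
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        type filter hook output priority 0; policy drop;

        oif "lo" accept
        ct state established,related accept      # sshd/apache replies to accepted sessions

        # Assumed egress needs: DNS, NTP, and package updates over HTTP/HTTPS.
        udp dport { 53, 123 } accept
        tcp dport { 53, 80, 443 } accept

        # Odd outbound traffic (e.g. a reverse shell to a random port) is logged, then dropped.
        limit rate 5/minute log prefix "nft-output-drop: "
    }
}
```

    Load it with `nft -f` from a console session rather than over SSH the first time, and check `nft list ruleset` and the kernel log for `nft-*-drop:` lines before trusting the egress list.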
