RE: [Zope] Zope and Linux flavors
Perhaps another option (for those with a load-balanced server setup), use an Intel 7170 (not cheap, but cool) load-balancing appliance, and use the load balancer as a router; the 7170 has the ability to set rules for where it sends the load to based upon expression-matching in the URL. This means that you could intercept all "/manage*" URLs with the load balancer and direct them to a box that returns nothing but error pages. I haven't done this (I have a 7140, this model's lower-end sibling), but I have looked extensively at the docs for this, and it might be an option for the cash inclined.

Other than that, this doesn't get you out of securing your boxes. I would recommend traditional security strategies (putting servers proxied behind a DMZ), and a box-by-box audit of services using a port scanner.

Other than that, I can recommend one of two realistic strategies in dealing with Linux (I don't claim to be a security expert though) - either: build the distro yourself (i.e. LFS, www.linuxfromscratch.org), and keep tabs on what services are running, as well as monitoring the lwn (www.lwn.net) security page every week, or...

Commit to a particular distribution/vendor and get on their security mailing list post-haste. Apply all patches before putting the box out on the net at large. And keep the box patched. Also, monitoring lwn's security page or Bugtraq isn't such a bad idea.

If you have the time to invest in it, consider a network intrusion-detection system and tripwire to watch the filesystem changes on your boxes.

Sean

-----Original Message-----
From: Simon Coles [mailto:simon@nipltd.com]
Sent: Tuesday, January 16, 2001 9:50 AM
To: Ragnar Beer
Cc: zope@zope.org
Subject: Re: [Zope] Zope and Linux flavors

Which Linux distributions are you using for running Zope, and how easy was it for you to maximize security of your server?

We run a variety of RedHat 6.1, 6.2, and 7.0 and Debian 2.2, as well as Solaris. We apply all the latest updates, turn off services we don't use, and proxy Zope through Apache. We then block all but port 80 at the router. The servers are then firewalled off from the rest of the network.

Simon

--
--------- My opinions are my own, NIP's opinions are theirs ----------
Simon J. Coles                Email: simon@nipltd.com
New Information Paradigms     Work Phone: +44 1344 753703
http://www.nipltd.com/        Work Fax: +44 1344 753742
=============== Life is too precious to take seriously ===============

_______________________________________________
Zope maillist - Zope@zope.org
http://lists.zope.org/mailman/listinfo/zope
** No cross posts or HTML encoding! **
(Related lists -
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope-dev )

participants (1)
-
sean.upton@uniontrib.com