[Zope] Zope and Linux flavors
sean.upton@uniontrib.com
sean.upton@uniontrib.com
Tue, 16 Jan 2001 11:56:53 -0800
Perhaps another option (for those with a load-balanced server setup), use an
intel 7170 (not cheap, but cool) load-balaning appliance, and use the
loadbalancer as a router; the 7170 has the abilitiy to set rules for where
it sends the load to based upon expression-matching in the URL. This means
that you could intercept all "/manage*" URLs with the load balancer and
direct them to a box that returns nothing but error pages. I haven't done
this (I have a 7140, this model's lower-end sibling), but I have looked
extensively at the docs for this, and it might be an option for the cash
inclined.
Other than that, this doesn't get you out of securing your boxes. I would
recomend traditional security strategies (putting servers proxied behind a
DMZ), and a box-by-box audit of services using a port scanner. Other than
that, I can recommend one of two realistic strategies in dealing with Linux
(I dont' claim to be a security expert though) - either:
build the distro yourself (i.e. LFS, www.linuxfromscratch.org), and keep
tabs on what services are running, as well as monitoring the lwn
(www.lwn.net) security page every week, or...
Commit to a particular distribution/vendor and get on their security mailing
list post-haste. Apply all patches before putting the box out on the net at
large. And keep the box patched. Also, monitoring lwn's security page or
bugtaq isn't such a bad idea.
If you have the time to invest in it, consider a network intrusion-detection
system and tripwire to watch the filesystem changes on your boxes.
Sean
-----Original Message-----
From: Simon Coles [mailto:simon@nipltd.com]
Sent: Tuesday, January 16, 2001 9:50 AM
To: Ragnar Beer
Cc: zope@zope.org
Subject: Re: [Zope] Zope and Linux flavors
>Which Linux distributions are you using for running Zope and how
>easy it was for you to maximize security of your server?
We run a variety of RedHat 6.1, 6.2, and 7.0 and Debian 2.2, as well
as Solaris.
We apply all the latest updates, turn off services we don't use, and
proxy Zope through Apache. We then block all but port 80 at the
router. The servers are then firewalled off from the rest of the
network.
Simon
--
--------- My opinions are my own, NIP's opinions are theirs ----------
Simon J. Coles Email: simon@nipltd.com
New Information Paradigms Work Phone: +44 1344 753703
http://www.nipltd.com/ Work Fax: +44 1344 753742
=============== Life is too precious to take seriously ===============
_______________________________________________
Zope maillist - Zope@zope.org
http://lists.zope.org/mailman/listinfo/zope
** No cross posts or HTML encoding! **
(Related lists -
http://lists.zope.org/mailman/listinfo/zope-announce
http://lists.zope.org/mailman/listinfo/zope-dev )