Outline · [ Standard ] · Linear+ WANTED: Networking & Security gurus!, COME ONE, COME ALL

[Boss429]

Alright you networkers!

I would like all your help! I am going to petition my director, and boss actually, for our schools Technology Area. I want a PHP server. Which I can get no prob if it is not LIVE.

After talking to some of the other UTS people, it si a general agreement for me to build the "prototope" showing look what i learned! Can we have ti live now?


I believe i have enough spare parts at my disposal.... most ly older equip.


I can perobably get an Old P3 or p2 for the system, hopefully 256mb ram but ithink most have 128.

HD... well i have not idea on the size which at the moment is not that important.

But here is what i would like to do:

Win200 server and Linux(unix or whatever i get as recommends form youguys) in a dual boot.

I like Apache, but with internet secutiory, ignoring or not using somethnig is not a way to do things.

So things I will neeD:
(LIST TO BE UPDATED)

* 2 O/s linux, unix, what ever and winskserv (i have that)
* system
* Apache
* Mysql
* php

what am i missing?

And I would like the help of anyone seasoned to the the drawbacks, loop holes, and flaws in this set up, and how to fix them to step up and give a hand.

School well the got rid of PHP on the main system cause of a hacker called... badtiger, or redtiger who brought down the main system over the summer, and they are very hestiant.. rather deadset against having serverside scripting and the "i" server front end cause that area is the students, shared DIRs, the ftp, and mail server.


So If I can prove to them it is looked down, though if it were to go live, they would make sure there was no .. other system acess availible.

There is currently a comupter i can use that is already setup witn win2k serv.. onlkhy mabye installed two weeks ago and is only use for the netwokring for dummies course.. has two NICS, cause ti was acting as a router/bridge between teh two subnets. (madeup)

Bear, DK, Pimps, Rad, anyone, even songi, though maybe at the end cause he causes things to spark, flame and rendered useless.

thanks gents!

This post has been edited by Boss429: Dec 1 2004, 06:58 PM

[optomos]

What about fault tolerance?

[DutchKid]

I assume that you've already locked down all the internet ports that are not needed for it to function correctly. So that leaves the software that has access to the internet and is visible from the outside open. Patch where needed, check google for msgs about security, specifically for the software. Keep things up to date, but not TOO much up to date if you get me...

To prove that it's good, keep it running for a few weeks, connected to the net, then advertise the server. If you keep it running it's good :D

[Sn_ake]

Just to add to the point concerning firewalls, I asume the server will be hosting only PHP, will the server be used internaly or is it to be purely external facing?

If it is going to be external facing i would suggest that you place it on a dmz if you have the resources to do so, and again lock down all the ports aswell as services running on the sys which will not be used. Then you can just focus on building up the armour on the areas which will be exposed.

Also if the network which this server will be running on has a decent router that supports ACL's then it might be worth setting up some decent ACL's, this will provide a bit of security, but it all adds up.

For choice of OS i would go with depending on your linux knowlage Debian, do a very minimal install no x server, then start installing the bit's you need, SSH, Apache ect... keep everything to a bare min, this will help with both performance and security. If you can run ok with out a dual boot then stay with linux as there will be less overhead, allowing you to run older cheaper hardware.

How ever if you have to have windows installed too, i would say go with 2k. 2003 enterprise edition would be nice but you sys spec will have to be a fair bit higher to cope with all the overhead, and to be honset would probably be overkill, all depends realy on what featres you want and need.

Look at what your going to be doing with php and what server load you will be expecting, this will play heavily into the selection of hardware giving you a more stream lined sys wich will be aimed to do the job propperly.

PHP side of stuff, theres been some good descusions knocking around concerning security, i will see if i can dig up some of the links i was scanning over, www.php.com is well worth a good reading through, also get your self on a decent mailing list for php.

Also find out what kind of scurity is being used on the network and have a look into ways of using it to better secure your system.

Other points to look out for are such things as delegation, will you be needing for the server to impersinate users for certain code based on the users credentials. If so lookinto to Kerberos, but this is well worth doing anyhow, as Kerberos works through more layers of an application and provides less server work when it comes to checking a users credentials. There is also a number of other benifs to kerberos but i will not go through them now.

Keep good logs and have a good system for monitoring them, someting along the lines of having the logs periodicly mailed to the admin for example. This will help you pick up on possible attack atempts as well as identifying where the breach was if you ever have one.

Last point before i get back to doing some work, when you sys is up and running during the development and deployed try breaking in to the system, give it a good testing.