  1. #1


    security of internally hosted web server

    Following on from the post by beeswax...

    I wish to host internally a server running Moodle. I've no problem getting LAMP and Moodle installed and working (already have a Windows box running Moodle and LAMP box on which I'm playing with Typo3 for our web site).

    My query is over the security of making a LAMP box visible from outside whilst still allowing the web server to see our AD for authentication.

    I know it's technically possible and was all up for doing it today whilst our tech support company was in on their contracted day, but they put some doubts into my mind.

    My understanding is that if the server is connected to the DMZ and the (hardware) firewall is configured correctly, nothing should be able to get through to the main part of the network and only allowed traffic (port 80) will get to the web server.

    Techie chap's persuasion was that if someone managed to get control of the LAMP machine they may be able to get into the network.

    Now, the big problem is that this stuff is beyond my knowledge and I can't speak authoritatively about it AND tech support company don't support Linux (or even Apache on any platform). So they are likely to try and convince me it can't be done easily or securely.

  2. #2

    webman

    Re: security of internally hosted web server

    This thread might be of interest to you.

  3. #3
    DMcCoy

    Re: security of internally hosted web server

    Surely this will all depend on how it binds to the directory? I have set up stunnel to encrypt my LDAP queries and send them over SSL instead to the DC (at least I think it's working). Also done the same for the POP3 account on the helpdesk server.

  4. #4


    Re: security of internally hosted web server

    Quote Originally Posted by webman:
    "This thread might be of interest to you."

    Thanks, that was the thread I was referring to at the start. The difference here though is that I need the web server to have some access through to AD.

    If nothing was allowed to get from the web server in, then I would have no worries doing it.

    I'll look into the SSL method. Any other ideas?

  5. #5
    DMcCoy

    Re: security of internally hosted web server

    Oh, I also force SSL on most web applications now, due to the AD links; I don't want any passwords moving around in clear text.

  6. #6



    Re: security of internally hosted web server

    Quote: "My understanding is that if the server is connected to the DMZ and the (hardware) firewall is configured correctly nothing should be able to get through to main part of the network and only allowed traffic (port 80) will get to the web server."

    Yes, you can allow the LDAP query through the firewall, though, by port forwarding 389 to the DC; the firewall config should allow you to make sure only the LAMP server is connecting. You'd have to do the same thing if you were running Windows in the DMZ.

    Quote: "Techie chap's persuasion was that if someone managed to get control of the LAMP machine they may be able to get into the network."

    Same argument with IIS.

  7. #7
    sahmeepee

    Re: security of internally hosted web server

    If someone does take control of your LAMP box, they could (in theory) be able to collect the passwords that are passed into the application despite any SSL encryption.

    Assuming they can only hit the web server's external-facing port 80, they would probably have to know an exploit in either Apache or the Moodle application code. That would probably get them access on a fairly limited account, but one which has access to the passwords after they leave the protection of SSL and before Moodle sends them through the internal firewall to AD (securely or not).

    That said, if you keep Apache and Moodle fully patched and up-to-date you are doing about as much as you can.

  8. #8

    Geoff

    Re: security of internally hosted web server

    You could use the same technique as our RBC. Have your web server on your LAN and have a reverse proxy in your DMZ. That way only port 80 access is required but you still get the separation you require.
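
Added example, not part of any post in the thread: a small first-match firewall model comparing the two layouts suggested above (the LDAP pinhole from post #6 and the reverse proxy from post #8), showing which LAN services a compromised DMZ host could still reach. All addresses, host names and the probed port list are constructed assumptions.

```python
# Added example: first-match firewall model for the two layouts in the thread.
# Every address below is a constructed placeholder, not taken from the thread.
from ipaddress import ip_address, ip_network

ANY = ip_network("0.0.0.0/0")
INTERNET = ip_address("203.0.113.7")     # an outside client
DMZ_HOST = ip_address("192.168.50.10")   # LAMP box (A) or reverse proxy (B)
OTHER_DMZ = ip_address("192.168.50.11")  # a different DMZ machine
DC = ip_address("10.0.0.5")              # AD domain controller
LAN_WEB = ip_address("10.0.0.20")        # web server when it sits on the LAN
FILE_SRV = ip_address("10.0.0.30")       # some other LAN host

def host(ip):
    return ip_network(f"{ip}/32")

# Rule = (action, source net, destination net, TCP port or None for any).
# Layout A (post #6): LAMP box in the DMZ, LDAP allowed to the DC only.
LAYOUT_A = [
    ("allow", ANY, host(DMZ_HOST), 80),
    ("allow", host(DMZ_HOST), host(DC), 389),
    ("deny", ANY, ANY, None),
]
# Layout B (post #8): reverse proxy in the DMZ, web server on the LAN.
LAYOUT_B = [
    ("allow", ANY, host(DMZ_HOST), 80),
    ("allow", host(DMZ_HOST), host(LAN_WEB), 80),
    ("deny", ANY, ANY, None),
]

def allowed(rules, src, dst, port):
    """First matching rule wins; no match at all means deny."""
    for action, src_net, dst_net, rule_port in rules:
        if src in src_net and dst in dst_net and rule_port in (None, port):
            return action == "allow"
    return False

def lan_exposure(rules, ports=(22, 80, 389, 445, 3389)):
    """LAN (host, port) pairs the DMZ host can open if it is compromised."""
    targets = (DC, LAN_WEB, FILE_SRV)
    return {(str(t), p) for t in targets for p in ports
            if allowed(rules, DMZ_HOST, t, p)}

if __name__ == "__main__":
    print("Layout A exposure:", lan_exposure(LAYOUT_A))
    print("Layout B exposure:", lan_exposure(LAYOUT_B))
```

In both layouts exactly one LAN service stays reachable from the DMZ host; the difference is whether that service is the domain controller's LDAP port or the internal web server's port 80.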
