Reverse proxy server setup and iptables

LuckyTaxi

Diamond Member
Dec 24, 2000
6,044
23
81
I may be doing this incorrectly, so if you have any suggestions, I'm open to it. So I installed a reverse proxy server on my LAN. It's not on the DMZ because it's coming from a blade running inside a virtual machine. Anyway, so I installed iptables and locked everything down from the outside coming in. Only port 80 is open from the outside. My question is, what if someone compromised the box in any way? I want to deny them access to our local LAN. However, just thinking about this, if someone got in through SSH or something, they could just disable iptables, no?

I was thinking of denying traffic from the proxy to our LAN, but is that irrelevant? I still need my LAN to talk to the proxy server since our back-end webservers need to communicate with this proxy server.
 

Crusty

Lifer
Sep 30, 2001
12,684
2
81
You don't have SSH open to the public, so the only way someone could get access to it is via your local LAN. You can always disable root logins from SSH and use sudo for your admin activities. You can also set up public/private key pairs with a passphrase; just make sure to lock down your private key ;)
 

LuckyTaxi
Yeah, that's what I thought. You just hear security guys say lock down your server as much as possible. I figure if I'm only opening port 80 (whether it's a hardware firewall or iptables), how else would someone be able to "hack" into the box?
 

Crusty
Originally posted by: LuckyTaxi
Yeah, that's what I thought. You just hear security guys say lock down your server as much as possible. I figure if I'm only opening port 80 (whether it's a hardware firewall or iptables), how else would someone be able to "hack" into the box?

Exploits!
 

LuckyTaxi
Originally posted by: Crusty
Originally posted by: LuckyTaxi
Yeah, that's what I thought. You just hear security guys say lock down your server as much as possible. I figure if I'm only opening port 80 (whether it's a hardware firewall or iptables), how else would someone be able to "hack" into the box?

Exploits!

So you're saying that through port 80 they can "log" into my box if Apache has a security hole?
If that's the case, I'd better lock it down some more on the OS level with iptables.
 

Crusty
Originally posted by: LuckyTaxi
Originally posted by: Crusty
Originally posted by: LuckyTaxi
Yeah, that's what I thought. You just hear security guys say lock down your server as much as possible. I figure if I'm only opening port 80 (whether it's a hardware firewall or iptables), how else would someone be able to "hack" into the box?

Exploits!

So you're saying that through port 80 they can "log" into my box if Apache has a security hole?
If that's the case, I'd better lock it down some more on the OS level with iptables.

It doesn't matter what the service is; you always have to consider there to be exploits in the service. A secure server takes a lot more into account than a simple firewall.

Another thing to consider is what to do if/when the server gets compromised and how you are going to be aware of that.

If you know by nature a program is full of security holes, you can always run it in a chroot environment. Also, try not to run public-facing services as root, because if they DO get a shell, the shell will have the privileges of the user running the exploited service....
 
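As an added example (not code posted by anyone in this thread), covering both the iptables layout LuckyTaxi describes in the opening post and Crusty's point about noticing when the box has been compromised: a default-deny ruleset that accepts HTTP from anywhere, allows SSH only from one admin host, lets the proxy open connections only to the back-end web servers, and logs and drops anything else the proxy tries to send into the LAN, plus a check that the live rules still match a saved baseline. The addresses, the back-end port 8080 and the file /etc/iptables.baseline are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not code from any post in this thread.
# Generates a default-deny iptables ruleset for a reverse proxy that must
# accept HTTP from the Internet but may only reach the back-end web servers
# on the LAN, and checks later that the ruleset has not been altered.
# All addresses and ports below are assumptions for illustration.
LAN_NET="${LAN_NET:-10.0.0.0/24}"           # the internal network to wall off
BACKENDS="${BACKENDS:-10.0.0.11 10.0.0.12}" # the only LAN hosts the proxy may contact
BACKEND_PORT="${BACKEND_PORT:-8080}"        # port the back ends listen on
ADMIN_HOST="${ADMIN_HOST:-10.0.0.5}"        # the only host allowed to SSH in

# Emit the ruleset in iptables-restore format so it can be reviewed (and
# kept in version control) before it is loaded.
gen_rules() {
    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT DROP [0:0]'
    # loopback, and replies belonging to connections already accepted
    printf '%s\n' '-A INPUT -i lo -j ACCEPT' '-A OUTPUT -o lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' '-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    # the single public service: HTTP from anywhere
    printf '%s\n' '-A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT'
    # SSH only from the admin host on the LAN, never from the Internet
    printf '%s\n' "-A INPUT -s $ADMIN_HOST -p tcp --dport 22 -m state --state NEW -j ACCEPT"
    # new outbound connections: only to the back ends on their service port ...
    for b in $BACKENDS; do
        printf '%s\n' "-A OUTPUT -d $b -p tcp --dport $BACKEND_PORT -m state --state NEW -j ACCEPT"
    done
    # ... and to nothing else on the LAN; log the attempt, because a compromised
    # proxy probing the LAN is exactly what you want to notice
    printf '%s\n' "-A OUTPUT -d $LAN_NET -j LOG --log-prefix \"proxy-to-lan: \""
    printf '%s\n' "-A OUTPUT -d $LAN_NET -j DROP"
    printf '%s\n' 'COMMIT'
}

# Compare two rulesets (the saved baseline and the current iptables-save
# output) by their rule lines, ignoring counters and ordering. Returns
# non-zero when rules were added, removed or flushed.
rules_intact() {
    expected=$(printf '%s\n' "$1" | grep '^-A' | sort)
    live=$(printf '%s\n' "$2" | grep '^-A' | sort)
    [ "$expected" = "$live" ]
}

# Load the rules (needs root), then record the baseline for later checks.
apply_rules() {
    gen_rules | iptables-restore && iptables-save > /etc/iptables.baseline
}

# Later, e.g. from cron: compare the live rules with the baseline.
check_rules() {
    rules_intact "$(cat /etc/iptables.baseline)" "$(iptables-save)"
}
```

Note the limits of the check: anyone who gets root on the proxy can flush the rules and alter the check alike, so run the comparison from a host the proxy cannot write to, and put the same proxy-to-LAN restriction on the LAN firewall as well, not only on the proxy itself.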

n0cmonkey

Elite Member
Jun 10, 2001
42,936
1
0
Originally posted by: LuckyTaxi
I may be doing this incorrectly, so if you have any suggestions, I'm open to it. So I installed a reverse proxy server on my LAN. It's not on the DMZ because it's coming from a blade running inside a virtual machine.

You're doing it wrong. You should not mix security domains like that.