Login, Security, and the like

Johnm
Forum Contributor
Posts: 344
Joined: Mon May 13, 2002 12:05 pm
Location: Michigan, USA

Login, Security, and the like

Post by Johnm »

Hi all,
I am in the midst of moving five of our sites on to an LVS cluster. This creates some new needs for security due to the fact that some of the sites are internal and some are external. I am running Redhat Advanced Server 2.1 with Piranha handling the LVS. I am running Apache 1.3.27 with PHP 4.2.3. Here is what I am trying to do:

The internal sites cannot be accessible externally... as it stands a simple entry into a "hosts" file will probably allow someone to enter.

If a user bookmarks a page they can re-access that page without logging in. It really will not do them much good, but it is a security issue nonetheless.

... Anyone have any suggestions?

John M
BDKR
DevNet Resident
Posts: 1207
Joined: Sat Jun 08, 2002 1:24 pm
Location: Florida

Post by BDKR »

One idea may be to have all internal web sites served on a different port, say port 7483 for example, then have your firewall not allow traffic in on that port.

However, the cluster managers, or whatever they're called using Piranha, are forwarding requests to the appropriate servers based on what? The reason I ask is because in the setup we use, using Turbo Cluster 6, the cluster manager forwards a request to the correct server based on the port it's coming in on. Port forwarding. So, if the cluster manager were to see incoming traffic on port 5801 (assuming it got past the firewall), it would do nothing with it as there are no services it recognizes using that port.

Therefore, if internal web sites listen at a different port, they'll never see traffic from the outside world.

Another possibility. I don't know if it's possible, but using .htaccess, is it possible to only allow access from particular networks? So if your internal LAN network is 192.168.52.0, then set .htaccess to only allow traffic for addresses on that network.

Ultimately, there are a ton of options here, but much of it depends on how the LVS cluster managers are setup to route traffic through the system.
> If a user bookmarks a page they can re-access that page without logging in. It really will not do them much good but it is a security issue none the less.

Couldn't (or shouldn't) this depend on things like the data that's passed to the page when the user accesses it? With my sites, some joe could log in, then bookmark, only to find that when he tries to get in later, his session is no longer valid, and therefore sees a "Go login" message of some sort.

Cheers,
BDKR
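The following is an added example, not code from either poster, covering both of John's requirements (internal sites unreachable from outside, bookmarked pages unusable without a login) and BDKR's two suggestions (restricting by source network, and letting a stale session bounce the visitor to the login form). It is a single include file for PHP 4.2-era code: `session_start()`, `$_SESSION`, `$_SERVER` and `ip2long()` all exist at that version. The network list, the `user_id` session key and the `/login.php` path are assumptions; the LAN range is BDKR's 192.168.52.0 example.

```php
<?php
// auth_gate.php -- added example for this thread, not code from either poster.
// Include it at the top of every page that must not be reachable via a
// bookmark without a live login and, for internal-only sites, from outside
// the LAN. The network list and session key name below are assumptions.

// Constructed sample: the LAN range is the 192.168.52.0 example from the
// reply above, plus the server itself for local health checks.
$INTERNAL_NETWORKS = array('192.168.52.0/24', '127.0.0.1/32');

// Return true if dotted-quad $ip lies inside the IPv4 CIDR block $cidr.
function ip_in_cidr($ip, $cidr)
{
    $parts = explode('/', $cidr);
    $net   = $parts[0];
    $bits  = isset($parts[1]) ? (int) $parts[1] : 32;

    $ipLong  = ip2long($ip);
    $netLong = ip2long($net);
    // ip2long() returns false (PHP 5+) or -1 (PHP 4) for a malformed address;
    // treat either as "not on the network" so garbage never passes the gate.
    if ($ipLong === false || $ipLong == -1 || $netLong === false || $netLong == -1) {
        return false;
    }
    if ($bits <= 0) {
        return true;                 // /0 matches everything
    }
    $mask = -1 << (32 - $bits);     // ones in the network bits, zeros in the host bits
    return (($ipLong & $mask) == ($netLong & $mask));
}

// Refuse the request unless the client address is on one of $networks.
// Only REMOTE_ADDR is trusted: LVS (NAT or direct routing) hands the real
// source address to the web server, whereas X-Forwarded-For is client-supplied.
function require_internal_network($networks)
{
    $client = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '';
    foreach ($networks as $cidr) {
        if (ip_in_cidr($client, $cidr)) {
            return;
        }
    }
    header('HTTP/1.0 403 Forbidden');
    exit('Forbidden');
}

// Redirect to the login form unless the session carries a logged-in user.
// A bookmarked URL therefore works only while the session that was created
// at login is still alive; afterwards the visitor lands on $loginUrl.
function require_login($loginUrl)
{
    session_start();
    if (empty($_SESSION['user_id'])) {   // assumed key set by login.php on success
        header('Location: ' . $loginUrl);
        exit;
    }
}

// Typical use at the top of an internal page (before any output is sent,
// since both checks rely on HTTP headers):
require_internal_network($INTERNAL_NETWORKS);
require_login('/login.php');
?>
```

The PHP address check is defence in depth, not the primary control: the firewall or LVS rule BDKR describes should drop outside traffic first, and Apache 1.3's mod_access answers the .htaccess question directly with `Order deny,allow`, `Deny from all` and `Allow from 192.168.52.0/24` (the directory needs `AllowOverride Limit` for that to take effect in .htaccess). The hosts-file trick John mentions only changes which address a name resolves to; a source-network check on the server side is unaffected by it.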