Boston Linux & UNIX was originally founded in 1994 as part of The Boston Computer Society. We meet on the third Wednesday of each month at the Massachusetts Institute of Technology, in Building E51.

BLU Discuss list archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Discuss] apache problem

On Wed, 9 Jan 2019 20:58:38 +0000
"Anderson, Charles R" <cra at> wrote:

> It can prevent specific applications (process security contexts) from
> binding to specific sockets/ports, either for inbound or outbound
> connections.  External firewalls cannot do that to my knowledge.

Not as such but it's not needed with secure infrastructure:

My web server machine is in a DMZ. The web server machine runs only
the web server. This DMZ permits connections to the web server machine
on port 443 from the public network and on port 22 from the secure
management network. This DMZ permits outgoing connections to the
application server DMZ on a designated port. Everything else is
implicitly denied. Whatever sockets an attacker binds, whatever daemons
he starts, whatever connections he tries to make, they are all
implicitly isolated by the box he is in, a box that is outside of his
ability to control from the compromised machine.

Any attempts to make network connections will be detected by my IDS
(unusual behavior). It will log the attempts and notify me of a
problem. The IDS can activate countermeasures such as continuous
snapshotting of the machine to track the intruder and redirecting the
app server connection to a honeypot, or simply cutting the power to
prevent further activity.

It makes no sense to have SELinux running on my web server machine. It
accomplishes nothing not already accomplished innately by the
infrastructure. It increases complexity which means more opportunity
for mistakes or bugs to cause other problems.

SELinux makes sense in a mainframe environment where many different
services and users need access to many different resources. But then,
that's the environment SELinux was made for.

Rich Pieri

BLU is a member of BostonUserGroups
BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.

Valid HTML 4.01! Valid CSS!

Boston Linux & Unix /