Matt Walkowiak wrote:
OH.... here might be a good way to do it... Can I put a rule in the OUTPUT
chain? This rule would only allow port 80 from the LD to the RealServers -
when the RealServers respond, they would be using the FORWARD chain, right?
That would prevent my Firewall/LD box from responding to anyone talking to
it on port 80 - so even if LVS gets subverted, I'm still protected. Does
that logic hold?
Nope, if you're hacked they can just change your firewall rules...
One of my clients got hacked and the only way they found out was because
the hacker (possibly a script kiddy) tried to flush the iptables rules,
therefore breaking all of the NAT rules and therefore taking down the web site...
How did he get in? He broke into IIS through a common bug, installed a
trojan, used SSH to get from the web server to the firewall... etc. etc.
Even if you put the LVS behind a firewall (which I prefer) you still
need to open port 80... Is it secure? Yes, I think so; hackers tend to
concentrate on the application, i.e. Apache or IIS, these days; it's much easier.
One other gotcha: if your fallback server is localhost you are
obviously exposing your local Apache installation!
--
Regards,
Malcolm Turnbull.
Crocus.co.uk Ltd
01344 629661
07715 770523
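The anecdote above (the intrusion was only noticed because the attacker flushed the iptables rules) suggests a cheap check that neither the original mail nor LVS itself provides: periodically compare the live ruleset against a known-good dump and raise an alert on any difference. The script below is an added example, not code from the thread. It assumes a baseline saved earlier with `iptables-save > /etc/iptables.baseline` (hypothetical path) and a cron job running it as root; the three sample dumps, the 10.0.0.0/24 real-server network and the rule lines are constructed so the demo runs offline without iptables.

```shell
#!/bin/sh
# Added example (not from the original mail or the LVS project): detect
# tampering with the netfilter ruleset, e.g. an intruder running
# `iptables -F`, by comparing the live iptables-save output with a
# known-good dump. Assumed (hypothetical) production setup:
#   iptables-save > /etc/iptables.baseline      # once, when the rules are right
#   iptables-save > /tmp/live; rules_drift /etc/iptables.baseline /tmp/live
# run from cron as root. The dumps below are constructed sample data.

# Drop comment lines and the [packets:bytes] counters, which change on every
# dump, so only the chain policies and rules are compared, in their order
# (order matters in iptables, so the output is deliberately not sorted).
normalise_rules() {
    sed -e '/^#/d' \
        -e 's/^\[[0-9][0-9]*:[0-9][0-9]*\] //' \
        -e 's/ \[[0-9][0-9]*:[0-9][0-9]*\]//g' "$1"
}

# rules_drift BASELINE_FILE CURRENT_FILE
# Exit 0 when the rulesets match, 1 (printing the diff) when they differ.
rules_drift() {
    b=$(mktemp) || return 2
    c=$(mktemp) || { rm -f "$b"; return 2; }
    normalise_rules "$1" > "$b"
    normalise_rules "$2" > "$c"
    if cmp -s "$b" "$c"; then
        rm -f "$b" "$c"
        return 0
    fi
    echo "ALERT: firewall ruleset differs from baseline:"
    diff "$b" "$c"
    rm -f "$b" "$c"
    return 1
}

# Constructed baseline in the spirit of the thread: the director only
# forwards port 80 to the real servers (10.0.0.0/24, hypothetical) and
# accepts their replies; nothing else is allowed through.
write_baseline() {
    cat > "$1" <<'EOF'
# Generated by iptables-save (constructed sample)
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -d 10.0.0.0/24 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -s 10.0.0.0/24 -p tcp -m tcp --sport 80 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
COMMIT
EOF
}

# Same rules, only the counters have moved: must NOT raise an alert.
write_current_intact() {
    cat > "$1" <<'EOF'
# Generated by iptables-save (constructed sample, later dump)
*filter
:INPUT DROP [1234:567890]
:FORWARD DROP [99:8765]
:OUTPUT DROP [12:345]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -d 10.0.0.0/24 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -s 10.0.0.0/24 -p tcp -m tcp --sport 80 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
COMMIT
EOF
}

# What the box looks like after `iptables -F`: chains empty, policies kept.
write_current_flushed() {
    cat > "$1" <<'EOF'
# Generated by iptables-save (constructed sample, after a flush)
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
COMMIT
EOF
}

# run_scenario WRITER: compare the baseline with the dump WRITER produces.
run_scenario() {
    base=$(mktemp); cur=$(mktemp)
    write_baseline "$base"
    "$1" "$cur"
    rules_drift "$base" "$cur"
    rc=$?
    rm -f "$base" "$cur"
    return $rc
}

run_scenario write_current_intact && echo "intact ruleset: no drift"
run_scenario write_current_flushed || echo "flushed ruleset: drift detected"
```

Note that this only catches the attacker's clumsy moves; someone who has root on the director can just as easily rewrite the baseline file, so the known-good dump (or its checksum) belongs on a separate host that pulls the live dump over SSH rather than on the firewall itself.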