From owner-freebsd-isp Tue May 28 15:23: 2 2002
Delivered-To: freebsd-isp@freebsd.org
Received: from farley.org (dsl-64-194-106-77.telocity.com [64.194.106.77]) by hub.freebsd.org (Postfix) with ESMTP id 717B837B400 for ; Tue, 28 May 2002 15:22:50 -0700 (PDT)
Received: from thor.farley.org (rsqa8hu3drmkw216@thor.farley.org [192.168.1.5]) by gw.farley.org (8.12.3/8.12.3) with ESMTP id g4SMMnvF095188 for ; Tue, 28 May 2002 17:22:49 -0500 (CDT) (envelope-from sean-freebsd@farley.org)
Date: Tue, 28 May 2002 17:22:49 -0500 (CDT)
From: Sean Farley
X-X-Sender: sean@thor.farley.org
To: freebsd-isp@freebsd.org
Subject: Web site security questions
Message-ID: <20020528171331.I87801-100000@thor.farley.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-isp@FreeBSD.ORG
Precedence: bulk
List-ID: 
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe: 
List-Unsubscribe: 
X-Loop: FreeBSD.org

I am setting up a commerce site on FreeBSD, but I want to go over my ideas
for making it as secure as possible while still usable.  Here are my
current notes on the security setup:

------------------------------
Steps
-----
1) Run main machine with jails for applications.
   - Only allow connections via SSH from designated IPs.

2) Run database within jail on non-routable IP.
   - Turn off all services except for the database.
   - Only accept connections from the other jails using the configuration
     file.
   - Only allow connections to the database from the other jails using
     the firewall.

3) Run store within different jail.
   - Turn off all services except for the web server and SSH.
   - Only allow connections via SSH from designated IPs.

4) Apply, from main machine, 'chflags -R schg' (immutable) to:
   - /usr/local/pgsql/data/*.conf
   - /usr/local/etc/apache/
   - /usr/local/www/store/

   This should prevent anyone from altering the secure flow between the
   database and the store.

5) Change code to encrypt the credit card numbers with a public key.

6) Change code to decrypt the credit card numbers via an encrypted key
   stored within the database.

7) Change code to prompt for a password whenever a credit card number is
   pulled from the database.  This will take a bit of work to make this
   convenient.

Weaknesses
----------
1) The main machine is compromised as root.  This would allow a cracker
   to change flags and therefore any code.

2) The database jail is compromised.  As root or the database user, a
   cracker would be able to stop the database server and create their own
   copy of the server for the web application to connect against.  With
   this the cracker will be able to log all queries.
------------------------------

Does this look like it would be secure enough?  Is there any advice on
what I can do to make this scheme better?

Sean
-----------------------
sean-freebsd@farley.org


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-isp" in the body of the message
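Steps 5 through 7 of the post describe an envelope scheme: the store jail holds only a public key, ciphertext and a passphrase-wrapped private key sit in the database, and an operator types the passphrase whenever a card number has to come back out. The Go program below is an added example of that design written for this archive page; it is not Sean's code and not part of any FreeBSD port. It assumes the card number fits a single RSA-OAEP block (a 16-digit PAN does with a 2048-bit key), derives the wrapping key with a small standard-library PBKDF2-HMAC-SHA256 (the iteration count, the test PAN and the passphrase are constructed placeholders), and, as the failure modes of step 6 require, rejects a wrong passphrase or a tampered key blob through the AES-GCM tag instead of producing a garbage key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"fmt"
)

const pbkdf2Iterations = 100000 // assumption: size for the machine that decrypts

// pbkdf2SHA256 derives one 32-byte block per RFC 8018 using only crypto/hmac,
// so the example stays on the Go standard library.
func pbkdf2SHA256(pass, salt []byte, iter int) []byte {
	mac := hmac.New(sha256.New, pass)
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1}) // INT(1): block index
	u := mac.Sum(nil)
	out := append([]byte(nil), u...)
	for i := 1; i < iter; i++ {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		for j := range out {
			out[j] ^= u[j]
		}
	}
	return out
}

func gcmFromPassphrase(pass string, salt []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(pbkdf2SHA256([]byte(pass), salt, pbkdf2Iterations))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// NewMerchantKey creates the pair: the public half is deployed to the store
// jail (step 5); the private half only ever leaves memory via WrapPrivateKey.
func NewMerchantKey(bits int) (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, bits)
}

// WrapPrivateKey encrypts the private key under a passphrase (step 6). The
// blob layout is salt(16) || nonce(12) || AES-256-GCM ciphertext, and it is
// safe to store in the database: without the passphrase it reveals nothing.
func WrapPrivateKey(priv *rsa.PrivateKey, pass string) ([]byte, error) {
	hdr := make([]byte, 16+12)
	if _, err := rand.Read(hdr); err != nil {
		return nil, err
	}
	aead, err := gcmFromPassphrase(pass, hdr[:16])
	if err != nil {
		return nil, err
	}
	nonce := append([]byte(nil), hdr[16:]...)
	return aead.Seal(hdr, nonce, x509.MarshalPKCS1PrivateKey(priv), nil), nil
}

// UnwrapPrivateKey is the single path back to plaintext card numbers and is
// where the operator is prompted for the passphrase (step 7). A wrong
// passphrase or a modified blob fails the GCM tag check.
func UnwrapPrivateKey(blob []byte, pass string) (*rsa.PrivateKey, error) {
	if len(blob) < 28 {
		return nil, errors.New("wrapped key too short")
	}
	aead, err := gcmFromPassphrase(pass, blob[:16])
	if err != nil {
		return nil, err
	}
	der, err := aead.Open(nil, blob[16:28], blob[28:], nil)
	if err != nil {
		return nil, errors.New("wrong passphrase or tampered key blob")
	}
	return x509.ParsePKCS1PrivateKey(der)
}

// EncryptCard runs in the store jail with the public key only (step 5).
func EncryptCard(pub *rsa.PublicKey, pan string) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, []byte(pan), []byte("card"))
}

// DecryptCard is called only after UnwrapPrivateKey succeeded.
func DecryptCard(priv *rsa.PrivateKey, ct []byte) (string, error) {
	pt, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct, []byte("card"))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

func main() {
	priv, err := NewMerchantKey(2048)
	if err != nil {
		panic(err)
	}
	wrapped, _ := WrapPrivateKey(priv, "operator-passphrase-placeholder")
	ct, _ := EncryptCard(&priv.PublicKey, "4111111111111111") // constructed test PAN
	fmt.Printf("database holds %d-byte ciphertext and %d-byte wrapped key\n", len(ct), len(wrapped))
	if _, err := UnwrapPrivateKey(wrapped, "wrong"); err != nil {
		fmt.Println("wrong passphrase:", err)
	}
	key, _ := UnwrapPrivateKey(wrapped, "operator-passphrase-placeholder")
	pan, _ := DecryptCard(key, ct)
	fmt.Println("recovered:", pan)
}
```

The split matters for the second weakness in the post: an attacker who replaces the database server and logs every query sees only OAEP ciphertexts and the wrapped key, and the passphrase never crosses the store-to-database link because decryption happens wherever the operator is prompted, not in the web path. Wrapping with a random salt per blob and a random GCM nonce per wrap means re-wrapping after a passphrase change produces an unrelated blob.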