From: GeorgeOsvald <geo...@ya...> - 2006-09-08 12:36:15
On Friday 08 September 2006 21:12, Philippe Schelté wrote:
> >> get list of sites showing SQL-ledger from google
> >
> > And that was exactly my point. That is what you have to avoid. There is
> > no reason why your SQL-LEDGER server should be visible to robots. Unless
> > you know exactly where to go or try to piggyback my connection you will
> > simply not find my server. I can connect to it from home or anywhere but
> > it is very not visible at all.
>
> And it would be much more helpful if you explain how to achieve this
> (robots.txt ?)

The safest way is to have your SL server on a dedicated web server. That way you can have nothing (not even robots.txt) in your web root directory and you can hide your SL installations in directories not normally accessible. There is a lot of things you can do and I could go through different setups for hours but generally it could look something like this:

I am assuming you have an internet connection with static IP. You do not have to do everything I am listing here. I am simply listing stuff that I can think of off the top of my head. It all depends how much hassle you are willing to go through.

Going from the top to bottom:

Internet
-------------------
1. Your DSL modem
- running standard firewall open 80 and 443 (all DSL modems do)
- running NAT - this will switch network class and redirect from port 80 to port 443 (or whatever SSL port you want)
- If you are really paranoid you can also redirect port 80 to a honey-pot system and catch the bastards there.
-------------------
2. You could stick a proxy server here restricting access to internal network. (and vice versa)
Again anyone who manages to get through the first firewall and NAT and tries to access port 80 or wrong directory gets redirected to honey-pot.
You can also create a DMZ between the proxy and the modem. Firewall has only open 443 at this point (unless you also need 22 - SSH in which case proxy is a waste of time)
Switch the network class again.
-------------------
3. Your SQL-SERVER.
Here you could have another firewall with open 443 (and 22 if you want)
Depending on your needs you can run Apache at runtime or fire it up from xinetd (or inetd). Ideally only run Apache in SSL mode. Do not allow access to user directories. Disable browsing. By using xinetd you can also again limit access to your apache server.
Install SQL-LEDGER into a unique directory on the server not the standard name that everybody uses. Also the alias in Apache httpd.conf should be unique. Place nothing (other than icon) in the server root directory and run SSL only in the directory that is used by SQL-LEDGER. You can further restrict access with .htaccess file but I think at this stage it would be a complete overkill and you might get timeout errors.

I am also running crontab on firewall log files and apache error files....and so on. In case of error or a new entry it gets printed out on my printer sitting on my desk.

If anyone tries to connect to your server unless they know the port number of your SSL, directory that it is running from and are authorised to access the network they get nothing. Robots will bounce off the first firewall or they get stuck in the honey-pot.

Anyway. That is just what I could think of. There is other stuff that can be done if you are extremely paranoid but it would require much more detailed explanation. As I said before it is not necessary to do all the steps mentioned. If anyone finds any crap in what I have just written feel free to correct me.

George
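The Apache side of step 3 (SSL only, no user directories, no directory listing, empty server root, non-default install path and alias) as an added httpd.conf fragment. This is example configuration written for this thread, not from George's setup or from the SQL-Ledger project's own shipped httpd.conf. It assumes Apache 2.4 syntax (`Require` instead of `Order/Allow`), mod_ssl and mod_userdir loaded, and SQL-Ledger running as Perl CGI; the alias name, install path, certificate paths and the `users/` and `spool/` subdirectory names are constructed placeholders to be replaced with the real ones.

```apache
# Added example configuration, not from the thread or the SQL-Ledger project.
# Apache 2.4 syntax assumed. All paths and the alias name are placeholders.

# Listen only on the SSL port. With no "Listen 80" the server never speaks
# plain HTTP; the 80 -> 443 redirect from step 1 happens on the modem/NAT.
Listen 443

# Give away as little as possible in headers and error pages.
ServerTokens Prod
ServerSignature Off

# Weak default: "UserDir public_html" exposes https://host/~user/ paths.
# Hardened: turn mod_userdir off entirely.
UserDir disabled

# Deny everything by default; every served directory is opened explicitly.
# AllowOverride None also means .htaccess files are never consulted.
<Directory />
    Options None
    AllowOverride None
    Require all denied
</Directory>

<VirtualHost *:443>
    SSLEngine on
    # Placeholder certificate and key locations.
    SSLCertificateFile    /etc/ssl/certs/sl-server.crt
    SSLCertificateKeyFile /etc/ssl/private/sl-server.key

    # Server root holds nothing but favicon.ico: no index page, no listing.
    DocumentRoot /srv/www/empty-root
    <Directory /srv/www/empty-root>
        Options -Indexes -FollowSymLinks
        AllowOverride None
        Require all granted
    </Directory>

    # SQL-Ledger installed under a non-default path and served under a
    # non-default alias (placeholder "acct-7kq3") instead of /sql-ledger/.
    Alias /acct-7kq3 /srv/app/sl-7kq3
    <Directory /srv/app/sl-7kq3>
        # Refuse the request unless it arrived over SSL.
        SSLRequireSSL
        Options -Indexes -FollowSymLinks +ExecCGI
        AllowOverride None
        AddHandler cgi-script .pl
        Require all granted
    </Directory>

    # Per-user data and spool files live under the install directory but
    # must never be fetchable over the web (subdirectory names assumed;
    # check the layout of the installed version).
    <Directory /srv/app/sl-7kq3/users>
        Require all denied
    </Directory>
    <Directory /srv/app/sl-7kq3/spool>
        Require all denied
    </Directory>
</VirtualHost>
```

Before enabling the configuration, `apachectl configtest` confirms the directives parse, and a request to the old default path (for example `/sql-ledger/`) should return 404 while `/acct-7kq3/` over plain HTTP gets no answer at all because nothing listens on port 80. Running Apache from xinetd, as the post also suggests, is an additional layer outside this fragment: the `only_from` restriction in the xinetd service entry limits which source addresses ever reach Apache.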