getting to www servers from inside where they have an Internal IP
Charles Steinkuehler
charles at steinkuehler.net
Mon Jan 30 10:32:07 CST 2006
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Monty J. Harder wrote:
> On 1/30/06, Jeremy Fowler <JFowler at westrope.com> wrote:
>>
>> Well, I think the only security reason to run an http server on a port
>> other than 80 is to hide it from the general public. Port scanners can get
>> around this hurdle quite easily though. Plus, the fact that you SNAT port 80
>> to that
>
> "Security through obscurity" isn't. The obscurity just makes it difficult
> for you to administer it. Put the stupid thing on port 80, do the split DNS
> that serves the internal IP to the internal machines, and if the internal IP
> must be changed, change it in DNS. What's the big deal?
The only thing I saw in the original post that would preclude running on
port 80 was the desire to run as a non-root user.
This is kind of a moot point, however, as most any distribution will run
Apache (or the webserver of your choice) with non-root permissions. The
server gets launched as root only so it can start listening on port 80,
then immediately drops permissions and runs as a different user (account
typically specific to distribution and/or local configuration...debian
uses www-data).
- --
Charles Steinkuehler
charles at steinkuehler.net
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQFD3j+HLywbqEHdNFwRAl4pAJ9k8YjvPtUhGrvMRWWNDRbIUXDpwQCg7Drv
5Wn8w/SlR3/rDe587zl6GFo=
=1YAi
-----END PGP SIGNATURE-----
More information about the Kclug
mailing list