Gunther Birznieks writes:
> If you had an Apache server and a POE app server, what would a cracker 
> have an easier time trying to get in?

Assuming up-to-date code, POE, for sure.

> Probably the Apache server. Once broken through the Apache server, the 
> cracker would have to figure out that it is indeed a POE server on the 
> other end, and then to figure out an exploit by just trying as many 
> things as they can. i.e., they'd have to do a lot of extra work rather than 
> utilizing a public knowledge exploit someone else discovered.

All public knowledge exploits of Apache are fixed within days if not
hours.  It's the private ones I worry about.  There have to be more
of these in POE than Apache.  The more eyes, the fewer the defects.

> How? Why would any firewall admin allow SSH access from the outside 
> world to poke progressively inwards through the protected zones?

When we want to get to the middle tiers, we go in through the front
ends.  You need passwords at every level.  I'm not sure what you mean
here.

> I think this is correct. But as most servers that are transactions have 
> mod_ssl, I kind of consider mod_ssl and other modules as being fairly 
> "core" to Apache.

They have to be configured to be exploited.

Rob
