Hi All,

Thanks to all for your advice.
I will think about it and find a way about those things. I was thinking that due to chroot, even if apache got broken into, one could not take over the rest. Anyway there are some practices that I did not use, but I'm new to those considerations.

Thanks,

On Thursday 26 February 2009 at 23:13 +0100, Ingo Schwarze wrote:
> Hi Jean-Francois,
>
> Jean-Francois wrote on Wed, Feb 25, 2009 at 10:08:22PM +0100:
>
> > I actually built the following system :
> > - OpenBSD running on a standard AMD platform
> > - This box is actually used as firewall
> > - This box is also used as webserver
> > - This box is finally used as local shared drives via NFS file
> >   but only open to subnetwork through PF
>
> It's hard to tell what this is supposed to say, but in case you intend
> to use the same physical machine as a firewall, as a public webserver
> and as a private NFS server, that's almost certainly a very bad idea
> and not at all secure.
>
> Never put your private NFS server on the same host as either your
> firewall or your webserver. Never. If you don't own and can't
> afford enough hardware to physically separate the NFS server
> from the firewall and the webserver, do not use NFS at all.
> If your network is so small that you consider putting everything
> on one single server, just use some old 200MHz i386 for the firewall
> and some old 500MHz i386 for the NFS server. People will almost
> certainly give you such hardware for free, at least in Europe.
> That's probably sufficient, and lets you use your shiny new amd64
> box as the webserver.
>
> NFS is not designed with security in mind. It transmits data
> unencrypted. It has no real authentication and no real access
> control. It is designed for strictly private networks with
> no external access that no potential attackers have access to.
>
> If you can afford it, also separate the webserver from the
> firewall. Webservers tend to run lots of crappy software,
> and thus, they tend to get hacked. Well, perhaps that's
> somewhat mitigated by running the webserver chrooted, but
> anyway, it is clearly better to make the firewall a three-leg
> router and physically separate the network segment containing the
> webserver (DMZ) and the internal NFS server (private intranet).
>
> > Assuming that subnetwork computers might be hacked or infected by
> > any threat
>
> You mean, attackers might gain access to either the hardware of
> your internal network, or any of the computers in your internal
> network might get hacked from the Internet?
>
> If I understood that correctly, you cannot use NFS at all,
> not even on a dedicated server inside your intranet, physically
> well separated from the firewall. There is basically no way to
> secure it.
>
> > Assuming that there is no mistake in PF rules
> > Assuming that there is nothing of a third party installed
> > on the box (basically it's only a tuned system)
> > -> Would you please confirm that hacking is almost impossible ?
>
> If I understood your setup and threat scenario correctly --
> computers inside your internal network might be compromised,
> and you want to run an NFS server inside your internal network --
> then no, that's not secure. Spying out the private data on the
> NFS server is trivial and does not even need script kiddie skills.
> All the attacker needs to do is: Use an IP number having access
> to the NFS server, locally create an account with the UID he is
> interested in, mount the NFS volume(s) and read the data.
> No hacking is required. This is completely insecure.
>
> > -> Would you confirm any personal data hosted on server are safe
> > as long as the (subnet is not compromised by false manipulation
> > of course)
>
> I don't know what you mean by "subnet is not compromised", but
> it doesn't matter. If "subnetwork computers might be hacked",
> then the data is not at all secure.
>
> No idea why so many other posters said there's no problem... :-(
>
> Yours
>   Ingo
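
The "no real authentication" point in the quoted reply, as an added example that is not part of the original thread: with the AUTH_SYS credential flavour that classic NFS uses (RFC 5531), the machine name, UID and GIDs are values the client writes into every call, and the verifier that follows is empty. The parser below decodes a constructed sample call to show what the server actually receives; the sample bytes and all function names are assumptions made for illustration.

```python
import struct

AUTH_NONE, AUTH_SYS = 0, 1   # ONC RPC authentication flavours (RFC 5531)
NFS_PROGRAM = 100003         # RPC program number registered for NFS

def _u32(buf, off):
    return struct.unpack_from(">I", buf, off)[0], off + 4

def _opaque(buf, off):
    """Read an XDR variable-length opaque: length, data, pad to 4 bytes."""
    n, off = _u32(buf, off)
    if off + n > len(buf):
        raise ValueError("truncated XDR opaque")
    return buf[off:off + n], off + n + (-n % 4)

def parse_call(msg):
    """Decode an RPC call header and, if present, its AUTH_SYS credential."""
    xid, mtype, rpcvers, prog, vers, proc = struct.unpack_from(">6I", msg, 0)
    off = 24
    if mtype != 0 or rpcvers != 2:
        raise ValueError("not an ONC RPC version 2 call")
    cred_flavor, off = _u32(msg, off)
    cred, off = _opaque(msg, off)
    verf_flavor, off = _u32(msg, off)
    verf, off = _opaque(msg, off)
    out = dict(prog=prog, vers=vers, proc=proc, cred_flavor=cred_flavor,
               verf_flavor=verf_flavor, verf_len=len(verf))
    if cred_flavor == AUTH_SYS:
        _stamp, c = _u32(cred, 0)
        host, c = _opaque(cred, c)
        uid, gid, ngids = struct.unpack_from(">3I", cred, c)
        c += 12
        if ngids > 16:
            raise ValueError("AUTH_SYS allows at most 16 supplementary gids")
        gids = [_u32(cred, c + 4 * i)[0] for i in range(ngids)]
        # Every value below is a claim by the sender; nothing in the call proves it.
        out.update(machine=host.decode("ascii", "replace"), uid=uid, gid=gid, gids=gids)
    return out

def _xdr(b):
    return struct.pack(">I", len(b)) + b + b"\0" * (-len(b) % 4)

# Constructed sample (not a capture): NFSv3 call claiming uid 1000 from "laptop".
_CRED = struct.pack(">I", 0) + _xdr(b"laptop") + struct.pack(">4I", 1000, 1000, 1, 1000)
SAMPLE_CALL = (struct.pack(">6I", 0x1234, 0, 2, NFS_PROGRAM, 3, 1)
               + struct.pack(">I", AUTH_SYS) + _xdr(_CRED)
               + struct.pack(">I", AUTH_NONE) + _xdr(b""))

if __name__ == "__main__":
    print(parse_call(SAMPLE_CALL))
```

The decoded call has `verf_flavor` 0 and `verf_len` 0: the server has only the source address and the numbers in the credential to go on, which is why filtering by subnet in PF does not protect the data once a host on that subnet is compromised.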

