Perhaps another option (for those with a load-balanced server setup), use an
intel 7170 (not cheap, but cool) load-balaning appliance, and use the
loadbalancer as a router; the 7170 has the abilitiy to set rules for where
it sends the load to based upon expression-matching in the URL.  This means
that you could intercept all "/manage*" URLs with the load balancer and
direct them to a box that returns nothing but error pages.  I haven't done
this (I have a 7140, this model's lower-end sibling), but I have looked
extensively at the docs for this, and it might be an option for the cash

Other than that, this doesn't get you out of securing your boxes.  I would
recomend traditional security strategies (putting servers proxied behind a
DMZ), and a box-by-box audit of services using a port scanner.  Other than
that, I can recommend one of two realistic strategies in dealing with Linux
(I dont' claim to be a security expert though) -  either: 

build the distro yourself (i.e. LFS,, and keep
tabs on what services are running, as well as monitoring the lwn
( security page every week, or...

Commit to a particular distribution/vendor and get on their security mailing
list post-haste.  Apply all patches before putting the box out on the net at
large.  And keep the box patched.  Also, monitoring lwn's security page or
bugtaq isn't such a bad idea.

If you have the time to invest in it, consider a network intrusion-detection
system and tripwire to watch the filesystem changes on your boxes.


-----Original Message-----
From: Simon Coles [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, January 16, 2001 9:50 AM
To: Ragnar Beer
Subject: Re: [Zope] Zope and Linux flavors

>Which Linux distributions are you using for running Zope and how 
>easy it was for you to maximize security of your server?

We run a variety of RedHat 6.1, 6.2, and 7.0 and Debian 2.2, as well 
as Solaris.

We apply all the latest updates, turn off services we don't use, and 
proxy Zope through Apache. We then block all but port 80 at the 
router. The servers are then firewalled off from the rest of the 

--------- My opinions are my own, NIP's opinions are theirs ----------
Simon J. Coles                                 Email: [EMAIL PROTECTED]
New Information Paradigms                  Work Phone: +44 1344 753703                     Work Fax:   +44 1344 753742
=============== Life is too precious to take seriously ===============

Zope maillist  -  [EMAIL PROTECTED]
**   No cross posts or HTML encoding!  **
(Related lists - )

Zope maillist  -  [EMAIL PROTECTED]
**   No cross posts or HTML encoding!  **
(Related lists - )

Reply via email to