Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
I have a client who runs an IIS webserver on Windows 2000 and their webserver has been compromised (before I was called). They were compromised because they were not patched.
I can't guarantee they will stay up to date with their patches and I can't speak for Microsoft getting their patches out 0 day.
I am thinking of using an apache webserver on a linux box in proxy mode that will listen to requests and retrieve pages from the IIS server behind the firewall.
Does this sound like a good solution? The Apache server will re-write requests without the exploited requests correct?
I've never actually tried that so this is speculation, but I would guess it depends on the type of attack and also how you plan on rewriting the requests. For example, a simple overflow like GET http://somefiles.AAAAAAAAAAAAAAAAAAAAAAAAAAA would probably make it through, as Apache couldn't tell the difference between it and legitimate requests; unicode stuff would probably go through too. To be effective though, Apache would need to truly re-write the requests rather than just forward them. It would probably work best using a module like mod_security that is designed to filter out weird URLs like malformed and escaped requests upstream of the Apache core. Personally, I think a true proxy like squid or ZORP would probably work the best (that's part of what they're designed to do).
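To make the point of that reply concrete, here is an added example (not from this thread, and not code from Apache, mod_security, squid or ZORP) of the request-line filtering a reverse proxy in front of the IIS box would have to do before forwarding anything. It is written in Python so it can be run on its own; the size limits, the allowed-method list and the sample request lines are all constructed for the example. The key idea is that a plain forward lets the over-long and escaped requests mentioned above through untouched, whereas a filter that decodes the path exactly once, insists on valid UTF-8 (which rejects overlong sequences), and checks length and traversal can drop them before they ever reach IIS.

```python
"""Request-line filter for a reverse proxy (added example, not from the thread)."""
import re
from typing import List, Optional, Tuple

# Constructed limits, in the spirit of Apache's LimitRequestLine directive.
MAX_REQUEST_LINE = 2048
MAX_PATH_SEGMENT = 255
ALLOWED_METHODS = {"GET", "HEAD", "POST"}   # assumption: what the backend needs

_HEX2 = re.compile(r"[0-9A-Fa-f]{2}")


def decode_percent_strict(path: str) -> Optional[str]:
    """Decode %XX escapes exactly once.

    Returns None if an escape is malformed or the resulting bytes are not
    valid UTF-8. Python's strict decoder rejects overlong encodings such as
    %c0%af, so the 'unicode' style escapes never reach the backend.
    """
    out = bytearray()
    i = 0
    while i < len(path):
        if path[i] == "%":
            hexpart = path[i + 1:i + 3]
            if not _HEX2.fullmatch(hexpart):
                return None
            out.append(int(hexpart, 16))
            i += 3
        else:
            out.extend(path[i].encode("utf-8"))
            i += 1
    try:
        return out.decode("utf-8")
    except UnicodeDecodeError:
        return None


def check_request_line(line: str) -> Tuple[bool, str]:
    """Return (allowed, reason_or_normalised_path) for one HTTP request line."""
    if len(line) > MAX_REQUEST_LINE:
        return False, "request line too long"
    parts = line.split(" ")
    if len(parts) != 3:
        return False, "malformed request line"
    method, target, version = parts
    if method not in ALLOWED_METHODS:
        return False, "method not allowed"
    if version not in ("HTTP/1.0", "HTTP/1.1"):
        return False, "unsupported HTTP version"
    # A reverse proxy only ever expects origin-form targets (/path?query).
    if not target.startswith("/"):
        return False, "absolute-form target rejected"
    path = target.split("?", 1)[0]
    decoded = decode_percent_strict(path)
    if decoded is None:
        return False, "malformed or non-UTF-8 escape"
    if "%" in decoded:
        # A literal '%' after one decode means %25xx: treat as double encoding.
        return False, "double encoding"
    if any(ord(ch) < 0x20 or ch == "\x7f" for ch in decoded):
        return False, "control character in path"
    if "\\" in decoded:
        return False, "backslash in path"
    segments = decoded.split("/")
    if any(seg == ".." for seg in segments):
        return False, "path traversal"
    if any(len(seg) > MAX_PATH_SEGMENT for seg in segments):
        return False, "path segment too long"
    return True, decoded


def filter_requests(lines: List[str]) -> List[Tuple[str, bool, str]]:
    """Run the filter over several request lines; handy for log review."""
    return [(ln[:40], *check_request_line(ln)) for ln in lines]


# Constructed sample request lines, one per case discussed in the thread.
SAMPLE_REQUESTS = [
    "GET /index.html HTTP/1.1",
    "GET /docs/report%202004.pdf HTTP/1.1",
    "GET http://somefiles.AAAAAAAAAAAAAAAAAAAAAAAAAAA HTTP/1.0",
    "GET /" + "A" * 3000 + " HTTP/1.0",
    "GET /a/..%c0%af../b.txt HTTP/1.0",
    "GET /a/%2e%2e/b.txt HTTP/1.1",
]

if __name__ == "__main__":
    for shown, ok, why in filter_requests(SAMPLE_REQUESTS):
        print(f"{'PASS' if ok else 'DROP':4} {shown!r:45} {why}")
```

In a real deployment this logic lives in the proxy (mod_security rules, or squid's ACLs and redirectors), but the checks are the same: length caps, single strict decode, and traversal and control-character rejection before the request is forwarded.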
Hey thank you for the reply, I will cancel my refund request!
Good info, appreciated. I run squid as a cache to fetch requests for the internal networks so I am somewhat familiar with it. Since squid has lots of 3rd party plugins I would think this would be a great solution. I will research it as a rewrite proxy and post with my findings.