Running a webserver behind a firewall, is it secure?

Solution 1:

Yes. A DMZ solves this problem. You can create a DMZ on Linux (a separate network) using one more NIC, or create a VLAN.

In computer security, a DMZ, or demilitarized zone is a physical or logical subnetwork that contains and exposes an organization's external services to a larger untrusted network, usually the Internet. The term is normally referred to as a DMZ by information technology professionals. It is sometimes referred to as a perimeter network. The purpose of a DMZ is to add an additional layer of security to an organization's local area network (LAN); an external attacker only has access to equipment in the DMZ, rather than any other part of the network.

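As an added example (not part of the answer above), here is an nftables ruleset for a Linux box acting as the three-legged firewall the answer describes: one interface to the Internet, one to the DMZ holding the webserver, one to the internal LAN. The interface names `wan0`, `dmz0`, `lan0`, the webserver address `198.51.100.10` and the ssh port are constructed placeholders; it also assumes the DMZ addresses are routable from the Internet (or that a DNAT rule, not shown, maps the public address to the webserver).

```shell
#!/bin/sh
# Added example: nftables forward rules for a Linux router with a DMZ segment.
# Constructed values: wan0 = Internet, dmz0 = DMZ, lan0 = internal LAN,
# 198.51.100.10 = webserver in the DMZ (documentation prefix).
WAN_IF="${WAN_IF:-wan0}"
DMZ_IF="${DMZ_IF:-dmz0}"
LAN_IF="${LAN_IF:-lan0}"
WEB_HOST="${WEB_HOST:-198.51.100.10}"
SSH_PORT="${SSH_PORT:-22}"

# Emit the ruleset. The forward chain defaults to drop, so the only paths out of
# the DMZ are the ones listed; no rule lets a DMZ host open a connection into the LAN.
gen_dmz_ruleset() {
  cat <<EOF
flush ruleset
table inet filter {
  chain forward {
    type filter hook forward priority 0; policy drop;
    ct state established,related accept
    ct state invalid drop
    # Internet -> DMZ: only the web ports, only to the webserver
    iifname "$WAN_IF" oifname "$DMZ_IF" ip daddr $WEB_HOST tcp dport { 80, 443 } accept
    # LAN -> DMZ: admins reach the webserver over ssh
    iifname "$LAN_IF" oifname "$DMZ_IF" ip daddr $WEB_HOST tcp dport $SSH_PORT accept
    # DMZ -> Internet: just what package updates and time sync need
    iifname "$DMZ_IF" oifname "$WAN_IF" udp dport { 53, 123 } accept
    iifname "$DMZ_IF" oifname "$WAN_IF" tcp dport { 53, 80, 443 } accept
    # LAN -> Internet: unrestricted
    iifname "$LAN_IF" oifname "$WAN_IF" accept
  }
}
EOF
}

# Sanity check on a ruleset read from stdin: fail (return 1) if any rule would let
# traffic arriving on the DMZ interface leave on the LAN interface.
check_no_dmz_to_lan() {
  ! grep -q "iifname \"$DMZ_IF\" oifname \"$LAN_IF\""
}

# Demo: generate the ruleset and confirm the DMZ cannot reach the LAN.
gen_dmz_ruleset | check_no_dmz_to_lan && echo "ok: no DMZ -> LAN forwarding rule"
```

Save the output of `gen_dmz_ruleset` to a file, check it with `nft -c -f <file>` before loading it with `nft -f <file>`, and enable routing with `sysctl -w net.ipv4.ip_forward=1`. The point of the layout is the `policy drop` on the forward chain: a compromised webserver can answer the connections it was meant to serve and fetch updates, but cannot start anything towards the LAN.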

Solution 2:

@ooshro gave a good answer about DMZs, but I want to add that there are additional steps you should look at for securing your external access to limit the possibility of your host being compromised.

First, make sure you set up proper firewall rules on the Linux bugtracker server. Since it will be publicly accessible, you should control access in and out of the machine tightly. Most firewall configurations concentrate on blocking incoming connections from the outside world. That's a good first step, but you should also lock down outgoing connections. For example, if this server doesn't need to ssh to the outside world, there should be a firewall rule blocking that.

Install a minimal set of software packages on the server. Do you really need network utilities like tcpdump or traceroute? Probably not, but they can be invaluable for someone who breaks into your machine.

Take additional steps to secure incoming ssh on the Linux server. You should run something like denyhosts to block automated login attempts. If only admin users like yourself are going to access the box via ssh, run your ssh server on a different port to again cut down on automated ssh login attempts.

Don't allow password-only ssh logins to the box; instead, require the use of pregenerated public/private keypairs. Look into running Google Two Factor Authentication so there's an additional layer of security when you log in.
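As an added example (my code, not the answerer's), here is a host-level version of the steps above for the bugtracker box itself: a default-deny nftables ruleset that locks down outgoing connections as well as incoming ones (outgoing ssh is simply not listed, so it is dropped), plus a small audit that reads an `sshd_config` and reports whether the key-only login settings are in place. The ssh port `2222` and the admin network `192.0.2.0/24` are constructed values.

```shell
#!/bin/sh
# Added example: default-deny host firewall plus an sshd_config audit.
# Constructed values: ssh on port 2222, admin network 192.0.2.0/24.
SSH_PORT="${SSH_PORT:-2222}"
ADMIN_NET="${ADMIN_NET:-192.0.2.0/24}"

# Host ruleset: inbound only web plus rate-limited ssh from the admin network;
# outbound only DNS, NTP and HTTP(S) for package updates. Anything else, including
# outgoing ssh, is dropped by the chain policy.
gen_host_ruleset() {
  cat <<EOF
flush ruleset
table inet filter {
  chain input {
    type filter hook input priority 0; policy drop;
    ct state established,related accept
    ct state invalid drop
    iif lo accept
    ip protocol icmp accept
    ip6 nexthdr icmpv6 accept
    tcp dport { 80, 443 } accept
    ip saddr $ADMIN_NET tcp dport $SSH_PORT ct state new limit rate 10/minute accept
  }
  chain output {
    type filter hook output priority 0; policy drop;
    ct state established,related accept
    oif lo accept
    udp dport { 53, 123 } accept
    tcp dport { 53, 80, 443 } accept
  }
}
EOF
}

# Audit an sshd_config: each key below must be set explicitly (uncommented) to the
# expected value. sshd honours the first occurrence of a key, so only the first
# match is read. Prints one line per finding; returns 0 only when everything matches.
audit_sshd_config() {
  file="$1"; rc=0
  for pair in "Port $SSH_PORT" "PasswordAuthentication no" "PubkeyAuthentication yes" "PermitRootLogin no"; do
    key="${pair% *}"; want="${pair#* }"
    got=$(awk -v k="$key" 'tolower($1)==tolower(k) {print $2; exit}' "$file")
    if [ "$got" != "$want" ]; then
      echo "$key: expected '$want', found '${got:-unset}'"
      rc=1
    fi
  done
  return $rc
}

# Demo on two constructed configs: a hardened one and a stock-looking one.
demo_dir=$(mktemp -d)
printf 'Port %s\nPasswordAuthentication no\nPubkeyAuthentication yes\nPermitRootLogin no\n' "$SSH_PORT" > "$demo_dir/hardened"
printf '#PasswordAuthentication no\nPasswordAuthentication yes\nPermitRootLogin yes\n' > "$demo_dir/stock"
for f in hardened stock; do
  if audit_sshd_config "$demo_dir/$f"; then echo "$f: PASS"; else echo "$f: FAIL"; fi
done
rm -rf "$demo_dir"
```

Run `audit_sshd_config /etc/ssh/sshd_config` after editing and `sshd -t` before restarting the daemon; keep an existing session open while you test the new port and key login so a mistake does not lock you out. If you later add the Google Authenticator PAM module, the challenge-response setting will change as well, but password-only logins should stay disabled.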