
Internal Application Servers - do I need suhosin/mod_security?

Discussion in 'Security' started by Reado, Jul 13, 2012.

  1. Reado

    Reado Well-Known Member

    We have some internal PHP application servers, as in they're only accessed by staff. They are behind a firewall so that external users cannot reach them. Do I still need suhosin and mod_security?
     
  2. NixTree

    NixTree Well-Known Member

    My opinion... NO. If you are sure it is not exposed to the INTERNET, why the hassle of extra security and extra modules? Suhosin and mod_sec are not going to add any advantage in this case, I guess!! Wait and see whether anybody has a different opinion :)
     
  3. d'argo

    d'argo Active Member

    Only if you are worried about inside threats: either malicious users, or viruses and worms that get on your network. If you are not worried about them, then no.
     
  4. NetMantis

    NetMantis BANNED

    I disagree. First, if there is any internet connectivity whatsoever (even outbound only) then the applications by definition are exposed to the outside internet and able to be attacked.

    Just for the record, I can think of more than a couple dozen different ways to bypass the firewall this user has in place to reach the backend applications with no trouble whatsoever and even circumvent the firewall entirely!

    You need to take into consideration that something like this WILL happen, because it very likely will indeed!

    Also, one common problem in many workplaces is that employees visit sites that they shouldn't or install applications from the internet, and it is all too easy to pick up a trojan horse that also serves to allow hackers direct access, so this also needs to be considered as well.

    To play it safe, your security inside a LAN should be just as strong and sharply focused as your WAN side, else you've just in effect created an open exploitable vulnerability that someone will eventually find.
     
  5. srpurdy

    srpurdy Well-Known Member

    Yeah, I agree with NetMantis.

    People on the network will for sure use the network for things they aren't supposed to, like streaming YouTube videos.

    I've worked on a custom system that is like that and is always communicating 24/7 with multiple machines, with huge data and CPU load. Found out some things were being bottlenecked a little at one point, and that was part of the reason. Although hardware upgrades took care of it. Sometimes you don't have much control over what users will try to do to slow the thing down. That's all the more reason to have more security, because most of those people don't actually know any better. That ignorance can be dangerous.

    I have a motto. I'd rather keep as much control in my control rather than someone else's, because it's likely I will know more than the average user. (although that's not always the case lol) :)

    It's like running out of gas in your car, in the middle of a desert. Would you leave your doors unlocked and the key in the ignition to go get gas? Or would you lock it just in case? :)

    Although I think you have a much better chance of getting attacked/hacked than your car stolen in that example. :)

    I'd think most people would lock the car though anyway.
     
  6. Reado

    Reado Well-Known Member

    Fair enough. I only thought about excluding security from local servers to improve performance. But if there's an element of risk involved, I'll go for the secure solution.

    Thanks everyone for your feedback.
     
  7. NixTree

    NixTree Well-Known Member

    I was saying that if the apps are not exposed to the INTERNET, then don't use extra modules, because extra security in a local / devel environment can cause negative effects sometimes. Also, adding a security module doesn't mean that the app is secure forever; I know thousands of websites which are protected with multiple layers. So my opinion is valid iff the traffic can be controlled to the particular machines; of course you have a couple of points in your reply (thank you for sharing it :) ). The one and only thing I learned about security is "if you need 100% security, disconnect it from the INTERNET" - that's all I know still ;)
     