[Gllug] DMZ to inside copy
Richard Jones
rich at annexia.org
Fri Jan 16 11:47:54 UTC 2004
On Fri, Jan 16, 2004 at 10:26:19AM +0000, Doug Winter wrote:
> On Thu 15 Jan Richard Jones wrote:
> > scp and the trust relationship is one solution that others have
> > already outlined. However, I have problems creating extra login
> > accounts on sensitive machines, and I think you should avoid this if
> > at all possible.
>
> I disagree - using accounts to separate responsibilities makes you more
> rather than less secure. You would prefer everyone to log in as root?
That's not what I said.
I said that I would avoid creating extra login accounts if it is
avoidable, and in this case it clearly is avoidable.
> Logs are often extremely sensitive because they reveal things you would
> rather leave unknown (ip addresses, account names and so forth).
>
> Obscure URLs have a habit of being indexed by google.
Go back to the original message to see what I _actually_ said:
----------------------------------------------------------------------
In which case, why not publish the logs over HTTP from the DMZ machine
using an obscure URL, eg:
Alias /private-logs/ /var/log/apache/
<Location /private-logs/>
    # Deny everyone first, then allow only the LAN machine's address.
    # A lone "Allow from" under Apache's default Order (deny,allow) with
    # no "Deny from all" would let every client through.
    Order deny,allow
    Deny from all
    Allow from restricted.ip.address
</Location>
Then use a simple wget on the LAN machine to fetch the logs.
----------------------------------------------------------------------
Note two reasons why this can never ever be "indexed by google" -
firstly nothing links to it, secondly (and most importantly) it uses
an "Allow from" rule to restrict to the single IP address of the LAN
machine.
Rich.
--
Richard Jones. http://www.annexia.org/ http://freshmeat.net/users/rwmj
Merjis Ltd. http://www.merjis.com/ - improving website return on investment
PTHRLIB is a library for writing small, efficient and fast servers in C.
HTTP, CGI, DBI, lightweight threads: http://www.annexia.org/freeware/pthrlib/
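To check what an Apache 2.2 mod_access block like the one above actually does before relying on it, here is an added example (not from the thread or from Apache) that evaluates Order/Allow/Deny semantics for a client address. The addresses 10.0.0.5 and 203.0.113.9 are constructed stand-ins for the list's restricted.ip.address placeholder and an outside host; hostname patterns are not resolved.

```python
"""Evaluate Apache 2.2 mod_access (Order / Allow from / Deny from) for one client IP."""
import ipaddress

# Constructed inputs: the block as it reads without Deny/Order, and the hardened form.
AS_POSTED = """<Location /private-logs/>
Allow from 10.0.0.5
</Location>"""

HARDENED = """<Location /private-logs/>
Order deny,allow
Deny from all
Allow from 10.0.0.5
</Location>"""


def parse_access(block):
    """Collect Order, Allow-from and Deny-from patterns; other directives are ignored."""
    order, allow, deny = "deny,allow", [], []  # deny,allow is Apache's default Order
    for raw in block.splitlines():
        parts = raw.split("#", 1)[0].split()
        if not parts:
            continue
        key = parts[0].lower()
        if key == "order" and len(parts) > 1:
            order = parts[1].lower()
        elif key in ("allow", "deny") and len(parts) >= 3 and parts[1].lower() == "from":
            (allow if key == "allow" else deny).extend(parts[2:])
    return order, allow, deny


def matches(client, patterns):
    """True if client matches 'all', a literal IP, or a CIDR/netmask network (no DNS)."""
    ip = ipaddress.ip_address(client)
    for pat in patterns:
        if pat.lower() == "all":
            return True
        try:
            if ip in ipaddress.ip_network(pat, strict=False):
                return True
        except ValueError:
            pass  # hostnames and partial-IP patterns are not evaluated here
    return False


def decide(block, client):
    """Return True if Apache would admit the client under the block's Order rules."""
    order, allow, deny = parse_access(block)
    allowed, denied = matches(client, allow), matches(client, deny)
    if order == "deny,allow":      # Allow wins on conflict; unmatched clients admitted
        return allowed or not denied
    return allowed and not denied  # allow,deny: Deny wins; unmatched clients refused
```

Running decide() over both blocks shows the posted form admitting the outside address while the hardened form refuses it.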
--
Gllug mailing list - Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug