IP aliases, effect on security?

ME dugan at passwall.com
Wed Feb 12 11:56:50 PST 2003


Daniel Smith said:
> For those of you with multiple domains on one box,
> do you have:
>
> * single ip, name-based hosting?
> * multiple ip off of one physical interface?
> * multiple User Mode Linux (virtual) machines?
> * we run 8 ethernet controllers, and we try to keep all
> of the cables straight...
> * it gives me a headache, so I simply buy a new box
> for each domain!

Single IP hosting 27 sites, of which 3 are from different TLDs (org, net, com).

I do my own DNS, and cross backup DNS with another guy.

Separate boxes or virtual machines are good in cases where your clients need
shell access and/or admin access *and* they don't trust each other. If you
don't offer shell or admin access, and you control the box, and your users
publish with file sharing (limited access) and/or DAV etc., then sharing of
the same OS on the same box with a shared IP is good. I *think* sonic
offers something like this for some of their clients who wish to publish
content but cannot afford the price of a colocated box.

It is much easier in many ways with maintenance and work. For example, if
you built your own kernel, but forgot about adding support for IP
aliasing, and happened to tell sshd to only listen on one of the aliased
IPs, then the reboot of your box could leave the IP address that sshd is
supposed to listen on unavailable, and then the box is unreachable.

If you really must do IP aliasing, then consider making the IP address on
eth0 (or whatever interface is being aliased) the one that your critical
services use. If you don't do this, then when IP aliasing is not available,
the box is not available for those critical services.

If IP aliasing is not configured, at least the address bound to the
interface "proper" will be available even when the aliased IPs will not
be bound.

-ME


-- 
-----BEGIN GEEK CODE BLOCK-----
Version: 3.12
GCS/CM$/IT$/LS$/S/O$ !d--(++) !s !a+++(-----) C++$(++++) U++++$(+$) P+$>+++
L+++$(++) E W+++$(+) N+ o K w+$>++>+++ O-@ M+$ V-$>- !PS !PE Y+ PGP++
t at -(++) 5+@ X@ R- tv- b++ DI+++ D+ G--@ e+>++>++++ h(++)>+ r*>? z?
------END GEEK CODE BLOCK------
decode: http://www.ebb.org/ungeek/ about: http://www.geekcode.com/geek.html
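The failure mode ME describes (sshd bound only to an alias address that never comes up after a reboot) can be checked for before rebooting. The script below is an added example, not code from the original post or the list: it parses `ip -o -4 addr show` output (where the kernel flags alias addresses as "secondary") and an sshd_config, and reports whether at least one ListenAddress is the primary, non-alias address of an interface. The function names, the constructed sample addresses (192.0.2.x) and the sample configs are assumptions made for the example; only the IPv4 ListenAddress forms are handled.

```shell
#!/bin/sh
# Added example (not from the original post): check that sshd would still be
# reachable if IP aliasing were unavailable after a reboot, by verifying that
# at least one ListenAddress is a primary (non-alias) interface address.
# Assumes `ip -o -4 addr show` output on stdin for the address list; IPv4 only.

# Print the primary IPv4 address of each non-loopback interface from
# `ip -o -4 addr show` text on stdin. Alias addresses carry the word
# "secondary" in that output and are skipped.
primary_addrs() {
    awk '$2 != "lo" && $3 == "inet" && $0 !~ / secondary / {
             sub(/\/.*/, "", $4); print $4 }'
}

# Print the address part of every ListenAddress directive in sshd_config
# text on stdin, dropping an optional :port suffix (IPv4 form only).
listen_addrs() {
    awk 'tolower($1) == "listenaddress" { sub(/:[0-9]+$/, "", $2); print $2 }'
}

# check_sshd_reachable CONFIG_TEXT ADDR_TEXT
# Returns 0 if sshd binds every address or at least one primary address,
# 1 if every ListenAddress names an alias-only address.
check_sshd_reachable() {
    listen=$(printf '%s\n' "$1" | listen_addrs)
    if [ -z "$listen" ]; then
        echo "OK: no ListenAddress directive, sshd binds every address"
        return 0
    fi
    # Space-delimited list of primary addresses for a simple case match.
    prim=" $(printf '%s\n' "$2" | primary_addrs | tr '\n' ' ')"
    rc=1
    for a in $listen; do
        case "$a" in
            0.0.0.0) echo "OK: $a binds every address"; rc=0 ;;
            *) case "$prim" in
                   *" $a "*) echo "OK: $a is a primary interface address"; rc=0 ;;
                   *) echo "WARN: $a is not a primary address (alias?);" \
                           "sshd is unreachable there if aliasing fails" ;;
               esac ;;
        esac
    done
    return $rc
}

# Constructed sample data: eth0 has a primary address and one alias (eth0:0).
SAMPLE_ADDRS='1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
2: eth0    inet 192.0.2.10/24 brd 192.0.2.255 scope global eth0\       valid_lft forever preferred_lft forever
2: eth0    inet 192.0.2.11/24 brd 192.0.2.255 scope global secondary eth0:0\       valid_lft forever preferred_lft forever'

# Risky configuration (constructed): sshd listens only on the alias address.
ALIAS_ONLY_CFG='Port 22
ListenAddress 192.0.2.11'

# Safer configuration (constructed): the primary address is included too.
WITH_PRIMARY_CFG='ListenAddress 192.0.2.10
ListenAddress 192.0.2.11:22'

if check_sshd_reachable "$ALIAS_ONLY_CFG" "$SAMPLE_ADDRS"; then :; else
    echo "alias-only config would leave sshd unreachable without IP aliasing"
fi
check_sshd_reachable "$WITH_PRIMARY_CFG" "$SAMPLE_ADDRS"
```

On a live host the same check runs as `check_sshd_reachable "$(cat /etc/ssh/sshd_config)" "$(ip -o -4 addr show)"`; a non-zero exit means the box would lose remote administration if the aliases fail to come up, which is exactly the case where keeping sshd on the interface's own address matters.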