Help Adding Another Website

Hello,
I am the systems administrator for a small law firm. We host our own website/email on a FreeBSD 4.5 machine using Apache 1.3 and Sendmail (we have a Win2K server that takes care of all other networking duties). We have a Cox Business cable modem with 1 IP connected to a Cisco PIX 506 firewall. This has worked great for serving one domain name, but now we are starting another company, and need to host another website. Since we're already hosting our own on this server (and it's not even close to being fully utilized), it would be nice if we could use our existing equipment. I know we'll definitely need to get another IP from Cox and have the domain name point to that, but I'm not sure what to do from there. My best guess was I'd need to get another Cisco firewall, and set it up as follows:

Cable Modem -> Hub -> Firewall 1 -> Rest of network including NIC 1 on FreeBSD server
                   -> Firewall 2 -> NIC 2 on FreeBSD server

I assume Apache and Sendmail would be ok in this situation? Any information on how best to accomplish all this is greatly appreciated!
In article <aPiRa.51653$o86.46114@news1.central.cox.net>,
Mark Antonson <mfa@suiter.com> wrote:
>Hello,
> I am the systems administrator for a small law firm. We host our own
>website/email on a FreeBSD 4.5 machine using Apache 1.3 and Sendmail (we
>have a Win2K server that takes care of all other networking duties). We
>have a Cox Business cable modem with 1 IP connected to a Cisco PIX 506
>firewall. This has worked great for serving one domain name, but now we are
>starting another company, and need to host another website. Since we're
>already hosting our own on this server (and it's not even close to being
>fully utilized), it would be nice if we could use our existing equipment. I
>know we'll definitely need to get another IP from Cox and have the domain
>name point to that, but I'm not sure what to do from there.

No you don't. You can usually use the same IP address for both websites, and this is generally preferred. Just have both DNS entries point to your IP.

In the Apache documentation, look up "VirtualHost" for information on how to configure multiple virtual hosts.

If you have questions about configuring Apache, comp.infosystems.www.servers.unix is the right group.

--
Barry Margolin, barry.margolin@level3.com
Level(3), Woburn, MA
*** DON'T SEND TECHNICAL QUESTIONS DIRECTLY TO ME, post them to newsgroups.
Please DON'T copy followups to me -- I'll assume it wasn't posted to the group.
"Mark Antonson" <mfa@suiter.com> wrote in message news:aPiRa.51653$o86.46114@news1.central.cox.net...
| Hello,
| I am the systems administrator for a small law firm. We host our own
| website/email on a FreeBSD 4.5 machine using Apache 1.3 and Sendmail (we
| have a Win2K server that takes care of all other networking duties). We
| have a Cox Business cable modem with 1 IP connected to a Cisco PIX 506
| firewall. This has worked great for serving one domain name, but now we are
| starting another company, and need to host another website. Since we're
| already hosting our own on this server (and it's not even close to being
| fully utilized), it would be nice if we could use our existing equipment. I
| know we'll definitely need to get another IP from Cox and have the domain
| name point to that, but I'm not sure what to do from there. My best guess
| was I'd need to get another Cisco firewall, and set it up as follows:
|
| Cable Modem -> Hub -> Firewall 1 -> Rest of network including NIC 1 on FreeBSD server
|                    -> Firewall 2 -> NIC 2 on FreeBSD server
|
| I assume Apache and Sendmail would be ok in this situation? Any information
| on how best to accomplish all this is greatly appreciated!

Given that you are going to use the same box and its Cox Business Cable modem.... I would set up the new DNS record to point to the **same IP** and use Name Based resolution in Apache. Apache will make differentiation of the named server being accessed and pull content from the appropriate doc root directory.

If you are planning to run OTHER services besides www, then you should split them out. You would still need to configure apache to respond to requests on a certain IP/name.

Check out the docs on apache.org regarding virtual hosting. You might check the sendmail docs on hosting multiple domains. Also, quite a few people have posted things in the newsgroups. Use groups.google.com.

ken k
On Wed, 16 Jul 2003 20:44:54 GMT, "Mark Antonson" <mfa@suiter.com>
wrote:
> I am the systems administrator for a small law firm. We host our own
>website/email on a FreeBSD 4.5 machine using Apache 1.3 and Sendmail (we
>have a Win2K server that takes care of all other networking duties). We
>have a Cox Business cable modem with 1 IP connected to a Cisco PIX 506
>firewall. This has worked great for serving one domain name, but now we are
>starting another company, and need to host another website. Since we're
>already hosting our own on this server (and it's not even close to being
>fully utilized), it would be nice if we could use our existing equipment. I
>know we'll definitely need to get another IP from Cox and have the domain
>name point to that, but I'm not sure what to do from there. My best guess
>was I'd need to get another Cisco firewall, and set it up as follows:
>
>Cable Modem -> Hub -> Firewall 1 -> Rest of network including NIC 1 on FreeBSD server
>                   -> Firewall 2 -> NIC 2 on FreeBSD server
>
>I assume Apache and Sendmail would be ok in this situation? Any information
>on how best to accomplish all this is greatly appreciated!

Why the post to the NT Admin group for a BSD/Apache question?

Apache can run two sites just fine on one IP. Sendmail may need a second static IP. In either case, you don't need a second firewall/NIC/connection/etc. unless you need it for business reasons and not technical ones.

Jeff

===================================
Jeff Cochran (IIS MVP)
jcochran.nospam@naplesgov.com - Munged of Course

I don't get much time to respond to direct email, so posts here will have a better chance of getting an answer. Besides, everyone benefits here.

Suggested resources:
http://www.iisfaq.com/
http://www.iisanswers.com/
http://www.iistoolshed.com/
http://securityadmin.info/
http://www.aspfaq.com/
http://support.microsoft.com/
====================================
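
The single-IP, name-based setup suggested in the three replies above, as an added example that is not part of any poster's message: an Apache 1.3 httpd.conf fragment. The hostnames (firm.example, newco.example, default.invalid), document roots and log paths are placeholders, and the "combined" log format is assumed to be defined as in the stock httpd.conf.

```apache
# Added example: two sites on one IP with Apache 1.3 name-based virtual hosts.
# All hostnames and paths below are placeholders, not values from the thread.

# Dispatch requests on every local address by their Host: header.
NameVirtualHost *

# The FIRST <VirtualHost> listed is the default: it answers any request whose
# Host: header matches no ServerName/ServerAlias (including requests made by
# bare IP). Make it an explicit deny-all host so that neither company's
# content is served under an unexpected name.
<VirtualHost *>
    ServerName default.invalid
    DocumentRoot /usr/local/www/empty
    <Location />
        Order allow,deny
        Deny from all
    </Location>
</VirtualHost>

# Existing site.
<VirtualHost *>
    ServerName www.firm.example
    ServerAlias firm.example
    DocumentRoot /usr/local/www/firm
    # Separate logs per site keep each company's traffic records apart.
    ErrorLog /var/log/httpd-firm-error.log
    CustomLog /var/log/httpd-firm-access.log combined
</VirtualHost>

# New company's site, same IP, different DNS name.
<VirtualHost *>
    ServerName www.newco.example
    ServerAlias newco.example
    DocumentRoot /usr/local/www/newco
    ErrorLog /var/log/httpd-newco-error.log
    CustomLog /var/log/httpd-newco-access.log combined
</VirtualHost>
```

Running `apachectl configtest` checks the syntax before a restart, and `httpd -S` prints how the virtual hosts were parsed, including which one is the default.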
Thanks to everyone who has replied so far. I talked with my boss this morning, and for business reasons, he's decided he wants a separate server now. Now in this situation, I'm assuming it'll end up something like I had before:

Cable Modem -> Hub -> Firewall 1 -> Network and Old Server
                   -> Firewall 2 -> New Server

What kind of firewall would you guys recommend for the new server? Do I really need another PIX 506 or could I get by with a 501 or something less?

Thanks,
Mark

"Mark Antonson" <mfa@suiter.com> wrote in message news:aPiRa.51653$o86.46114@news1.central.cox.net...
> Hello,
> I am the systems administrator for a small law firm. We host our own
> website/email on a FreeBSD 4.5 machine using Apache 1.3 and Sendmail (we
> have a Win2K server that takes care of all other networking duties). We
> have a Cox Business cable modem with 1 IP connected to a Cisco PIX 506
> firewall. This has worked great for serving one domain name, but now we are
> starting another company, and need to host another website. Since we're
> already hosting our own on this server (and it's not even close to being
> fully utilized), it would be nice if we could use our existing equipment. I
> know we'll definitely need to get another IP from Cox and have the domain
> name point to that, but I'm not sure what to do from there. My best guess
> was I'd need to get another Cisco firewall, and set it up as follows:
>
> Cable Modem -> Hub -> Firewall 1 -> Rest of network including NIC 1 on FreeBSD server
>                    -> Firewall 2 -> NIC 2 on FreeBSD server
>
> I assume Apache and Sendmail would be ok in this situation? Any information
> on how best to accomplish all this is greatly appreciated!
Mark Antonson wrote:
> Thanks to everyone who has replied so far. I talked with my boss this
> morning, and for business reasons, he's decided he wants a separate server
> now. Now in this situation, I'm assuming it'll end up something like I had
> before:
>
> Cable Modem -> Hub -> Firewall 1 -> Network and Old Server
>                    -> Firewall 2 -> New Server

Do you really need the servers isolated from each other by firewall? You could do this (which is probably more common)

Cable Modem -> Firewall -> Hub -> Network and Old Server
                                  New Server

Personally though I would replace "Hub" with "Switch".
After some more thought (and talking with another Unix/Linux guy I know), I'm thinking now that I'll just put the new BSD machine out there on its own. Unfortunately, the PIX 506 doesn't support more than 2 interfaces, and the boss wants separate IP addresses for both websites. So I think I'll end up with something like this:

Cable Modem -> Switch -> Cisco PIX and existing network
                      -> New BSD server

I think this should be ok, and I plan on locking the new BSD machine down as much as possible and keeping it patched religiously (FreeBSD 5.1, Apache 2, and Qmail are all I plan on running on it, besides SSH for admin, etc. No ftp or telnet).

"Bit Twister" <BitTwister@localhost.localdomain> wrote in message news:slrnbhgetq.38b.BitTwister@wb.home...
> On Fri, 18 Jul 2003 13:28:51 -0400, Joe Beanfish wrote:
> >>
> >> Cable Modem -> Hub -> Firewall 1 -> Network and Old Server
> >>                    -> Firewall 2 -> New Server
> >
> > Do you really need the servers isolated from each other by firewall?
> > You could do this (which is probably more common)
>
> It would help keep malware installed on the New Server from
> getting easy access to boxes on the Old server network.
Mark Antonson wrote:
> "Bit Twister" <BitTwister@localhost.localdomain> wrote in message
> news:slrnbhgetq.38b.BitTwister@wb.home...
> > On Fri, 18 Jul 2003 13:28:51 -0400, Joe Beanfish wrote:
> > >>
> > >> Cable Modem -> Hub -> Firewall 1 -> Network and Old Server
> > >>                    -> Firewall 2 -> New Server
> > >
> > > Do you really need the servers isolated from each other by firewall?
> > > You could do this (which is probably more common)
> >
> > It would help keep malware installed on the New Server from
> > getting easy access to boxes on the Old server network.
>
> I'm thinking now that I'll just put the new BSD machine out there on its
> own. Unfortunately, the PIX 506 doesn't support more than 2 interfaces, and
> the boss wants separate IP addresses for both websites. So I think I'll end
> up with something like this:
>
> Cable Modem -> Switch -> Cisco PIX and existing network
>                       -> New BSD server
>
> I think this should be ok, and I plan on locking the new BSD machine down as
> much as possible and keeping it patched religiously (FreeBSD 5.1, Apache 2,
> and Qmail are all I plan on running on it, besides SSH for admin, etc. No
> ftp or telnet).

Unless you're using "interface" to mean "ip" you don't need multiple interfaces. An "interface" is generally an ethernet port or such. Just plug the cable modem into the firewall's incoming port and plug the firewall's outgoing port into the hub/switch. Then plug as many other devices as desired into the hub/switch. Then all devices are protected from the outside (but not from each other).

Also, don't be fooled into thinking there's anything particularly more secure about ssh rather than telnet. That's only true in the case of packet sniffing. You're more likely to get broken into because of flaky software. ssh is equally vulnerable to such attacks.
I said interface because my boss wants to use separate IP addresses, and (I may be wrong) but I'm under the assumption that you can't bind multiple IP addresses to a single interface on the Cisco PIX. That would mean I would need another interface to support another external IP. But I think the way I'm doing it will be easy and secure enough, I'll definitely look into Snort and use complex passwords.

Thanks for all the help though group!
Mark

"Joe Beanfish" <joebeanfish@nospam.duh> wrote in message news:3F1C1E4F.AE5DE7B5@nospam.duh...
> Mark Antonson wrote:
> > "Bit Twister" <BitTwister@localhost.localdomain> wrote in message
> > news:slrnbhgetq.38b.BitTwister@wb.home...
> > > On Fri, 18 Jul 2003 13:28:51 -0400, Joe Beanfish wrote:
> > > >>
> > > >> Cable Modem -> Hub -> Firewall 1 -> Network and Old Server
> > > >>                    -> Firewall 2 -> New Server
> > > >
> > > > Do you really need the servers isolated from each other by firewall?
> > > > You could do this (which is probably more common)
> > >
> > > It would help keep malware installed on the New Server from
> > > getting easy access to boxes on the Old server network.
> >
> > I'm thinking now that I'll just put the new BSD machine out there on its
> > own. Unfortunately, the PIX 506 doesn't support more than 2 interfaces, and
> > the boss wants separate IP addresses for both websites. So I think I'll end
> > up with something like this:
> >
> > Cable Modem -> Switch -> Cisco PIX and existing network
> >                       -> New BSD server
> >
> > I think this should be ok, and I plan on locking the new BSD machine down as
> > much as possible and keeping it patched religiously (FreeBSD 5.1, Apache 2,
> > and Qmail are all I plan on running on it, besides SSH for admin, etc. No
> > ftp or telnet).
>
> Unless you're using "interface" to mean "ip" you don't need multiple
> interfaces.
> An "interface" is generally an ethernet port or such. Just plug the
> cable modem
> into the firewall's incoming port and plug the firewall's outgoing port
> into the hub/switch. Then plug as many other devices as desired into the
> hub/switch.
> Then all devices are protected from the outside (but not from each
> other).
>
> Also, don't be fooled into thinking there's anything particularly more
> secure
> about ssh rather than telnet. That's only true in the case of packet
> sniffing.
> You're more likely to get broken into because of flaky software. ssh is
> equally
> vulnerable to such attacks.