[nycbug-talk] New Webserver
H. G.
tekronis at gmail.com
Tue Apr 8 00:59:31 EDT 2008
On 4/8/08, Matt Juszczak <matt at atopia.net> wrote:
>
> Hi all,
>
> Been sick for a day or so, so if my email sounds a bit choppy, sorry!
>
> I'm about to set up (well, ok, I actually did just set up) a new webserver
> for my side ventures. This server will have managed and self-managed
> webhosting.
>
> In the past, I've never really chrooted and/or jailed processes - I have
> to do it once or twice per customer request, but never on my own boxes as
> a general security policy. I'm usually really good at keeping boxes
> patched and up to date, etc. But this box is going to have about 20
> webhosting customers - both managed and unmanaged. Some of these users
> will of course be uploading their own content via SFTP or FTP, and for all
> I know the security of their PHP scripts, etc. may be "not so good".
>
> What does everyone here usually do in securing those boxes? Do you
> usually set up jails/chroots for the webserver processes, etc., or do you
> rely on internal settings in things like php.ini to maintain security for
> your public webservers?
>
> Thanks!
>
> -Matt
I don't think you can rely on php.ini settings to provide you security. The very least I suggest is to be running several light web server processes, each as a separate low-priv user. You could probably do well to use mount_nullfs + jails to create separate chroot jails that share the same /usr directories. You could create one master jail where you set up and install Apache/Lighttpd, PHP and whatever else you want. Then for each client jail, you make sure that it has a super minimal loadout (no binaries the client wouldn't ever need), and have a script to mount_nullfs read-only each /usr subdir in the master jail to the client jails, except for /usr/local/etc.

This way, you will only have to update software in your master jail. The updates will immediately propagate, since all the other jails are null-mounted to the same /usr directory. And you also ensure that none of the resources (shared stuff in /usr/local/share, libraries in /usr/lib, /usr/local/lib) can be tampered with, since every client jail has these directories mounted read-only.

The client jails each have their own fstab.<jail>, if I remember correctly. So your script can just make modifications to those. This is at least for FreeBSD 6.2; I doubt that it's changed for 7.0.

Perverse and probably over-complicated, but that setup has worked well for me in the past.
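The per-jail fstab and rc.conf setup described in the reply above, written out as an added shell example; it is not code from the original post or from the FreeBSD project. The jail root paths (/jails/master, /jails/client1), the jail name, IP and hostname are constructed assumptions, and the script only prints the configuration lines rather than mounting anything, so it can be reviewed before being applied on a FreeBSD 6.x/7.x host.

```shell
#!/bin/sh
# Added example: build the fstab.<jail> and rc.conf fragments for a client
# jail that null-mounts the master jail's /usr subdirectories read-only.
# /usr/local/etc is deliberately left out so each client keeps its own
# writable configuration while binaries and libraries stay immutable.

# gen_nullfs_fstab MASTER_ROOT CLIENT_ROOT SUBDIR...
# Prints one fstab(5) line per /usr subdirectory (given relative to /usr,
# e.g. "bin" or "local/lib"). Every mount is nullfs and read-only ("ro");
# "local/etc" and anything beneath it is skipped.
gen_nullfs_fstab() {
    master="$1"; client="$2"; shift 2
    for sub in "$@"; do
        case "$sub" in
            local/etc|local/etc/*) continue ;;   # client-private config, never shared
        esac
        printf '%s/usr/%s %s/usr/%s nullfs ro 0 0\n' \
            "$master" "$sub" "$client" "$sub"
    done
}

# check_fstab_readonly FILE_CONTENT
# Defensive check: returns 0 only if every nullfs line carries "ro",
# so a hand-edited fstab cannot silently expose the master jail read-write.
check_fstab_readonly() {
    printf '%s\n' "$1" | awk '
        $3 == "nullfs" && $4 !~ /(^|,)ro(,|$)/ { bad = 1 }
        END { exit bad }'
}

# rc_conf_for_jail NAME ROOTDIR IP HOSTNAME
# Prints the rc.conf(5) jail_<name>_* variables used by /etc/rc.d/jail on
# FreeBSD 6.x/7.x; mount_enable makes rc.d/jail mount /etc/fstab.<name>
# before the jail starts.
rc_conf_for_jail() {
    name="$1"; root="$2"; ip="$3"; host="$4"
    printf 'jail_%s_rootdir="%s"\n'   "$name" "$root"
    printf 'jail_%s_hostname="%s"\n'  "$name" "$host"
    printf 'jail_%s_ip="%s"\n'        "$name" "$ip"
    printf 'jail_%s_devfs_enable="YES"\n' "$name"
    printf 'jail_%s_mount_enable="YES"\n' "$name"
    printf 'jail_%s_fstab="/etc/fstab.%s"\n' "$name" "$name"
}

# Constructed sample run: one client jail sharing the master's /usr tree.
# Redirect the two outputs to /etc/fstab.client1 and append to /etc/rc.conf
# on the host, then add "client1" to jail_list.
main() {
    echo "# /etc/fstab.client1"
    gen_nullfs_fstab /jails/master /jails/client1 \
        bin lib libexec sbin share include local/bin local/sbin local/lib \
        local/share local/etc local/libexec local/include
    echo
    echo "# append to /etc/rc.conf"
    rc_conf_for_jail client1 /jails/client1 192.0.2.10 client1.example.net
}

# Only run the sample when executed directly, not when sourced for testing.
case "$0" in
    *sh) ;;
    *) main ;;
esac
```

Each client jail still needs its own /usr/local/etc populated (php.ini, the web server config, per-customer vhosts), and because the client's /usr/local/lib and /usr/local/share are the master's read-only copies, a compromised PHP script inside a client jail cannot replace a shared library or binary that another customer's jail also loads.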