[nycbug-talk] Apache, ftp, samba, etc....
Francisco Reyes
lists
Sun Oct 2 10:11:08 EDT 2005
On Sun, 2 Oct 2005, Marc Spitzer wrote:
>> To protect in case someone breaks into apache/ftp?
>
> yes. With a script you can rebuild a jail, including saving all the
> data (web site etc), and recover from an incident automatically.
Sounds like a good idea.
> you are running apps that give you root you only get root in the jail
I have actually used jails, just have never set one up. Now I will have a
machine where I think it may make sense.
> and your tripwire (or mtree if you want to be bsdish (and who does
> not)) should be running out of the main box that has not been
> compromised.
I like that idea. Especially for files one does not expect to change.
I already have a little script to use mtree to compare directories.
How about CPU overhead?
I like the concept of a jail, but in the past I always wondered if the
extra complexity and CPU overhead were necessary for my needs. I think a
current box I am setting up is the first time I think it makes sense.
I will have both confidential services/data AND at the same time need to
serve an app through http to the public. In an ideal world I would like
two machines, but given how little load I expect to have on the machine
it's hard to justify.
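
The host-side check discussed in this message (comparing a jail's files against a baseline kept outside the jail), as an added example that is not part of the original post. It is a Python stand-in for an mtree spec comparison, not mtree itself; the function names and the temporary directory used as the jail root are assumptions for illustration.

```python
import hashlib
import os
import stat
import tempfile

def snapshot(root):
    """Map each path under root to (file type, permission bits, content hash or link target)."""
    spec = {}
    for dirpath, dirnames, filenames in os.walk(root):  # does not descend into symlinks
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)  # lstat: describe a link itself, never its target
            detail = ""
            if stat.S_ISLNK(st.st_mode):
                detail = os.readlink(full)
            elif stat.S_ISREG(st.st_mode):
                fd = os.open(full, os.O_RDONLY | os.O_NOFOLLOW)
                with os.fdopen(fd, "rb") as fh:
                    detail = hashlib.sha256(fh.read()).hexdigest()
            rel = os.path.relpath(full, root)
            spec[rel] = (stat.S_IFMT(st.st_mode), stat.S_IMODE(st.st_mode), detail)
    return spec

def compare(baseline, current):
    """Report paths added, removed or changed since the baseline was taken."""
    both = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "changed": sorted(p for p in both if baseline[p] != current[p]),
    }

def demo():
    """Constructed sample: a temporary directory stands in for the jail root."""
    with tempfile.TemporaryDirectory() as jail:
        for d in ("bin", "usr/local/www"):
            os.makedirs(os.path.join(jail, d))
        sh = os.path.join(jail, "bin/sh")
        index = os.path.join(jail, "usr/local/www/index.html")
        for path, data in ((sh, b"shell"), (index, b"<h1>site</h1>")):
            with open(path, "wb") as fh:
                fh.write(data)
        os.chmod(sh, 0o555)
        baseline = snapshot(jail)  # in practice kept on the host, outside the jail
        os.chmod(sh, 0o755)        # permission change
        with open(index, "wb") as fh:  # content change
            fh.write(b"<h1>changed</h1>")
        open(os.path.join(jail, "bin/.extra"), "wb").close()  # new file
        return compare(baseline, snapshot(jail))
```

Run from the host, with the baseline stored outside the jail, the report cannot be altered by a process that only has root inside the jail.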