[nycbug-talk] New Webserver

H. G. tekronis at gmail.com
Tue Apr 8 00:59:31 EDT 2008

On 4/8/08, Matt Juszczak <matt at atopia.net> wrote:
> Hi all,
> Been sick for a day or so so if my email sounds a bit choppy, sorry!
> I'm about to setup (well, ok, I actually did just setup) a new webserver
> for my side ventures.  This server will have managed and self-managed
> webhosting.
> In the past, I've never really chrooted and/or jailed processes - I have
> to do it once or twice per customer request, but never on my own boxes as
> a general security policy.  I'm usually really good at keeping boxes
> patched and up to date, etc.  But this box is going to have about 20
> webhosting customers - both managed and un managed.  Some of these users
> will of course be uploading their own content via SFTP or FTP, and for all
> I know the security of their PHP scripts, etc. may be "not so good".
> What does everyone here usually do in securing those boxes?  Do you
> usually setup jails/chroots for the webserver processes, etc., or do you
> rely on internal settings in things like php.ini to maintain security for
> your public webservers?
> Thanks!
> -Matt

I don't think you can rely on php.ini settings to provide you security.
The very least I suggest is to at least be running several light web
server processes
each as a separate low-priv user.  You could probably do well to use
mount_nullfs + jails
to create separate chroot jails that share the same /usr directories.
You could create
master jail where you set up and install Apache/Lighttpd, PHP and
whatever else you want.
Then for each client jail, you make sure that it has a super minimal
loadout (no binaries the
client wouldn't ever need), and have a script to mount_nullfs
read-only each /usr subdir in
the master jail to the client jails, except for /usr/local/etc.

This way, you will only have to update software in your master jail.
The updates will immediately
propagate, since all the other jails are null-mounted to the same /usr
directory. And
you also ensure
that none of the resources (shared stuff in /usr/local/share, libraries in
/usr/lib, /usr/local/lib) can be
tampered with since every client jail has these directories mounted

The client jails each have their own fstab.<jail>, if I remember correctly.
 So your script can just
make modifications to those.

This is at least for FreeBSD 6.2, I doubt that it's changed for 7.0.

Perverse and probably over-complicated, but that setup has worked well for
me in the past.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nycbug.org/pipermail/talk/attachments/20080408/32f84019/attachment.html>

More information about the talk mailing list