Date:      Thu, 15 Dec 2005 01:10:53 -0500
From:      Anish Mistry <mistry.7@osu.edu>
To:        Mike Esquardez <mikeala3@hotmail.com>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: Insecure Web App Hosting
Message-ID:  <200512150111.10835.mistry.7@osu.edu>
In-Reply-To: <BAY7-F189657E154043057A1B1409A3B0@phx.gbl>
References:  <BAY7-F189657E154043057A1B1409A3B0@phx.gbl>

On Wednesday 14 December 2005 07:13 pm, Mike Esquardez wrote:
> I have to install a server that will host a "test drive" of a web
> app on the internet. From my initial look at the app, it looks like
> it will be a target to be exploited. I am not involved with the
> code, so fixing it is not an option. What I would like to try and do
> is host it in a manner where I can minimize the risk and damage. It
> will only have sample data and it doesn't have to be "live". Some
> ideas I have:
>
> automate disk imaging or rsync.
> read-only filesystem.
> integrity tool.
> live CD version of the app.
>
> Any other ideas?
>
> It's using Apache/PHP/MySQL and I have explained that it might not
> be fully functional or might have to be offline for a small amount
> of time each day. I have only just switched to FreeBSD, so if
> anyone has any links to some docs or tools, that would be helpful.
> Thank you.
> Mike
1) Set up a "jail" and make sure to set a high enough "securelevel".
	- Create a separate partition to run the jail and enable quotas.
2) Set up suphp to run the PHP scripts as an unprivileged non-www user,
and make sure to run PHP in safe_mode.
3) Make sure the database user (it's not using "root", right?) only
has privileges to access its tables, and better yet restrict that to
the normal table operations (DELETE, UPDATE, SELECT, INSERT) if the
application isn't doing anything fancy.

-- 
Anish Mistry

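The three steps in the reply above, written out as one configuration script. This is an added example, not code from the thread, from FreeBSD or from the suphp or MySQL projects. Everything named in it is an assumption: the jail is called "testdrive" on 192.0.2.10 with its root on a dedicated partition /dev/ad0s1g, PHP runs as a user "phpapp" via mod_suphp (the module path under libexec/apache2 is a guess for the Apache 2.0 port of the time), the database and its user are both "testdrive", and the rc.conf variable names are those of the FreeBSD 5/6-era rc.d/jail script. The script renders each fragment for review and can also audit an existing php.ini against the hardened directives, which is the check you want after the port's php.ini-recommended has been copied into place.

```shell
#!/bin/sh
# Added example, not from the original thread. Renders the config for the
# reply's three steps (jail + securelevel + quotas, suphp + safe_mode,
# least-privilege MySQL user) and audits an existing php.ini against them.
# Every name and path below is an assumption; override via the environment.
JAIL_NAME="${JAIL_NAME:-testdrive}"
JAIL_ROOT="${JAIL_ROOT:-/jails/$JAIL_NAME}"
JAIL_IP="${JAIL_IP:-192.0.2.10}"           # TEST-NET-1 placeholder address
JAIL_DEV="${JAIL_DEV:-/dev/ad0s1g}"         # partition dedicated to the jail
PHP_USER="${PHP_USER:-phpapp}"              # suphp runs PHP as this user, not www
DOCROOT="${DOCROOT:-/usr/local/www/$JAIL_NAME}"
DB_NAME="${DB_NAME:-testdrive}"
DB_USER="${DB_USER:-testdrive}"
DB_PASS="${DB_PASS:-replace-with-a-long-random-password}"
SECURELEVEL="${SECURELEVEL:-2}"

# 1) Host /etc/rc.conf: start one jail, turn on quotas for its partition.
render_host_rc_conf() {
cat <<EOF
jail_enable="YES"
jail_list="$JAIL_NAME"
jail_${JAIL_NAME}_rootdir="$JAIL_ROOT"
jail_${JAIL_NAME}_hostname="$JAIL_NAME.example.com"
jail_${JAIL_NAME}_ip="$JAIL_IP"
jail_${JAIL_NAME}_devfs_enable="YES"
jail_${JAIL_NAME}_exec_start="/bin/sh /etc/rc"
quota_enable="YES"
check_quotas="YES"
EOF
}
# /etc/fstab entry with userquota (the kernel needs "options QUOTA").
render_fstab_line() {
  printf '%s\t%s\tufs\trw,userquota\t2\t2\n' "$JAIL_DEV" "$(dirname "$JAIL_ROOT")"
}
# /etc/rc.conf inside the jail: raise securelevel at boot. At level >= 1
# schg/sappnd flags cannot be cleared, so a chflags'd docroot stays read-only.
render_jail_rc_conf() {
cat <<EOF
kern_securelevel_enable="YES"
kern_securelevel="$SECURELEVEL"
EOF
}
# 2) httpd.conf fragment for mod_suphp (module path is an assumption).
render_suphp_httpd_conf() {
cat <<EOF
LoadModule suphp_module libexec/apache2/mod_suphp.so
suPHP_Engine on
suPHP_AddHandler x-httpd-php
AddHandler x-httpd-php .php
<Directory "$DOCROOT">
    suPHP_UserGroup $PHP_USER $PHP_USER
    Options -Indexes -ExecCGI -FollowSymLinks
    AllowOverride None
</Directory>
EOF
}
# php.ini directives: safe_mode plus the usual belt and braces.
render_php_ini() {
cat <<EOF
safe_mode = On
open_basedir = "$DOCROOT:/tmp"
disable_functions = exec,system,passthru,shell_exec,popen,proc_open
allow_url_fopen = Off
register_globals = Off
display_errors = Off
expose_php = Off
EOF
}
# 3) MySQL: a user limited to row operations on the app's own schema.
render_mysql_grants() {
cat <<EOF
CREATE DATABASE IF NOT EXISTS \`$DB_NAME\`;
GRANT SELECT, INSERT, UPDATE, DELETE ON \`$DB_NAME\`.* TO '$DB_USER'@'localhost' IDENTIFIED BY '$DB_PASS';
FLUSH PRIVILEGES;
SHOW GRANTS FOR '$DB_USER'@'localhost';
EOF
}
# Audit an existing php.ini ($1) against the directives above: prints each
# one that is missing or differs, returns 1 if any, 0 when all match.
audit_php_ini() {
  _status=0
  for _key in safe_mode open_basedir disable_functions allow_url_fopen \
              register_globals display_errors expose_php; do
    _want=$(render_php_ini | sed -n "s/^$_key = //p")
    _have=$(sed -n "s/^[[:space:]]*$_key[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1)
    if [ "$_have" != "$_want" ]; then
      printf 'php.ini: %s is %s, want %s\n' "$_key" "${_have:-unset}" "$_want"
      _status=1
    fi
  done
  return $_status
}
case "${1:-render}" in
  audit) audit_php_ini "$2" ;;
  *) for _f in host_rc_conf fstab_line jail_rc_conf suphp_httpd_conf php_ini mysql_grants; do
       printf '### %s\n' "$_f"; "render_$_f"; done ;;
esac
```

Run it as `sh harden.sh render` to review the fragments, and `sh harden.sh audit /usr/local/etc/php.ini` after installing PHP. A few things the fragments do not do for you: suphp.conf still has to map the x-httpd-php handler to the php-cgi binary, user quotas are set with `edquota -u phpapp` and switched on with `quotaon` on the jail partition, and `chflags -R schg` on the document root has to happen before the jail's securelevel is raised, because securelevel can only go up on a running system and at level 1 or higher the flag can no longer be removed. The GRANT deliberately omits CREATE, DROP, ALTER and FILE, so a SQL injection in the test-drive app is limited to the sample data in its own schema.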