Date: Thu, 15 Dec 2005 02:06:27 -0700
From: "Chad Leigh -- Shire.Net LLC" <chad@shire.net>
To: Anish Mistry <mistry.7@osu.edu>, Free BSD Questions list <freebsd-questions@freebsd.org>
Subject: Re: Insecure Web App Hosting
Message-ID: <14EE21D2-DBAC-4E5A-AE29-F584E6A42F05@shire.net>
In-Reply-To: <200512150111.10835.mistry.7@osu.edu>
References: <BAY7-F189657E154043057A1B1409A3B0@phx.gbl> <200512150111.10835.mistry.7@osu.edu>
On Dec 14, 2005, at 11:10 PM, Anish Mistry wrote:

> On Wednesday 14 December 2005 07:13 pm, Mike Esquardez wrote:
>> I have to install a server that will host a "test drive" of a web
>> app on the internet. From my initial look at the app, it looks like
>> it will be a target to be exploited. I am not involved with the
>> code so fixing it is not an option. What I would like to try and do
>> is host it in a manner where I can minimize the risk and damage. It
>> will only have sample data and it doesn't have to be "live". Some
>> ideas I have:
>>
>> automate disk imaging or rsync.
>> read only filesystem.
>> integrity tool.
>> live cd version of the app.
>>
>> any other ideas?????
>>
>> It's using apache/php/mysql and I have explained that it might not
>> be fully functional or might have to be offline for a small amount
>> of time each day. I have only just switched to FreeBSD so if anyone
>> has any links to some docs or tools that would be helpful.
>> Thank you.
>> Mike
>
> 1) Setup a "jail" and make sure to set a high enough "securelevel"

Also, you can set up your jail so that the "system" parts of the jail
filesystem (not var and etc but / and /usr /lib /bin /sbin etc) are read
only so that no system executables can be modified at all from inside the
jail. This should prevent most root-kit type things being installed and
replacing system binaries. Google on jail and nullfs and readonly to see
previous discussions.

Chad

> - Create a separate partition to run the jail and enable quotas
> 2) Setup suphp to run the php scripts as an unprivileged non-www user,
> make sure to run php in safe_mode
> 3) Make sure the database user (It's not using "root" right?) only
> has privileges to access its tables, and better yet restrict that to
> the normal table operations (DELETE, UPDATE, SELECT, INSERT) if the
> application isn't doing anything fancy.
>
> --
> Anish Mistry

-- 
Chad Leigh -- Shire.Net LLC
Your Web App and Email hosting provider
chad at shire.net
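The setup sketched in the thread (a jail whose system directories are nullfs-mounted read-only from a base tree, a raised securelevel, and a database user limited to the four row operations), as an added example that is not code from either poster. The jail name, the /usr/jails paths, the hostname and the 192.0.2.10 address are assumed values; the script only generates and checks files unless it is run with the argument "apply" on a FreeBSD host as root.

```shell
#!/bin/sh
# Added example, not code from the thread: generate the pieces of the jail
# setup discussed above (read-only nullfs mounts of the system directories,
# a raised securelevel, a least-privilege MySQL user) and sanity-check the
# fstab before the jail starts. Jail name, paths and addresses are assumed
# values. Nothing is mounted or started unless run with the argument "apply".

# Directories the jail shares read-only with a separately installed base
# world (e.g. "make installworld DESTDIR=/usr/jails/base"). /etc, /var,
# /tmp and /root stay private, writable copies inside the jail.
RO_DIRS="bin sbin lib libexec usr"

# Emit fstab(5) lines mapping $1/<dir> onto $2/<dir> as read-only nullfs.
gen_fstab() {
    for d in $RO_DIRS; do
        printf '%s/%s\t%s/%s\tnullfs\tro\t0\t0\n' "$1" "$d" "$2" "$d"
    done
}

# Emit a jail.conf(5) stanza for jail $1 rooted at $2 using fstab $3.
# securelevel=3 keeps immutable flags, firewall rules and kernel modules
# out of reach of a compromised process inside the jail.
gen_jail_conf() {
    cat <<EOF
$1 {
    path = "$2";
    host.hostname = "$1.example.org";
    ip4.addr = "192.0.2.10";
    mount.fstab = "$3";
    mount.devfs;
    devfs_ruleset = 4;
    securelevel = 3;
    allow.raw_sockets = 0;
    exec.start = "/bin/sh /etc/rc";
    exec.stop = "/bin/sh /etc/rc.shutdown";
}
EOF
}

# Emit the grants for the application's database user $2 on database $1:
# only the four row operations on its own schema, nothing server-wide.
gen_db_grants() {
    cat <<EOF
CREATE USER '$2'@'localhost' IDENTIFIED BY 'REPLACE-WITH-A-REAL-PASSWORD';
GRANT SELECT, INSERT, UPDATE, DELETE ON $1.* TO '$2'@'localhost';
FLUSH PRIVILEGES;
EOF
}

# Fail (return 1) if any shared system directory in fstab $1 is not a
# read-only nullfs mount; print the offending mount point on stderr.
check_fstab_ro() {
    rc=0
    while read -r dev mnt fstype opts rest; do
        case "$dev" in ''|'#'*) continue ;; esac
        for d in $RO_DIRS; do
            [ "${mnt##*/}" = "$d" ] || continue
            case ",$opts," in
                *,ro,*) [ "$fstype" = nullfs ] ||
                    { echo "not nullfs: $mnt" >&2; rc=1; } ;;
                *) echo "writable system dir: $mnt" >&2; rc=1 ;;
            esac
        done
    done < "$1"
    return $rc
}

# "apply": write the files and start the jail (root on FreeBSD required).
if [ "${1:-}" = "apply" ]; then
    JAIL=appjail; BASE=/usr/jails/base; ROOT=/usr/jails/$JAIL
    for d in $RO_DIRS; do mkdir -p "$ROOT/$d"; done           # mount points
    for d in etc var root; do                                  # private copies
        [ -d "$ROOT/$d" ] || cp -a "$BASE/$d" "$ROOT/$d"
    done
    mkdir -p "$ROOT/tmp" && chmod 1777 "$ROOT/tmp"
    gen_fstab "$BASE" "$ROOT" > "/etc/fstab.$JAIL"
    check_fstab_ro "/etc/fstab.$JAIL" || exit 1
    gen_jail_conf "$JAIL" "$ROOT" "/etc/fstab.$JAIL" >> /etc/jail.conf
    gen_db_grants webapp_db webapp > "$ROOT/root/grants.sql"  # run via mysql inside
    jail -c "$JAIL"
fi
```

With /usr shared read-only, the web application's files and the Apache/PHP configuration under /usr/local are installed and edited in the base tree from the host, never from inside the jail; anything the application must write (PHP sessions, uploads, the MySQL data directory) has to live under the jail's private /var or /tmp. Ruleset 4 is the stock devfsrules_jail from /etc/defaults/devfs.rules, and check_fstab_ro is the gate that catches an fstab line someone later relaxed to rw or swapped for a plain ufs mount.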