From: "Chad Leigh -- Shire.Net LLC"
Date: Thu, 15 Dec 2005 02:06:27 -0700
To: Anish Mistry, Free BSD Questions list
Subject: Re: Insecure Web App Hosting

On Dec 14, 2005, at 11:10 PM, Anish Mistry wrote:

> On Wednesday 14 December 2005 07:13 pm, Mike Esquardez wrote:
>> I have to install a server that will host a "test drive" of a web
>> app on the internet. From my initial look at the app, it looks like
>> it will be a target to be exploited. I am not involved with the
>> code so fixing it is not an option. What I would like to try and do
>> is host it in a manner where I can minimize the risk and damage. It
>> will only have sample data and it doesn't have to be "live". Some
>> ideas I have-
>>
>> automate disk imaging or rsync.
>> read only filesystem.
>> integrity tool.
>> live cd version of the app.
>>
>> Any other ideas?????
>>
>> It's using apache/php/mysql and I have explained that it might not
>> be fully functional or might have to be offline for a small amount
>> of time each day. I have only just switched to FreeBSD so if anyone
>> has any links to some docs or tools that would be helpful.
>> Thank you.
>> Mike
> 1) Set up a "jail" and make sure to set a high enough "securelevel"

Also, you can set up your jail so that the "system" parts of the jail
filesystem (not var and etc but / and /usr /lib /bin /sbin etc) are
read only so that no system executables can be modified at all from
inside the jail. This should prevent most root-kit type things being
installed and replacing system binaries.

Google on jail and nullfs and readonly to see previous discussions.

Chad

> - Create a separate partition to run the jail and enable quotas
> 2) Set up suphp to run the php scripts as an unprivileged non-www user,
> make sure to run php in safe_mode
> 3) Make sure the database user (it's not using "root", right?) only
> has privileges to access its tables, and better yet restrict that to
> the normal table operations (DELETE, UPDATE, SELECT, INSERT) if the
> application isn't doing anything fancy.
>
> --
> Anish Mistry

---
Chad Leigh -- Shire.Net LLC
Your Web App and Email hosting provider
chad at shire.net
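
The read-only nullfs layout suggested in the reply above can be checked mechanically. The following is an added example, not part of the original thread: a POSIX shell check that reads a jail's fstab on stdin and reports system directories that have no nullfs entry or are not mounted read-only. The jail path `/jails/demo`, the directory list and the sample fstab are constructed assumptions.

```shell
#!/bin/sh
# Added example: audit a jail fstab for read-only nullfs system mounts.
# The jail root, directory list and sample fstab below are assumptions.

# System directories that should be read-only inside the jail.
SYSTEM_DIRS="/bin /sbin /lib /usr"

# audit_jail_fstab JAIL_ROOT  (fstab contents on stdin)
# Prints one line per problem and returns 1 if any were found:
#   MISSING <dir>   no nullfs entry mounts onto JAIL_ROOT<dir>
#   WRITABLE <dir>  the effective entry lacks the "ro" option
audit_jail_fstab() {
    awk -v root="$1" -v dirs="$SYSTEM_DIRS" '
        BEGIN { n = split(dirs, want, " ") }
        NF < 4 || $1 ~ /^#/ { next }       # skip blanks, comments, short lines
        $3 == "nullfs" {
            ro = "rw"
            m = split($4, opt, ",")
            for (i = 1; i <= m; i++) if (opt[i] == "ro") ro = "ro"
            state[$2] = ro                  # a later mount overlays an earlier one
        }
        END {
            bad = 0
            for (i = 1; i <= n; i++) {
                mp = root want[i]
                if (!(mp in state))         { print "MISSING " want[i];  bad = 1 }
                else if (state[mp] != "ro") { print "WRITABLE " want[i]; bad = 1 }
            }
            exit bad
        }'
}

# Constructed sample fstab for a hypothetical jail at /jails/demo:
# /lib is mounted writable and /usr has no entry at all.
sample_fstab() {
    cat <<'EOF'
# device         mountpoint        fstype  options  dump pass
/bin             /jails/demo/bin   nullfs  ro       0 0
/sbin            /jails/demo/sbin  nullfs  ro       0 0
/lib             /jails/demo/lib   nullfs  rw       0 0
/jails/demo-var  /jails/demo/var   nullfs  rw       0 0
EOF
}

sample_fstab | audit_jail_fstab /jails/demo || echo "jail fstab needs fixing"
```

Writable entries for `var` and `etc` are expected in this layout and are deliberately not flagged.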