Date: Thu, 20 Jan 2005 00:27:01 -0800
From: "Ted Mittelstaedt" <tedm@toybox.placo.com>
To: "Thanos Tsouanas" <thanos@sians.org>, <freebsd-questions@freebsd.org>
Subject: RE: Security for webserver behind router?
Message-ID: <LOBBIFDAGNMAMLGJJCKNAEBGFAAA.tedm@toybox.placo.com>
In-Reply-To: <20050120074624.GA3246@kender.sians.org>

> -----Original Message-----
> From: owner-freebsd-questions@freebsd.org
> [mailto:owner-freebsd-questions@freebsd.org]On Behalf Of
> Thanos Tsouanas
> Sent: Wednesday, January 19, 2005 11:46 PM
> To: freebsd-questions@freebsd.org
> Subject: Re: Security for webserver behind router?
>
>
> Just how much secure do you want to be?  You can run apache
> chrooted in its directory.  That basically means, that if
> apache is installed at /var/www/ , you can set it so that it
> isn't aware of anything that's not under /var/www/
>
> So, even if a security hole is found on apache, and someone does
> manage to break in, they won't be able to do much to the system,
> nor gain information about it, but will only be able to deal
> with /var/www/* ...
>

Not true. Naturally this is more of an academic discussion since
the vast majority of cracks are perpetrated against Windows.

If they get access to the CGI directory they can launch attacks against
the loopback address 127.0.0.1 and thus have access to all services on
the server, including the ones that are behind the firewall. They can
also attack other hosts on the same subnet and compromise those then
head back to the apache box. They can fill the disk up and if /var/tmp
is on there then things might stop working. And of course, if the
server isn't configured all that well they might find a script that
some cronjob is executing, that is located down in the chrooted
directory and install their stuff there.

> If security is all that matters, you might want to have a look
> at OpenBSD's approach, which runs a modified apache version,
> chrooted by default.
>

OpenBSD's approach to security is designed to allow Theo de Raadt to
run around and lecture everyone else about how crappy their security is.
Out of the box an OpenBSD server is pretty useless. Secure but useless.
To get it to do anything you have to start turning on things, (like the
webserver, etc.) and it's those things that get broken into.

It's like when Microsoft ran around claiming that Windows NT 3.51 was
"C4" security compliant (Air Force manual 33-270) everyone was really
impressed but what Microsoft didn't tell you is that NT only met C4
security when it didn't have a network adapter installed!!!

> P.S. Running apache chrooted is a great idea, and that's how my
>      httpd is running, but it can be a PITA if you try to
>      install it without understanding how it works.
>

I'm sure you feel more secure running it like that, if it makes you
happy, go for it. Me, I'm not going to be shutting down my DMZ any
time soon.

Ted
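
The last failure mode raised in the reply above, a cron job that runs a script located inside the chrooted directory, can be audited mechanically. The following is an added example, not part of the original message: the crontab content is a constructed sample in /etc/crontab layout, and the function names are hypothetical.

```python
import posixpath
import re
import shlex

CHROOT = "/var/www"  # chroot directory named in the thread

# Constructed sample in /etc/crontab format: schedule, user, command.
SAMPLE_CRONTAB = """\
# /etc/crontab (constructed sample)
SHELL=/bin/sh
PATH=/sbin:/bin:/usr/sbin:/usr/bin
*/5  *  *  *  *  root  /usr/libexec/atrun
0    3  *  *  *  root  /bin/sh /var/www/scripts/rotate-logs.sh
@daily           root  /var/www/../../usr/local/sbin/backup.sh
15   4  *  *  6  root  /var/www-old/bin/sync.sh
"""

ENV_LINE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*\s*=")


def inside(path, root):
    """True if path, after collapsing '..' segments, lies under root.

    The check is lexical only; symlinks are not resolved.
    """
    path = posixpath.normpath(path)
    root = posixpath.normpath(root)
    return path == root or path.startswith(root + "/")


def jobs_touching_chroot(crontab_text, root=CHROOT):
    """Return (line_no, user, path) for each job naming a path under root."""
    findings = []
    for line_no, line in enumerate(crontab_text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#") or ENV_LINE.match(line):
            continue  # comment, blank line, or environment assignment
        # '@daily' style entries have one schedule field, others have five.
        skip = 1 if line.startswith("@") else 5
        fields = line.split(None, skip + 1)
        if len(fields) < skip + 2:
            continue  # malformed or incomplete entry
        user, command = fields[skip], fields[skip + 1]
        for token in shlex.split(command):
            if token.startswith("/") and inside(token, root):
                findings.append((line_no, user, posixpath.normpath(token)))
    return findings


if __name__ == "__main__":
    for line_no, user, path in jobs_touching_chroot(SAMPLE_CRONTAB):
        print(f"line {line_no}: job run as {user} references {path}")
```

Any job it reports runs, with that user's privileges, a file that a process confined to the chroot may be able to modify; such scripts belong outside /var/www.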