From owner-freebsd-questions@FreeBSD.ORG Thu Jan 20 08:52:14 2005 Return-Path: Delivered-To: freebsd-questions@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id E8A2316A4CE for ; Thu, 20 Jan 2005 08:52:13 +0000 (GMT) Received: from kender.sians.org (adsl-ppp00.fastnet.gr [193.58.186.120]) by mx1.FreeBSD.org (Postfix) with ESMTP id 3854943D49 for ; Thu, 20 Jan 2005 08:52:12 +0000 (GMT) (envelope-from thanos@sians.org) Received: from kender.sians.org (thtsou@localhost.sians.org [127.0.0.1]) by kender.sians.org (8.13.0/8.13.0) with ESMTP id j0K8q8BD007096 for ; Thu, 20 Jan 2005 10:52:08 +0200 (EET) Received: (from thtsou@localhost) by kender.sians.org (8.13.0/8.13.0/Submit) id j0K8q5t9024384 for freebsd-questions@freebsd.org; Thu, 20 Jan 2005 10:52:05 +0200 (EET) X-Authentication-Warning: kender.sians.org: thtsou set sender to thanos@sians.org using -f Date: Thu, 20 Jan 2005 10:52:05 +0200 From: Thanos Tsouanas To: freebsd-questions@freebsd.org Message-ID: <20050120085205.GA5537@kender.sians.org> Mail-Followup-To: freebsd-questions@freebsd.org References: <20050120074624.GA3246@kender.sians.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.4.2i Subject: Re: Security for webserver behind router? X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 20 Jan 2005 08:52:14 -0000 On Thu, Jan 20, 2005 at 12:27:01AM -0800, Ted Mittelstaedt wrote: > > Just how much secure do you want to be? You can run apache > > chrooted in its directory. That basically means, that if > > apache is installed at /var/www/ , you can set it so that it > > isn't aware of anything that's not under /var/www/ > > > > So, even if a security hole is found on apache, and someone does > > manage to break in, they won't be able to do much to the system, > > nor gain information about it, but will only be able to deal > > with /var/www/* ... > > Not true. Naturally this is more of an academic discussion since > the vast majority of cracks are perpetuated against Windows. > > If they get access to the CGI directory they can launch attacks > against the loopback address 127.0.0.1 and thus have access to > all services on the server, including the ones that are behind > the firewall. They can also attack other hosts on the same subnet > and compromise those then head back to the apache box. Have you actually done such a thing with obsd? Please let me know how you did it, and let it not include a httpd -u flag on the apache, nor things like chmod -R 777 / .... ;) > They can fill the disk up and if /var/tmp is on there then > things might stop working. Of course /var/tmp is not in /var/www... > And of course, if the server isn't configured all that well they > might find a script that some cronjob is executing, that is > located down in the chrooted directory and install their stuff > there. Ok, so you put scripts under /var/www/ for use with cronjob.. is this stupid or what? > > If security is all that matters, you might want to have a look > > at OpenBSD's approach, which runs a modified apache version, > > chrooted by default. > > OpenBSD's approach to security is designed to allow Theo de Raadt > to run around and lecture everyone else about how crappy their > security is. Out of the box an OpenBSD server is pretty useless. > Secure but useless. To get it to do anything you have to start > turning on things, (like the webserver, etc.) and it's those > things that get broken into. You obviously never used it. But the point is not to talk about obsd on a fbsd list, is it? The guy needs suggestions, and i gave him the best i could think of. See the strength points of each os, don't just act childish defending your fave. We would have the same discussion a year ago if i had suggested to guy asking for firewalls to use pf. Of course, now pf is in freebsd so you would accept it as good. > It's like when Microsoft ran around claiming that Windows NT 3.51 > was "C4" security compliant (Air Force manual 33-270) everyone > was really impressed but what Microsoft didn't tell you is that > NT only met C4 security when it didn't have a network adapter > installed!!! Yes you are right. It's like that. You are funny. > > P.S. Running apache chrooted is a great idea, and that's how my > > httpd is running, but it can be a PITA if you try to > > install it without understainding how it works. > > I'm sure you feel more secure running it like that, if it makes > you happy, go for it. Me, I'm not going to be shutting down > my DMZ any time soon. Sure, if it makes you happy don't use it. Who cares. P.S. No point of this being in the list, so if you want a reply on this thread mail me personally. -- Thanos Tsouanas .: Sians http://thanos.sians.org/ .: http://www.sians.org/