Date: Thu, 20 Jan 2005 10:52:05 +0200
From: Thanos Tsouanas <thanos@sians.org>
To: freebsd-questions@freebsd.org
Subject: Re: Security for webserver behind router?
Message-ID: <20050120085205.GA5537@kender.sians.org>
In-Reply-To: <LOBBIFDAGNMAMLGJJCKNAEBGFAAA.tedm@toybox.placo.com>
References: <20050120074624.GA3246@kender.sians.org> <LOBBIFDAGNMAMLGJJCKNAEBGFAAA.tedm@toybox.placo.com>

On Thu, Jan 20, 2005 at 12:27:01AM -0800, Ted Mittelstaedt wrote:
> > Just how much secure do you want to be?  You can run apache
> > chrooted in its directory.  That basically means, that if
> > apache is installed at /var/www/ , you can set it so that it
> > isn't aware of anything that's not under /var/www/
> >
> > So, even if a security hole is found on apache, and someone does
> > manage to break in, they won't be able to do much to the system,
> > nor gain information about it, but will only be able to deal
> > with /var/www/* ...
>
> Not true.  Naturally this is more of an academic discussion since
> the vast majority of cracks are perpetuated against Windows.
>
> If they get access to the CGI directory they can launch attacks
> against the loopback address 127.0.0.1 and thus have access to
> all services on the server, including the ones that are behind
> the firewall.  They can also attack other hosts on the same subnet
> and compromise those then head back to the apache box.

Have you actually done such a thing with obsd?  Please let me know how
you did it, and let it not include a httpd -u flag on the apache, nor
things like chmod -R 777 / .... ;)

> They can fill the disk up and if /var/tmp is on there then
> things might stop working.

Of course /var/tmp is not in /var/www...

> And of course, if the server isn't configured all that well they
> might find a script that some cronjob is executing, that is
> located down in the chrooted directory and install their stuff
> there.

Ok, so you put scripts under /var/www/ for use with cronjob.. is this
stupid or what?

> > If security is all that matters, you might want to have a look
> > at OpenBSD's approach, which runs a modified apache version,
> > chrooted by default.
>
> OpenBSD's approach to security is designed to allow Theo de Raadt
> to run around and lecture everyone else about how crappy their
> security is.  Out of the box an OpenBSD server is pretty useless.
> Secure but useless.  To get it to do anything you have to start
> turning on things, (like the webserver, etc.) and it's those
> things that get broken into.

You obviously never used it.  But the point is not to talk about obsd
on a fbsd list, is it?  The guy needs suggestions, and i gave him the
best i could think of.  See the strength points of each os, don't just
act childish defending your fave.  We would have the same discussion a
year ago if i had suggested to a guy asking for firewalls to use pf.
Of course, now pf is in freebsd so you would accept it as good.

> It's like when Microsoft ran around claiming that Windows NT 3.51
> was "C4" security compliant (Air Force manual 33-270) everyone
> was really impressed but what Microsoft didn't tell you is that
> NT only met C4 security when it didn't have a network adapter
> installed!!!

Yes you are right.  It's like that.  You are funny.

> > P.S. Running apache chrooted is a great idea, and that's how my
> >      httpd is running, but it can be a PITA if you try to
> >      install it without understanding how it works.
>
> I'm sure you feel more secure running it like that, if it makes
> you happy, go for it.  Me, I'm not going to be shutting down
> my DMZ any time soon.

Sure, if it makes you happy don't use it.  Who cares.

P.S. No point of this being in the list, so if you want a reply on
     this thread mail me personally.

-- 
Thanos Tsouanas <thanos@sians.org> .: Sians
http://thanos.sians.org/ .: http://www.sians.org/