[Techtalk] Re: Server was hacked into; looking for tips on how to secure it

Raven Alder raven at oneeyedcrow.net
Mon Feb 24 06:08:52 EST 2003


Heya --

Quoth Carla Schroder (Sun, Feb 23, 2003 at 11:20:09PM -0800):
> > I don't think there are known exploits against BIND 9, although
> > there were against BIND 8. 
> 
> Feh on BIND in any form.
> http://www.isc.org/products/BIND/bind-security.html, for one example.
> You're much better off using djbdns. I cannot say if BIND had
> anything to do with your system getting cracked, but why risk it. 
	
	Yes and no.  BIND is pretty notorious for security problems.
It's got memory leaks on some versions, its default config is not the
most secure (though that has gotten a lot better than it used to be),
and you may need to patch frequently.  However, djbdns has amazingly
poor and unhelpful documentation, serious interoperability problems, and
only implements those parts of the RFCs that djb likes.

	But everyone needs DNS.  It's the devil and the deep blue sea.
Pick which set of problems you would rather deal with.  [grin]

BIND 9 exploits:
http://www.sfu.ca/~siegert/linux-security/msg00127.html
http://www.cert.org/advisories/CA-2002-15.html
 
> > Maybe there's a way to run Apache in a chroot jail or something?  Of
> > course, I barely understand what that term means.
> 
> There's all kinds of great books and articles on Apache. It's quite
> secure-able, I don't know about using a chroot jail. Postfix runs
> happily inside a chroot jail.

	There is indeed a way to run Apache in a chroot jail.
Basically, what that means is that you lock the Apache process and all
its data to a subsection of your filesystem and it's not aware of
anything outside of that.  So even if the attacker gains the privileges
of the Apache user, they won't be able to get to anything outside of
that chroot jail (that section of the filesystem and the processes
within it).  This makes privilege escalation much more difficult.

	The real kicker is the logs.  If you keep them in the chroot
jail, any attacker that can become the Apache user can likely monkey
with the logs.  If you put them out of the jail, that makes it a lot
easier to break the jail.  You can log them to an external box as well
as keeping them within the jail -- this is generally my preferred
solution, but make sure you have secure logging set up.  Wouldn't want
an attacker that got your Web server to be able to get the syslog server
too.

Chrooting Apache:
http://penguin.epfl.ch/chroot.html

Googling should yield other results.  Post if you have problems with
this -- I've chrooted a lot of servers in my time and may be able to
help.

Cheers,
Raven
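
An added example, not part of the original post: a Python check that lists what a process running as the Apache user could modify inside a jail directory, which is the log-tampering exposure described above. The jail path and the uid/gid values in the usage comment are assumptions; substitute your own.

```python
import os
import stat
import sys

def can_write(st, uid, gids):
    """POSIX mode-bit check: exactly one of owner/group/other applies."""
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)

def audit_jail(jail_root, uid, gids):
    """Return sorted (kind, relative_path) findings for the service user.

    kind is "file" (contents can be rewritten), "dir" (entries can be
    deleted or replaced, so logs inside can be swapped out) or "setid"
    (setuid/setgid file, a common way back to higher privileges).
    ACLs, capabilities and the sticky bit are not considered.
    """
    findings = []
    if can_write(os.lstat(jail_root), uid, gids):
        findings.append(("dir", "."))
    for dirpath, dirnames, filenames in os.walk(jail_root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # symlink mode bits carry no permission meaning
            rel = os.path.relpath(path, jail_root)
            is_dir = stat.S_ISDIR(st.st_mode)
            if can_write(st, uid, gids):
                findings.append(("dir" if is_dir else "file", rel))
            if not is_dir and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                findings.append(("setid", rel))
    return sorted(findings)

if __name__ == "__main__":
    # Usage with assumed values: audit_jail.py /chroot/httpd 48 48
    if len(sys.argv) == 4:
        jail, uid, gid = sys.argv[1], int(sys.argv[2]), int(sys.argv[3])
        for kind, rel in audit_jail(jail, uid, {gid}):
            print(f"{kind:5} {rel}")
```

Any "file" or "dir" finding under the jail's log directory means the in-jail copy of the logs should not be trusted after a compromise, which is where the external copy earns its keep.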


