[Techtalk] Re: Server was hacked into; looking for tips on how to secure it

Alain Tesio alain at onesite.org
Mon Feb 24 21:47:49 EST 2003

On Mon, 24 Feb 2003 05:08:52 -0500
Raven Alder <raven at oneeyedcrow.net> wrote:

> > > Maybe there's a way to run Apache in a chroot jail or something?  Of
> > > course, I barely understand what that term means.
> > 
> > There's all kinds of great books and articles on Apache. It's quite
> > secure-able, I don't know about using a chroot jail. Postfix runs
> > happily inside a chroot jail.

Hi, some advertisement for a script I wrote, makejail which automatizes almost all
usual things you need to do to build and update a chroot jail, like finding which
librairies are used, which config files it needs, ...
There are some debian packages in unstable and testing.

Look at the sample configuration files on this page to get a quick idea of what
it needs to build the jail by itself.

> 	The real kicker is the logs.  If you keep them in the chroot
> jail, any attacker that can become the Apache user can likely monkey
> with the logs.

> If you put them out of the jail, that makes it a lot easier to break the jail.

Can you explain this ?

> You can log them to an external box as well
> as keeping them within the jail -- this is generally my preferred
> solution, but make sure you have secure logging set up.  Wouldn't want
> an attacker that got your Web server to be able to get the syslog server
> too.

For syslog, you can tell the ksyslogd daemon to create an additional
socket inside the jail, with "-a /path/to/jail/dev/log", but for apache, I don't
think it logs anything to syslog.

About the apache log files, a simple solution if you can't afford a specific log box
is to have a process which duplicates the file, like "tail -f $file_in_jail > $file_outside_jail",
don't forget to handle it when you rotate the log files.


More information about the Techtalk mailing list