[Techtalk] Re: Server was hacked into; looking for tips on how
to secure it
Alain Tesio
alain at onesite.org
Mon Feb 24 21:47:49 EST 2003
On Mon, 24 Feb 2003 05:08:52 -0500
Raven Alder <raven at oneeyedcrow.net> wrote:
> > > Maybe there's a way to run Apache in a chroot jail or something? Of
> > > course, I barely understand what that term means.
> >
> > There's all kinds of great books and articles on Apache. It's quite
> > secure-able, I don't know about using a chroot jail. Postfix runs
> > happily inside a chroot jail.
Hi, some advertisement for a script I wrote, makejail which automatizes almost all
usual things you need to do to build and update a chroot jail, like finding which
librairies are used, which config files it needs, ...
http://www.floc.net/makejail/
There are some debian packages in unstable and testing.
Look at the sample configuration files on this page to get a quick idea of what
it needs to build the jail by itself.
> The real kicker is the logs. If you keep them in the chroot
> jail, any attacker that can become the Apache user can likely monkey
> with the logs.
> If you put them out of the jail, that makes it a lot easier to break the jail.
Can you explain this ?
> You can log them to an external box as well
> as keeping them within the jail -- this is generally my preferred
> solution, but make sure you have secure logging set up. Wouldn't want
> an attacker that got your Web server to be able to get the syslog server
> too.
For syslog, you can tell the ksyslogd daemon to create an additional
socket inside the jail, with "-a /path/to/jail/dev/log", but for apache, I don't
think it logs anything to syslog.
About the apache log files, a simple solution if you can't afford a specific log box
is to have a process which duplicates the file, like "tail -f $file_in_jail > $file_outside_jail",
don't forget to handle it when you rotate the log files.
Alain
More information about the Techtalk
mailing list