Hello, We're migrating a webserver from RedHat 7.x to CentOS 4.2. In the process, we'd like to improve security. We're currently planning on making sure SELinux is enabled, mounting the /tmp partition noexec, and running PHP in safe mode, hide_errors on, register_globals off by default. vsftpd is set to chroot logins. I've seen Apache run inside a chroot jail, but that was always very hassle-prone, and ironically, when security updates came out, they weren't applied within the chroot jail, (eg, installed via yum) making it more likely to get compromised! Is there an easier/better way to do this? Can you mix/match chroot'ed websites with those that aren't, without running a wholy separate webserver daemon? What other actions would the knowledgeable crowd here suggest? -Ben -- "The best way to predict the future is to invent it." - XEROX PARC slogan, circa 1978
> I've seen Apache run inside a chroot jail, but that was always very > hassle-prone, and ironically, when security updates came out, they weren't > applied within the chroot jail, (eg, installed via yum) making it more likely > to get compromised! Is there an easier/better way to do this? Can you > mix/match chroot'ed websites with those that aren't, without running a wholy > separate webserver daemon? > > What other actions would the knowledgeable crowd here suggest?SELinux and php in safe mode should take care of most of the problems. I'd recommend is going through the config and unloading the modules you don't need. I'd also recommend putting some time into mod_security. With a proper mod_security config and selinux, you can stop nearly everything thrown at the webserver. If someone manages to make it through an updated apache, selinux, php in safe mode, and mod_security.... they've EARNED that compromise. Beyond that, just the usual "keep your webapps updated" blah blah blah. -- "They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety'' Benjamin Franklin 1775