Hello I know this question is not about shorewall but please don''t yell at me! I''ve been looking for this answer all over the net and can''t find and solid information on if I should do this or not, and you folks have been very helpful in the past :o). Here is my question. I have two hard drives, / and hd2. I have Fedora Core 2 on / (with the bott partition and swap) and /hd2 is 1 partition and empty. What I have been doing is installing all of my website (MySQL, Apache, php, etc..) on /hd2. I am wondering if it is worth "jailing" /hd2, or even if it''s possible. I host only my site and noone has any access to my computer but me. I take other security measures for MySQL and Apache etc. Is jailing everything worth it? Thanks alot for the advice. _________________________________________________________________ Add photos to your messages with MSN Premium. Get 2 months FREE* http://join.msn.com/?pgmarket=en-ca&page=byoa/prem&xAPID=1994&DI=1034&SU=http://hotmail.com/enca&HL=Market_MSNIS_Taglines
Nick . wrote:> > Here is my question. I have two hard drives, / and hd2. I have Fedora > Core 2 on / (with the bott partition and swap) and /hd2 is 1 partition > and empty. What I have been doing is installing all of my website > (MySQL, Apache, php, etc..) on /hd2. I am wondering if it is worth > "jailing" /hd2, or even if it''s possible. I host only my site and noone > has any access to my computer but me. I take other security measures for > MySQL and Apache etc. Is jailing everything worth it? >By _jailing_, I assume that you mean chroot jails. The theory behind a chroot jail is that if a process running inside the jail is compromised through a buffer overflow or other means, then the damage is limited by the jail. This assumes that nothing accessible from outside the jail runs as root because root can easily escape the jail. You *really* have to know what you are doing to set up a chroot jail and in most cases, you have to manually maintain the software inside the jail (the jail has to have a complete copy of everything needed to run the application including libraries, programs (including common utilities), and environment (the jail must have it''s own /etc directory for example). Most people would be better off using two systems -- one for the firewall and one for the server. The firewall can be a bare-bones box (if you run something like LEAF (http://leaf.sf.net), then the firewall doesn''t even need a hard drive). That way, if the server gets compromised, the firewall is still intact and if the server is in a DMZ then the firewall still sits between the compromised server and the rest of your network. The other alternative is to run UML (User-mode Linux) or VMware on the firewall and run your servers inside that isolated environment. My $.02 worth... -Tom -- Tom Eastep \ Nothing is foolproof to a sufficiently talented fool Shoreline, \ http://shorewall.net Washington USA \ teastep@shorewall.net
At 09:53 AM 7/8/2004, Nick . wrote:> Here is my question. I have two hard drives, / and hd2. I have Fedora > Core 2 on / (with the bott partition and swap) and /hd2 is 1 partition > and empty. What I have been doing is installing all of my website (MySQL, > Apache, php, etc..) on /hd2. I am wondering if it is worth "jailing" > /hd2, or even if it''s possible. I host only my site and noone has any > access to my computer but me. I take other security measures for MySQL > and Apache etc. Is jailing everything worth it?You don''t chroot-jail partitions but services. So your question is whether it''s worthwhile to jail the services which use that partition. My answer would generally be that such an effort is positive but is likely not necessary (that is, not that much benefit given your description). It''s all about cost/benefit... is the benefit you get worth the time you spend on it? Only you can really answer that. Cheers, -- Rodolfo J. Paiz rpaiz@simpaticus.com http://www.simpaticus.com