Thank-You for the feedback. I have 1 computer and I run iptables with shorewall, along with many security features for mysql and apache. I also run the latest kernel with grsecurity. I''m thinking I don''t need a chroot-jail. >From: Tom Eastep <teastep@shorewall.net> >Reply-To: Mailing List for Shorewall Users <shorewall-users@lists.shorewall.net> >To: Mailing List for Shorewall Users <shorewall-users@lists.shorewall.net> >Subject: Re: [Shorewall-users] [OT] A question about "jailing" >Date: Thu, 08 Jul 2004 09:19:39 -0700 > >Nick . wrote: > >> >> Here is my question. I have two hard drives, / and hd2. I have >>Fedora Core 2 on / (with the bott partition and swap) and /hd2 is 1 >>partition and empty. What I have been doing is installing all of my >>website (MySQL, Apache, php, etc..) on /hd2. I am wondering if it >>is worth "jailing" /hd2, or even if it''s possible. I host only my >>site and noone has any access to my computer but me. I take other >>security measures for MySQL and Apache etc. Is jailing everything >>worth it? >> > >By _jailing_, I assume that you mean chroot jails. > >The theory behind a chroot jail is that if a process running inside >the jail is compromised through a buffer overflow or other means, >then the damage is limited by the jail. This assumes that nothing >accessible from outside the jail runs as root because root can >easily escape the jail. > >You *really* have to know what you are doing to set up a chroot jail >and in most cases, you have to manually maintain the software >inside the jail (the jail has to have a complete copy of everything >needed to run the application including libraries, programs >(including common utilities), and environment (the jail must have >it''s own /etc directory for example). > >Most people would be better off using two systems -- one for the >firewall and one for the server. The firewall can be a bare-bones >box (if you run something like LEAF (http://leaf.sf.net), then the >firewall doesn''t even need a hard drive). That way, if the server >gets compromised, the firewall is still intact and if the server is >in a DMZ then the firewall still sits between the compromised server >and the rest of your network. > >The other alternative is to run UML (User-mode Linux) or VMware on >the firewall and run your servers inside that isolated environment. > >My $.02 worth... > >-Tom >-- >Tom Eastep \ Nothing is foolproof to a sufficiently talented fool >Shoreline, \ http://shorewall.net >Washington USA \ teastep@shorewall.net > >_______________________________________________ >Shorewall-users mailing list >Post: Shorewall-users@lists.shorewall.net >Subscribe/Unsubscribe: >https://lists.shorewall.net/mailman/listinfo/shorewall-users >Support: http://www.shorewall.net/support.htm >FAQ: http://www.shorewall.net/FAQ.htm _________________________________________________________________ MSN Premium with Virus Guard and Firewall* from McAfee® Security : 2 months FREE* http://join.msn.com/?pgmarket=en-ca&page=byoa/prem&xAPID=1994&DI=1034&SU=http://hotmail.com/enca&HL=Market_MSNIS_Taglines