Security Basics mailing list archives

Re: To chroot or not to chroot?

From: darren kirby <bulliver () badcomputer org>
Date: Thu, 24 Nov 2005 13:45:59 -0800

quoth the Martín Villalba:

Hi, list! Maybe you can help me with this: I'm about to install a
webserver, which should have an http server, webmail, php support,
dns, ftp, remote login and a couple more things. Obviously, with all
those ports open, I must take every security measure I know (and some
I don't). But here comes my doubt: should I jail the webserver with
chroot? My first thought was "Duh, yes!", but thinking about it,
having all those services running at the same time, do I really make
any difference? It seems to me that in such environment a cracker (no,
i'm not writing "hacker") could do anything he (maybe she?) wants...


I am no security expert, but I do run  a setup identical to what you are 
implementing (minus the FTP and webmail) so here's my 2 cents (feel free to 
reply if I say something dumb 'real' experts ...).

My understanding of chroot, is that if the service is compromised, then the 
attacker has a very limited set of commands available, not much more than 
shell builtins. And also, each service would be chrooted individually. So 
unless you help the cracker by putting netcat, wget, and gcc in  your chroot 
it doers offer a lot of advantages.

Why do you need the DNS server? If it is only for the local LAN then simply 
change your firewall to only allow queries on the internal interface. Also, 
be sure to not allow zone transfers. DNS should be chrooted (the named docs 
imply this is the best way).

For FTP I recommend vsftpd in a chroot, but as mentioned, I don't use FTP 
so...

As for login, use sshd (of course) and only allow key-based authentication. 
This way crackers will not even get a login prompt to brute force. Also, be 
sure to disable root logins.

Ideas? Suggestions? Donations (cash, please)?
C-you

Martín


HTH,
Darren
-- 
darren kirby :: Part of the problem since 1976 :: http://badcomputer.org
"...the number of UNIX installations has grown to 10, with more expected..."
- Dennis Ritchie and Ken Thompson, June 1972

Attachment: _bin
Description:

Current thread:

To chroot or not to chroot? Martín Villalba (Nov 24)
- RE: To chroot or not to chroot? Jeroen van Meeuwen (Nov 24)
- Re: To chroot or not to chroot? Josh Tolley (Nov 25)
- Re: To chroot or not to chroot? darren kirby (Nov 25)