Firewall Wizards mailing list archives
Re: Web server security?
From: "Paul D. Robertson" <paul () compuwar net>
Date: Tue, 22 Jun 2004 08:01:39 -0400 (EDT)
On Tue, 22 Jun 2004, Steffen Kluge wrote:
> Upon further delving into the matter, I found that the SELinux community reckons they're adding value mainly in situations where you run various different services on a single machine. They seem to think SELinux is
While separation is certainly good in that case, it's also very good in the "this service can't be compromised from this vector" case if the TCB is extended into the network stack (à la Red Book B2.) For instance, the ability to lock down content by MAC compartment so that you can only modify it if you're coming in from one specific IP address is at least "interesting."
> probably not worthwhile for "single-trick ponies", since its main purpose is to isolate unrelated subsystems from each other (such as keeping a hacked web server from messing with IMAP accounts).
I prefer RSBAC for a bunch of reasons, but if someone's done the hard bit for SELinux, I'd do that instead. The core capability stuff is certainly interesting for generic kernels, but I'm really looking to lock down a server pretty well. FC2 is only interesting to me in that it contains Exec Shield, which should take away stack and heap overflows, leaving us perhaps with just return-into-libc exploits and software bugs... I've got a kernel module that needs dusting off that doesn't allow daemons to execve, which makes things a little better for that last vector...
> I tend to set up my Internet exposed servers to run exactly one service (plus SSH, not exposed to the outside world), and strip them down accordingly. I concluded that SELinux isn't going to be worth the trouble in these cases. If you are concerned about web-only servers you might end up reaching the same conclusion.
Nope, I'm going to put SSL on my personal server in an attempt to sell some of my photography, and I know the additional complexity is going to require more frequent updates. It's also about time for more Apache issues, and I'm starting to mess with gcgi much more. The combination of things means that I need to lock down what's there, since those services will have to be exposed anyway. UML's interesting, since it would mean I could just get another IP address spun up for administrative chores, and maybe even look at some interesting architectures that would limit exposure to that at my colo provider. Additionally, if I can do a DockmasterII-alike Apache daemon, where the user's Web credentials set their MAC level and/or role, then I can start playing with more interesting ideas. My alternative is to go to a VPS and let the provider worry about updates, but where's the fun in that?

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
paul () compuwar net       which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment TruSecure Corporation
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards