Re: running httpd in chroot jail

Does it make sense to block outgoing connections for a web server? There are some cases where our apps do connect to things like external APIs, and they do it on the backend, not necessarily in-browser.


On Fri, Jan 18, 2013 at 2:36 PM, P Fudd <pfudd@xxxxxxxxxxxx> wrote:
On 18 January 2013 16:31, Zachary Stern <zs@xxxxxxxxxxxxxxxxx> wrote:
> I wanted to get some opinions - do you folks think running httpd in a
> chroot jail is necessary on a server that only does httpd-serving and
> nothing else?

A chroot jail prevents a hacker from accessing anything you don't put in
the jail.  If you make everything read-only inside the jail, a hacker
would be hard-pressed to mess things up, and would only be able to copy
what is in the jail.  Definitely don't put writable /dev/sd* device files
in the jail, or expect your hard drive to get corrupted.

Hopefully you block outgoing connections and/or don't leave a copy of
netcat or telnet in there, so they can't use your machine as a jumping-off
point to hack someone else, or spew spam to the world.  I think users can
even use bash to connect to tcp ports on the net, so there's another thing
to block.

Cheers!
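The two points raised above (keep nothing writable or network-capable inside the jail; block outgoing connections except the ones the backend actually needs) can be checked and expressed with a short shell script. The following is an added example, not code from this thread or from the httpd project: it audits a chroot directory for the hazards the reply names and prints a default-deny egress ruleset keyed on the httpd service user. The jail path, the "apache" username, the documentation IP 203.0.113.10 as a backend API and the `-perm /022` GNU find syntax are assumptions.

```sh
#!/bin/sh
# Added example (not from the list thread). Audits a chroot directory for the
# hazards named in the reply and prints egress rules for the httpd user.
# Assumptions: GNU find, the "apache" user, and constructed demo paths.

# audit_jail JAIL : one "<kind> <path>" line per finding; nothing if clean
audit_jail() {
    jail=$1
    # Writable block devices: a compromised httpd could overwrite the host disk
    find "$jail" -type b -perm /022 2>/dev/null | sed 's/^/writable-blockdev /'
    # Disk-like names under dev/, even if copied in as plain files by mistake
    find "$jail/dev" \( -name 'sd*' -o -name 'nvme*' -o -name 'hd*' \) 2>/dev/null \
        | sed 's/^/disk-device-name /'
    # World-writable files or directories: the jail is supposed to be read-only
    find "$jail" \( -type f -o -type d \) -perm -0002 2>/dev/null \
        | sed 's/^/world-writable /'
    # Network clients that would turn the jail into a jumping-off point
    find "$jail" -type f \( -name nc -o -name ncat -o -name netcat -o -name telnet \) \
        2>/dev/null | sed 's/^/net-client /'
    # bash can open TCP sockets on its own via /dev/tcp/<host>/<port> redirection
    find "$jail" -type f -name bash 2>/dev/null | sed 's/^/bash-devtcp /'
}

# finding_count JAIL : number of audit findings, as a plain integer
finding_count() {
    audit_jail "$1" | wc -l | tr -d ' '
}

# ro_mount_cmd JAIL : the mount commands that make the whole jail read-only
# (a read-only bind mount; the jail then needs a separate writable log area)
ro_mount_cmd() {
    echo "mount --bind '$1' '$1' && mount -o remount,bind,ro '$1'"
}

# egress_rules USER HOST:PORT... : iptables lines that let USER reach only the
# listed backend APIs plus DNS, and reject everything else it originates.
# Replies to inbound HTTP clients pass via the conntrack rule emitted first.
egress_rules() {
    user=$1; shift
    echo "iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A OUTPUT -m owner --uid-owner $user -p udp --dport 53 -j ACCEPT"
    for dest in "$@"; do
        host=${dest%:*}; port=${dest##*:}
        echo "iptables -A OUTPUT -m owner --uid-owner $user -d $host -p tcp --dport $port -j ACCEPT"
    done
    echo "iptables -A OUTPUT -m owner --uid-owner $user -j REJECT"
}

# demo : builds a constructed jail with every hazard present, audits it,
# then shows the mount and egress commands for it (nothing is applied)
demo() {
    jail=$(mktemp -d)
    mkdir -p "$jail/bin" "$jail/dev" "$jail/etc"
    : > "$jail/bin/httpd"; : > "$jail/bin/nc"; : > "$jail/bin/bash"
    : > "$jail/dev/sda"                      # constructed: a copied "disk"
    : > "$jail/etc/httpd.conf"; chmod 666 "$jail/etc/httpd.conf"
    echo "findings in $jail: $(finding_count "$jail")"
    audit_jail "$jail"
    ro_mount_cmd "$jail"
    egress_rules apache 203.0.113.10:443      # 203.0.113.10 = assumed backend API
    rm -rf "$jail"
}
demo
```

The egress list answers the question about backend API calls: the default is to reject what the service user originates, then allow each API destination explicitly; a new outbound connection attempt from the jail that is not on that list is both blocked and visible in the REJECT counters.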

