Re: [users@httpd] Problem Starting Apache Chrooted

If your Apache version has vulnerabilities and it is chrooted,
unless the jail is broken, the restricted file system of the jail will be
compromised, not the whole system.

It limits damage; after that you need to improve security at layer 7
(Application Layer).
Do not use modules that have security issues, prevent users from executing CGI,
use strong authentication, SSL, etc.

Kind Regards,

Farid


On Fri, 4 Mar 2005 11:10:33 +0200, John <isofroni@xxxxxxxxx> wrote:
> Well, fortunately the invader will not access the system unless he breaks the
> chroot() function of the kernel.
> 
> 
> ----- Original Message -----
> From: "Ivan Barrera A." <Bruce@xxxxxx>
> To: <users@xxxxxxxxxxxxxxxx>
> Sent: Thursday, March 03, 2005 2:31 PM
> Subject: Re: [users@httpd] Problem Starting Apache Chrooted
> 
> > > I suppose you mean the actual chroot and not mod_chroot or mod_security
> > > (???)
> > >
> > >
> > > Let me ask you something.
> > > If an apache version is vulnerable, and someone using a script or
> > > something manages to install a backdoor on the server (let's say /tmp,
> > > that means /chroot/tmp)
> > > Could he install it and then open the port?
> >
> > They could.
> > But, if they log in (suppose a login backdoor) they'll see the chrooted
> > env.
> > You must take more security measures to avoid that. I prefer having tmp
> > mounted as noexec. Obviously, that doesn't work if someone uploads a perl
> > script and then executes perl to launch it... but every measure counts.
> >
> >
> > >
> > > Give me some more advantages on actual chroot.
> > >
> > >
> > > Thanks in advance.
> > >
> > >
> > > ----- Original Message -----
> > > From: "Farid Izem" <farid.izem@xxxxxxxxx>
> > > To: <users@xxxxxxxxxxxxxxxx>
> > > Sent: Wednesday, March 02, 2005 7:45 PM
> > > Subject: Re: [users@httpd] Problem Starting Apache Chrooted
> > >
> > >
> > >
> > >>Didn't look at the security issues as I was trying to understand the
> > >>chroot mechanism,
> > >>not only for Apache but also for Squid and bind!
> > >>
> > >>I think this module can increase the security in the near future !
> > >>
> > >>Kind Regards,
> > >>
> > >>Farid.
> > >>
> > >>
> > >>On Wed, 2 Mar 2005 15:21:22 +0200, John <isofroni@xxxxxxxxx> wrote:
> > >>
> > >>>Ok, but if you look in the bug history then you will find that
> > >>>mod_security has been suffering
> > >>>from various security problems.
> > >>>
> > >>>I have heard that it is a good module for chroot and other security
> > >>>hardening.
> > >>>
> > >>>
> > >>>----- Original Message -----
> > >>>From: "Farid Izem" <farid.izem@xxxxxxxxx>
> > >>>To: <users@xxxxxxxxxxxxxxxx>
> > >>>Sent: Wednesday, March 02, 2005 10:33 AM
> > >>>Subject: Re: [users@httpd] Problem Starting Apache Chrooted
> > >>>
> > >>>
> > >>>>Yes, I said mod_security, not mod_chroot:
> > >>>>Take a look at:
> > >>>>
> > >>>>http://www.modsecurity.org/documentation/apache-internal-chroot.html
> > >>>
> > >>>>Best Regards,
> > >>>>
> > >>>>Farid.
> > >>>>
> > >>>>On Tue, 1 Mar 2005 20:53:39 +0200, John <isofroni@xxxxxxxxx> wrote:
> > >>>>
> > >>>>>----- Original Message -----
> > >>>>>From: "Farid Izem" <farid.izem@xxxxxxxxx>
> > >>>>>To: <users@xxxxxxxxxxxxxxxx>
> > >>>>>Sent: Tuesday, March 01, 2005 7:39 PM
> > >>>>>Subject: Re: [users@httpd] Problem Starting Apache Chrooted
> > >>>>>
> > >>>>>
> > >>>>>>Not yet thinking on !
> > >>>>>>I compiled my apache from the latest source before chrooting it.
> > >>>>>>Maybe using a shell script using the ldd command may be the first way
> > >>>>>>to look at.
> > >>>>>
> > >>>>>>Using the rpm httpd file and mod_security is the easiest solution to
> > >>>>>>upgrade,
> > >>>>>>because mod_security provides a simple solution to chroot apache
> > >>>>>>easily.
> > >>>>>>There are some limits to this mechanism but maybe it could be
> > >>>>>>enough for you.
> > >>>>>
> > >>>>>>Any ideas on are welcome !
> > >>>>>>
> > >>>>>>Kind Regards,
> > >>>>>>
> > >>>>>>Farid
> > >>>>>>
> > >>>>>>
> > >>>>>
> > >>>>>mod_security or mod_chroot ?
> > >>>>>mod_chroot is more focused on chrooting apache's process I think.
> > >>>>>
> > >>>>>What are the limitations you mentioned on this mechanism?
> > >>>>>
> > >>>>
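
The two practical points raised in the thread, Farid's idea of an ldd-driven shell script to find what a chrooted binary needs and Ivan's noexec /tmp mount, as one added example. This is editor-supplied code, not code from the thread, from Apache or from mod_security. The jail path /chroot and the binary passed on the command line are assumptions for illustration; ldd executes the dynamic loader, so only run this against binaries you trust, never against a file uploaded into the jail. Note also, as the thread's own caveats imply, that a noexec /tmp does not stop an interpreter already inside the jail from running an uploaded script, and a process that is root inside a chroot can generally break out of it, so the jail should run as an unprivileged user.

```shell
#!/bin/sh
# Added example, not code from the thread, Apache or mod_security.
# Assumptions: the jail lives at /chroot and the binary passed in is
# trusted (ldd runs the dynamic loader, so never point it at an
# untrusted or attacker-uploaded file).

# Print the absolute library paths found in ldd output read from stdin.
# Handles "name => /path (addr)" and bare "/path (addr)" lines and skips
# the vDSO (which has no path) and "statically linked" output.
ldd_libs() {
    awk '
        /statically linked/ { next }
        /=>/               { if ($3 ~ /^\//) print $3; next }
        $1 ~ /^\//         { print $1 }
    '
}

# Copy one file into the jail under the same absolute path.
jail_copy() {
    jail=$1; src=$2
    mkdir -p "$jail$(dirname "$src")"
    cp -p "$src" "$jail$src"
}

# Copy a binary plus every shared object ldd reports for it.
jail_install() {
    jail=$1; bin=$2
    jail_copy "$jail" "$bin"
    ldd "$bin" | ldd_libs | while read -r lib; do
        jail_copy "$jail" "$lib"
    done
}

# Exit 0 when the mount table read from stdin (the /proc/mounts format)
# shows the given mount point carrying the noexec option, else exit 1.
mount_is_noexec() {
    awk -v mp="$1" '
        $2 == mp { n = split($4, o, ","); for (i = 1; i <= n; i++) if (o[i] == "noexec") found = 1 }
        END      { exit !found }
    '
}

# Usage: sh jail.sh /chroot /usr/sbin/httpd
if [ -n "${1:-}" ] && [ -n "${2:-}" ]; then
    jail_install "$1" "$2"
    if mount_is_noexec "$1/tmp" < /proc/mounts; then
        echo "$1/tmp is mounted noexec"
    else
        echo "warning: $1/tmp is not mounted noexec" >&2
    fi
fi
```

Run it once per binary the jail must hold (httpd itself, then any helpers such as a shell or interpreter you deliberately allow), and re-run it after every package upgrade, since the copied libraries inside the jail do not get patched by the system package manager.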

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx


