Use a reverse proxy behind your Chrooted WebServer to filter the content.

Best Regards,

Farid

On Fri, 4 Mar 2005 11:10:33 +0200, John <isofroni@xxxxxxxxx> wrote:
> Well, fortunately the invader will not access the system unless he breaks the
> chroot() function of the kernel.
>
> ----- Original Message -----
> From: "Ivan Barrera A." <Bruce@xxxxxx>
> To: <users@xxxxxxxxxxxxxxxx>
> Sent: Thursday, March 03, 2005 2:31 PM
> Subject: Re: [users@httpd] Problem Starting Apache Chrooted
>
> > > I suppose you mean the actual chroot and not mod_chroot or mod_security
> > > (???)
> > >
> > > Let me ask you something.
> > > If an apache version is vulnerable, and someone using a script or something
> > > manages to install a backdoor on the server (let's say /tmp, that means
> > > /chroot/tmp)
> > > Could he install it and then open the port?
> >
> > They could.
> > But, if they log in (suppose a login backdoor) they'll see the chrooted env.
> > You must take more security measures to avoid that. I prefer having tmp
> > mounted as noexec. Obviously, that doesn't work if someone uploads a perl
> > script and then executes perl to launch it.. but every measure counts.
> >
> > > Give me some more advantages on actual chroot.
> > >
> > > Thanks in advance.
> > >
> > > ----- Original Message -----
> > > From: "Farid Izem" <farid.izem@xxxxxxxxx>
> > > To: <users@xxxxxxxxxxxxxxxx>
> > > Sent: Wednesday, March 02, 2005 7:45 PM
> > > Subject: Re: [users@httpd] Problem Starting Apache Chrooted
> > >
> > >>Didn't look at the security issues as I am trying to understand the
> > >>chroot mechanism
> > >>Not only for Apache but also for Squid and bind !
> > >>
> > >>I think this module can increase the security in the near future !
> > >>
> > >>Kind Regards,
> > >>
> > >>Farid.
> > >>
> > >>On Wed, 2 Mar 2005 15:21:22 +0200, John <isofroni@xxxxxxxxx> wrote:
> > >>
> > >>>Ok, but if you look in the bugs history then you will find that mod_security
> > >>>has been suffering
> > >>>from various security problems.
> > >>>
> > >>>I have heard that it is a good module for chroot and other security
> > >>>hardening.
> > >>>
> > >>>----- Original Message -----
> > >>>From: "Farid Izem" <farid.izem@xxxxxxxxx>
> > >>>To: <users@xxxxxxxxxxxxxxxx>
> > >>>Sent: Wednesday, March 02, 2005 10:33 AM
> > >>>Subject: Re: [users@httpd] Problem Starting Apache Chrooted
> > >>>
> > >>>>Yes, I said Mod_security not mod_chroot :
> > >>>>Take a look at :
> > >>>>http://www.modsecurity.org/documentation/apache-internal-chroot.html
> > >>>>
> > >>>>Best Regards,
> > >>>>
> > >>>>Farid.
> > >>>>
> > >>>>On Tue, 1 Mar 2005 20:53:39 +0200, John <isofroni@xxxxxxxxx> wrote:
> > >>>>
> > >>>>>----- Original Message -----
> > >>>>>From: "Farid Izem" <farid.izem@xxxxxxxxx>
> > >>>>>To: <users@xxxxxxxxxxxxxxxx>
> > >>>>>Sent: Tuesday, March 01, 2005 7:39 PM
> > >>>>>Subject: Re: [users@httpd] Problem Starting Apache Chrooted
> > >>>>>
> > >>>>>>Not yet thinking on !
> > >>>>>>I compiled my apache from the latest source before chrooting it.
> > >>>>>>Maybe using a shell script using ldd command may be the first way to look at.
> > >>>>>>Using rpm httpd file and mod_security is the easiest solution to upgrade
> > >>>>>>Because mod_security provides a simple solution to chroot easily apache.
> > >>>>>>There are some limits to this mechanism but maybe it could be enough for you.
> > >>>>>>
> > >>>>>>Any ideas on are welcome !
> > >>>>>>
> > >>>>>>Kind Regards,
> > >>>>>>
> > >>>>>>Farid
> > >>>>>>
> > >>>>>
> > >>>>>mod_security or mod_chroot ?
> > >>>>>mod_chroot is more focused on chrooting apache's process I think.
> > >>>>>
> > >>>>>What are the limitations you mentioned on this mechanism?
> > >>>>>
> > >>>>>---------------------------------------------------------------------
> > >>>>>The official User-To-User support forum of the Apache HTTP Server Project.
> > >>>>>See <URL:http://httpd.apache.org/userslist.html> for more info.
> > >>>>>To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
> > >>>>>   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
> > >>>>>For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
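
An added example, not part of the original thread: a small audit script for the two points raised above, namely whether the jail's tmp is mounted noexec and whether an interpreter inside the jail makes noexec ineffective. The function names, the searched directories and the interpreter list are assumptions for illustration.

```sh
#!/bin/sh
# Audit a chroot jail for the two points raised in the thread:
#   1. is <jail>/tmp its own mount with the noexec option?
#   2. are interpreters present in the jail that can run scripts from a noexec tmp?
# Function names, directories and the interpreter list are illustrative assumptions.

# tmp_mount_opts MOUNTS_FILE JAIL -> prints the mount options of JAIL/tmp, or nothing
tmp_mount_opts() {
    # /proc/mounts format: device mountpoint fstype options dump pass
    # The last matching entry wins, since later mounts shadow earlier ones.
    awk -v mp="${2%/}/tmp" '$2 == mp { opts = $4 } END { if (opts != "") print opts }' "$1"
}

# tmp_is_noexec MOUNTS_FILE JAIL -> exit status 0 only if JAIL/tmp is mounted noexec
tmp_is_noexec() {
    opts=$(tmp_mount_opts "$1" "$2")
    case ",$opts," in
        *,noexec,*) return 0 ;;
        *)          return 1 ;;
    esac
}

# jail_interpreters JAIL -> prints interpreters found inside the jail, one per line
jail_interpreters() {
    jail=${1%/}
    for dir in bin usr/bin usr/local/bin; do
        for name in sh bash perl python python3 php ruby; do
            [ -x "$jail/$dir/$name" ] && echo "/$dir/$name"
        done
    done
    return 0
}

# audit_jail MOUNTS_FILE JAIL -> prints findings; exit status is the number of findings
audit_jail() {
    findings=0
    if ! tmp_is_noexec "$1" "$2"; then
        echo "FINDING: ${2%/}/tmp is not mounted noexec"
        findings=$((findings + 1))
    fi
    for interp in $(jail_interpreters "$2"); do
        echo "FINDING: interpreter $interp in jail can run scripts stored in tmp"
        findings=$((findings + 1))
    done
    return "$findings"
}

# Usage: audit_jail /proc/mounts /chroot
```

A jail that passes the noexec check but still lists an interpreter is exactly the case Ivan describes, so both findings need to be cleared.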