Hello,

We're migrating a webserver from RedHat 7.x to CentOS 4.2. In the process, we'd like to improve security.

We're currently planning on making sure SELinux is enabled, mounting the /tmp partition noexec, and running PHP in safe mode, hide_errors on, register_globals off by default. vsftpd is set to chroot logins.

I've seen Apache run inside a chroot jail, but that was always very hassle-prone, and ironically, when security updates came out, they weren't applied within the chroot jail (e.g., installed via yum), making it more likely to get compromised!

Is there an easier/better way to do this? Can you mix/match chroot'ed websites with those that aren't, without running a wholly separate webserver daemon?

What other actions would the knowledgeable crowd here suggest?

-Ben

--
"The best way to predict the future is to invent it."
- XEROX PARC slogan, circa 1978