> I've seen Apache run inside a chroot jail, but that was always very
> hassle-prone, and ironically, when security updates came out, they weren't
> applied within the chroot jail (e.g., installed via yum), making it more likely
> to get compromised! Is there an easier/better way to do this? Can you
> mix/match chroot'ed websites with those that aren't, without running a wholly
> separate webserver daemon?
>
> What other actions would the knowledgeable crowd here suggest?

SELinux and PHP in safe mode should take care of most of the problems. I'd recommend going through the config and unloading the modules you don't need.

I'd also recommend putting some time into mod_security. With a proper mod_security config and SELinux, you can stop nearly everything thrown at the webserver. If someone manages to make it through an updated Apache, SELinux, PHP in safe mode, and mod_security.... they've EARNED that compromise.

Beyond that, just the usual "keep your webapps updated" blah blah blah.

-- 
"They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety" Benjamin Franklin 1775
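The reply's "go through the config and unload the modules you don't need" advice is easiest to apply against a list of what is actually loaded. The script below is an added example for this thread, not code from the poster: it parses the `Loaded Modules:` listing that `httpd -M` (or `apachectl -M`) prints and flags every loaded module that is not on an allowlist, so the leftover set is the review list for disabling. The allowlist and the sample listing are constructed for illustration; the allowlist is an assumption about a minimal site and should be adjusted to what your own vhosts need.

```shell
#!/bin/sh
# Added example (not from the original thread): audit loaded Apache modules
# against an allowlist so the "unload what you don't need" step is methodical.

# Allowlist: modules a small PHP/static site typically needs. This set is an
# assumption for the example; trim or extend it for your own configuration.
ALLOWED_MODULES="core_module so_module http_module mpm_event_module
authz_core_module dir_module mime_module log_config_module
unixd_module rewrite_module security2_module"

# Reads `httpd -M` style output on stdin and prints, one per line, each loaded
# module that is NOT in the allowlist. Lines look like
# " status_module (shared)" or " core_module (static)".
flag_unneeded_modules() {
    allowed=" $(printf '%s' "$ALLOWED_MODULES" | tr '\n' ' ') "
    # Pull just the module name; the "(static)"/"(shared)" suffix is dropped.
    sed -n 's/^ *\([a-z0-9_]*_module\) ([a-z]*).*/\1/p' |
    while read -r mod; do
        case "$allowed" in
            *" $mod "*) ;;              # on the allowlist: keep it
            *) printf '%s\n' "$mod" ;;  # not on the list: candidate to disable
        esac
    done
}

# Constructed sample of `httpd -M` output for a stand-alone run. Real use:
#   httpd -M 2>/dev/null | flag_unneeded_modules
SAMPLE_HTTPD_M='Loaded Modules:
 core_module (static)
 so_module (static)
 http_module (static)
 mpm_event_module (shared)
 authz_core_module (shared)
 dir_module (shared)
 mime_module (shared)
 log_config_module (shared)
 status_module (shared)
 autoindex_module (shared)
 userdir_module (shared)
 cgi_module (shared)
 security2_module (shared)'

# Demo on the constructed sample: prints status, autoindex, userdir and cgi.
printf '%s\n' "$SAMPLE_HTTPD_M" | flag_unneeded_modules
```

Each flagged name maps to a `LoadModule` line (or an `a2dismod` target on Debian-style layouts); remove it, run `apachectl configtest`, and reload. Keep `security2_module` on the list when mod_security is in use, since the reply relies on it as the second layer beside SELinux.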