Security for webserver behind router?

Ted Mittelstaedt tedm at toybox.placo.com
Thu Jan 20 00:27:22 PST 2005



> -----Original Message-----
> From: owner-freebsd-questions at freebsd.org
> [mailto:owner-freebsd-questions at freebsd.org]On Behalf Of 
> Thanos Tsouanas
> Sent: Wednesday, January 19, 2005 11:46 PM
> To: freebsd-questions at freebsd.org
> Subject: Re: Security for webserver behind router?
> 
> 
> Just how secure do you want to be?  You can run apache
> chrooted in its directory.  That basically means, that if
> apache is installed at /var/www/ , you can set it so that it
> isn't aware of anything that's not under /var/www/
> 
> So, even if a security hole is found on apache, and someone does
> manage to break in, they won't be able to do much to the system,
> nor gain information about it, but will only be able to deal
> with /var/www/* ...
> 

Not true.  Naturally this is more of an academic discussion since
the vast majority of cracks are perpetrated against Windows.

If they get access to the CGI directory they can launch attacks
against the loopback address 127.0.0.1 and thus have access to
all services on the server, including the ones that are behind
the firewall.  They can also attack other hosts on the same subnet
and compromise those then head back to the apache box.

They can fill the disk up and if /var/tmp is on there then
things might stop working.

And of course, if the server isn't configured all that well they
might find a script that some cronjob is executing, that is
located down in the chrooted directory and install their stuff
there.

> If security is all that matters, you might want to have a look
> at OpenBSD's approach, which runs a modified apache version,
> chrooted by default.
>

OpenBSD's approach to security is designed to allow Theo de Raadt 
to run around and lecture everyone else about how crappy their
security is.  Out of the box an OpenBSD server is pretty useless.
Secure but useless.  To get it to do anything you have to start
turning on things, (like the webserver, etc.) and it's those
things that get broken into.

It's like when Microsoft ran around claiming that Windows NT 3.51
was "C4" security compliant  (Air Force manual 33-270) everyone
was really impressed but what Microsoft didn't tell you is that
NT only met C4 security when it didn't have a network adapter
installed!!!

 
> P.S. Running apache chrooted is a great idea, and that's how my
>      httpd is running, but it can be a PITA if you try to
>      install it without understanding how it works.
> 

I'm sure you feel more secure running it like that, if it makes
you happy, go for it.  Me, I'm not going to be shutting down
my DMZ any time soon.

Ted
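
Added example, not part of the original message: a shell check for the point above about a cron job executing a script located inside the chrooted directory. It lists cron commands that reference paths under the chroot and flags group- or world-writable ones; the function names and the temporary sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): find cron commands that reference files
# inside a web server chroot. The sample tree and crontab below are constructed.

# cron_refs CHROOT FILE... : print "file:line:path" for each command token
# that is an absolute path under CHROOT.
cron_refs() {
    root=${1%/}; shift
    awk -v root="$root" '
        /^[ \t]*(#|$)/ { next }                          # comments, blank lines
        /^[ \t]*[A-Za-z_][A-Za-z0-9_]*[ \t]*=/ { next }  # VAR=value settings
        {
            start = ($1 ~ /^@/) ? 2 : 6                  # skip @daily or the 5 time fields
            for (i = start; i <= NF; i++) {
                tok = $i
                gsub(/[";()]/, "", tok)                  # drop shell punctuation
                if (index(tok, root "/") == 1)           # "/" stops /var/www2 matching
                    printf "%s:%d:%s\n", FILENAME, FNR, tok
            }
        }' "$@"
}

# audit_cron CHROOT FILE... : append ok, missing, or LOOSE-PERMS (group- or
# world-writable) to each reference found by cron_refs.
audit_cron() {
    cron_refs "$@" | while IFS=: read -r file line path; do
        if [ ! -e "$path" ]; then flag=missing
        elif [ -n "$(find "$path" -prune \( -perm -020 -o -perm -002 \) -print)" ]; then
            flag=LOOSE-PERMS
        else flag=ok
        fi
        printf '%s:%s:%s:%s\n' "$file" "$line" "$path" "$flag"
    done
}

# demo: constructed chroot tree and system-style crontab in a temp directory.
demo() {
    d=$(mktemp -d) && mkdir -p "$d/www/cgi-bin"
    : > "$d/www/cgi-bin/rotate.sh"; chmod 777 "$d/www/cgi-bin/rotate.sh"
    : > "$d/www/stats.sh";          chmod 755 "$d/www/stats.sh"
    printf '%s\n' '# constructed sample' "PATH=$d/www/bin:/bin" \
        "0 3 * * * root $d/www/cgi-bin/rotate.sh" \
        "@daily root /bin/sh \"$d/www/stats.sh\"" \
        "*/5 * * * * root $d/www2/other.sh" \
        "15 4 * * * root /usr/local/sbin/backup" > "$d/crontab"
    audit_cron "$d/www" "$d/crontab"
    rm -rf "$d"
}
demo
```

Any hit is a file that root's cron runs from a tree the web server process can reach, so its ownership and mode deserve review even when the flag is ok.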

