Insecure Web App Hosting

Chad Leigh -- Shire.Net LLC chad at shire.net
Thu Dec 15 01:06:29 PST 2005


On Dec 14, 2005, at 11:10 PM, Anish Mistry wrote:

> On Wednesday 14 December 2005 07:13 pm, Mike Esquardez wrote:
>> I have to install a server that will host a "test drive" of a web
>> app on the internet. From my initial look at the app, it looks like
>> it will be a target to be exploited. I am not involved with the
>> code so fixing it is not an option. What I would like to try and do
>> is host it in a manner where I can minimize the risk and damage. It
>> will only have sample data and it doesn't have to be "live". Some
>> ideas I have:
>>
>> automate disk imaging or rsync.
>> read only filesystem.
>> integrity tool.
>> live cd version of the app.
>>
>> any other ideas?
>>
>> It's using apache/php/mysql and I have explained that it might not
>> be fully functional or might have to be offline for a small amount
>> of time each day. I have only just switched to freebsd so if any
>> one has any links to some docs or tools that would be helpful.
>> Thank you.
>> Mike
> 1) Setup a "jail" and make sure to set a high enough "securelevel"

Also, you can set up your jail so that the "system" parts of the jail
filesystem (not var and etc but / and /usr /lib /bin /sbin etc) are
read only so that no system executables can be modified at all from
inside the jail. This should prevent most root-kit type things being
installed and replacing system binaries.

Google on jail and nullfs and readonly to see previous discussions.

Chad

> 	- Create a separate partition to run the jail and enable quotas
> 2) Setup suphp to run the php scripts as an unprivileged non-www user,
> make sure to run php in safe_mode
> 3) Make sure the database user (It's not using "root" right?) only
> has privileges to access its tables, and better yet restrict that to
> the normal table operations (DELETE, UPDATE, SELECT, INSERT) if the
> application isn't doing anything fancy.
>
> -- 
> Anish Mistry

---
Chad Leigh -- Shire.Net LLC
Your Web App and Email hosting provider
chad at shire.net
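The read-only jail layout Chad describes above, as an added example that is not part of the thread and not Chad's or Anish's own configuration. It emits the nullfs fstab lines that share the host's system trees into the jail read-only, and it audits a mount(8) listing so you can confirm none of those trees came up read-write before the test drive goes online. The jail root /usr/jails/testdrive, the tree list, and the sample mount output are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example for this thread (not Chad's or Anish's setup): lay out a
# FreeBSD jail whose system trees are nullfs-mounted read-only, then audit
# a mount(8) listing for any of those trees that came up read-write.
# The paths below are assumptions for illustration.

JAIL_ROOT="${JAIL_ROOT:-/usr/jails/testdrive}"

# Host trees shared into the jail read-only. Nothing under them can be
# modified from inside the jail, so swapping a system binary fails.
RO_TREES="/bin /sbin /lib /libexec /usr"

# Emit fstab(5) lines for the jail's mount.fstab (one nullfs mount per tree).
# /etc, /var, /tmp and /home are deliberately not listed: they live directly
# on the jail's own partition, which is where the quotas belong.
gen_jail_fstab() {
    for t in $RO_TREES; do
        printf '%s\t%s%s\tnullfs\tro\t0\t0\n' "$t" "$JAIL_ROOT" "$t"
    done
}

# Audit mount(8) output (FreeBSD format) read from stdin: every RO_TREES
# mount point under the jail root must carry the read-only flag.
# Prints each offending line; exit status 1 if any were found.
audit_mounts() {
    bad=0
    while IFS= read -r line; do
        case "$line" in
            *" on $JAIL_ROOT/"*) ;;        # only mounts inside the jail root
            *) continue ;;
        esac
        mp=${line#*" on "}                 # drop "source on "
        mp=${mp%%" ("*}                    # drop " (options)"
        for t in $RO_TREES; do
            [ "$mp" = "$JAIL_ROOT$t" ] || continue
            case "$line" in
                *read-only*) ;;
                *) printf 'WRITABLE: %s\n' "$line"; bad=1 ;;
            esac
        done
    done
    return "$bad"
}

# Constructed sample listing in mount(8)'s output format. /usr was left
# read-write on purpose so the audit has something to flag.
SAMPLE_MOUNTS='/dev/ada0p2 on / (ufs, local, soft-updates)
/dev/ada0p4 on /usr/jails/testdrive (ufs, local, quota)
/bin on /usr/jails/testdrive/bin (nullfs, local, read-only)
/sbin on /usr/jails/testdrive/sbin (nullfs, local, read-only)
/lib on /usr/jails/testdrive/lib (nullfs, local, read-only)
/libexec on /usr/jails/testdrive/libexec (nullfs, local, read-only)
/usr on /usr/jails/testdrive/usr (nullfs, local)'

# Constructed run: print the fstab, then audit the sample listing.
gen_jail_fstab
printf '%s\n' "$SAMPLE_MOUNTS" | audit_mounts \
    || echo "audit failed: remount the flagged trees read-only before exposing the jail"
```

On a real host you would feed `mount` itself to `audit_mounts` from a cron job or the integrity check Mike mentioned, so a tree that silently came back read-write after a reboot is caught rather than discovered by an intruder.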
