LinuxQuestions.org
Support LQ: Use code LQ3 and save $3 on Domain Registration
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
Search this Thread
Old 11-25-2006, 09:29 PM   #1
JockVSJock
Member
 
Registered: Jan 2004
Posts: 602

Rep: Reputation: 31
[apache] Chroot or mod_security?


Doing more learning on security for Apache, and have been reading up securing a box that is running Apache for a web server.

There seems to be two ways to secure it: Chroot and mod_security

I've noticed that Chroot is alot of steps but there is plenty of documentation, via Google.

While researching Chroot, I found an Apache module called mod_security and of course web documentation:

http://www.modsecurity.org/
http://www.onlamp.com/pub/a/apache/2..._security.html

What are most people doing to secure their Apache web server?

What are the pros/cons of Chroot Vs mod_security?

thanks
 
Old 11-26-2006, 03:49 AM   #2
hob
Senior Member
 
Registered: Mar 2004
Location: Wales, UK
Distribution: Debian, Ubuntu
Posts: 1,075

Rep: Reputation: 45
I hadn't looked at mod_security before, but it appears to do something totally different to chroot. With chroot you construct a restricted environment to run the chosen software in, and the rest of the system is "invisible" to the application.

This is time-consuming to setup, and the restricted application can escape the chroot if it gets root privileges. It's probably better to use SELinux, which is the default for current releases of Fedora Core and RHEL. On an SELinux system every secured service is effectively under chroot, because the SELinux policy absolutely prevents them from accessing other parts of the system. People complain about SELinux because it is *too* effective at restricting unsafe behavior out-of-the-box .

My personal Web server runs an older distro, and I opted for a low-maintenance approach: it runs the AIDE intrusion detection system so that I can see if a change occurs which I didn't make myself, and I set the security options in PHP to restrict the one remaining PHP application that I use. Long-term I'll migrate from that application to a Rails equivalent, turn off PHP altogether, and switch from Apache to lighttpd. One of the advertised features of lighttpd is that it chroots well.
 
  


Reply

Tags
apache, chroot, webserver


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
LXer: Secure Your Apache With mod_security LXer Syndicated Linux News 0 07-13-2006 08:33 AM
chroot jail for apache dcdbutler Linux - Networking 3 04-02-2006 02:04 PM
Chroot Apache nistelrooy Linux - Security 1 06-18-2005 10:18 AM
mod_security for apache zsoltrenyi Linux - Security 0 02-08-2005 06:36 AM
Apache mod_security logging everything? ridertech Linux - Security 2 08-13-2004 01:10 PM


All times are GMT -5. The time now is 03:20 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration