LinuxQuestions.org
10-25-2014, 12:44 PM   #1
yaplej
Partitioning for security or chroot?


Hello everyone,

I want to run some of my own servers that will be publicly accessible, primarily for Drupal and GitLab. With the whole Shellshock and other pretty nasty security bugs that have been discovered as of late, I want to try and lock my systems down as much as possible. So I have already read the SANS, NSA, Red Hat, Cisco and others' papers/guides on configuring a secure Linux server.

None of them have made mention of running the public services in a chroot jail. Most of them mention partitioning the system so you can use noexec and other mount flags to prevent applications from running in /tmp, /var/tmp and prevent device drives like /dev/[disk] being mounted to /tmp or /var/tmp.

I am wondering if this is at all necessary if the public applications are running in chroot jails. This seems like an even more secure setup than partitioning the system to begin with.

Also as part of my security strategy I am limiting ALL outbound traffic. Unless I have specific need to allow the outbound traffic from my system it gets blocked and logged. This means I can detect (HIDS|OSSEC|Tripwire or whatever) when something "unauthorized" tries to connect outbound from my system (remote code execution like shellshock to "ping" for testing if remote code execution works).

By putting our public-facing application in a chroot jail, it should also prevent those remote code executions from even running because they would not have access to the executed programs.

So back to my point. Is the partitioning really necessary if you're using chroot jailed applications?
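
An added example, not part of the post above or of the guides it cites: a shell function that checks whether /tmp and /var/tmp are separate mount points carrying the restrictive flags the post refers to. The nodev and nosuid flags, the function names and the sample mount table are assumptions made for this example.

```shell
#!/bin/sh
# Added example: check the mount flags on the temp directories named in the post.
REQUIRED_FLAGS="noexec nodev nosuid"   # noexec is from the post; nodev/nosuid assumed
TARGET_DIRS="/tmp /var/tmp"            # directories named in the post

# Constructed sample in /proc/mounts format (not taken from a real host).
sample_mounts() {
    cat <<'EOF'
/dev/sda1 / ext4 rw,relatime 0 0
/dev/sda2 /tmp ext4 rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda3 /var/tmp ext4 rw,nodev,relatime 0 0
EOF
}

# audit_mounts [FILE]: print one verdict per target directory; return 1 on any finding.
audit_mounts() {
    mounts_file=${1:-/proc/mounts}
    rc=0
    for dir in $TARGET_DIRS; do
        # Last matching entry wins, because a later mount shadows an earlier one.
        opts=$(awk -v d="$dir" '$2 == d { o = $4 } END { print o }' "$mounts_file")
        if [ -z "$opts" ]; then
            # Not a mount point of its own: it inherits the parent filesystem's
            # flags, so it cannot be restricted separately.
            echo "$dir NOT-SEPARATE"
            rc=1
            continue
        fi
        missing=""
        for flag in $REQUIRED_FLAGS; do
            case ",$opts," in
                *",$flag,"*) ;;                  # flag present
                *) missing="$missing $flag" ;;   # flag absent
            esac
        done
        if [ -n "$missing" ]; then
            echo "$dir MISSING$missing"
            rc=1
        else
            echo "$dir OK"
        fi
    done
    return $rc
}
```

On a live host, calling `audit_mounts` with no argument reads /proc/mounts. A NOT-SEPARATE verdict means the directory needs its own partition or bind mount before it can carry these flags.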
 
10-25-2014, 08:22 PM   #2
jefro
Not sure a partition helps in attacks versus a mount point that is jailed. In many ways they are the same. Guess it can't hurt and depending on attack could help.

At this point I might have gone to a VM.


Others may have better ideas?
 
  

