On Tue, Feb 24, 2009 at 16:16, Nuno Magalhães <[email protected]> wrote:
> Greetings,
>
> I'm planning on running an http server, mainly for fun and to learn a
> bit, on my home machine. That's the same machine that has my personal
> stuff. I know this is sort of a religious question, but what do you
> guys recommend: running the server in a chroot or in some VM? Or a
> combination of both? Right now I'm relying on the router's firewall,
> the usual all external blocked, all internal allowed, but if I want an
> internal machine public I'll want a real firewall. What's the default?
> iptables? Other suggestions? I'd really want to separate public stuff
> from private.
>
> I'm running unstable on an AMD64 with 4GB of RAM.

Are you planning on running cgi, mod_php or similar? If you are serving static html, basic security practices and a firewall would probably be enough. Dynamic web servers are much more vulnerable.

iptables/netfilter is the Linux firewall, but there are many frontends of various types. I like shorewall, which is a set of scripts that make for much nicer rulesets than raw iptables. There are also graphical frontends, but to me they seem as bad as iptables, just in the opposite direction.

http://www.shorewall.net/

As for chroot, many use it as a security measure, but many very knowledgeable people, such as Alan Cox, will tell you "chroot is not and never has been a security tool."

http://kerneltrap.org/Linux/Abusing_chroot

Things like BSD Jails, Linux VServers and Solaris Containers are security measures, but they go much further than chroot. I couldn't really advise you on VServers vs full VMs, except that I think vservers are more lightweight.

http://linux-vserver.org/Overview

Cheers,
Kelly Clowers

