On Wednesday 14 December 2005 07:13 pm, Mike Esquardez wrote:
> i have to install a server that will host a "test drive" of a web
> app on the internet. from my inital look at the app, it looks like
> it will be a target to be exploited. i am not involved with the
> code so fixing it is not an option. what i would like to try and do
> is host it in a manner where i can minimize the risk and damage. it
> will only have sample data and it doesnt have to be "live". some
> ideas i have-
>
> automate disk imaging or rsync.
> read only filesystem.
> integrity tool.
> live cd version of the app.
>
> any other ideas?????
>
> its using apache/php/mysql and i have explained that it might not
> be fully functional or might have to be offline for a small amount
> of time each day. i have only just switched to freebsd so if any
> one has any links to some docs or tools that would be helpful.
> thankyou.
> Mike
1) Setup a "jail" and make sure to set a high enough "securelevel"
- Create a separate partition to run the jail and enable quotas
2) Setup suphp to run the php scripts as an unprivleged non-www user,
make sure to run php in safe_mode
3) Make sure the the database user (It's not using "root" right?) only
has privileges to access it's tables, and better yet restrict that to
the normal table operations (DELETE, UPDATE, SELECT, INSERT) if the
application isn't doing anything fancy.-- Anish Mistry
pgpapI1uMwaPO.pgp
Description: PGP signature
