Re: Insecure Web App Hosting
On Dec 14, 2005, at 11:10 PM, Anish Mistry wrote:

> On Wednesday 14 December 2005 07:13 pm, Mike Esquardez wrote:
>> I have to install a server that will host a test drive of a web app on the internet. From my initial look at the app, it looks like it will be a target to be exploited. I am not involved with the code, so fixing it is not an option. What I would like to try and do is host it in a manner where I can minimize the risk and damage. It will only have sample data and it doesn't have to be live. Some ideas I have: automate disk imaging or rsync, read-only filesystem, integrity tool, live CD version of the app. Any other ideas?
>>
>> It's using apache/php/mysql and I have explained that it might not be fully functional or might have to be offline for a small amount of time each day. I have only just switched to FreeBSD, so if anyone has any links to some docs or tools that would be helpful.
>>
>> Thank you.
>> Mike
>
> 1) Set up a jail and make sure to set a high enough securelevel

Also, you can set up your jail so that the system parts of the jail filesystem (not var and etc, but / and /usr, /lib, /bin, /sbin, etc.) are read-only so that no system executables can be modified at all from inside the jail. This should prevent most root-kit type things being installed and replacing system binaries. Google on jail and nullfs and readonly to see previous discussions.

Chad

> - Create a separate partition to run the jail and enable quotas
> 2) Set up suphp to run the php scripts as an unprivileged non-www user, make sure to run php in safe_mode
> 3) Make sure the database user (it's not using root, right?) only has privileges to access its tables, and better yet restrict that to the normal table operations (DELETE, UPDATE, SELECT, INSERT) if the application isn't doing anything fancy.
>
> --
> Anish Mistry

---
Chad Leigh -- Shire.Net LLC
Your Web App and Email hosting provider
chad at shire.net

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]
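One way to put Chad's read-only nullfs suggestion into practice, as an added example that is not from the thread: an sh script that writes the jail's fstab entries for read-only nullfs mounts of the system directories and then audits mount(8) output for any system directory that ended up writable inside the jail. The host base install at /jails/base and the jail root at /jails/webapp are assumed paths.

```shell
#!/bin/sh
# Added example, not from the thread. Generates fstab(5) lines that nullfs-mount
# the host's system directories read-only into the jail, and audits mount(8)
# output for system directories that are writable from inside the jail.
# Assumed layout: host base install at /jails/base, jail root at /jails/webapp.
BASE=${BASE:-/jails/base}
JAIL=${JAIL:-/jails/webapp}

# Directories that must never be writable from inside the jail; /etc and /var
# stay on the jail's own writable filesystem so the app and its logs keep working.
RO_DIRS="bin sbin lib libexec usr boot"

# gen_fstab prints one read-only nullfs entry per system directory. The mount
# points under $JAIL must exist; feed the output to the jail's own fstab.
gen_fstab() {
    for d in $RO_DIRS; do
        printf '%s/%s\t%s/%s\tnullfs\tro\t0\t0\n' "$BASE" "$d" "$JAIL" "$d"
    done
}

# audit_mounts reads mount(8)-style lines on stdin, e.g.
#   /jails/base/usr on /jails/webapp/usr (nullfs, local, read-only)
# and prints every system directory of the jail that is mounted writable.
# Returns 0 when all system directories are read-only, 1 otherwise.
audit_mounts() {
    bad=0
    while IFS= read -r line; do
        mp=${line#* on }; mp=${mp%% (*}        # mount point
        opts=${line##*(}; opts=${opts%)}       # "nullfs, local, read-only"
        case "$mp" in "$JAIL"/*) ;; *) continue ;; esac   # only the jail's mounts
        rel=${mp#"$JAIL"/}; top=${rel%%/*}     # first path component inside jail
        for d in $RO_DIRS; do
            if [ "$top" = "$d" ]; then
                case ",$(printf '%s' "$opts" | tr -d ' ')," in
                    *,read-only,*) ;;
                    *) printf 'WRITABLE: %s (%s)\n' "$mp" "$opts"; bad=1 ;;
                esac
            fi
        done
    done
    return "$bad"
}
```

Run `mount | audit_mounts` from the host after starting the jail; a non-zero exit means a system directory can be modified from inside.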
Re: Insecure Web App Hosting
On 12/15/05, Mike Esquardez [EMAIL PROTECTED] wrote:

> I have to install a server that will host a test drive of a web app on the internet. From my initial look at the app, it looks like it will be a target to be exploited. I am not involved with the code, so fixing it is not an option. What I would like to try and do is host it in a manner where I can minimize the risk and damage. It will only have sample data and it doesn't have to be live. Some ideas I have: automate disk imaging or rsync, read-only filesystem, integrity tool, live CD version of the app. Any other ideas?

What about putting your services in a jail(8)?

> It's using apache/php/mysql and I have explained that it might not be fully functional or might have to be offline for a small amount of time each day. I have only just switched to FreeBSD, so if anyone has any links to some docs or tools that would be helpful.
>
> Thank you.
> Mike

--
Pietro Cerutti [EMAIL PROTECTED]
Beansidhe - SwiSS Death / Thrash Metal
www.beansidhe.ch

Windows: Where do you want to go today?
Linux: Where do you want to go tomorrow?
FreeBSD: Are you guys coming or what?
RE: Insecure Web App Hosting
On 12/15/05, Mike Esquardez [EMAIL PROTECTED] wrote:

> I have to install a server that will host a test drive of a web app on the internet. From my initial look at the app, it looks like it will be a target to be exploited. I am not involved with the code, so fixing it is not an option. What I would like to try and do is host it in a manner where I can minimize the risk and damage. It will only have sample data and it doesn't have to be live. Some ideas I have: automate disk imaging or rsync, read-only filesystem, integrity tool, live CD version of the app. Any other ideas?

If this Web App depends on Apache/PHP/mySQL then you'll need a module like mod_security for Apache and use rules from gotroot.com to secure against SQL injections, etc.

I'd actually do the following:

1) Secure your kernel
2) IPFW, and close the server down except to services you need
3) Run rkhunter as a cron job to scan against problems
4) Run mod_security for Apache and make sure your PHP/Apache processes are configured properly
5) Lastly, do backups ;-)

Tamouh
Re: Insecure Web App Hosting
On Wednesday 14 December 2005 07:13 pm, Mike Esquardez wrote:

> I have to install a server that will host a test drive of a web app on the internet. From my initial look at the app, it looks like it will be a target to be exploited. I am not involved with the code, so fixing it is not an option. What I would like to try and do is host it in a manner where I can minimize the risk and damage. It will only have sample data and it doesn't have to be live. Some ideas I have: automate disk imaging or rsync, read-only filesystem, integrity tool, live CD version of the app. Any other ideas?
>
> It's using apache/php/mysql and I have explained that it might not be fully functional or might have to be offline for a small amount of time each day. I have only just switched to FreeBSD, so if anyone has any links to some docs or tools that would be helpful.
>
> Thank you.
> Mike

1) Set up a jail and make sure to set a high enough securelevel
   - Create a separate partition to run the jail and enable quotas
2) Set up suphp to run the php scripts as an unprivileged non-www user, make sure to run php in safe_mode
3) Make sure the database user (it's not using root, right?) only has privileges to access its tables, and better yet restrict that to the normal table operations (DELETE, UPDATE, SELECT, INSERT) if the application isn't doing anything fancy.

--
Anish Mistry