From owner-freebsd-questions@FreeBSD.ORG Thu Dec 15 06:09:00 2005 Return-Path: X-Original-To: freebsd-questions@freebsd.org Delivered-To: freebsd-questions@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 65DA816A41F for ; Thu, 15 Dec 2005 06:09:00 +0000 (GMT) (envelope-from mistry.7@osu.edu) Received: from mail.united-ware.com (am-productions.biz [69.61.164.22]) by mx1.FreeBSD.org (Postfix) with ESMTP id AC10A43D60 for ; Thu, 15 Dec 2005 06:08:59 +0000 (GMT) (envelope-from mistry.7@osu.edu) Received: from [192.168.1.100] (am-productions.biz [69.61.164.22]) (authenticated bits=0) by mail.united-ware.com (8.13.4/8.13.4) with ESMTP id jBF6Br2P034457 (version=TLSv1/SSLv3 cipher=RC4-MD5 bits=128 verify=NO); Thu, 15 Dec 2005 01:11:59 -0500 (EST) (envelope-from mistry.7@osu.edu) From: Anish Mistry To: Mike Esquardez Date: Thu, 15 Dec 2005 01:10:53 -0500 User-Agent: KMail/1.8.3 References: In-Reply-To: MIME-Version: 1.0 Content-Type: multipart/signed; boundary="nextPart1478177.B6pkB4bTl6"; protocol="application/pgp-signature"; micalg=pgp-sha1 Content-Transfer-Encoding: 7bit Message-Id: <200512150111.10835.mistry.7@osu.edu> X-Spam-Status: No, score=-4.8 required=5.0 tests=ALL_TRUSTED,BAYES_50, MYFREEBSD3 autolearn=failed version=3.1.0 X-Spam-Checker-Version: SpamAssassin 3.1.0 (2005-09-13) on mail.united-ware.com X-Virus-Scanned: ClamAV 0.87/1209/Mon Dec 12 10:48:01 2005 on mail.united-ware.com X-Virus-Status: Clean Cc: freebsd-questions@freebsd.org Subject: Re: Insecure Web App Hosting X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 15 Dec 2005 06:09:00 -0000 --nextPart1478177.B6pkB4bTl6 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Content-Disposition: inline On Wednesday 14 December 2005 07:13 pm, Mike Esquardez wrote: > i have to install a server that will host a "test drive" of a web > app on the internet. from my inital look at the app, it looks like > it will be a target to be exploited. i am not involved with the > code so fixing it is not an option. what i would like to try and do > is host it in a manner where i can minimize the risk and damage. it > will only have sample data and it doesnt have to be "live". some > ideas i have- > > automate disk imaging or rsync. > read only filesystem. > integrity tool. > live cd version of the app. > > any other ideas????? > > its using apache/php/mysql and i have explained that it might not > be fully functional or might have to be offline for a small amount > of time each day. i have only just switched to freebsd so if any > one has any links to some docs or tools that would be helpful. > thankyou. > Mike 1) Setup a "jail" and make sure to set a high enough "securelevel" - Create a separate partition to run the jail and enable quotas 2) Setup suphp to run the php scripts as an unprivleged non-www user,=20 make sure to run php in safe_mode 3) Make sure the the database user (It's not using "root" right?) only=20 has privileges to access it's tables, and better yet restrict that to=20 the normal table operations (DELETE, UPDATE, SELECT, INSERT) if the=20 application isn't doing anything fancy. =2D-=20 Anish Mistry --nextPart1478177.B6pkB4bTl6 Content-Type: application/pgp-signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2 (FreeBSD) iD8DBQBDoQj+xqA5ziudZT0RAilFAJ9dXnPgiPeIZ0auaURcqnsvJG2ovwCdHw2W SvrM1Jlk68JpvcZWHTY8lJ8= =phzU -----END PGP SIGNATURE----- --nextPart1478177.B6pkB4bTl6--