Skip site navigation (1)Skip section navigation (2)
Date:      Thu, 20 Jan 2005 10:52:05 +0200
From:      Thanos Tsouanas <thanos@sians.org>
To:        freebsd-questions@freebsd.org
Subject:   Re: Security for webserver behind router?
Message-ID:  <20050120085205.GA5537@kender.sians.org>
In-Reply-To: <LOBBIFDAGNMAMLGJJCKNAEBGFAAA.tedm@toybox.placo.com>
References:  <20050120074624.GA3246@kender.sians.org> <LOBBIFDAGNMAMLGJJCKNAEBGFAAA.tedm@toybox.placo.com>

next in thread | previous in thread | raw e-mail | index | archive | help
On Thu, Jan 20, 2005 at 12:27:01AM -0800, Ted Mittelstaedt wrote:
> > Just how much secure do you want to be?  You can run apache
> > chrooted in its directory.  That basically means, that if
> > apache is installed at /var/www/ , you can set it so that it
> > isn't aware of anything that's not under /var/www/
> > 
> > So, even if a security hole is found on apache, and someone does
> > manage to break in, they won't be able to do much to the system,
> > nor gain information about it, but will only be able to deal
> > with /var/www/* ...
>
> Not true.  Naturally this is more of an academic discussion since
> the vast majority of cracks are perpetuated against Windows.
> 
> If they get access to the CGI directory they can launch attacks
> against the loopback address 127.0.0.1 and thus have access to
> all services on the server, including the ones that are behind
> the firewall.  They can also attack other hosts on the same subnet
> and compromise those then head back to the apache box.

Have you actually done such a thing with obsd?  Please let me
know how you did it, and let it not include a httpd -u flag on
the apache, nor things like chmod -R 777 / .... ;)

> They can fill the disk up and if /var/tmp is on there then
> things might stop working.

Of course /var/tmp is not in /var/www...

> And of course, if the server isn't configured all that well they
> might find a script that some cronjob is executing, that is
> located down in the chrooted directory and install their stuff
> there.

Ok, so you put scripts under /var/www/ for use with cronjob..
is this stupid or what?
 
> > If security is all that matters, you might want to have a look
> > at OpenBSD's approach, which runs a modified apache version,
> > chrooted by default.
>
> OpenBSD's approach to security is designed to allow Theo de Raadt 
> to run around and lecture everyone else about how crappy their
> security is.  Out of the box an OpenBSD server is pretty useless.
> Secure but useless.  To get it to do anything you have to start
> turning on things, (like the webserver, etc.) and it's those
> things that get broken into.

You obviously never used it.  But the point is not to talk about
obsd on a fbsd list, is it?  The guy needs suggestions, and i
gave him the best i could think of.
See the strength points of each os, don't just act childish
defending your fave.  We would have the same discussion a year
ago if i had suggested to guy asking for firewalls to use pf.
Of course, now pf is in freebsd so you would accept it as good.

> It's like when Microsoft ran around claiming that Windows NT 3.51
> was "C4" security compliant  (Air Force manual 33-270) everyone
> was really impressed but what Microsoft didn't tell you is that
> NT only met C4 security when it didn't have a network adapter
> installed!!!

Yes you are right.  It's like that.  You are funny.

> > P.S. Running apache chrooted is a great idea, and that's how my
> >      httpd is running, but it can be a PITA if you try to
> >      install it without understainding how it works.
> 
> I'm sure you feel more secure running it like that, if it makes
> you happy, go for it.  Me, I'm not going to be shutting down
> my DMZ any time soon.

Sure, if it makes you happy don't use it.  Who cares.

P.S.  No point of this being in the list, so if you want a reply
      on this thread mail me personally.

-- 
Thanos Tsouanas <thanos@sians.org> .: Sians
http://thanos.sians.org/           .: http://www.sians.org/



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20050120085205.GA5537>