Chrooting Apache/PHP/MySQL in FreeBSD

Discussion in 'Linux & BSD' started by NetRyder, Jul 6, 2005.

  1. NetRyder

    NetRyder Tech Junkie Folding Team

    Alright, so I'm taking over the administration of two servers from a member of our team who graduated. They're currently running Debian, but since I'm going for a fresh start on one of them, I'm planning to use FreeBSD this time around (if things go as planned).

    This machine will be used as a webserver, among other things. I was wondering how many BSD users here chroot their Apache/PHP/MySQL installations for security purposes. Have you run into any troubles after doing so? How about maintenance - do you need to go through the same process again after a portupgrade, or does everything just go in its correct place?

    Would appreciate any input on this topic, along with any other general suggestions and recommendations that you might have. Thanks. :)
     
  2. j79zlr

    j79zlr Glaanies script monkey Political User

    I wouldn't be too concerned about jailing Apache/PHP/MySQL unless you do not plan on keeping the installed ports up-to-date. It is a fairly big hassle to copy everything into the jail environment, and yes, you would have to do it every time it is upgraded. Apache and MySQL run as the users www and mysql respectively; even if they are compromised, the damage is limited to files owned by www and mysql. Even though there could be privilege escalation vulnerabilities, they are rare.
     
  3. NetRyder

    NetRyder Tech Junkie Folding Team

    Yeah, that's what I figured. Didn't seem like it was worth the hassle...I just noticed that there are people who do this, so I thought I'd get some opinions here.
    Thanks for your input, Joe. :)
     
  4. LordOfLA

    LordOfLA Godlike!

    Chrooting apache/mysql is for the overly paranoid. If you want, I can send over a sysctl.conf that'll make your box a lean, mean FreeBSD fighting machine and save you some trouble to boot :D
     
  5. NetRyder

    NetRyder Tech Junkie Folding Team

    That would be awesome. Email it to my username at osnn dot net, please. Thanks. :)
     
  6. LordOfLA

    LordOfLA Godlike!

  7. NetRyder

    NetRyder Tech Junkie Folding Team

    ...and received. ;)
    Will be wiping the drive and doing the initial set up when I get back from work tomorrow evening. I only hope I don't run into any hardware-detection/driver problems...hate to deal with those. It's a Dell PowerEdge 1400SC box, if that makes any difference.

    Wish me luck. :)
     
  8. LordOfLA

    LordOfLA Godlike!

    We got it running nicely on 420SCs, 1800s (SATA and SCSI variants) and a range of 1U rackmounts. Dell works with pretty much everything these days. I've yet to try Darwin on one though... could be fun :p Must convince the boss one day :D
     
  9. NetRyder

    NetRyder Tech Junkie Folding Team

    Lovely. Went in and set up the base system last night. Everything running perfectly. Will be getting the rest done from home over SSH this weekend.
     
  10. LordOfLA

    LordOfLA Godlike!

    Some useful ports to install reside in sysutils/portupgrade, sysutils/portaudit, misc/mc, editors/vim and editors/nano. Add sendmail_enable="none" to /etc/rc.conf too :D
     
  11. NetRyder

    NetRyder Tech Junkie Folding Team

    Yep, already disabled sendmail. ;)
     
  12. X-Istence

    X-Istence * Political User

    Do yourself a favor as well. Head over to freshports.org, get an account, add all your ports to your watchlist and get an email when a port is updated. Keep yerself up to date with the latest. Also, make it a habit to check the advisories on http://freebsd.org/ at least once a week, and hang out on #freebsdhelp on EFnet if you want to have it easily seen that there is a new, very important update by looking at the topic.

    Also, keep tabs on the last patchlevel by reading advisories, or at least updating to the latest RELENG every so often, of whatever version you plan to use. I suggest 5.x.

    And do yourself a favor, and use ports for everything. Or to quote #freebsdhelp:

    "Use ports, or a 300 lb geek will sit on you after a 96-hour coding frenzy"

    BTW, chrooting mysql/www is useless and won't help secure much. Breaking out of a chroot is getting easier, as more and more problems are found every so often with the way it secures things; what it is being abused for is not what it was designed for in the first place. As for jailing the services, you could do it, but I'd call you crazy.

    Enjoy your FreeBSD days. If you need any help, post here of course!

    Lord: Do me a favor, and send me your rc.conf/sysctl.conf so that I can tweak my servers.
     
  13. NetRyder

    NetRyder Tech Junkie Folding Team

    Thanks for the tips, X. I already subscribed to the advisories RSS feed last night after everything was set up. The FreshPorts tip is a nice one...I'll do that when I get home today. Ports all the way, of course. And yes, I gave up the idea of chrooting a while ago...wasn't too keen on doing it in the first place. :)

    Thanks again folks. More fun this weekend.
     
  14. LordOfLA

    LordOfLA Godlike!

    Actually, FreeBSD 6 has been in code freeze since June 10 and gets its RELENG_6 branch on Sunday. I have 2 machines running it now problem free; the in-place source upgrade from 5 went as nicely as upgrading inside the 5.x branch.

    So 2 more machines will be getting FreeBSD 6 soon, and I'll try and throw it at the coreix DNS server sometime next week :)
     
  15. LordOfLA

    LordOfLA Godlike!

    BTW, the Solaris 10 thread kicked my brain into gear:

    It's a good idea to put NO_X = True and WITHOUT_X11=yes into /etc/make.conf on a FreeBSD server.
     
  16. LordOfLA

    LordOfLA Godlike!

    Oh, and something else. A colleague of mine here at coreix pointed out devel/strace the other day. It's awesome at helping you find the cause of segfaults :D
     
  17. X-Istence

    X-Istence * Political User

    I use strace all the time. On 5.x systems you need to mount /procfs though, which is a security risk and has been disabled by default. So mount procfs, and then turn it off again when done.

    6.x is where I am going to go ASAP as well. More fine-grained control over locking, meaning more speed should come out of the system.
     
  18. LordOfLA

    LordOfLA Godlike!

    News to me, I don't think I've ever had procfs not mounted...
     
  19. X-Istence

    X-Istence * Political User

    In 4.x it is enabled, as it is needed for ps and other tools. For 5.x and 6.x it is disabled, as it could lead to security problems. I remember reading it in updating. Here is a snippet from http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/kernelconfig-config.html for another interesting.


     
  20. Geffy

    Geffy Moderator Folding Team

    My list of useful ports:
    editors/nano
    misc/screen
    net/cvsup-without-gui
    ftp/wget
    security/sudo
    security/chkrootkit

    screen I find particularly useful when rebuilding world and kernels:
    screen -L make buildworld
    The -L switch means it dumps all of the output into screenlog.0 in the same directory, so if you come back much later and screen has terminated you can still check to see if everything went right. See http://geffy.co.uk/archives/000162.php for some information on other compilation options. You might also want to take a look at http://geffy.co.uk/audit_auth for checking through your auth logs.