On Wednesday, November 06, 2013 08:21:36 PM John M Andersen wrote:
On 11/6/2013 7:06 PM, Ted Byers wrote:
I was talking with a UNIX admin today about security, and he recommended a strategy involving what are termed jails on FreeBSD. He did say he has limited experience on Suse and Ubuntu.
Holy cow, Ted, do we have to cover a whole semester course in one email?
Sure, why not? ;-) No, seriously, if the topic is that big, what would be good is a paragraph or three giving an overview, and perhaps two or three websites, annotated as to their strengths and weaknesses. And perhaps narrow the responses to what is necessary to secure a web application, whether created on an application server like Tomcat, or as a suite of CGI scripts that run on a web server, like Apache's httpd server, likely written in either Perl or PHP (the admin I spoke to today told me that in his view, PHP is especially vulnerable while Perl makes it much easier to develop secure web applications). I DO have a couple of books I am working through, but they deal almost exclusively with modsecurity. Web application security would be in a very sad state if there existed only one useful tool for securing web applications. I don't expect all the useful information to be provided in an email, but pointers to useful, trustworthy web resources seem like a reasonable request. At this stage, while I can write my Perl code so that the application is hard to attack, I do not know what else I can add to the web server (or application server) that makes attack harder still. Nor do I know if I'd need to take additional measures to configure my database so that attacks become harder still. A website, or three, that gives useful details for completing the tasks that are useful, and that explains the range of issues one needs to consider.
Jails (called chroot jails in Linux) are usually for processes, services and such, not for users. The FTP server might put every session in a chroot jail so that they can't get at anything else in the machine. Mail servers typically run in a jail. Users don't run in jails usually. Mostly just services.
I have no intention to expose ftp or to run my own email server. (I will need to support file upload via my web application, but even there, I need to ensure that the file is a plausible size and that it does not carry a hidden threat.) My main worry is focussed on making my web applications (and of course the DB they invariably use), as secure as practicable, and using configuration practices as a complement to my usual programming practices.
Services that are supposed to be run in a jail are usually set up that way when you install them by yast.
OK, how do I tell if Apache's web server, and the Apache Tomcat application server, are set up to run in a jail? And if they aren't, can they be assigned to a jail after they're installed, and if so how?
Virtual machines are a whole different item.
Except that they provide a means of isolating the server application from the hardware, and can readily be blown away and replaced, if they're compromised.
Thanks
Ted
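Added example, not part of the original thread: on Linux, one way to answer the question above about whether a running service is chrooted is to compare the target of `/proc/<pid>/root` with `/`. The `PROC_DIR` override and the process names passed on the command line (for example `httpd2-prefork` or `java`) are assumptions; reading another user's process entry requires root.

```shell
#!/bin/sh
# Added example: report whether a service's processes run with a changed root.
# On Linux, /proc/<pid>/root is a symlink to the root directory the process
# sees. A target other than "/" means the process was started under chroot.
# Caveat: a process in its own mount namespace (a container) also reports
# "/", so this check covers classic chroot jails only.

# Overridable so the logic can be exercised on a constructed directory tree.
PROC_DIR="${PROC_DIR:-/proc}"

# chroot_status PID
# Prints "not-jailed", "jailed:<path>", or "unknown" when the link cannot be
# read (process gone, or caller lacks permission).
chroot_status() {
    local pid="$1" target
    target=$(readlink "$PROC_DIR/$pid/root" 2>/dev/null) || {
        echo "unknown"
        return 0
    }
    if [ "$target" = "/" ]; then
        echo "not-jailed"
    else
        echo "jailed:$target"
    fi
}

# report_service NAME
# Prints "<pid> <name> <status>" for every process whose command name
# (/proc/<pid>/comm, truncated by the kernel to 15 characters) equals NAME.
# Prints nothing when no process matches.
report_service() {
    local name="$1" d pid comm
    for d in "$PROC_DIR"/[0-9]*; do
        [ -r "$d/comm" ] || continue
        comm=$(cat "$d/comm" 2>/dev/null) || continue
        [ "$comm" = "$name" ] || continue
        pid=${d##*/}
        echo "$pid $comm $(chroot_status "$pid")"
    done
    return 0
}

# Usage: sh check-chroot.sh httpd2-prefork java   (names are assumptions)
for svc in "$@"; do
    report_service "$svc"
done
```

A service that calls `chroot()` itself after start-up shows the jail path on its worker processes, so check every PID the script lists rather than only the parent.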