On Sun, 11.07.2004, Wayne Stidolph wrote at 21:22:

> I want to transfer my web serving (small static pages) from an
> internal server to my firewall machine, to cut down on the number of
> computers running in my SOHO; but I'd like to stay reasonably secure
> :) So, I'm thinking I need to run httpd in a chroot, or a user-mode
> virtual machine. But which?

From the information given it is hard to say whether putting your webserver and content into a "sandbox" would be a bit of an overdose. Though attention to security aspects is never wrong. As you say you have only static web content, I don't think there is much need to make your life harder by implementing a chrooted Apache or a system inside a host system with UML. Is it home hobby hosting or home office hosting you are doing? If you have no sensible data on the border machine and no scripting languages active for the web site, I would think keeping both eyes on Apache security issues (reading bugtraq) and keeping the system always up to date is enough to run it normally.

> I have read about chroot and about UML, but haven't actually set up
> either and am uncertain about the security/performance/maintenance
> tradeoffs between them. I've done some searching for a
> discussion/guidance around anywhere on which way to proceed,
> particularly on FC2, but so far haven't been unsuccessful.

For running UML you will need to compile your kernel with support for it. The Fedora kernel has no support for UML. Comparing chroot and UML, the first is simpler and the last more powerful because it is not limited to the Apache processes. Actually I am myself experimenting with UML (trying to apply the SKAS patch to the FC2 kernel) and looking forward to seeing how the performance will be. Meanwhile I heard something bad about UML in this aspect and was pointed to Linux-VServer http://www.linux-vserver.org.

Here are Apache2 chroot howtos:

1) http://www.haught.org/freebsdapache.php
2) http://www.cgisecurity.com/webservers/apache/chrootapache2-howto.html

> Wayne Stidolph wayne _dot_ stidolph _at_ gmail _dot_ com

Alexander

--
Alexander Dalloz | Enger, Germany | GPG key 1024D/ED695653 1999-07-13
Fedora GNU/Linux Core 2 (Tettnang) on Athlon CPU kernel 2.6.6-1.435.2.3
Serendipity 22:39:24 up 4 days, 4:47, load average: 0.51, 0.66, 0.63
Attachment:
signature.asc
Description: This is a digitally signed message part