Re: To chroot or not to chroot?

From: darren kirby (bulliver_at_badcomputer.org)
Date: 11/24/05

    To: security-basics@securityfocus.com
    Date: Thu, 24 Nov 2005 13:45:59 -0800
    
    
    

    quoth the Martín Villalba:
    > Hi, list! Maybe you can help me with this: I'm about to install a
    > webserver, which should have an http server, webmail, php support,
    > dns, ftp, remote login and a couple more things. Obviously, with all
    > those ports open, I must take every security measure I know (and some
    > I don't). But here comes my doubt: should I jail the webserver with
    > chroot? My first thought was "Duh, yes!", but thinking about it,
    > having all those services running at the same time, do I really make
    > any difference? It seems to me that in such an environment a cracker (no,
    > I'm not writing "hacker") could do anything he (maybe she?) wants...

    I am no security expert, but I do run a setup identical to what you are
    implementing (minus the FTP and webmail) so here's my 2 cents (feel free to
    reply if I say something dumb 'real' experts ...).

    My understanding of chroot is that if the service is compromised, then the
    attacker has a very limited set of commands available, not much more than
    shell builtins. And also, each service would be chrooted individually. So
    unless you help the cracker by putting netcat, wget, and gcc in your chroot
    it does offer a lot of advantages.

    Why do you need the DNS server? If it is only for the local LAN then simply
    change your firewall to only allow queries on the internal interface. Also,
    be sure to not allow zone transfers. DNS should be chrooted (the named docs
    imply this is the best way).

    For FTP I recommend vsftpd in a chroot, but as mentioned, I don't use FTP
    so...

    As for login, use sshd (of course) and only allow key-based authentication.
    This way crackers will not even get a login prompt to brute force. Also, be
    sure to disable root logins.

    > Ideas? Suggestions? Donations (cash, please)?
    > C-you
    >
    > Martín

    HTH,
    Darren

    -- 
    darren kirby :: Part of the problem since 1976 :: http://badcomputer.org
    "...the number of UNIX installations has grown to 10, with more expected..."
    - Dennis Ritchie and Ken Thompson, June 1972
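
The advice above about keeping netcat, wget and gcc out of each service's jail can be checked mechanically. The script below is an added example, not part of the original message: the function name `audit_chroot`, the tool list and the setuid/setgid check (which goes beyond the tools named in the post) are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: audit one chroot tree for files a service does not need
# but an intruder inside the jail would find useful.

# Assumed list: the three tools named in the post plus common equivalents.
RISKY_TOOLS="nc netcat ncat wget curl ftp tftp gcc cc g++ make perl python python3"

# audit_chroot DIR
#   prints one line per finding
#   returns 0 if the jail is clean, 1 if anything was found, 2 on bad usage
audit_chroot() {
    root=$1
    if [ ! -d "$root" ]; then
        echo "usage: audit_chroot <chroot-dir>" >&2
        return 2
    fi

    found=$(
        # Download, relay and build tools anywhere in the tree,
        # whether real files or symlinks.
        for tool in $RISKY_TOOLS; do
            find "$root" \( -type f -o -type l \) -name "$tool" -print 2>/dev/null |
                sed 's/^/TOOL    /'
        done
        # Setuid or setgid files: a chroot only contains an unprivileged
        # process, so privilege-granting binaries should not be in the jail.
        find "$root" -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null |
            sed 's/^/SETID   /'
    )

    if [ -n "$found" ]; then
        printf '%s\n' "$found"
        return 1
    fi
    return 0
}

# When run as a script, audit the directory given on the command line,
# e.g. ./audit_chroot.sh /var/named/chroot (path is a placeholder).
[ "$#" -eq 0 ] || audit_chroot "$1"
```

Run it once per jail, since each service is chrooted individually; a non-zero exit status makes it easy to call from a cron job or a deployment check.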
    
    


