Re: chroot or vm?

On Tue, Feb 24, 2009 at 16:16, Nuno Magalhães <nunomagalhaes@xxxxxxxxx> wrote:
Greetings,

I'm planning on running an http server, mainly for fun and to learn a
bit, on my home machine. That's the same machine that has my personal
stuff. I know this is sort of a religious question, but what do you
guys recommend: running the server in a chroot or in some VM? Or a
combination of both? Right now I'm relying on the router's firewall,
the usual all external blocked, all internal allowed, but if I want an
internal machine public I'll want a real firewall. What's the default?
iptables? Other suggestions? I'd really want to separate public stuff
from private.

I'm running unstable on an AMD64 with 4GB of RAM.

Are you planning on running cgi, mod_php or similar? If you are
serving static html, basic security practices and a firewall would
probably be enough. Dynamic web servers are much more
vulnerable.

iptables/netfilter is the Linux firewall, but there are many frontends
of various types. I like shorewall, which is a set of scripts that make
for much nicer rulesets than raw iptables. There are also graphical
frontends, but to me they seem as bad as iptables, just in the opposite
direction.

http://www.shorewall.net/

As for chroot, many use it as a security measure, but many very
knowledgeable people, such as Alan Cox, will tell you "chroot is not
and never has been a security tool."

http://kerneltrap.org/Linux/Abusing_chroot

Things like BSD Jails, Linux VServers and Solaris Containers are
security measures, but they go much further than chroot.

I couldn't really advise you on VServers vs full VMs, except that
I think vservers are more lightweight.

http://linux-vserver.org/Overview


Cheers,
Kelly Clowers
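
The "all external blocked, all internal allowed" policy Nuno describes, with just the web port opened to the outside, written as a raw iptables ruleset. This is an added example, not code from either poster; it assumes a single NIC on a 192.168.1.0/24 LAN behind a router that port-forwards TCP 80 to the box.

```shell
#!/bin/sh
# Added example (not from the thread): build an iptables-restore ruleset for
# a single-NIC home box behind a NAT router that forwards the web port to it.
# Policy: everything from the LAN allowed, only the listed TCP ports reachable
# from anywhere else, all other inbound traffic dropped and logged.
set -eu

# gen_rules LAN_CIDR TCP_PORT... -> ruleset on stdout (iptables-restore format)
gen_rules() {
    lan_cidr=$1; shift
    printf '%s\n' '*filter'
    # Default-deny INPUT and FORWARD; the box may still talk out freely.
    printf '%s\n' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
    # Loopback and replies to connections this host opened are always fine.
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    # "All internal allowed": the private LAN range (assumed value) gets full access.
    printf '%s\n' "-A INPUT -s $lan_cidr -j ACCEPT"
    # "All external blocked" except the public service ports.
    for port in "$@"; do
        printf '%s\n' "-A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Log (rate limited) before the chain's DROP policy eats the packet,
    # so port scans and brute-force attempts show up in syslog.
    printf '%s\n' '-A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw-drop: "'
    printf '%s\n' 'COMMIT'
}

# count_public_ports LAN_CIDR TCP_PORT... -> number of ports opened to the world;
# a quick sanity check before applying (the answer should be exactly what you meant).
count_public_ports() {
    gen_rules "$@" | grep -c -- '--dport'
}

# Apply for real only when asked (needs root). Assumed LAN: 192.168.1.0/24.
if [ "${1:-}" = "--apply" ]; then
    gen_rules 192.168.1.0/24 80 | iptables-restore
fi
```

Run without arguments to inspect the generated ruleset; the default DROP policy on INPUT is what makes the port-forwarded host safe to expose, since anything the router lets through that is not port 80 or LAN traffic is discarded.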

