Discussion:
Running Apache in chroot jail
Dan Egli
2014-10-14 07:09:12 UTC
Permalink
Hey plug folks,
I was wondering if anyone had any good URLs for how-to's or FAQs that
explain how to run Apache in a chroot jail. I'm in process of going through
my server configuration and moving everything possible into a chroot jail
for the extra security. The way I figure it, if someone does manage to hack
into my SMTP server, or my IMAP server, or something like that, then at
worst they get access to whatever is in that location, but don't get access
to anything critical. I'm guessing it reduces the likelihood of someone
using my system as a jumping point for spam or other hacks.

I've got the basic setup worked out for my mail servers and my DNS server.
The only other open TCP port on this machine (besides 22 for ssh,
obviously) is http/80. I know Apache has a module for running things in a
chroot environment (mod_root?) but I've never used it, nor until just
recently tried to migrate things to a chroot environment. So I'm looking
for documents that show the process.

Any suggestions are welcome. Basically I'm trying to minimize the exposure
in case someone does try to hack me. :)

--- Dan

/*
PLUG: http://plug.org, #utah on irc.freenode.net
Unsubscribe: http://plug.org/mailman/options/plug
Don't fear the penguin.
*/
Ken Jordan
2014-10-14 07:16:44 UTC
Permalink
You may want to look into Docker then if you're jailing everything.
Docker is pretty much AWESOME. It's designed to run applications in a
sandbox environment. Any command/daemon you can think of will probably
run inside a Docker container. I'm not great with it myself, but if
you take about 15 minutes and read the introductory docs you will see
this is what you're really looking for.

Ken Jordan
Post by Dan Egli
Hey plug folks,
I was wondering if anyone had any good URLs for how-to's or FAQs that
explain how to run Apache in a chroot jail. I'm in process of going through
my server configuration and moving everything possible into a chroot jail
for the extra security. The way I figure it, if someone does manage to hack
into my SMTP server, or my IMAP server, or something like that, then at
worst they get access to whatever is in that location, but don't get access
to anything critical. I'm guessing it reduces the likelihood of someone
using my system as a jumping point for spam or other hacks.
I've got the basic setup worked out for my mail servers and my DNS server.
The only other open TCP port on this machine (besides 22 for ssh,
obviously) is http/80. I know Apache has a module for running things in a
chroot environment (mod_root?) but I've never used it, nor until just
recently tried to migrate things to a chroot environment. So I'm looking
for documents that show the process.
Any suggestions are welcome. Basically I'm trying to minimize the exposure
in case someone does try to hack me. :)
--- Dan
/*
PLUG: http://plug.org, #utah on irc.freenode.net
Unsubscribe: http://plug.org/mailman/options/plug
Don't fear the penguin.
*/
/*
PLUG: http://plug.org, #utah on irc.freenode.net
Unsubscribe: http://plug.org/mailman/options/plug
Don't fear the penguin.
*/
Dan Egli
2014-10-15 05:45:39 UTC
Permalink
Sounds interesting. Got a URL? I think I may have heard mention of Docker
on the list before, but don't recall it's web site address.

Thanks for the tip!
--- Dan
Post by Ken Jordan
You may want to look into Docker then if you're jailing everything.
Docker is pretty much AWESOME. It's designed to run applications in a
sandbox environment. Any command/daemon you can think of will probably
run inside a Docker container. I'm not great with it myself, but if
you take about 15 minutes and read the introductory docs you will see
this is what you're really looking for.
Ken Jordan
Post by Dan Egli
Hey plug folks,
I was wondering if anyone had any good URLs for how-to's or FAQs that
explain how to run Apache in a chroot jail. I'm in process of going
through
Post by Dan Egli
my server configuration and moving everything possible into a chroot jail
for the extra security. The way I figure it, if someone does manage to
hack
Post by Dan Egli
into my SMTP server, or my IMAP server, or something like that, then at
worst they get access to whatever is in that location, but don't get
access
Post by Dan Egli
to anything critical. I'm guessing it reduces the likelihood of someone
using my system as a jumping point for spam or other hacks.
I've got the basic setup worked out for my mail servers and my DNS
server.
Post by Dan Egli
The only other open TCP port on this machine (besides 22 for ssh,
obviously) is http/80. I know Apache has a module for running things in a
chroot environment (mod_root?) but I've never used it, nor until just
recently tried to migrate things to a chroot environment. So I'm looking
for documents that show the process.
Any suggestions are welcome. Basically I'm trying to minimize the
exposure
Post by Dan Egli
in case someone does try to hack me. :)
--- Dan
/*
PLUG: http://plug.org, #utah on irc.freenode.net
Unsubscribe: http://plug.org/mailman/options/plug
Don't fear the penguin.
*/
/*
PLUG: http://plug.org, #utah on irc.freenode.net
Unsubscribe: http://plug.org/mailman/options/plug
Don't fear the penguin.
*/
/*
PLUG: http://plug.org, #utah on irc.freenode.net
Unsubscribe: http://plug.org/mailman/options/plug
Don't fear the penguin.
*/
Ken Jordan
2014-10-15 06:01:06 UTC
Permalink
Post by Dan Egli
Sounds interesting. Got a URL? I think I may have heard mention of Docker
on the list before, but don't recall it's web site address.
https://www.docker.com

Here is the interactive tutorial <https://www.docker.com/tryit/>

If you have access to ye olde Youtube.com watch this video for a great demo
of configuration management (SaltStack in my case) and Docker. Super
powerful stuff. I should've mentioned previously though that Docker is
totally dependent on Linux. You can only run it on Linux I mean. So if you
are using a BSD variant then you have jails which are also pretty cool, but
I think lagging a bit when it comes to support from config management tool.
But I did notice something that may be interesting while double checking my
facts here. Maybe someone can comment on this link (I haven't been using
FreeBSD actively for a while)?

http://docs.bsdploy.net/en/latest/quickstart.html

Anyway Dan, it might be helpful for us to know which OS you're using
underneath so we provide better suggestions.
​ You mention using chroot instead of jails so I'm guessing Linux but we
should probably be sure.


Regards,
Ken

/*
PLUG: http://plug.org, #utah on irc.freenode.net
Unsubscribe: http://plug.org/mailman/options/plug
Don't fear the
Levi Pearson
2014-10-15 06:40:20 UTC
Permalink
Post by Ken Jordan
I should've mentioned previously though that Docker is
totally dependent on Linux. You can only run it on Linux I mean.
Although that was absolutely true in the past, they've apparently
abstracted over the container mechanism now and you can run recent
versions on other platforms. If you've been using VMs (via Vagrant or
something, or even configured manually) to sandbox servers or software
builds, Docker-managed containers are worth checking out. I'm not
sure if they've got the same level of support from enterprise-level
management tools, but for small-scale stuff Docker provides an
excellent amount of automation over the bare platform container
services.
Post by Ken Jordan
By contrast, Docker relies on a different sandboxing method known as containerization. Unlike traditional virtualization, containerization takes place at the kernel level. Most modern operating system kernels now support the primitives necessary for containerization, including Linux with openvz, vserver and more recently lxc, Solaris with zones and FreeBSD with Jails.
--Levi

/*
PLUG: http://plug.org, #utah on irc.freenode.net
Unsubscribe: http://plug.org/mailman/options/plug
Don't fear the penguin.
*/
James Noble
2014-10-15 16:12:27 UTC
Permalink
Post by Ken Jordan
I should've mentioned previously though that Docker is
totally dependent on Linux. You can only run it on Linux I mean.
I noticed Docker is coming to Windows.
http://www.pcworld.com/article/2834132/microsoft-to-bring-docker-to-windows-server.html

/*
PLUG: http://plug.org, #utah on irc.freenode.net
Unsubscribe: http://plug.org/mailman/options/plug
Don't fear the penguin.
*/
Jonathan Duncan
2014-10-15 16:42:10 UTC
Permalink
Post by James Noble
Post by Ken Jordan
I should've mentioned previously though that Docker is
totally dependent on Linux. You can only run it on Linux I mean.
I noticed Docker is coming to Windows.
http://www.pcworld.com/article/2834132/microsoft-to-bring-docker-to-windows-server.html
https://docs.docker.com/installation/windows/

/*
PLUG: http://plug.org, #utah on irc.freenode.net
Unsubscribe: http://plug.org/mailman/options/plug
Don't fear the penguin.
*/
Levi Pearson
2014-10-15 16:48:05 UTC
Permalink
Post by James Noble
Post by Ken Jordan
I should've mentioned previously though that Docker is
totally dependent on Linux. You can only run it on Linux I mean.
I noticed Docker is coming to Windows.
http://www.pcworld.com/article/2834132/microsoft-to-bring-docker-to-windows-server.html
Just as a side note, if you're going to trim the quoted context of an
email in your reply, and you trim out everything that someone said,
you should probably trim out their attribution line as well. Otherwise
the context ends up confusing rather than helping.

--Levi

/*
PLUG: http://plug.org, #utah on irc.freenode.net
Unsubscribe: http://plug.org/mailman/options/plug
Don't fear the penguin.
*/
John Nielsen
2014-10-15 13:23:21 UTC
Permalink
Post by Ken Jordan
So if you
are using a BSD variant then you have jails which are also pretty cool, but
I think lagging a bit when it comes to support from config management tool.
But I did notice something that may be interesting while double checking my
facts here. Maybe someone can comment on this link (I haven't been using
FreeBSD actively for a while)?
http://docs.bsdploy.net/en/latest/quickstart.html
I use FreeBSD and regularly run jails, but haven't done so on a large scale in a production environment. I hadn't encountered BSDploy before but it looks neat. It relies on EZjail and Ansible, both of which I have encountered before. Using them together with some fancy Python and stellar documentation seems like a great thing.

In addition to Ansible, I know SaltStack works fine on FreeBSD. I haven't looked in to other configuration management tools.

Running one of the above in a jail should work just the same as running it on a host.

JN

/*
PLUG: http://plug.org, #utah on irc.freenode.net
Unsubscribe: http://plug.org/mailman/options/plug
Don't fear the penguin.
*/
Dan Egli
2014-10-16 06:56:26 UTC
Permalink
This is a Linux list, right? Of course I'm using Linux. :) Gentoo Linux to
be precise. Been using it for years, but like anything I've not learned it
as well as I could have, yet. I'll get there eventually. :)

I'll check Docker out. Thanks for the tip!
Post by Ken Jordan
Post by Dan Egli
Sounds interesting. Got a URL? I think I may have heard mention of Docker
on the list before, but don't recall it's web site address.
https://www.docker.com
Here is the interactive tutorial <https://www.docker.com/tryit/>
If you have access to ye olde Youtube.com watch this video for a great demo
of configuration management (SaltStack in my case) and Docker. Super
powerful stuff. I should've mentioned previously though that Docker is
totally dependent on Linux. You can only run it on Linux I mean. So if you
are using a BSD variant then you have jails which are also pretty cool, but
I think lagging a bit when it comes to support from config management tool.
But I did notice something that may be interesting while double checking my
facts here. Maybe someone can comment on this link (I haven't been using
FreeBSD actively for a while)?
http://docs.bsdploy.net/en/latest/quickstart.html
Anyway Dan, it might be helpful for us to know which OS you're using
underneath so we provide better suggestions.
​ You mention using chroot instead of jails so I'm guessing Linux but we
should probably be sure.

Regards,
Ken
/*
PLUG: http://plug.org, #utah on irc.freenode.net
Unsubscribe: http://plug.org/mailman/options/plug
Don't fear the penguin.
*/
/*
PLUG: http://plug.org, #utah on irc.freenode.net
Unsubscribe: http://plug.org/mailman/options/plug
Don'

Jonathan Duncan
2014-10-15 15:52:03 UTC
Permalink
Post by Ken Jordan
You may want to look into Docker then if you're jailing everything.
Docker is pretty much AWESOME. It's designed to run applications in a
sandbox environment. Any command/daemon you can think of will probably
run inside a Docker container. I'm not great with it myself, but if
you take about 15 minutes and read the introductory docs you will see
this is what you're really looking for.
Docker is awesome. Vagrant is another one (http://vagrantup.com).
/*
PLUG: http://plug.org, #utah on irc.freenode.net
Unsubscribe: http://plug.org/mailman/options/plug
Don't fear the penguin.
*/
Andy Bradford
2014-10-14 14:42:52 UTC
Permalink
I was wondering if anyone had any good URLs for how-to's or FAQs that
explain how to run Apache in a chroot jail.
Apache httpd runs with chroot by default on OpenBSD from base. You have
to intentionally disable it with -u if you don't want it.

Newer versions of OpenBSD use nginx (also likely chrooted) and there is
rumor that they will replace that with their own httpd, which will also
likely be chrooted.

I highly recommend starting with a base system that is secure by
default.

Andy
--
TAI64 timestamp: 40000000543d368f



/*
PLUG: http://plug.org, #utah on irc.freenode.net
Unsubscribe: http://plug.org/mailman/options/plug
Don't fear the penguin.
*/
Matt Melvin
2014-10-14 17:30:13 UTC
Permalink
Post by Dan Egli
I was wondering if anyone had any good URLs for how-to's or FAQs that
explain how to run Apache in a chroot jail.
This seems to outline the steps to do just that:
http://www.linux-faqs.info/apache/running-apache-in-chroot-jail
Post by Dan Egli
Any suggestions are welcome. Basically I'm trying to minimize the exposure
in case someone does try to hack me. :)
Maybe it doesn't help you, because you've already got your server set
up and running Linux, but I've become a big fan of FreeBSD in the
server space. FreeBSD's jails
(https://www.freebsd.org/doc/handbook/jails.html) are meant to do
exactly what you're trying to do: divide your processes up into
separate environments to minimize your security risk if a process is
compromised. Of course it's not the only solution, but it's one that
I know about that seems to fit the bill.

/*
PLUG: http://plug.org, #utah on irc.freenode.net
Unsubscribe: http://plug.org/mailman/options/plug
Don't fear the penguin.
*/
Matthew Frederico
2014-10-15 17:12:57 UTC
Permalink
I believe "betterlinux.com" has a system of doing this...
Post by Dan Egli
Hey plug folks,
I was wondering if anyone had any good URLs for how-to's or FAQs that
explain how to run Apache in a chroot jail. I'm in process of going through
my server configuration and moving everything possible into a chroot jail
for the extra security. The way I figure it, if someone does manage to hack
into my SMTP server, or my IMAP server, or something like that, then at
worst they get access to whatever is in that location, but don't get access
to anything critical. I'm guessing it reduces the likelihood of someone
using my system as a jumping point for spam or other hacks.
I've got the basic setup worked out for my mail servers and my DNS server.
The only other open TCP port on this machine (besides 22 for ssh,
obviously) is http/80. I know Apache has a module for running things in a
chroot environment (mod_root?) but I've never used it, nor until just
recently tried to migrate things to a chroot environment. So I'm looking
for documents that show the process.
Any suggestions are welcome. Basically I'm trying to minimize the exposure
in case someone does try to hack me. :)
--- Dan
/*
PLUG: http://plug.org, #utah on irc.freenode.net
Unsubscribe: http://plug.org/mailman/options/plug
Don't fear the penguin.
*/
--
--
-- Matthew Frederico

/*
PLUG: http://plug.org, #utah on irc.freenode.net
Unsubscribe: http://plug.org/mailman/options/plug
Don't fear the penguin.
*/
Loading...