
Re: chroot or vm?



On Tue, Feb 24, 2009 at 16:16, Nuno Magalhães <nunomagalhaes@eu.ipp.pt> wrote:
> Greetings,
>
> i'm planning on running an http server, mainly for fun and to learn a
> bit, on my home machine. That's the same machine that has my personal
> stuff. I know this is sort of a religious question, but what do you
> guys recommend: running the server in a chroot or in some VM? Or a
> combination of both? Right now i'm relying on the router's firewall,
> the usual all external blocked, all internal allowed, but if i want an
> internal machine public i'll want a real firewall. What's the default?
> iptables? Other suggestions? I'd really want to separate public stuff
> from private.
>
> I'm running unstable on an AMD64 with 4GB of RAM.

Are you planning on running cgi, mod_php or similar? If you are
serving static html, basic security practices and a firewall would
probably be enough. Dynamic web servers are much more
vulnerable.

iptables/netfilter is the Linux firewall, but there are many frontends
of various types. I like shorewall, which is a set of scripts that make
for much nicer rulesets than raw iptables. There are also graphical
frontends, but to me they seem as bad as iptables, just in the opposite
direction.

http://www.shorewall.net/

As for chroot, many use it as a security measure, but many very
knowledgeable people, such as Alan Cox, will tell you "chroot is not
and never has been a security tool."

http://kerneltrap.org/Linux/Abusing_chroot

Things like BSD Jails, Linux VServers and Solaris Containers are
security measures, but they go much further than chroot.

I couldn't really advise you on VServers vs full VMs, except that
I think vservers are more lightweight.

http://linux-vserver.org/Overview


Cheers,
Kelly Clowers
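A minimal raw iptables ruleset for the setup the question describes (one home machine, everything from the LAN allowed, only HTTP reachable from outside), added here as an illustration and not part of either poster's mail. The LAN subnet 192.168.1.0/24 is an assumed value; the rules are emitted as text so they can be reviewed before being applied with root.

```shell
#!/bin/sh
# Added example, not from the thread. Default-deny INPUT policy for a single
# home box: full access from the local subnet, only TCP/80 from anywhere else.
# Assumption (not in the thread): the LAN is 192.168.1.0/24; override via env.
LAN_NET="${LAN_NET:-192.168.1.0/24}"

# Print the ruleset as iptables commands instead of executing them, so the
# policy can be inspected (and checked) without root privileges.
fw_rules() {
    cat <<EOF
iptables -F INPUT
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
iptables -A INPUT -s $LAN_NET -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw-drop: "
EOF
}

# Number of ports opened to non-LAN sources; a quick sanity check that the
# public surface is exactly the one service you meant to expose.
fw_public_ports() {
    fw_rules | grep -c -- '--dport'
}

# Feed the emitted commands to a shell that stops at the first failure.
# Needs root; run as: sh thisfile.sh --apply
apply_rules() {
    fw_rules | sh -e
}

case "${1:-}" in
    --apply) apply_rules ;;
    *)       fw_rules ;;
esac
```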

