0

I have a pretty good idea of how to do this; I just wanted to make sure I wasn't going to be seriously screwing stuff up before I deployed it. I have a web application which uses uwsgi and nginx, and I wanted to chroot the app to a specific directory. I was planning on chrooting both nginx and uwsgi to the same directory. Now, I know how to do this, but would this be all I need to do to make it secure (in terms of jailing it), or is there anything else I should do? Alternatively, is chrooting one of them unnecessary? i.e., should I just chroot uwsgi or nginx and leave the other alone?

1 Answer

0

chroot is a good start in securing your webserver, but it only works correctly when uwsgi is working/configured correctly.

If you are really looking for a secure environment, you would also want to configure SELinux/AppArmor to restrict what your web server has access to. In this way, even if your web server is compromised and/or misconfigured, the damage would be limited to only being able to access what the web server had access to.

You still aren't really secure in the strictest sense. Other things that you would be interested in are things like what user the web server is running as, what permissions the web server has, what permissions you are allowing to applications your web server is running, how updates are being applied, what other processes are running, and so on.

Once you are comfortable with all of those things, you would look more into social engineering aspects of things, like: are your passwords secure? What about users using your system? Are you securing data to/from your web server?

In short, you can probably never do enough to make something secure depending on your definition of secure, but chroot is probably fine for what you are doing.

Clarus