3

I need a better resource than this or this on how to secure Apache2 using chroot on a Debian system. It seems most articles deal with Apache1. I tried to follow them and adapt to Apache2, but it only had bad results.

  • afaik, you do not secure apache by chrooting, but rather _try_ to contain the damage to the rest of the system in case of a breach. – benjamin Mar 20 '11 at 10:00

3 Answers

3

You can use mod_security to do this for you very easily.

The documentation is here.

Just install libapache-mod-security and add the following line to your apache.conf.

    SecChrootDir /chroot

David Pashley
2

Since you are running Debian, my advice would be to just use makejail, which creates old-style (external) jails with ease. I've used it many times without any trouble. I originally came up with the internal chroot idea implemented in ModSecurity (I am the author), which was subsequently implemented by mod_chroot and is now available in Apache itself. Had I known about makejail at the time, I would have never bothered with anything else.

Having said that, the internal chroot facility is generally very easy to use if your requirements are not complex. It is very important to choose the correct directory structure. For example, put your jail in /chroot/opt/apache, then create a symlink /opt/apache to /chroot/opt/apache. (It's been a while since I chrooted the stock Debian Apache and I don't remember exactly where Apache is installed.) That would make the paths inside and outside the jail identical, which is critical.

Also, Chapter 2 of Apache Security (which I wrote) is available online from http://www.apachesecurity.net. It contains a detailed discussion about chroot and step-by-step instructions. It starts on page 40.

-- Ivan Ristić ModSecurity Handbook & SSL Labs

Ivan Ristic
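
The directory layout described in the answer above can be checked mechanically. The following is an added example, not part of the original answers and not code from makejail or ModSecurity: it confirms that a path resolves to the same file inside and outside the jail. The function names and the `SYSROOT` argument are assumptions made so the check can run against a scratch tree; on a real host pass an empty `SYSROOT` and `/chroot` as the jail.

```bash
#!/usr/bin/env bash
# Added example (not from the original answers). Function names and the
# SYSROOT parameter are hypothetical; SYSROOT lets the check run on a scratch
# tree. On a real host use SYSROOT="" and JAIL=/chroot.

# same_in_and_out SYSROOT JAIL PATH
# Succeeds only when PATH seen from outside the jail (SYSROOT/PATH) and from
# inside it (JAIL/PATH) resolve to the same existing file.
same_in_and_out() {
    local sysroot="$1" jail="$2" path="$3" outside inside
    outside=$(readlink -f -- "$sysroot$path") || return 1
    inside=$(readlink -f -- "$jail$path") || return 1
    [ -e "$inside" ] && [ "$outside" = "$inside" ]
}

# audit_jail SYSROOT JAIL PATH...
# Reports every path; returns non-zero if any path differs between the views.
audit_jail() {
    local sysroot="$1" jail="$2" bad=0 p
    shift 2
    for p in "$@"; do
        if same_in_and_out "$sysroot" "$jail" "$p"; then
            echo "OK        $p"
        else
            echo "MISMATCH  $p"
            bad=1
        fi
    done
    return "$bad"
}

# build_layout SYSROOT: the layout from the answer, under a scratch root.
# The jail holds the real files; /opt/apache outside is a symlink into it.
build_layout() {
    mkdir -p "$1/chroot/opt/apache/conf" "$1/opt"
    ln -s "$1/chroot/opt/apache" "$1/opt/apache"
}

demo() {
    local root rc
    root=$(mktemp -d) || return 1
    build_layout "$root"
    mkdir -p "$root/var/www"   # constructed: exists only outside the jail
    audit_jail "$root" "$root/chroot" /opt/apache /opt/apache/conf /var/www
    rc=$?
    rm -rf "$root"
    return "$rc"
}
demo || true
```

A `MISMATCH` line means the path is either missing from the jail or is a separate copy outside it, so configuration that references it will behave differently before and after the chroot call.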
-1

This seems like an easy way, but is it really secure?