chroot, mod_security, or other web-server hardening tricks?

A place for discussion of topics that are not specific to ZoneMinder. This could include Linux, Video4Linux, CCTV cameras or any other topic.
lazyleopard
Posts: 403
Joined: Tue Mar 02, 2004 6:12 pm
Location: Gloucestershire, UK

Post by lazyleopard »

What sorts of web-server hardening tricks have folks tried in order to make the server they're running ZoneMinder on more secure?

I've been looking at mod_security, and I've been trying to get a server running in a chroot, but so far my experiments have generated little but frustration....
Rick Hewett
oskin
Posts: 84
Joined: Tue May 25, 2004 7:03 pm
Location: Moscow, Russia

Post by oskin »

There are a lot of safety problems that could be solved by running ZM as a single user distinct from apache. But IMHO it is impossible because of PHP. Am I right?
lazyleopard
Posts: 403
Joined: Tue Mar 02, 2004 6:12 pm
Location: Gloucestershire, UK

Post by lazyleopard »

The mod_security route works fine with mod_php. It's the other components that give trouble. This is what I've found so far:
  • The pure PHP parts, including the MySQL query stuff, work inside the mod_security chroot. The main catch is that the MySQL socket needs to be accessible from within the chroot, which can be done by poking a small hole in the chroot using

        mount --bind /var/run/mysqld   /chroot/var/run/mysqld

    or the equivalent fstab entry.
  • The zms cgi can be made to work inside the mod_security chroot simply by linking it -static.
  • Things go pear-shaped once the PHP code starts trying "exec", which it needs to do for a variety of things. All of a sudden it finds it needs Perl and a few other things which simply aren't there inside the mod_security chroot.
Rick Hewett
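An added example (shell, not code from the thread or from ZoneMinder) that turns the second and third bullets above into a check you can run before relying on a chroot: given the chroot root, it reports which exec targets have no copy inside it and which shared libraries a dynamically linked binary would fail to find there. The command list and the /chroot path in the usage comment are assumptions; take the real list from your own zm PHP source.

```shell
#!/bin/sh
# Added example, not code from the thread: audit a chroot for the programs
# ZoneMinder's PHP code execs and for the shared libraries those programs need.
# Assumption: the commands passed in are a constructed guess of what the PHP
# "exec" calls need; check your own zm source for the real list.

# chroot_missing_bins ROOT cmd...
# Prints each command that has no executable copy under ROOT in the usual
# bin directories. Returns 1 if anything is missing, 0 otherwise.
chroot_missing_bins() {
    root=$1; shift
    missing=0
    for cmd in "$@"; do
        found=0
        for dir in /bin /usr/bin /sbin /usr/sbin /usr/local/bin; do
            if [ -x "$root$dir/$cmd" ]; then
                found=1
                break
            fi
        done
        if [ "$found" -eq 0 ]; then
            echo "$cmd"
            missing=1
        fi
    done
    return $missing
}

# chroot_missing_libs ROOT binary
# For a dynamically linked binary on the host, prints each shared library that
# ldd reports and that has no copy at the same path under ROOT. A -static zms
# prints nothing, which is exactly why static linking sidesteps the problem.
chroot_missing_libs() {
    root=$1; bin=$2
    missing=0
    for lib in $(ldd "$bin" 2>/dev/null | awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\//) print $i }'); do
        if [ ! -e "$root$lib" ]; then
            echo "$lib"
            missing=1
        fi
    done
    return $missing
}

# Usage (the /chroot path and command names are assumptions for your own setup):
# chroot_missing_bins /chroot perl sh mysql || echo "exec targets missing: see above"
# chroot_missing_libs /chroot /usr/lib/cgi-bin/zms || echo "libraries missing: see above"
```

Run both checks again after every package upgrade inside the chroot, since a new Perl or PHP build can pull in libraries the chroot does not yet have.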
matrix
Posts: 11
Joined: Fri May 06, 2005 6:47 am

Post by matrix »

You may want to look into http://www.suphp.org/
mod_suphp uses php-cgi instead of mod_php and makes it possible to run PHP scripts as a specific user/group, much like suexec.

Not as tight as a chroot, but for complex environments it's easier to manage.

--francois