
chroot, mod_security, or other web-server hardening tricks?

Posted: Tue Feb 01, 2005 10:22 pm
by lazyleopard
What sorts of web-server hardening tricks have folks tried in order to make the server they're running ZoneMinder on more secure?

I've been looking at mod_security, and I've been trying to get a server running in a chroot, but so far my experiments have generated little but frustration....

Posted: Mon Feb 21, 2005 9:13 pm
by oskin
A lot of the safety problems could be solved by running ZM under a single user distinct from apache. But IMHO it is impossible because of PHP. Am I right?

Posted: Sat Mar 12, 2005 7:44 pm
by lazyleopard
The mod_security route works fine with mod_php. It's the other components that give trouble. This is what I've found so far:
  • The pure PHP parts, including the MySQL query stuff, work inside the mod_security chroot. The main catch is that the MySQL socket needs to be accessible from within the chroot, which can be done by poking a small hole in the chroot using

    mount --bind /var/run/mysqld   /chroot/var/run/mysqld
    or the equivalent fstab entry.
  • The zms cgi can be made to work inside the mod_security chroot simply by linking it -static
  • Things go pear-shaped once the PHP code starts trying "exec", which it needs to do for a variety of things. All of a sudden it finds it needs perl and a few other things which simply aren't there inside the mod_security chroot.
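
Added example, not part of the original posts: a POSIX shell check for the two problems described above, the bind-mounted MySQL socket directory and the binaries (such as perl) that PHP's exec calls cannot find inside the chroot. The paths /chroot and /var/run/mysqld come from the post; the function names and the script name are illustrative assumptions.

```shell
#!/bin/sh
# Added example. /chroot and /var/run/mysqld are the paths from the post;
# the function names are illustrative.
# fstab equivalent of the bind mount:
#   /var/run/mysqld  /chroot/var/run/mysqld  none  bind  0  0

# is_mounted MOUNTPOINT [MOUNTS_FILE]: succeed if MOUNTPOINT is a mount
# target (field 2) in the mounts table, which is where a bind mount shows up.
is_mounted() {
    awk -v mp="$1" '$2 == mp { found = 1 } END { exit !found }' \
        "${2:-/proc/self/mounts}"
}

# ldd_paths: read `ldd` output on stdin and print the absolute library paths.
# A binary linked -static yields no paths, so it needs nothing copied in.
ldd_paths() {
    awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\//) { print $i; break } }'
}

# missing_in_chroot CHROOT: read absolute paths on stdin and print those
# that do not exist under CHROOT.
missing_in_chroot() {
    while IFS= read -r p; do
        [ -e "$1$p" ] || printf '%s\n' "$p"
    done
}

# audit_binary CHROOT BINARY: print BINARY and each of its shared libraries
# that would be absent inside the chroot (e.g. perl, needed by PHP's exec).
audit_binary() {
    { printf '%s\n' "$2"; ldd "$2" 2>/dev/null | ldd_paths; } |
        missing_in_chroot "$1"
}

# Stand-alone use: sh chroot-audit.sh /chroot /usr/bin/perl
if [ "$#" -ge 2 ]; then
    is_mounted "$1/var/run/mysqld" ||
        echo "warning: $1/var/run/mysqld is not a mount point"
    audit_binary "$1" "$2"
fi
```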

Posted: Sat May 07, 2005 4:37 pm
by matrix
You may want to look into http://www.suphp.org/
mod_suphp uses php-cgi instead of mod_php and makes it possible to run PHP scripts as a specific user/group, much like suexec.

Not as tight as a chroot, but for complex environments it's easier to manage.

--francois