DaemonForums > OpenBSD > OpenBSD Security
httpd in a vm on a firewall

#1
27th January 2019
thefronny
Port Guard
Join Date: Oct 2008
Posts: 37

I currently have httpd running on my firewall. I've been able to get a vm running on that machine (it wasn't that hard at all, I found a good tutorial) and am wondering if there are any security benefits to having httpd running in a vm rather than natively on the firewall machine. I'm guessing the firewall is not a good place to begin with.

#2
27th January 2019
jggimi
More noise than signal
Join Date: May 2008
Location: USA
Posts: 7,122

Step 1: Think about the web server's design, and what a successful attacker could do.

The web server httpd(8) runs in a chroot(2) and is structured with privilege separation. In the event of a successful web server compromise, the attacker should have only unprivileged functions and be limited to the chroot() filesystem, which is /var/www by default.

You must determine what the impact of such a breach could be. Examine both the immediate access to data within the chroot(), and the use of the web server as a new attack vector.

Data access: Do you have anything of value stored within /var/www, or whatever chroot() you provision? Are there any databases, user data, or applications (such as PHP) that you want to protect? Are they protected from the www user?

Attack Vector: What internal network or socket access restrictions should be considered? What should the web server not normally be able to connect with? How will you block these attacks in advance, before a breach occurs?

Step 2: Consider the operational features of virtual machines.

You may want to separate the functions of your web applications. For example, you may want a web server to provide presentation services, an application server to provide the application's logic, and a database server to provide and store the data. By isolating the three functions, you may be able to provide performance scaling by adding and removing web and application servers as transaction demands vary. Or you may provide additional network layers to isolate your database servers from all external access except by your application servers.

But please, don't consider virtual machines a "security" feature. Consider them operational isolation.
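The two questions in Step 1 above (what the www user can reach inside the chroot, and what a compromised httpd could connect to) can both be turned into concrete checks. The script below is an added example, not part of jggimi's post or of OpenBSD's own tooling. It assumes the default chroot of /var/www, the pf interface group "egress" for the outside interface, and a hand-picked list of file name patterns that usually indicate secrets or databases; adjust all three for your host.

```shell
#!/bin/sh
# Added example: audit an httpd chroot and generate pf rules that deny a
# compromised httpd (user www) any outbound connection. Paths, the
# "egress" interface group and the name patterns below are assumptions.

# audit_chroot DIR
# Lists files under DIR that an attacker running as the unprivileged www
# user could misuse: world-writable files (a place to plant content or
# scripts) and world-readable files whose names suggest keys, databases
# or environment files. Findings go to stderr, the count to stdout.
audit_chroot() {
    dir=$1
    findings=$( {
        # Any file the www user can modify: persistence or defacement.
        find "$dir" -type f -perm -002 2>/dev/null \
            | sed 's/^/world-writable: /'
        # Any file the www user can read that looks like it holds
        # secrets or data (pattern list is an assumption; extend it).
        find "$dir" -type f -perm -004 \
            \( -name '*.key' -o -name '*.pem' -o -name '*.db' \
               -o -name '*.sqlite' -o -name '.env' \) 2>/dev/null \
            | sed 's/^/readable secret or data file: /'
    } )
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings" >&2
    fi
    printf '%s\n' "$findings" | grep -c . || true
}

# write_pf_rules FILE
# Writes a pf.conf fragment that admits web traffic to httpd and blocks
# every new TCP/UDP connection opened by the www user. pf's "user"
# option matches sockets owned by that user on this host, which is
# exactly the situation after an httpd compromise. Replies to inbound
# connections are covered by the state created by the pass rule, so
# they are not affected by the outbound block.
write_pf_rules() {
    cat > "$1" <<'EOF'
# Inbound: only what the web server must accept.
# "egress" is pf's group for the default-route interface (assumed).
pass in on egress proto tcp from any to (egress) port { 80 443 }

# Outbound: a compromised httpd runs as user www. Deny it any new
# connection: no reverse shells, no pivoting into the internal
# network, no reaching a backend it was never meant to talk to.
block out quick proto { tcp udp } user www

# If httpd legitimately needs a backend (for example FastCGI on
# another host), add a narrow pass rule above the block instead of
# widening it:
# pass out quick proto tcp to 192.0.2.10 port 9000 user www
EOF
    # Syntax-check the fragment when pfctl is available (OpenBSD);
    # silently skipped on other systems.
    if command -v pfctl >/dev/null 2>&1; then
        pfctl -nf "$1"
    fi
}

# Usage: sh httpd_chroot_check.sh /var/www
# Prints findings on stderr and the number of findings on stdout.
if [ -n "${1:-}" ]; then
    audit_chroot "$1"
fi
```

Run the audit as root so find(1) can descend into every directory of the chroot; run the generated rules through `pfctl -nf` before loading them, and confirm the block with something like `doas -u www nc -z -w 3 198.51.100.1 443` from the host (the connection should be refused by pf, not by the remote end).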
