DaemonForums  

Go Back   DaemonForums > FreeBSD > FreeBSD Security

FreeBSD Security Securing FreeBSD.

Reply
 
Thread Tools Display Modes
  #1   (View Single Post)  
Old 17th January 2009
Nk2Network Nk2Network is offline
Port Guard
 
Join Date: Jan 2009
Posts: 43
Default security apache

Hello everyone,

I am in a freebsd 7 I need to know to secure information to secure my apache


Reply With Quote
  #2   (View Single Post)  
Old 17th January 2009
DutchDaemon's Avatar
DutchDaemon DutchDaemon is offline
Real Name: Ben
Spam Refugee
 
Join Date: Jul 2008
Location: Rotterdam, The Netherlands
Posts: 336
Default

I don't think there is anything specifically 'FreeBSD' about securing Apache. Have you tried looking at Apache documentation and/or Apache forums?
Reply With Quote
  #3   (View Single Post)  
Old 17th January 2009
TerryP's Avatar
TerryP TerryP is offline
Arp Constable
 
Join Date: May 2008
Location: USofA
Posts: 1,547
Default

the only freebsd'isms you should be aware of, is you have the option of using a Jail rather then merely a chroot.
__________________
My Journal

Thou shalt check the array bounds of all strings (indeed, all arrays), for surely where thou typest ``foo'' someone someday shall type ``supercalifragilisticexpialidocious''.
Reply With Quote
  #4   (View Single Post)  
Old 17th January 2009
Nk2Network Nk2Network is offline
Port Guard
 
Join Date: Jan 2009
Posts: 43
Default

hello,

I would like to restrict access to process Apache file system in use Chrooter,I need help creating my Chrooter

begin this process by creating a new folder with road /chroot/httpd

PHP Code:
mkdir -/chroot/httpd/dev
mkdir 
-/chroot/httpd/etc
mkdir 
-/chroot/httpd/var/run
mkdir 
-/chroot/httpd/usr/lib
mkdir 
-/chroot/httpd/usr/libexec
mkdir 
-/chroot/httpd/usr/local/apache/bin
mkdir 
-/chroot/httpd/usr/local/apache/logs
mkdir 
-/chroot/httpd/usr/local/apache/conf
mkdir 
-/chroot/httpd/www 
The possessor of all such records must be the root, and access rights must be of 0755. Create special device file: /dev /null /


PHP Code:
-al /dev/null
crw
-rw-rw1 root wheel 22 Mar 14 12:53 /dev/null
mknod 
/chroot/httpd/dev/null c 2 2
chown root
:sys /chroot/httpd/dev/null
chmod 666 
/chroot/httpd/dev/null 
PHP Code:
added to /etc /rc.conf
I admit to being difficult to understand and possible to have an explanation so I can understand

Examples of use "ldd", orders "strings" et "truss" are below

PHP Code:
localhost# ldd /usr/local/apache/bin/httpd
/usr/local/apache/bin/httpd:
libcrypt.so.2 => /usr/lib/libcrypt.so.2 (0x280bd000)
libc.so.4 => /usr/lib/libc.so.4 (0x280d6000)

localhost# strings /usr/local/apache/bin/httpd | grep lib
/usr/libexec/ld-elf.so.1
libcrypt
.so.2
libc
.so.4

localhost
# truss /usr/local/apache/bin/httpd | grep open
(...)
open("/var/run/ld-elf.so.hints",0,00) = (0x3)
open("/usr/lib/libcrypt.so.2",0,027757775370) = (0x3)
open("/usr/lib/libc.so.4",0,027757775370) = (0x3)
open("/etc/spwd.db",0,00) = (0x3)
open("/etc/group",0,0666) = (0x3)
open("/usr/local/apache/conf/httpd.conf",0,0666) = (0x3)
(...) 
The above should not be applied only httpd program, but all libraries and binary files required

some command does not work

PHP Code:
cp /usr/local/apache/bin/httpd /chroot/httpd/usr/local/apache/binNo such 
file or directory
PHP Code:
cp /var/run/ld-elf.so.hints /chroot/httpd/var/run
command works
PHP Code:
cp /usr/lib/libcrypt.so.2 /chroot/httpd/usr/lib
No such file or directory
PHP Code:
cp /usr/lib/libc.so.4 /chroot/httpd/usr/lib
No such file or directory
PHP Code:
cp /usr/libexec/ld-elf.so.1 /chroot/httpd/usr/libexec
command works

Using the "truss" we can also discover that the following configuration files must be present in the chroote environment:

command works

PHP Code:
cp /etc/hosts /chroot/httpd/etc/
cp /etc/host.conf /chroot/httpd/etc/
cp /etc/resolv.conf /chroot/httpd/etc/
cp /etc/group /chroot/httpd/etc/
cp /etc/master.passwd /chroot/httpd/etc/passwords
cp 
/usr/local/apache/conf/mime.types /chroot/httpd/usr/local/apache/conf

Last edited by Nk2Network; 17th January 2009 at 10:21 PM.
Reply With Quote
  #5   (View Single Post)  
Old 18th January 2009
Nk2Network Nk2Network is offline
Port Guard
 
Join Date: Jan 2009
Posts: 43
Exclamation Chrooter

hello

I admit to being difficult to understand and possible to have an explanation so I can understand

Examples of use "ldd", orders "strings" et "truss" are below


PHP Code:
localhost# ldd /usr/local/apache/bin/httpd
/usr/local/apache/bin/httpd:
libcrypt.so.2 => /usr/lib/libcrypt.so.2 (0x280bd000)
libc.so.4 => /usr/lib/libc.so.4 (0x280d6000)

localhost# strings /usr/local/apache/bin/httpd | grep lib
/usr/libexec/ld-elf.so.1
libcrypt.so.2
libc.so.4

localhost# truss /usr/local/apache/bin/httpd | grep open
(...)
open("/var/run/ld-elf.so.hints",0,00) = 3 (0x3)
open("/usr/lib/libcrypt.so.2",0,027757775370) = 3 (0x3)
open("/usr/lib/libc.so.4",0,027757775370) = 3 (0x3)
open("/etc/spwd.db",0,00) = 3 (0x3)
open("/etc/group",0,0666) = 3 (0x3)
open("/usr/local/apache/conf/httpd.conf",0,0666) = 3 (0x3)
(...)

The above should not be applied only httpd program, but all libraries and binary files required

some command does not work


PHP Code:
cp /usr/local/apache/bin/httpd /chroot/httpd/usr/local/apache/bin/ No such

file or directory
PHP Code:
cp /var/run/ld-elf.so.hints /chroot/httpd/var/run/

command works
PHP Code:
cp /usr/lib/libcrypt.so.2 /chroot/httpd/usr/lib/

No such file or directory
PHP Code:
cp /usr/lib/libc.so.4 /chroot/httpd/usr/lib/

No such file or directory

PHP Code:
cp /usr/libexec/ld-elf.so.1 /chroot/httpd/usr/libexec/

command works
Reply With Quote
  #6   (View Single Post)  
Old 18th January 2009
Nk2Network Nk2Network is offline
Port Guard
 
Join Date: Jan 2009
Posts: 43
Default

Anybody can help for my problem
Reply With Quote
  #7   (View Single Post)  
Old 19th January 2009
TerryP's Avatar
TerryP TerryP is offline
Arp Constable
 
Join Date: May 2008
Location: USofA
Posts: 1,547
Default

Maybe you could try explaining it to people in plain english?

(Note: the idea of a chroot/jail is to prevent chroot/jail'ed things from leaving their prision.)
__________________
My Journal

Thou shalt check the array bounds of all strings (indeed, all arrays), for surely where thou typest ``foo'' someone someday shall type ``supercalifragilisticexpialidocious''.
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
security LOG problem paul-lkw FreeBSD General 5 9th July 2009 05:05 AM
Upgrade Apache 1.3 mod_ssl to Apache 2.2 beandip FreeBSD Ports and Packages 11 26th March 2009 09:12 PM
A failure in password security TerryP Off-Topic 3 25th September 2008 03:19 AM
strange security run output deadeyes FreeBSD Security 5 2nd July 2008 04:51 PM


All times are GMT. The time now is 10:04 AM.


Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2024, Jelsoft Enterprises Ltd.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick