Please forgive my noob questions as I (re)learn some of the basics of secure server setup:
My Setup
FreeBSD 9, a jail in it called webserver.mydomain.com, and apache 2.4.2 installed from source in the jail (so I can use the latest stable event mpm, although now everything is in /usr/local/apache244).
This will be a live production server that will be run behind an existing reverse proxy (in a jail) on another machine, so apache will listen on an unprivileged high port (8085+).
I will be the only one with physical access to all servers, the only person editing apache configs and maintaining the apps/OS, and most of the time the only one updating web content on it.
I may give someone chrooted sftp access to the documentroot folder to sync/update/backup web content.
Question 1
For bare minimum security (using a jail or not), should I be running apache as if it is set up in a shared hosting environment?
Something like this, where the documentroot (mydomain.com) is symlinked to the home of user mydomain.com:
Code:
/usr/local/www/mydomain.com ---> /usr/home/mydomain.com
I've read that, for security and performance reasons, symlinking should be turned off in directories apache serves.
If so, what is the best way of doing this?
And am I gaining any security by doing this or am I better to just use what I'm doing in Question 2?
The only benefit I can see is if I want to give someone ssh/scp access, but this can be accomplished with chrooted sftp and not giving them a user account.
Question 2
Should the apache user:group, e.g. webserver:webserver, own the subdirectories and files in documentroot?
I've read that apache should only have read access to web server content, and should run as a new unprivileged user, e.g. webserver.
What I've done so far:
Created a new unprivileged user for apache:
Code:
pw groupadd webserver
pw adduser webserver -g webserver -d /nonexistent -s /usr/sbin/nologin -c "User and group Apache runs as"
Then I've created a new unprivileged user for owning content in the documentroot (same process as above) named webadmin.
And then I've made the unprivileged apache webserver user part of the unprivileged webadmin group.
Code:
pw groupmod webadmin -m webserver
This should give the apache user webserver read access to the documentroot's contents when I:
Code:
chown -R webadmin:webadmin /usr/local/www/mydomain.com
# directories keep the execute bit so apache can traverse them; plain files are read-only
find /usr/local/www/mydomain.com -type d -exec chmod 555 {} +
find /usr/local/www/mydomain.com -type f -exec chmod 444 {} +
(mydomain.com of course being the documentroot)
This way the only way to change ownership of content in documentroot is to be root and chown content as webadmin.
Can I similarly change ownership to webadmin:webadmin and chmod to 444 apache's config and log files?
Am I doing this right?
Question 3
If I do 1 and 2, do I still need to run apache in a jail?
I've read that jails can add unnecessary processing overhead to production servers.
My main reason for using one would be to limit access to other network resources if an intruder gets into the jail.
But I already have a good server cloning and web content backup system, so re-provisioning a server isn't a big headache (yet) if it were hacked.
Thanks
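Added example, not part of the original post: a small POSIX sh script that applies the documentroot layout from Question 2 (content owned by webadmin:webadmin, directories 555, files 444) and then audits a tree for anything that deviates from it, including the symlinks Question 1 asks about. The path /usr/local/www/mydomain.com and the webadmin user/group are the post's own hypothetical names and are only defaults here; the sample tree used to exercise it is constructed. It uses only find, chmod and chown, so it runs unchanged in the jail's /bin/sh.

```sh
#!/bin/sh
# Added example (not from the original post): apply and audit the DocumentRoot
# layout from Question 2. Assumed defaults: docroot /usr/local/www/mydomain.com,
# content owner webadmin:webadmin (the post's hypothetical names).

# Apply the layout: content owned by OWNER:GROUP, directories 555 (apache needs
# the execute bit to traverse them, so a recursive 444 would serve nothing),
# plain files 444. chown needs root, so a non-root caller only gets mode fixes.
harden_docroot() {
    docroot=$1
    owner=${2:-webadmin}
    group=${3:-webadmin}
    if [ "$(id -u)" -eq 0 ]; then
        chown -R "$owner:$group" "$docroot"
    fi
    find "$docroot" -type d -exec chmod 555 {} +
    find "$docroot" -type f -exec chmod 444 {} +
}

# Print one line per deviation from that layout:
#   - symlinks: with Options FollowSymLinks a link planted in the docroot lets
#     apache read files outside it, so the tree should contain none
#   - wrong owner or group
#   - any write bit (owner, group or other); symlinks are skipped because their
#     own mode bits are meaningless
#   - execute bits on plain files
audit_docroot() {
    docroot=$1
    owner=${2:-webadmin}
    group=${3:-webadmin}
    find "$docroot" -type l -exec printf 'symlink: %s\n' {} \;
    find "$docroot" ! -user "$owner" -exec printf 'wrong owner: %s\n' {} \;
    find "$docroot" ! -group "$group" -exec printf 'wrong group: %s\n' {} \;
    find "$docroot" ! -type l \( -perm -0200 -o -perm -0020 -o -perm -0002 \) \
        -exec printf 'writable: %s\n' {} \;
    find "$docroot" -type f \( -perm -0100 -o -perm -0010 -o -perm -0001 \) \
        -exec printf 'executable file: %s\n' {} \;
}

# Number of audit findings, for use in scripts (0 means the tree matches).
count_violations() {
    n=$(audit_docroot "$@" | wc -l)
    echo $((n + 0))
}

# Run as: sh harden_docroot.sh /usr/local/www/mydomain.com [owner group]
if [ $# -gt 0 ]; then
    harden_docroot "$@"
    audit_docroot "$@"
fi
```

On the live box run it as root inside the jail so the chown applies, then check the result end to end with the apache account (FreeBSD's su -m keeps your shell, so the nologin shell on the webserver user does not get in the way): `su -m webserver -c 'cat /usr/local/www/mydomain.com/index.html'` must succeed and `su -m webserver -c 'touch /usr/local/www/mydomain.com/x'` must fail. The symlink check only pays off if the matching Apache setting is in place: in the <Directory> block for the docroot use `Options -FollowSymLinks` (or `SymLinksIfOwnerMatch` in place of `FollowSymLinks`), which is what the "turn symlinks off" advice means; the performance cost mentioned in Question 1 is that without FollowSymLinks apache has to lstat every path component on each request.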