So far, I have deployed over 35+ dedicated and VPS servers running lighttpd web server under Debian Linux, RHEL and Fedora Core Linux. It is a very common scenario where you read that xyz blog or site hacked (read as cracked). How you are going to prevent such problems? The ultimate solution or answer is use chroot() security feature - it allows you to build hard to crack web server. Put your lighttpd into chrooted jail. But, what is chroot on Linux?
A chroot on Linux or Unix OS is an operation that changes the root directory. It affects only the current process and its children. If your default Document Root is /home/lighttpd normal user can access files in /etc, /sbin or /bin directory. This allows an attacker to install programs / backdoor via your web server in /tmp. Almost all-cracking web based attacks/attempts requires a shell access - /bin/sh or /bin/bash and compiler collection etc.
Lighttpd security tips
- Run lighttpd as normal user so that you can drop root access/rights as soon as they go into background. This is almost default these days.
- Do not grant root access to anyone use sudo
- Do not grant shell access to everyone (e.g. FTP and email users).
- Default firewall policy - close all doors open required windows i.e. only open or filter required ports
- Run lighttpd in service in chrooted jail
- Run only required network servers or services
- Monitor lighttpd and system logs using logwatch or other automated softwares
- Most important backup regularly
Today I am going to write about the biggest security feature offers by Lighttpd - chroot() jail.
Running your lighttpd web server in chrooted jail has its own advantages and disadvantages.
- The biggest advantage is improved security (remember 99% script kiddies and other attacks required access outside Web server document root).
- The disadvantageis it is hard to maintain and setup chrooted web server.
With chrooting you use a special part of file system (also called as jail). Once the chroot called the application, no one access anything outside the jail. For example, consider following setup:
/ /bin /usr /home /etc/ /webroot |-/tmp |-/usr |-/home/lighttpd /tmp /lib ... ...
When you start lighttpd web server, directory /weboot becomes the / (root) directory for lighttpd. Only the root user can escape the jail:
=> Your web server users
=> An attacker cannot access real file system and all other binaries.
The idea is quite simple if an attacker manages to get in via the lighttpd web server he will not have access to anything because he will be in jail. He cannot escape to real server (file system).
Article so far in this series...
- Debian Linux Lighttpd jail installation setup how to (PHP+MySQL)
- Debian Linux Lighttpd perl+mysql setup
- How to setup sendmail php mail() support for chrooted Lighttpd or Apache web server
- See all Lighttpd Web server related articles.