Ultimate Lighttpd webserver security
So far, I have deployed over 35 dedicated and VPS servers running the lighttpd web server under Debian Linux, RHEL and Fedora Core Linux. It is very common to read that some blog or site has been hacked (read: cracked). How are you going to prevent such problems? The answer is the chroot() security feature: it lets you build a web server that is hard to crack. Put your lighttpd into a chrooted jail. But what is chroot on Linux?
A chroot on Linux or Unix is an operation that changes the root directory. It affects only the current process and its children. If your default document root is /home/lighttpd, the web server running as a normal user can still access files in /etc, /sbin or /bin. This allows an attacker to install programs or a backdoor via your web server in /tmp. Almost all web-based cracking attempts require shell access (/bin/sh or /bin/bash), a compiler collection and so on.
Lighttpd security tips
- Run lighttpd as a normal user so that it drops root rights as soon as it goes into the background. This is almost the default these days.
- Do not grant root access to anyone; use sudo.
- Do not grant shell access to everyone (e.g. FTP and email users).
- Default firewall policy: close all doors and open only the required windows, i.e. open or filter only the required ports.
- Run the lighttpd service in a chrooted jail.
- Run only the required network servers or services.
- Monitor lighttpd and system logs using logwatch or other automated software.
- Most important: back up regularly.
Today I am going to write about the biggest security feature offered by lighttpd: the chroot() jail.
Running your lighttpd web server in a chrooted jail has its own advantages and disadvantages.
- The biggest advantage is improved security (remember that 99% of script kiddies and other attacks require access outside the web server document root).
- The disadvantage is that a chrooted web server is harder to set up and maintain.
With chrooting you use a special part of the file system (also called a jail). Once the application has called chroot(), nothing can access anything outside the jail. For example, consider the following setup:
/
/bin
/usr
/home
/etc/
/webroot
|-/tmp
|-/usr
|-/home/lighttpd
/tmp
/lib
...
...
When you start the lighttpd web server, the directory /webroot becomes the / (root) directory for lighttpd. Only the root user can escape the jail; the following cannot reach the real file system or any other binaries:
=> You
=> Your web server users
=> An attacker
The idea is quite simple: if an attacker manages to get in via the lighttpd web server, he will not have access to anything because he will be in the jail. He cannot escape to the real server file system.
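As an added illustration (not code from this article or from lighttpd itself), this is the order of operations a daemon has to follow to enter the jail and drop root: chroot() while still root, chdir("/") so the working directory does not stay outside the jail, then groups, gid and uid. The /webroot jail and the lighttpd user are assumptions taken from the layout above; enter_jail is a hypothetical helper name.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Enter the jail and drop root, in the order a daemon has to use.
 * Returns 0 on success or -errno on failure so the caller can bail out. */
int enter_jail(const char *jail, uid_t uid, gid_t gid)
{
    /* chroot() needs CAP_SYS_CHROOT, so it must run before privileges are dropped. */
    if (chroot(jail) != 0)
        return -errno;
    /* The working directory still points outside the new root until chdir("/");
     * skipping this step is the classic chroot mistake. */
    if (chdir("/") != 0)
        return -errno;
    /* Supplementary groups first, then gid, then uid; uid last, because once
     * the process is unprivileged the other two calls would be refused. */
    if (setgroups(0, NULL) != 0)
        return -errno;
    if (setgid(gid) != 0)
        return -errno;
    if (setuid(uid) != 0)
        return -errno;
    /* Refuse to continue if root could be regained. */
    if (uid != 0 && setuid(0) == 0)
        return -EPERM;
    return 0;
}

int main(int argc, char **argv)
{
    /* Usage: ./jail /webroot lighttpd  (must be started as root). */
    const char *jail = argc > 1 ? argv[1] : "/webroot";  /* assumed jail path */
    const char *user = argc > 2 ? argv[2] : "lighttpd";  /* assumed daemon user */
    struct passwd *pw = getpwnam(user);
    if (pw == NULL) {
        fprintf(stderr, "no such user: %s\n", user);
        return 1;
    }
    int rc = enter_jail(jail, pw->pw_uid, pw->pw_gid);
    if (rc != 0) {
        fprintf(stderr, "enter_jail(%s) failed: %s\n", jail, strerror(-rc));
        return 1;
    }
    /* From here on "/" is the jail: the real /etc, /bin and /sbin are out of reach. */
    printf("uid=%u inside %s; real /etc/passwd reachable: %s\n", (unsigned)getuid(),
           jail, access("/etc/passwd", R_OK) == 0 ? "yes (jail has its own copy)" : "no");
    return 0;
}
```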
Index
Articles so far in this series:
- Debian Linux Lighttpd jail installation setup how to (PHP+MySQL)
- Debian Linux Lighttpd perl+mysql setup
- How to setup sendmail php mail() support for chrooted Lighttpd or Apache web server
- See all Lighttpd Web server related articles.
Discussion on This Article:
I have sudo enabled on a webserver I maintain; maybe it is not such a good idea. But the intruder would first have to be able to log into my account, no? I am the only user enabled in sudoers.
Colin,
sudo removes the need to share the root password. Another thing is that logging in as root is not a good idea (just imagine an accidental rm -rf /). So it is a good idea to run sudo.
Appreciate your post.
How is this a guide?
Can you give more detail please? Maybe include some steps, how the root.document setting fits in, and how you chroot with cgi scripts etc. Thanks a bunch
P.S. Anyone else have a good lighttpd chroot guide?
reader87634576,
It is here
Can you give me information about security measures?