Ultimate Lighttpd webserver security


So far, I have deployed over 35 dedicated and VPS servers running the lighttpd web server under Debian Linux, RHEL and Fedora Core Linux. It is a very common scenario to read that xyz blog or site was hacked (read as cracked). How are you going to prevent such problems? The ultimate answer is to use the chroot() security feature: it lets you build a web server that is hard to crack by putting lighttpd into a chrooted jail. But what is chroot on Linux?

A chroot on Linux or Unix is an operation that changes the apparent root directory. It affects only the current process and its children. Without it, if your document root is /home/lighttpd, the web server process (and therefore anyone who compromises it) can still read files in /etc, /sbin or /bin, and can drop programs or a backdoor into a world-writable directory such as /tmp. Almost all web-based cracking attempts need a shell (/bin/sh or /bin/bash), a compiler collection and similar tools; a jail that does not contain them takes those tools away from the attacker.

Lighttpd security tips

  • Run lighttpd as a normal user so that it drops root rights as soon as it goes into the background. This is almost the default these days.
  • Do not grant root access to anyone; use sudo.
  • Do not grant shell access to everyone (e.g. FTP and email users).
  • Default firewall policy: close all doors and open only the required windows, i.e. open or filter only the required ports.
  • Run the lighttpd service in a chrooted jail.
  • Run only the required network servers or services.
  • Monitor lighttpd and system logs using logwatch or other automated software.
  • Most important: back up regularly.

Today I am going to write about the biggest security feature offered by lighttpd: the chroot() jail.

Running your lighttpd web server in a chrooted jail has its own advantages and disadvantages.

  • The biggest advantage is improved security (remember, 99% of script kiddies and other attacks require access outside the web server document root).
  • The disadvantage is that a chrooted web server is harder to set up and maintain: every file the server (and any CGI it runs) needs must be copied into the jail and kept up to date there.

With chrooting you use a special part of the file system (also called a jail). Once the application has called chroot(), it cannot access anything outside the jail. For example, consider the following setup:


When you start the lighttpd web server, the directory /weboot becomes the / (root) directory for lighttpd. Only the root user can escape the jail; everyone else is confined to it:
=> You
=> Your web server users
=> An attacker, who cannot access the real file system or any other binaries.

The idea is quite simple: if an attacker manages to get in via the lighttpd web server, he will not have access to anything outside the jail and cannot escape to the real server file system. One caveat follows from "only root can escape": chroot() is not a security boundary for a process that is still running as root, so lighttpd must drop to an unprivileged user (server.username / server.groupname) immediately after chrooting, and nothing inside the jail may be setuid root.
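The setup described above in working form, as an added example that is not part of the original article or of the lighttpd project: a POSIX shell script that builds a skeleton jail, writes a lighttpd.conf that chroots into it and drops root, and then audits the jail for the shells, compilers, interpreters and setuid binaries an intruder would need. The jail path /weboot from the article, the user name lighttpd, the port and the log paths are assumptions; the chown step that makes the jail read-only for the web user needs root and is left as a comment.

```shell
#!/bin/sh
# Added example, not part of the original article or of lighttpd itself.
# Builds a skeleton jail, writes a lighttpd.conf that chroots into it and
# drops root, then audits the jail for the tools an intruder would need.
# The jail path, user name, port and log paths are assumptions.
set -eu

# build_jail JAIL: create the tree lighttpd will see as "/" and the config.
build_jail() {
    jail="$1"
    mkdir -p "$jail/htdocs"
    printf '<h1>served from inside the jail</h1>\n' > "$jail/htdocs/index.html"
    # In production (as root): chown -R root:root "$jail"; chmod -R a-w,o+rX "$jail"
    # so the web user can read the jail but never write into it.
    cat > "$jail/lighttpd.conf" <<EOF
server.port = 80
# lighttpd calls chroot() into this directory at startup:
server.chroot = "$jail"
# once chrooted, server.document-root is relative to the jail,
# so "/htdocs" here is $jail/htdocs on the host
server.document-root = "/htdocs"
# the error log and pid file are opened before chroot(), so these are host paths
server.errorlog = "/var/log/lighttpd/error.log"
server.pid-file = "/var/run/lighttpd.pid"
# root can walk out of a chroot, so drop to an unprivileged user right after it
server.username = "lighttpd"
server.groupname = "lighttpd"
EOF
}

# audit_jail JAIL: return 1 if the jail contains anything an attacker could
# use to regain privileges (setuid/setgid files) or to work with (shells,
# compilers, interpreters). A static-content jail needs none of these.
audit_jail() {
    jail="$1"
    bad=$(
        find "$jail" -type f \( -perm -4000 -o -perm -2000 \)
        find "$jail" -type f -perm -0100 | while read -r f; do
            case "${f##*/}" in
                sh|bash|dash|ksh|csh|zsh|cc|gcc|g++|make|perl|python*)
                    printf '%s\n' "$f" ;;
            esac
        done
    )
    if [ -n "$bad" ]; then
        printf 'unsafe files inside jail %s:\n%s\n' "$jail" "$bad" >&2
        return 1
    fi
    return 0
}

# Usage (as root): build_jail /weboot && audit_jail /weboot && lighttpd -f /weboot/lighttpd.conf
```

The audit is the check to rerun after every package upgrade or CGI deployment: the moment someone copies /bin/sh or a perl binary into the jail to make a script work, the jail has lost exactly the property the article relies on.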



6 comments… add one
  • Colin Jan 10, 2007 @ 3:57

    I have sudo enabled on a webserver I maintain; maybe it is not such a good idea. But the intruder would first have to be able to log into my account, no? I am the only user enabled in sudoers.

  • 🐧 nixCraft Jan 10, 2007 @ 6:50

    Colin ,

    sudo removes the need to share the root password. Another thing is that logging in as root is not a good idea (just imagine an accidental rm -rf /). So it is a good idea to run sudo.

    Appreciate your post.

  • reader87634576 Mar 3, 2007 @ 6:39

    How is this a guide?
    Can you give more detail please? Maybe include some steps, how the root.document setting fits in, and how you chroot with cgi scripts etc. Thanks a bunch

    P.S. Anyone else have a good lighttpd chroot guide?

  • 🐧 nixCraft Mar 3, 2007 @ 7:32

    It is here

  • Arul Jul 16, 2008 @ 13:41

    Can you give me information about security measures?

  • Hany el-Kerdany Sep 11, 2009 @ 6:25

    Doesn’t compiling lighty from source make this task a lot easier,
    for example by changing all the installation-location-specific configuration options, e.g.:

    This way all you have to do is set permissions on the folder, and there is no need for a script to pick and copy scattered files from various system folders.

    What do you think ?
