Ultimate Lighttpd webserver security

last updated in Categories lighttpd, Security
Lighttpd logo

So far, I have deployed over 35+ dedicated and VPS servers running lighttpd web server under Debian Linux, RHEL and Fedora Core Linux. It is a very common scenario where you read that xyz blog or site hacked (read as cracked). How you are going to prevent such problems? The ultimate solution or answer is use chroot() security feature – it allows you to build hard to crack web server. Put your lighttpd into chrooted jail. But, what is chroot on Linux?

A chroot on Linux or Unix OS is an operation that changes the root directory. It affects only the current process and its children. If your default Document Root is /home/lighttpd normal user can access files in /etc, /sbin or /bin directory. This allows an attacker to install programs / backdoor via your web server in /tmp. Almost all-cracking web based attacks/attempts requires a shell access – /bin/sh or /bin/bash and compiler collection etc.

Lighttpd security tips

  • Run lighttpd as normal user so that you can drop root access/rights as soon as they go into background. This is almost default these days.
  • Do not grant root access to anyone use sudo
  • Do not grant shell access to everyone (e.g. FTP and email users).
  • Default firewall policy – close all doors open required windows i.e. only open or filter required ports
  • Run lighttpd in service in chrooted jail
  • Run only required network servers or services
  • Monitor lighttpd and system logs using logwatch or other automated softwares
  • Most important backup regularly

Today I am going to write about the biggest security feature offers by Lighttpd – chroot() jail.

Running your lighttpd web server in chrooted jail has its own advantages and disadvantages.

  • The biggest advantage is improved security (remember 99% script kiddies and other attacks required access outside Web server document root).
  • The disadvantageis it is hard to maintain and setup chrooted web server.

With chrooting you use a special part of file system (also called as jail). Once the chroot called the application, no one access anything outside the jail. For example, consider following setup:


When you start lighttpd web server, directory /weboot becomes the / (root) directory for lighttpd. Only the root user can escape the jail:
=> You
=> Your web server users
=> An attacker cannot access real file system and all other binaries.

The idea is quite simple if an attacker manages to get in via the lighttpd web server he will not have access to anything because he will be in jail. He cannot escape to real server (file system).


Article so far in this series…

Posted by: Vivek Gite

The author is the creator of nixCraft and a seasoned sysadmin, DevOps engineer, and a trainer for the Linux operating system/Unix shell scripting. Get the latest tutorials on SysAdmin, Linux/Unix and open source topics via RSS/XML feed or weekly email newsletter.

6 comment

  1. I have sudo enabled on a webserver I maintain; maybe it is not such a good idea. But the intruder would first have to be able to log into my account, no? I am the only user enabled in sudoers.

  2. Colin ,

    sudo removes the need of sharing root password. Another thing is login as root is not good idea (just imagine accidental rm -rf /). So it is a good idea to run sudo.

    Appreciate your post.

  3. How is this a guide?
    Can you give more detail please? Maybe include some steps, how the root.document setting fits in, and how you chroot with cgi scripts etc. Thanks a bunch

    P.S. Anyone else have a good lighttpd chroot guide?

  4. Doesn’t compiling lighty from source make this task a lot easier,
    for example, by changing all installation-location-specific configuration options, e.g:

    this way all you have to do is set permissions on the folder, and no need for a script to pick and copy scattered files from various system folders.

    What do you think ?

    Have a question? Post it on our forum!