Firewall Wizards mailing list archives

Re: Web server security?


From: "Paul D. Robertson" <paul () compuwar net>
Date: Tue, 22 Jun 2004 08:01:39 -0400 (EDT)

On Tue, 22 Jun 2004, Steffen Kluge wrote:

> Upon further delving into the matter, I found that the SELinux community
> reckons they're adding value mainly in situations where you run various
> different services on a single machine. They seem to think SELinux is

While separation is certainly good in that case, it's also very good in
the "this service can't be compromised from this vector" case if the TCB
is extended into the network stack (à la Red Book B2).

For instance, the ability to lock down content by MAC compartment so that
you can only modify it if you're coming in from one specific IP address is
at least "interesting."

> probably not worthwhile for "single-trick ponies", since its main
> purpose is to isolate unrelated subsystems from each other (such as
> keeping a hacked web server from messing with IMAP accounts).


I prefer RSBAC for a bunch of reasons, but if someone's done the hard bit
for SELinux, I'd do that instead.  The core capability stuff is certainly
interesting for generic kernels, but I'm really looking to lock down a
server pretty well.

FC2 is only interesting to me in that it contains Exec Shield, which
should take away stack and heap overflows, leaving us perhaps with just
return-into-libc exploits and software bugs...  I've got a kernel module
that needs dusting off and doesn't allow daemons to execve, which makes
things a little better for that last vector...

> I tend to set up my Internet exposed servers to run exactly one service
> (plus SSH, not exposed to the outside world), and strip them down
> accordingly. I concluded that SELinux isn't going to be worth the
> trouble in these cases.
>
> If you are concerned about web-only servers you might end up reaching
> the same conclusion.

Nope, I'm going to put SSL on my personal server in an attempt to sell
some of my photography, and I know the additional complexity is going to
require more frequent updates.  It's also about time for more Apache
issues, and I'm starting to mess with gcgi much more.  The combination of
things means that I need to lock down what's there, since those services
will have to be exposed anyway.

UML's interesting, since it would mean I could just get another IP address
spun up for administrative chores, and maybe even look at some interesting
architectures that would limit exposure to that at my colo provider.

Additionally, if I can do a DockmasterII-alike Apache daemon, where the
user's Web credentials set their MAC level and/or role, then I can start
playing with more interesting ideas.

My alternative is to go to a VPS and let the provider worry about updates,
but where's the fun in that?

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
paul () compuwar net       which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment TruSecure Corporation
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
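The "daemons can't execve" idea Paul mentions above is worth seeing in working form, because it is the cheapest way to take the classic return-into-libc payload (chain into system() or execve() and spawn a shell) off the table for a single-service box. The following is an added example, not Paul's kernel module and not code from the list: it uses the seccomp-bpf facility of modern Linux (which did not exist in 2004) instead of a custom module, and assumes a Linux kernel with seccomp filtering enabled, an x86_64 or aarch64 build, and a /bin/sh on the box. The daemon would call deny_execve() once after startup; check_execve_blocked() forks a child to prove the filter actually refuses execve with EPERM while ordinary syscalls keep working.

```c
/* Added example (not from the original post): refuse execve()/execveat()
 * to a process so a return-into-libc chain that reaches system() or
 * execve() gets EPERM instead of a shell. Uses seccomp-bpf (assumed
 * available) rather than the kernel module the post describes. */
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

#if defined(__x86_64__)
#define ARCH_NR AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define ARCH_NR AUDIT_ARCH_AARCH64
#else
#error "this example only covers x86_64 and aarch64"
#endif

/* Allow every syscall except execve and execveat, which fail with EPERM.
 * The arch check first is mandatory: syscall numbers differ per ABI, so
 * a filter that skips it can be bypassed by switching to the 32-bit ABI. */
static struct sock_filter filter[] = {
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, ARCH_NR, 1, 0),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_execve, 2, 0),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_execveat, 1, 0),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
};

unsigned filter_len(void)
{
    return (unsigned)(sizeof(filter) / sizeof(filter[0]));
}

/* Install the filter on the calling process; inherited by children.
 * Returns 0 on success, -1 if the kernel refused (no seccomp here). */
int deny_execve(void)
{
    struct sock_fprog prog = { .len = (unsigned short)filter_len(), .filter = filter };
    /* Required for an unprivileged caller, and also stops a later setuid
     * exec (if one ever got through) from regaining privilege. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) != 0)
        return -1;
    return 0;
}

/* Fork a child, lock it down, and have it try to run /bin/sh. Returns
 *   1  execve was refused with EPERM (the mitigation works),
 *   0  the shell actually ran (filter ineffective),
 *  -1  inconclusive (filter could not be installed, or execve failed
 *      for an unrelated reason such as a missing /bin/sh). */
int check_execve_blocked(void)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (deny_execve() != 0)
            _exit(10);
        char *const argv[] = { "/bin/sh", "-c", "exit 13", NULL };
        execve("/bin/sh", argv, NULL);
        /* Only reached when execve itself failed. */
        _exit(errno == EPERM ? 11 : 12);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    switch (WEXITSTATUS(status)) {
    case 11: return 1;   /* EPERM from the filter */
    case 13: return 0;   /* the shell ran: execve was allowed */
    default: return -1;  /* 10 or 12: could not tell */
    }
}

int main(void)
{
    int r = check_execve_blocked();
    printf("execve after filter: %s\n",
           r == 1 ? "refused with EPERM" :
           r == 0 ? "ALLOWED (filter ineffective)" :
                    "inconclusive (seccomp unavailable?)");
    return r == 1 ? 0 : 1;
}
```

Returning EPERM rather than killing the process is a deliberate choice for a daemon: a crash-on-exec policy turns every blocked payload into a denial of service and noisy core dumps, whereas EPERM lets the worker log the attempt and keep serving. The trade-off is that the attacker's code is still running in the process at that point, so this only removes the "spawn a shell" step; the filter must be installed before the daemon touches untrusted input, and anything it needs to exec legitimately (CGI helpers, for instance) has to be moved out of process first.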