Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Security-Basics
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: To chroot or not to chroot?

from [Josh Tolley] Network Security [Permanent Link]
Subject: Re: To chroot or not to chroot?
Date: Thu, 24 Nov 2005 22:34:45 -0700 
The question here is "Is it worth the effort it would take to chroot
everything?" How much time/effort would it take for you to get
everything chrooted? Is the security of the site and the extra
security chrooting everytihing would add worth spending the time?
Should you instead just chroot some services? It's all a question of
risk vs. cost. As to your "Do I really make any difference" question,
of course you do. Perhaps it's easier to break into a web server
running, say, PHP, than to break into one serving only static pages,
but still, once you've broken in, you're still chrooted. It's a very
effective security measure, and if it's worth it for the site in
question, yes, do it.

-Josh Tolley

On 11/23/05, Martín Villalba <famafcs@gmail.com> wrote:

Hi, list! Maybe you can help me with this: I'm about to install a
webserver, which should have an http server, webmail, php support,
dns, ftp, remote login and a couple more things. Obviously, with all
those ports open, I must take every security measure I know (and some
I don't). But here comes my doubt: should I jail the webserver with
chroot? My first thought was "Duh, yes!", but thinking about it,
having all those services running at the same time, do I really make
any difference? It seems to me that in such environment a cracker (no,
i'm not writing "hacker") could do anything he (maybe she?) wants...
Ideas? Suggestions? Donations (cash, please)?
C-you

Martín
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  RE: SF new article announcement: Tenable discusses the Nessus 3 release, mail list
Next by Date:  Re: Selectively disabling USB devices, Bernardo Wernesback
Previous by Thread:  RE: To chroot or not to chroot?, Jeroen van Meeuwen
Next by Thread:  Re: To chroot or not to chroot?, darren kirby
Indexes:  [Date] [Thread] [Top] [All Lists]