Does it make sense to block outgoing connections for a web server? There are some cases where our apps do connect to things like external APIs, and they do it on the backend, not necessarily in-browser.
On Fri, Jan 18, 2013 at 2:36 PM, P Fudd <pf...@binkmail.com> wrote:

> On 18 January 2013 16:31, Zachary Stern <z...@enternewmedia.com> wrote:
> > I wanted to get some opinions - do you folks think running httpd in a
> > chroot jail is necessary on a server that only does httpd-serving and
> > nothing else?
>
> A chroot jail prevents a hacker from accessing anything you don't put in
> the jail. If you make everything read-only inside the jail, a hacker
> would be hard-pressed to mess things up, and would only be able to copy
> what is in the jail. Definitely don't put writable /dev/sd* device files
> in the jail, or expect your hard drive to get corrupted.
>
> Hopefully you block outgoing connections and/or don't leave a copy of
> netcat or telnet in there, so they can't use your machine as a jumping-off
> point to hack someone else, or spew spam to the world. I think users can
> even use bash to connect to tcp ports on the net, so there's another thing
> to block.
>
> Cheers!
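An added example, not part of the thread, showing what the "block outgoing connections" advice looks like as an egress allow-list for the situation the question describes (a web server whose backend calls a few external APIs). The service account name, resolver and API addresses are hypothetical placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Emits an iptables-restore ruleset that
# turns the advice above into an egress allow-list: OUTPUT defaults to DROP,
# replies to connections accepted inbound still flow (conntrack), and only
# the httpd user may open TCP/443 to the back-end API hosts. The user name
# and addresses are hypothetical placeholders (RFC 5737 documentation ranges).
egress_rules() {
  web_user="$1"      # account httpd runs as, e.g. www-data
  resolvers="$2"     # space-separated DNS resolver IPs
  api_hosts="$3"     # space-separated IPs of the external APIs the app calls

  echo '*filter'
  echo ':OUTPUT DROP [0:0]'
  # Loopback, and replies belonging to connections we already accepted inbound.
  echo '-A OUTPUT -o lo -j ACCEPT'
  echo '-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
  # Name resolution only towards the resolvers we chose.
  for r in $resolvers; do
    echo "-A OUTPUT -d $r -p udp --dport 53 -j ACCEPT"
    echo "-A OUTPUT -d $r -p tcp --dport 53 -j ACCEPT"
  done
  # The back-end API calls the question asks about, restricted by destination
  # AND by owning uid, so a shell obtained as another account cannot reuse them.
  for h in $api_hosts; do
    echo "-A OUTPUT -d $h -p tcp --dport 443 -m owner --uid-owner $web_user -j ACCEPT"
  done
  # Everything else is logged before the chain policy drops it; a burst of
  # these is the netcat / bash-to-tcp behaviour the reply warns about.
  echo '-A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "egress-drop: "'
  echo 'COMMIT'
}

# Usage as root (dry run first):
#   egress_rules www-data "192.0.2.53" "203.0.113.10 203.0.113.20" | iptables-restore --test
```

Outbound package updates or NTP need their own explicit entries; anything not listed is dropped and logged.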