Best way to sandbox Apache on Linux

粉色の甜心 2021-01-31 20:08

I have Apache running on a public-facing Debian server, and am a bit worried about the security of the installation. This is a machine that hosts several free-time hobby project

11 answers
  • 2021-01-31 20:44

    What problem are you really trying to solve? If you care about what's on that server, you need to prevent intruders from getting into it. If you care about what intruders would do with your server, you need to restrict the capabilities of the server itself.

    Neither of these problems could be solved with virtualization without severely crippling the server itself. I think the real answer to your problem is this:

    1. run an OS that provides you with an easy mechanism for OS updates.
    2. use the vendor-supplied software.
    3. backup everything often.
  • 2021-01-31 20:48

    Make a virtual machine. Try something like VMware or QEMU.

  • 2021-01-31 20:50

    You should use SELinux. I don't know how well it's supported on Debian; if it's not, just install a CentOS 5.2 with SELinux enabled in a VM. Shouldn't be too much work, and much, much safer than any amateur chrooting, which is not as safe as most people believe. SELinux has a reputation for being difficult to admin, but if you're just running a webserver, that shouldn't be an issue. You might just have to do a few "sebool" to let httpd connect to the DB, but that's about it.

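The "few sebool" the answer mentions are SELinux booleans from the targeted policy. The script below is an added example (not from the answerer or any project) that shows the least-privilege choice a practitioner wants here: turn on only `httpd_can_network_connect_db`, and turn off the blanket `httpd_can_network_connect`, which would let a compromised httpd reach any port. The `getsebool -a` output embedded in the script is a constructed sample so the planning logic runs offline; `apply_changes` runs the same plan against the live system.

```shell
#!/bin/sh
# Added example: plan and apply the minimal SELinux boolean changes for an httpd
# that only needs to reach a database. Boolean names are the real ones from the
# targeted policy; the sample output below is constructed for offline use.

# Constructed sample of `getsebool -a | grep '^httpd_'` output.
SAMPLE_BOOLS='httpd_can_network_connect --> on
httpd_can_network_connect_db --> off
httpd_enable_cgi --> on
httpd_enable_homedirs --> off
httpd_execmem --> off'

# bool_state NAME BOOLS_TEXT -> prints "on" or "off" for the named boolean.
bool_state() {
    printf '%s\n' "$2" | awk -v n="$1" '$1 == n { print $3 }'
}

# plan_changes BOOLS_TEXT -> prints the setsebool commands needed to reach the
# intended state: DB access on, blanket outbound network access off.
plan_changes() {
    bools="$1"
    if [ "$(bool_state httpd_can_network_connect_db "$bools")" != "on" ]; then
        echo "setsebool -P httpd_can_network_connect_db on"
    fi
    if [ "$(bool_state httpd_can_network_connect "$bools")" = "on" ]; then
        echo "setsebool -P httpd_can_network_connect off"
    fi
}

# apply_changes: compute the plan from the live policy and run it.
# Needs root and the SELinux userland (getenforce, getsebool, setsebool).
apply_changes() {
    if [ "$(getenforce 2>/dev/null)" != "Enforcing" ]; then
        echo "warning: SELinux is not enforcing; booleans will not confine httpd" >&2
    fi
    live="$(getsebool -a | grep '^httpd_')" || return 1
    plan_changes "$live" | while read -r cmd; do
        echo "+ $cmd"
        $cmd
    done
}

# When run directly, show the plan for the constructed sample.
plan_changes "$SAMPLE_BOOLS"
```

`setsebool -P` writes the change into the policy so it survives a reboot; leaving `-P` off makes the change temporary, which is handy while confirming the DB connection works before committing to it.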
  • 2021-01-31 20:53

    If using Debian, debootstrap is your friend coupled with QEMU, Xen, OpenVZ, Lguest or a plethora of others.

  • 2021-01-31 20:58

    I second what xardias says, but recommend OpenVZ instead.

    It's similar to Linux-Vserver, so you might want to compare those two when going this route.

    I've set up a webserver with a proxy http server (nginx), which then delegates traffic to different OpenVZ containers (based on hostname or requested path). Inside each container you can set up Apache or any other webserver (e.g. nginx, lighttpd, ...). This way you don't have one Apache for everything, but could create a container for any subset of services (e.g. per project).

    OpenVZ containers can quite easily get updated altogether ("for i in $(vzlist -1); do vzctl exec $i apt-get upgrade; done", where `vzlist -1` prints only the container IDs and `vzctl exec` needs the ID of the container to run the command in)

    The files of the different containers are stored in the hardware node and therefore you can quite easily access them by SFTPing into the hardware node. Apart from that you could add a public IP address to some of your containers, install SSH there and then access them directly from the container. I've even heard of SSH proxies, so the extra public IP address might be unnecessary even in that case.

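The layout this answer describes (one public nginx on the hardware node, Apache inside per-project containers on private addresses) comes down to a small nginx config. The script below is an added example, not the answerer's own setup: it generates that config from a hostname-to-container mapping. The hostnames, container IDs and `10.0.0.x` addresses are constructed placeholders; what matters for sandboxing is that only the proxy listens on the public interface, each container is reached over its private address, and requests for any hostname not in the mapping are dropped by a catch-all server block instead of landing in some container by accident.

```shell
#!/bin/sh
# Added example: generate the nginx front-proxy config for per-project OpenVZ
# containers. Mapping values below are constructed placeholders.

# Constructed mapping: "hostname ctid container_ip", one site per line.
SITES='blog.example.org 101 10.0.0.101
wiki.example.org 102 10.0.0.102'

# default_block -> catch-all server that closes the connection (nginx code 444)
# for any Host header not explicitly mapped to a container.
default_block() {
    cat <<EOF
server {
    listen 80 default_server;
    server_name _;
    return 444;
}
EOF
}

# vhost_block HOST UPSTREAM_IP -> one server block proxying HOST to a container.
# The forwarded headers let Apache inside the container log the real client.
vhost_block() {
    cat <<EOF
server {
    listen 80;
    server_name $1;
    location / {
        proxy_pass http://$2:80;
        proxy_set_header Host \$host;
        proxy_set_header X-Real-IP \$remote_addr;
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
    }
}
EOF
}

# proxy_conf SITES_TEXT -> prints the complete config: catch-all first, then one
# server block per mapped site, annotated with the container it fronts.
proxy_conf() {
    default_block
    printf '%s\n' "$1" | while read -r host ctid ip; do
        [ -n "$host" ] || continue
        echo "# CT $ctid"
        vhost_block "$host" "$ip"
    done
}

# count_vhosts SITES_TEXT -> number of mapped server blocks (excludes the catch-all).
count_vhosts() {
    proxy_conf "$1" | grep -c 'server_name [^_]'
}

# When run directly, print the generated config to stdout.
proxy_conf "$SITES"
```

Write the output to a file under nginx's conf.d directory and reload nginx; inside each container, Apache then only needs to listen on the container's private address, so nothing but the proxy can reach it from outside.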